Ransomware 101: The need-to-knows for healthcare execs

The cyberattack on Change Healthcare that debilitated health providers and pharmacies across the country last month sent a foreboding message: Your company may be the next big cyberattack victim.

“But Healthcare Brew,” you may be thinking, “we’re so careful with our employees. We send out phishing test emails every week. We have posters about not clicking on suspicious links hung up around the office.”

The problem is all of that might be too little, too late.

“Healthcare organizations can’t prevent becoming a target,” Steve Cagle, CEO of healthcare security and risk management company Clearwater, told Healthcare Brew. “The very nature of being in healthcare makes covered entities and business associates a target for cyberattacks.”

In recent years, ransomware attacks on health providers have increased in number, according to the HIPAA Journal. The US Department of Health referred to ransomware as “the largest cybersecurity threat facing the healthcare industry and the protected health information it holds.”

But what exactly are ransomware attacks?

Ransomware attacks start with malicious software that is unwittingly downloaded onto a computer. For example, you may receive an email masquerading as a bank statement or essential service that tells you to follow a link or download an attached file to fix a critical problem. It might claim your bank account was hacked! And you have to reset your password! Right now!

Once the file attachment is downloaded, the software runs and infects your computer. The code goes through all your computer’s files and encrypts them so they’re unusable. A message then pops up informing you that you need to pay a ransom to decrypt them—or they’ll be lost forever.

If you were hoping your company would be off the hook for ransomware attacks because hackers have bigger fish to fry, you may be out of luck, thanks to something called the ransomware-as-a-service (RaaS) model.

The RaaS model is sort of the evil twin to the more well-known software-as-a-service model. It allows anyone with an internet connection and access to the dark web to purchase ransomware code from hacker groups for their own use. RaaS users can choose between payment options, including a one-time purchase fee or an affiliate fee, which means the hacker group receives a monthly fee and a cut of every ransom. BlackCat, the ransomware group UnitedHealth Group accused of being behind the Change Healthcare attack in a statement, reportedly operated on an affiliate system.

So now you know a bit about ransomware and RaaS—but the big question remains:

What can organizations do about it?

Risk analysis. Cagle recommends organizations start with a “comprehensive asset-based risk analysis” to understand their complete inventory of assets and liabilities.

• “There is no such thing as ‘protecting what’s important,’” Cagle said. If something is on a network or accessible via the internet to a network, he said, it can be used to an attacker’s advantage. That means one employee’s computer can lead to other employees’ computers, which can lead to internal server access that can allow an attacker to do anything from read company emails to jam a favorite printer.

Business impact analysis. In other words, plan for rain. A business impact analysis allows an organization to understand the impact of systems going down and develop contingency plans accordingly.

• Have up-to-date incident response plans to help “minimize the disruption and damage” and prevent the attack from having the intended effect on the organization, according to Cagle.

Physical and technical guardrails. If an organization is dealing with sensitive data, it should put measures in place to prevent malicious actors from accessing anything in the first place.

• Physical: Limit access to server rooms and install security cameras to catalog who has access to what. Enable multifactor authentication on computers, laptops, and phones so an attacker will have a harder time gaining remote access. Additionally, have physical hard drives of backed-up information in case systems do go offline.
• Technical: Install firewalls to prevent unwanted access to the internal network. This is often a more costly investment, according to research that recommends organizations conduct a “needs assessment, threat assessment, and budgetary assessment” before installing a firewall. Firewalls, the researchers wrote, are one way to ensure the security of sensitive data, such as electronic health records and insurance information.