Five steps for responding to hospital ransomware attacks

Hospitals are prime targets for ransomware attacks. Health IT teams must move quickly to identify and isolate a ransomware infection to keep it from spreading.

Ransomware incidents have become more frequent in 2016, so frequent that cybercriminals extorted $209 million from organizations in the first three months of 2016, according to an FBI report. These attacks are far more concerning in the healthcare arena because they can potentially interrupt patient care if clinicians are disrupted. Hospital ransomware attacks can also cause breaches of protected patient care data. While this form of malware has risen to the top of healthcare IT executives' security lists, the preventive steps involve the users more than just the systems.

When a hospital first detects a ransomware incident, it is usually the result of a staff member telling IT they are unable to open some or all of their documents. In some cases the user receives an odd notification on their desktop. If the files in question have been encrypted, and the user has permissions to other network and server resources, other files have likely been encrypted as well and are no longer accessible. Once IT has confirmed that this is in fact a ransomware infection, there are several steps that should be taken.

Limiting and stopping the ransomware from further damage

The first step is to identify the infected workstation or other machine within the network. This is usually the PC that is being used by the staff member who reported the issue. Isolating that machine helps reduce any further file encryption. Another method is to use tools that allow IT to look for suspicious activity on file servers to prevent further data encryption.
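The following is an added example, not part of the original article, of what looking for suspicious activity on a file server can mean in practice: it flags any account and workstation pair that modifies or renames an unusual number of files within a short window, which points IT at the machine to isolate. The log line format, the window and threshold values, and all account, host and file names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed look-back window
THRESHOLD = 20                   # assumed max modify events per window
SUSPECT_OPS = {"WRITE", "RENAME", "DELETE"}

def parse_event(line):
    """Parse 'timestamp account workstation operation path' (hypothetical format)."""
    ts, account, host, op, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), account, host, op, path

def find_suspect_sources(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {(account, host): time the threshold was first exceeded}.

    Expects events in chronological order.
    """
    recent = defaultdict(deque)   # (account, host) -> timestamps inside the window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, account, host, op, _path = parse_event(line)
        if op not in SUSPECT_OPS:
            continue
        q = recent[(account, host)]
        q.append(ts)
        while ts - q[0] > window:          # drop events older than the window
            q.popleft()
        if len(q) > threshold and (account, host) not in flagged:
            flagged[(account, host)] = ts
    return flagged

def constructed_log():
    """Constructed sample: normal use on one PC, a rename burst from another."""
    start = datetime(2016, 5, 2, 9, 0, 0)
    lines = []
    for i in range(10):   # one save every 5 minutes: normal clinical use
        t = start + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} nurse1 WS-ICU-02 WRITE /shares/icu/notes{i}.docx")
    for i in range(40):   # 40 renames in 40 seconds from a single workstation
        t = start + timedelta(minutes=12, seconds=i)
        lines.append(f"{t.isoformat()} jdoe WS-RAD-07 RENAME /shares/rad/scan{i}.pdf.locked")
    return sorted(lines)  # ISO timestamps sort chronologically

if __name__ == "__main__":
    for (account, host), when in find_suspect_sources(constructed_log()).items():
        print(f"isolate {host} (account {account}): burst detected at {when}")
```

The threshold has to be tuned against normal activity on each share, since backup jobs and bulk file moves produce similar bursts.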

Understanding the type of infection

Cybercriminals release different variants of ransomware on a regular basis. Changing the tools that encrypt files allows them to go undetected by the antivirus and antimalware tools in the marketplace. As a result, most IT teams find it valuable to identify which version of ransomware they are dealing with to understand the extent of damage that can be expected.

Initiating the recovery plan

At this stage almost all hospitals and large organizations are aware of the ransomware attack, and are generally aware of what must be done in order to recover from the incident. For those who are uncertain how to tackle a ransomware attack, the two options are either to pay the ransom in order to receive the encryption key -- in which case there is no guarantee they will receive it -- or simply to initiate the data recovery process and restore all the files that have been encrypted.

Evaluating if a data breach has taken place

As part of the CMS data breach rules, hospitals are required to report when patient information is stolen. Since different variations of ransomware impact data in different ways, and some are able to affect locked database files, hospital IT must evaluate what type of infection they have at hand. There have been reported cases of hospital ransomware attacks where the ransomware hijacks the information and sends it back to the cybercriminal, in which case it is then considered a patient data breach and needs to be treated as such.

Communicating the overall recovery plan internally

When it comes to restoring normal system functionality, IT leaders need to notify their affected users with a general ETA on when they expect access to data to be restored. But more importantly, IT should communicate what occurred and use it as an opportunity to train or retrain users on what can be done to avoid ransomware attacks in the future. Communicating with end users frequently and training them on what to look for is the best way to protect against these infections.

Rising hospital ransomware attacks show how crippling these incidents can be to the healthcare group. IT departments are implementing tools and software-based safeguards to mitigate risks of infections. But despite all the tools available today, there are still several occurrences of infections and many agree that training end users is and will continue to be a great investment of IT's time.
