

How to battle ransomware in healthcare: Tips from a pro

Fighting ransomware in healthcare is an ongoing and seemingly never-ending battle. A health IT security expert discusses effective tactics healthcare organizations can take.

The battle against cyberattacks and ransomware in healthcare is a non-stop effort, and with reports that in early 2016 alone there were 4,000 daily ransomware attacks against healthcare organizations -- a 300% increase from the 1,000 daily attacks reported in 2015 -- the reality is scary, to say the least.

Despite constant efforts by healthcare organizations to protect their data, the attacks and ransomware in healthcare keep happening. The question remains: What can be done?

Mark Dill, partner and principal consultant at tw-Security, a healthcare security firm based in Strongsville, Ohio, gives some concrete and specific advice for healthcare organizations, ranging from employee awareness to specific technologies that can help secure the organization.

What can healthcare organizations do to protect themselves from cybersecurity attacks?

Mark Dill: What fails most significantly when an organization becomes a victim of ransomware really starts with phishing awareness. … What leading organizations are doing is they're proactively phishing their workforce. They're either learning how to do it themselves or they're acquiring a tool. … The reason that [tools are] effective is they get delivered at the time of fail. When the person clicks on proactive phishing emails … [it] alerts them they've been phished and … it trains them on what they should have looked for. Maybe the hospital has two L's in their name and this email came from a domain that someone bought from GoDaddy for 99 cents that replaced the L's with 1's [for example].
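The look-alike domain Dill describes (an "l" swapped for a "1" in the hospital's name) is something mail filters and awareness tools can flag before a user ever sees the message. The following is an added example, not code from the interview or from tw-Security: it classifies the sender domain of a From header against a hypothetical hospital domain, folding common digit-for-letter substitutions before comparing. The domain `allhealth.example` and the homoglyph table are assumptions made for the illustration.

```python
import re
from difflib import SequenceMatcher

# Hypothetical hospital domain used for the illustration (assumption, not from the interview).
LEGIT_DOMAIN = "allhealth.example"

# Common substitutions seen in look-alike registrations: the fake form on the left
# is folded to the letter it imitates before comparison (assumed, illustrative table).
HOMOGLYPHS = {
    "1": "l", "|": "l", "0": "o", "3": "e", "5": "s",
    "7": "t", "8": "b", "rn": "m", "vv": "w",
}


def normalise(label: str) -> str:
    """Lower-case a domain and fold look-alike characters to their plain letters."""
    folded = label.lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def sender_domain(from_header: str) -> str:
    """Pull the domain part out of a From header such as 'Payroll <x@host.tld>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else ""


def classify_sender(from_header: str, legit_domain: str = LEGIT_DOMAIN) -> str:
    """Return a verdict for the sending domain relative to the organisation's own domain."""
    domain = sender_domain(from_header)
    if not domain:
        return "no-domain"
    # Exact match or a subdomain of the real domain.
    if domain == legit_domain or domain.endswith("." + legit_domain):
        return "legitimate"
    # Same string once digits/punctuation are folded back to letters: a11health -> allhealth.
    if normalise(domain) == normalise(legit_domain):
        return "homoglyph-lookalike"
    # The real name embedded in a longer domain the organisation does not own.
    if legit_domain in domain:
        return "embedded-brand"
    # Typo-squats: one character dropped or changed.
    if SequenceMatcher(None, domain, legit_domain).ratio() >= 0.85:
        return "near-match"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample headers for the demonstration.
    for header in ("Payroll <payroll@a11health.example>",
                   "IT Helpdesk <it@mail.allhealth.example>",
                   "HR <hr@allheath.example>",
                   "Portal <login@allhealth.example.evil.test>"):
        print(f"{header:45} -> {classify_sender(header)}")
```

Anything other than "legitimate" is worth routing to quarantine or at least tagging with a visible banner, which is the "delivered at the time of fail" feedback Dill mentions.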

What technologies or tools do you think are most effective in protecting against ransomware in healthcare?

Dill: On the tools side I'm seeing great success with advanced persistent threat, APT, protection tools that look for ultra-silent infections that can become ransomware infections. When you put intrusion prevention in block mode -- and I don't see that as often as I like -- I see people buying these expensive tools and putting them in detect mode. [In detect mode] they alert IT if anybody's looking that something might be happening but they don't do anything about it. … A lot of these malware infections, ransomware, actually infect the device and sit silent for a couple of weeks. It sits there hoping to get past the backup retention window, you know, IT might keep files for two weeks. This thing becomes an infection, becomes ransomware in two weeks and one day or whatever the time period is that they think they can exceed your backup window. So if you don't have anything to restore to and now their data's held for ransom the likelihood of you paying goes way up.

If you have intrusion prevention in block mode, some of this malware actually while it sits silent it's reaching out to the command and control server, little hand shake blips, that say "Hey, I've got the infection. I can go live anytime you want" and these tools can see that and block that communication. Sometimes that communication is needed in order to get the encryption keys to actually encrypt the data and if the tool is in block mode it can block the encryption key from ever getting into the organization. The device can be infected but it can't get the key. It gives IT and antivirus software a chance to catch up and figure these things out. … So that's an expensive tool set.

On the cheap side, organizations are learning how to create what's called a "crypto canary," that's the canary in the cave and if the canary keels over you know there's carbon monoxide and you probably best not go into the cave. On the digital side, infections like ransomware create a lot of file activity really fast, and it's away from the baseline profile or behavior of how a user ID or device is supposed to behave. … So there's inexpensive ways to put files out there that no one should ever use but yet would be encrypted as part of ransomware and you just have to tune your tools to be looking at those files and alert you if anybody leaves them, touches them [or] writes to them and that's an indication that the infection's started and time is of the essence.

So it's really about this balance of finding the right mix of proactive tools like … tools that would block the infection and then tools that would alert you that something odd is going on.
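The "little hand shake blips" Dill describes are what network defenders call beaconing: small, regularly spaced connections from an infected host to a command-and-control server. Whether a blocking IPS or a plain log review is in play, the signal is the same. The following is an added example, not from the interview or from any vendor's product: it runs over a few constructed egress-log lines (timestamp, source, destination, bytes) and flags source/destination pairs whose connections are frequent, tightly periodic and tiny. The log lines, addresses and thresholds are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of an egress log: "timestamp src dst bytes".
# 10.0.5.21 talks to one host every five minutes with ~44 bytes (beacon-like);
# 10.0.5.33 shows ordinary, irregular browsing traffic.
SAMPLE_LOG = """2016-03-01T09:00:00 10.0.5.21 203.0.113.10 44
2016-03-01T09:05:01 10.0.5.21 203.0.113.10 44
2016-03-01T09:10:00 10.0.5.21 203.0.113.10 46
2016-03-01T09:14:59 10.0.5.21 203.0.113.10 44
2016-03-01T09:20:00 10.0.5.21 203.0.113.10 44
2016-03-01T09:25:01 10.0.5.21 203.0.113.10 44
2016-03-01T09:00:12 10.0.5.33 198.51.100.7 18230
2016-03-01T09:03:45 10.0.5.33 198.51.100.7 2201
2016-03-01T09:21:02 10.0.5.33 198.51.100.7 60112
2016-03-01T09:22:30 10.0.5.33 198.51.100.7 980
2016-03-01T09:47:10 10.0.5.33 198.51.100.7 12004
2016-03-01T09:49:00 10.0.5.33 198.51.100.7 3100
"""


def parse_log(log: str) -> dict:
    """Group connections by (src, dst), keeping (timestamp, bytes) for each one."""
    flows = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, dst, size = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return flows


def find_beacons(log: str, min_conns: int = 5, max_jitter: float = 0.1,
                 max_bytes: int = 512) -> list:
    """Return flows that look like C2 check-ins: many small, evenly spaced connections.

    max_jitter is the coefficient of variation (stddev / mean) of the gaps between
    connections; human-driven traffic is bursty and scores far higher than 0.1.
    """
    hits = []
    for (src, dst), events in parse_log(log).items():
        if len(events) < min_conns:
            continue
        events.sort()
        gaps = [(later[0] - earlier[0]).total_seconds()
                for earlier, later in zip(events, events[1:])]
        period = mean(gaps)
        if period == 0:
            continue
        jitter = pstdev(gaps) / period
        avg_bytes = mean(size for _, size in events)
        if jitter <= max_jitter and avg_bytes <= max_bytes:
            hits.append({"src": src, "dst": dst, "period_s": round(period),
                         "jitter": round(jitter, 3), "avg_bytes": round(avg_bytes)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {hit['src']} -> {hit['dst']} "
              f"every ~{hit['period_s']}s, {hit['avg_bytes']} bytes avg")
```

In practice the destination of a confirmed hit is what goes into the IPS block list, so that, as Dill puts it, the device can be infected but cannot fetch its key; the thresholds need tuning against the organization's own baseline, since legitimate agents (time sync, monitoring heartbeats) also beacon and must be allow-listed.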
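Dill's "crypto canary" is cheap to build: plant decoy files nobody has a reason to open and raise an alarm the moment one is written to, renamed or deleted. The following is an added example, not code from the interview or from tw-Security: it plants canary files in a directory, records a content hash for each, and reports which ones have been modified or have gone missing on a later check. File names, decoy content and the directory layout are assumptions made for the illustration; a production version would run the check on a schedule from a monitoring host and page on-call on the first alert.

```python
import hashlib
import tempfile
from pathlib import Path

# Decoy names chosen to sort first and last in a directory listing, since encrypting
# malware typically walks directories in order (assumed, illustrative names).
CANARY_NAMES = ("00_payroll_archive.xlsx", "zz_patient_export.docx")


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path, names=CANARY_NAMES) -> dict:
    """Create the decoy files and return {path: sha256} as the baseline to check against."""
    baseline = {}
    for name in names:
        path = root / name
        # Constructed decoy content; it only has to be stable so the hash is stable.
        path.write_bytes(b"CANARY FILE - " + name.encode() + b" - do not open or edit\n")
        baseline[str(path)] = _digest(path)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Compare current state with the baseline; return (path, reason) for every tripped canary.

    A hash change means the file was overwritten (encrypted in place); a missing file
    means it was deleted or renamed, which is how many ransomware families work
    (write encrypted copy, remove original). Access-time checks are deliberately not
    used because atime updates are unreliable on most mounts.
    """
    alerts = []
    for path_str, expected in baseline.items():
        path = Path(path_str)
        if not path.exists():
            alerts.append((path_str, "missing"))
        elif _digest(path) != expected:
            alerts.append((path_str, "modified"))
    return alerts


def demo() -> tuple:
    """Plant canaries in a temp dir, verify a clean check, then simulate tampering.

    Returns (alerts_before, alerts_after) so the behaviour can be asserted on.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_canaries(root)
        before = check_canaries(baseline)
        # Simulated tampering for the demonstration: overwrite one decoy, delete the other.
        (root / CANARY_NAMES[0]).write_bytes(b"\x00garbage\x00")
        (root / CANARY_NAMES[1]).unlink()
        after = check_canaries(baseline)
    return before, after


if __name__ == "__main__":
    clean, tripped = demo()
    print("clean check:", clean)
    for path, reason in tripped:
        print(f"ALERT canary {reason}: {path}")
```

The alert itself is the easy part; the value comes from what it triggers, such as isolating the host that holds the share open and snapshotting the file server, because, as Dill says, once the canary keels over time is of the essence.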
