[BreachExchange] Healthcare Ransomware: To Pay or Not to Pay?

Fri Nov 11 14:05:17 EST 2016

http://healthitsecurity.com/news/healthcare-ransomware-to-pay-or-not-to-pay

An increasingly popular area of concern for healthcare organizations is
whether or not they should give into potential healthcare ransomware
demands. Should a hospital pay thousands of dollars to regain access to
data, or should it just move on? What if there were not proper backups in
place? How does this affect an organization’s decision.

Those issues and more were covered in the recent
HealthITSecurity.comwebcast, “Prepare and Respond to Healthcare Ransomware
Attacks,”which was presented by Institute for Critical Infrastructure
Technology (ICIT) contributor Travis Farral and Foley & Lardner LLP Partner
Mike Overly.

The two agreed that determining whether or not to pay a healthcare
ransomware demand is a complicated issue. However, the default answer
should always be not to pay, Farral explained during the question and
answer portion of the webcast.

As ransomware continues to evolve and become more intricate and more
damaging, an organization does not necessarily want to reward the attackers
by paying.

“Every situation is dependent on understanding the risks of paying versus
potentially not having access to the information again,” Farral said. “If
you’re a healthcare organization and there’s a risk in not paying because
there weren’t ample backups, or there wasn’t a way to recover that system,
is that the cost is a couple hundred bucks, you’re probably going to go
ahead and just pay it. They need to get that system back online.”

Individual lives could also be at stake, and no healthcare organization
wants patient care to have to be put on hold because of a ransomware
attack, he added. This is why comprehensive preparation methods are
essential, so a provider can work toward never being put in a situation
where it feels like it needs to pay.

Overly agreed that it is an extremely difficult decision for a provider to
have to make. Depending on the amount of demanded money, an organization
could easily decide to go with that option to hopefully regain access to
their data quickly.

“There’s a lot of risk in making that decision,” Overly cautioned.
“Unfortunately, you may have little alternatives available to you at the
time.”

Recognizing potential ransomware attacks, how they affect healthcare

There can be certain indicators that ransomware has infiltrated a system.
Farral explained in the presentation that an increase in hard drive
activity or an increase in network activity could mean that malware has
made its way in.

For example, if there is lots of file access from a single computer to a
shared drive, a type of ransomware may be at work. If this is the case, an
organization should make sure that it isolates the potentially infected
devices or systems, to try and keep it from spreading further.

An organization may not always be able to immediately identify what type of
ransomware has infected its system. It will also depend on the type of
variant of ransomware as to whether an organization can immediately
determine if data is being exfiltrated or is being encrypted.

“Being able to tell depends on the level of logging inside an
organization,” said Farral. “If you can see that a tremendous amount of
information went out from that system, more than just some identifying
information and encryption keys, then there’s a good likelihood that
something was exfiltrated from that system.”

Overly also noted how healthcare organizations should be aware of whether
or not a ransomware attack necessarily constitutes a HIPAA data breach. The
Department of Health and Human Services (HHS) recently published guidance
on the very topic, he pointed out.

“It comes down to a pretty emphatic yes,” Overly said in terms of if a
ransomware attack was a breach. “Unless the healthcare provider has
extremely high confidence that there was no actual disclosure of
unencrypted PHI. The problem with that great confidence is, it takes awhile
to determine that.”

Organizations will need to bring in a security expert that can make an
assessment by looking at logs and other things to see if there’s been an
actual compromise, he added. Typically, it’s not a very obvious thing to
determine, in which case it would likely fall into a reportable situation.

Employee education is also an essential aspect to preparing for a potential
healthcare ransomware attack, Farral and Overly said in the webcast. All
staff members should be trained, Overly maintained, but not necessarily
receive the same level of education.

He explained that one of the best ways to hammer home to individuals about
the importance of recognizing ransomware is to tie it into their personal
lives as well. If a person understands how to spot suspicious activity on
their home computer, which is perhaps storing wedding photos they don’t
want to lose, it will be easier to carry that same concern over to their
work life.

“If an employee can recognize that, they can learn to recognize that at
work when something like this happens,” Overly said. “Then they know how to
avoid it and how to report it.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161111/c2422834/attachment.html>