(1) MedStar was recently hit by a virus that is suspected to be ransomware. According to CSO Online: "For now, MedStar is using paper to process patients, and staff report that they're having trouble accessing patient records. Communication between staff is either face-to-face or via phone. In addition to delays in record searches, it's also possible that appointments and surgeries will have to be delayed too, as will lab results."
(3) Methodist Hospital in Kentucky suffered a ransomware attack recently. According to Brian Krebs, the ransomware "came in via spam email, in messages stating something about invoices and that recipients needed to open an attached (booby-trapped) file."
(4) Two hospitals run by Prime Healthcare Services -- the Chino Valley Medical Center and the Desert Valley Hospital -- were hit by ransomware recently.
Why Healthcare?
Why is the healthcare industry taking so many hits recently from ransomware? David Melamed, Senior Research Engineer at CloudLock, explains that healthcare targets "are particularly vulnerable because they cannot afford to be paralyzed for a long time (either because their data has been encrypted or because they shut down the system to avoid spreading the infection) and prefer to pay the ransom."
Brian Krebs has an ominous prediction, one that I think will likely come true:
It’s a fair bet that as ransomware attacks and attackers mature, these schemes will slowly become more targeted. I also worry that these more deliberate attackers will take a bit more time to discern how much the data they’ve encrypted is really worth, and precisely how much the victim might be willing to pay to get it back.
Coping with the Ransomware Epidemic
Here is the basic advice for preventing ransomware:
(1) Improve on data security best practices.
Basic data security best practices will help a lot. Now, more than ever, is a good time for institutions to reinforce them. Hospitals should think of data security best practices as the information equivalent to washing one's hands and wearing gloves.
(2) Step up the back ups.
Back up everything frequently. Sometimes paying the ransom will fail to get the data recovered.
(3) Keep software up to date.
Make sure everything is promptly patched.
(4) Train, train, train!
Train your workforce again and again. I have more detailed thoughts below on this point.
Preventing Ransomware Through HIPAA Training
Although not all ransomware requires human interaction to infect, much ransomware infiltrates the network because people are tricked to click on malicious email attachments or links to nefarious websites.
As an article in the Washington Post explains, "Medical facilities are vulnerable to these attacks in part because they don’t properly train their employees on how to avoid being hacked, according to Sinan Eren, who has worked in cybersecurity for government and health-care organizations for two decades."
When it comes to dealing with human behavior, the best way to improve it is through effective education. The HIPAA Privacy and Security Rules each mandate training, but it isn't enough just to have HIPAA training -- it is how you train the workforce that matters. I recommend the following things for training:
(1) Make it memorable and engaging.
Merely saying "don't click on stuff" isn't really helpful. Training must really capture people's interest and stick in people's minds if it is to make any difference.
(2) Use stories.
People remember stories. They engage with stories. Stories help people forge a more emotional connection with the material. Abstract do's and don'ts are not as effective as a story. See here for my post about the power of storytelling.
(3) Make it interactive.
People learn better when they actively engage with information, not when information is dumped on them.
(4) Show the consequences.
A lot of errant clicking is done not out of ignorance but out of carelessness. People might have some suspicions but might not care enough to be at their most vigilant. Showing people how devastating an attack can be will help them understand the gravity of every click. Make it visceral -- this will make it register more powerfully in people's minds and hearts.
(5) Teach the common tricks.
Much malware and phishing attacks still use the same bag of tricks. People need to be able to spot the telltale signs of these tricks. Generic emails with barely any text except for something such as "invoice attached" still remain remarkably common and successful.
(6) Awareness must be ongoing.
Short periodic awareness communications tend to be more effective than a mention in a once-a-year training program. Rolling out short awareness messages is not feasible at many organizations, but where possible, I strongly recommend it. Keeping security in front burner of people's minds will make compliance much more consistent, as good security takes constant vigilance and care, and it is easy to forget and lapse.
Training isn't a full vaccine against ransomware, but it can inoculate many in the workforce. Every single workforce member is a risk, so the more that you reach, the more you reduce risk.
* * *
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy/data security training company. He is the author of 10 books and more than 50 articles.
