Ransomware is surging, and it’s taking a toll on the healthcare sector. In fact, ransomware attacks on businesses increased by 195% in the first three months of 2019. The price tag of these attacks is growing too. In the first quarter of 2019, the average ransomware demand was 93% higher than in 2018.
Healthcare is the hardest hit of all sectors. Healthcare breaches accounted for 37% of all ransomware incidents. Therefore, it is imperative that you know what to do ahead of time in case your practice or facility determines an attack is underway.
Let’s consider what you should do on Day One of a ransomware attack.
Ransomware attack! What to do on Day One
Let’s say you work at a large medical practice. You begin to have trouble accessing an application or system that is a core component of your work. The server isn’t responding, so you contact the IT help desk. At the same time, the security team starts receiving alerts. These are all early signs that ransomware is holding your organization hostage.
Once a ransomware attack is confirmed, immediate action must be taken. Infected servers and endpoints should be shut down to contain the impact of the attack. At the same time, IT and security teams need to investigate. Maybe the attacker gained access to the system by exploiting holes left by missing patches. Perhaps it was a phishing attack. Or maybe the hackers found another way in.
After confirmation of the attack, your organization — most likely at the executive level — has a big decision to make. Do you pay the cybercriminals? Or do you ignore the ransom demands, and get back to business by following your disaster recovery protocol?
The decision to pay often boils down to simple economics. Would meeting the hackers’ demands, and trusting them to provide a valid decryption key to recover the systems and rebuild the compromised server, be less expensive and result in less downtime?
The answer is not always an easy one. It depends on several factors:
- organizational protocol for such a situation
- the ease with which you can recover from backups
- the amount of the ransom demand
- the type of system that has been compromised.
Sophisticated IT organizations train on disaster recovery and have a process in place that enables them to recover and rebuild environments in a matter of hours. This ensures that the patient, provider, and operational and financial impact will be minimized. However, many organizations may do backups but have never operationalized them. This leaves them unsure about how long it will take to recover and be back to normal again.
Healthcare providers often pay the ransom to get systems back up and running quickly — especially if the attacks impact critical systems. For example, hospital emergency departments cannot afford for their systems to be down. This is because the ability to look at patient history or see test results could be a matter of life or death. However, if an attack hits a small radiology lab, the organization may decide not to pay because even a few hours of recovery time will not materially impact patients or result in significant downtime costs.
If your organization decides to pay, the next step is figuring out how to meet the attackers’ demands. Most hackers today seek payment in bitcoin. So, you will need to establish a bitcoin account and make the payment, then hope the attacker will follow through with a decryption key. If the attacker does provide a key, the IT department will have to test it, since there are many reported incidents of attackers not following through once paid.
Why backup and recovery matter
A strong backup and recovery plan is key to successfully recovering from a ransomware attack with minimal downtime and expense. This is critical regardless of whether your organization pays the attacker’s ransom.
One important lesson here is to look not only at clinical and financial systems but also at IT systems like Active Directory, telephone numbers and systems, internal and external websites, and other systems that are essential to communicate with internal and external stakeholders. In many cases, if your backup systems are updated frequently and can be easily accessed and operationalized, you could ignore the hacker, contain the attack, and restore operations without paying a ransom.
It is also important to test these backups periodically during non-emergencies and not wait for attacks to find out if they are working or not. This will ensure that patient care is not delayed, and costs associated with downtime are minimized.
What to do if you decide to pay the ransom
Even if you do decide to pay the ransom, you will want to immediately begin backing up your systems, while the executive leadership determines their approach and arranges to transfer payment for a decryption key. The IT team should go through its backup and recovery process while security addresses the root cause of the ransomware attack.
Since there is no guarantee that the hackers will provide a valid decryption key once paid, it’s important not to delay this step as it could result in you being down even longer than necessary.
Once the system is decrypted or as part of the recovery process, it is vital to build new environments on which the system will run. Best practices for recovering from a ransomware attack include clearing the memory and cache and wiping the entire system clean. If the attack happened on a virtual server, it should be completely deleted. These steps are necessary because ransomware could leave behind remnants that give the attacker command-and-control functionality later on.
The bottom line: Be prepared for ransomware attacks ahead of time
Ransomware attacks are more prevalent than ever, but recovery is possible if you follow the right best practices. Your organization can quickly address the problems and resume normal operations if, in advance, you consider the fundamental decisions that must be made once an attack occurs.
It’s crucial to always be prepared with the backups, people and processes in place to operationalize recovery and minimize the impact on finances, patients, and the daily course of business.