How to beat ransomware with security best practices

Providers most fear losing access to their data and systems when a profiteering hacker attacks, but a few steps can protect key systems.


Ransomware has emerged as one of the largest concerns for healthcare organizations this year. An increasing number of incidents this year show that hackers are particularly targeting the healthcare sector, drawn by porous defenses and an apparent willingness to do whatever gets critical systems up and running again as quickly as possible.

There are many variants of ransomware, but all have the same modus operandi—they prevent you from using your PC normally, and they all demand that you do something before you can use your PC again. It’s a class of malware that holds a computer "hostage" until the user pays a particular amount or abides by specific instructions. Cybercriminals use online payment methods such as Ukash, PaySafeCard, MoneyPAK or Bitcoin as the way for users to pay the ransom.

These are just a few of the recent cases reported in the national news.

  • February 5, 2016: Hollywood Presbyterian Medical Center in Los Angeles had medical systems infected with the Locky crypto-ransomware; computers essential to laboratory work, CT scans, emergency room systems and pharmacy operations were all affected. After almost two weeks, the hospital paid a ransom of 40 Bitcoins ($17,000) to unlock its machines, because paying the ransom was the quickest and most efficient way to restore its systems.
  • March 16, 2016: Ottawa Hospital in Canada was hit with a Locky crypto-ransomware attack affecting four computers, but was fortunate enough to fend off the attack by completely wiping the affected computers and restoring data from backups.
  • March 18, 2016: Methodist Hospital in Henderson, Ky., was hit with the Locky crypto-ransomware, which arrived as an attachment on a spam e-mail and attempted to spread across the network after it had infected the computer on which it was triggered. The hackers demanded a ransom of four bitcoins ($1,600) to unlock the machines.
  • March 23, 2016: Chino Valley Medical Center and Desert Valley Hospital, both part of Prime Healthcare, were hit with ransomware. Fortunately, both facilities had a good defense strategy and were able to fend off the attack. Neither facility paid the ransom.

The serious nature of these attacks requires healthcare organizations to make sure that their defenses are strong and that they are well prepared. Here are some defense tips that are considered best practices against ransomware.

  • Make sure operating systems are up to date with patches and security updates on all Windows operating systems. Windows XP, Windows Server 2003 and earlier versions are no longer patched by Microsoft and should be avoided. Updates to supported operating systems should be applied as quickly as possible after release.
  • Ensure SmartScreen Filter is enabled on all Internet Explorer browsers.
  • Make sure a pop-up blocker is running on all web browsers.
  • Show hidden file extensions, so that attachments arriving in incoming e-mail can be recognized for what they are.
  • Filter out .exe executable attachments in incoming e-mails.
  • Disable files from running out of the AppData/LocalAppData folders.
  • Use the Cryptolocker Prevention Kit.
  • Disable RDP, and severely restrict its usage.
  • Educate all staff to avoid clicking on links or opening attachments or e-mail from people they do not know. Train all staff continually on these issues so they do not fall prey to social engineering attacks exploiting the human factor.
  • Install an antivirus/adware/malware security software solution with current, up-to-date subscriptions. Apply virus definition updates from your software provider as quickly as possible following release. Automate the process so human error is minimized.
  • Turn on Windows Firewall—this can help prevent malware infections by stopping suspicious programs from getting onto PCs or accessing the internet once installed.
  • Limit user privileges. Many malware programs need full access to a PC to run properly. Use local admin privileges only when absolutely required by an application, and tightly restrict system admin accounts to trained IT professionals on your staff.
  • Back up important files to a network share or cloud storage; it’s your first line of defense if you are attacked and need to restore files.
  • Run intrusion detection software on your network perimeter.
  • Conduct regular external vulnerability and/or penetration tests. Fix all vulnerabilities found, or fully understand why you’re not taking action.
  • Be certain firewalls are current and up to date. Implement a foreign IP block list on firewalls, and monitor the Fail2Ban list.
  • Be certain your wireless infrastructure is at current security levels.
  • Be certain network router and switch patches are at the highest vendor-supplied security release.
  • Re-evaluate your risk assessments, especially any risks not mitigated, and determine whether those widen your exposure; if so, develop a plan to address them.
  • Segregate public wireless access from the hospital network with a separate public SSID.
  • Be absolutely certain that backups are current, complete and validated. In the event of a ransomware or any other virus attack, they may be your best first line of defense.
  • Be certain that all user access is individually identifiable.
  • Ensure that individual access to network files and folders is only at the level needed: individually named users have access only to the files and folders required for doing their job.
  • Make all network shares available only to those who absolutely need them.
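A way to turn the host-level items in this checklist into something you can actually verify, as an added example that is not part of the original article: a read-only PowerShell audit that checks a Windows PC for an unsupported operating system, the Internet Explorer SmartScreen setting, visible file extensions, RDP being disabled, Windows Firewall on for every profile, a Software Restriction Policy path rule covering AppData, and whether the current session is running with administrator rights. The registry locations used for the SmartScreen and SRP checks are assumptions taken from Windows documentation rather than anything the article states, and the function names are my own.

```powershell
# Added example, not code from the original article: a read-only audit of a Windows host
# against several items in the checklist above. It changes nothing on the machine.
# Requires Windows 8.1 / Server 2012 R2 or later (Get-NetFirewallProfile); no elevation needed.

function Get-RegValue {
    # Returns a registry value, or $null when the key or value is absent (absent = not configured).
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Invoke-RansomwareHardeningAudit {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Item, [bool]$Pass, [string]$Detail) {
        $status = if ($Pass) { 'PASS' } else { 'FAIL' }
        $results.Add([pscustomobject]@{ Check = $Item; Status = $status; Detail = $Detail })
    }

    # 1. Unsupported OS: Windows XP and Server 2003 no longer receive patches.
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    Add-Check 'Supported operating system' ($os -notmatch 'Windows XP|Server 2003') $os

    # 2. IE SmartScreen Filter. Assumption: EnabledV9 = 1 means on (IE9 and later).
    $ss = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter' 'EnabledV9'
    Add-Check 'IE SmartScreen Filter enabled' ($ss -eq 1) "EnabledV9=$ss"

    # 3. File extensions visible in Explorer (HideFileExt = 0), so a double-extension
    #    attachment is shown with its real .exe suffix.
    $hide = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
    Add-Check 'File extensions shown' ($hide -eq 0) "HideFileExt=$hide"

    # 4. RDP disabled (fDenyTSConnections = 1).
    $rdp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    Add-Check 'RDP disabled' ($rdp -eq 1) "fDenyTSConnections=$rdp"

    # 5. Windows Firewall on for the Domain, Private and Public profiles.
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
        Select-Object -ExpandProperty Name)
    Add-Check 'Windows Firewall on (all profiles)' ($off.Count -eq 0) ('Disabled profiles: ' + ($off -join ', '))

    # 6. Software Restriction Policy path rule covering AppData. Assumption: SRP rules live under
    #    CodeIdentifiers, the "0" subkey holds Disallowed-level rules, ItemData is the path pattern.
    $srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    $rules = @(Get-ChildItem -Path $srp -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData })
    $appdata = @($rules | Where-Object { $_ -match 'AppData' })
    Add-Check 'AppData execution blocked by SRP' ($appdata.Count -gt 0) ('Rules: ' + ($appdata -join '; '))

    # 7. Least privilege: the day-to-day session should not carry administrator rights.
    $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Add-Check 'Session is not running as administrator' (-not $isAdmin) "IsAdmin=$isAdmin"

    return $results
}

Invoke-RansomwareHardeningAudit | Format-Table -AutoSize
```

Each FAIL row maps back to one bullet above; the fixes themselves belong in Group Policy so that they are applied uniformly rather than hand-set on each PC, and the audit can then be re-run periodically to catch drift. Items the script cannot see from a workstation (e-mail attachment filtering, perimeter firewalls, backups, wireless segregation) still need to be checked where those systems live.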

Have a solid recovery plan in place, including the following protocols:
  • The FBI recommends paying the ransom in some cases—only if you cannot recover from a good-quality backup, and only if the value of the data is greater than the ransom cost. Even so, this is a debatable course of action that only encourages attackers.
  • Analyze the file structures to determine the extent of the attack; if you do not have the resources to do this, contact a professional immediately.
  • Review the syslog server and block the port that was used.
  • Immediately pull impacted devices from the network to avoid propagation; wipe each device and reinstall from bare metal.
  • Restore from backup.
  • After your organization has recovered, whether by paying the ransom or by restoring from backup, focus on prevention going forward.
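The containment steps in this plan, scripted as an added example that is not part of the original article: a PowerShell function that first preserves the volatile evidence an analyst needs to judge the extent of the attack (running processes, network connections, scheduled tasks), then blocks the port identified in the syslog review, and finally isolates the host from the network ahead of the wipe and reinstall. The function name, the evidence directory and the port value are placeholders of my own; the real port comes from your own log review.

```powershell
# Added example, not code from the original article: first-response containment on a
# suspected-infected Windows host. Run from an elevated PowerShell session at the console
# of the affected host (step 3 cuts off any remote session). Requires Windows 8.1 /
# Server 2012 R2 or later for the Net* cmdlets.

function Invoke-HostContainment {
    param(
        [Parameter(Mandatory)][int]$SuspectPort,   # placeholder: the port your syslog review identified
        [string]$EvidenceDir = 'C:\IR-Evidence'    # placeholder: removable media is preferable to the local disk
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

    # 1. Preserve volatile evidence first; it is gone once the machine is wiped, and the
    #    connection table is what ties the malware to the port you are about to block.
    Get-Process | Select-Object Name, Id, Path |
        Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir "processes-$stamp.csv")
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir "connections-$stamp.csv")
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | Select-Object TaskName, TaskPath, State |
        Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir "tasks-$stamp.csv")

    # 2. Block the port that was used, inbound and outbound. A named persistent rule survives
    #    reboots and is the same rule you would push to the rest of the fleet via GPO.
    New-NetFirewallRule -DisplayName "IR-Block-In-$SuspectPort" -Direction Inbound -Protocol TCP `
        -LocalPort $SuspectPort -Action Block | Out-Null
    New-NetFirewallRule -DisplayName "IR-Block-Out-$SuspectPort" -Direction Outbound -Protocol TCP `
        -RemotePort $SuspectPort -Action Block | Out-Null

    # 3. Isolate: default-deny in both directions on every firewall profile, then disable the
    #    adapters themselves. This is the scripted form of "pull the device from the network".
    Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

    Write-Host "Host isolated. Evidence saved under $EvidenceDir."
    Write-Host "Next: wipe and reinstall from bare metal, then restore from a validated backup."
}

# Usage with a placeholder port value:
# Invoke-HostContainment -SuspectPort 3389 -EvidenceDir 'E:\IR-Evidence'
```

The order matters: evidence capture comes before isolation because the live connection list disappears once the adapters are down, and the port block comes before the adapter disable so that the rule is already in place if the machine is ever reconnected. The evidence directory should be copied off the host before the wipe, since the reinstall destroys it.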

As you can see, prevention and well-planned strategies are the major keys to avoiding an attack and establishing sufficient lines of defense.
