Mitigating the Risk of Ransomware Attacks

In the first part of this series, we discussed the recent increase in ransomware attacks on hospitals, what ransomware is, and what features of hospitals and healthcare organizations make them especially tempting targets. In this final part, we’ll look at what organizations can do to protect themselves and their patients or clients from these attacks.


How to prevent attacks – or at least minimize damage


A recent study by SailPoint on security practices within organizations takes the stand that organizations should assume that data breaches are now a matter of “when” rather than “if.” That is, a wise organization should focus not only on preventing data breaches, but also on recovering successfully from them when they inevitably occur.


Since many ransomware attackers gain access from successful phishing attempts, organizations still need to focus on educating their employees to identify phishing. This means continuing to teach users how to identify suspicious emails and share them with their IT teams so those IT teams can keep track of possible attacks.


Phishing is a specific type of social engineering attack in which confidential information is acquired by fraudulent methods. These attacks often attempt to acquire user names, passwords, or other information useful to hackers. In the case of ransomware attacks, hackers are generally attempting to get information that will allow them access to an organization’s systems.


Potential phishing attempts can be identified by educated users. For instance, they often make use of link shorteners or embedded links in an effort to create links that appear legitimate. Then after these links are clicked, they take victims to websites specifically created for fraudulent purposes.


Phishing attempts also frequently use threats to create a sense of urgency and fear so victims will hurry and not think carefully about the potential effects of their actions. Emails that threaten to cancel accounts immediately, etc., should be considered highly suspicious.


Some of the other measures suggested by the Department of Homeland Security include:


  • Employing a data backup and recovery plan for all critical information.
  • Using application whitelisting to help prevent malicious software and unapproved programs from running.
  • Keeping operating systems and software up-to-date with the most recent patches.
  • Maintaining up-to-date anti-virus software.
  • Restricting user permissions to install and run software applications.
  • Instructing users not to follow unsolicited web links in emails.
  • Avoiding enabling macros from email attachments.


In the case of MedStar’s ransomware attack, data backups were a key part of their solution. The organization reported that they were able shut down their systems, isolating the damage, and later restore their data from backups without having to resort to paying a ransom.


Future security requirements and guidelines


It is possible that HIPAA requirements will be changed in the future in response to ransomware attacks. According to Bloomberg BNA, Rep. Ted Lieu (D-Calif.) is considering legislation “that would require hospitals and other health-care organizations to notify their patients when they’ve been the victim of a ransomware attack.” This would involve updating HIPAA’s current requirements regarding breach notification.


The FBI also offered guidance regarding the risks of ransomware in its podcast from May 25, 2016, “Ransomware on the Rise.”


Additional Links:

United States Computer Emergency Readiness Team, Alert TA16-091A: Ransomware and Recent Variants

Bloomberg BNA, Ted Lieu mulls ransomware attack requirements