Before the Ransomware Damage is Done

How a single ransomware attack destroyed a thriving medical business and how to avoid it happening to you or your clients.

I was sitting at a local breakfast spot near my home in Michigan one recent morning with a friend. I was discussing my work (online training for compliance and security in healthcare), when a neighbor leaned in to say she overheard me and wanted to share a story she thought I might be interested in. Apparently, a medical practice that did quite well in the Battle Creek area, experienced a data breach which locked down all of their patient records and accompanying files. Shortly thereafter they received a “ransom” message requiring them to pay $6500 for the key to unlock those files.

Ransomware attacks are becoming more and more common in healthcare. The payload is a type of malware that threatens to publish victim’s data or perpetually block access to it unless a ransom is paid. Ransomware attacks can be launched in a number of different forms with some more damaging than others, but they all have one thing in common; a demand for payment to release the data. The numbers of attacks continue to grow as evidenced in recent studies. One report cited 40 million ransomware attacks using malicious URLs or attachments against healthcare providers in one quarter of 2017 alone.

While $6500 may sound like a small price to pay for the retrieval of these important records, many of these ransoms (which happen more frequently than you might think) are priced by hackers to be significant enough to feed their own coffers, but not bank-busting enough to close the organization. It is in the hacker’s best interest to make the amount something that is deemed “worthwhile” that leaves the business intact following the event. But keep in mind that the people demanding this price are cyber-criminals. There is quite literally no way to know if the perpetrators will provide a key or decide to expand the demand once they confirm that a target will pay.

That said, in a recent article from ZDnet on the business decisions surrounding the payment of a ransom – they noted that many sites evaluate using a business decision tree, evaluating their downtime against the cost and the risk. The conventional recommendation is to NEVER pay a ransom. Partly due to the chance that it will trigger recurring demands and also because payment potentially supports the growth of this growing criminal enterprise. As a business owner myself, I can speak to the fact that protracted downtime can invoke serious consequences to business operations.

A year or so ago, my business was compromised by an AWS interruption that lasted only a few hours. In that time, I lost thousands of dollars of potential revenue. The average system downtime due to a ransomware demand is 7.3 days. That kind of interruption could devastate any practice or clinic, compromising the care of many patients and creating a financial burden that might be tough to resolve.

Such was the story of this ENT practice in Michigan. After reading several articles about the incident, I was struck by the senseless of the entire situation. They had seemingly done many things right. They had smartly encrypted all records to not be accessed if breached or accidentally misplaced. However, while encryption protects the patient data from prying eyes, it does not protect the system from a hijack of this kind. They apparently had no daily backup procedure. They had not invested in any kind of cybersecurity insurance (which has become more common in recent years), and they had not adequately planned for this level of business interruption.

The owners of the compromised practice had to weigh the benefits of paying the initial ransom request in hopes the hackers would not circle back for more or deny the demand. To do so would mean walking away from years of patient care and the possibility of selling their practice at a profit. They opted for the latter – which was an unusual move that I am certain confounded the hackers.

Sadly – the criminals did what they promised and destroyed ALL of the hijacked records, triggering the premature closure of a working medical business. Rather than profiting at the end of their business tenure, the owners were forced to refer clients to other practitioners and simply retire.

On so many levels, this story sparks questions and speculation regarding the owners’ unilateral decision around that patient data. For instance, should this practice have paid the initial ransom to test the possibility of regaining data access? If successful, they might have tried moving that data to an offline drive to protect it. In one news story regarding this case, it was reported that patients of the practice complained of losing important family medical information for future healthcare purposes.

As we were not in the drivers seat it is tough to judge what made the most sense for them.

The decision in this case aside, what could the Michigan practice have done to protect themselves against this attack in advance? It seems that while the healthcare industry is a prime target for cyber-criminals, practitioners and industry professionals seem woefully unprepared to address the increasing threat.

Here are 5 key suggestions compiled from our training programs and provided by firms who deal exclusively with malware infestations.

  • Hire a knowledgeable IT professional/firm with specific experience in healthcare to create your security system. Keep that firm on retainer to manage your technology and monitor security.
  • Execute a daily data backup that protects your data in an encrypted format and is secured apart from your primary network, cloud storage or workstation system. This small extra step each day will ensure that you never permanently lose access to archived patient care information.
  • Create a disaster recovery plan in advance of any potential incident, with detailed steps to accelerate the return to operational status, specific to your data and technical situation.
  • Train your entire staff at all levels of security to understand how to avoid errors that might lead to a breach or malware attack. Security awareness training when onboarding new employees and on an annual basis will create a culture of data protection.
  • Consider carrying a cybersecurity and business interruption insurance policy as an added level of financial preservation and protection. These policies are becoming more common and affordable and can provide piece-of-mind.
  • Understand that while many of these elements create cost, none will be as costly as the aftermath of a successful ransomware attack. Creating a comprehensive plan to protect against a cataclysmic business loss seems like a smart and worthwhile investment.

4MedPlus provides complete onboarding and annual training for security awareness at all levels including a certificate of ransomware prevention. Click this link to review the discounted bundle and ensure that you and your staff have all of the pieces in place to create a culture of data protection:

COMPLIANCE VALUE BUNDLE: Security Awareness Complete 2019/2020Y (CSAC)

Apply code 4MED25RM at checkout to receive an additional 25% off this comprehensive security awareness bundle.

Author: Wendy Whitmore, CLO