What Hospitals, Private Practices Should Know About Ransomware Attacks
In late September 2019, DCH Health Systems stopped accepting new patients and had to revert to manual mode — using paper copies of records and notes — to treat existing patients. The hospital system became infected with ransomware, a malicious type of software that blocks access to a computer system or data until a ransom is paid, after an employee opened an email with an infected attachment.
Earlier in the month, Campbell County Health diverted patients from its emergency rooms and canceled several exams and procedures after ransomware infected all of its computers. The organization said in a statement that the attack affected its hospital, clinics, surgery center and long-term care center.
In early October, the FDA issued a safety communication specifically aimed at healthcare institutions, device manufacturers, patients and IT professionals, warning of cybersecurity vulnerabilities. The FDA said the following operating systems were at risk for vulnerabilities: VxWorks, Operating System Embedded (OSE), INTEGRITY, ThreadX, ITRON, ZebOS.
Ransomware Attacks on the Rise
Ransomware attacks have been increasing because of how profitable they can be for attackers, one study found.
In fact, research from the American Medical Association (AMA) revealed that 1 in 2 physicians surveyed feels very or extremely concerned about future cyberattacks. For clinics or private practices, a ransomware attack can mean the end of the business. Wood Ranch Medical, a clinic in California, had to close its doors after a ransomware attack left it unable to recover and rebuild its data.
The FBI has urged ransomware attack victims not to pay attackers, which can be a difficult situation for hospital administrators or clinic owners when patient safety is on the line. In some cases, the FBI notes, victims were not provided decryption keys despite paying the ransom. Paying attackers also emboldens other criminals to target organizations via ransomware, the organization said.
How to Protect Your Hospital from Ransomware
Ransomware attacks can happen to any organization. The FBI recommends implementing backups and other defenses before, not after an attack.
“Having a recent backup to restore from could prevent a ransomware attack from crippling your organization,” FBI officials explained. “As ransomware techniques and malware continue to evolve and become more sophisticated, even the most robust prevention controls are no guarantee against exploitation.”
Your organization should regularly backup and verify the integrity of its data, according to the FBI. Because end users are often targets of attacks — as in the case of the DCH Health Systems when an employee opened an email with an attachment — organizations are encouraged to conduct regular training for employees.
“Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression/decompression programs, including those located in the AppData/LocalAppData folder,” the FBI wrote.
And, if your organization is the victim of a ransomware attack, report it as soon as possible to law enforcement, even if you have decided to pay the ransom.