“A recent U.S. government interagency report indicates that an average of 4,000 ransomware attacks happen daily, since early 2016. This is a 300% increase over the 1,000 daily ransomware attacks reported in 2015.” Source: HHS.gov.
Ransomware presents a very serious threat today. For organizations that work with electronic protected health information (ePHI), ransomware threatens not only data privacy, but also the safety of those who rely on electronic systems for ongoing care. Ransomware refers to a form of malicious software (also known as malware) that infiltrates your system and attempts to block user access by encrypting the data. As the name implies, the cybercriminal holds your data hostage for ransom and will only release a decryption key to restore access after you pay the ransom. But the situation can be more complex: The Department of Health and Human Services (HHS) reports that hackers often deploy ransomware that also destroys data, which increases the potential damage to your organization and means that even if you comply with the hackers’ demands, you may not be able to fully restore your data.
Since ransomware attacks enter your network through an email, a seemingly innocent shortcut, or browser activity, employee training has proven to be a top factor in helping secure ePHI and prevent ransomware attacks.
Protect Your Business as Ransomware Risks Increase
In 2016, more than a dozen hospitals experienced ransomware attacks, including Hollywood Presbyterian Medical Center and the Kansas Heart Hospital. Each of these organizations is required to maintain data security and comply with federal HIPAA regulations that safeguard ePHI. Other types of businesses—medical software providers, equipment manufacturers, managed service providers—who store, transmit, or maintain protected health information (PHI) are held to the same HIPAA standards and are targets for ransomware attacks.
According to the NTT Security Q3 2016 Threat Intelligence Report, 73% of healthcare industry malware entered organization systems via emails with dangerous attachments. From Q2 to Q3, NTT Security identified a 17% increase in ransomware cases, indicating an alarming rise in the popularity of this technique among hackers.
While some (like McAfee) have declared 2016 as the year of ransomware and expect the threat to decrease in 2017, ransomware remains a recognizable and dangerous threat companies can proactively combat. By working to reduce the risk of ransomware, companies lessen other risks and improve compliance with HIPAA regulations. Some ransomware attacks constitute HIPAA violations.
The Role of a Healthcare Employee in a Ransomware Attack
Ransomware accesses and encrypts data, making it inaccessible to the rightful, authorized owner. The virus enters the network when unsuspecting users click on email attachments (Word documents, PDFs, etc.), compromised sites or advertisements, and malicious links on social media sites. A hacker can gain access to one computer and eventually the entire network (depending on your configuration), encrypt valuable files, and use fear to coerce a person or a company to pay a ransom for returned access. Some forms of ransomware permanently delete information if the victim refuses to pay (and as mentioned before, sometimes despite payment).
Email inspection tools, user rights, access control, backup systems, and other cybersecurity tools all improve ransomware prevention. An informed employee also plays a key role in ransomware defense. Employees who recognize and report suspicious emails, links, or other digital activities can sometimes contain a widespread and costly attack.
Improve Your Preparation – Tips for Ongoing Employee Training
Malware prevention begins with company policy and user awareness. Healthcare organizations often feature complex networks with several layers of data, including protected health information (PHI). Every access point represents a possible vulnerability. Consider the following user training practices as tactics to improve your existing security policy:
- Limit and prioritize access control. “Verizon’s 2016 Data Breach Investigations Report” notes that 53% of cyber incidents involving insiders occurred due to abuse of user access. Only provide access to what the user absolutely needs to get their job accomplished, and consider that access control takes some of the responsibility away from individual users. If every user, no matter what level of security training they have received, can access the same information, the risk of a breach increases. Access control policies should include strict enforcement for new hires and those leaving, as well as address mobile device use and give management a way to monitor access.
- Create a culture of security awareness. Every employee with some level of access to the network represents a potential vulnerability. Involve everyone in ongoing security training. When employees understand the threats and the consequences of their actions, they make informed decisions.
- Regularly update security training materials. Hackers do not stop evolving, and your healthcare organization cannot afford to stop researching the current threat landscape. Send notices, create practice-based training, and create awareness whenever new phishing scams and compromised websites arise.
- Develop and enforce digital policies. Many employees grow accustomed to browsing online, checking their social media accounts, and playing games during breaks. Completely locking down the network may create a new problem with shadow IT. Instead, create reasonable restrictions and give employees the tools they need to use the internet on company devices responsibly. Consider blocking attachments featuring executable files or installing an office viewer so employees can see what an attachment looks like without opening it.
- Simulate ransomware attacks. Send out suspicious emails as part of an exercise to showcase the camouflaged nature of ransomware. Run simulations on a quarterly basis to see if any employees willingly and repeatedly click on suspicious files or links. You can also use quizzes and interactive training to enhance retention and improve adoption rates.
- Empower employees to report suspicious content. Employees should never fear reprisal for willingly admitting a mistake or reporting suspicious activity. Encourage employees to act quickly if they click on something accidentally or suspect malware. Fast reaction times may help an organization combat an attempted attack.
- Discourage shadow IT. Shadow IT—the use of unauthorized technology in the workplace—can open the door to ransomware attacks. Ask all employees to obtain approval from the IT department before downloading applications on a work device or prevent employees from downloading anything new without first getting IT approval. Instruct employees on general safety practices (e.g., passwords, virus protection, Wi-Fi safety, etc.) if they log into company applications from a personal device.
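The list above recommends blocking attachments that carry executable files. The following script is an added example (not code from the original article or from any product it mentions) showing what such a gateway check looks like in practice: it parses a raw email, inspects each attachment, and flags three patterns that the extension-only rule misses on its own. The blocked-extension list, the sample message and the sender and recipient addresses are assumptions constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed gateway policy: file extensions that are never accepted as attachments.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd",
                      ".ps1", ".hta", ".jar", ".msi"}
# Windows executables (PE files) start with the two bytes "MZ" regardless of
# what the attachment is called, so the content is checked as well as the name.
PE_MAGIC = b"MZ"


def classify_attachment(filename, payload):
    """Return the list of reasons an attachment would be blocked (empty = allowed).

    Three checks are applied:
      1. the final extension is on the block list;
      2. a double extension such as invoice.pdf.exe tries to hide the real type;
      3. the bytes are a PE executable even though the name looks harmless.
    """
    reasons = []
    name = (filename or "").lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
        if len(parts) > 2:
            reasons.append("double extension")
    elif payload.startswith(PE_MAGIC):
        reasons.append(f"executable content (MZ header) named as {ext or 'no extension'}")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and classify every attachment by filename."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        verdicts[name] = classify_attachment(name, payload)
    return verdicts


def build_sample_message():
    """Construct a sample message (not a real capture) with one clean and two
    dangerous attachments, returned as raw bytes as a gateway would receive them."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"          # assumed sender
    msg["To"] = "records@clinic.example.test"     # assumed recipient
    msg["Subject"] = "Invoice for last month"
    msg.set_content("Please see the attached invoice.")
    # 1. A genuine PDF: allowed.
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n",
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    # 2. Executable with a double extension: caught by the name checks.
    msg.add_attachment(PE_MAGIC + b"\x90\x00" + b"\x00" * 16,
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    # 3. Executable renamed to look like a PDF: caught only by the content check.
    msg.add_attachment(PE_MAGIC + b"\x90\x00" + b"\x00" * 16,
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        status = "ALLOW" if not reasons else "BLOCK: " + "; ".join(reasons)
        print(f"{name:20} {status}")
```

The content check matters because an attacker controls the filename but not the format their payload must have to run; a real gateway would extend the same idea to archives (inspecting files inside a ZIP) and to macro-enabled Office documents, which this example does not cover.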
Proper training helps prevent security issues. Users represent one of the first defenses against malware attacks of all kinds, and something as simple as choosing not to click on a link could save an organization from experiencing devastating losses. Ransomware will continue to serve as a threat into 2017 and possibly beyond. Prioritize the use of these vital security measures to prevent ransomware and other cybercrimes from taking place.