The FBI, HHS and Cybersecurity & Infrastructure Security Agency (CISA) issued an Alert on 10/28/20 that ransomware criminals are going after healthcare practices as never before. How might this happen to you?
You arrive at your office, turn on your computer and see the message to the right. You try everything you can think of to get into your programs, but nothing works. Your data has been kidnaped.
You call your computer guy who tells you to unplug your modem and router, but not turn off any computers. He rushes over and tries 5-6 possible solutions, without success.
He then says, “I recommend we wipe your computer server, reinstall your software and use your backup copy to restore your data. You do have a backup copy, right?”
How Ransomware Works
A recent U.S. Government report found that on average, there are 4000 ransomware attacks per day. Millions of computers around the world have been locked by malicious programs that are designed to extort money from users. They have gotten money from businesses of all sizes, government departments (including police departments) and individuals. In April 2020, more healthcare businesses were hit than ever before as, it turns out, hackers can sell patient data for four times more money than general ID and credit card theft.
The bad guys infect your computer, encrypt your data so you cannot use it, and then use an untraceable communication system (Tor) and an untraceable finance system (Bitcoin) to get your ransom payment. Healthcare practices and their online computer providers are being hit each day. The criminals demand payment and threaten that otherwise the victims' data will be lost, sold or released to the public.
What to do if You Are the Victim of a Ransomware Attack
Computer experts recommend you disconnect from the internet, but not turn off any device. Some of the ransomware viruses do more damage when a computer is rebooted.
You can then recover your systems by replacing or wiping your hard drive and restoring your backup. If you have no backup, you will need to either hire a ransomware expert or pay the ransom. If you pay the ransom, the hackers may or may not restore your data, or will simply disappear and sell your data. The hackers can also leave viruses in your system to repeat a ransom demand in the future. If you do not pay the ransom, the hackers will make more threats or disappear.
Meanwhile, the US Health and Human Services would like you to do the following:
- Never pay the ransom. Instead, contact your local FBI Field Office Cyber Task Force or US Secret Service Electronic Crimes Task Force (secretservice.gov/investigation/#field) immediately to report the ransomware and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
- Report cyber incidents to the US-CERT (us-cert.gov/ncas) and FBI’s Internet Crime Complaint Center (ic3.gov).
- If your facility experiences a suspected cyberattack affecting medical devices, contact the FDA’s 24/7 emergency line at 1-866-300-4374.
Ransomware May Be a HIPAA PHI Breach
On July 11, 2016, the Health and Human Services Office for Civil Rights released a new HIPAA guideline on ransomware. Per the HHS, “A ransomware attack usually results in a ‘breach’ of healthcare information under the HIPAA Breach Notification Rule unless you can demonstrate (and document) that there is a ‘low probability’ that the information was compromised.” This easy-to-understand guideline explains how to prevent, report and recover from a Ransomware attack: www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
How to Block Ransomware Infections
Fortunately, you can reduce or eliminate your risk of such an infection with these steps.
- Never open an attachment from someone you do not know or even a suspicious email from someone you do know. In the second case, send the person you do know a new email asking about the attachment.
- Common attack emails include, “Your payment was approved,” “Your password was changed,” “Your health insurance policy has been cancelled,” “Your invoice is attached” or “Your package is ready for pickup.” Because of the coronavirus crisis, ransomware spam emails also include “Buy your masks here” or “Coronavirus cure is now available!” or “Read what the government does not want you to know.” Never reply to these emails, click the links or download the attachments. Block them, report them as spam or just delete them.
- Only download a file from websites that you completely trust. For example, do not trust a user manual that is not from the manufacturer’s website. If you open the file and do not see a user manual, you have been infected by something.
- Before clicking on a link on a website or in your email, roll your mouse cursor over the link. You should see a small window pop up somewhere (e.g., near your cursor or at the bottom of your screen) that shows where the link will be taking you. If it does not look right, do not click it! For example, if you roll your cursor over this link: www.google.com, you will see it takes you to Google, but this link takes you to Yahoo: www.google.com.
- Set up and use user accounts that do not have the power to install anything. Only the practice’s Administrator user account should have this power. The Administrator should only use this user account for Administrator duties, not day-to-day work.
- The Administrator user account should require extra security to sign in. For example, use a password that is at least 16 characters long, but still easy to enter, like “allcatsareorange.” Another example is a two-part verification that sends a text code to the Administrator’s phone; the Administrator must then enter the code before gaining access to the server.
- Install and use anti-virus software. Windows 10’s free Defender now includes ransomware protection, as do all major anti-virus systems.
- Keep all of your software up-to-date. Every time you get a notice to update your software, DO IT, no matter what it costs. These updates may block recently-discovered infections.
- Try not to install software from a company that you are not familiar with. If you are confident it will not open the door to a problem, read the “End User License Agreement” before you install it. You can also install it on a computer that is not in your network.
- If you use Windows XP or Windows Server 2003, upgrade to Windows 10 or Windows Server 2012 as soon as possible. Microsoft is constantly and automatically updating their latest software to protect your data better than ever.
- If you give a service technician access to your system, make sure to close the access when done and reboot your computer, as well. Do not allow 24/7 access to your computer system to anyone.
- Back up your data every night. You can use physical backups, like tapes or disks, you can back up your data online or, ideally, both. If you use physical backups, remove the disk or tape, as computer viruses can access your backup copy if it is in your computer. To be completely safe, follow the 3-2-1 rule: three copies of your data, stored in two different formats, with one copy stored off-site.
- Make sure your backups are encrypted. Search the web for encrypted backup systems to find the best deals.
- Check your backup copies on a regular basis to ensure they are usable.
- Find a computer security person or company that can quickly help you in an emergency. Ask them to run a scan to ensure a ransomware virus is not sleeping on your hard drive. A good place to start is bleepingcomputer.com.
- Check if your office liability policy covers ransomware attacks. If not, consider buying ransomware insurance.
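The hover check described in the list above can also be done automatically on an email's HTML body. This is an added example, not part of the original article; the function names and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Visible link text that itself looks like a web address, e.g. "www.google.com"
HOSTLIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#]|$)", re.I)

def _site(host):
    """Normalise a hostname for comparison: lowercase, no leading 'www.'."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    """Collects (visible_text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html):
    """Return links whose visible text names one site but whose href goes to another."""
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        shown = HOSTLIKE.match(text)
        target = _site(urlsplit(href).hostname)  # empty for relative or mailto: links
        if shown and target and _site(shown.group(1)) != target:
            findings.append({"shown": text, "goes_to": target})
    return findings

# Constructed sample message body (not from the original article).
SAMPLE = """
<p>Rolling over <a href="https://www.google.com/">www.google.com</a> shows Google,
but <a href="https://www.yahoo.com/">www.google.com</a> goes somewhere else.
<a href="https://example.org/help">Click here for help</a></p>
"""

if __name__ == "__main__":
    for f in mismatched_links(SAMPLE):
        print(f"Text says {f['shown']!r} but the link goes to {f['goes_to']}")
```

The comparison is an exact hostname match after dropping "www.", so a link shown as one site but pointing at a subdomain of it is also flagged for a second look.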
Learn more at krebsonsecurity.com/tools-for-a-safer-pc, cisa.gov and microsoft.com.