Healthcare continues to be a prime target for ransomware. All hospitals, small and large, seem to be on a hit list, and hospitals around the U.S. are reporting ransomware incidents. HHS has stepped in with its guidelines on ransomware and treats a ransomware incident as a data breach unless the hospital can prove no data exfiltration occurred. Fun fact: many hospitals I have visited do not have the capability to investigate data exfiltration. So, not seeing any data leaving the hospital means no exfiltration? If so, how do you really prove it? What if you don't keep firewall or NIDS logs?
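The only honest answer to "how do you prove it" is to have retained the perimeter logs and to have looked at them. The following is an added example (not code from the original post) of the kind of egress accounting that makes such an investigation possible. It assumes a simplified, constructed firewall connection record of the form `<timestamp> src=<ip> dst=<ip> dport=<port> bytes_out=<bytes>` (not any specific vendor's format), constructed sample lines, and the helper names `parse_log`, `egress_by_host` and `flag_exfil`. The threshold values are assumed tuning knobs, not a standard.

```python
"""Egress accounting over retained firewall connection logs.

Added example, not from the original post. The record format below is an
assumed simplified one; the sample lines and addresses are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from statistics import median

# Constructed sample records (not real traffic). One internal host
# (10.20.7.88) pushes ~1.4 GB to a single external address overnight, one
# transfer is internal-only (SMB to a file server), and one line is malformed.
SAMPLE_LOG = """\
2016-06-01T02:10:05 src=10.20.5.14 dst=52.10.33.7 dport=443 bytes_out=18220
2016-06-01T02:10:09 src=10.20.5.31 dst=10.20.1.10 dport=445 bytes_out=1203400
2016-06-01T02:11:40 src=10.20.5.14 dst=52.10.33.7 dport=443 bytes_out=22100
2016-06-01T02:12:01 src=10.20.7.88 dst=5.6.7.8 dport=443 bytes_out=734003200
2016-06-01T02:15:33 src=10.20.7.88 dst=5.6.7.8 dport=443 bytes_out=688112000
2016-06-01T02:16:00 firewall restarted
2016-06-01T02:20:12 src=10.20.9.2 dst=93.184.216.34 dport=80 bytes_out=5120000
2016-06-01T02:21:47 src=10.20.9.3 dst=93.184.216.34 dport=443 bytes_out=2048000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # operator messages, truncated lines, other noise
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def egress_by_host(records):
    """Sum bytes each internal source sent to non-private (external) destinations.

    Internal-to-internal transfers are not counted here: lateral movement matters,
    but the question the post asks is whether data left the hospital. Note that
    Python's is_private also covers reserved and documentation ranges.
    """
    totals = defaultdict(int)
    for rec in records:
        if ipaddress.ip_address(rec["dst"]).is_private:
            continue
        totals[rec["src"]] += rec["bytes"]
    return dict(totals)


def flag_exfil(egress, floor_bytes=100 * 1024 * 1024, multiplier=10):
    """Hosts whose external egress exceeds both an absolute floor and
    `multiplier` times the median host. Both are assumed tuning values;
    derive them from your own baseline period."""
    if not egress:
        return []
    threshold = max(floor_bytes, multiplier * median(egress.values()))
    return sorted(((h, b) for h, b in egress.items() if b > threshold),
                  key=lambda hb: hb[1], reverse=True)


if __name__ == "__main__":
    totals = egress_by_host(parse_log(SAMPLE_LOG))
    for host, nbytes in flag_exfil(totals):
        print(f"{host}: {nbytes / 2**20:.1f} MiB to external addresses")
```

Run over a day of constructed logs this flags only 10.20.7.88; the host that moved 1.2 MB over SMB to an internal server is deliberately ignored, which is the trade-off to keep in mind when the same script is reused to look for staging before exfiltration. The larger point stands: if the log retention window is shorter than the dwell time, there is nothing to run this over.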
Whining aside, security experts have suggested a few ways to fight ransomware:
- Educate your users about drive by downloads and phishing
- Keep your systems and applications up to date
- Monitor system and network resource usage
- Back up your system and application configurations
- Back up your data
- Keep offsite, offline (cold) backups that ransomware on the network cannot reach
- Test your backups regularly
- Update and test your incident response plan
- Update and test your disaster recovery plan
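"Test your backups regularly" is the step most often skipped, and a backup that has never been restored is an assumption, not a backup. Below is an added example (not code from the original post) of a minimal restore test: a SHA-256 manifest is generated at backup time and stored with the offline copy, a restored tree is checked file by file against it, and the backup's age is compared to the recovery point you can tolerate. The helper names `build_manifest`, `verify_restore` and `backup_too_old`, the directory layout and the file contents are all constructed for the demo.

```python
"""Restore test for a backup set: integrity and freshness checks.

Added example, not from the original post. Helper names and the toy
backup layout are assumptions for the demonstration.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large database dumps do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root, POSIX form) to its SHA-256.
    Generate this at backup time and keep it with the offline copy."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored):
    """Compare a restored tree against the manifest.
    Returns a list of (problem, relative_path); empty means the restore is exact."""
    problems = []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(("missing", rel))
        elif sha256_file(p) != digest:
            problems.append(("mismatch", rel))
    return problems


def backup_too_old(taken_at, now, max_age=timedelta(days=1)):
    """A backup older than the recovery point objective is a finding too:
    a verified but stale backup still loses a day of charting."""
    return now - taken_at > max_age


def demo():
    """Build a toy backup, then test a clean restore and a damaged one in which
    one file was overwritten (as ransomware would) and one was deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ehr_backup"
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.ini").write_text("db=ehr\n")
        (src / "patients.db").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(src)

        good = Path(tmp) / "restore_ok"
        shutil.copytree(src, good)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "patients.db").write_bytes(b"\xff" * 4096)  # encrypted in place
        (bad / "config" / "app.ini").unlink()               # deleted

        return {
            "files_in_manifest": len(manifest),
            "good": verify_restore(manifest, good),
            "bad": verify_restore(manifest, bad),
            "stale": backup_too_old(datetime(2016, 6, 1), datetime(2016, 6, 3)),
            "fresh": backup_too_old(datetime(2016, 6, 1), datetime(2016, 6, 1, 12)),
        }


if __name__ == "__main__":
    result = demo()
    print("clean restore problems:", result["good"])
    print("damaged restore problems:", result["bad"])
    print("two-day-old backup stale?", result["stale"])
```

The manifest has to live with the offline copy, not on the file server: if ransomware can reach the manifest it can rewrite it to match the encrypted files, and the check passes for the wrong reason. The same script doubles as the quarterly evidence that the disaster recovery plan was actually exercised.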
To be honest, the healthcare industry is only beginning to let go of Windows XP. It will take a while to solidify its cybersecurity structure. Just last month a friend discovered one of her clients was using the word "password" as the default password for new and reset credentials. Guess what? If you don't require your users to change their new password, they won't. About 10% of accounts were cracked using this default password.
Maybe ransomware is a wake-up call. Maybe it's the healthy dose the healthcare industry needed to realize how it has been putting lives in danger. The cost of an EHR outage is roughly $480 per physician per hour. A ransomware outbreak that takes an EHR down for a week can cost a fortune. Do we really want to see another example?