Electronic Health Reporter

By Bill DeLisi, CEO and CTO, GOFBA, Inc.

In October 2020 a joint advisory by the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services and the FBI noted there is a “credible information of an increased and imminent cybercrime threat” affecting U.S. hospitals and healthcare providers. A main part of this threat features ransomware attacks, where hackers take control of data and systems to extract ransoms.

The alert detailed the actions of a Russian-speaking group called Ryuk and a type of trojan known as Trickbot. Even more alarming, many healthcare providers might already be infected with malware, with hackers waiting for an opportune time to launch an attack and cripple the organization’s operations.

To prevent successful ransomware attacks, hospital IT and management teams need to implement multi-pronged strategies focusing on training, technology solutions, and other best practices. See below for a few actionable tips to include in your plan.

Preventing Intrusions with Training

A fall 2020 phishing attack against the University of Missouri Health Center exposed data for more than 14,000 patients. The health center noted two employee email accounts were hacked, which led to data access to Social Security numbers, clinical information, and other patient-specific data. The breach underscores the threat of staff members as the most prevalent conduit for hackers. Preventing such instances takes diligent training that helps workers understand the various threats and how they should adjust their behaviors accordingly. This is critically important.

Hackers also attack healthcare providers to take advantage of overworked nurses, doctors, and other clinical staff. COVID-19 places enormous strain on these workers, and they may not make the best IT-related decisions when they’re functioning on limited sleep and enormous stress.

Preventing the “human element” that leads to ransomware attacks requires diligent training. Here are some key tips for employees:

• Show staff members examples of phishing schemes. Use visuals to show them emails that might look authentic at first glance but deserve closer inspection. For example, phishing emails might include links with misspelled addresses and may not look professional, however recent phishing emails look very authentic, and hackers are getting much better at fooling people. Many recent hacking schemes use COVID-19 content to grab people’s interest.
• Discuss some of the most prevalent tricks hackers use to fool people, such as adding an urgent tone to messages or imploring them to take an unusual action, or even something as simple as “click here”.
• Encourage staff to confirm messages with their superiors or outside trusted resources. So instead of relying on a “Breakthrough Message from the CDC”, they should visit the official CDC site for assurance.
• Remind staff members it’s always acceptable to alert IT about suspicious messages. Get them to err on the side of caution, while also giving them the access they need to work effectively.
• Talk about vishing and smishing schemes, which come through the phone, tablet, or through SMS messaging. Email-based phishing has been around for a while, so hackers are using new pathways like vishing and smishing to persuade your employees to give them access.

Manage Remote Workers

The number of at-home healthcare workers is exploding due to COVID-19, as administrative and billing roles are easily handled through online platforms. And, with the rise in telemedicine, more practitioners are setting up HIPPA-compliant communications tools from home.

At-home employees are a new reality during COVID-19, but they pose unique risks. For example, these employees are much more likely to look at inappropriate websites containing pornography, which has content filled with malware, spyware and viruses. A Kaspersky study of 6,000 remote workers found more than fifty percent reported looking at adult content on their work devices, which exposes them to personal blackmail, opens a conduit to their employer’s IT infrastructure, and reduces their efficiency as productive employees.

Remote workers often engage in “Shadow IT” which means they make their own choices about various software and devices they use to conduct work. Using unapproved devices and services, such as an unsecured communication/messenger platform, not only exposes patient data to HIPPA violations, but it also exposes the IT infrastructure to hackers. Setting defined BYOD rules is an important addition to managing approved platforms, and keeping your network secure.

Prevent Intrusions

In addition to training, IT can implement other technical and behavioral guidelines to stop breaches and potential ransomware attacks. Ensure your IT group is using the latest firewalls and anti-malware solutions, and just as important, that these are continually updated. Consider using a “secure” search engine and communication platform, such as GOFBA, that greatly reduces the possibility of users reaching sites with suspected malware. A safe and secure communication platform is essential when healthcare staff are working from home.

Additional IT-side tips to reduce ransomware intrusions include:

• Install OS, firmware, and system patches immediately upon availability.
• Require multi-factor authentication for all staff members to access systems.
• Perform an audit to determine the number of users with admin access privileges and reconfigure to reduce access levels for additional safety.
• Ensure the legitimacy of new user accounts through auditing.
• Backup systems and store the backup data offline for maximum protection — test your ability to restore data and get back to full operations after a ransomware attack.
• Have your email and other communication platforms (IOT’s) on a separate network.

Why are hospitals and other healthcare organizations consistently threatened with ransomware? Unfortunately, it’s because of the type of valuable data the hackers can steal, “lock” and hold hostage. A common type of ransomware involves a hacker encrypting files or hard drives, and the facility must pay to get the decrypting key. If the hospital does not follow sound backup and redundancy procedures, then they might face losing the data or paying the ransom. Also, and most important to the hacker, hospitals are more likely to pay because the information they hold relates to saving lives. They could also possess data about medical research such as treatment regimens for COVID-19, or other emergency response metrics.

Reducing the ransomware threat is truly a “life or death” situation for healthcare providers, one that requires a combination of training and technology. Having a plan, and incorporating strategies like these, will greatly decrease your chances of being attacked, and more importantly, save lives.