CBS on its show “60 Minutes” this week devoted a couple of segments to the growing problem of ransomware in healthcare. In one segment, they interviewed two cybersecurity experts, and one hospital CEO who recently lived through a ransomware attack, to learn some fundamental tips. Every healthcare CIO, CTO, or IT Director should review these tips and determine if there are gaps at their organization they should address to better prevent and prepare for a ransomware attack.
Michael Christman, an FBI Cybersecurity Executive who formerly ran the FBI’s Cybercrime unit, was asked how to avoid a ransomware attack. He answered, “Practice great cyber hygiene.” His list of “cyber hygiene” recommendations is as follows:
- Patch computers and networks regularly and rapidly. (Note: in video interview but not in article)
- Enforce two-factor, or multi-factor, methodology for password authentication.
- Make sure backups are secured offline.
- Employ internal network segmentation firewalls so that an attacker who gets past your perimeter firewall cannot move laterally through your entire network.
- Regularly update your password (Note: in article but not in video interview).
- Allowing remote access for staff creates its own set of vulnerabilities, especially when you consider the possibility of stolen passwords.
Tom Pace, VP at BlackBerry Cylance, was asked for tips to help individuals keep their own computers safe from ransomware and avoid being the one who introduces it into their organization’s network. Pace focused on how to recognize a phishing email and avoid clicking on its attachments or links. Here are his top tips:
- Be aware of who the email is from and where it is coming from.
- Consider whether you are expecting an attachment or link from this person. Do they normally send this kind of email to you? If not, give them a call to make sure they actually were the ones sending the email.
- Does the email have misspelled words or strange word choices?
- Does the email have odd links?
- Does it have an unexpected attachment (especially a .exe file or zip file)?
Pace also emphasized that patching or updating your computer is important, and when it prompts you to update your software, do it.
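Pace’s checklist is aimed at people, but the “who is it from”, “odd links” and “unexpected attachment” checks can also be run by a script before a message reaches an inbox. The following is an added example written for this page (it is not code from the 60 Minutes segment, from BlackBerry Cylance, or from any product): it parses a raw email with Python’s standard library and reports the same indicators a careful reader would look for. The two sample messages, the `.example` domains and the list of risky extensions are constructed for illustration, and the set of trusted sender domains is an assumption the caller supplies.

```python
"""Heuristic phishing triage for one inbound message (added example, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: extensions that commonly carry, or unpack to, executable content.
RISKY_EXTENSIONS = {".exe", ".zip", ".scr", ".js", ".vbs", ".iso", ".lnk", ".hta"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Lower-cased hostname from a URL or a bare 'domain/path' string; None if there is none."""
    candidate = url_or_domain if "://" in url_or_domain else "http://" + url_or_domain
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def domain_of(address):
    """Domain part of an email address, lower-cased ('' if malformed)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw_email, trusted_domains):
    """Return human-readable phishing indicators found in raw_email (empty list = nothing odd)."""
    msg = message_from_string(raw_email)
    findings = []

    # "Know who and where the email is from": sender domain and where replies go.
    sender_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    if sender_domain not in trusted_domains:
        findings.append(f"sender domain not recognized: {sender_domain or '(none)'}")
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"replies are routed to a different domain: {reply_domain}")

    for part in msg.walk():
        # "Unexpected attachment, especially .exe or .zip".
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment: {filename}")
            continue
        if part.get_content_type() != "text/html":
            continue
        # "Odd links": visible text naming one host while the href goes to another.
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            href_host = host_of(href)
            if not href_host:
                continue
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
                findings.append(f"link points at a raw IP address: {href}")
            text_host = host_of(text) if re.search(r"\w\.\w", text) else None
            if text_host and text_host != href_host and not href_host.endswith("." + text_host):
                findings.append(f"link text shows {text_host} but goes to {href_host}")
    return findings


# Constructed sample messages (not real traffic); domains use the reserved .example TLD.
PHISH = """\
From: "IT Helpdesk" <helpdesk@hospital-it-support.example>
Reply-To: recovery@mailbox-reset.example
To: nurse@hospital.example
Subject: Your password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Reset now: <a href="http://hospital.example.reset-portal.example/login">https://portal.hospital.example</a></p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="PasswordReset.zip"

UEsDBAo=
--b1--
"""

LEGIT = """\
From: "Pharmacy" <pharmacy@hospital.example>
To: nurse@hospital.example
Subject: Formulary update
Content-Type: text/html; charset="utf-8"

<p>See <a href="https://intranet.hospital.example/formulary">intranet.hospital.example/formulary</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw, {"hospital.example"}))
```

Run against the constructed phishing sample, `analyze` reports four indicators (unfamiliar sender domain, a Reply-To pointing elsewhere, link text that names the hospital portal while the href goes to a look-alike domain, and a `.zip` attachment); the legitimate sample produces none. The link check deliberately treats a subdomain of the displayed host as fine, so `intranet.hospital.example` under text reading `hospital.example` is not flagged. Heuristics like these are a triage aid, not a verdict: a message that passes them still deserves Pace’s phone call to the sender if the attachment or link was unexpected.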
Steve Long, the CEO of Indiana’s Hancock Regional Hospital, experienced a ransomware attack and ended up paying $55,000 to unlock and retrieve his organization’s data. He regularly speaks to other healthcare executives and emphasizes these three points:
- Healthcare executives need to talk about this [ransomware] so they are prepared when they experience an attack.
- It’s not “if” but “when” as far as whether you are going to be a victim of an attack.
- “Fundamentally good organizational dynamics are what you need. So the things you are trying to do anyway, that’s what will get you through this.”