I Got Hit by Ransomware… Now What?

By: Amy Wood, President, ACS Technologies, LLC

You clicked on a link in an email and now your information is encrypted and being held for ransom. Your bad day is about to get worse.

What is Ransomware?

Simply put, it is a type of malware (malicious software, loosely called a "virus") that encrypts all or part of your data and holds the decryption key for ransom. If the ransom is not paid within the time allotted, the attackers threaten to destroy the key, after which the data cannot be recovered. Further complicating the problem is that the criminals demand payment in Bitcoin, a cryptocurrency that is hard to trace back to a person and is neither fast nor easy for a first-time buyer to obtain. Opening an account at an exchange, verifying your identity and funding it can take days or even weeks, and by then the deadline may have passed.

Most ransomware arrives as an email attachment that, once opened, infects the computer, spreads across the network, looks for backups (mapped drives, network shares, attached USB disks) and encrypts those as well. Some recent variants, such as WannaCry in May 2017, do not need anyone to click at all: WannaCry spread by exploiting a flaw in Windows file sharing (SMB) that Microsoft had patched two months earlier, and it left unpatched companies around the world, both big and small, with encrypted files.

How Do You Prevent It?

Technology business best practices with a multi-layered defense, plus staff who don't open bad attachments. Seriously, it's that simple and that complex at the same time. Security is a never-ending process that is constantly changing. As it turns out, it's nothing elusive, secret or proprietary; it's doing the things you're supposed to do as a business anyway: paid, business-grade anti-virus, a firewall, patching, backups and proper training.

If you start with training your staff, you will avoid most of the cyber threats out there. Not all of them, since the attackers are getting better at disguising their bait, but the vast majority can be prevented just by knowing what is safe to open. Since most ransomware enters networks through email attachments, be on the lookout for .doc, .zip or .exe files in messages claiming to come from banks, government agencies, shippers and the like. The bad guys play the odds: the odds that someone in your office banks with Bank of America or Wells Fargo are high, so that's why those names are used as bait. A Word file that asks you to "enable content" (macros), a .zip you weren't expecting, or an attachment with a double extension such as Statement.pdf.exe should be treated as hostile until your IT Provider says otherwise.
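To make the "what is safe to open" rules concrete, here is an added example (not code from the original article or from ACS Technologies) that triages a constructed phishing message the way a mail filter or a help-desk script might. It checks three things the paragraph above describes: risky attachment extensions, double extensions that disguise an executable, and a display name claiming a bank the sender's domain does not belong to. It also checks the attachment's leading bytes, since the filename can lie. The message, the extension lists and the brand-to-domain table are illustrative assumptions, not a vendor's rule set.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real phishing email). It claims to come
# from a bank, but the actual sender domain is unrelated, and it carries two
# attachments: a disguised Windows executable and a legacy Word document.
SAMPLE_EML = """\
From: "Wells Fargo Online" <alerts@wf-secure-notify.example>
To: frontdesk@practice.example
Subject: Your statement is attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached statement.
--XYZ
Content-Type: application/octet-stream; name="Statement_0417.pdf.exe"
Content-Disposition: attachment; filename="Statement_0417.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ
Content-Type: application/msword; name="Invoice.doc"
Content-Disposition: attachment; filename="Invoice.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEA
--XYZ--
"""

# Illustrative lists (assumptions); a real deployment maintains these per practice.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta",
                    ".lnk", ".jar", ".zip", ".doc", ".docm", ".xls", ".xlsm"}
DISGUISE_EXTENSIONS = {".pdf", ".doc", ".xls", ".jpg", ".txt"}
CLAIMED_BRANDS = {  # display-name keyword -> domains that may legitimately use it
    "wells fargo": {"wellsfargo.com"},
    "bank of america": {"bankofamerica.com"},
}
MAGIC_BYTES = [  # file signatures, checked because the filename can lie
    (b"MZ", "Windows executable"),
    (b"\xd0\xcf\x11\xe0", "legacy Office document (can carry macros)"),
    (b"PK\x03\x04", "ZIP archive (or an Office .docx/.xlsx)"),
]


def classify_attachment(filename, data):
    """Return a list of reasons this attachment is suspicious (empty if none)."""
    findings = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        findings.append(f"risky extension {ext}")
    if len(parts) > 2 and "." + parts[-2] in DISGUISE_EXTENSIONS:
        findings.append("double extension disguises the real type")
    for magic, description in MAGIC_BYTES:
        if data.startswith(magic):
            findings.append(f"content is a {description}")
            break
    return findings


def check_sender(from_header):
    """Flag a display name that claims a brand the sender domain does not belong to."""
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower()
    for brand, domains in CLAIMED_BRANDS.items():
        if brand in display.lower() and domain not in domains:
            return f"display name claims '{brand}' but sender domain is {domain}"
    return None


def triage(eml_text):
    """Parse one raw message; report the sender check and per-attachment findings."""
    msg = email.message_from_string(eml_text, policy=policy.default)
    report = {"sender": check_sender(msg["From"] or ""), "attachments": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        report["attachments"][name] = classify_attachment(name, data)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(key, value)
```

Run on the sample, `triage` reports the brand/domain mismatch and flags `Statement_0417.pdf.exe` three times over (extension, double extension, and `MZ` header), while `Invoice.doc` is flagged for its extension and its OLE signature. None of these checks is proof of malice on its own; a legitimate vendor really does send .doc invoices. The point is that each finding is a reason to stop and ask your IT Provider before opening, which is exactly the habit the training is meant to build.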

Basic computer security is your next layer of defense. In healthcare, it is now expected, by doctors as well as by the government, that IT Providers will protect your network with security products such as secure email, anti-virus, firewall subscriptions, patching and backups. Most IT Providers would rather spend a few minutes with you determining whether an email is fake or legitimate than clean up the nightmare of a malware infection, which usually means downtime, extra cost and, in the case of ransomware, a potential data breach.

What Happens If You Get It Anyway?

If basic best practices aren't enough, or you have an employee who just can't help themselves and opens an attachment, then you are looking at a brutal confrontation with ransomware and asking yourself, "what next?"

Hopefully, you have all of the technology best practices in place from your IT Provider before this happens (hint, hint: hire a qualified, healthcare-specific IT Provider that fully understands HIPAA and how it applies both to you as a Covered Entity and to them as a Business Associate), so you'll be able to rely on your backups to avoid paying the ransom. That's not the end, though. You need to show that your data did not leave your custody, that is, that the ransomware didn't send your data out of your practice. This is usually done with the logs of a properly configured firewall: if the outbound traffic from the infected machines during the incident window shows no large or unexplained transfers, you have evidence that the data was encrypted in place rather than stolen. Keep in mind that, under HHS guidance, a ransomware infection of ePHI is presumed to be a reportable breach, because an unauthorized party took control of the data by encrypting it, unless you can demonstrate a low probability that the ePHI was compromised, for example by showing that it never left your facility.
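The "did the data leave?" question comes down to reviewing egress logs for the infected machines. The following is an added example, not code from the original article or from ACS Technologies, that does that review over a constructed, simplified firewall log. It totals the bytes each infected host sent to each destination during the incident window and flags destinations that are not on a known-good allowlist and received more than a threshold. The log format, the IP addresses, the allowlist and the 1 MB threshold are all illustrative assumptions; a real firewall (pfSense, Fortinet, Sophos and so on) has its own log syntax, so `parse_line` is the function you would adapt.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall connection-log excerpt in a simplified
# "timestamp src_ip dst_ip dst_port bytes_out" format (an assumption, not any
# vendor's real format). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2017-06-12T09:58:02 10.0.0.23 203.0.113.10 443 18200
2017-06-12T10:01:15 10.0.0.23 198.51.100.7 443 9200000
2017-06-12T10:02:40 10.0.0.23 198.51.100.7 443 11400000
2017-06-12T10:03:05 10.0.0.41 203.0.113.10 443 2100
2017-06-12T10:05:30 10.0.0.23 192.0.2.55 8443 4300000
2017-06-12T11:30:00 10.0.0.23 203.0.113.10 443 1400
"""

# Illustrative allowlist: destinations you already know and expect, such as the
# cloud practice-management vendor or the off-site backup service.
KNOWN_GOOD = {"203.0.113.10"}


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, bytes_out)."""
    ts, src, dst, port, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def outbound_summary(log_text, infected_host, start, end):
    """Total bytes sent by infected_host to each destination during [start, end]."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port, nbytes = parse_line(line)
        if src == infected_host and start <= ts <= end:
            totals[dst] += nbytes
    return dict(totals)


def suspicious_destinations(summary, allowlist, threshold_bytes=1_000_000):
    """Unknown destinations that received at least threshold_bytes, largest first."""
    hits = [(dst, n) for dst, n in summary.items()
            if dst not in allowlist and n >= threshold_bytes]
    return sorted(hits, key=lambda item: item[1], reverse=True)


def review(log_text, infected_host, start_iso, end_iso, allowlist=KNOWN_GOOD):
    """Run the review for one host over an ISO-8601 time window."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    summary = outbound_summary(log_text, infected_host, start, end)
    return summary, suspicious_destinations(summary, allowlist)


if __name__ == "__main__":
    totals, flagged = review(SAMPLE_LOG, "10.0.0.23",
                             "2017-06-12T10:00:00", "2017-06-12T11:00:00")
    print("bytes out per destination:", totals)
    print("unexplained transfers:", flagged)
```

In the sample, the infected workstation pushed about 20 MB to one unknown address and 4 MB to another within the first ten minutes, which is exactly what you do not want to see. Two caveats a practitioner should keep in mind: the logs have to exist before the incident, so confirm now that your firewall records outbound connections with byte counts and keeps them long enough; and a quiet log is supporting evidence for the risk assessment, not proof, since an attacker can exfiltrate slowly over days or through an allowed destination. Widen the window and lower the threshold before concluding that nothing left.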

Reverting to a backup is no picnic either. Most people think all backups are created equal, and that is not the case. Depending on your current backups, it could be several days or weeks of downloading the raw data over the internet, rebuilding a server and reinstalling the practice management system to put the data into, or it could be a few hours to spin up a virtual machine of your server from an image-based backup. The standard of care for backups has changed significantly in the last few years, so ask your IT Provider whether your current backup solution meets the threats you now face, such as ransomware: in particular, whether at least one copy is kept offline or otherwise out of reach of an infected machine on your network, and whether a full restore has actually been tested.

Should you actually have to pay the ransom, as a last line of defense you may look at insurance as a financial safety net, but just like backups, not all insurance is equal. What you'll need is cyber liability coverage that includes cyber crime and data breach coverage. Contrary to popular belief, this is not part of your General Liability or Malpractice insurance. Even if you do have the insurance, chances are that it doesn't adequately cover you: since this insurance is relatively new, there are a lot of low limits and exclusions for common claims. You should prepare to have $500,000 of coverage for every 1,000 active charts, so check your current policies.

Ransomware can largely be prevented by a few easy processes with your employees together with good technology security. It doesn't have to be as scary as everyone makes it sound.