Ever since WannaCry, the healthcare industry has known just how dangerous ransomware can really be. However, practices keep getting hit – as is the case with the Olean Medical Group. Have you learned the right lessons from incidents like these?
Ransomware is a growing problem for healthcare organizations of all sizes – in fact, almost half of all ransomware incidents reported last year targeted healthcare companies.
Aggressive strains like WannaCry are becoming more and more common, while many healthcare organizations continue to fail to take the appropriate steps to protect themselves.
It’s been over two years since the WannaCry ransomware strain struck on the evening of May 11th 2017, encrypting the data of thousands of healthcare organizations in the UK (including the entirety of the National Health Service) and holding them to ransom. By the end of the weekend, WannaCry had infected thousands of networks in over 150 countries around the world.
Despite the extent of that attack, the world still doesn’t seem prepared to defend itself against ransomware. Case in point – the Olean Medical Group.
While the exact details of the New York state ransomware attack from earlier this month are unclear, the Olean Medical Group staff went without access to their systems and data for over 40,000 patients until they paid the hackers. Olean Medical Group CEO Christine Strade confirmed that they did, in the end, agree to pay the hackers, since which they have been working to regain access to their data and systems.
In the meantime, staff members had to maintain patient files in hard copy, with pen and paper. Olean Medical Group has since hired Kivu, a cybersecurity forensic company, to investigate the attack.
Even without talking to Olean Medical Group or Kivu directly, a few key lessons can be learned from this incident…
4 Lessons To Learn From Olean Medical Group
- Test Your Disaster Recovery – Otherwise It Will Likely Fail
Even though Olean Medical Group insists that no patient data was compromised, the fact is that they lost access to patient data, and they had to pay a ransom. That’s a clear failure of whatever disaster recovery and business continuity processes they had in place.
The best way to make sure this won’t happen is to test it on a regular basis. Evidently, Olean Medical Group either didn’t test their disaster recovery processes, or the testing that did take place was not comprehensive enough.
- Do You Have Business Continuity Plans To Follow During An Incident?
After they lost access to data, Olean Medical Group’s staff had to use pen and paper to complete patient charts. What would happen if they had a fire on site? Or if a chart was misplaced? Or if the paper records were compromised in any other way?
The point is that you need a plan for when your systems are down. Olean Medical Group either assumed that their systems were infallible, or that they could survive on pen and paper for as long as needed – in either case, they assumed a high degree of risk in the continuity of their patient data. One more mistake would quickly compound the trouble they were already in.
- Paying Doesn’t Make The Problem Go Away
Despite the fact that Olean Medical Group paid “a significant amount of money” to the hackers, that didn’t solve their immediate problems. It may have given them what they needed to decrypt their files, but they were still offline for days in the aftermath of the attack while they worked to restore access to files. As Kapersky notes, 34% of businesses hit by ransomware take up to a week to regain access to data.
It’s important to understand that even if you’ve budgeted large sums of money to pay off hackers in the event of a ransomware attack (which is unlikely and unreasonable in and of itself), it won’t make all your problems go away in an instant.
- Will You Have The Help You Need?
Olean Medical Group hired Kizu to investigate the incident, which is just another expense to add to the tab. However, as of June 19, they had yet to contact local law enforcement or the FBI, the latter of which deal with ransomware on a regular basis.
It begs the questions – have you established relationships with local law enforcement? They can be a big help in situations like this – you don’t want the first time you talk to them to be when you’re trying to protect your data and come up with the money to pay a ransom.
What Steps Can You Take To Protect Your Practice?
While we do have three tips list below, the theory behind this kind of defense has two key aspects – prevention and response.
In prevention, you need to make sure your staff understands how ransomware works, and how it tends to make it onto a victim’s network – that is, by tricking an unsuspecting user into opening an email that’s carrying ransomware.
In response, it comes down to disaster recovery and incident response. If you have your data backed up, are you testing recovery procedures regularly? If so, then it doesn’t matter if your data has been encrypted. You can just replace it with your backup, simple as that.
When developing your ransomware defense, keep these three recommendations in mind:
- Make a considerable investment in a comprehensive backup data recovery solution so that you can restore your data at a moment’s notice when necessary.
- Train your employees to recognize spoofed and false emails so that they don’t download a malware-infected attachment and help the hacker encrypt your data.
- Be sure to make the most of the available resources (both provided online and through expert IT support professionals) to ensure that you’re not overlooking vulnerabilities in your IT security.
Beyond simple security updates, it’s worth noting that ransomware often penetrates many systems through conventional phishing schemes, in which a fraudulent email requests that the recipient downloads an attachment, or clicks a link. That’s why it’s important to guarantee your staff knows what to look for.
Send out a company-wide memo. Make sure it comes from someone who won’t/can’t be ignored. It should say something like…
It is imperative that you follow these guidelines on ALL work computers and ANY personal devices used for work to protect against ransomware.
- If you get emails with suspicious attachments; even if it is from people you know do not click on the attachment.
- Be very cautious of what you click on while browsing. Do not click on random pop-ups!
- If you accidentally click on a suspicious email or web link, immediately unplug the computer from the network and turn off the WIFI – even before calling IT support.
If you’re not sure about how to ensure your protection against ransomware and other cybercrime threats, then don’t try “fake it ’till you make it”. Be sure to consult a Nashville Healthcare IT company like Kraft Technology Group if you’re unsure as to the state of your healthcare organization’s ransomware contingencies.
Like this article? Check out the following blogs to learn more:
The new Health Industry Cybersecurity Practices (HICP)
NIST’s Small Business Cybersecurity Corner
How to Respond to a Network-Wide Malware Attack
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.