Recently, I received a call from a close friend who wanted advice because his small company had been the victim of a ransomware attack. A hacker had locked the company out of all significant business applications, compromised all the backups, and wanted $250 in the form of bitcoins to unlock the system. The IT manager tried to restore the systems without paying and without success.
As I tried to help my friend, I started doing some real-world research and contacted some of my business associates with questions about their preparations for ransomware attacks. No one I called had a great strategy. Either they relied on their prevention tactics to keep them safe or hoped they wouldn’t be hacked because they were small organizations. No one I spoke to had any bitcoins or a bitcoin wallet.
I thought about the small healthcare organizations I work with on a regular basis. They are at risk precisely because they are small. Hackers know that small hospitals have small budgets and are understaffed. Hackers have become more aware that many small hospitals have limited resources and are more likely to pay a ransom than larger organizations. Hackers also know that IT systems at small hospitals are integrated into all aspects of the organization. If a hacker can control a hospital’s access to critical data and equipment, he or she can force the hospital to shut its doors. Lives could hang in the balance. The criminal has great leverage.
So what would you do if your hospital were hacked?
You might say, “$250 sounds extremely reasonable to get a hospital up and running again.” You would be right; $250 is a small amount of money. But there are several other considerations:
- Do you know what bitcoins are?
- Do you know how to obtain and use bitcoins?
- If you have bitcoins, should you hand them over?
- What other options do you have?
- What can you do to avoid this situation in the future?
Bitcoin is a form of currency that uses cryptography to implement the transfer of funds, making it independent of banking institutions and resistant to formal regulation. A bitcoin payment is made between two parties with a digital public register, called a “blockchain,” verifying the validity of each transaction. The authenticity of the transaction is protected by a digital signature attached to each user’s sending address.
There are few legal protections for these transactions, however, and nothing to guarantee that service or data will be restored upon payment. There are no refunds or reversals for transactions.
Paying a ransom in Bitcoin is a “Hail Mary pass”: a last resort that victims explore only when their preparation did not allow them to recover from the attack on their own.
In my friend’s case, he had no data recovery plan or readable backups safely stored away; therefore, he was left with no other option. So, he went through an arduous and unfamiliar process to set up a bitcoin wallet, obtain bitcoins via an exchange, and then make payment. Luckily, after making the payment, the hacker did pass along the key to unlock their system. The situation could have been worse if the hacker had not responded, leaving my friend with no data and a few hundred dollars poorer. It could have also gone better if preparations had been made ahead of the attack.
This story offers up some lessons for IT personnel in hospitals of all sizes. We say it all the time – it is no longer a question of “if” but “when.” In the past two weeks, Ken Miller has written about defense against ransomware attacks. I agree with him that educating your employees is the best first step. Your employees are critical to keeping hackers of all types out of your system. Here are a few more lessons to be learned from my friend’s situation:
Lesson #1 – Be prepared! Good preparation starts with a solid backup policy. Periodically test your system backups to ensure readability and to keep IT personnel familiar with the process. Most companies have a bad habit of only testing their backups once a year during a disaster recovery test or when an employee loses important files. Periodic backup testing helps to ensure that tapes are not corrupted and may help to point out potential unauthorized activity.
Lesson #2 – Implement sufficient network security and perform periodic advanced internal and external penetration testing to help point out those vulnerable areas that external hackers and internal threats might attempt to compromise.
Lesson #3 – Have an incident response plan that involves professionals. Anyone who has been a victim of ransomware can tell you that it is important to act quickly. A team of incident response professionals can quickly help you get back up and running while also identifying what happened in order to avoid falling victim a second time.
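The periodic backup test from Lesson #1 can be automated. The sketch below is an added example, not part of the original article: it reads every file in a backup archive and compares the result with a manifest saved from the last known-good backup. The archive layout, file names and the `static` list of files that should never change are assumptions made for illustration.

```python
import hashlib
import io
import tarfile

def make_archive(files):
    """Build an in-memory tar backup from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_hashes(archive):
    """Restore test: read every file in full and return {name: SHA-256 hex}."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                hashes[member.name] = hashlib.sha256(data).hexdigest()
    return hashes

def check_backup(archive, manifest, static=()):
    """Compare a backup with the manifest saved from the last known-good backup."""
    try:
        current = read_hashes(archive)
    except (tarfile.TarError, OSError, EOFError) as exc:
        return {"readable": False, "error": str(exc)}
    return {
        "readable": True,
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        # Files expected to stay identical between backups, yet different now.
        "changed_static": sorted(n for n in static
                                 if n in current and current[n] != manifest.get(n)),
    }

# Constructed sample backups; all file names and contents are made up.
GOOD = make_archive({"ehr/config.ini": b"db=ehr01\n", "ehr/patients.db": b"rows-v1"})
MANIFEST = read_hashes(GOOD)
TAMPERED = make_archive({"ehr/config.ini": b"\x91\x0c\xfe\x33",
                         "ehr/patients.db.locked": b"\x07\xd2\x5a"})
SCRAMBLED = bytes(range(256)) * 4  # stands in for an overwritten backup file

if __name__ == "__main__":
    for label, archive in [("good", GOOD), ("tampered", TAMPERED), ("scrambled", SCRAMBLED)]:
        print(label, check_backup(archive, MANIFEST, static=["ehr/config.ini"]))
```

Store the manifest somewhere the backup system cannot write to, so that whoever tampers with the backups cannot also rewrite the baseline.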
Time really is money, and a hospital can’t afford to be down for a significant period of time as a result of being locked out of its systems. Being prepared and having a plan to handle digital ransom scenarios is becoming more and more important in this ever-evolving digital age.