
Healthcare ransom: A security nightmare


It reads like a Liam Neeson movie script: 'We’ve got your daughter…'; only replace 'daughter' with 'daughter’s healthcare records'. And not just your daughter’s, but millions of other daughters’ and sons’ records. And unless you pay, you’ll never see them again. Welcome to the world of ransomware, a recent and most insidious threat plaguing healthcare organisations worldwide.

Kidnapping healthcare

As a patient you rely on doctors, hospitals, and the myriad of support staff to take care of you, heal you, and ultimately send you home in better shape than when you arrived. Now imagine the doctors not having access to your medical history, allergies, or lab results. Treating you just became far more difficult and risky. This is the net effect of ransomware.

Ransomware is a type of malware that effectively kidnaps your data: it enters computer systems unseen, encrypts the data, and then demands payment for the decryption key. Refuse to pay and the data stays locked and unusable, even though it never left your systems. For consumer victims this is an emotionally devastating experience. For businesses it can mean going out of business, or at the very least a severe hit to operations. But for healthcare organisations it can literally be life or death, for both the organisation and its patients. Unfortunately, the bad guys know this and have aggressively started targeting healthcare organisations with ransomware.

To pay or not to pay

It’s bad enough to have a Protected Health Information (PHI) security breach. Anthem’s 80 million record breach in February 2015 was the largest of its kind, causing substantial damage to the organisation’s brand and drawing healthcare security into the public spotlight. However, few people were put in direct physical risk because of this enormous breach.

Compare that situation to a single ransomware attack, such as that on Hollywood Presbyterian Medical Center (HPMC) highlighted in the New York Times recently, where the hospital faced a difficult decision: immediately pay a $17,000 (£12,000) ransom or lose use of critical computer systems. Without access to the affected systems, patient care and operations would suffer. In healthcare, patient safety is an Achilles heel. Threaten patient safety and the organisation has little option other than to capitulate. HPMC paid the ransom and was able to gain use of the system after being provided with the decryption key. It was either that or risk patient safety, possibly even lives – an untenable situation. Even with the payment, it took HPMC 10 days to restore use of the systems.

A growing menace

The attack on HPMC is not an isolated event. Healthcare organisations have seen a huge uptick in ransomware attacks over the last six to eight months, according to Katherine Keefe, the head of breach response services at Beazley, an insurance company. Of the 1,200 breaches her team investigated last year, half involved healthcare organisations. And according to many industry experts, reported cases represent just a fraction of the total.

A layered prevention approach

When you are facing a dire situation, you take your medicine, no matter how bad it tastes. However, a better solution is to avoid getting into that situation in the first place. Fortunately, most organisations already have the rudimentary tools in place to help prevent such a catastrophe, such as backup, anti-malware, and firewalls. There are several aspects to making these tools effective.


You need to prevent every attack. Criminals only need to succeed once.

Deploy and maintain up-to-date anti-malware on every employee's machine. This is your first line of defence. Anti-malware often identifies the malware before it runs. As long as the user heeds the alert and takes the recommended action, usually deleting the email or file, or unplugging a device, the threat is stopped for the moment. This is the most effective first step, one that stops more ransomware than any other single control.

However, it is not 100 per cent effective. According to Panda Research, traditional anti-virus tools stop only 30-50 per cent of new zero-hour malware when it is first seen. If there is no signature for a particular sample, a user can innocently execute it; the first visible sign is usually that file extensions change and a payment notice appears, by which point encryption is already well under way. It typically takes AV vendors a full seven days to reach 98 per cent detection of a new threat.

This gap triggers the need for our next most effective layer.

Employee education

How does a laptop get infected with ransomware? Typically, it starts with a malicious email that carries an infected attachment or tricks the user into downloading the malware. Infected removable media, such as thumb drives, are another source.

In 2015, Intel Security reported that 94 per cent of people, and 96 per cent of executives, who have the most to lose, failed to identify every phishing email in a test. When participants received an email spoofed to look as if it came from UPS, 62 per cent trusted it enough to click the link. The 2015 Verizon Data Breach Investigations Report found that 23 per cent of recipients open phishing messages and 11 per cent open the malicious attachment.

To close this hole, educate employees periodically, at least once every six months, on recognising and avoiding threats. If an email looks odd in any way (unusual sender, strange distribution list, non-standard domain or country of origin, misspellings, an unexpected message from an apparently legitimate source, or content that is vague, sparse, or out of character for the sender), STOP and VERIFY with the sender, preferably by a channel other than email: phone, Skype, or text.
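The checks in that list can be partly automated on the mail gateway or in a triage tool. The script below is an added example, not code from the original article: it parses a raw message and reports the indicators above that a machine can see (Reply-To pointing elsewhere, an unknown sender trading on a trusted name or typosquatting a trusted domain, link text naming one host while the href points at another, and executable or double-extension attachments). The trusted-domain list, the thresholds, and both sample messages are assumptions constructed for the demo.

```python
"""Flag machine-checkable phishing indicators on an inbound message (added example)."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-health.org", "ups.com"}        # assumed allowlist for the demo
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm")


def domain_of(header_value) -> str:
    """Lower-cased domain of an address header, or '' if there is no address."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value against a trusted domain suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def labels(domain: str) -> set:
    """Words below the TLD: 'ups-delivery-notice.net' -> {'ups', 'delivery', 'notice'}."""
    return set(re.split(r"[^a-z0-9]+", domain.rsplit(".", 1)[0])) - {""}


def host_in(text: str) -> str:
    """Hostname named by link text such as 'www.ups.com/track'; '' if the label is not URL-like."""
    text = text.strip().lower()
    try:
        host = urlparse(text if "://" in text else "//" + text).hostname or ""
    except ValueError:
        return ""
    return host if "." in host else ""


def assess(raw: str) -> list:
    """Return human-readable findings for one RFC 5322 message; [] means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = msg.get("From", "")
    display_name, _ = email.utils.parseaddr(str(from_hdr))
    from_domain = domain_of(from_hdr)
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # 1. Replies routed somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 2. Unknown sender trading on a trusted name, or within two edits of a trusted domain.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[0]
            if brand in display_name.lower() or brand in labels(from_domain):
                findings.append(f"sender {from_domain} uses the {brand} name but is not {trusted}")
            elif edit_distance(from_domain, trusted) <= 2:
                findings.append(f"sender domain {from_domain} is within two edits of {trusted}")

    # 3. Link text that names one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, label in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = host_in(re.sub(r"<[^>]+>", "", label))
        target = (urlparse(href).hostname or "").lower()
        if shown and target and shown != target:
            findings.append(f"link shows {shown} but points at {target}")

    # 4. Executable or double-extension attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            kind = "double-extension" if name.count(".") > 1 else "executable"
            findings.append(f"{kind} attachment {name}")
    return findings


def build_sample(phishing: bool) -> str:
    """Constructed sample messages for the demo; not captured real mail."""
    m = EmailMessage()
    if phishing:
        m["From"] = "UPS Customer Service <notify@ups-delivery-notice.net>"
        m["Reply-To"] = "claims@mail-recovery.example"
        m["Subject"] = "Your parcel could not be delivered"
        m.set_content("Open the attached invoice to reschedule delivery.")
        m.add_alternative('<p>Track your parcel at\n'
                          '<a href="http://ups-delivery-notice.net/track">www.ups.com</a></p>',
                          subtype="html")
        m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                         filename="invoice.pdf.exe")
    else:
        m["From"] = "Dr Example <records@example-health.org>"
        m["Subject"] = "Lab results available"
        m.set_content("Your results are in the patient portal.")
    return m.as_string()


if __name__ == "__main__":
    for finding in assess(build_sample(True)):
        print("PHISH:", finding)
    print("legit findings:", assess(build_sample(False)))
```

Run on the constructed phishing sample it reports four findings; the constructed legitimate message reports none. These are heuristics to prioritise human review, not a verdict: a message can pass all four and still be a phish, which is why the verification step above still matters.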

Ensure security software is updated regularly, preferably automatically as updates become available. A delayed update leaves a window in which malware whose signature has already been published still goes undetected. Security software does most of the heavy lifting of detecting and removing threats so employees can keep working, but new threats appear all the time, so employee education remains a critical layer.

Employees are your frontline alert system to new threats. Ensure they report anything suspicious so that emails or other multi-person threats can be stopped early.

Backup and recovery

Backups serve many purposes, but the number one purpose of backups is to restore in the event of a disaster, including man-made ones. Unfortunately, most organisations treat backups as a chore rather than a strategic imperative. Backups are the essential building blocks for recovering data and systems. They need to be accompanied by a well thought out process that protects them (kept offline or otherwise out of reach of anything running on the live network) and tests them with regular trial restores, as well as a corresponding recovery plan.

Backups give you clean data, but most organisations do not have instant recovery capabilities. Traditional restoration from backup takes hours, if not days, depending on the scope of the backup and how granular the organisation's recovery capability is. Cloud backup makes this worse: restore times can be 5-10 times longer, meaning days or weeks of downtime.
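"Protect and test" the backup is the part most often skipped. The script below is an added example, not code from the original article, showing the minimum a test should prove: a hash manifest is taken when the backup is made and kept apart from both the live data and the backup; a simulated infection then overwrites the live copy (random bytes standing in for ciphertext, a `.locked` extension added to every other file); and the manifest shows the live tree as damaged, the backup as intact, and a trial restore as complete. The directory layout and sample record contents are constructed for the demo.

```python
"""Manifest-based backup verification with a simulated ransomware run (added example)."""
import hashlib
import os
import shutil
import tempfile


def file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_sha256(full)
    return manifest


def verify(root: str, manifest: dict) -> dict:
    """Check a tree against a manifest; returns which files are ok, changed or missing."""
    result = {"ok": [], "changed": [], "missing": []}
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            result["missing"].append(rel)
        elif file_sha256(full) != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def simulate_ransomware(root: str) -> None:
    """Constructed stand-in for an infection: overwrite every file, rename every other one."""
    for idx, rel in enumerate(sorted(build_manifest(root))):
        full = os.path.join(root, rel)
        with open(full, "wb") as f:
            f.write(os.urandom(256))           # random bytes in place of real ciphertext
        if idx % 2 == 0:
            os.rename(full, full + ".locked")


def demo() -> dict:
    """Back up, verify, infect the live copy, then prove the backup still restores cleanly."""
    work = tempfile.mkdtemp()
    try:
        live, backup, restored = (os.path.join(work, d) for d in ("live", "backup", "restored"))
        os.makedirs(os.path.join(live, "records"))
        samples = {"notes.txt": "Ward round 09:00",            # constructed sample content
                   "records/patient-1.txt": "Penicillin allergy",
                   "records/patient-2.txt": "Lab results pending"}
        for rel, text in samples.items():
            with open(os.path.join(live, rel), "w") as f:
                f.write(text)
        manifest = build_manifest(live)        # store this with the backup, off the live network
        shutil.copytree(live, backup)          # the backup; offline or immutable in real use
        simulate_ransomware(live)
        live_check = verify(live, manifest)
        backup_check = verify(backup, manifest)
        shutil.copytree(backup, restored)      # a trial restore, done on a schedule, not in a crisis
        restored_check = verify(restored, manifest)
        return {"total": len(manifest),
                "live_missing": len(live_check["missing"]),
                "live_changed": len(live_check["changed"]),
                "backup_ok": len(backup_check["ok"]),
                "restored_ok": len(restored_check["ok"])}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The same `verify()` run against a backup that had been reachable from an infected host would report `changed` or `missing` entries, which is the signal that the backup itself was encrypted and cannot be relied on; that is the case the restore plan has to anticipate, and the reason the manifest must not live on the share it describes.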

Do not confuse enterprise file sync and share (EFSS) solutions such as Box, Dropbox, Google Drive, and OneDrive with backup. These tools sync files to another location, so when ransomware encrypts the local copies the encrypted versions are synced too, and both copies are useless. Some vendors can roll back to previous versions, but doing that across thousands of files is slow and laborious.
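Two points above, that the first visible sign of an infection is usually a burst of files changing extension, and that a sync client will faithfully replicate the encrypted copies, argue for watching the shared or synced folder itself. The script below is an added example, not code from the original article or any vendor product: it consumes write/rename events, treats an event as suspicious only when the extension changed and the new content has near-ciphertext entropy, and raises an alert when one user has done that to several distinct files inside a short window. The event format, thresholds and the sample event stream are constructed for the demo.

```python
"""Detect a ransomware-style burst of encrypted rewrites in a watched folder (added example)."""
import hashlib
import math
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENTROPY_THRESHOLD = 7.0          # bits per byte; ciphertext and compressed data sit near 8
BURST_FILES = 5                  # distinct files rewritten this way inside WINDOW triggers an alert
WINDOW = timedelta(seconds=60)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0 for empty input, 8 for uniformly distributed bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareBurstDetector:
    """Sliding-window count of 'renamed and encrypted-looking' writes per user."""

    def __init__(self):
        self.recent = defaultdict(deque)   # user -> deque of (timestamp, path)

    def observe(self, ts: datetime, user: str, old_path: str, new_path: str, content: bytes):
        """Feed one write/rename event; return an alert string or None."""
        ext_changed = os.path.splitext(old_path)[1] != os.path.splitext(new_path)[1]
        if not (ext_changed and shannon_entropy(content) >= ENTROPY_THRESHOLD):
            return None                    # ordinary edits (and plain saves of zips) never count
        window = self.recent[user]
        window.append((ts, new_path))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        touched = {p for _, p in window}
        if len(touched) >= BURST_FILES:
            return (f"ALERT {ts:%H:%M:%S} {user}: {len(touched)} files rewritten with "
                    f"encrypted-looking content and new extensions within {WINDOW.seconds}s "
                    f"(latest {new_path}); isolate the host and pause EFSS sync")
        return None


def ciphertext_like(seed: int, size: int = 2048) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


def sample_events() -> list:
    """Constructed event stream: routine editing, then a burst typical of ransomware."""
    t0 = datetime(2016, 3, 1, 9, 0, 0)
    events = []
    for i in range(3):                     # plain-text notes saved: same extension, low entropy
        p = f"/share/notes/visit-{i}.txt"
        events.append((t0 + timedelta(seconds=10 * i), "alice", p, p,
                       b"Patient seen, BP 120/80. " * 40))
    for i in range(6):                     # six records rewritten and renamed within 30 seconds
        old = f"/share/records/patient-{i}.docx"
        events.append((t0 + timedelta(minutes=5, seconds=5 * i), "alice",
                       old, old + ".locked", ciphertext_like(i)))
    return events


def run(events) -> list:
    """Replay a stream of (ts, user, old_path, new_path, content) events; return alerts raised."""
    det = RansomwareBurstDetector()
    alerts = []
    for ts, user, old, new, content in events:
        alert = det.observe(ts, user, old, new, content)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run(sample_events()):
        print(line)
```

On the constructed stream the three routine saves produce nothing and the burst trips the alert on the fifth rewritten file, about 20 seconds after the first. Requiring both the rename and the entropy keeps saves of legitimately high-entropy files (archives, images) out of the count; a variant that drops the rename requirement would catch families that encrypt in place, at the cost of more false positives, and would want a higher burst threshold.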

If you do not have a proper backup, or cannot get it to restore, your only choices are to pay the ransom or lose all the affected data. Paying is no guarantee either: 19 per cent of victims who paid still did not get their files back, according to a 2016 Intermedia ransomware survey. The same survey found that the biggest cost to businesses is downtime, not the ransom payment. Add the highly public nature of healthcare organisations, the critical nature of patient care, and the damage to brand and reputation, and the ransom itself is the least of your worries.

Business continuity

Most organisations plan for natural disasters and other causes of business interruption, but few develop a business continuity plan for cyber threats. This should be the next planning activity any healthcare organisation undertakes, in order to identify and limit rapidly growing threats such as ransomware.

When all else fails, click here …

No amount of protection and education can guarantee you won’t fall victim to ransomware, but proper protection goes a long way. In the event you do find yourself facing a ransomware situation, what can you do?


IT typically does not learn about the infection until the damage has begun and the malware is already inside the network. At this point containment is the top priority. Sophisticated ransomware spreads to other data sources in your organisation, including mapped network shares. Assume the worst and be prepared to disconnect affected hosts or whole segments, even taking the network down, to limit damage and downtime. Determine the extent of the infection. Remove all infected machines from the network before bringing it back up. Identify how the malware got in so that you can close that weakness; otherwise you may remain vulnerable.

As part of your containment efforts, tell all employees to stop syncing to EFSS tools such as Box, Google Drive, or Dropbox, so that good copies of files are not overwritten with encrypted ones.

Getting rid of the malware

1. Find the source and type of the infection

Forensics can be very challenging for a typical IT department. If needed, bring in, or at least consult, forensic professionals. Preserve the affected machines (disk images, logs) before wiping them; that evidence is what lets you establish what happened, the scope of the infection, and the infection vector.

2. Identify other users who might be infected

The most common source of infection is an email from outside, though it may have been forwarded internally. Find out who else received the message and give the mail administrators its sender and subject so it can be removed from every inbox. If another recipient also executed the malware, that machine needs to be reimaged too.

3. Wipe the drive and reimage from the operating system on up, or replace the drive

Replacing the drive is sometimes faster or cheaper and gives the same assurance; keep the original drive if forensic work is still under way.

4. Restore from a backup

Restore shared files first to get teams working again quickly, and restore only from backups taken before the infection began. Use spare machines to avoid downtime while you rebuild the infected ones.

An ounce of prevention goes a long way

Healthcare organisations spend tremendous energy focusing on patient care. But as with patients, the nature of the threats to the organisation changes over time. The most prudent way to protect your healthcare organisation from a damaging event is to plan proactively for those kinds of events and prevent them from happening in the first place.

Paul LaPorte, Director of Products at Metalogix

Image Credit: Ninescene / Shutterstock