Technology news sites are currently buzzing with the latest story of another ransomware victim – a hospital in Hollywood. While we at ETTE consider ransomware in itself to be a despicable and disgraceful way of extorting money from businesses, an attack on a hospital is a whole new level of evil. It actually forced staff members at the hospital to use pen and paper to continue operations this week.
Surprisingly, the Hospital confirmed today that it has paid the ransom of $17,000 to the hacker responsible in order to obtain the decryption key. That alone tells me that the Hospital was not prepared or equipped to deal with this kind of security breach. It likely means that it had no backups in place to restore the network and was incredibly vulnerable this whole time.
What shocks me the most is how this could even happen to an institution which handles thousands of confidential patient data files. Why didn’t IT security prevent the ransomware from getting into the network? Why do end users have Administrator privileges on their computers, allowing them to install software? Why did they not have daily backups? What is the risk that the hacker now has access to confidential medical files and could theoretically blackmail patients by threatening to make them public?
I’d be interested to know if the Hacker responsible for this attack is going to follow through with the decryption. When it comes to paying ransoms, there is no guarantee that your money will get you the result you want. And it’s not as if the Hacker is obliged or lawfully bound to keep his word and return the data to the Hospital.
In case you’re not familiar with ransomware, here is how it works: a user receives an email with an attachment (usually an executable file, with a .exe extension) or downloads a file from the internet. The user, unaware that you should never run an executable file unless you know exactly what it is and what it does, opens the file and the ransomware is installed on that machine. The software then spreads across the network, making its way to the databases, and begins encrypting the tables and their contents – making the data unreadable to the network’s users.
Some time later, the programmer/hacker behind the ransomware contacts the infected organization and demands a sum of money in return for decryption of the files – hence the term “ransomware”.
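The rule that you should never run an executable you do not recognise can be enforced before the attachment ever reaches a user. The following Python is an added example written for this post, not ETTE’s own tooling: it screens email attachments (constructed samples) for executable extensions, for double extensions such as “invoice.pdf.exe”, and for the “MZ” header that every Windows executable carries no matter what it has been renamed to.

```python
from typing import Dict, List

# File types Windows will run directly when double-clicked (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".hta", ".msi"}


def is_pe_executable(data: bytes) -> bool:
    """Every Windows PE executable starts with the 'MZ' DOS header, whatever its name."""
    return data[:2] == b"MZ"


def assess_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment should be held for review; an empty list means allow."""
    reasons: List[str] = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # "invoice.pdf.exe" hides the real type behind a familiar-looking one.
        if len(parts) > 2:
            reasons.append("double extension disguising an executable")

    # A renamed binary (e.g. an .exe saved as .jpg) still carries the PE header,
    # so check the content rather than trusting the name alone.
    if is_pe_executable(data) and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header (MZ) in a file that does not claim to be an executable")

    return reasons


def screen_mailbox(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Screen a batch of attachments and report only the ones that should be held."""
    return {name: assess_attachment(name, data)
            for name, data in attachments.items() if assess_attachment(name, data)}


# Constructed sample attachments: a genuine PDF, a double-extension executable,
# an executable renamed to look like a photo, and a harmless text file.
SAMPLE_ATTACHMENTS = {
    "quarterly_report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "scan_0042.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
    "notes.txt": b"Meeting moved to 3pm.\n",
}

if __name__ == "__main__":
    for name, reasons in screen_mailbox(SAMPLE_ATTACHMENTS).items():
        print(f"HOLD {name}: {'; '.join(reasons)}")
```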
Some people would argue that this hospital was simply unlucky and that it’s not their fault that this happened to them. Others would argue that the newest viruses, malware and ransomware programs are not being detected by antivirus software because they are still new, and therefore this was “just one of those things”. After all, we seem to be updating our antivirus software on a weekly basis now to keep up with the newest threats. But what many people don’t realize is that preventing a ransomware attack is actually very simple, and in the event that your network does become infected, there should be no need to resort to quill and parchment to continue operating.
Firstly, it should be noted that in around 85% of cases where Ransomware has been detected on a network, an end user was responsible for the security breach. It wasn’t a fault with the operating system, the network, the IT guy or the antivirus software. It was a user being uneducated about the risks of opening files from unknown sources.
Secondly, by not having frequent backups of your systems, this kind of attack can have devastating consequences in the long run. In most organizations (especially a hospital), backups should be done on a daily basis if not hourly. Here at ETTE, customers with our backup service get the peace of mind of backups being taken every 15 minutes. This means that in the event of disaster, the most data they will lose is 15 minutes’ worth of work, or less.
Thirdly, there is a little blame I could put on the IT guy in this particular instance – the end user responsible for the infection had enough privileges to run and install software on their computer and therefore opened the door to the ransomware infection. This is a frustrating topic for me because we are strongly against end users having admin privileges for this very reason. Of course, I don’t know all of the facts surrounding the case, but this scenario is the most likely and the most frequently seen.
Finally, as the saying goes: “A chain is only as strong as its weakest link”. Your antivirus, backups, firewalls, recovery plan and everything else might be in place and might be sound. However, the best defence is prevention. Remember that the end users are the weakest link in the chain. They may know how to use a computer, but they may not be aware of the risks and dangers that are inherent in having a connection to the internet.
Implementing user policies is a great place to start, but educating the people who are using the computers is better. Most, if not all, of us have made a mistake before which has caused an infection, including me. I was thirteen years old when I tried to download a modification for a PC game which was actually a malicious virus disguised as the file I needed. The result was the desktop of my father’s Pentium 2 being wiped out entirely – fortunately, my father backed up everything on Zip disk, so the damage was limited.
I learned my lesson and the infection raised my awareness. I realized that there are a lot of people out there on the internet who invest hundreds of hours of coding into something that can ruin you or your business, usually just for kicks.
A good place to start the education process is with a strong IT usage policy and perhaps some documents or classes about the dangers of malicious software. If your end users read your strict IT usage policy thoroughly, it should highlight the potential dangers to them. You can hammer that point home by requesting their signature on that policy. You should always remove administrator rights from end users’ computers so that they cannot install anything without an administrator entering a password first (and checking that the file is safe).
Finally: backup, backup, backup. Daily, hourly, twice hourly – the frequency should be determined by your resources and the amount of data you can afford to lose in the event of an attack. We often sit blissfully at our desks thinking that hackers only target government systems or large corporations with huge annual profits. It’s this exact thinking which is putting you at risk. Those large corporations’ and government networks are protected by millions of dollars of security protocols and hardware. Ask yourself whether an average bank robber would prefer to rob Fort Knox or a small bank out in the countryside, based on whether or not he would get away with it.
I sincerely hope that confidential patient records in the hospital have not been put at risk. If they have, then I certainly wouldn’t like to be the decision maker at the hospital in the coming weeks. Since I’m British, ransom situations like this always remind me of Margaret Thatcher’s words from the eighties – “We do not negotiate with terrorists”. Perhaps in this instance, one must consider a change of policy…