2 min read

What Can Be Done To Help Hospitals Hit by Ransomware?

March 31, 2016


News that three hospitals in the US were last week hit by a ransomware attack shocked many.

This sort of attack is typically designed to block access to a computer system until a sum of money has been extorted, often in Bitcoin rather than a traditional currency.

In many respects providers of healthcare are the perfect targets for such attacks - the care of patients in the 21st century is reliant on Electronic Patient Records, and hospitals are more likely to pay the ransom than risk delays that could result in the death of patients.

Ultimately, you're more likely to pay the ransom if you have patients waiting to be treated, than a traditional business, for example. Hospitals simply cannot afford a prolonged period of disruption.

In the case of the three hospitals in the US, one of them, MedStar Health, posted on Facebook that its network "was affected by a virus that prevents certain users from logging-in to our system."

Last night, more than a week since the attack, MedStar Health posted another update saying it was moving "towards full restoration of our IT systems".

Ransomware initially targeted individuals before realising targeting businesses was much more profitable - and ultimately, ransomware exists because it works.

Generally attacks take the form of a phishing email that carry an attachment loaded with ransomware, and it only takes one person in an organisation to open this infected attachment before it travels laterally across a network, locking up computers and even file servers.

It only takes the locking down of a couple of files servers that staff, both clinical and admin, use routinely before a network is effectively held hostage.

How Can Hospitals Protect Themselves?

Adam Alessandrini's Hostage Rescue Manual offers an excellent step-by-step guide to those who have been infected by malware and want to know how to respond.

Alessandrini boils your response options down to:

I'm Infected, Now What?

a. Disconnect!
b. Determine the Scope
c. What Strain of Ransomware?
d. Evaluate Your Responses: Restore, Decrypt, Do Nothing

Negotiate/Pay Ransom

e. First Response: Restore From Backup/Shadow Volume
f. Second Response: Try to Decrypt
g. Third Response: Do Nothing (Lose Files)
h. Fourth Response: Negotiate / Pay the Ransom
i. Ransomware Attack Response Checklist

But what can be done to best protect yourself from attacks in the first place?

Subscribe to the LAN3 Blog

Topics: Security

Written by Paul Sweeney