In this three-part series, Academic Health care CISO Mitch Parker shares his insights on ransomware, incident response and best practices for building a world class prevention program.

Ransomware has been the buzzword du jour for the past year in computer security.  This mostly unsophisticated attack type uses deception and already-existing means of communication to destroy the integrity of systems and shut down businesses by holding their critical assets for cryptocurrency ransom via encryption.

In my opinion, there has been little thought to either mitigating the risks caused by ransomware attacks, or an overall attempt to use products to fix what a good incident management process should.

In addition, newer versions of ransomware are utilizing more sophisticated means to cloak themselves, bypass defenses, and cause damage, propelling this threat as one of the industry’s most critical.

The first important item to keep in mind is that most computers are based on the Von Neumann architecture, where memory holds both data and the programs that manipulate it.  Therefore, it is always possible to manipulate data to affect stored programs, and vice versa.  One doesn’t need Phrack 49, Smashing the Stack for Fun and Profit, to tell you that.

Secondly, it is generally considered impossible to determine with 100% accuracy whether or not a program is malicious without actually running it.  Newer ransomware variants employ techniques such as encryption, polymorphism, and digitally signed code using stolen code signing certificates, and have defeated most, if not all, anti-malware programs on the market. Therefore, it is important to have an incident management process in place to deal with the inevitable.

Complicating matters, the Department of Health and Human Services, Office of Civil Rights (OCR), has issued guidance that considers ransomware attacks reportable breaches for healthcare organizations and other covered entities under HITECH.

There have been a number of reported ransomware attacks at hospitals and healthcare systems across the United States, including Medstar, Kansas Heart Hospital, and several affiliates of larger health systems.

As part of the guidance given by OCR, you have to conduct a risk analysis on the effects of the attack (http://www.hhs.gov/hipaa/for-professionals/breach-notification/) to determine what records have been breached, and report it just like misdirected or stolen information.

Under HIPAA and HITECH, if you are considered a covered entity or business associate, you must not only protect against reasonably anticipated threats or hazards, but also conduct a risk analysis to ensure that your organization implements reasonable and appropriate controls.

One other important item of note is that recent ransomware attacks have shut down access to critical systems such as Electronic Medical Records (EMR), which have become essential to operations for healthcare organizations around the globe.  These attacks have impacted patient care and caused affected organizations to divert patients to other hospitals to receive care, delaying treatment to those who need it most.

The Joint Commission, which is the main organization that certifies and accredits healthcare organizations and programs in the United States, has two requirements for its member organizations to follow.

Joint Commission Standard IM.01.01.03 requires hospitals to plan for the management of interruptions to information processes.  This requires organizations to be able to plan for and manage downtimes.  Hospitals are also required by the Joint Commission to conduct annual Hazard Vulnerability Analysis exercises, and have since 2001.  These exercises require hospitals to conduct a systematic analysis to identify hazards or risks that will impact their facility, which includes computer and network downtimes.

Together, these standards hold healthcare organizations accountable for preparation and incident management, and as ransomware attacks grow in sophistication and frequency, it is critical for security teams to reevaluate and refine their approaches to protecting the enterprise.

Over the past year, I have given a number of presentations and webinars on the topic of ransomware, including the Ransomware in Healthcare summit in Philadelphia this past April that had 67 attendees from 37 different organizations.

Dialogue during this conference revealed several key factors that healthcare organizations should possess to be able to survive a ransomware attack.  In part two, I will begin going through the first four of nine best practices and key factors for building a strong security program. 

Leave a Reply