Because ransomware attacks usually involve some type of social engineering such as phishing to lure unsuspecting victims into clicking on a malicious link in email, a purely technical prevention strategy is not effective, according to a best practice paper published in Applied Clinical Informatics.
Such efforts in healthcare must focus on the proper implementation and maintenance of IT, as well as educating those who use it. Organizations tend not to make attack details public, preventing the industry from learning how to protect itself.
While many of the authors' suggestions seem basic, they’re often overlooked, they say.
They propose a four-step strategy based on the National Institute of Standards and Technology's Cybersecurity Framework:
1. Ensure all computers and networks are installed and configured correctly: The authors mention an improperly installed JBoss server reportedly behind the MedStar attack--a story MedStar officials rebutted.
The paper calls for technical controls, including up-to-date patching, real-time or at least daily backups, regular testing for those backups, and maintaining a “gold image” of system configurations that would allow systems to be reset to their pre-attack state.
It also suggests allowing access to only a “whitelist” of approved programs and blocking suspicious emails.
2. Provide simulation and training for users, as Jackson Health System in Miami is doing. IT staff must create messages to help users identify legitimate company emails and those that are not. Users should know what to do if they think they’ve unleashed an attack.
3. Provide continuous monitoring of application and network activity to identify suspicious behavior and to address security problems early. It’s also vital to stay abreast of the changing threat landscape and to address security gaps as they evolve.
4. Respond quickly to attacks, including calling in the FBI and a forensic team to fully understand what happened. What's more, a multi-disciplinary team of key administrative, clinical and IT stakeholders just be formed to discuss how to prevent or mitigate future attacks.
To learn more:
- read the paper