Employee education vital in defense against ransomware

Employee education and awareness are healthcare organizations' greatest defenses against ransomware, attorney Mary Ellen Callahan advises in an AHA News article.

The malware in such an attack usually infects a network through a phishing scam, though unlike those that hit Magnolia Health Corp. in California and more recently St. Joseph's Healthcare System in New Jersey, the hackers aren't interested in identity theft, but in collecting a ransom.

Hollywood Presbyterian Medical Center in Los Angeles, whose computer systems were offline for a week in a ransomware attack, decided to pay about $17,000 in the cybercurrency Bitcoin to the hackers. However, law enforcement officials advise against paying ransom. There's no guarantee you'll get your data back or that hackers, now knowing you'll pay, won't subject you to ransomware again.

It's essential to know where your organization's encrypted "crown jewels" are and ensure that they're regularly backed up, Callahan says.

In addition, employees must be trained:

  • Not to click on links or open attachments in emails or messages from senders they don't know
  • To never open an attachment that appears to come from a company with whom they've never done business
  • To know what to do if they believe they have fallen victim to a ransomware attack

Even that advice might not be enough. In the St. Joseph's case, emails appeared to come from a high-ranking official in the organization who would have the authority to access the employee information being requested, according to NewJersey.com. Hackers impersonated the CEO in emails in the Magnolia Health case.

Regular backups, up-to-date patching and avoiding Java were among the suggestions that security experts offered to FierceHealthIT as defenses against ransomware.

To learn more:
- here's the AHA News article
- read about the St. Joseph's breach