Panelists: Providers must be 'defensive' against ransomware

With ransomware attacks on electronic health records, cloud providers and other systems more common, and more sophisticated, than ever, providers must be "defensive," according to government experts on cybersecurity.

Speaking Thursday at a conference co-hosted by the Health and Human Services Department's Office for Civil Rights and the National Institute of Standards and Technology, Ben Rossen, an attorney with the Federal Trade Commission’s Division of Privacy and Identity Protection, warned that while the overwhelming majority of ransomware events are caused by phishing, the attacks are evolving into more targeted spear phishing, the use of compromised websites, exploitation of server vulnerabilities and “malvertising,” in which a virus is delivered through a compromised ad.

“[For some of these] you don’t need to click on anything [to become infected],” Rossen said.

Ransomware is also so prevalent in healthcare because its data is so critical to the provision of patient care, said Nick Heesters, a health information privacy and security specialist with OCR, who also spoke at the session. 

However, there are several steps that providers can take to reduce the chances that their EHRs will be infected by ransomware, and to stem the damage should it occur, session participants said. These include:

  • Review the security of any EHR or other product before allowing it to enter an entity’s environment and get security assurances in the vendor contract, according to Rossen. “I’ve seen vendors not meet promises,” he said.
  • Develop a “playbook” for different cyberevents, including one for a potential ransomware attack, said Jeff Cichonski, an information security engineer with NIST’s Applied Cybersecurity Division. NIST is in the process of developing a ransomware playbook, which should be available within the next few months, he said.
  • Train employees to be suspicious of everything online, and recognize phishing.
  • Back up EHR and other data responsibly. For example, the backup must be offline so that it does not also become compromised by the ransomware, Cichonski said. He suggested that entities also check the integrity of backup data before installation.
  • Use access controls. For instance, one strain of ransomware uses fake invoice attachments in its phishing scheme. However, doctors in hospitals don’t need that kind of file. Those emails can be blocked so they never get to the users, Rossen said.
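The backup advice above (keep the copy offline, and check its integrity before you rely on it) can be made concrete with a keyed manifest. The following is an added example written for this page, not code from the panelists, NIST or OCR, and the directory layout, file names and key are constructed for illustration. It records a SHA-256 digest per file and seals the manifest with an HMAC whose key stays with the offline copy; a later verification then flags files that were overwritten, files that went missing, files that appeared (ransom notes, renamed copies), and a manifest that an attacker without the key tried to rewrite to match the encrypted data.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Hypothetical manifest key (assumption for this example). In practice it
# lives with the offline backup or on a separate signing host, never on the
# production systems ransomware can reach, so an intruder who can overwrite
# the backup files still cannot produce a matching manifest.
MANIFEST_KEY = b"offline-backup-manifest-key-example"


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large EHR exports do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(entries: dict, key: bytes) -> str:
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Digest every file under backup_dir and seal the listing with an HMAC."""
    entries = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": file_digest(p)}
    return {"entries": entries, "hmac": _seal(entries, key)}


def verify_manifest(backup_dir: Path, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the backup matches the manifest."""
    problems = []
    # Check the manifest itself first: if it was altered, its per-file digests are worthless.
    if not hmac.compare_digest(_seal(manifest["entries"], key), manifest["hmac"]):
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    for rel, meta in manifest["entries"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif file_digest(p) != meta["sha256"]:
            problems.append(f"modified: {rel}")
    # Anything on disk that the manifest never listed (ransom notes, .encrypted copies).
    known = set(manifest["entries"])
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.relative_to(backup_dir).as_posix() not in known:
            problems.append(f"unexpected: {p.relative_to(backup_dir).as_posix()}")
    return problems


def demo() -> tuple:
    """Build a constructed backup, verify it, then simulate ransomware reaching it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "ehr").mkdir()
        # Constructed sample content standing in for an EHR export and its audit log.
        (backup / "ehr" / "patients.db").write_bytes(b"constructed sample EHR export\n" * 100)
        (backup / "ehr" / "audit.log").write_bytes(b"2023-01-01 login user=dr_smith\n")

        manifest = build_manifest(backup, MANIFEST_KEY)
        clean = verify_manifest(backup, manifest, MANIFEST_KEY)

        # Ransomware overwrites one file with ciphertext and drops a ransom note.
        (backup / "ehr" / "patients.db").write_bytes(os.urandom(3000))
        (backup / "README_DECRYPT.txt").write_bytes(b"your files are encrypted\n")
        tampered = verify_manifest(backup, manifest, MANIFEST_KEY)

        # Attacker with write access but no key rewrites the digest to match the ciphertext.
        forged = json.loads(json.dumps(manifest))
        forged["entries"]["ehr/patients.db"]["sha256"] = file_digest(backup / "ehr" / "patients.db")
        forged_result = verify_manifest(backup, forged, MANIFEST_KEY)

        return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(label, "->", result or "OK")
```

Run the script directly to see the three outcomes. The check belongs in the restore procedure, before any data is copied back into the environment, and the manifest key should never be readable from the hosts being backed up; without that separation the digests only detect accidental corruption, not a deliberate rewrite.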