Lysa: Small- to medium-sized
practices are very much at risk. In a lot of ways these
organizations are more attractive to criminals, as they are less
apt to have someone on staff who is focusing on a clinic's data
and network security.
While
it may not be as big a potential payday as hitting a big
hospital, hitting several small practices can quickly equal the
payout of a single larger business.
Lysa: Ransomware gets on
people's machines through attachments to email, through
vulnerabilities, etc. It's hard to generalize about this, as
criminals add to their repertoire on a regular basis.
Aryeh: Ransomware authors
have gotten a lot better over the years about not drawing
attention to attacks until after they have completely finished
encrypting all of a victim's files. For many victims, the
first notification is the extortion message from the
ransomware.
CureMD: What's the most
cost effective prevention strategy for a small-medium sized
practice?
Lysa: Both the most
important and most cost effective thing I would recommend
healthcare practices should do to improve their security is to
perform regular and ongoing risk assessments.
If
you don't have a clear picture of what you're trying to
protect, you may overspend in some areas and totally overlook
others. Performing a risk assessment allows you to put your
resources to their best use.
CureMD: Does a typical
ransomware only 'attack' certain folders/file types?
Lysa: I'm not sure "only"
is the word I would use to describe the list of files and
folders that ransomware attacks - some of them include
file-type lists which are several hundred long. Much longer
than that and you're either going off into the weeds and
encrypting file-types very few people use, or you're going to
encrypt a file such that it will disable the operating system
itself.
It's very hard to get money out of someone if you kill the
mechanism that is used to show people how to pay.
CureMD: What should
computer operators do if they suspect CryptoWall/ransomware is
present in their organization's systems?
Lysa: If files are
encrypted and you don't have known-good backup, you may be in
a difficult situation. This is one of many reasons why backing
up data is so very important. It may be worthwhile to do a
quick internet search to see if there is a decryptor available
from a reputable source. It’s rare that this is the case, but
it certainly can’t hurt to check.
CureMD: What steps can a
small-medium sized practice take in order to implement a
successful preventive strategy?
Lysa: We have written
extensively on this topic. You can find some great tips
here.
CureMD: What factors
increase the vulnerability of a practice?
Lysa: Not having a viable
backup is certainly a significant way to increase
vulnerability to damage from a variety of issues, including
ransomware. Being slow about updating software can increase
vulnerability to malware, as can not having up-to-date
anti-malware software and a firewall, and being incautious about
opening unexpected files arriving in email.
CureMD: What measures
should the healthcare sector take in order to increase
security against cyber threats?
Lysa: Risk assessment and
remediation is step one. Then comes implementing the Principle of
Least Privilege, which is another way of saying "Don't give users
more access than they legitimately need." Many attackers and
malware infections spread from one department to another
because users and systems are granted way more access than
necessary. By limiting access, you can limit spread.
Aryeh: HIPAA compliance and
the nature of the healthcare computing industry make keeping
systems up to date extremely difficult. You can start by
requiring vendors to provide regular, periodic updates for and
upgrades to computers which are compatible with the latest,
patched versions of those computers' operating systems.
Software should never require administrator privileges to run,
nor should it require making unusual modifications to or
disabling firewalls or proxy servers.
This
should be an explicit requirement for all tenders and
procurements.
CureMD: What would be a
good back up strategy for small-medium sized practices,
against threat of ransomware?
Lysa: Backup off the
machine, backup offline, and backup offsite. Having these
three backups will help in the maximum number of scenarios.
Aryeh: It's not enough just
to have multiple backups if the backups themselves are subject
to being encrypted. A backup system must have robust
versioning control, and also have an offline component so that
if the backup accounts or computers are affected, recovery is
still possible from the offline backups.

June 14, 2016
Guest Bio:
Aryeh is ESET’s Distinguished Researcher and has been with
the company for over ten years. A twenty-seven-year
veteran of fighting viruses, today he is responsible for
threatscape monitoring, investigations and working with
researchers in and outside of ESET globally.
He has received industry awards from Microsoft, Lenovo and
Securing our eCity for his efforts to help make computing
safer.
Lysa began her career in Information Security in the malware
research labs of McAfee in the weeks before the Melissa
virus outbreak in 1999. As the Internet has grown in
popularity, she’s been motivated to help mitigate the
harmful effects of a lack of adequate security education.
Over the years, Lysa has worked within anti-malware
research labs and in testing organizations to help improve
computer security products. Lysa is a security researcher
at ESET.