Lysa: Small- to medium-sized practices are very much at risk. In a lot of ways these organizations are more attractive to criminals, as they are less apt to have someone on staff who is focusing on a clinic's data and network security.
While it may not be as big of a potential payday as hitting a big hospital, hitting several small practices can quickly equal the payout of a single larger business.
Lysa: Ransomware gets on people's machines through attachments to email, through vulnerabilities, etc. It's hard to generalize about this, as criminals add to their repertoire on a regular basis.
Aryeh: Ransomware authors have gotten a lot better over the years about not drawing attention to attacks until after they have completely finished encrypting all of a victim's files. For many victims, the first notification is the extortion message from the ransomware.
CureMD: What's the most cost effective prevention strategy for a small-medium sized practice?
Lysa: Both the most important and most cost-effective thing I would recommend healthcare practices should do to improve their security is to perform regular and ongoing risk assessments.
If you don't have a clear picture of what you're trying to protect, you may overspend in some areas and totally overlook others. Performing a risk assessment allows you to put your resources to their best use.
CureMD: Does a typical ransomware only 'attack' certain folders/file types?
Lysa: I'm not sure "only" is the word I would use to describe the list of files and folders that ransomware attacks - some of them include file-type lists which are several hundred long. Much longer than that and you're either going off into the weeds and encrypting file-types very few people use, or you're going to encrypt a file such that it will disable the operating system itself.
It's very hard to get money out of someone if you kill the mechanism that is used to show people how to pay.
CureMD: What should computer operators do if they suspect CryptoWall/ransomware is present in their organization's systems?
Lysa: If files are encrypted and you don't have known-good backup, you may be in a difficult situation. This is one of many reasons why backing up data is so very important. It may be worthwhile to do a quick internet search to see if there is a decryptor available from a reputable source. It’s rare that this is the case, but it certainly can’t hurt to check.
CureMD: What steps can a small-medium sized practice take in order to implement a successful preventive strategy?
Lysa: We have written extensively on this topic. You can find some great tips here.
CureMD: What factors increase the vulnerability of a practice?
Lysa: Not having a viable backup is certainly a significant way to increase vulnerability to damage from a variety of issues, including ransomware. Being slow about updating software can increase vulnerability to malware, as can not having up-to-date anti-malware software plus a firewall, and being incautious about opening unexpected files arriving in email.
CureMD: What measures should the healthcare sector take in order to increase security against cyber threats?
Lysa: Risk assessment and remediation is step one. Step two is implementing the Principle of Least Privilege, which is another way of saying "Don't give users more access than they legitimately need." Many attackers and malware infections spread from one department to another because users and systems are granted way more access than necessary. By limiting access, you can limit spread.
Aryeh: HIPAA compliance and the nature of the healthcare computing industry make keeping systems up to date extremely difficult. You can start by requiring vendors to provide regular, periodic updates for and upgrades to computers which are compatible with the latest, patched versions of those computers' operating systems. Software should never require administrator privileges to run, nor should it require making unusual modifications to or disabling firewalls or proxy servers.
This should be an explicit requirement for all tenders and procurements.
CureMD: What would be a good backup strategy for small-medium sized practices against the threat of ransomware?
Lysa: Backup off the machine, backup offline, and backup offsite. Having these three backups will help in the maximum number of scenarios.
Aryeh: It's not enough just to have multiple backups if the backups themselves are subject to being encrypted. A backup system must have robust versioning control, and also have an offline component so that if the backup accounts or computers are affected, recovery is still possible from the offline backups.
June 14, 2016
Aryeh is ESET’s Distinguished Researcher and has been with the company for over ten years. A twenty-seven year veteran of fighting viruses, today he is responsible for threatscape monitoring, investigations and working with researchers in and outside of ESET globally.
He has received industry awards from Microsoft, Lenovo and Securing our eCity for his efforts to help make computing safer.
Lysa began her career in Information Security at the malware research labs of McAfee in the weeks before the Melissa virus outbreak in 1999. As the Internet has grown in popularity, she’s been motivated to help mitigate the harmful effects of a lack of adequate security education. Over the years, Lysa has worked within anti-malware research labs and in testing organizations to help improve computer security products. Lysa is a security researcher for ESET.