Protecting your Organization from Ransomware

Quality Quarterly Article

The 2021 wave of ransomware attacks has washed over every major business sector — including health care. Moreover, a Wall Street Journal article dated June 10 pointed out that one group of ransomware criminals is specifically targeting hospitals. This unfortunate reality strongly suggests that everyone in the CHA/HQI community should be working to avoid becoming a ransomware victim. This article will discuss high-priority items for organizations to pursue in that effort and identify some important strategies that sometimes get overlooked. Together, this information will hopefully help bolster your barriers against ransomware. 

Maintain Best Practices for Your System Security 

To start with the obvious, invest in tried-and-true capabilities that implement and enforce security best practices. Maintain your software integrity with antivirus (end point) protection and an appropriate patching strategy. Make sure your network and infrastructure systems (email, domain name services , intrusion prevention systems , firewalls, etc.) are properly architected and secure. Ensure that the user end of the technology spectrum (client workstations, mobile devices, USB-based hardware, etc.) is also managed with security in mind. Seriously consider the use of dual-factor authentication where password-only log on verification is insufficient. A solution that generates an unpredictable stream of cleverly written fake phishing emails with tempting links therein can keep your employees on their toes and help them become one of the stronger links in your chain of defenses. Finally, make sure your critical, security-savvy information technology (IT) personnel are happily employed (allowing their institutional knowledge to stay in place), but make sure you can quickly recruit new IT talent when needed.

Consider Backing Up for Longer Periods 

Despite the best intentions of your information security training program, it’s always possible that one of your programmers could click on a malicious web link while logged on to a critical server. That could trigger installation and execution of a program that encrypts important files and makes your organization the next ransomware headline. If you have a backup from the previous night, you can recover from it and resolve the problem. But what if the triggered encryption execution is timed to happen 10 days after the program’s installation and you only have backups for the most recent week? In this situation, your team will be recovering from server backups taken when the server was already infected by the malicious program.  That means the bad guys could trigger program execution and encrypt your files again. Given this risk, evaluate retaining backups across a wider span of time. A larger set of backups will offer you more restore points to bail yourself out in the event of a ransomware attack.

Rebuilding Instead of Recovering 

Systems that run your data tier may require a recovery-from-backup operation to re-establish functionality in the event of an attack. But how about your application tier systems and your user workstations? Many of these systems can simply be rebuilt. With the help of configuration gold lists, virtual desktops, and provisioning tools, rebuilds can be used more widely and executed quickly. It is important to clearly distinguish and document what requires recovery vs. what can simply be rebuilt. In addition, you must have restoration plans for any information and tools used to support the recovery and rebuild functions. Of course, whatever strategy mix you come up with must be tested. It may seem odd, but if you can transform your systems into resources that can suddenly be wiped and then quickly and successfully resume processing with minimal impact, the less vulnerable you will be to a ransomware attack.

Unplug from the Network 

Information technology applications have improved significantly over the years but placing them on a pathway to the internet has made them more exposed. Must the benefit of the former always come with the risks of the latter? A system that runs on a completely dedicated network will inevitably be safer from ransomware than one that does not. Can some of your important systems be configured to run on an isolated, private network? How about running them without any network at all? Consider critical devices such as those that provide direct care to patients. Must they be dependent on a database server that is located several hops away on your public network, or is there a better way to keep these critical systems running and at a lower risk of being attacked? You won’t know unless you check.

Vigilance is Necessary but Not Easy 

Software-driven attacks such as ransomware will continue to evolve and the skills of those who design and launch such attacks will continue to improve. This means that organizations that merely maintain a security status quo will fall behind. This predicament cannot be addressed by purchasing a “100% Security in a Box” solution, as none exist. There is no single answer to the problem. Instead, there is a set of ever-evolving responses that you and your team need to stay on top of. Deploying a healthy mix of security-focused capabilities in a multi-layered defense approach is your best way to avoid being submerged by ransomware.

If you have more questions about how to protect your organization from ransomware, contact Tim Rehwald.