A Socio-technical Approach to Preventing, Mitigating, and Recovering from Ransomware Attacks

Dr. Singh’s research is supported by the VA Health Services Research and Development Service (CRE 12–033; Presidential Early Career Award for Scientists and Engineers USA 14–274), the VA National Center for Patient Safety, the Agency for Health Care Research and Quality (R01HS022087 and R21 HS 023602) and in part by the Houston VA HSR&D Center for Innovations in Quality, Effectiveness and Safety (CIN 13–413).
25 April 2016
accepted: 13 June 2016
16 December 2017 (online)
Recently there have been several high-profile ransomware attacks involving hospitals around the world. Ransomware is intended to damage or disable a user’s computer unless the user makes a payment. Once the attack has been launched, users have three options: 1) try to restore their data from backup; 2) pay the ransom; or 3) lose their data. In this manuscript, we discuss a socio-technical approach to address ransomware and outline four overarching steps that organizations can undertake to secure an electronic health record (EHR) system and the underlying computing infrastructure. First, health IT professionals need to ensure adequate system protection by correctly installing and configuring computers and the networks that connect them. Next, health care organizations need to ensure more reliable system defense by implementing user-focused strategies, including simulation and training on correct and complete use of computers and network applications. Concomitantly, the organization needs to monitor computer and application use continuously in an effort to detect suspicious activities and identify and address security problems before they cause harm. Finally, organizations need to respond adequately to and recover quickly from ransomware attacks and take actions to prevent them in the future. We also elaborate on recommendations from other authoritative sources, including the National Institute of Standards and Technology (NIST). Similar to approaches to address other complex socio-technical health IT challenges, the responsibility of preventing, mitigating, and recovering from these attacks is shared between health IT professionals and end-users.
Citation: Sittig DF, Singh H. A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks.