A Socio-technical Approach to Preventing, Mitigating, and Recovering from Ransomware Attacks

 

 Permissions and Reprints

Summary

Recently there have been several high-profile ransomware attacks involving hospitals around the world. Ransomware is intended to damage or disable a user’s computer unless the user makes a payment. Once the attack has been launched, users have three options: 1) try to restore their data from backup; 2) pay the ransom; or 3) lose their data. In this manuscript, we discuss a socio-technical approach to address ransomware and outline four overarching steps that organizations can undertake to secure an electronic health record (EHR) system and the underlying computing infrastructure. First, health IT professionals need to ensure adequate system protection by correctly installing and configuring computers and networks that connect them. Next, the health care organizations need to ensure more reliable system defense by implementing user-focused strategies, including simulation and training on correct and complete use of computers and network applications. Concomitantly, the organization needs to monitor computer and application use continuously in an effort to detect suspicious activities and identify and address security problems before they cause harm. Finally, organizations need to respond adequately to and recover quickly from ransomware attacks and take actions to prevent them in future. We also elaborate on recommendations from other authoritative sources, including the National Institute of Standards and Technology (NIST). Similar to approaches to address other complex socio-technical health IT challenges, the responsibility of preventing, mitigating, and recovering from these attacks is shared between health IT professionals and end-users.

Citation: Sittig DF, Singh H. A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks.

• References

• 1 Kandel J, Kovacik R. Hollywood Hospital ‘Victim of Cyber Attack’. NBC4 News. February 12, 2016 Available at: http://www.nbclosangeles.com/news/local/Hollywood-Hospital-Victim-of-Cyber-At tack-368574071.html
  PubMedGoogle Scholar
• 2 Steffen S. Hackers hold German hospital data hostage. Made for Minds. 25 February 2016 Available at: http://dw.com/p/1I2Xu
  PubMedGoogle Scholar
• 3 Olenick D. The Ottawa Hospital fends off ransomware attack. SC Magazine. 14 March 2016 Available at: http://www.scmagazine.com/the-ottawa-hospital-fends-off-ransomware-attack/article/482921/
  PubMedGoogle Scholar
• 4 Krebs B. Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection. Krebsonsecurity.com. March 16, 2016 Available at: http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-emergency-after-ransomware-infection/
  PubMedGoogle Scholar
• 5 Simms B. FBI investigating computer virus at MedStar Health. WBALTV11.com. March 29, 2016 Available at: http://www.wbaltv.com/news/fbi-investigating-computer-virus-at-medstar-health/38731548
  PubMedGoogle Scholar
• 6 Gallagher S. Two more healthcare networks caught up in outbreak of hospital ransomware. Ars Technica. March 29, 2016 Available at: http://arstechnica.com/security/2016/03/two-more-healthcare-networks-caught-up-in-outbreak-of-hospital-ransomware/
  PubMedGoogle Scholar
• 7 Sullivan T. More than half of hospitals hit with ransomware in last 12 months. Health IT News. April 07, 2016 Available at: http://www.healthcareitnews.com/news/more-half-hospitals-hit-ransomware-last-12-months
  PubMedGoogle Scholar
• 8 Sittig DF, Classen DC, Singh H. Patient safety goals for the proposed Federal Health Information Technology Safety Center. J Am Med Inform Assoc 2015; 22 (02) 472-478 doi: 10.1136/amiajnl-2014–002988.
  PubMedGoogle Scholar
• 9 Fischer T. Private and Public Key Cryptography and Ransomware. Center for Internet Security (CIS). December 2014 Available at: https://msisac.cisecurity.org/whitepaper/documents/10.pdf
  PubMedGoogle Scholar
• 10 Gazet A. Comparative analysis of various ransomware virii. Journal in computer virology 2010; Feb 1; 06 (01) 77-90.
  CrossrefPubMedGoogle Scholar
• 11 Mun J. Trojan.Gpcoder. Symantec. May 22, 2005 Available at: https://www.symantec.com/security_re sponse/writeup.jsp?docid=2005-052215-5723-99
  PubMedGoogle Scholar
• 12 Giri BN, Jyoti N. The Emergence of Ransomware. 9th Annual Association of anti-Virus Asia Researchers (AVAR) International Conference – Digital Security: Prevention to Prosecution. Auckland, NZ: 2006 Available at: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.169.5881&rep=rep1&type=pdf
  PubMedGoogle Scholar
• 13 Largent W. Ransomware: Past, Present, and Future. April 11, 2016 Available at: http://blog.talosintel.com/2016/04/ransomware.html
  PubMedGoogle Scholar
• 14 United States Computer Emergency Readiness Team. Alert (TA16–091A): Ransomware and Recent Variants. Original release date. March 31, 2016 Available at: https://www.us-cert.gov/ncas/alerts/TA16-091A
  PubMedGoogle Scholar
• 15 National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity. Version 1.0 February 12, 2014 Available at: http://www.nist.gov/cyberframework/upload/cy bersecurity-framework-021214.pdf
  PubMedGoogle Scholar
• 16 Sittig DF, Singh H. Electronic health records and national patient-safety goals. N Engl J Med 2012; 367 (19) 1854-1860 doi: 10.1056/NEJMsb1205420.
  CrossrefPubMedGoogle Scholar
• 17 Singh H, Sittig DF. Measuring and improving patient safety through health information technology: The Health IT Safety Framework. BMJ Qual Saf 2016; 25 (04) 226-232 doi: 10.1136/bmjqs-2015–004486.
  CrossrefPubMedGoogle Scholar
• 18 Gallagher S. Maryland hospital: Ransomware success wasn’t IT department’s fault: MedStar denies ransom payment, denies earlier JBoss bugs played role. Ars Technica. Apr 7, 2016 Available at: http://arstechnica.com/security/2016/04/maryland-hospital-group-denies-ignored-warnings-allowed-ransomware-attack/
  PubMedGoogle Scholar
• 19 Gallagher S. Maryland hospital group hit by ransomware launched from within [Updated] Samsam malware injected into network from exploited web app server at MedStar. Ars Technica. March 31, 2016 Available at: http://arstechnica.com/security/2016/03/maryland-hospital-group-hit-by-ransomware/
  PubMedGoogle Scholar
• 20 DHHS Office for Civil Rights. HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework. Available at: http://www.hhs.gov/sites/default/files/NIST%20CSF%20to%20HIPAA%20Security%20Rule%20Crosswalk%2002–22–2016%20Final.pdf
  PubMedGoogle Scholar
• 21 Wright A, Sittig DF. Security threat posed by USB-based personal health records. Ann Intern Med 2007; Feb 20; 146 (04) 314-5.
  CrossrefPubMedGoogle Scholar
• 22 Hoffman C. How To Spot A Dangerous Email Attachment. 20 Jan 2014 Available at: http://www.make useof.com/tag/spot-dangerous-email-attachment/)
  PubMedGoogle Scholar
• 23 DNS-BH – Malware Domain Blocklist. Available at: http://www.malwaredomains.com/
  PubMedGoogle Scholar
• 24 Protection of Information Assets: CISA Tutorial. Available at: http://www.simplilearn.com/protection-of-information-assets-cisa-tutorial-video
  PubMedGoogle Scholar
• 25 Scarfone K, Souppaya M, Cody A, Orebaugh A. Technical Guide to Information Security Testing and Assessment: Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800–115. September 2008 Available at: http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
  PubMedGoogle Scholar
• 26 Youngstrom N. Hospital Uses Fake Phishing Emails in Security Training; Will Move to Gamification. Report on Medicare Compliance. 25. 17; May 9, 2016
  PubMedGoogle Scholar
• 27 Van Vlasselaer V, Bravo C, Caelen O, Eliassi-Rad T, Akoglu L, Snoeck M, Baesens B. APATE: A novel approach for automated credit card transaction fraud detection using network-based extensions. Decision Support Systems 2015; 75: 38-48.
  CrossrefPubMedGoogle Scholar
• 28 Bilge L, Dumitras T. Before we knew it: an empirical study of zero-day attacks in the real world. In Proceedings of the 2012 ACM conference on Computer and communications security 2012; Oct 16 833-844.
  PubMedGoogle Scholar
• 29 Singh H, Classen DC, Sittig DF. Creating an oversight infrastructure for electronic health record-related patient safety hazards. J Patient Saf 2011; 07 (04) 169-174 doi: 10.1097/PTS.0b013e31823d8df0.
  CrossrefPubMedGoogle Scholar
• 30 Sittig DF, Gonzalez D, Singh H. Contingency planning for electronic health record-based care continuity: a survey of recommended practices. Int J Med Inform 2014; 83 (11) 797-804 doi: 10.1016/j.ijmedinf.2014.07.007.
  CrossrefPubMedGoogle Scholar
• 31 Siwicki B. Tips for protecting hospitals from ransomware as cyberattacks surge. HealthIT News. April 6, 2016 Available at: http://www.healthcareitnews.com/news/tips-protecting-hospitals-ransomware-cyber-attacks-surge
  PubMedGoogle Scholar
• 32 Sittig DF, Singh H. A new sociotechnical model for studying health information technology in complex adaptive healthcare systems. Quality and Safety in Health Care 2010; 19 (Suppl. 03) i68-i74.
  CrossrefPubMedGoogle Scholar