The Do's and Don'ts of a Ransomware Incident Response


If you work with any electronic data, you’ve probably at least heard the term ransomware. 

If you haven’t, it’s a form of malware that attackers use for financial gain.

They get into a network, encrypt the files they can reach, and demand a fee for the decryption key. In most cases, though, attackers do more than block access to data. They may also threaten to delete what they have taken, or to publish it on criminal forums, if the victim doesn’t pay. 

This kind of attack creates a sticky situation for your organization. It leads to…

  • Loss of data

  • Financial loss, often running to thousands of dollars

  • Interruptions in service

Unfortunately, we’ve yet to see the worst of these attacks, because they keep happening more often. In fact, 2019 saw the highest number of ransomware incidents to date.

But of every industry, healthcare providers have the biggest target on their backs, since they deal with such valuable information.

At least 764 providers fell victim to this type of attack in 2019 alone. With the constant risk, these organizations must do everything they can to prevent attacks. But no matter how many steps they take, an incident can still happen.

So what should your organization do if you fall victim to an attack? Well, it all depends on your ransomware incident response. 


Don't Panic

Imagine that when you come into work in the morning, you see a message on your computer stating that you no longer have access to your healthcare practice’s data. Not only that, but it says the only way you can retrieve this data is to pay an anonymous account thousands of dollars in bitcoin.

What a way to wake up, right? Your heart begins to pound and you start to sweat. How could this happen?

You begin to consider all the measures you took to prevent this, what more you could’ve done, and how this might ruin your practice. 

It’s no surprise that fear would be an immediate response to discovering that your organization got hacked. It’s difficult not to worry when these can have major repercussions on a company. 

But it’s important not to panic.

Take some time to gather your thoughts and relax before making any drastic decisions. Stress and anxiety interfere with decision making.

A study from The Journal of Neuroscience determined that anxiety affects the prefrontal cortex (PFC) region of the brain. It disrupts PFC-mediated functions such as flexible decision making.

Decision making and flexible control of behavior depend on the proper functioning of the PFC. But anxiety can skew decision making since it suppresses the spontaneous activity of PFC neurons. Now, I know this sounds pretty scientific. But the point is that anxiety affects the brain in a way that often leads to bad decision-making.


This is especially true when there are conflicts or distractions. Because of this, it’s important not to panic in the situation of a ransomware attack or make any quick decisions during the initial stress.

Instead, acknowledge what happened, take a couple deep breaths and accept the long day ahead of you.

Do Inform Your Staff ASAP

After you’ve had some time to settle from the initial shock, you need to tell your team. While they’re bound to realize it themselves soon enough, they should hear it from you immediately.

The sooner they know, the faster everyone can work together to solve the daily workflow problems. And if the attack started with something like a phishing email, other staff need to know what the message looked like so they don’t open it too. Tell them what not to do as well: a machine showing the ransom note should not be used or reconnected to the network, because the malware can keep spreading to shared drives from it. 


Your practice will need all your staff involved in its ransomware incident response. Sure, they might not all be resolving it first-hand. But they all need to understand the effects it has on the company so they know of any workflow changes.

This way they can inform clients of any process interruptions and they can make adjustments to care as quickly as possible so that it doesn’t affect your patients.

Don't Leave Your Customers in the Dark

I just mentioned that updating your staff is important so they can tell clients about any changes. 

While you might want to try resolving things before making your customers worry, it’s better to notify them early. 

It’s only a matter of time before they learn about the situation you’re dealing with, especially if your services come to a halt or need to change.


Or even worse, they might discover it months later, after an external company notifies them about their information. If clients find out on their own, they’ll lose trust in your organization entirely, because it will seem like you were hiding the situation from them.

If that happens, you’ll have to also spend time repairing your negative brand image on top of everything else on your plate.

Notifying your customers as soon as possible is necessary so they can watch for threats to their data. For a healthcare provider it is usually also a legal obligation, not just a courtesy, since patient records are regulated. Even though it’s an unpleasant situation, they’ll be thankful that your practice was honest. 

Do Retrain All Employees

Simply informing employees that an attack happened isn’t enough for your ransomware incident response. This is also a teachable moment.

When hacks occur, the organization should host a series of retraining sessions to remind employees of how to handle the situation. This helps them know what they should and shouldn’t do, especially if they’re in the middle of an appointment with a patient. 

But more importantly, they need training on how to avoid future hacks.

Ransomware infections often start with human error. Managed service providers reported the ransomware delivery methods their clients experienced. The most common method of infection in North America was spam and phishing email.

Not only that, but 36% of attacks were attributed to a lack of cybersecurity training. In the chart below, you’ll notice that all of the included methods are avoidable with proper employee training.

While your staff may always know that the risk is there, an actual attack will still come as unexpected and it’s an opportunity to educate. People can learn more ways for preventing attacks, how to prepare for the potential risk, and how best to handle one if it ever happens again. 

Don't Go in Alone

You might think your organization is fully capable of dealing with these situations alone. While that very well might be true, it’s still best to reach out to appropriate authorities for help.

These experts can help further the investigation and give advice on the situation. The Federal Bureau of Investigation (FBI) is one organization that helps deal with these attacks. Victims can contact their local FBI field office for assistance or submit a tip online. 


Hopefully, it’s the first time you’ve dealt with this kind of attack. If that’s true then no matter how much you think you know about the situation, there might be some important details you’ll miss. 

These attacks can have different impacts as well, so experts who have dealt with many cases can provide more insight into the investigation. They help determine and advise on the best course of action.

Do Evaluate Security Measures

Make sure that part of your ransomware incident response is evaluating security measures.

Throughout the resolution process, consider ways that you could have better protected against the hack. While it’s inevitable that hackers will target healthcare organizations, there are ways to reduce risk and damage.

For example, encrypting stored data at rest means that a copy taken without the keys can’t be read, sold, or used. This matters because attackers often copy data before locking it, so even if an organization pays the ransom, the group that took it could still hold copies to sell. One caveat: encryption at rest does not stop an attacker who is already operating on a machine with a logged-in user’s access, since the data decrypts for them just as it does for the user. It complements access controls and backups rather than replacing them. 


Did your practice have recent backups of records?

This is a crucial question, because if an attacker locks your systems, a practice with a good backup can restore from it and carry on as if nothing happened. That way, you don’t need to pay anything for the locked data, since you still have a copy of all your records. Two conditions apply. The backup must be kept offline or otherwise unreachable from the production network, because ransomware routinely encrypts or deletes any backup it can reach. And you must actually test restoring from it, since a backup that has never been restored is an assumption rather than a plan. Backups should also be encrypted, so that a stolen backup copy can’t be read or sold. 
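One way to make the question "is the backup still good?" answerable, as an added example rather than anything from the original article: write a manifest of file hashes when the backup is taken, and later compare the backup copy against it. Files whose hash no longer matches and whose contents look like random data (high Shannon entropy) are the signature of a backup that was reachable by the ransomware. The directory layout, sample record files and tampering in `demo()` are constructed for the example, and the threshold of 7.5 bits per byte is an assumption chosen to flag encrypted content, not a figure from the page.

```python
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Added example (not from the original article): hash-manifest verification of a
# backup tree, with an entropy check to flag files that look ransomware-encrypted.


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or random data approaches 8.0, plain text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256, taken at backup time."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict, backup_root: Path, entropy_threshold: float = 7.5) -> dict:
    """Compare a backup tree against the manifest written when the backup was taken.

    Returns lists of files that are intact, missing, changed, and changed *and*
    high-entropy. The last group is the ransomware signature: ciphertext where
    the manifest says there should be readable records. The 7.5 threshold is an
    assumption chosen for this example.
    """
    report = {"ok": [], "missing": [], "changed": [], "suspected_encrypted": []}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) == expected:
            report["ok"].append(rel)
            continue
        report["changed"].append(rel)
        if shannon_entropy(p.read_bytes()) >= entropy_threshold:
            report["suspected_encrypted"].append(rel)
    return report


def demo() -> dict:
    """Build a small constructed record set, back it up, tamper with the backup, verify."""
    work = Path(tempfile.mkdtemp())
    try:
        source, backup = work / "records", work / "backup"
        source.mkdir()
        # Constructed sample records; not real patient data.
        (source / "patient_0001.txt").write_text("Visit 2019-03-02: follow-up, BP 120/80.\n" * 40)
        (source / "patient_0002.txt").write_text("Visit 2019-04-11: annual physical, no findings.\n" * 40)
        (source / "schedule.csv").write_text("date,room,provider\n2019-05-01,3,Dr. A\n" * 40)

        manifest = build_manifest(source)  # taken at backup time...
        shutil.copytree(source, backup)
        (work / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Simulate the failure mode the text warns about: the backup share was reachable
        # from the infected network, so one file got encrypted (random bytes stand in
        # for ciphertext) and another was deleted before anyone tried to restore.
        (backup / "patient_0002.txt").write_bytes(os.urandom(4096))
        (backup / "schedule.csv").unlink()

        # ...and checked later, from the stored manifest rather than the live source.
        stored = json.loads((work / "manifest.json").read_text())
        return verify_backup(stored, backup)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:20s} {files}")
```

Calling `demo()` returns the report with `patient_0001.txt` intact, `schedule.csv` missing, and `patient_0002.txt` both changed and flagged as suspected encrypted. In a real deployment the manifest belongs on write-once or offline media next to the backup, so an attacker who can alter the backup cannot also rewrite the manifest to match; the same check run after a test restore is what turns "we have backups" into evidence.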

Another best practice is conducting frequent risk analyses.

This helps identify and assess the factors that could put data at risk. If your organization doesn’t perform them, it will be harder to know whether you’re exposed to a ransomware attack. While it might seem too late for this after an attack, it’s still necessary, to find out whether other risks remain. If there are system vulnerabilities, patch and fix them immediately, starting with the ones on the path the attacker actually used and anything reachable from the internet. 

Don't Instantly Pay The Ransom

If you don’t have a backup of records, you might think the only option you have is to pay the ransom. And if the attacker threatens to delete files, you might want to pay sooner rather than later.

But this isn’t always the best idea. As I mentioned before, the FBI assists with these attacks, and it advises organizations not to pay the ransom. Its reasoning is practical rather than moral: payment doesn’t guarantee recovery, and every payment funds the next attack. 


Paying doesn’t guarantee you get any data back. Even if victims pay, there’s the risk that the attacker will still delete or leak files, or that the decryption key won’t work or recovers only part of the data. If that happens, not only has your organization lost a lot of money, but you’ve also lost your patients’ protected health information (PHI).

And if you lose patient information, you could lose even more money. A survey of 12,000 consumers found that 65% would demand compensation if the company couldn’t restore their data. Even worse, 44% would stop using the company altogether. 


Paying off a ransom also encourages and fuels hackers to target more victims. If it proves effective with one organization, then they know it can be effective on others. This offers an incentive for hackers to continue their illegal actions, and others will also seek to get involved with this activity. 

Conclusion

No matter how much your organization tries to prevent data breaches, they could still happen.

Hackers continue to target healthcare organizations, especially with ransomware attacks. They know that these companies can’t afford to lose such valuable information or suffer from downtime. 

But paying up isn’t always the best solution.

Authorities don’t recommend it because it’s what fuels hackers to continue targeting others. Experts can help victims resolve these and make sure they don’t overlook any other problems.