The US healthcare industry breathed a collective sigh of relief when the recent ransomware attack, WannaCry, appeared to bypass the United States. But the Department of Health and Human Services (HHS) is warning the nation’s providers that the threat might not be over.
According to a June 6, 2017, article in Healthcare Data Management Magazine, HHS has indicated that at least two large multi-state hospital systems “are continuing to face significant challenges to operations” as a result of WannaCry malware.
Does that mean US hospitals were affected? Or that a new attack has been detected? Not according to the HHS Office of the Assistant Secretary for Preparedness and Response. But the risk remains for Windows computers that still have not received the recent Microsoft patches, and for systems that were patched only recently and may already have been infected. Also, in the last couple of days, security experts are warning of another hack called ExplodingCan, which was created by the same group that developed WannaCry and targets computers running Microsoft Windows 2003 (which is still being run on approximately 375,000 computers worldwide).
But ransomware like WannaCry and the new ExplodingCan isn’t the only persistent cybersecurity risk facing healthcare providers. According to HIPAA Journal, 47% of data breaches reported in April 2017 were caused by hacking/IT incidents. While WannaCry infected computers by exploiting a software vulnerability that remained open on unpatched machines, other hacking occurs through more common human actions like clicking on a link or entering information in a redirected website that looks valid.
So how do healthcare organizations protect themselves from cyberattacks?
Prepare for the Inevitable
First the bad news. “A breach is not a matter of if, but when,” warns Theresa Meadows, co-chair of the Health Care Industry Cybersecurity Task Force. “Everybody is going to experience some level of this type of issue. One of the most important takeaways from the task force report is knowing your plan of action when a situation occurs so you can mitigate and recover from such an event.”
That means healthcare organizations should have both a HIPAA-required plan in place for notifying clients and/or patients of potential breaches along with a secure backup and restore process that would allow them to lose as little data … and time … as possible.
“If hackers really want to get you, they’re going to find a way to get in and do it,” says Matthew Simpson, CIO of CIPROMS. “It’s really important to have good backups and be able to restore from them.”
IT Best Practices
But just because cyberattacks likely will happen doesn’t mean organizations should make it easy for the hackers. WannaCry was a wakeup call throughout the healthcare industry to follow basic IT security protocols:
- Patch vulnerable systems as quickly as possible after patches are released. (To protect against WannaCry specifically, the Department of Homeland Security advises: “Microsoft released a patch in March that addresses this specific vulnerability, and installing this patch will help secure your systems from the threat.”)
- Upgrade to newer versions that are still supported by developers. (In the instance of the new ExplodingCan hack, Microsoft no longer even supports Windows 2003 and no patches are available.)
- Use multiple virus-scanning systems with up-to-date definitions on all devices.
- Utilize user-specific access controls to keep employees from accessing unnecessary websites, applications, network drives, etc.
- Reimage potentially affected devices, which might have a virus running in the background.
Cybersecurity Is Not Just for IT
Beyond that, Simpson says the most important thing to remember about cybersecurity is that it’s not just an IT problem. “Preventing a virus or other cyberattack is not just IT’s responsibility but all employees’.”
For instance, in his experience most viruses get into computers and networks through careless clicking on links in emails and websites, or by bringing an infected file in on a flash drive. To reduce the chance of a successful cyberattack, CIPROMS blocks most social media sites on company networks, bans the use of flash drives by employees, and runs as many as three different virus-scanning products on all network computers.
But keeping employees from clicking on a link or accessing a redirected and/or replicated website takes education and training. As a basic guideline, Simpson tells employees, “If it looks suspicious, don’t click or open it. Question it first.” More specifically, he recommends:
- If you get an email from someone you don’t know, do not click any links or open any attachments.
- If you get an email from someone you DO know but with unusual or unexpected links or attachments, don’t open or click them without independently confirming their legitimacy (like through a text message or phone call).
- If you get an email from a vendor or government agency you don’t use, don’t click on a link or open an attachment.
- If you get an email from a vendor or government agency you DO use, examine the email address it came from and the URLs of all links before you click on them. Is the address one you normally use to communicate with them or visit them online? If not, don’t click on a link or open an attachment.
- Don’t be fooled by “branded” emails with official logos or fonts. Anyone can snag a logo or other branding items from a company website to make an email look more legitimate.
- Be aware of the URL of any website where you are entering personal information to ensure you haven’t been redirected to another site.
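The sender and link checks in the list above can be applied mechanically before a message ever reaches an inbox. The following is an added example, not code from the article or from CIPROMS: a small Python triage script that takes a raw email, compares the sender's domain against an allow-list of vendor and agency domains the organization actually uses, and inspects every link in an HTML body for a destination outside that list, a raw IP address, a known domain buried inside an unknown host, or visible link text that names one site while the link goes to another. The allow-list, the `clinic.example` recipient and both sample messages are constructed for the example; the two-label `registrable_domain` shortcut is a simplification (a production tool would use the Public Suffix List).

```python
"""Email link triage (added example; domains, addresses and messages are constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains the organization really uses to talk to
# vendors and agencies. In practice this comes from the vendor records.
KNOWN_DOMAINS = {"examplevendor.com", "hhs.gov"}

IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable_domain(host):
    """Last two labels of a hostname: 'mail.hhs.gov' -> 'hhs.gov' (simplification)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def check_link(href, text):
    """Return findings for one link; an empty list means nothing looked odd."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host:
        return [f"unparseable or non-web link: {href!r}"]
    if IP_LITERAL.match(host):
        findings.append(f"link points at a raw IP address: {host}")
        dom = host
    else:
        dom = registrable_domain(host)
        if dom not in KNOWN_DOMAINS:
            findings.append(f"link domain {dom!r} is not one we use")
            # Lookalike: a known domain used as a label inside an unknown host,
            # e.g. hhs.gov.example.net
            for known in KNOWN_DOMAINS:
                if known in host and dom != known:
                    findings.append(f"host {host!r} embeds known domain {known!r}")
    # Visible text that shows a URL for a different host than the real target
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != dom:
        findings.append(f"link text shows {shown.group(1)!r} but goes to {host!r}")
    return findings


def _text_parts(msg):
    """Decode every text/* part of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def triage(raw_message):
    """Apply the sender and link rules to a raw message.
    Returns (verdict, findings) with verdict 'ok' or 'suspicious'."""
    msg = message_from_string(raw_message)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_dom = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    if sender_dom not in KNOWN_DOMAINS:
        findings.append(f"sender domain {sender_dom!r} is not one we use")
    for href, text in extract_links(_text_parts(msg)):
        findings.extend(check_link(href, text))
    return ("suspicious" if findings else "ok"), findings


# Constructed sample messages: one impersonating an agency, one legitimate.
SAMPLE_PHISH = """\
From: HHS Notifications <alerts@hhs.gov.example.net>
To: billing@clinic.example
Subject: Action required: patch verification
Content-Type: text/html; charset=utf-8

<p>Confirm your systems are patched at
<a href="http://203.0.113.10/verify">https://www.hhs.gov/verify</a>
or review the <a href="https://hhs.gov.example.net/notice">notice</a>.</p>
"""

SAMPLE_OK = """\
From: Vendor Support <support@examplevendor.com>
To: billing@clinic.example
Subject: Monthly statement
Content-Type: text/html; charset=utf-8

<p>Your statement is at <a href="https://portal.examplevendor.com/statement">the portal</a>.</p>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_PHISH):
        verdict, notes = triage(sample)
        print(verdict, *notes, sep="\n  ")
```

Run against the two samples, the legitimate vendor message produces no findings, while the impersonation message is flagged five times: the sender's real domain is `example.net`, the first link shows an hhs.gov address but points at a raw IP, and the second link lives on an unknown host that merely embeds `hhs.gov` in its name. This is exactly the manual comparison the list asks employees to make, which is why it belongs in a mail-gateway rule as well as in training; plain-text bodies with bare URLs would need an extra regex pass, which is left out here to keep the example short.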
Cyberattacks affect everyone in a company—or even an industry. That’s why cybersecurity is everyone’s responsibility.