Assessing Ransomware Attacks and Shoring up Security Measures Under HIPAA
This article by Alex Speaks was originally published on the Compliance & Ethics Blog. Click here to view the original version of this article.
Ransomware is a frightening and growing global threat. Last month, the largest known string of ransomware attacks hit globally, impacting dozens of countries around the world and disrupting systems critical to hospitals, telecommunications, and corporations. More than ever, now is a good time to evaluate and shore up current network security measures.
The ransomware variant known as WannaCry exploits a flaw in Microsoft software that was described in leaked NSA files and is reported to be the work of an unidentified organization known as the Shadow Brokers. The ransomware is spread through a phishing attack, which involves tricking email recipients into installing malicious software that encrypts the system causing the user to lose access to their documents. The user is then prompted to pay a ransom in order to have their system restored. As a result of these attacks, UK hospitals reported closures of entire wards and had to turn away patients, FedEx reported interference in a statement to NBC News, and telecommunications giant Telefonica was confirmed to be a victim of this attack.
Avoiding the WannaCry Attack or Other Similar Spear Phishing Attacks
First, make sure your software products are up to date with the most recent patches at all times. Here is a link to the critical patch for the WannaCry exploit. An aggressive patching schedule can be mildly disruptive if a patch adversely impacts organizational productivity but such interruptions are minor compared to an attack by a malicious entity.
Here are measures a system administrator should take to protect against attacks such as these, and as general best practices for strong security posture:
- Implement an aggressive patching schedule for all software.
- Regularly take full snapshots of your data and store them offline. If your data is ransomed you will at least be able to go back to a pre-infection copy instead of starting from scratch.
- Practice the principle of least privilege with user account access. An infected user can only damage files his or her computer can reach.
- Be very aggressive with your email monitoring. Do not accept mail from blacklisted servers, or servers not conforming to best practices.
- Regularly educate and test users to make sure they are on guard.