Imagine getting home from a long day at work and turning the key to your front door, only to find it won’t open. Puzzled, you look at the door and see a note. It says, “We changed the locks to your house. Pay us and we’ll give you the new key.” This is essentially the nightmare that happened to a California hospital this month, when they became one of the latest high-profile victims of ransomware. Hackers locked them out of their systems by encrypting their files, which could only be unlocked with the hackers’ encryption key. HIT security keeps these locks secure.
Think of it like this: someone wants to make a quick buck. They go door to door in a business complex posing as building maintenance. Of the 30 units they knock on, ten answer the door, though only one of those believes the story of the gas leak and lets them in. While inside, this imposter maintenance worker changes the locks on the filing cabinets to an industrial-strength lock that can’t easily be picked and leaves a note on the door explaining how they’ll provide the new key for a fee. Rather than try to deal with a specialty locksmith, the business pays the ransom, since it is losing business and clients’ trust by the minute. Truth be told, half of American ransomware victims pay up.
Now, of course, building maintenance does come by from time to time, but they need to be challenged when they want to do something out of the norm. While the hospital hasn’t commented on the specifics of how they were targeted and hacked, ransomware is typically delivered to a system via email, though it could just as easily be done with direct system access or infected media. We’ve all received those enticing emails that we want to click on to read more. Maybe it was how to become rich with this ‘one simple trick,’ or it was something that looks like it was sent to you by mistake.
Let’s say you get an email that says “Judy in HR wants you to sign these documents.” That looks important – I’ll read that. You click. Now that you have opened the email, it could send embedded cookie information back to the sender (or someone with nefarious intent) letting them know “J.Doe@company.com” is a real email address.
Once they know, they can begin to send more targeted emails. They know there is a J.Doe who works for company X, and it seems his email address is his first initial and his last name. Now they head over to the company’s website and look at the staff. This phishing scam has now accelerated into spear phishing, where hackers know who they are targeting and can spoof the “from” field of the email to look like it came from Bob in Sales. They send an email that doesn’t need to have any attachment at all, just a link to a site that can exploit basic security flaws. The link redirects to a site, maybe one that looks official, or even mimics the targeted company’s own website, and prompts the user for their password. As you may have gathered, this isn’t a rabbit hole you want to venture into.
Thankfully there are some easy and cost-effective measures that can be taken to mitigate the risks posed by these sorts of attacks. These five basic HIT Security best practices can easily save your company heartache, money, and clients’ information and trust.
Least Privilege – (ISC)2® puts it like this: The principle of least privilege states that a user or process is given explicitly only the necessary, minimum level of access rights (privileges) for the minimum amount of time required to complete the user’s or process’s operation. Not only is this good practice for keeping users from accessing files they shouldn’t be accessing, it can also help limit the spread of malicious files: if a user doesn’t have write access to a folder, ransomware running under their sign-on cannot encrypt the files in it.
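Ransomware can only encrypt what the signed-on user can write, so a quick way to see the value of least privilege is to audit that "blast radius" before an incident. The script below is an added example (not from the original post): it judges writability from POSIX mode bits alone, never attempts a write, and builds its own constructed sample tree, so it runs offline; the uids, gids and file names are assumptions for the demo, and it ignores the fact that root bypasses mode bits.

```python
"""Least-privilege blast-radius audit (added example, constructed sample data)."""
import os
import stat
import tempfile


def writable_by(mode, file_uid, file_gid, uid, gids):
    """POSIX rule: owner bits if the uid owns the file, else group bits if a
    group matches, else 'other' bits.  True means this identity could overwrite
    (and therefore a ransomware process under it could encrypt) the file."""
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def blast_radius(root, uid, gids):
    """Relative paths under root that the given uid/gids could overwrite."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


def build_sample_tree():
    """Constructed sample: a 'shared' folder the user may edit and an 'archive'
    folder that was deliberately made read-only (least privilege applied)."""
    root = tempfile.mkdtemp(prefix="lp_demo_")
    for sub, mode in (("shared", 0o664), ("archive", 0o444)):
        folder = os.path.join(root, sub)
        os.mkdir(folder)
        for name in ("a.xlsx", "b.docx"):
            path = os.path.join(folder, name)
            with open(path, "w") as f:
                f.write("sample payroll data\n")
            os.chmod(path, mode)
    return root


def demo():
    """Audit the sample tree as the current user: only 'shared' is exposed."""
    root = build_sample_tree()
    return blast_radius(root, os.getuid(), {os.getgid()})


if __name__ == "__main__":
    for path in demo():
        print("exposed to ransomware under this sign-on:", path)
```

On Windows file servers the same audit is done against NTFS ACLs rather than mode bits, but the question is identical: which files can this account modify?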
Social Engineering Training – Social Engineering is easily the most effective method used by hackers to obtain unauthorized access to systems. Whether it is posing as an employee or tricking the Help Desk into divulging login information, hackers can be very clever when it comes to gaining access. A breadth of information on Social Engineering techniques is covered here. It all comes down to being hypervigilant. Train your staff to understand and accept that they may be the weak point in any security system. Have your IT staff provide training or seek out training from a third party. Here are some points covered by Microsoft.
Strong Password Policy – My colleague Daniel Williams went over strong password policies here in his blog post about Management-friendly policies we’ve taken to improve information security. The specifics and measurable details of a strong password policy are debatable. What it mainly comes down to: don’t share your password, don’t use generic administrator-level accounts, and don’t reuse passwords between sites.
System Updates – This may seem like an easy one, but you may be surprised by how often companies do not enforce system updates. It is a constant struggle between Network and System Administrators on one side and Developers and Application Administrators on the other. Whether it is a Microsoft Update or an update for Java, developers will need to test their applications against the updated patches. Regardless of how frustrating it can be, updates should be performed frequently.
Backup and Data Recovery Plan – Here you have it. Depending on the severity of an infection or loss of data, if there is a thorough backup plan in place, you should be able to recover. Let’s say all of your database files are the victim of ransomware or all payroll and budget spreadsheets are encrypted with no way to read the data unless you pay the ransom. Who’s to say you will even get the encryption key? Who’s to say they won’t do it again? Having a complete backup of your data is mission critical to keeping your systems available and open for business.
While these are not in the top five, they are also worth mentioning.
Computer Training – Not at the top of the list, since it is often assumed and the workforce is becoming younger and younger, but basic computer training can save a great deal of time and money for companies, not to mention freeing up wait time at your Help Desk.
Media Drives and Disabling External Storage Devices – Malicious software doesn’t need to find its way to your systems via email; systems can be infected by software set to run from a DVD or a USB drive. Although disabling these devices could make the already arduous task of using a computer even more difficult for some users, it can also help ensure the confidentiality of your work.
HIT Security tries to protect us from a scary world out there, but we don’t have to be helpless. Just like we’d question a maintenance worker who wants to enter our house unannounced, we should question what emails or other online content we are opening with the same healthy skepticism. Proactive IT security measures are some of the most important to take to safeguard our work, our identities, and ultimately, our peace of mind.
For a deeper dive, check out a great Health IT Security webcast put on by our own Bob Downey, and visit our Events page to register for future webcasts. For more information contact us below: