Protect USA Health from ransomware attacks
Ransomware is a type of malware that threatens to publish the victim’s data or continuously block access to it unless a ransom is paid.
Imagine coming to work at USA Health and finding that our electronic medical record systems are not accessible because they are encrypted. This scenario is playing out at healthcare organizations across the nation every day because of cyber-attacks known as ransomware.
On Oct. 28, the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services released a joint statement indicating they “have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” related to two variants of ransomware known as Trickbot and Ryuk.
While this statement draws attention to a specific wave of attacks, ransomware is a continuous problem for healthcare entities. The healthcare sector is a valuable target for hackers deploying ransomware because victims are more likely to pay the ransom as quickly as possible to avoid the potential consequences, such as delays in access to their systems, exposure of patient data in a privacy breach, and financial and reputational harm.
“USA Health users are our first line of defense against ransomware attacks,” said Carrie Pace, assistant chief HIPAA compliance officer – security. “USA Health is relying on our users to be vigilant and help protect our systems from ransomware.”
Most ransomware enters through email links or attachments, or malicious links or ads on the internet, Pace said. She offered these tips to help USA Health avoid exposure to ransomware:
- Never interact with unsolicited email messages (e.g. messages you did not expect to receive) even if they appear to come from a person or organization with whom you are familiar.
- Hackers are well versed in making emails appear to be from a company or person you may know or trust by “spoofing” the email signature, “from” line, or other characteristics.
- Note that all emails from outside of the USA Health system are indicated as such with [EXT] in the subject line and “External Email Warning” at the bottom of the email.
- Emails that contain ransomware typically have defining characteristics that can help a user identify potentially malicious content, including, but not limited to:
  - Misspelled words
  - Bad grammar
  - Sender names that do not match the person identified in the content of the message
  - The message is sent from a public email domain (example: @gmail.com, @hotmail.com, @yahoo.com)
  - There is a suspicious link that does not match the context of the remainder of the email (example: The email appears to be from the University of South Alabama, but the link goes to a site: http://interweb-billing9.ru)
  - The message creates a sense of urgency
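The indicators in the list above, expressed as a triage check that a mail reviewer could run over a reported message. This is an added example, not USA Health's tooling; the trusted domain `southalabama.edu`, the urgency word list and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

PUBLIC_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}   # examples named in the article
ORG_NAMES = ("usa health", "university of south alabama")    # names the article uses
TRUSTED_SUFFIX = "southalabama.edu"                          # assumption: the organization's domain
URGENCY = re.compile(r"\b(urgent|immediately|suspended|final notice)\b", re.I)  # constructed list
URL = re.compile(r"https?://[^\s<>\"')\[\]]+", re.I)

def trusted(host):
    """True only for the trusted domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)

def triage(raw):
    """Return the list of indicators found in one plain-text message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    claims_org = any(n in f"{display} {body}".lower() for n in ORG_NAMES)
    found = []
    if "[EXT]" in subject.upper():                 # gateway tag for outside mail
        found.append("external")
    if sender_domain in PUBLIC_DOMAINS:
        found.append("public_sender_domain")
    if any(n in display.lower() for n in ORG_NAMES) and not trusted(sender_domain):
        found.append("display_name_spoof")         # claims the organization, sent from elsewhere
    if claims_org:                                 # links must match what the message claims to be
        hosts = {urlsplit(u).hostname for u in URL.findall(body)}
        found += [f"link_mismatch:{h}" for h in sorted(h for h in hosts if h and not trusted(h))]
    if URGENCY.search(f"{subject}\n{body}"):
        found.append("urgency")
    return found

# Constructed sample messages (the link is the article's own example of a mismatched site).
SUSPICIOUS = """\
From: "USA Health Billing" <billing.dept@gmail.com>
Subject: [EXT] Final notice: invoice overdue

Your University of South Alabama account will be suspended. Pay immediately at http://interweb-billing9.ru/pay
"""
BENIGN = "From: IT Help Desk <helpdesk@health.southalabama.edu>\nSubject: Scheduled maintenance\n\nDetails: https://www.southalabama.edu/maintenance\n"

if __name__ == "__main__":
    print(triage(SUSPICIOUS), triage(BENIGN))
```

The suffix comparison in `trusted` requires a dot boundary, so a lookalike host that merely ends in the same letters is not accepted.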
If a user receives a suspicious message, they should forward it, before clicking on it, to hsis.emailreview@health.southalabama.edu for review by the USA Health IT department, where a group of security professionals can review the content to determine if it is safe. If there are no security issues, the user will be notified to proceed with opening the email. If there are issues, the email will be removed and the sender will be blocked.
“There are steps all USA Health users must take immediately if they feel they have become victim of a ransomware attack,” Pace said.
First, she said, the user should immediately unplug their device or disconnect it from the wireless network. Then they should notify their manager, the USA Health IT department, and the Office of HIPAA Compliance. The device will be reviewed by the IT department, which will work with the user to get them back online or provide a replacement device.
For more information on ransomware, watch “Ransomware Explained in Less than 2 Minutes.”