A recent ransomware presentation… while the Petya attack was underway

I was recently invited to present two talks on ransomware at EMR-related seminars attended by physicians, clinical staff and service providers, held last week in British Columbia.

Interestingly, the last seminar took place just as news was emerging that morning of Petya, described as a new, massive ransomware attack spreading across Ukraine, Europe and the US. We are now learning that, because it encrypts entire hard disks but does not appear to have any working way to decrypt them, Petya may not have been ransomware at all (some analysts call this variant NotPetya to distinguish it from the 2016 Petya family). Instead, some analysts believe it was designed as a weapon to cripple systems, possibly targeting infrastructure in Ukraine. This gives little comfort to organizations around the world that have been hit with it, including shipping companies, a multinational law firm and the giant pharmaceutical firm Merck.

What was immediately apparent during the morning of the attack, however, is that it won’t be the last. The need to protect information systems in health care clinics is more important than ever.

My presentation summarizes some of the information that is described in more detail here:


Update 20170630: More information is emerging concerning the Petya attack. For further information, here is the latest update from US National Health Information Sharing and Analysis Center (NH-ISAC)

Ransomware revisited


A few months ago, we wrote an article on Ransomware: Ten ways you can help protect your clinic (reproduced below). Since then, the Doctors Technology Office (DTO), at Doctors of BC, has published a brief indicating there has been an increase in reports from doctors about attacks by ransomware.

We agree with the DTO’s statement in their accompanying technical bulletin called “Ransomware – What should I do?”: “It’s spreading like the plague. Healthcare organizations must know that they ARE a target and will be attacked”.

Furthermore, the DTO indicated, quite rightly, that antivirus software does not provide sufficient protection from ransomware. The best practices we published in that article, and the DTO’s technical bulletin, provide some helpful measures to assist in preventing some of the most common ways clinics may be hit with ransomware.

What we have been observing since our first report is that ransomware, and the tools used to deliver it, are evolving rapidly to trick users into installing it on their computers, and attacks are becoming increasingly sophisticated. For example:

  • If you are scanning your email for possible “phishing” attempts to get you to download malware, be aware that no matter how carefully you examine the embedded link, it can be almost impossible to identify a malware website from its URL alone: look-alike domains, shortened links and compromised legitimate sites all hide the real destination.
  • It used to be thought that PDF documents were safe. No longer. Ransomware variants have emerged that embed themselves inside a PDF document. PDF readers can run embedded JavaScript and open embedded files, so a PDF should be treated with the same suspicion as any other executable attachment.
  • Some emerging variants will also publish your data if you don’t pay the ransom. Will keeping your patient files on a server outside the clinic help prevent this? Perhaps, but remember that for network efficiency reasons temporary files are frequently generated on local computers every time files are downloaded and reports are printed, and all of them may contain confidential data.

Since our last “best practices” post was published, we have noticed that a number of clinicians, and even some IT technical support staff, have mistaken ideas about the threat of ransomware in medical and dental clinics. Here are some examples.

“I don’t keep my electronic medical records (EMR) data on my Windows laptop. It is stored on a Linux server, so if ransomware hits my computer, it won’t be affected”.  Simple answer, no, that’s not correct.

  • Linux systems are not immune to ransomware, and cross-platform threats are appearing more often because the same multi-platform frameworks are available on Linux: Adobe Flash and Reader, Java, JavaScript, Perl, PHP, Python, Ruby and so on.
  • More importantly, mapped network drives are always at risk, whatever operating system serves them: ransomware running on a Windows workstation encrypts every file that workstation can write to, so an EMR share exported from a Linux server is encrypted just the same. Microsoft Active Directory is now also being used by some ransomware for reconnaissance and to spread across an entire network, encrypting files on every server and computer.
  • There is nothing to prevent other malware from being installed along with the ransomware, and that malware can exploit vulnerabilities on any system, Linux included.

“If ransomware hits my computer, I have other computers that I can use until I get my laptop back”.  Don’t depend on this. Some types of ransomware can propagate across a network. And besides, if your clinic is unfortunate enough to experience it, you will be immediately affected, without warning. Do you really want to have to deal with this problem when you have a waiting room full of patients?

“If I am hit with ransomware, I’ll simply recover my data from backups.”  We agree, backups are essential to recover from an attack. But only if backups are done right.

  • Anything entered since the last backup is lost if the files are encrypted; your backup interval is the amount of work you are prepared to lose.
  • We have seen cases where perfectly good backups were overwritten by later scheduled backups that already contained dormant malware, so restoring the computer simply reinfected it. Keep several generations of backups, not a single copy that each run overwrites.
  • If the backup sits on a shared drive that a user’s network-connected computer can write to, ransomware can encrypt or delete those backups too. At least one copy must be offline, or written with credentials the workstations do not hold.

“If ransomware strikes, I’ll pay the ransom to get my files back.”  That, of course, is your decision, and an FBI official was widely reported in 2015 as saying the Bureau often advised victims of some ransomware families to simply pay, although the FBI’s published guidance does not recommend paying. But just know that:

  • There are known variants of ransomware that will encrypt your data but whose ‘unlock’ key, supplied after you pay, does not actually unlock it. In one reported case involving a hospital, the extortionist simply asked for more money.
  • Attendees at an RSA cybersecurity conference in February learned that 31% of victims have been hit multiple times, and 25% did not get their data back, even after they paid the ransom.
  • Even if you pay the ransom, this doesn’t necessarily resolve the risk of personal health information having been disclosed.  It should be treated as a potentially serious privacy breach.

The impact:  Ransomware may do more than just lock you out from using your laptop or desktop computer. Once it gets a foothold in your clinic, it can be difficult and costly to eradicate. The threat to clinic business continuity and protecting patient personal health information is considerable. Understanding the specific risks your clinic may have at this time is a vital first step towards taking proactive measures to mitigate them and ensuring you have well-tested procedures to quickly recover if needed.

The bottom line:  Please take the threat of ransomware in your clinic seriously.  Make sure you have tested, proactive measures in place to mitigate risks before ransomware hits.

If you need help, contact us.


Ransomware: Ten ways you can help protect your clinic

Part 5 of our series on Privacy and Data Security Best Practices.

A highly-respected physician here in British Columbia recently told me that many clinicians he has spoken to tend to view privacy leaks and unauthorized access as a government or health authority issue. While this may be the case, a threat has emerged that not only has the potential of instantly endangering the confidentiality of personal health information, but also the operation of your clinic, and your bottom line.

The threat is ransomware.

According to Symantec, more than 1600 incidents per day hit Canadian firms in 2015, the last time these statistics were reported. And the threat is growing.  Last summer, Solutionary, a large security services firm, reported that ransomware became the single biggest response engagement for the company during the previous quarter, and across industries, 88% of all detected ransomware engagements targeted healthcare. Some of the most well-publicized healthcare ransomware attacks last year, including an attack in Ottawa, involved hospitals. Indications are that with increasingly sophisticated exploit techniques, hackers are moving towards data-intensive businesses, including medical practices, hospitals, financial services and legal services industries.

It is not difficult to imagine why healthcare data breaches are far more dangerous to victims than other breaches. Even small 1-2 physician medical clinics can host 3,000-6,000 confidential electronic medical records.  While privacy risks are serious and could jeopardize your clinic’s compliance with PIPA (British Columbia’s Personal Information Protection Act) if breached, ransomware can, in addition, hold computer systems and medical data hostage by encrypting files and locking out access until a ransom is paid. Frequently the ‘hostage note’ will indicate data will be destroyed unless this is done within a given time. The disruption to patient care could be significant. And ransomware software is rapidly evolving. One of the latest variants, Doxware, lets hackers hold computer systems hostage like other ransomware, but takes the attack further by threatening to release personal information publicly unless the ransom is paid.

How many clinics have already been affected in western Canada? We don’t know. It is quite possible that some clinics, like many Canadian businesses, have quietly paid ransoms to get control over their systems. According to one study, Canadian companies are 75% more likely to pay ransoms compared to the US, UK and Germany, and if they didn’t pay, 82 percent lost files.  The cost to pay ransomware extortionists has ranged from $1,000 to $50,000. And it is not uncommon for the same businesses to be hit more than once, by the same hacker or by others.

How can you protect your clinic?  The following 10 recommendations are based on suggested actions by Public Safety Canada and others.

  1. Backups: Back up, and regularly test restoring from those backups, to make sure you can recover your data. Having encountered very unfortunate cases where owners thought their backups were working, we cannot say enough how important this is. Backups must be secure, encrypted, and not connected to your computers or network.  If cloud-based (and this, of course, could be questioned from a privacy perspective), avoid persistent synchronization services, because a synced folder faithfully replicates the encrypted versions of your files (version history, where offered, may let you roll back, but do not rely on it). This includes Dropbox, Google Drive and OneDrive.
  2. Good Email Hygiene: Do not open ANY email attachments from unknown senders, and treat ALL with suspicion. Inspect the URLs of any links inside the email body before clicking. Don’t click on ‘URL shortened’ links, as it is impossible to know where you are being directed.  Don’t act on any email that seems ‘out of the ordinary’, especially one apparently from a CEO, president or managing partner. Instead, confirm it through a new email you create, or by phone or in person. If you can, configure your email server to block suspicious email attachments, similar to what UBC has done, and discard emails with known malicious URLs.
  3. Application whitelisting: Implement application whitelisting (for example, AppLocker or Software Restriction Policies on Windows), an IT technique that allows only approved programs to run and blocks everything else, including ransomware a user has been tricked into launching.
  4. Security patches: Keep your computers up to date with the latest patches. Vulnerable systems and applications are the targets of most attacks. This, of course, includes servers hosting clinic data. A compromised client computer is often just the entry point from where exploits are launched to attack other systems inside a secure network.
  5. Anti-virus: Make sure antivirus is kept up to date and running on all of your systems. Scan all downloaded software before executing it.
  6. Basic Computer Security: Limit access.  Never use an admin profile as a user.  Apply the principle of ‘Least Privilege’ to all systems and services to help prevent malware from spreading.  Never download software from unknown sites. Be extremely critical of ‘free’ software.
  7. Macros: Disable macros unless absolutely required. Consider using Office Viewer software instead of MS Word when viewing documents received from clients or vendors. Malware sent from the compromised mailbox of a sender you trust, who has no idea it is being sent, is a well-known technique.
  8. Web Browsing: Use safe practices when browsing the web not only within the clinic but when you take your laptop or mobile device home. A laptop can by itself become a trojan horse if taken from an untrusted home environment or public internet location and connected back into your secured, carefully managed medical clinic.
  9. Network Security:  Install a commercial grade firewall with active web filtering. The cost will more than pay for itself if it prevents a breach.  Physically segregate critical data on different systems to limit risks.
  10. Focus on awareness and training:  Make sure your staff knows the risks involved, and what to do to prevent ransomware from hitting your clinic.  The most common contributor to successful phishing attacks is a lack of knowledge and human behavior. To protect your clinic from ransomware, an intelligent human firewall is one of the best defenses you can have.
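The backup points above (item 1, and the three bullets under “I’ll simply recover my data from backups” in the first post) come down to three properties a clinic backup needs: generations rather than one overwritten copy, an integrity check that is actually run, and a rule that stops a freshly encrypted source from rotating out the last good copy. The following Python script is an added example written for this page, not code from the original post or from any vendor. The folder layout, the list of ransom-style extensions and the entropy threshold are assumptions, and the patient files it creates are constructed test data.

```python
import hashlib
import json
import math
import os
import shutil
import tempfile
import time
from pathlib import Path

# Assumed sample list of extensions that ransomware families append to encrypted
# files; maintain it from your own threat intelligence.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".locky", ".cerber", ".zepto"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; text and typical EMR exports sit well below this
MAX_CHANGED_RATIO = 0.5   # more than half of the files changing between runs is abnormal
MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    # Whole-file read keeps the example short; stream in chunks for large exports.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0..8. Encrypted output sits very close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 and size for every regular file under root."""
    return {p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST_NAME}

def looks_encrypted(path: Path) -> bool:
    """Ransom-style extension, or content close to random. Compressed formats
    (docx, zip, jpeg) also score high, so entropy is only one signal of several."""
    if path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
        return True
    sample = path.read_bytes()[:65536]
    return len(sample) >= 256 and shannon_entropy(sample) > ENTROPY_THRESHOLD

def rotation_blockers(previous: dict, root: Path, current: dict) -> list:
    """Reasons not to retire an older snapshot; an empty list means rotation is safe."""
    reasons = [f"ransom-style extension: {rel}" for rel in current
               if Path(rel).suffix.lower() in SUSPICIOUS_EXTENSIONS]
    if previous:
        changed = [rel for rel, meta in current.items()
                   if previous.get(rel, {}).get("sha256") != meta["sha256"]]
        missing = [rel for rel in previous if rel not in current]   # renamed or deleted
        ratio = (len(changed) + len(missing)) / len(previous)
        encrypted = [rel for rel in changed if looks_encrypted(root / rel)]
        if ratio > MAX_CHANGED_RATIO and encrypted:
            reasons.append(f"{ratio:.0%} of files changed, {len(encrypted)} look encrypted")
    return reasons

def latest_manifest(backups: Path) -> dict:
    snaps = sorted(p for p in backups.iterdir() if p.name.startswith("snap-"))
    return json.loads((snaps[-1] / MANIFEST_NAME).read_text()) if snaps else {}

def snapshot(source: Path, backups: Path, keep: int = 3):
    """Copy source into a new snapshot and prune to `keep` good ones. If the source
    looks encrypted, the copy is set aside as QUARANTINE-* (evidence, never a restore
    baseline) and no good snapshot is retired. Returns (snapshot_path, blockers)."""
    backups.mkdir(parents=True, exist_ok=True)
    current = build_manifest(source)
    blockers = rotation_blockers(latest_manifest(backups), source, current)
    dest = backups / f"{'QUARANTINE-' if blockers else 'snap-'}{time.time_ns()}"
    shutil.copytree(source, dest)
    (dest / MANIFEST_NAME).write_text(json.dumps(current, indent=1))
    if not blockers:
        good = sorted(p for p in backups.iterdir() if p.name.startswith("snap-"))
        for old in good[:-keep]:
            shutil.rmtree(old)
    return dest, blockers

def verify_snapshot(snap: Path) -> list:
    """Recompute every hash against the manifest; returns mismatched or missing paths.
    Schedule this: a backup that has never been verified is not a backup."""
    manifest = json.loads((snap / MANIFEST_NAME).read_text())
    return [rel for rel, meta in manifest.items()
            if not (snap / rel).is_file() or sha256_file(snap / rel) != meta["sha256"]]

def demo() -> dict:
    """Constructed scenario: one clean run, then the source is 'encrypted' before the next."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bk = Path(tmp) / "emr", Path(tmp) / "backups"
        src.mkdir()
        for i in range(10):
            (src / f"patient_{i}.txt").write_text(f"Record {i}\n" + "Routine follow-up. " * 30)
        first, blockers_1 = snapshot(src, bk, keep=1)
        verified = verify_snapshot(first) == []
        for p in list(src.glob("*.txt")):          # simulate ransomware hitting the source
            p.with_name(p.name + ".locked").write_bytes(os.urandom(2048))
            p.unlink()
        second, blockers_2 = snapshot(src, bk, keep=1)
        return {"first_verified": verified, "first_blockers": blockers_1,
                "second_blockers": blockers_2, "first_survives": first.exists(),
                "second_quarantined": second.name.startswith("QUARANTINE-")}
```

With keep=1 a clean second run would retire the first snapshot; in the demo the second run sees ransom-style extensions and a wholesale change of content, so it lands in quarantine and the good snapshot survives. The script only protects against bad rotation: the backups folder itself must still sit on a destination the clinic workstations cannot write to, as item 1 says, or ransomware on a workstation simply deletes it.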
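Items 2 and 7 above, together with the first two bullets of the “Ransomware revisited” section (links that cannot be judged from their URL, and PDFs as a carrier), describe checks that a mail gateway or a triage script can make mechanically. The following Python is an added example for this page, not the UBC configuration the text mentions or any product’s code. It parses a message, flags links whose visible text disagrees with their real href, shortened links and bare-IP links, and flags attachments that are executable types, double extensions, macro-bearing Office documents (an OOXML zip containing vbaProject.bin) or PDFs carrying active-content markers. The extension and shortener lists are assumptions, and the sample message it builds is constructed.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists; tune them to what your clinic legitimately receives.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".jar",
                      ".bat", ".cmd", ".ps1", ".lnk"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}
MACRO_MARKERS = ("vbaProject.bin", "vbaData.xml")   # present inside macro-enabled OOXML zips
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_findings(html: str) -> list:
    """Flag links whose real destination is hidden or differs from what the reader sees."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortened link hides its destination: {href}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link to a bare IP address: {href}")
        shown = re.sub(r"^https?://", "", text).split("/")[0].lower()
        if "." in shown and " " not in shown and shown != host:   # text looks like a domain
            findings.append(f"link text '{text}' actually points to {host}")
    return findings

def attachment_findings(name: str, data: bytes) -> list:
    """Flag executable types, double extensions, Office macros and active PDF content."""
    findings, parts = [], name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"{name}: executable attachment type {ext}")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"{name}: double extension disguising {ext} as a document")
    if data[:2] == b"PK":                      # OOXML (docx/docm/xlsm/pptm) is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.endswith(MACRO_MARKERS) for n in z.namelist()):
                    findings.append(f"{name}: Office document carries VBA macros")
        except zipfile.BadZipFile:
            findings.append(f"{name}: looks like a zip/Office file but is malformed")
    if data[:5] == b"%PDF-":
        # A byte search misses markers inside compressed object streams; a real gateway
        # should parse the PDF. It still catches the common unobfuscated cases.
        hits = [m.decode() for m in PDF_ACTIVE_MARKERS if m in data]
        if hits:
            findings.append(f"{name}: PDF contains active content {hits}")
    return findings

def screen_message(raw: bytes) -> list:
    """Run both checks over every part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_attachment():
            findings += attachment_findings(part.get_filename() or "unnamed",
                                            part.get_payload(decode=True) or b"")
        elif part.get_content_type() == "text/html":
            findings += link_findings(part.get_content())
    return findings

def build_sample() -> bytes:
    """Constructed phishing-style message for the demo; none of it is a real sample."""
    msg = EmailMessage()
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative('<p>Review <a href="http://203.0.113.5/portal">https://portal.example.com/invoices</a>'
                        ' or <a href="http://bit.ly/example">this link</a>.</p>', subtype="html")
    buf = io.BytesIO()                          # minimal macro-enabled Word container
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="invoice.docm")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF",
                       maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="scan.pdf.exe")
    return msg.as_bytes()
```

Running screen_message(build_sample()) reports the mismatched link, the shortened link, the bare-IP link, the macro-enabled document, the PDF with an OpenAction/JavaScript entry, and the double-extension executable. In practice the simpler policy for a clinic is to block these attachment classes outright at the gateway rather than to score them; the script shows what such a rule needs to look at.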

The Doctors Technology Office (DTO) at Doctors of BC has an excellent technical bulletin that may be of help. Further advice can be found in advisories by Public Safety Canada (2013 and 2016), advisories issued last September by the US-CERT, the FBI, and No More Ransom, a site built through the work of several European police agencies, Kaspersky and Intel.

If you need help, contact us. Prevention is much less costly.

In the next post in our series of privacy and data security best practices, we will discuss what you can do to reduce risks to your clinic in case of a security breach.