On May 12, 2017, WannaCry ransomware infections reportedly took hold of 200,000 computer systems in 150 countries. The rise of ransomware has been a function of how cheap financial data has become to obtain on the dark web and the desire of criminals to branch out with other sources of income.
Ransomware is quite effective because it purposefully seeks to panic victims into clicking additional links, thereby infecting the user’s system with more pernicious malware. For example, after seeing a screen blink on and off several times, ransomware victims may next see the following message on their screen: “Your computer has been infected with a virus. Click here to resolve the issue.” Clicking on that link, however, will download additional malware to the system, precluding possible quick fixes to the initial exploit. It is such additional malware, coupled with very vulnerable legacy systems and procedures, that likely helped WannaCry propagate so quickly.
Given slow patching and the continued widespread use of legacy Windows products, Microsoft sought to slow the spread of WannaCry by offering free patches for its older Windows systems such as Windows XP. Although helpful in curtailing replication, timely patching will not completely stem this threat. Newer exploits such as WannaCry likely exist, and will continue to exist for some time, given that the underlying code was reportedly created by the National Security Agency and is only a small sample of the “treasure trove” of spying tools released by WikiLeaks in March. In fact, the WikiLeaks-released material includes the source code used to evade anti-virus detection, so entry-level hackers apparently now have the ability to immediately up their game.
Given that healthcare data is now considered the most valuable data by thieves, it is no surprise that the healthcare industry was hit especially hard by the WannaCry ransomware exploit. Succumbing to WannaCry, Britain’s hospital network canceled or delayed treatments for thousands of patients. In an effort to stem the tide in the US, HHS quickly offered covered entities access to loss prevention resources, including a link to its ransomware fact sheet and a link to the US-CERT response to WannaCry. Last year, US-CERT offered helpful tips on ransomware loss mitigation techniques.
Covered entities should take HHS’s ransomware warnings to heart. Given that OCR recently fined a covered entity $2.4 million simply for placing the name of a patient on a press release, ignoring HHS warnings regarding ransomware will likely result in significant penalties for HIPAA covered entities should they fall prey to such an exploit.
In addition to security procedures and implementations, such as whitelisting acceptable programs, aggressive email settings, and limiting user permissions, proper training remains the best antidote both to an exploit and to an OCR or other regulatory fine if an exploit ultimately succeeds. And the best training remains having users react to a continuous barrage of decoy exploits aimed at sharpening their skills.
Today’s phishing exploits used to transmit ransomware often rely on some other person’s scraped contact information so that they appear to come from known associates of the user. These exploits may also use content that appears relevant to the user, such as a bar association communication. Finally, the links themselves are masked so that it is not even possible to accurately determine where a link takes the user. Given these indicia of authenticity, users often click on the embedded link rather than hit the delete button. After exposure to numerous training exploits, users are in a much better position to make sound decisions on how to treat actual exploits. During the course of security training, it is suggested that some form of reward be given to those users who score the highest on the phishing training exercises; any money spent today to build an effective training program will pay significant dividends down the road.
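To illustrate the masked-link trick described above, here is an added example (not from the original post) in Python that scans an HTML email for anchors whose visible text names one host while the href actually points to another; a mail filter or a phishing-training tool could use the same check to flag such messages. The sample message, domain names and IP address are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one honest link, then two "masked" links whose
# visible text names one destination while the href points somewhere else.
SAMPLE_EMAIL_HTML = """
<p>Dear member, your bar association dues are overdue.</p>
<p>Pay at <a href="https://portal.example-bar.org/dues">https://portal.example-bar.org/dues</a></p>
<p>Or see <a href="http://198.51.100.7/login">https://www.example-bar.org/login</a></p>
<p>Questions? <a href="https://example-bar.org.evil.test/help">example-bar.org</a></p>
"""

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lowercase host of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def _same_site(shown, actual):
    # Match when the href is the shown host or a subdomain of it; a look-alike
    # such as "example.org.evil.test" for "example.org" does not match.
    return actual == shown or actual.endswith("." + shown)

def find_masked_links(html):
    """Return (shown_text, real_href) for anchors whose visible host differs from the href's host."""
    collector = _AnchorCollector()
    collector.feed(html)
    masked = []
    for href, text in collector.anchors:
        if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
            continue  # visible text is not a URL or domain; nothing to compare
        if not _same_site(_host(text), _host(href)):
            masked.append((text, href))
    return masked
```

Running `find_masked_links(SAMPLE_EMAIL_HTML)` flags the two deceptive anchors and leaves the honest one alone; anchors whose visible text is ordinary words (e.g. "click here") are not judged by this check and need other controls.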