Tech Talk: A Framework for Combating Ransomware

Mike Robey, MS, AAO-HNS/F Senior Director, Information Technology

For most practices, cybersecurity is not your highest priority. However, a single incident could be catastrophic. Hackers are starting to target small businesses since these organizations are perceived as softer targets, particularly for ransomware attacks. Ransomware encrypts your data until you pay the ransom for the encryption key. To combat the threat practical guidance is needed for managing your cybersecurity risks. At a high level, information security encompasses people, processes, and technologies and concentrates on how to protect the confidentiality, integrity, and availability of information.

Possible impacts of an incident are:

• Loss of patient and other business data
• Adverse effect on reputation
• Decreased productivity
• Loss of income
• Recovery expenses

Based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, this article provides practical guidance for managing the risk ransomware poses to your practice. NIST’s framework helps organize actions into a standard methodology.

The NIST cybersecurity framework consists of five areas: Identify, Protect, Detect, Respond, and Recover. At right is the outline of the NIST framework, along with subordinate actionable steps in each of the five areas.

Identify: Increases your practice’s understanding of your resources and risks 

• Identify and control who has access to your business and patient information
• Require individual user accounts for each staff
• Create policies and procedures for information security (e.g., password policy, internet usage, etc.)
• Inventory all applications and identify the data these applications use and create
• Identify where these applications are hosted and who provides support

Protect: Supports the ability to limit or contain cybersecurity event impacts

• Limit data and information access to a need-to-know basis
• Install surge protectors and uninterruptible power supplies
• Patch operating systems and application software on a regular basis
• Use software and hardware firewalls on all equipment connected to your network
• Secure your wireless access point and networks
• Set up web and email filters
• Encrypt sensitive business information
• Dispose of old computers and media safely (Include printers, too, as they contain hard drives)
• Implement cybersecurity awareness training for all staff

Detect: Enables timely discovery of cybersecurity events

• Install and update antivirus, spyware, and other malware programs on all devices
• Maintain and monitor firewall logs
• Conduct regular health checks on all computers and devices on your network

Respond: Supports the ability to contain or reduce the impact of a cybersecurity event

• Develop a plan for disasters and cybersecurity incidents. The plan should cover roles and responsibilities, what to do when an incident is detected, and who to call in case of an incident
• Develop a communications plan
• Ensure the soundness of the plan with tabletop exercises

Recover: Helps to resume normal operations after a cybersecurity event

• Ensure full backups are done on all systems and data
• Make incremental backups of databases
• Ensure backups are stored off premise or in a different hosting environment
• Ensure you have an adequate number of days backed up (two weeks)
• Regularly test the ability to restore from backups
• Consider cybersecurity insurance
• Review IT processes/procedures/technologies regularly to foster improvements

Developing a robust cybersecurity protection plan to combat ransomware may seem like a daunting task. The NIST framework provides an excellent place to start. Balancing security with the needs and risks of your practice is not easy. Below is an exercise to help discover your risks.

• Identify what information your practice stores and uses
• Locate where is this information hosted (on-site server, Software-as-a-Service provider)
• Estimate impact on your practice if this information was compromised
• Determine if backups of this information are adequate to protect against loss or corruption
• Identify the last time restoration was tested. Backups are great. The ability to restore data is essential

Conclusion

In closing, ransomware attacks are insidious. From a technology perspective, the best defense is to ensure you have adequate backups and that your data can be restored. Addressing the human element may be even more important. Cybersecurity awareness training for all staff needs to be mandatory. Perhaps the most critical piece of advice is to get people to slow down and comprehend their email before responding. Today’s work environment is stressful. When it comes to phishing emails designed to trick you into clicking the wrong thing, the axiom “speed wins” does not apply. If we took the time to carefully read our emails, we would more easily identify the ones that are fake. “Slow down and read your email” should be the new mantra for cybersecurity.

References

1. National Institute of Standards and Technology. Cybersecurity framework profile for ransomware risk management (preliminary draft). June 2021. https://csrc.nist.gov/publications/detail/nistir/8374/draft 

2. National Institute of Standards and Technology. Framework for improving critical infrastructure cybersecurity. April 2018. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf 

3. National Institute of Standards and Technology. Small business information security: the fundamentals. November 2016. https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf