On May 12, 2017, a worldwide ransomware attack hit businesses and government entities in some 150 countries, including Britain's National Health Service (NHS), FedEx, Spain's Telefónica, and the Russian Interior Ministry. The malware, dubbed "WannaCry," exploited a vulnerability in the SMBv1 file-sharing service of Microsoft Windows, the flaw Microsoft had patched in March 2017 as security bulletin MS17-010. Early reports attributed many infections to users opening a seemingly harmless email, but what set WannaCry apart from earlier ransomware was that it behaved as a worm: once inside a network it scanned for other unpatched Windows machines and infected them without any user interaction.
The main victims were Windows users who had not installed the March patch, and organizations still running Windows XP, which was no longer receiving security updates at all (Microsoft issued an emergency XP patch only after the outbreak began). The attack was slowed after a researcher identified a "kill switch": the malware checked an unregistered web domain before encrypting files, and registering that domain stopped new infections from proceeding. The kill switch could not help machines that were already encrypted, but it bought time to patch systems that had not yet been hit. Most security experts do not consider the threat over, however; at least one variant that ignores the kill switch has been circulating, and any unpatched machine with SMBv1 exposed remains vulnerable to the same exploit.
So far, Britain's NHS has been the most heavily affected health care organization worldwide. Because of the attack, many British hospitals were forced to cancel critical surgeries and divert patients elsewhere when they could not access patients' medical records. Although the attack has not been reported to be as widespread in U.S. health care, the U.S. Department of Health and Human Services (HHS) issued an alert urging health care organizations to review their cybersecurity practices.
Taking that advice, there are several lessons to learn from the WannaCry attack. We suggest the following best practices to reduce your exposure to ransomware, whether it arrives by email or spreads across your network:
- Ensure that your operating system and antivirus software are up to date. Check regularly for patches and updates to your operating system and install them as they become available; WannaCry spread almost entirely through machines that were missing a patch published two months earlier. The same goes for your antivirus software and its signature updates.
- Regularly backup your data and test to see if the backups can be restored. Restorable backups can mean the difference between significant business disruption and simply restoring the data.
- Only open email messages from people you know and messages you are expecting to receive. Keep in mind that a sender's display name is easily forged, so a familiar name alone is not proof the message is genuine.
- Never click on links or open attachments in emails you were not expecting. If in doubt, confirm with the sender by phone or another channel before opening anything.
- Conduct regular security awareness training to remind your staff of the importance of good email hygiene. Phishing attacks with software downloads or links and attachments to malware are often the first sign that a ransomware event is looming.
- Before your practice has been attacked by ransomware, review and update your security incident response plan as well as your disaster recovery plans.
- Never pay the ransom. Payment does not guarantee that your data will be recovered, and payment by one provider emboldens attackers and fuels further attacks, placing other health care providers at risk.
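The first item on the list, checking that the March 2017 fix is in place, is something an administrator can verify directly. The PowerShell below is an added example written for this article, not code from the original newsletter or from Microsoft. It reports whether the SMBv1 server service WannaCry exploited is still enabled and whether one of the MS17-010 update packages is installed. The KB numbers are the ones published in the MS17-010 bulletin as I know them; treat the list as an assumption and confirm it against the current Microsoft advisory before relying on it.

```powershell
# Added example (not from the original article): check a Windows host for the
# SMBv1 exposure that WannaCry used (MS17-010). Run from an elevated prompt.

# MS17-010 update packages by Windows release. Assumption: verify this list
# against the Microsoft bulletin. Windows 10 ships the fix inside cumulative
# updates, so a KB-number match is not meaningful there; later monthly
# rollups on other releases also supersede these packages.
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP, Vista, Server 2003, Server 2008, Windows 8.0
    'KB4012212', 'KB4012215',  # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'   # Server 2012
)

function Get-Smb1ServerState {
    # Preferred path: SMB cmdlets, available on Windows 8 / Server 2012 and later.
    try {
        return [bool](Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        # Older releases: the LanmanServer 'SMB1' registry value.
        # If the value is absent, SMB1 is enabled (the default).
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        if ($null -eq $val) { return $true }
        return ($val -ne 0)
    }
}

function Test-Ms17010Exposure {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    $smb1      = Get-Smb1ServerState

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = [Environment]::OSVersion.Version.ToString()
        Smb1ServerEnabled = $smb1
        Ms17010KbFound    = ($matched -join ',')
        # Disabling SMBv1 is the decisive mitigation. A missing KB on a host
        # that carries later cumulative updates is not proof it is unpatched,
        # so the verdict only flags hosts where SMB1 is on AND no KB matched.
        LikelyExposed     = ($smb1 -and (-not $matched))
    }
}

Test-Ms17010Exposure | Format-List

# Remediation, if SMB1 is still enabled:
#   Windows 8 / Server 2012 and later:
#     Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Windows 7 / Server 2008 R2 (then reboot):
#     Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters `
#         -Name SMB1 -Type DWORD -Value 0 -Force
```

The check looks at two things on purpose: the patch list is only a hint, because update supersedence and cumulative updates on Windows 10 mean the specific KB may never appear in Get-HotFix, whereas an enabled SMBv1 server on a machine that also lacks the patch is a clear finding. Disabling SMBv1 protects the host even if the patch status cannot be confirmed.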
If you were attacked, or know someone who was attacked, it is important to be aware of the HHS guidance on ransomware. HHS advises that when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred, because the ePHI encrypted by the ransomware was acquired (unauthorized individuals have taken possession or control of the information). Unless the organization can demonstrate a low probability that the ePHI has been compromised, based on the factors set forth in the Breach Notification Rule, a breach is presumed to have occurred and notification is required.
Keep in mind that policies and procedures implemented prior to a ransomware infiltration will dramatically affect the outcome of a ransomware attack. As they say, an ounce of prevention is worth a pound of cure.
For questions, please contact:
Megan Hopfer | Attorney
2105 Coronado St | Idaho Falls, ID 83404
(208) 523-5171 | firstname.lastname@example.org
This article is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Beard St. Clair Gaffney PA or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Beard St. Clair Gaffney PA. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.