One of the best (or is it worst?) kept secrets in channel media finally made it to mainstream news last month: the growing number of ransomware incidents. While it's been a hot topic on the security front for some time, it's still only garnering little attention among the general public. The attack on Hollywood Presbyterian Medical Center is just the latest to make headlines, a story which is drawing attention to the real threat these incidents present, one which will hopefully get more people to start doing something about it (end users included).
While extensive details most likely won’t be shared with the public, several publications reported a trojan spread quickly through the hospital’s systems, encrypting critical information including the facility’s electronic health records. Without access to those files, operations were significantly impacted, limiting employees to the use of paper documents, phones and fax messages.
This situation threatened more than email and data, as it would in most organizations; It potentially risked the lives of patients. Think about that for a minute. Next time your customers suggest a virus won’t impact their business, ask them to consider the protection hospitals put in place. In all likelihood, Hollywood Presbyterian's security applications were solid. Chances are good that an employee simply clicked on a link or opened an attachment containing CryptoLocker or some other form of ransomware ̶ unwittingly unleashing a worst-case scenario for their IT team and administrators.
Sure, their protection measures should have identified and neutralized the threat, but no system is perfect. This was, most likely, a people failure. Did their staff ever receive training in IT security best practices? Were they given reminders concerning internet threats and what suspect messages and attachments might look like? If not, the hospital might be subject to fines and additional scrutinization from state and federal healthcare regulators.
Recovery and Assessment
So how did the Hollywood Presbyterian Hospital IT team rectify the problem? Media reports suggest they did what FBI officials have been suggesting (off the record, of course) ̶ they paid the approximately $17,000 bitcoin ransom. After receiving the encryption key, the hospital staff and the technical experts they brought in were able to restore their files and ensure their systems were secure. Of course, when you consider all the downtime and expertise required to bring those back online, this single attack surely cost the hospital significantly more (think hundreds of thousands…or higher).
The hospital directors will face further scrutiny as well. A number of media sources, including Computerworld, have speculated that the facility must not have had an adequate backup and disaster recovery plan in place. If so, they failed to fulfill their responsibilities. One critical requirement of the HIPAA Security Rule is to have a disaster recovery plan in place to ensure the confidentiality, integrity and availability of protected electronic health information.
Another stipulation of that regulation: the healthcare facility has to prove their DR plan works. The rule states “On a basic level, testing backup and recovery of data must occur periodically and when new systems and applications come online.” While details of the frequency are often debated, those in charge of healthcare technology systems know this step is crucial to compliance. Many inquiring minds want to know if Hollywood Presbyterian met that standard, or if, in this case, the systems simply failed. Is someone on the hot seat for this? We may never know…
The Channel’s Role
When it comes to ransomware, a comprehensive and proactive security program is the best approach. IT professionals know that with increasing complex and intuitive malware, nothing remains 100 percent bulletproof. Today’s cyber criminals are quite ingenious, dedicating to thinking up new ways to fool unwitting computer users. That’s why MSPs have to do more to ensure their clients and employees understand the threats they face and the methods they must follow to keep episodes like this from happening.
What does that mean? For starters, you should be implementing layered IT security programs, including antivirus, antispyware and firewalls, as well as further protection measures. A proactive, managed system allows MSPs and their clients to better address the most common network threats. That’s a great foundation. In addition, there are three less conventional but high-value offerings that every channel company should consider offering their clients:
- Comprehensive security assessment
- Disaster recovery and backup plan development
- End user training
If you want to ensure your customers are truly protected from ransomware and similar attacks, make sure they have these three areas covered. Everyone who has access to their company’s email and business systems has to know and follow standard best practices for preventing malware infections and data breaches.
On the end user security training side, CompTIA offers a program channel partners can rebrand and deliver themselves. CompTIA CyberSecure™ includes best practices every business should be following, and the association’s premier members even get 50 seats free to use as they please. This new offering leverages video, animation and interactive scenarios to help employees understand how their behaviors could compromise the company’s network and data protection. CyberSecure includes real-life scenarios and highlights the actions each individual should take to assure their connections and communications are safe (and secure).
It’s a great tool for MSPs who want to expand their security capabilities (and make some money doing it). Those who leverage training programs like CyberSecure and hone their planning and technical skills will be better prepared to battle the likes of CryptoLocker, BitCrypt and other malware̶, as well future security threats. Is your team ready, willing and most importantly, able to neutralize these threats?
Brian Sherman is Chief Content Officer at GetChanneled, a channel business development and marketing firm. He served previously as chief editor at Business Solutions magazine and senior director of industry alliances with Autotask. Contact Brian at Bsherman@getchanneled.com.