With the rampant spread of ransomware variants like Cryptolocker and Cryptowall, we recommend users practice safe Internet habits. Unfortunately, there is no magic solution to the problem of ransomware or malware. Many security companies would like you to believe they offer a single product that is the answer to your problem. However, real-world infections prove otherwise. Even Fortune 500 companies with multi-million dollar security budgets still get infected (e.g. the recent COSCO ransomware attack).
Recovering from a ransomware infection is typically very expensive. The ransom amount is typically indexed to the value of some untraceable cryptocurrency like Bitcoin, which at one point was valued at twenty-thousand US dollars per coin. There is also no guarantee that if you pay the ransom, the attackers will actually give you the unlock key. There have been many instances where the ransom was paid and the attackers either extorted the business for more money or gave no key at all. The only real solution is to restore from backups. Most people have never tested their backups to see if they actually work, which is especially alarming given that 60% of businesses that suffer this type of data loss shut their doors within 6 months.
Even those who subscribe to IT and Managed Service contracts may find recovery costly. Many of those companies classify infections resulting from these events as (gross) negligence on the part of the business and do not cover them because of the cost involved. Those that do cover ransomware infections often charge extra for a Disaster Recovery service. In the event of an infection, often ALL machines and servers will need to be erased and restored from backups or to factory-new status. This results in major downtime for the business as well as major labor costs for the IT provider. We here at LT Medical understand mistakes happen and offer a 1-Strike policy for our Standard Help Desk subscribers: in most cases we will absorb the costs of a ransomware recovery for a single instance. A second ransomware infection is unfortunately not covered.
Despite the aggressive nature of ransomware, there are a few strategies you can employ to greatly limit your exposure. Isolation has often proven to be the most effective way to protect your data: keep your production environment as isolated as possible. Most of our customers use an RDS server in their office, and with that setup isolation is much easier to achieve. Users can simply do their risky browsing (email, searches) on their desktops instead of on the RDS server. Ideally we would completely disable Internet access on the production network; however, this can create many procedural challenges for inexperienced users. As such, we have devised a few strategies that can mitigate the spread of a ransomware infection.
Most ransomware is transmitted through email links and attachments, which is why we strongly advise all users not to open email on production systems. It's typically better to have a single practice email account with malware scanning on all incoming messages (e.g. Office 365 with Advanced Threat Protection). It's very easy for an attacker to spoof an email address or transpose a few letters to make you think it's from a sender you recognize (e.g. Bank0fAmerica.com, with a zero in place of the letter o). This is why email is typically used as the medium for spreading the malware.
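The lookalike-sender problem described above can be checked mechanically before a message ever reaches a user. The following script is an added example and is not LT Medical's code or part of any product named on this page: it extracts the domain from a From: header, folds common digit-for-letter swaps (0 for o, 1 for l, 5 for s, 3 for e), and then measures an edit distance that counts adjacent transpositions, so both "Bank0fAmerica.com" and a two-letter swap such as "bankofameirca.com" are flagged. The trusted-domain list and the sample headers are constructed for illustration.

```python
"""Flag sender domains that imitate a trusted domain.

Added example (not LT Medical code). TRUSTED_DOMAINS and the sample headers
are constructed for illustration only.
"""
import re

# Constructed allowlist of domains the practice legitimately receives mail from.
TRUSTED_DOMAINS = {"bankofamerica.com", "example-hospital.org"}

# Common digit-for-letter substitutions used to make a domain look familiar.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of a From: header ('' if none)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else ""


def damerau_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: substitution, insertion, deletion
    and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Return ('trusted', domain), ('lookalike', imitated_domain) or ('unknown', None)."""
    domain = sender_domain(from_header)
    for t in trusted:
        # Exact match or a genuine subdomain of a trusted domain is trusted.
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    folded = domain.translate(HOMOGLYPHS)
    for t in trusted:
        if folded == t or damerau_distance(folded, t) <= 1:
            return ("lookalike", t)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers, as they might appear in a mail log.
    samples = [
        "Alerts <alerts@bankofamerica.com>",
        "Alerts <alerts@Bank0fAmerica.com>",
        "Billing <billing@bankofameirca.com>",
        "Newsletter <news@example-news.test>",
    ]
    for header in samples:
        print(f"{header:45} -> {classify_sender(header)}")
```

In practice the distance-1 rule should only be applied to trusted domains of reasonable length; very short names (six or seven characters) have many legitimate one-edit neighbours, so a length threshold or a per-domain exception list keeps the false-positive rate down. A hit of "lookalike" is a signal to quarantine or hold the message for review, not proof of malice.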
Furthermore, we tend to find that data exchange between email and production data is often unnecessary. Users can still copy and paste information from email into their production server if needed. This is largely predicated on the idea that email shouldn't contain protected health information (HIPAA). In general it's not a good idea to open email (especially email attachments) in your production environment. For users with RDS servers, it's best to minimize your session and read email on the client machine if needed.
Access only necessary work websites (hospital portals, insurance portals, etc.) when connected to the server. While there is a risk in accessing any website, there is a much lower risk that a major hospital portal or insurance portal will be spreading malware. However, many users misinterpret this suggestion to mean that any work-related internet use (e.g. searching for billing codes or provider information) is safe. That would be very misguided. Even work-related internet usage may prove detrimental. Some examples:
If you are using a search engine (e.g. Google/Bing/Yahoo) to get your destination, that's a pretty good indication that you're browsing and not accessing a site directly. Searching for billing/diagnosis codes is a prime example of something that is work-related but very risky. Many malware writers intentionally target these types of searches and/or websites. These searches are best conducted on your desktop instead of the production server.
Practicing restraint may prove difficult for some offices, and in such cases advanced web filters are advised to ensure users aren't engaging in risky behavior. This typically means maintaining a list of safe websites that users can access or subscribing to a website filtering service.
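The allowlist approach just described, together with the point above that reaching a site through a search engine indicates browsing rather than direct access, can be expressed as a small decision function. The script below is an added example, not LT Medical's code or that of any filtering product: it parses the requested URL, takes only the host part (so a trusted name smuggled into the path or the user-info portion of the URL does not count), and allows the request only when the host is one of the allowed sites or a genuine subdomain of one. The allowed-site list and the search-engine list are constructed for illustration.

```python
"""Allowlist decision for a production-server web filter.

Added example (not LT Medical code). ALLOWED_SITES and SEARCH_ENGINES are
constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed list of portals the practice must reach from the production server.
ALLOWED_SITES = {"portal.example-hospital.org", "claims.example-insurer.com"}

# Constructed list: a request to a search engine means the user is browsing,
# which the page advises doing on the desktop rather than the server.
SEARCH_ENGINES = {"google.com", "bing.com", "yahoo.com"}


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL, or '' if it has none.

    urlsplit() separates user-info, host, port and path, so a URL such as
    'https://portal.example-hospital.org@evil.test/' yields 'evil.test'.
    """
    if "://" not in url:
        url = "http://" + url  # bare host names typed into the address bar
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def matches(host: str, site: str) -> bool:
    """True if host is exactly `site` or a subdomain of it.

    A plain substring test would wrongly accept
    'portal.example-hospital.org.evil.test'; suffix matching on a dot
    boundary does not.
    """
    return host == site or host.endswith("." + site)


def filter_decision(url: str, allowed=ALLOWED_SITES):
    """Return ('allow', host) or ('block', reason) for a requested URL."""
    host = host_of(url)
    if not host:
        return ("block", "no host")
    if any(matches(host, s) for s in SEARCH_ENGINES):
        return ("block", "search engine")
    if any(matches(host, s) for s in allowed):
        return ("allow", host)
    return ("block", "not on allowlist")


if __name__ == "__main__":
    # Constructed sample requests as a proxy log might record them.
    for url in [
        "https://portal.example-hospital.org/login",
        "https://www.google.com/search?q=billing+codes",
        "https://portal.example-hospital.org.evil.test/login",
        "https://portal.example-hospital.org@evil.test/",
    ]:
        print(f"{url:55} -> {filter_decision(url)}")
```

A filter like this is only as good as its list: each new portal a staff member needs must be added deliberately, which is the procedural cost the page mentions, and the reason many practices prefer a subscription filtering service that maintains the categories for them.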
Many practices without dedicated production environments may find these suggestions difficult to follow. Our recommendation to those practices is to do your best to mitigate the threat: use updated malware protection and ensure you have multiple backups. As malware gets more sophisticated with time, we believe most businesses will go back to keeping their critical business data isolated from outside threats.
If you're interested in isolating your production data, we have many server options available for your practice.