You’ve. Been. Hacked.

Three words that no business owner wants to read while opening their daily email, yet it happens more and more every year.

“Some surveys have shown that ransomware losses for businesses can average $2,500 for each incident, with businesses willing to shell out upwards of close to a million dollars to decrypt their data in some instances.

The threat is only growing, as some reports find. The Beazley Group, for example, found that small-to-midsized businesses were at the largest risk. The highest ransom the company paid out for its clients in 2018 was over $930,000.”

It is Only a Matter of Time

The reality many companies face is that it’s not “if” your systems will be compromised, but “when”.  Our team sees this reality play out over and over again. Cybercriminals will go to great lengths to access your data, and while many of these breaches aren’t large enough to make the headlines they still affect families, businesses, and bank accounts on a weekly basis across North America.

Online’s Principal Consultant and Healthcare Practice Lead, Adam Kehler was on vacation when he was alerted of a ransomware incident, and he shares his story with us here today:

hacker

This is a Real Life, Worst-Case Scenario

Last week I was just finishing up a week of vacation with my family, getting ready to leave for the airport, when I got a phone call. It was a contact I had met at a conference a few months ago. He told me he had a client that had been infected with ransomware and didn't know what to do. Their terminal servers were down, their EMR server may or may not have been infected, and because the IT team was new to the organization, they did not know if they had usable backups.

This is a worst-case scenario and a place that no organization wants to wake up to on a given morning. Incidentally, the workshop at which we met this contact was one that Rob Harvey and I led where we walked through exactly this scenario: "You are notified that your systems are affected by Ransomware. What do you do?" 

Unfortunately, this particular health center was not one of those that attended this workshop.

What Should you do?

The greatest take-away from the day was: Incident Response is not just a technical issue. In fact, it is largely administrative. Decisions related to communications, documentation, downtime procedures or when to close the doors, when to pre-emptively take down critical systems such as EMR are generally operational and business decisions. While the IT manager may provide input and be part of the decision-making process, the decisions ultimately relate to keeping the business running and mitigating operational risk.

There are things your organization can do to avoid being in this situation – and some of them are most certainly technical in nature:

Make SURE you have good backups and test recovery to ensure you can restore properly.

  • Patch systems quickly
  • Implement multi-factor authentication
  • Segment your network to reduce the spread

These are protection basics that every organization should have in place. As attacks get more sophisticated, sometimes these basics aren’t enough and ransomware and other malicious attacks still get through. If and when that happens you want to do know exactly what to do so that you don’t have to come up with a plan at the last minute.

Avoiding the "they didn't know what to do" portion of the phone call I received is not about having done the right technical things but making sure you are ready as an organization with an Incident Response Plan. In this plan we recommend that you include:

    • Who needs to be part of the Incident Response team Develop communications plans for both internal communication and external communication?
    • List the contact information of key stakeholders and relevant vendors
    • List additional contact information for help. This may include a Lawyer, Security Consultant, US-CERT, or local FBI office
    • Plan for documentation of the incident and collection/maintenance of evidence
    • Clearly document Breach Notification Requirements

Once you have your plan you must TEST it. An organization will not know the effectiveness of their plan until they test it. This is generally executed in the form of tabletop exercises.

As it turned out, this organization was able to locate and restore from backups, their EMR server was not affected, and they were able to recover without too much impact to patient care. They were lucky. Many organizations are not as lucky. Online recommends that all organizations regardless of size take proactive steps to ensure they are prepared for when, not if, they experience Ransomware or another type of attack.

------------------------------

If you’re a small-to-medium sized business and you are wondering what the status of your current security system’s capabilities are, I invite you to reach out.

If security is not something your organization is confident about, then it could be a matter of time before the wrong people take notice of that – today is the right time to get ready.