The threat of ransomware attacks on health care facilities is greater than ever as cybercriminals see the opportunity to make money by encrypting health data in EHRs and demanding payment to unlock it.

CIOs and CISOs, meanwhile, understand that security tools are only one piece of the puzzle when it comes to safeguarding patient data. Another critical aspect not to overlook, of course, is user training.

“While preventing all ransomware attacks is not possible, there are a number of steps healthcare organizations can take to reduce their risk as well as mitigate potential harm,” according to Dean Sittig and Hardeep Singh, MD.

[Also: Buyers Guide to intrusion detection and prevention tools]

Sittig is a professor at the University of Texas School of Biomedical Informatics and Singh is the Chief of Veterans Affairs Health Policy, Quality and Informatics Program. Sitting and Singh wrote "A Socio-technical Approach to Preventing, Mitigating, and Recovering from Ransomware Attacks," published in Applied Clinical Informatics.

In the paper Sittig and Singh put forth an approach to defending against ransomware, based on the National Institute of Standards and Technology's Cybersecurity Framework.

Their strategy involves four steps healthcare organizations should take to secure EHRs and the underlying computing infrastructure.

Step 1: Configure computers and networks with security protections in mind then backup data and update software regularly. To start, hospitals need to create system-wide backup processes for data. And it is critical to keep all software programs up date with the latest patches, including operating systems, applications, browsers, plug-ins, firmware and anti-virus tools. The authors also recommend that healthcare organizations develop and maintain a whitelist of software programs that users are allowed to run, another list of those programs that are at risk of bearing malicious code and employees are prohibited from using.

Step 2: Implement user-focused strategies to make defense systems more reliable. Hospital security staff have to train users to operate apps and devices securely, and to spot email messages likely carrying malicious code. Sittig and Singh recommend conducting simulated phishing attacks to educate employees as well as routine risk and impact assessments to prioritize applications that can experience downtime, and for how long, should an attack happen.

Step 3: Monitor any and all suspicious activities comprehensively. Sittig and Singh recommend using systems to conduct surveillance for suspicious activity, such as receipt of email messages from known fraudulent sources, executable email attachments, unexpected changes in key files on network-attached drives, unknown processes encrypting files, or significant increases in network traffic on unexpected ports. The external environment should also be monitored for new security incidents including zero-day exploits, and address gaps and deficiencies as they are identified.

Step 4: Respond, recover, investigate, and track lessons learned. Once an attack has occurred, computers and networks should be shut down immediately. After containing the threat, personnel should contact their organization’s insurance provider, a computer forensics expert, and the FBI’s Internet Crime Complaint Center. When the attack is over, hospitals should convene a multi-disciplinary investigation team encompassing health IT professionals and clinicians to identify root causes and prepare for preventing and mitigating future attacks.

“Similar to approaches to address other complex socio-technical health IT challenges,” Sittig and Singh wrote, “the responsibility of preventing, mitigating, and recovering from these attacks is shared between health IT professionals and end-users.”

Twitter: @HealthITNews

Like Healthcare IT News on Facebook and LinkedIn