How ransomware emails impact healthcare security

Ransomware attacks pose a severe and multifaceted risk to organizations and individuals because they compromise the data an organization collects. This is an especially dangerous threat to healthcare organizations due to the sensitive nature of the data they handle and the risk it poses to patient care.

Ransomware and HIPAA

A ransomware attack is a type of cyberattack in which malicious software (malware) is deployed by hackers to encrypt a user's data, denying access to it. This encryption is done with a unique key known only to the attacker. Once the user's data is encrypted, the ransomware demands a ransom payment, typically in cryptocurrency like Bitcoin, in exchange for providing the decryption key.

How ransomware and HIPAA are related ties into HIPAA's mandate for security measures and incident response procedures to protect electronic protected health information (ePHI). When ransomware infects computer systems and encrypts ePHI, it triggers HIPAA's breach notification requirements. Covered entities and business associates must assess the breach's risk and notify affected individuals, the Secretary of HHS, and possibly the media if the risk of compromise is not low.

How hackers use email to deliver ransomware

Ransomware attacks often occur via email phishing campaigns, a common delivery method for this type of malware. In a typical scenario, malicious actors send deceptive emails to potential victims, disguising themselves as trustworthy entities or individuals. These phishing emails may contain malicious attachments or links that, when clicked or opened, trigger the installation of ransomware on the recipient's computer. 

Once inside the victim's system, the ransomware encrypts files and data, often including email archives, rendering them inaccessible. This tactic is especially concerning for organizations that rely heavily on email communications, as the loss of email access can disrupt critical business operations. 

Learn more: HIPAA Compliant Email: The Definitive Guide

What is the impact of a ransomware attack?

1. Data encryption: Ransomware encrypts the victim's data, including email archives, making them inaccessible. This can lead to a loss of critical information and disrupt day-to-day operations.
2. Financial costs: Victims may face substantial financial costs, as ransomware attackers typically demand payment in cryptocurrency to provide the decryption key. Organizations may pay the ransom, incurring those costs, or incur expenses related to recovery efforts and potential regulatory fines.
3. Operational disruption: Ransomware attacks can paralyze an organization's operations, including email communication, leading to downtime and reduced productivity.
4. Recovery efforts: Recovering from a ransomware attack can be time-consuming and resource-intensive. Organizations must restore encrypted data from backups, verify their integrity, and ensure their systems are malware-free.
5. Breach notification: If the ransomware attack results in a breach of unsecured PHI or PHI is accessed by an unauthorized individual, breach notification requirements under HIPAA must be followed. Covered entities must notify affected individuals without unreasonable delay, the Secretary of HHS, and, if the breach affects more than 500 individuals, the media.
6. Post-incident evaluation: After resolving the ransomware incident, organizations should conduct a post-incident evaluation to assess their response and recovery efforts. Lessons learned from the incident should be incorporated into their security management process to enhance future incident response effectiveness. 

See also: Refusal to pay is the newest strategy to combat ransom attacks

Practices to adopt to prevent ransomware attacks through email

Email filtering and scanning

Implement advanced email filtering and scanning solutions to detect and block malicious emails before they reach users' inboxes. These solutions often use AI and machine learning to identify phishing and malware-laden emails.

Sender authentication

Implement email authentication protocols like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to verify the authenticity of incoming emails. This helps prevent email spoofing.

Content filtering

Employ content filtering mechanisms that scan email content for malicious attachments, URLs, and suspicious keywords. Such filters can automatically quarantine or reject potentially harmful emails.

Attachment sandboxing

Use sandboxing technology to isolate and analyze email attachments in a safe, controlled environment before allowing them to be delivered to users. This can help detect and block malicious payloads.

URL link scanning

Utilize URL link scanning services that check the safety of embedded links in emails. These services can flag or block URLs, leading to malicious websites.

Patch and update management

Regularly update and patch email servers, email client software, and all endpoint devices to address known vulnerabilities. Ransomware often exploits unpatched software.

Least privilege access

Apply the principle of least privilege to limit user access to sensitive systems and data. Users should only have access to resources necessary for their roles, reducing the potential impact of a ransomware infection.

Backup and recovery

Maintain robust backup and disaster recovery procedures. Regularly back up critical data, ensure backups are isolated from the network, and test data restoration processes to ensure quick recovery in case of an attack.

Remote desktop protocol (RDP) security:

If RDP is used, secure it with strong passwords and consider using a Virtual Private Network (VPN) to restrict access to authorized users.

See also: What is DKIM and why you need it