Why regaining control of data doesn’t mean a ransom incident is over
Some hospitals that suffer a ransomware attack don’t recognize the incident as a reportable data breach, because the data is locked up. Or they believe that, because the data was locked up and the ransom was paid, as long as they have access again to their data, there’s no breach.
They are wrong, says Jack Danahy, chief technology officer at Barkly, a vendor of software to recognize malware based on behavior patterns and block execution of viruses. If an organization is not in control of its data, and if it cannot access the data, it is a HIPAA-reportable event.
Some hospitals also don’t understand that even after paying ransom and getting the data back, or mitigating the attack and regaining data access, they still don’t have full control of their data. The data is back, but the attacker almost always retains a copy, Danahy notes. The same program that encrypts files can also copy files. The organization paid a ransom, but the hacker still has a copy of the files and can sell the data.
Thus, even an organization with great data back-up processes may believe it regained all of its data, but that data’s likely could be out on the street being sold. Some organizations do know this but may not acknowledge it or fully consider the ramifications, he adds.
Further, an organization may backup data regularly, yet the backups are vulnerable to attack because they are on a shared network supporting other applications that can be attacked along with the backup. “You need to put backup on a separate network,” Danahy advises. “Don’t have it where an affected machine can get access to the backup.”
Other tips from Danahy include:
Do not allow users or administrators to do browsing or receive email on the backup server.
Do not put the backup server on the same subnet as the machines it is backing up to reduce the likelihood that ransomware will also infect it.
Do not use shared drives from the backup server, as those drives can be infected and act as a source for transmission of the ransomware payload.
Minimize the services that run on the backup server to decrease the vulnerable surface in case other systems on the network do get infected.