Ransomware - a real and credible threat

Ransom demands are reported to be climbing, from an average of US$6,000 in 2018, to US$84,000 in 2019, and US$178,000 in 2020. The funds are usually requested to be transferred electronically, often in untraceable cryptocurrency such as Bitcoin.

Prevalence

According to the Notifiable Data Breaches Report January-June 2021 from the Office of the Australian Information Commissioner (OAIC):

• ransomware made up 24 per cent of the 192 cybersecurity incidents notified as a data breach to the OAIC from January to June 2021.
• data breaches from ransomware incidents increased to 46 notifications from 37 in the last reporting period
• across all types of breaches, the health sector was the highest reporting industry sector, notifying 19 per cent of all breaches.

Impact

Being unable to access computer files will have immediate and severe impact on the running of most medical practices.

• A cardiology practice in Florida hit by ransomware in 2021 had its phone lines and IT systems shut down, and was still operating at a reduced capacity several months later.
• Victorian hospitals hit by a ransomware attack in 2019 had to cancel some elective surgery and appointments.
• In 2017, WannaCry – a global ransomware attack – infected the NHS in England, causing thousands of appointments and operations to be cancelled. And in five areas, patients had to travel further to Accident & Emergency departments.

Prevention

Protective measures are outlined in the Australian Cyber Security Centre’s (ACSC) ransomware prevention and protection guide. These involve seven steps:

1. Update your device and turn on automatic updates
2. Turn on multifactor authentication
3. Set up and perform regular backups
4. Implement access controls
5. Turn on ransomware protection
6. Prepare your cyber emergency checklist
7. Remain vigilant and informed

Backups are vital

Recovering from ransomware is almost impossible without comprehensive backups – preferably both to an external storage device and to the cloud. Backups should be done regularly to minimise gaps in the data, and this can usually be automated via your system settings. Backups should also be checked regularly to ensure they have worked. You can get more guidance on backups from the Australian Digital Health Agency (ADHA) and the Royal Australian College of General Practitioners (RACGP).

What to do if it happens to you

The ACSC has an emergency response guide which provides simple step-by-step instructions on what to do. Outlined steps include immediately disconnecting the infected device, running a malware scan, and seeking professional IT assistance.

The ACSC recommends not to pay the ransom. There is no guarantee that paying the ransom will fix your devices, and it can make you vulnerable to future attacks.
Refusing to pay the ransom requires that your backup can recover all or most of the files or data. Without sufficient backup, you may have no option but to pay the ransom. Unfortunately, paying the ransom won’t guarantee getting everything back.

A recent global survey found that on average only 65 per cent of the encrypted data was restored after a ransom was paid, and only eight per cent of organisations were able to restore all of it.

Case study: As it happened at a practice insured by MDA National

One morning at a specialist practice, the receptionist started the computers and tried to open the records and billing software (BlueChip). When she couldn’t get it to open, she phoned the practice’s IT provider who sent a staff member to the practice straight away. He found that the files on the shared drives had been encrypted, and a ransom in bitcoin had been demanded to provide a decryption key. He identified one machine as the source of the infection and shut it down.

Later that day when the IT provider tried to restore data from the backup server, he found that the backup server’s internal data and external backup drive had also been locked. The police were notified.

The practice owner decided to pay the ransom. Communication with the scammers over several days led to two attempts to decrypt the data, but the data was not completely restored. Three weeks’ worth of patient reports were never recovered. It took five days for the practice system to be functional. Fortunately, there was no evidence that patient records had been accessed by the scammers.

To prevent this happening again, the practice now only allows remote access through a secure VPN. The administrator passwords and file-share permissions to the backup server were changed, and additional backups now include multiple offsite and offline copies of data kept in rotation – so there are at least four copies of business data less than 10 days old at any time.

Subscribe to MDA National’s biannual Member publication, Defence Update, for the latest medico-legal updates, articles and case studies.

Subscribe now

Subscribe to MDA National’s biannual Member publication, Defence Update, for the latest medico-legal updates, articles and case studies here.