Top Takeaways from the Airway Oxygen Ransomware Attack on the OCR Wall of Shame

June 30, 2017 Mac McMillan

Airway Oxygen reported the largest ransomware attack to date to OCR’s wall of shame on June 16th, 2017. It affected 500,000 individuals, making it the second largest breach so far in 2017. I believe there are several takeaways from this incident that the industry should know about.

Ransomware Attacks are on the Rise

First, I believe that we will continue seeing more ransomware attacks that cause a breach this year because the pace of these types of attacks is increasing and the targets are not just the big systems. The smaller organizations are more susceptible, as many of them have fewer resources for security, are more likely to have older systems that are no longer supported, and have less sophisticated detection and alert capabilities. It is a regular occurrence now. The good news is that only a few actually require notification, but the disruption caused is always costly.

Determining Ransomware Attack Versus Breach

Many organizations are still not clear on when a ransomware attack is considered a breach and are confused about what OCR’s ransomware guidance means. However, based on the incidents CynergisTek has been involved in, it is more common that they do not require notification. Regardless, you have to assess whether information was compromised before notification. Identifying what the attacker accessed can be difficult, and often organizations are hesitant to report the breach until that is determined.

What You Can Do to Protect Yourself

There are several things I would suggest for protecting yourself based on the incidents we’ve seen and this one, but a critical piece of information is missing here: how did the attackers gain access? Many of these attacks are remote, so first off, employ two-factor authentication on any remote connections or web-based access. More often than not, the attacker needs access to the system to download the malware. Where appropriate, organizations should remove administrative privilege via vaulting, and at a minimum deploy two-factor authentication for anyone with elevated privileges.

Additionally, organizations should increase the level of segmentation to protect critical systems and databases with real access restrictions. Deploy advanced malware detection both on the network and the endpoint. Engage a Tier 1 SOC partner to increase visibility and alerting from log activity. Generally, enhance hygiene: update obsolete operating systems and software, improve vulnerability management, eliminate unnecessary services, etc. Evaluate vendor access and security.

Hackers Continue to Lead the Reported Breaches

I do not see any abatement in the hacking incidents we’re seeing right now.  As long as they are successful and as long as organizations pay the ransom, bad actors will continue to carry out their attacks.

Making Progress but We Still Have a Long Ways to Go

Generally, the areas where we are making the most improvement in combatting ransomware include education of users and investment in advanced malware detection. However, we are still lagging in the basic hygiene of the network, detection and alerting, response, and recovery.

The entire story is included in the article “Ransomware Attack Affects 500,000 Patients.”
