Article Updated: 8/19/2020
No dental office is safe from ransomware.
I’ve recovered from ransomware about a half dozen times now in the past 10 years. It’s getting harder each time. The hackers are getting patient; they are well-funded organizations that operate with impunity, and over the weekend of August 26th, 2019 they landed a blow at the most hardened of all targets. They managed to encrypt 400 dental offices AND the remote backups from a company that SPECIALIZES in backups designed for ransomware prevention. The IT provider’s advertisement ironically reads “I am taking steps to protect myself from ransomware, I refuse to become a statistic”. The incident was an exact combination of threats that I’m always discussing with my peers. These dental offices installed a backup product called DDS Safe by Digital Dental Record that came bundled with a remote-access tool. This remote-access tool would become the attack vector for the virus. The hackers took care to wipe out the backups and pretty much left the owners of the remote-access tool, PerCSoft, with no other option than to pay the ransom, which they appear to have done. That’s a several-hundred-thousand-dollar education and I’d like to see if we can learn some lessons.
1. Use a hypervisor to prevent hackers from encrypting your backups.
If your backup drive is attached to the server or reachable via the network, it can and will be encrypted. If your backup is a piece of software that uploads your data to the cloud, a hacker could disable those backups and wait for them to get old enough that you would pay a ransom rather than recover from a 6-month-old backup.
Here is what I recommend: we virtualize the client’s servers and host those servers on a virtual host that WE control. There is ZERO trust between the dental office’s server and our host server. Our backups are hidden from view and completely inaccessible to a hacker. Our remote backup tools require a password to make changes, and we audit (by hand) all servers monthly.
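As an added example (not the article’s own tooling, nor the author’s company’s), here is what a host-side backup job for the arrangement in point 1 can look like. It assumes Hyper-V as the hypervisor; the VM name, export volume and retention period are hypothetical. The job runs on the host only, and the guest holds no credentials for the host, so nothing running inside the dental office’s server can reach, delete or encrypt the exports.

```powershell
# Added example, not from the article: nightly host-side export of a dental
# office's virtual server on a Hyper-V host. Runs on the HOST only; the guest
# has no credentials to the host, so it cannot touch these exports.
# VM name, export root and retention are hypothetical values.
$VmName     = 'DentalServer01'
$ExportRoot = 'E:\HostOnlyBackups'   # a volume that is never shared into any guest
$KeepDays   = 14

function Invoke-HostSideExport {
    param([string]$VmName, [string]$ExportRoot, [int]$KeepDays)

    # One dated folder per run, e.g. E:\HostOnlyBackups\2020-08-19_0200
    $stamp  = Get-Date -Format 'yyyy-MM-dd_HHmm'
    $target = Join-Path $ExportRoot $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Export-VM copies the VM configuration and its VHD/VHDX files. A running
    # VM is exported from a checkpoint, so the office needs no downtime.
    Export-VM -Name $VmName -Path $target -ErrorAction Stop

    # Prune old exports so the volume does not fill. Pruning happens only here
    # on the host; nothing inside the guest can trigger it or change $KeepDays.
    Get-ChildItem -Path $ExportRoot -Directory |
        Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item -Recurse -Force

    return $target
}

$where = Invoke-HostSideExport -VmName $VmName -ExportRoot $ExportRoot -KeepDays $KeepDays
Write-Output "Exported $VmName to $where"
```

Schedule this on the host under an account that exists only on the host. The guest’s local administrator, which is what a hacker on the dental server ends up holding, has no way to open `E:\` on the host or to run this script.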
2. Remove unused remote access tools.
There is a trend happening in the IT world where all the different software companies are trying to “add value” by adding a remote support tool to their software. For example, you could cancel your LogMeIn subscription and instead use the AVG antivirus with remote access built in. These remote-access modules are appearing all over the place, and they are a huge attack surface that is often overlooked. To reduce this threat you must go through your list of installed programs and remove all the remote support tools that you are not explicitly using. A short list of remote tools that you may want to question: Splashtop, Bomgar, ScreenConnect, Kaseya, LabTech, LogMeIn and TeamViewer. Beyond that, you should inspect the applications that are running on the system for any menu options indicating unattended remote access may be enabled. Lastly, when installing software always choose the custom option and make sure you are not opting into any sort of “assistance” program or service.
UPDATE: I’ve changed my mind on this point. When I wrote this a year ago I wanted to kill off all the entry points to the computers, and what I’ve found is that many practices use outsourced labor and that a lot of these cheap-o remote support programs are perfect for mom and pop billing companies, marketing and even accountants. My new advice is to require 2-factor authentication on all remote-enabled machines. If a computer has a sticky note that says “Don’t turn this computer off” then I want to see 2FA configured. The key advantage here is that when the unknown-but-trusted actor dials into the computer or server they will get a message immediately that says something to the effect of “Hey, our IT guys don’t know your cell phone number. Please email support@Standardcomputer.com and get set up for 2FA”. We receive the request from the billing person, confirm they are trusted (and have a BAA), then we enable their access. It’s more security and plays nice with everyone. I’ll write an article about how to do this one day.
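The inventory step in point 2 and the 2FA list in the update both start from the same question: which remote-access tools are actually on this machine? Below is an added example, not code from the article, that answers it on a Windows PC. The name patterns are the ones the article lists; the baseline file location is a hypothetical choice. Whatever it finds is either removed (point 2) or goes on the list of machines that must have 2FA (the update), and the month-over-month comparison catches a tool that arrived bundled with an unrelated install.

```powershell
# Added example, not from the article: inventory remote-access tools on a
# Windows PC so unused ones can be removed and the rest go on the 2FA list.
# The name patterns are the ones the article lists; add your own vendors.
$RemoteToolPatterns = @('splashtop', 'bomgar', 'screenconnect', 'kaseya', 'labtech', 'logmein', 'teamviewer')

# Where Windows records installed programs (64-bit, 32-bit and per-user).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Hypothetical location of last month's inventory, used to spot new arrivals.
$BaselineCsv = Join-Path $env:ProgramData 'remote-tool-inventory.csv'

function Test-RemoteToolName {
    param([string]$Name)
    if ([string]::IsNullOrWhiteSpace($Name)) { return $false }
    foreach ($pattern in $RemoteToolPatterns) {
        if ($Name -like "*$pattern*") { return $true }
    }
    return $false
}

function Get-RemoteToolInventory {
    # 1. Installed programs (what Add/Remove Programs shows)
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { Test-RemoteToolName $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Program'; Name = $_.DisplayName; Detail = $_.UninstallString }
        }

    # 2. Services: unattended-access tools install one so they survive a reboot
    Get-Service |
        Where-Object { (Test-RemoteToolName $_.Name) -or (Test-RemoteToolName $_.DisplayName) } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.DisplayName; Detail = "$($_.Name) is $($_.Status)" }
        }

    # 3. Scheduled tasks: another place an "assistance" agent gets started from
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { (Test-RemoteToolName $_.TaskName) -or (Test-RemoteToolName $_.TaskPath) } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Task'; Name = $_.TaskName; Detail = "$($_.TaskPath) state=$($_.State)" }
        }

    # 4. Running processes: catches portable one-off clients that were never installed
    Get-Process |
        Where-Object { (Test-RemoteToolName $_.ProcessName) -or (Test-RemoteToolName $_.Path) } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName; Detail = "PID $($_.Id) $($_.Path)" }
        }
}

$current = @(Get-RemoteToolInventory)
$current | Sort-Object Kind, Name | Format-Table -AutoSize

# Compare with the previous audit so a newly bundled tool stands out.
$previous = if (Test-Path $BaselineCsv) { @(Import-Csv $BaselineCsv) } else { @() }
$known = @{}
foreach ($p in $previous) { $known["$($p.Kind)|$($p.Name)"] = $true }
foreach ($c in $current) {
    if (-not $known.ContainsKey("$($c.Kind)|$($c.Name)")) {
        Write-Warning "NEW since last audit: $($c.Kind) '$($c.Name)'"
    }
}

# Save this run as the baseline for next month's audit.
if ($current.Count -gt 0) { $current | Export-Csv -Path $BaselineCsv -NoTypeInformation }
```

Run it elevated so the machine-wide registry hives and all services are visible. A program that shows up only under `Process` with no matching `Program` entry is the portable kind that point 2 says to look for in the application’s own menus.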
3. You must have at LEAST 2 competing backup products/companies.
There are a number of obvious problems with having one backup routine: if the backups ever break you are immediately at risk, and if you have just one backup it can leave you in a lurch should it have any imperfection in its restorative ability. Beyond these common needs there is another, ransomware-specific, reason to have COMPETING backup products. To explain that need I want to make sure you understand how the money works in ransom situations. The money is anonymous. It’s so anonymous that the police have a REALLY hard time keeping people from stealing the money out of the evidence room. The anonymous quality of it makes it impossible to know who stole it. It would be relatively easy for an employee of an IT support company to push a ransomware virus out to all the clients of that company. The employee would anonymously get the ransom money. So far the ransomware software has been really hard to get hold of; you have to be well connected to the deep dark internet. Eventually ransomware on commission, or an as-a-service ransomware product, will be widely available for evil employees to use. When that happens you do not want to be stuck using just one company for backups. I hope you can read between the lines a bit and see that I have a theory as to how a company that specializes in ransomware prevention could itself, and all its clients, become victims of ransomware.
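Point 3’s two competing products only help if someone notices when one of them stops, and point 1 describes exactly the failure to watch for: a hacker disables the backup and waits for the surviving copy to age. As an added example, not code from the article, the script below checks that two independent backup sets are both fresh and exits non-zero when either is missing or stale. The set names, paths and the 36-hour threshold are hypothetical.

```powershell
# Added example, not from the article: verify that two INDEPENDENT backup sets
# are both fresh, so one product being disabled (or disabling itself) is noticed
# long before the surviving copy is months old. Names and paths are hypothetical.
$BackupSets = @(
    @{ Name = 'Vendor A - host-side VM export'; Path = 'E:\HostOnlyBackups' },
    @{ Name = 'Vendor B - cloud agent staging'; Path = 'D:\CloudBackupStaging' }
)
# A nightly job that misses one night still passes; missing two nights does not.
$MaxAgeHours = 36

function Get-BackupSetStatus {
    param([hashtable[]]$Sets, [int]$MaxAgeHours)
    foreach ($set in $Sets) {
        # Newest file anywhere under the set's path is taken as the last backup.
        $newest = Get-ChildItem -Path $set.Path -File -Recurse -ErrorAction SilentlyContinue |
                  Sort-Object LastWriteTime -Descending |
                  Select-Object -First 1
        if (-not $newest) {
            # Path unreachable or empty: the backup is gone, not merely late.
            [pscustomobject]@{ Name = $set.Name; Newest = $null; AgeHours = $null; Status = 'MISSING' }
            continue
        }
        $age    = [math]::Round(((Get-Date) - $newest.LastWriteTime).TotalHours, 1)
        $status = if ($age -gt $MaxAgeHours) { 'STALE' } else { 'OK' }
        [pscustomobject]@{ Name = $set.Name; Newest = $newest.FullName; AgeHours = $age; Status = $status }
    }
}

$results = @(Get-BackupSetStatus -Sets $BackupSets -MaxAgeHours $MaxAgeHours)
$results | Format-Table -AutoSize

# Exit non-zero so a scheduled task or monitoring agent raises an alert.
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} backup sets need attention: {2}" -f $bad.Count, $results.Count, ($bad.Name -join '; '))
    exit 1
}
```

Run this from somewhere neither backup vendor controls (the hypervisor host from point 1 is a natural place), and treat a `MISSING` result on one set while the other is `OK` as the start of an incident rather than a nuisance: that is the quiet first step of the disable-and-wait scenario.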
If you DO get hit, don’t stress your IT guy out.
A stressed-out IT guy is going to operate at 80% of his normal intelligence, and when sleep deprivation hits, mistakes will happen. That will end up pushing your recovery time further than you may expect, and as frustrating as that may be, you must not vent this disapproval to your IT guy. It’s a bad plan to yell at a fireman in a blaze or heckle a police officer during a shoot-out. Instead, ask your questions like so: “I know you have a lot of moving pieces right now and I’m not looking for specifics. The organization needs to make some decisions about what it does, and those decisions are based on whether our computers will be back online in 4 hours, 24 hours, or longer than 24 hours.” Always buy pizza, leave a key, and get out of the way. Don’t ask a bunch of “why” questions. “Why didn’t our antivirus protect us,” for example, will just set their hair on fire. Once things are operational again, you can revisit your HIPAA documentation, see what you wrote down for your risks, and perhaps update that with your newly found attack vector.
If they can hack the Digital Dental Record… they can get you.