The ransomware epidemic: What EMS agencies need to know

Don’t get caught paying to access your data; use these tips to prevent, identify and recover from EMS ransomware attacks

By Ryan Stark

The ransomware epidemic is spreading as we enter the latter half of 2017 and it shows no signs of stopping. International attacks are locking down the computer systems of thousands of companies, including health care providers [1].

In fact, the health care industry is the most targeted [2]. That means EMS providers and their vendors are at a high risk for a ransomware attack. Why?

  • Infrastructure. Many providers are still running on insecure, antiquated and sometimes unsupported systems that are very easy to hack.
  • Resources. The health care industry continues to lag behind other sectors in the amount of resources and training devoted to data security.
  • Valuable Data. Providers and their vendors also hold critical data, such as employee records, social security numbers, member ID numbers and sensitive health information. Hackers know you need to access this data. They also know that medical information is worth much more than a credit card number on the black market today.

What is ransomware and how does it work?

Ransomware is a type of malware (malicious software) that denies access to data by encrypting it and then demanding a ransom to get a key to unlock the data.

Ransomware can infiltrate your system in several ways. A user can unintentionally download malware by opening a malicious email attachment or visiting a malicious website. Once downloaded into your system, ransomware begins locking down (encrypting) your files so that you cannot access them.

After a critical amount of information is encrypted, the malware phones home to tell the hacker to make a ransom demand. Then, the infected party receives a message – pay up or lose access to your encrypted data, forever. Typically, the ransomware directs the user to pay the ransom in a cryptocurrency, such as Bitcoin, to receive a decryption key.

Telltale signs that you’ve been infected with ransomware

Agencies are typically alerted to ransomware only after it has encrypted the data and announced its presence by demanding payment. But there are some early indicators of a ransomware attack, including:

  • An employee realizes that a link that was clicked on, a file attachment opened or a website visited may have been malicious. For example, the user might have been unable to close a window or an attachment prompted another action on the computer.
  • An increase in central processing unit (CPU) and disk activity on a computer for no apparent reason. For example, the modified dates listed on files and folders are changing rapidly because ransomware is searching for, encrypting and removing data files.
  • An employee is unable to find or access certain files. Ransomware can encrypt, delete, re-name and/or relocate data.
  • IT personnel detect suspicious network communications between the ransomware and the attackers’ command and control servers. This activity would most likely be detected by IT personnel via an intrusion detection or similar solution.
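
The second indicator above (modified dates changing rapidly while files are encrypted) can be checked mechanically. The Python below is an added example, not part of the original article: it flags files changed in the last few minutes whose contents look like random data, as encrypted files do. The thresholds, the function names and the sample files are assumptions chosen for illustration.

```python
import math, os, tempfile, time
from collections import Counter

WINDOW_SECONDS = 300      # assumed look-back window for "recently modified"
ENTROPY_THRESHOLD = 7.5   # assumed cut-off in bits/byte; encrypted data approaches 8.0
MIN_SUSPECT_FILES = 20    # assumed number of suspect files that triggers an alert

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(root, now=None, sample_bytes=65536):
    """Return files modified inside the window whose leading bytes look encrypted."""
    now = time.time() if now is None else now
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if now - os.stat(path).st_mtime > WINDOW_SECONDS:
                    continue  # not recently modified
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # file vanished or is locked mid-scan; skip it
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                suspects.append(path)
    return suspects

def should_alert(suspects):
    return len(suspects) >= MIN_SUSPECT_FILES

def build_sample(root, encrypted):
    """Constructed sample data: 30 text files, optionally replaced by random bytes."""
    for i in range(30):
        body = os.urandom(4096) if encrypted else b"patient care report\n" * 200
        with open(os.path.join(root, f"pcr_{i}.txt"), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    for encrypted in (False, True):
        with tempfile.TemporaryDirectory() as d:
            build_sample(d, encrypted)
            hits = scan(d)
            print(f"encrypted={encrypted}: {len(hits)} suspects, alert={should_alert(hits)}")
```

Compressed formats such as ZIP, JPEG and modern Office documents also have high entropy, so the count and time window matter more than any single hit; tune both against normal activity on the share being watched.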

What should you do if you discover ransomware?

Here’s what to do if you discover ransomware on an EMS agency-owned desktop, tablet, laptop or smartphone:

  • Isolate the infected computer systems to halt propagation of the attack. This action may include disconnecting the workstation, server or other machine from the internet and the company’s network.
  • Determine the scope of the incident to identify what networks, systems or applications are affected.
  • Determine the origination of the incident (who/what/where/when) by scanning machines with anti-malware software.
  • Determine whether the incident is finished, is ongoing or has propagated additional incidents.
  • Investigate how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited).
  • Recover from the ransomware attack by restoring data lost during the attack and returning to business-as-usual operations.
  • Conduct post-incident activities, which could include a deeper analysis of the incident.

Your ransomware defense checklist

There are several ways to fend off a potential ransomware attack before it infiltrates your system:

  1. Conduct ongoing staff awareness activities and training on how to spot and report ransomware.
  2. Maintain updated firewalls and antivirus protection with intrusion detection/prevention.
  3. Employ email spam filters that block known malicious attachments.
  4. Configure Microsoft Office to disable automatic running of macros.
  5. Only grant access to data based on business need.
  6. Patch and update systems as soon as updates are available.
  7. Backup, backup, backup – backup frequently and keep backups segregated from the network.
  8. Periodically test your backups.
  9. Segment networks to reduce spread of infection.
  10. Consider getting insurance to cover the cost of ransomware attacks.

1. Ng Alfred (2017, June 28). The global ransomware epidemic is just getting started. Retrieved from

2. Institute for Critical Infrastructure Technology (2016). Hacking health care IT in 2016: Lessons the health care industry can learn from the OPM breach. Retrieved from

For over 20 years, PWW has been the nation’s leading EMS industry law firm. PWW attorneys and consultants have decades of hands-on experience providing EMS, managing ambulance services and advising public, private and non-profit clients across the U.S.

PWW helps EMS agencies with reimbursement, compliance, HR, privacy and business issues, and provides training on documentation, liability, leadership, reimbursement and more. Visit the firm’s website at