Healthcare ransomware attacks have become a security nightmare for many organizations over the last couple of years.
Ransomware is a type of malware that prevents or limits users from accessing their systems, either by locking the screen or by encrypting the users' files, until a ransom is paid.
Ransomware attacks are a key cybersecurity threat for all organizations, not just healthcare. According to Verizon’s 2018 Data Breach Investigations Report (DBIR), ransomware is the most common type of malware. It is found in 39 percent of malware-related data breaches, double the percentage from last year’s DBIR. Ransomware accounted for over 700 cyber incidents in 2017.
The DBIR discovered that ransomware accounts for 85 percent of all malware targeting the healthcare industry.
What’s more, Verizon’s analysis shows that ransomware attacks are now moving into business-critical systems, encrypting file servers or databases rather than single workstations, inflicting more damage and commanding bigger ransom demands.
Last year, the WannaCry ransomware worm spread indiscriminately across organizations worldwide and hit the UK’s National Health Service particularly hard, and this year SamSam ransomware attackers are deliberately going after healthcare organizations.
Suzanne Widup, senior consultant for network and information security with the Verizon RISK Team, said that ransomware attackers go after healthcare organizations because they are “soft” targets that the attackers have had success with in the past.
Also, healthcare organizations have a heightened sense of urgency when they can’t get into their systems.
“It is a life or death situation if they can’t access data. So, they are more likely to pay up, at least in the criminals' view they are,” Widup told HealthITSecurity.com.
“There are so many different kinds of criminal elements targeting healthcare; it is not surprising that we are getting specializations in their attack types,” she said.
Phishing is the most popular method for initiating an attack. Phishing involves impersonating a legitimate source in an email in order to steal credentials that grant access to the system, or to trick the victim into downloading malware by clicking on a file or link.
One of the best ways to prevent ransomware attacks is to educate employees about how to avoid falling for phishing and other social engineering ploys.
To prevent ransomware attacks from succeeding, ICIT Co-founder and Senior Fellow James Scott advised healthcare organizations to train their employees on cyber hygiene, which he called the best defense against ransomware.
“Don't believe what you read in an email if it’s coming from a source that you're not familiar with…. Cyber hygiene is thinking before you click, not surfing the internet for personal reasons like going to Google or Facebook or checking your Twitter feed from a workstation computer,” Scott advised.
“Cyber hygiene is not putting yourself in a situation where you're going to be surrounded by malicious links,” he said.
But healthcare organizations need other mitigation strategies in place to contain ransomware if it does get into a computer or system, said Widup. “We recommend that people include malware outbreaks in their training plans for incident response,” she said.
Widup cautioned healthcare organizations against paying the ransom. First, it encourages criminals to continue these attacks. And second, there is no guarantee of getting the encryption key.
“The best strategy is to have good backups that have been tested and be able to restore processes, so you are not reliant on someone to give you the key,” she advised.
HHS recommends the same response. Healthcare organizations should not pay the ransom because it encourages the criminals to continue their attacks on other organizations.
Whether an organization should pay the ransom depends on how badly they want their data back. If a company needs to pay the ransom, often they can get the Bitcoin from their legal firms, which are starting to accumulate Bitcoin, Scott said.
Even if an organization pays, it’s a 50/50 chance it won’t get the data back, he added.
SamSam ransomware attacks slam healthcare
In its March report on SamSam ransomware, HHS said that at least eight cyberattacks had been carried out on healthcare and government organizations so far this year: Indiana-based Hancock Health Hospital and Adams Memorial Hospital, cloud-based electronic health record (EHR) provider Allscripts, the municipality of Farmington in New Mexico, an undisclosed US industrial control system company, Davidson County offices in North Carolina, Colorado’s Department of Transportation, and the City of Atlanta’s systems and services.
In the Hancock Health Hospital attack, the attackers accessed the hospital system by using a remote-access portal and logging in with a vendor’s username and password.
The hackers used compromised account credentials to target a server located in the hospital’s emergency IT backup facility and made use of the electronic connection between the backup site and the server farm on the hospital’s main campus to deliver the SamSam payload. The hospital ended up paying the $50,000 ransom in Bitcoin to get file access back.
In the case of the Adams Memorial Hospital attack, an outpatient clinic and three physician offices were unable to use that hospital’s network to access patient history or schedule appointments, affecting between 60 and 80 patients.
The ransomware attack against Allscripts prevented 1,500 customers from using its cloud EHR applications, including InfoButton, regulatory reporting, clinical decision support, direct messaging, Payerpath, and the electronic prescription of controlled substances service. The SamSam ransomware variant that infected Allscripts was different from the variant that infected the Indiana hospitals, HHS noted.
HHS explained that the signature of SamSam attacks is the encryption of files and data with the “.weapologize” extension, the display of a “sorry” message, and the use of a “0000-SORRY-FOR-FILES.html” ransom note.
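The indicators HHS lists are easy to turn into a read-only sweep that scopes an incident: which shares hold renamed files, and where the ransom notes were dropped. The following is an added example, not code from HHS or from this article; the directory tree it builds is constructed sample data, and the two indicator strings are the only ones the report supports. Because the Allscripts variant differed from the Indiana one, treat an extension-based sweep as a starting point for triage, not as proof that a system is clean.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the HHS SamSam description above.
SAMSAM_EXTENSION = ".weapologize"
SAMSAM_NOTE_NAME = "0000-SORRY-FOR-FILES.html"


def sweep_for_samsam(root):
    """Walk `root` read-only and collect SamSam file-system indicators.

    Returns the encrypted-file paths, ransom-note paths and the set of
    directories touched, so responders can scope the blast radius before
    deciding whether backups cover the affected shares.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == SAMSAM_NOTE_NAME:
                notes.append(path)
            elif name.lower().endswith(SAMSAM_EXTENSION):
                encrypted.append(path)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_dirs": sorted({p.parent for p in encrypted + notes}),
    }


def build_sample_tree(base):
    """Constructed sample tree (not real data) mimicking a partially
    encrypted share: two clean files, two renamed files, one ransom note.
    The upper-case extension checks that the sweep is case-insensitive."""
    base = Path(base)
    (base / "patients").mkdir()
    (base / "billing").mkdir()
    (base / "patients" / "schedule.xlsx").write_bytes(b"clean")
    (base / "patients" / "history.docx.weapologize").write_bytes(b"\x00garbage")
    (base / "patients" / SAMSAM_NOTE_NAME).write_text("<html>sorry</html>")
    (base / "billing" / "claims.csv").write_bytes(b"clean")
    (base / "billing" / "notes.pdf.WEAPOLOGIZE").write_bytes(b"\x00garbage")
    return base


def demo():
    """Build the sample tree in a temp dir, sweep it, and summarise counts."""
    with tempfile.TemporaryDirectory() as tmp:
        result = sweep_for_samsam(build_sample_tree(tmp))
        return {
            "encrypted": len(result["encrypted_files"]),
            "notes": len(result["ransom_notes"]),
            "dirs": len(result["affected_dirs"]),
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted copy of the share, never against the live system while the malware may still be running; and compare the affected directories with the backup catalogue before anyone talks about paying.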
The SamSam hackers focused on Internet-exposed remote desktop protocol (RDP) services, brute-forcing credentials against those endpoints to gain their initial foothold.
HHS offers strategies to deal with ransomware attacks
To stop this strategy from succeeding, HHS recommended that healthcare organizations keep RDP behind firewalls, RDP gateways and virtual private networks rather than exposing it directly; use strong, unique passwords with two-factor authentication; limit which users are permitted to log in over remote desktop; and implement an account lockout policy to help thwart brute-force attacks.
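The lockout threshold HHS recommends is also a detection rule: the same count of failures that would trip a lockout should raise an alert, and a second rule is needed for the case lockout misses, namely one source trying a few passwords against many accounts. The following is an added example, not HHS guidance or code from this article. The log lines are constructed, and their flattened one-line format is an assumption; real 4625 events come out of the Security log as XML (via wevtutil, PowerShell or a SIEM forwarder), so only the field names, not the layout, carry over. One caveat for production: with Network Level Authentication enabled, failed RDP attempts are commonly logged as LogonType 3 rather than 10, so a real rule should not filter on type 10 alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in a flattened form of Windows
# Security event 4625 (logon failure). LogonType 10 = RemoteInteractive (RDP).
# 203.0.113.7 hammers "administrator", then sprays three more accounts;
# 10.20.4.21 is a clinician mistyping a password twice before succeeding (4624).
SAMPLE_LOG = """
2018-03-02T08:00:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-02T08:00:03 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-02T08:00:05 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-02T08:00:07 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-02T08:00:09 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-02T08:00:11 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-02T08:00:13 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-02T08:00:20 EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2018-03-02T08:00:21 EventID=4625 LogonType=10 User=nurse1 Src=203.0.113.7
2018-03-02T08:00:22 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2018-03-02T08:00:23 EventID=4625 LogonType=3 User=svc_sql Src=203.0.113.7
2018-03-02T08:15:00 EventID=4625 LogonType=10 User=drjones Src=10.20.4.21
2018-03-02T08:15:30 EventID=4625 LogonType=10 User=drjones Src=10.20.4.21
2018-03-02T08:16:00 EventID=4624 LogonType=10 User=drjones Src=10.20.4.21
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) User=(\S+) Src=(\S+)$")


def parse_rdp_failures(text):
    """Return (time, user, src) tuples for 4625 events with LogonType 10."""
    out = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, logon_type, user, src = m.groups()
        if event_id == "4625" and logon_type == "10":
            out.append((datetime.fromisoformat(ts), user.lower(), src))
    return out


def detect_bruteforce(failures, threshold=5, window=timedelta(minutes=15)):
    """Flag (src, user) pairs with >= threshold failures inside a sliding window.

    The defaults mirror a lockout policy of 5 bad attempts in 15 minutes, so
    anything flagged here is exactly what the lockout would have stopped.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, src in sorted(failures):
        q = recent[(src, user)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[(src, user)] = len(q)
    return alerts


def detect_spray(failures, min_accounts=3, window=timedelta(minutes=15)):
    """Flag sources that fail against many distinct accounts in one window:
    the low-and-slow pattern that a per-account lockout threshold never sees."""
    by_src = defaultdict(list)
    for ts, user, src in failures:
        by_src[src].append((ts, user))
    sprayers = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_accounts:
                sprayers[src] = max(sprayers.get(src, 0), len(users))
    return sprayers


def analyze(text=SAMPLE_LOG):
    failures = parse_rdp_failures(text)
    return {
        "rdp_failures": len(failures),
        "bruteforce": {f"{src}->{user}": n
                       for (src, user), n in detect_bruteforce(failures).items()},
        "spray": detect_spray(failures),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

The clinician's two failures never reach the threshold, the attacker's seven do, and the spray rule catches the same source even though it touched each of the other accounts only once. Pair this with the access restriction above: an alert on a source that should not be able to reach RDP at all is the more interesting one.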
Despite implementing these strategies, a healthcare organization could still get infected with ransomware. Here’s what HHS advises if that happens:
Developing a culture of security to reduce vulnerability
Scott observed that because of the increasing threat from ransomware and other cyberattacks, more companies are putting cybersecurity experts on the board of directors.
Unfortunately, there is a cybersecurity skill shortage, and it is difficult to attract qualified candidates in the health sector because the sector cannot offer the kinds of salaries other industries offer.
“I think it comes down to seeing the value in what these people have to offer and adjusting your budget, so you can afford them. I don't think that health sector companies or organizations are doing that,” he said.
If attackers do succeed in infecting an organization with ransomware, Scott recommended that the security team have the entire network forensically analyzed to catch any mutating malware in addition to taking the steps outlined above.
“If the network is not forensically analyzed, malware could be incubating somewhere in your network on a timing mechanism, where in seven days, it’s exposed in your network again and spreads,” he said.
Scott also advised locking down the endpoints and using artificial intelligence and machine learning as part of an endpoint security solution.
Healthcare companies are a prime target for attackers because their data is so valuable. “You can do anything with a complete electronic health record,” Scott said.
Implementing best practices to combat future threats
Frost & Sullivan analyst Vijay Michalik explained in a recent commentary that the rise of ransomware can be attributed to the proliferation of easy-to-use ransomware tools and ransomware-as-a-service on sale in the cybercrime underworld.
These tools can be easily customized, which has helped create a growing list of successful attacks that generate significant revenue for cybercriminals.
Frost & Sullivan believes an inflection point is near in cybersecurity, although key barriers remain such as lack of technical understanding and reticence to invest.
Businesses need to invest heavily in technology, internal security personnel, and training of staff to identify and avoid threats, Michalik said.
Key sectors such as healthcare will be pressured to adapt by governments if they do not do so on their own. As a result, Michalik predicted an annual growth rate in healthcare cybersecurity of 13.6 percent in the US alone.
Mike Suby, vice president of research at Frost & Sullivan’s Stratecast unit, agreed with Scott and Michalik about the need to train staff on security best practices.
“It’s important to train end users to help them identify and not click on communications coming from unknown sources or documents that seem shaky,” he told HealthITSecurity.com.
“There’s no silver bullet as it applies to ransomware and malware in general. It is a matter of best practices,” he said.
Suby also agreed with Scott on the need for a strong endpoint security solution. “Make sure that you have competent endpoint security products because that’s where the first executable will land, typically on an end-user endpoint,” he suggested.
The endpoint security solution should be a combination of signature-based and behavioral-based components, and it should provide remote browser isolation that enables the browser to operate remotely in a container, he noted.
“Certainly, you want to have web and email security gateways. It doesn’t matter necessarily if it’s a dedicated appliance or a cloud-delivered service,” he said.
In addition, organizations should make sure security patches are up to date and make sure vendors are updating medical equipment.
“The other aspect is to make sure that the access privileges for end users are appropriate for their roles within the organizations, their departments, and their titles…. They should only be allowed to access what is absolutely necessary for their business or for their role,” he advised. This is called “least access privilege,” or more commonly, least privilege.
For application security, he recommended that organizations use a combination of whitelisting (a list of explicitly allowed applications) and blacklisting (a list of prohibited ones).
Healthcare organizations should establish a baseline of normal traffic within the network, so they can determine when there is abnormal traffic that might indicate the presence of malware.
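One concrete form of that baseline is per-host: how many distinct internal machines a workstation normally talks to over SMB in an hour, and an alert when that number jumps, which is the signature of ransomware spreading across shares. The following is an added example, not from the article or from Frost & Sullivan; the hourly counts are constructed, and scoring each host against its own mean and standard deviation (with a floor on the deviation so flat baselines do not alert on noise) is one simple choice among many.

```python
import statistics

# Constructed hourly summaries (not real traffic): per source host, the number
# of distinct internal destinations reached on TCP/445 (SMB) in each of twelve
# baseline hours. Workstations touch a handful of file servers; the file server
# itself legitimately talks to many hosts.
BASELINE_HOURS = {
    "ws-er-12": [3, 4, 3, 5, 4, 3, 4, 4, 3, 5, 4, 3],
    "ws-radiology-3": [2, 2, 3, 2, 2, 3, 2, 2, 2, 3, 2, 2],
    "fs-main-1": [40, 38, 45, 42, 41, 39, 44, 40, 43, 42, 41, 40],
}

# The hour under review: ws-er-12 suddenly fans out across the subnet, the
# file server is within its normal band, and ws-new-7 has no history at all.
CURRENT_HOUR = {"ws-er-12": 61, "ws-radiology-3": 3, "fs-main-1": 44, "ws-new-7": 30}


def build_baseline(history):
    """Per-host (mean, population stdev) from a period believed to be clean."""
    return {host: (statistics.mean(v), statistics.pstdev(v))
            for host, v in history.items()}


def zscore(value, mean, sd, floor=1.0):
    """Deviations below `floor` are clamped so that a host whose count is
    always 2 does not page someone the first time it reads 4."""
    return (value - mean) / max(sd, floor)


def find_anomalies(current, history, z_threshold=3.0):
    """Return {host: z} for hosts above the threshold; hosts with no baseline
    map to None so they are surfaced for manual review rather than ignored."""
    baseline = build_baseline(history)
    anomalies = {}
    for host, value in current.items():
        if host not in baseline:
            anomalies[host] = None
            continue
        z = zscore(value, *baseline[host])
        if z >= z_threshold:
            anomalies[host] = z
    return anomalies


if __name__ == "__main__":
    for host, z in find_anomalies(CURRENT_HOUR, BASELINE_HOURS).items():
        print(host, "no baseline" if z is None else f"z={z:.1f}")
```

The check only works if the baseline window is actually clean; an attacker who has been inside the network for weeks is part of "normal" and will not stand out, which is one reason the forensic sweep Scott describes above belongs alongside the traffic baseline rather than in place of it.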
Suby also recommended that healthcare organizations use deception technology, such as honeypots, to detect attackers before they do damage.
“Create a virtual environment that looks very authentic to hackers; they basically trigger alerts that they’ve pulled in fake credentials, they’ve accessed fake file repositories, or they’ve accessed and tried to penetrate healthcare devices that are present within the healthcare environment,” he explained.
Organizations that follow these practices may have an easier time deciding what to do when ransomware does affect their systems.
“Because I’m practicing least access privilege, because I’ve done appropriate network segmentation, because I have a very good practice of putting in security patches on my devices, because I’m doing all the right things and I know this with a great deal of confidence, I may choose not to pay the ransom because I have confidence that even though I’m under attack, the impact is not going to be that great,” Suby said.
Ransomware attacks are a key cybersecurity threat for healthcare organizations. To combat ransomware, organizations need to deploy technology that will prevent attackers from penetrating their systems and slow them down if they do get in.
But there is no substitute for doing the hard work of implementing security best practices and training employees on how to avoid falling for phishing attacks.