The WannaCry ransomware attack was a wakeup call for healthcare organizations across the globe, especially with the UK’s National Health Service being severely impacted by the attack. This is further proof of why strong cyber hygiene is necessary for entities to properly prepare for a potential ransomware incident, according to ICIT Co-founder and Senior Fellow James Scott.
The ransomware pandemic is just going to become worse, Scott said in an interview with HealthITSecurity.com. Smart cyber hygiene comes down to seemingly simple things, such as not clicking on email links when you’re not familiar with who’s sending the email, he explained.
From an organizational perspective, employees should not be checking personal social media or surfing the web for personal interests at work, even during their breaks.
Citing recent ICIT best practices released in the wake of WannaCry, Scott also maintained it was important to hover the cursor over a link prior to clicking to ensure that the URL matches the hyperlink. Shortened links, with applications such as Bitly, could be an easy way for a hacker to try and get a user to download ransomware, he said.
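The hover-before-you-click check above can be automated for HTML email bodies. The following is an added example, not code from ICIT or from the article: it flags anchors whose visible text looks like a URL but points at a different host, and anchors that route through a link shortener (the shortener list is an illustrative set, not an authoritative one).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative shortener hosts; extend this from your own threat intelligence.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def suspicious_links(html):
    """Return (href, text, reason) for links whose destination differs from what the user sees."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = _host(href)
        if target in SHORTENER_HOSTS:
            findings.append((href, text, "shortened link hides the real destination"))
        # Visible text that looks like a URL (has a dot, no spaces) must point at the same host.
        if "." in text and " " not in text and _host(text) != target:
            findings.append((href, text, "displayed URL differs from actual destination"))
    return findings


# Constructed sample email body for demonstration; not a real message.
SAMPLE = (
    '<p>Please review: <a href="http://evil.example/login">https://portal.example-hospital.org</a></p>'
    '<p>Or use <a href="https://bit.ly/abc123">this short link</a>.</p>'
    '<p>Safe: <a href="https://intranet.example-hospital.org">intranet.example-hospital.org</a></p>'
)
```

Running `suspicious_links(SAMPLE)` reports the first two links and passes the third, whose visible text and destination agree.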
“When it comes to exploits, such as malware, healthcare is the most vulnerable and sought after to exploit,” Scott warned. “A lot of organizations don’t even know where their data is. They’re not using encryption, they’re not bringing data into silos – they still have one massive treasure trove of health records.”
Healthcare organizations must remember the basics, he explained. This includes user behavior analytics, which is a mandatory prerequisite to guarding against situations such as a hacker who spear phished an employee with a keylogger. From there, the hacker can record the employee’s keystrokes, gain the user credentials for access and move laterally throughout the network to gather intelligence.
“We’re going to see more with ransomware, more of a compiled payload,” Scott cautioned. “It’s not just going to be ransom, it’s going to have things like screen capture, network mapping capabilities, Trojans, etc.”
“It’s going to get more sophisticated,” he continued. “Again, the most vulnerable and easily exploited critical infrastructure silo is the health sector, which means that’s where these new compiles of ransomware payloads are going to be tested.”
The WannaCry ransomware attack was all the more dangerous because it was a ransomware worm, Scott explained. It self-replicates, meaning that it’s going to parasitically intertwine itself throughout the network.
“It’s kind of like a seek-and-ransom for everything that is connected to that computer,” he said.
Failing to have data backed up is one of the first mistakes healthcare organizations can make with ransomware, Scott warned. Backing up data in real time is critical, but entities must also be sophisticated enough to have a disconnect.
Individual files and the entire PC should be backed up. There should also be a system image, which is a snapshot of all the files and applications on a system at a particular time.
“It’s not enough to just back up your data in real time,” Scott maintained. “You have to have an auto disconnect of that external server or hard drive because a worm will find its way in to that backup system.”
Essentially, cyber hygiene must evolve.
The WannaCry strain also capitalized on an operating system that was lacking updates and patches, he pointed out. Microsoft’s EternalBlue OS now has necessary updates available, but organizations must remain current on all available patches and updates for operating systems and applications.
“If you’re using Excel, anything Microsoft, the second an update comes, you have to do it,” Scott advised. “Now more than ever with their vendor relationships, healthcare organizations have to have cybersecurity and updates scheduled, such as a software or patch schedule built into that contract. Some healthcare organizations are starting to do that now, but if they’re not they definitely should be.”
Another common ransomware debate is whether organizations should pay the demanded fee or not pay it. Scott observed that it really depends on how ill-prepared an entity was, or what the potential damage may be if they do not get the information back.
“It’s a 50-50 crap shoot if they’re going to get the data back or not,” he asserted, adding that terrorist organizations may also benefit from ransomware money. “At the end of the day, you have to do what you have to do, but it’s better to just be prepared.”
Healthcare organizations should also understand that ransomware is the new DDoS, Scott said. When it comes to distracting an organization with an initial bump, such as the ransomware infiltration itself, everyone becomes chaotic. Nobody is looking at the network activity, he stated.
“Chances are, especially in healthcare, somebody is going to be in that network, mapping it, finding the vulnerable places, setting up beachheads for future attacks, setting up additional kinds of malware – time triggered ransomware, and Trojans,” he said. “They could also create remote access through backdoors. They’re going to be looking for the treasure troves of patient health records to try and exfiltrate for sale.”
“Once they’ve exhausted a network, they’ll go on forums and sell access as a service to other attackers,” Scott continued. “Then they start the whole thing over again. And here the organization thinks, ‘We paid the ransom, we got this data back, everything is safe and sound.’ What they don’t know is their network is just pulsating with hacker activity.”
Overall, strong cyber hygiene paired with a layered defense strategy will go a long way in helping healthcare organizations prepare for a potential ransomware attack, Scott concluded. No entity can definitively predict such incidents, but organizations can take critical steps to minimize their exposure and limit the infection.