Raising defenses against ransomware in healthcare

More than half a decade has passed since ransomware-wielding attackers started focusing on healthcare providers. Despite some initial misgivings about targeting life-saving organizations expressed by the denizens of cybercrime-oriented underground forums, the healthcare sector has, in the intervening years, become ransomware gangs’ target of choice.

Why healthcare organizations make good targets

It’s easy to see why: hospitals and other healthcare organizations need to access current information within patient records to provide care, so they are more likely to pay a ransom to avoid delays that could endanger lives. (And with the advent of COVID-19, quickly restoring systems and access to patients’ information has become even more important.)

There are, of course, other factors that play a role in the attackers’ preference for healthcare-related targets: the talent shortage for cybersecurity experts with healthcare expertise, the fact that most healthcare employees still don’t make cybersecurity a priority, the fact that many of the devices and technologies they use run on antiquated operating systems – to name just a few.

“A study done in 2020 by HIPAA Journal found 83% of IoT devices still ran legacy, unsupported operating systems such as Windows XP. This presents cyber adversaries with opportunities to exploit and compromise medical and health care organizations,” Jon DiMaggio, Chief Security Strategist at Analyst1, told Help Net Security.

But even when organizations are secure on that front, adversaries can always simply send phishing email after phishing email to healthcare employees, to steal information or deliver malware that can provide them with initial access.

There might come a time when cybersecurity becomes a (small) part of medical curriculums – in the meantime healthcare organizations can significantly lower the number of successful attacks with the proper defenses and training, DiMaggio notes.

How to make the attackers’ job difficult

Unfortunately, it often takes a major breach to occur before security is taken seriously. But with attacks against healthcare organizations constantly in the headlines, more and more organizations are working to improve their cybersecurity posture and more employees will hopefully accept the fact that they are part of their organization’s defensive line against cyber attacks.

“The reality is you cannot prevent all attacks. However, you can significantly reduce them and make the attackers’ job MUCH more difficult,” DiMaggio pointed out.

Organizations should avoid money-saving shortcuts that will provide them with a false sense of security and instead opt for adopting security best practices and defenses: restricting user access, segmenting networks, using endpoint detection and protection solutions, raising employees’ security awareness.

“Healthcare organizations must insist on vendors developing software required to function on up-to-date, supported operating systems. If an X-ray device runs on Windows XP, they should purchase them from a competitor whose equipment runs on a supported platform. Such a shift in the industry would force vendors to develop equipment based on security and not ease of access,” he noted.

Regularly hunting for cyberthreats inside the org’s systems and networks is also a good way to prevent ransomware attacks.

“Most enterprise ransomware attackers spend days and even weeks in a targeted organization’s environment. They use already present administrative and dual-use tools to ‘stage’ the environment, they enumerate devices on the network(s), escalate privileges and disable security defenses. Threat hunters can identify these malicious goings-on and foil the attack before crucial data is encrypted and held for ransom. Having trained threat hunters with the appropriate tools will increase the chances of success,” he opined.

The increased number of people working from home due to the pandemic have provided a larger attack surface for attackers, but there are some simple and cheap solutions that go a long way in protecting organizations, the end users and their data, he adds.

Two-factor authentication is one of the cheapest and efficient ways to drastically reduce risk of account theft due to phishing attacks. Regularly patching all public facing infrastructure and ensuring unnecessary ports and protocols are not left open and unsecured costs little and will make the attackers’ job more difficult.

“Make sure that administrative tools are removed and not available to users or on systems that do not require them. Almost all instances of ransomware attacks I have investigated involved the attacker using the legitimate administration tools like PowerShell, PSExec and similar,” he advised.

“Finally, if you do not need certain filetypes (e.g., .RAR, .EXE or .HLP), block them from being delivered via your email servers. These filetypes/extensions are often used by attackers to deliver malware via phishing emails. You can use these filetypes in your environment, but they don’t need to come into the environment via email.”

Sharing attack information should be customary

As ransomware gangs ramp up their targeting of all organizations, including those in the healthcare sector, and try out different approaches to get their hands on as much money as possible (e.g., combining ransom requests and blackmailing of users/patients, as in the Vastaamo attack and other attacks mounted by the Maze and Sodinokibi attackers), targeted organizations could help the rest of their industry by sharing threat information and details of the attack.

“Many groups and tools exist to share threat information. ISACs, or Information Sharing and Analysis Centers exist in almost every industry you can think of. The certainly exist for healthcare. These groups allow organizations, even direct competitors, to share details of breaches without repercussion. Sharing usually includes attack details such as threat indicators (malware hashes & samples, infrastructure, phishing attributes, etc.) with peer organizations that might be targeted by the same attackers,” Di Maggio noted, and said that organizations that fail to do that should be held accountable and fined.

“In the end, no harm is done to the sharing organization, especially when the breach is already public, but the benefits to the rest of the targeted industry can be great: peer healthcare organization could look for the activity on their network or be better prepared to identify the adversary should an attack be executed. It is a win-win scenario and is becoming a common business practice across industry verticals.”