Ransomware attacks on healthcare organizations are increasing and, unfortunately, they are also becoming far more costly.
Attacks are increasing in complexity and sophistication as well, and in many cases, common preventive controls just aren’t working, leaving healthcare providers and their business partners at increasing risk. Even with a strong security posture, there’s still a decent chance your organization can fall prey to an attack.
Why the uptick? Ransomware is a lucrative and growing business. Just like a healthcare organization looks for ways to be more efficient and scale to make more money, so do these bad actors. They’re always looking for new ways to infiltrate systems and make more money from ransom demands.
Today, you don’t even have to be tech savvy to get into the game. Ransomware-as-a-Service is available on the Dark Web. A novice can go out onto the Dark Web and purchase ransomware services with zero hacking or coding skills. It’s just further increasing both demand and attacks.
The reality is, as attack surfaces expand, assets increase in both volume and diversity, and attack vectors grow, managing preventive controls can be costly. On top of that, many healthcare organizations operate with small IT and InfoSec teams that are often overwhelmed chasing down vulnerabilities, patching systems, and tracking needed updates.
There is also an additional layer of complexity when it comes to employees as a potential attack pathway. Even with quality, consistent, routine education about the risks and what to do and not to do, attacks still get through.
Further, we’re seeing a growing number of healthcare providers misplacing their trust in their cybersecurity liability policies. A survey conducted by Sophos reveals that 20% of organizations’ cybersecurity insurance policies do not cover ransomware. And for those that do, we see increasing expenses for cyber liability coverage with deductibles that were once around $1 million, easily reaching as high as $5 million or more.
Of global ransomware incidents, 59% were in the U.S. health and public sector. Further, of those incidents, 72% of victims can confirm that there was data exfiltration and 34% had to pay the ransom to get their data back.
What may be startling for most organizations that fall prey to ransomware is just how quickly a successful malware infection can spread throughout an entire network. On average, 97% of ransomware infections take less than four hours, and some of the most malicious variants can take over an entire system in less than 45 minutes.
The increase in successful ransomware attacks demonstrates that even healthcare organizations with mature cybersecurity controls can be a potential victim. That’s why our response planning should now be more about what we need to already have in place when this happens, not a singular focus on what we can do to completely prevent an attack from happening.
Employee education and awareness remains among the top challenges for organizations combating ransomware impact. That’s because every single person in your organization who has Internet access or an email account is a potential vector of compromise.
Spam and phishing emails top the list of successful attack pathways, opening the door to some 67% of successful attacks, followed by:
- Lack of Security Training: 36%
- Weak Passwords: 30%
- Poor User Practices: 25%
- Malicious Websites: 16%
While we should adjust our response planning to focus on how we will respond to a successful ransomware breach, we shouldn’t overlook the important role preventative controls play in building a strong defense against potential attacks.
Here are some recommendations for how you can build protections against some of these most common attack paths.
- URL and file scanning and sandboxing. Spam filters. Spoofing prevention (DMARC, SPF, DKIM)
- Strong vulnerability management program
- Re-evaluate standards for the time allowed to patch critical vulnerabilities
- Implement a strong patch management process
- Ensure critical security updates are being deployed as quickly as possible
- Penetration Testing
  - If you’re not doing internal and external penetration tests, you’re leaving yourself open. In many healthcare organizations, critical and known vulnerabilities often go unmitigated for more than 90 days. Attackers are looking for those known exploits to get in and take over your systems.
- User Permissions
  - Conduct routine permissions reviews to eliminate excessive permissions and enforce least privilege
  - Ensure each employee has only the permissions they need to do their jobs
- Network Access Control
  - Technically prevent unauthorized systems from connecting to the network
- Application Management
  - Technically enforced application whitelists
    - Of note here: It’s no longer good enough to just not allow users to run executables because there are many applications downloaded straight from the Internet that don’t rely on that.
  - Conduct continuous scanning for unauthorized applications
  - Remove unapproved applications from your assets
- Multi-factor Authentication
  - Protect network resource access with two-factor or multi-factor authentication. If an attacker successfully steals credentials, you have another layer of protection before access is granted to your systems.
- Privileged Access Management
  - Require privileged users to go through a privileged access management (PAM) solution to gain administrative system access
- Endpoint Protection
  - Utilize endpoint security including static and behavioral detection, as well as immediate response actions (isolation, sandbox, rollback)
- User Training
  - Social engineering and phishing tests with retraining
Even with preventive controls in place like those listed above (and more), ransomware infections still happen. And when they do, you need to be aware of infection in real-time so you can take steps to stop the attack and prevent further infiltration.
Remember, your entire network can be compromised in as little as 45 minutes. Often, attackers get in unnoticed and sit and watch activity, then install additional malware that will thwart your attempts to stop lateral movement in your network.
Your detection strategies should focus on what you’ll do when you detect the attack coming and then how you can limit that damage.
Here are a few detection recommendations that may be beneficial for your organization:
- File Activity Monitoring
  - Large amounts of files renamed
  - Monitor for known file extensions
- Detection of Unknown Network Scanners
  - AngryIP, Advanced Port Scanner
- Detection of Specific Applications
  - Mimikatz, used to steal passwords and login details
- User Monitoring
  - Excessive user logins
  - Administrator account creation and activity
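The two file-activity signals listed above (bursts of renames and known file extensions) can be sketched as detection logic; this is an added example, not code from the original article. The thresholds, the extension watchlist, the event tuple format and the sample events are all constructed assumptions.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; none of these come from the article.
RENAME_THRESHOLD = 5                 # renames per user inside WINDOW
WINDOW = timedelta(seconds=60)
WATCHED_EXTENSIONS = {".locked", ".encrypted"}  # illustrative watchlist

# Constructed sample events: (ISO timestamp, user, old path, new path).
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "jdoe", "/share/notes.txt", "/share/notes-v2.txt"),
    ("2024-01-01T09:30:00", "jdoe", "/share/a.docx", "/share/b.docx"),
] + [
    (f"2024-01-01T10:00:{i * 5:02d}", "svc_scan",
     f"/share/chart{i}.pdf", f"/share/chart{i}.pdf.locked")
    for i in range(6)
]


def detect(events, threshold=RENAME_THRESHOLD, window=WINDOW,
           watched=WATCHED_EXTENSIONS):
    """Return alerts as (kind, user, detail) tuples in event order."""
    recent = defaultdict(deque)   # user -> rename timestamps inside the window
    bursting = set()              # users already alerted for the current burst
    seen_ext = set()              # (user, extension) pairs already alerted
    alerts = []
    for ts_text, user, old, new in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        old_ext = os.path.splitext(old)[1].lower()
        new_ext = os.path.splitext(new)[1].lower()
        # Signal 1: a file gains an extension that is on the watchlist.
        if (new_ext in watched and new_ext != old_ext
                and (user, new_ext) not in seen_ext):
            seen_ext.add((user, new_ext))
            alerts.append(("watched_extension", user, new_ext))
        # Signal 2: many renames by one user inside a sliding time window.
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in bursting:
            bursting.add(user)
            alerts.append(("rename_burst", user, ts_text))
        elif len(q) < threshold:
            bursting.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In practice the events would come from file-server audit logs or an endpoint agent, and each alert would feed the isolation step of the response plan.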
With the reality that your organization may experience a successful ransomware attack, it’s important that your response planning includes mitigation strategies to decrease impact.
Here are a few recommendations to help minimize potential ransomware damage:
Many organizations face the same problem: They don’t have an accurate asset inventory and they also don’t know where all of their sensitive data is, which systems have access, and which people it’s available to. Knowing where all of your sensitive data is and who/what can access it is a critical component of your security strategy. If you don’t know where that data is, you can’t be confident your controls are protecting it.
It’s also more than just knowing where the data lives. You also have to look at transmission and data at rest. Where does the data go as it moves from one application to another? Is it shared with a third-party vendor? Where is it and how is it handled there?
- You must know where your sensitive data is in order to provide reasonable and appropriate data protection
- Maps of sensitive data flows should include all of its paths, entry and exit points, and storage locations
- Include security devices and applications such as firewalls, routers, IDS/IPS
- Update the map whenever you add a new data flow or you change a security feature
If a ransomware attack is successful, you can assume the attackers will encrypt your data. Likewise, you can encrypt your own sensitive data at rest as an effective mitigation technique for security.
- Encrypting data-at-rest prevents hackers from accessing your data
- Although hackers may exfiltrate your data, they cannot release it
- You may still have to conduct a HIPAA Breach Notification Rule Risk Assessment, but properly encrypted exfiltrated data likely will not constitute a reportable breach per HHS guidance
- Encrypted data should enable you to restore data from backup without having to pay the ransom, if you have implemented a backup strategy (offline backups) that ransomware is not able to affect
- Network segmentation prevents the lateral movement of malicious software
- Segment your networks to protect your most sensitive data and assets
- Strictly control traffic (access lists, etc.) by only allowing the minimum required access
- Consider micro-segmentation to enable segmentation as far down as the process level
- Hackers use port-scanning tools to identify exposed RDP ports, and Remote Desktop Protocol (RDP) was the most common intrusion method in 2020
- Once identified, hackers will use brute-force tools or stolen credentials to access the target system
- When access is achieved, hackers may disable anti-virus, delete backups and deliver malicious payloads
- “3-2-1” data backup plan: three copies of your data, stored across two storage mediums/locations, with one copy at a cloud storage provider (if possible, choose geographically disparate locations for your backups)
- Ensure your offline backup is only connected when necessary and otherwise has physical separation from your network
- Offline backups should have a different authentication method than the network authentication
This is the single most important administrative-type control you can employ. While your overall incident response plan should be targeted to general threats, you should develop specific sub-plans that contemplate a ransomware attack.
- Test your incident response capability and update based on test results
- Testing should assume a hacker has encrypted and exfiltrated your most valuable data
- Include executive leadership in testing and training. They may be required to make decisions on response and recovery. They may have to make decisions around paying the ransom if controls have not been implemented to restore the affected data
Need help implementing and testing controls or building a mitigation or response strategy for your healthcare organization? Here are a few tips to get started:
- Align your controls to the cybersecurity lifecycle: identify, protect, detect, and respond.
- Conduct a ransomware assessment
- If you’re unsure how, Clearwater can help. As part of Clearwater’s assessment, our technical testing team will do an “assumed breach” test to assess the possibility of an attack as well as the likelihood of successful lateral movement within your network. Our team can also help with gathering information and making control and strategy recommendations about your existing anti-malware controls, email server configuration, and back-up processes.