October is National Cyber Security Awareness Month, and one of the main themes for 2020 is Securing Internet-Connected Devices in Healthcare. Securing IT devices in healthcare is critical, as any system downtime can lead to deaths and degraded response to emergencies. One of the biggest cyber threats to healthcare organizations in recent years is ransomware, which can cause system-wide IT outages. These outages can take out internet-connected medical devices like CAT scanners and X-ray machines that are critical for diagnosing patients, as well as servers that hold medical records. Securing against ransomware is one of the most important aspects of cyber security for healthcare providers.
What is Ransomware?
Ransomware is a type of attack designed to infect and encrypt computer systems to hold them “ransom” until a payment is made. Once the ransom is paid, the ransomware operators will sometimes (but not always) provide a working decryption key to regain access to the system. These ransomware attacks can effectively shut down entire organizations until the systems can be decrypted, and often ransomware operators will take the ransomware payments and run, leaving organizations with unusable encrypted systems. Ransomware attacks are becoming increasingly sophisticated and will often utilize other malware like Emotet for the initial compromise and TrickBot to locate and deploy ransomware to critical systems.
Ransomware and Healthcare
The healthcare sector is especially susceptible to ransomware attacks because organizations cannot allow system downtime due to the risk of patient death, and they pay ransoms at a higher rate than other sectors. Some ransomware operators have stated that they will avoid attacking healthcare organizations in 2020 due to the COVID-19 crisis, but ransomware campaigns against healthcare targets continue to occur. The first documented case of a patient dying from a ransomware attack occurred in September 2020 in Germany, and in the same month Universal Health Services had a large portion of their network taken offline by a ransomware attack in one of the largest recorded attacks on a US healthcare network. Protecting healthcare IT environments from ransomware attacks is critical to ensuring patient safety and maintaining availability of essential services in healthcare facilities.
Protecting Healthcare Infrastructure from Ransomware Attacks
Mitigate Phishing Attacks
Phishing, sending fraudulent emails to execute malware or steal personal information, is the most common attack vector used in ransomware attacks. Training employees to never open links or files from untrusted sources and to identify and report phishing emails is a great first step to mitigating phishing attacks. Additionally, employing email scanning and filtering is an effective way to block phishing emails before they can get to an employee’s inbox. Deploying an endpoint security solution is a good way to identify and quarantine malware dropped by a phishing email before it can spread to other machines on a network.
Employ Robust Network Segmentation
Flat networks allow ransomware operators to move laterally extremely quickly and mostly uninhibited, so a robustly segmented network is crucial to containing a breach and inhibiting movement. Keep zero trust in mind when implementing access control between segments of the network so that each is granted only the least privilege it needs. Segmented networks can dramatically decrease the scope of a ransomware breach and can protect critical systems such as networked medical devices and medical records from attack.
Monitor Environment for Threats
Utilizing a Security Operations Center (SOC) is a great way to detect ransomware attacks before they can spread and deploy encryption to targets. Threat detection solutions such as SOCs can monitor a network and identify a malware campaign in real time, allowing for quick and decisive remediation before a ransomware attack can propagate and encrypt systems. SOC teams can augment traditional security controls and catch events that slip through the cracks of a firewall or automated IDS solution.
Implement Secure Backups
In the event of a ransomware attack, being able to quickly restore data from backups is critical to responding to an attack and getting systems back up. Restoring from backups is often the quickest (and cheapest) way to recover from a ransomware attack and allows an organization to completely bypass interacting with ransomware operators to get systems back online. Ransomware operators have recently been seeking out local backups to encrypt along with the original targets to knock out the ability to restore from backups, so backups should be stored off-site and adequately isolated. Test the backup and recovery process regularly to ensure that there will be a smooth recovery if an attack occurs. Backups are not useful if you are unable to recover data from them!
Protecting against ransomware is critical for any healthcare provider. Making sure that phishing attacks are mitigated, internal networks are robustly segmented, the environment is adequately monitored for threats, and backups are secured and ready to go are some of the best things you can do to prevent and mitigate ransomware attacks and protect patients. Looking for a risk assessment or a penetration test, or just want some advice? As your end-to-end security provider, NuHarbor is here to help!
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.