By Ilia Sotnikov, vice president of product management, Netwrix.
New warnings from the FBI report “an increased and imminent cybercrime threat” to U.S. hospitals and healthcare providers. Experts say the ransomware, called Ryuk, was seen at at least five U.S. hospitals in October. This isn’t unexpected.
In fact, recent research has found that one in three healthcare organizations experienced a ransomware attack during the past few months. This is the highest exposure across all industries surveyed, above education, finance and the public sector. It has disrupted patient care at up to 510 facilities.
So with cyberattacks in healthcare at their peak, it’s time to take heed. Particularly since ransomware in the healthcare sector not only impacts money and reputation, but also human health and lives. And with the current pandemic, healthcare organizations are more vital and fragile than ever.
Today’s healthcare strongly depends on IT; without access to health data and IT systems, doctors cannot treat patients or make decisions. Worse, if intensive care units and life-support devices, which are typically connected to the network, are blocked by ransomware, the lives of critically ill patients are put at risk. Such damage is incomparable to reputational and financial losses, but those still follow for healthcare organizations just as they do in other industries.
One of the common reasons why the healthcare industry is vulnerable to ransomware is its frequent use of legacy systems that hackers can easily exploit. Hospitals are made even more vulnerable to cybercrime by understaffed IT departments. This makes them prone to errors, particularly as they face additional pressure and the demand to support remote work due to the pandemic.
In fact, 39% of healthcare organizations suffered from admin mistakes during the past few months. Such mistakes might include improper configuration changes or failure to install updates in a timely manner, both of which result in vulnerabilities.
The sad reality is that any hospital might fall victim to ransomware. Therefore, it makes sense to prepare for the worst-case scenario, taking into consideration the shortage of resources that organizations in the health sector face. Here are five major areas to focus on:
- Replace legacy systems with modern cloud tools. Cloud services offer advanced security against external attackers and are easy to maintain. However, it is important that health organizations do not forget to address the cloud-specific security challenges that arise, such as insider threats, and that they take responsibility for securing their own network and data in the cloud.
- Regularly train employees. It is important that all staff know how to identify a malicious email and to whom to report a security incident. For that, training should be regular and relevant to the job function. If every physician is aware of the disastrous consequences ransomware can bring to the hospital and its patients, they will treat cyber security hygiene as seriously as hygiene in their everyday work.
- Enforce fundamental cyber security practices. Paying regular attention to the mundane practices, such as vulnerability management and patching, network segmentation, endpoint security, anti-malware technologies and email security, is the core prevention measure against ransomware. Another important task is to minimize the attack surface by limiting access to sensitive data, especially valuable patient data, and regularly revoking excessive privileges. For that, healthcare organizations need to identify what types of data they store and where it resides, and eliminate data overexposure. Automation makes these tasks achievable even for understaffed IT teams.
- Enhance detection capability. Enforcing auditing is an affordable yet efficient measure that enables an organization to react quickly to attacks such as ransomware, since they are accompanied by anomalies in user behavior. These include multiple logon attempts, mass file modifications, VPN logon attempts from unusual geographical locations and access attempts during non-working hours, or a combination of several. The IT team should be alerted about such anomalies and react immediately.
- Have an actionable remediation plan. Using reliable backups (preferably a combination of online and offline formats) is one of the most important defenses against ransomware. However, it is also important that a healthcare enterprise roll out a solid remediation plan that documents the processes, stages and roles for the entire process. It should cover the scenario in which sensitive data is made public, with all the necessary stages of notifying authorities, investigating the root cause and communicating with affected individuals.
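The detection item above lists the behavioral anomalies that typically accompany a ransomware incident: bursts of failed logons, mass file modifications, VPN logons from locations a user has never connected from, and activity outside working hours, or several of these together. The following is an added example, not code from the article or from Netwrix, showing how those four rules can be expressed over an audit trail and correlated per user so that a combination of hits raises an alert. The log format (`<ISO timestamp> <user> <kind> <detail>`), the thresholds, the sample events and the known-location baseline are all constructed for illustration; a real deployment would read events from the organization's audit logs and derive the baseline from historical data.

```python
"""Behavioral anomaly rules over a constructed audit trail (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str    # logon_fail | logon_ok | vpn_logon | file_modify
    detail: str  # country code for vpn_logon, path for file_modify, host otherwise


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO timestamp> <user> <kind> <detail>'."""
    ts, user, kind, detail = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), user, kind, detail)


def build_sample_lines() -> list:
    """Constructed sample audit trail: one normal weekday, then a suspicious night."""
    lines = [
        "2020-10-27T08:30:00 bob vpn_logon US",
        "2020-10-27T09:02:00 alice logon_ok WS-ALICE",
        "2020-10-27T10:15:00 alice file_modify /share/radiology/report1.docx",
        "2020-10-27T10:16:00 alice file_modify /share/radiology/report2.docx",
        "2020-10-27T14:40:00 bob logon_fail WS-BOB",
        "2020-10-27T14:40:30 bob logon_ok WS-BOB",
    ]
    # bob: six failed logons within six minutes at 02:10, then a success
    for i in range(6):
        lines.append(f"2020-10-28T02:1{i}:00 bob logon_fail WS-BOB")
    lines.append("2020-10-28T02:16:00 bob logon_ok WS-BOB")
    # "ZZ" is a placeholder country code, not a real location
    lines.append("2020-10-28T02:17:00 bob vpn_logon ZZ")
    # bob: 60 file modifications inside one minute, the mass-encryption pattern
    for i in range(60):
        lines.append(f"2020-10-28T02:18:{i:02d} bob file_modify /share/records/patient{i:03d}.pdf")
    return lines


def burst_users(events, kind, threshold, window):
    """Users with at least `threshold` events of `kind` inside any sliding time window."""
    per_user = defaultdict(list)
    for e in events:
        if e.kind == kind:
            per_user[e.user].append(e.ts)
    flagged = set()
    for user, stamps in per_user.items():
        stamps.sort()
        j = 0  # right edge of the window; only moves forward because stamps are sorted
        for i, start in enumerate(stamps):
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(user)
                break
    return flagged


def unusual_vpn_logons(events, baseline):
    """VPN logons from a country absent from the user's known-location baseline."""
    return [e for e in events
            if e.kind == "vpn_logon" and e.detail not in baseline.get(e.user, set())]


def off_hours_events(events, start_hour=7, end_hour=19):
    """Successful logons and file changes on weekends or outside working hours."""
    return [e for e in events
            if e.kind in ("logon_ok", "file_modify")
            and (e.ts.weekday() >= 5 or not start_hour <= e.ts.hour < end_hour)]


def correlate(events, baseline):
    """Map each user to the sorted list of anomaly rules their activity trips."""
    hits = defaultdict(set)
    for u in burst_users(events, "logon_fail", 5, timedelta(minutes=10)):
        hits[u].add("failed_logon_burst")
    for u in burst_users(events, "file_modify", 50, timedelta(minutes=5)):
        hits[u].add("mass_file_modification")
    for e in unusual_vpn_logons(events, baseline):
        hits[e.user].add("unusual_vpn_location")
    for e in off_hours_events(events):
        hits[e.user].add("off_hours_access")
    return {u: sorted(r) for u, r in hits.items()}


def alerts(events, baseline, min_rules=2):
    """Users tripping several independent rules: the combination that warrants immediate response."""
    return {u: r for u, r in correlate(events, baseline).items() if len(r) >= min_rules}


# Constructed baseline of countries each user normally connects from; in practice learned from history.
BASELINE = {"alice": {"US"}, "bob": {"US"}}

if __name__ == "__main__":
    evs = [parse_line(line) for line in build_sample_lines()]
    for user, rules in alerts(evs, BASELINE).items():
        print(f"ALERT {user}: {', '.join(rules)}")
```

Run as a script, it reports only `bob`, who trips all four rules, while `alice` produces no hits. Requiring two or more independent rules before alerting is what keeps a single off-hours logon by an on-call clinician from paging the IT team, while the combination the article describes still surfaces immediately.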
Security experts agree that paying the ransom is a poor practice. In fact, the majority of ransomware victims who pay do not get their files back, either because the attackers cheat them (and continue to withhold the promised keys) or because the hackers have implemented the encryption/decryption algorithms so poorly that the keys don’t work. Instead, it is important that healthcare organizations follow fundamental practices to avoid falling victim to the next widespread ransomware attack. Only then can we ensure the health and safety of patients as well as the technology used to deliver their care.