The Surge of Ransomware in Healthcare

“To Pay or Not to Pay” is the question

 Photo of a healthcare working in surgery room

Ransomware attacks have continued to plague healthcare providers during the past 12 months. Cyber criminals have realized healthcare institutions are soft targets given the sensitive nature of patient data and the dependence on IT systems to run clinical workflows. Just imagine not being able to access lab records in an emergency department, disrupting care for the critically ill, or doctors unable to provide a diagnosis due to compromised medical records. If a patient’s life is on the line, then paying the ransom might seem to be the best way out.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Allen Stefanek, the president of Hollywood Presbyterian Medical Center noted in a statement after they found themselves in this situation. “In the best interest of restoring normal operations, we did this.”

Ransomware has been around for years but it has never been so public nor profitable as it is now. The FBI finds that U.S. companies paid $25 million in ransom last year while more than $209 million have already been paid to cybercriminals in the first three months of 2016.

Unlike other types of malware that attempt to exfiltrate data, ransomware seeks to cause disruption by encrypting your valuable files and data or locking your system until the demands are met.  Since committing credit card fraud has become increasingly difficult – as banks and merchants place controls at each step to detect and prevent fraudulent transactions – ransomware, on the other hand, requires fewer steps and takes advantage of the urgency and panic it creates to force a payment. Additionally, the anonymity of the TOR Network (Dark web) and bitcoins provides a perfect getaway to successfully execute a ransomware attack.

A typical attack vector for ransomware:

More often than not ransomware starts with a phishing email or “spear phishing,” a more targeted approach to phishing that comes with even greater efficacy. How likely are you to click on an email that seems to be from your primary care provider with an attached lab report? Once you click the link, it opens up a spoofed website triggering a drive-by-download to install ransomware. Hackers will also execute ransomware through infected USB stick, exploiting vulnerabilities on unpatched software applications, or malvertisements.

Many traditional security controls often fail to detect ransomware, as they only look for unusual behavior and standard indicators of compromise. Once on the system, ransomware behaves like a security application and denies access to other systems and programs. It usually leaves the underlying files and systems unaffected and restricts access to the interface. In addition to traditional computing devices, mobile phones, medical devices, wearable devices and IoT sensors are also vulnerable. Last year, FDA and Department of Homeland Security issued a warning about a vulnerability in infusion pumps that could be exploited through a ransomware style attack.

Ransomware can also behave like an encryption program and silently run in the background encrypting specific file types like PDFs or Excel sheets. Followed by a ransom demand, the attacker will give a time limit after which the decryption key will allegedly be permanently destroyed. Once the ransom is paid, the decryption key is sent to the victim to recover the files. Some of the recent ransomware strains to hit healthcare organizations are Samsam, Maktub Locker, Locky, TeslaCrypt and WinPlock4. Based on figures for the first two months of the year, ransomware attacks are projected to increase by 250 percent in 2016.

How to protect against ransomware:

User training within healthcare organizations is paramount and the first step to safeguard against ransomware. Providers, clinicians and individuals working in the healthcare industry alike should treat any suspicious email with caution by checking for spelling mistakes, reviewing the signature and the legitimacy of the request, and hovering on links to check where they lead. If a URL seems suspicious, directly type the website address in a search browser or manually look it up on search engines, and deploy an email security solution that scans all attachments. Healthcare IT managers should also get involved by implementing periodic user training and risk assessments and conducting phishing vulnerability tests. Despite all the training, accidental mistakes still happen.  A key best practice around user identity management is to implement a role-based least privilege access model and contain the lateral spread of ransomware.

Successfully managing devices is also a crucial, yet potentially challenging step. Individuals within hospitals frequently interact using both personal and corporate computing devices. Managing these multiple devices requires taking into consideration the multiple form factors and operating systems introduced. These endpoints are particularly at risk if not managed or don’t have the right anti-malware protection. Most anti-virus solutions are signature-based and prove ineffective if not updated regularly. Many users also turn off their virus scans so that they don’t slow down the user’s system. To address these challenges and limitations, there are endpoint security solutions that use advanced machine learning and artificial intelligence to detect malware.

Mobile devices are particularly vulnerable as noted in the 2016 Dell Security Annual Threat Report with the emerging ransomware threats on the Andriod platform. Choosing a solution that is able to automate patching and version upgrades in a heterogeneous device, OS and application environment, will go a long way in addressing a range of cyber threats including ransomware.

Unfortunately for healthcare organizations targeted, most ransomware will try to spread from the endpoint to the server or storage where data and mission critical applications reside, segmenting the network and keeping critical applications and devices isolated. Having an enterprise firewall deployed within a healthcare organization that is able to scan all traffic, irrespective of file size, is critical. There is always a risk of downloading encrypted malware that is invisible to traditional firewalls; however, an enterprise firewall should be able to monitor both incoming and outgoing traffic, and block communication with blacklisted IP addresses as ransomware tries to establish contact with its command and control servers. Finally, as soon as a new malware variant is detected, the firewall should have an automated update and centralized management process to rollout updates quickly and consistently.

For remote users outside the healthcare organization’s enterprise firewall perimeter, VPN based access should not only establish a secure connection, but also conduct a level of device interrogation to check for policy compliance on the device. If a device does not have the required security updates then it will not be allowed on the network, or it will be granted access to only a limited set of resources.

After deploying a new electronic medical records (EMR) system, healthcare services company Green Clinic Health System needed to ensure critical systems and patient data was protected. The organization deployed an intrusion protection service, alerting IT staff if the firewall is attacked and supporting detailed reporting on potential security threats – while being HIPAA compliant. They also rolled out endpoint management solution to automatically push software updates and security patches. As new software vulnerabilities are discovered, it is critical to apply these patches quickly and consistently across all endpoints.

Another safeguard against having to pay ransom is a robust backup and recovery strategy. Depending on how quickly the compromise was detected, how far it spread and the level of data loss that is acceptable, recovery from a backup could be a viable option. This calls for a smarter backup strategy that is aligned to the criticality of your data and the needs of your organization. Recover the most critical data in the least amount of time, and periodically test disaster recovery and business continuity.

According to research conducted by Dell, mid-sized healthcare organizations are more concerned with adhering to compliance regulations than they are about protecting themselves against hackers. However, addressing the threat of ransomware needs to rapidly become a top priority for all healthcare organizations. There is legislation being discussed that will expand HITECH act to include breach notification requirements for ransomware attacks. This will place additional liability and financial burdens on providers to put remediation plans in place, so there is no time like the present to start protecting your organization’s information.

Learn more and download our ebook: How ransomware can hold your business hostage.

About the Author: Susmit Pal