By Tracy Cohen, Information Security Engineer, Biopharma/Biotech Industry
Healthcare is the most targeted sector for data breaches, and ransomware attacks were responsible for almost 50% of all healthcare data breaches in 2020, according to the US Department of Health and Human Services Cyber Security Program 2021 Forecast.
While ransomware has been a favorite among attackers for years now, the rate of attacks continues to rise each year. The ransomware industry has displayed resilience and determination. Hacktivists and nation state actors are drawn to the disruption it can cause. Cybercriminals are drawn to the profits it can bring in, especially from public health records, which can sell for up to $1,000 each on the dark web. In a survey of healthcare IT workers by SOPHOS earlier this year, a third reported they had been hit by ransomware attacks. The bill paid by healthcare providers for a ransomware attack is staggering: the average cost – including the ransom, people time, downtime, equipment, and other impacts on business operations – is $1.27 million.
We can make some assumptions about the factors causing the steady increase in ransomware attacks: the emergence of “ransomware-as-a-service” platforms; the rapid inflation of cryptocurrency prices, a boon to attackers since bitcoin is used for most ransom payments; healthcare facilities that have been overburdened and distracted by the COVID-19 pandemic; and tensions between countries that have spurred a rise in cyber warfare and international crime.
We have seen ransomware strains come and go, only for new and improved versions to take their place. A major evolution in tactics observed over the past year is ransomware being used not only to encrypt data but also to exfiltrate it and hold it for ransom under the threat of leaking the information to the public. An example of this is the breach at Vastaamo, a major Finnish psychotherapy clinic, reported in October 2020. Patient files and therapy session notes were compromised, encrypted, and exfiltrated. Even after Vastaamo paid the ransom, the attackers shifted to contacting the patients directly and threatened to release their sensitive therapy data if they did not pay an additional ransom. Therapy session notes and personal data of many patients were leaked publicly, which was incredibly damaging to these victims.
The headlines from the past year have made it clear that ransomware is a major problem. But what can healthcare organizations do about it? There are four key best practices that should be followed to increase protection against ransomware significantly. Let’s explore:
Lay out a “who/what/when/where/why” for critical data
Do you know what your most sensitive data is, where it lives, and how your systems interact with it?
The first area to tackle to protect the organization against a ransomware attack is gaining a “who/what/when/where/why” understanding of its critical data. Start by identifying what types of data are critical, who can access them and when, where they are stored, sent to, and acquired from, and why they are accessed.
Next, develop a solid backup and recovery strategy for the critical data following the 3-2-1 rule for backups – three copies of the data, on two types of media, with one copy offsite for disaster recovery. With proper backups and disaster recovery planning, it is possible to recover from a ransomware attack that has encrypted all files. However, since malicious adversaries may also exfiltrate the organization’s data and leak it to the public, backups alone are not enough; it is a top priority to take steps to avoid being infected in the first place.
The most common initial access and infection methods for ransomware are compromised credentials and malicious emails carrying ransomware. Credentials are typically compromised through phishing emails or brute force attacks, so the first thing to do is secure all accounts. Strong password policies, multi-factor authentication, and credential monitoring are three critical controls to implement to ensure user accounts remain secure. Once these protections are in place, it is time to switch gears and look at vulnerabilities in the human element.
User training is immensely valuable in combating phishing and credential harvesting, and thus essential in protecting against ransomware. An effective security awareness program trains users to do the following:
● Recognize the red flags of a phishing email;
● Look for login pages that are secure and legitimate;
● Use caution when opening attachments or downloading files from external (and internal) sources;
● Handle sensitive company/personal data with care; and
● Always follow all security policies and procedures.
Many organizations do the bare minimum for user training just to check a box for an audit, but it is important to take this training opportunity seriously. Employees are the front lines of an organization’s security posture. You can build a fortress, but if someone is going to just open the door and let the enemy in, your efforts are futile.
The Two Es: Email and Endpoints
Email filters grow more intelligent every year. Next-gen filtering can examine email content and context to draw conclusions well beyond the capabilities of older static scanners. Bolstering email filtering lowers the risk that malicious emails reach end-users in the first place.
Endpoint protections are improving at a rapid rate as well. The introduction of dedicated ransomware protections and machine learning intelligence in the newest antivirus/endpoint detection and response platforms has proven greatly effective against even unknown ransomware strains. Detecting the behavior of ransomware (mass file modification and renaming, for example) instead of just its static signatures gives organizations an advantage over malicious actors who have learned to bypass more traditional protections. Endpoint- and network-based data loss prevention (DLP) solutions can also effectively prevent sensitive data from being exfiltrated outside the corporate environment. They should be considered once the more basic controls are established and tuned.
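The behavioral approach described above, as an added illustration that is not part of the article: a small Python detector that flags a process touching an unusual number of files within a short window and reports the extension its renames converge on, which is the kind of signal a static signature cannot provide. The event log, process names, and thresholds are constructed for the example.

```python
"""Behavior-based ransomware detection over endpoint file-activity events.
Added example: the events, process names and thresholds below are constructed,
not real telemetry or a vendor's implementation."""
import os
from collections import Counter, defaultdict, deque

# Constructed events: (time_ms, process, operation, path)
SAMPLE_EVENTS = [
    (0, "winword.exe", "modify", r"C:\Users\ana\Documents\report.docx"),
    (4000, "winword.exe", "modify", r"C:\Users\ana\Documents\report.docx"),
] + [
    # one process renaming 40 patient files to a single new extension in 4 seconds
    (10000 + i * 100, "unknown.exe", "rename", rf"C:\Shares\Patients\record{i}.pdf.locked")
    for i in range(40)
]


def detect_mass_modification(events, window_ms=5000, threshold=25):
    """Map process -> time of first alert, for processes whose modify/rename/delete
    count inside any sliding window of window_ms milliseconds reaches threshold."""
    alerts, recent = {}, defaultdict(deque)
    for ts, proc, op, _path in sorted(events):
        if op not in ("modify", "rename", "delete"):
            continue
        q = recent[proc]
        q.append(ts)
        while ts - q[0] > window_ms:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and proc not in alerts:
            alerts[proc] = ts
    return alerts


def dominant_new_extension(events, proc):
    """(extension, share) of the most common target extension among proc's renames;
    a share near 1.0 means every renamed file converged on one new extension."""
    counts = Counter(os.path.splitext(p)[1].lower()
                     for _ts, pr, op, p in events if pr == proc and op == "rename")
    if not counts:
        return None, 0.0
    ext, n = counts.most_common(1)[0]
    return ext, n / sum(counts.values())


def triage(events):
    """Combine both signals into alert records an analyst could act on."""
    return [{"process": proc, "first_seen_ms": ts,
             "new_extension": dominant_new_extension(events, proc)[0],
             "extension_share": dominant_new_extension(events, proc)[1]}
            for proc, ts in detect_mass_modification(events).items()]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The normal document-editing process never reaches the threshold, while the renaming process is flagged after its 25th event and every rename is shown to end in the same new extension.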
The Criticality of Patching
Organizations must patch, patch, and patch again. Although system and software exploits are not the most common avenue of ransomware infection, healthcare organizations should not slack on protecting against them. Always keep all user systems, servers, firewalls, and security controls up to date with the newest security patches, threat signatures, and the like. Organizations may not always face the most sophisticated threats; sometimes the defense is as simple as remediating a vulnerability with a quick update or deploying up-to-date signatures to the antivirus solution or firewall.
Make the company a target not worth the effort
Defense-in-depth is best when it comes to protecting against any cyberattack. Malicious actors are bound to find a way around most roadblocks eventually. Still, with enough layers and intelligence in an organization’s security controls, the company can effectively become too difficult to target.
If you feel you are properly protected, test it. Perform penetration tests or attack simulations. Really get in there and test these controls in real time. You will find there is always room for improvement. Attackers will continue to evolve to evade and compromise us, we will continue to evolve to stop them, and no company wants to be the next story on the six o’clock news.
By deploying these best practices, continuously testing and improving them, and tuning in to threat intelligence feeds to stay ahead of the curve, healthcare organizations can be significantly more prepared to face a ransomware attack.
About the Author
Tracy Cohen is an information security engineer working in the biopharma/biotech industry with special interests in incident response, security optimization, and threat actor behavior. She enjoys the thrill of keeping up with the constantly evolving cybersecurity world, and when she’s not at work she gets her thrills as a licensed skydiver.