Tips for protecting hospitals from ransomware as cyberattacks surge
One of the last things a healthcare CIO, CISO or CEO wants is to learn is that their organization has been victim to ransomware, like in the high-profile attacks that recently crippled Hollywood Presbyterian and MedStar Health.
The number of ransomware incidents in healthcare, however, is increasing as attackers shift their efforts away from the now well-defended finance and retail industries to the sitting duck that is healthcare.
“Ransomware has been an inconvenient truth for a while, a tried and tested dance where an attack is launched and the ransom is modest, just enough where many organizations pay it to make the problem go away,” said Ryan Witt, vice president and managing director of the healthcare industry practice at Fortinet, an information security technology vendor. “But demands for funds are soaring, and the problem is organizations are paying. Ransomware will get worse before it gets better.”
This story is part of a special reporting package on the increase of ransomware attacks against the backdrop of an evolving threat landscape. Articles include a look at the new cybersecurity era ushered in by organized criminals, hacktivists and nation-states; a chat with noted cybersecurity expert Richard Clarke about preparing for a large-scale cyberattack, and an attempt to answer the increasingly unavoidable question: Hackers have your data locked, should you really pay to get it back?
Look no further for proof than the stream of ransomware perpetrated against Hollywood Presbyterian, MedStar Health in Washington, D.C., King’s Daughters Health in Indiana, Methodist Hospital in Kentucky, and three Southern California hospitals owned by Prime Healthcare Services.
What’s more, the overall threat landscape is changing such that the concept of having an external perimeter is vanishing, according to Elliott Frantz, CEO of ethical hacking firm Virtue Security
“Organizations used to have an internal network and they could secure the outside of it to make sure an external hacker could not penetrate it,” Frantz said. “It’s easier than ever to gain access inside a hospital's network and compromise a device.”
That said, there are steps a hospital or health system can take to bolster its defenses against hackers and stop ransomware attacks in their tracks — and many of them are not terribly difficult.
Backup your data
It might seem that backing up data is a tactic so simplistic that it does not even merit mentioning. But cybersecurity experts’ answers to this question are emphatic and the very same: “Why do you think healthcare organizations pay the ransom?”
“You might think it seems so obvious, but look at the ransomware cases,” said Glen Whitley, director of the Georgia Center of Innovation for IT. “Ransomware is getting more brazen, and ransomware works when organizations do not backup their data and thus have no choice but to pay in order to get it back. Healthcare organizations must make sure they are routinely backing up their data. There are many cases where organizations simply have not backed up their data.”
Sometimes vendors that specialize in the process of backing up and safeguarding data can be of help, and know the ins and outs of helping an organization protect itself from cyberattacks like ransomware.
“In a recent case that made headlines, a hospital was hit by ransomware hackers who demanded $17,000 to restore access to data,” said Bill Carey, vice president of marketing at GoodSync, a backup and synchronization software vendor. “Real-time backup capabilities are essential in combating this type of ransomware attack because if the targeted data is backed up securely, the organization will maintain access to the critical information without having to pay a hacker to get their data back. That removes the motivation for hackers to conduct this type of attack.”
Keep a ‘gold image’ of systems and configurations
In addition to having data backed up, healthcare organizations can help protect themselves from ransomware attacks succeeding by essentially backing up their systems and configurations. This particular kind of backup is what many in information security and software circles call a “gold image.”
“Every healthcare organization needs some kind of strategy to quickly and effectively take care of ransomware issues, and one solution is to keep a data backup offline while maintaining a gold image,” said Adrian Sanabria, senior analyst, information security, at 451 Research, an information technology research and consulting firm. “A gold image is a term for essentially what an organization needs to get things back to normal, an image an organization can place back on systems to be back up and running very quickly. A backup will have all of your current data, while a gold image will reset things back to Day One.”
If a system requires data where said data changes from day to day, then an organization needs the combination of the offline data backup and the gold image, 451’s Sanabria emphasized.
Craft a plan for when systems get hijacked
While preparing to fend off ransomware attacks, healthcare organizations must know, in advance, what would happen if a ransomware attack breaks through defenses. In this way, organizations can prepared to manage a ransomware situation and potentially thwart the attack without having to pay any ransom.
“Healthcare organizations should have good risk assessments and business impact analyses, and should make a list of the systems that would put them in hot water if the systems stopped functioning,” Sanabria said. “There should be various tiers in a business impact analysis. Tier Zero, we are really screwed, we cannot function. And then up the tiers from there.”
Tier One would be systems an organization can afford to have down for an hour, Tier Two would be down for a day, and so on, Sanabria explained.
“A healthcare organization must have this list of systems and thus an understanding of how it would manage ransomware on any system,” he added. “If an organization cannot afford for a particular system to be down at all, it has to build for that. If a system can be down for an hour and the organization can reimage it and restore a backup in an hour, that’s different. This kind of planning for ransomware is key, especially because we see that the bad guys are very, very interested in hitting hospitals because hospitals have been paying the ransoms. That’s flies to honey.”
Work with well-equipped cybersecurity vendors
In the fight against cyberattacks like ransomware, a healthcare organization can do well to have not just internal experts such as chief security officers and information security professionals but to also have external teams of experts who are immersed in the subject.
“If organizations are enlisting the help of good cybersecurity companies and using the companies to help pay attention to the best security practices of the day, that is how they can combat the ransomware problem,” said Whitley of the Georgia Center of Innovation for IT. “You have to have solid cybersecurity partners. Even if you have a really good plan in place, it’s good to find a cybersecurity partner to help with analysis. Some organizations get two or more companies so they can get different views.”
David Finn, health IT officer at Symantec, said all of the provider organization executives he spoke with at the recent 2016 Annual HIMSS Conference and Exhibition told him they had noticed an uptick in the number of ransomware hits.
“We have the tools to catch these attacks nowadays, but you cannot do it with a single product, you need a multi-layer defense strategy – if your end-point protection doesn’t stop a ransomware hit, for example, then maybe your network protection will get it,” Finn said. “Maybe a ransomware hit comes in through a web gateway rather than an e-mail, or maybe through a jump-drive someone got from who knows where. You cannot just look at e-mail and say all the bad stuff is coming in this way, you have to have multi-layered products, correlate data from these products, and use that intelligence.”
A firewall log, an end-point log, a network log, and so on, together create security intelligence, which gives healthcare executives a holistic picture of “the patient,” who in this case is the organization, Finn said.
“It’s like population health for your data, looking at it from different perspectives and correlating it so you don’t just have data anymore but have real and useful information you can apply and put into operational control to prevent ransomware and other attacks,” Finn said.
Virtue Security’s Frantz added that healthcare organizations must also remember to protect against insider threats.
“Security needs to be built in throughout a network,” Frantz said. “We used to be OK trying to prevent an intrusion, but that is sort of no longer really possible."
Don’t forget to test plans
Backing up data, creating a gold image, having a tiered systems plan and finding expert vendors is all well and good, but the combination doesn’t amount to a hill of beans if it doesn’t work. That’s why it is crucial that healthcare organizations test their security plans before they rely on them.
“A lot of organizations make plans, but they never test them,” said Sanabria of 451 Research. “If you have any kind of recovery plan or are bringing in a new product, whatever you are doing, if you do not test with your employees and systems, you have no idea how it will all work – especially at the time of an attack when you don’t have time to fix anything in a plan or change a product that you’re locked into. This is especially true when considering ransomware. There is no point in having a recovery plan if you have not tested it.”
Last but not least: user education
A chain is only as strong as its weakest link. That old saw couldn’t be more true when it comes to protecting an organization from ransomware and other forms of malicious code. And cybersecurity experts say it merits repeating again and again. All it takes is one uneducated system user.
“We’ve found very little end-user training going on at healthcare providers, and security, at the end of the day, is really a people issue – a PC does not click on a phishing e-mail or visit bad web sites, that’s a person doing these things because they have not been properly trained and do not understand the risk and the issues,” Symantec’s Finn said.
Ransomware attacks typically occur when hackers send what looks like a routine e-mail with an attached file, such as a Word document, said Carey of GoodSync.
“An employee clicks on the file, which triggers an Enable Content bar,” Carey explained. “The employee clicks the bar, and then malicious software locks internal files with a password or key that only the cybercriminal has. So in addition to making sure data is backed up and that the latest malware and antivirus protection is deployed, organizations should hold periodic cyber safety trainings for employees.”
Carey added a very specific tip to the mix: Healthcare organizations should make certain to tell all employees never to use USB flash drives unless the drives are obtained from a trusted source.
“Department of Homeland Security officials recently conducted a test in which DHS staffers dropped computer disks and flash drives in government buildings and contractor parking lots to see how many would subsequently be used,” he said. "Sixty percent that were picked up were plugged into office computers, and the installation rate rose to 90 percent for disks and drives bearing an official logo. The test revealed a huge security vulnerability.”
User education has to be blanket in nature, covering everyone from the receptionist to the CEO – especially the C-level executives, cybersecurity experts said.
“Healthcare is waking up to this problem; the high profile nature of the cyberattacks that have occurred within the past year or so have made healthcare security a kitchen table sort of topic,” said Witt of Fortinet. “However, I still hear some denial out there, that these were very high-level breaches of major health plans or ransomware attacks of hospitals in Hollywood, and that we are a community hospital so therefore it will not happen to us.
"That makes me nervous because everybody within a health system should feel exposed and should be concerned about this threat," he said. "We’re not out of the woods yet, because people across the board do not embrace the seriousness of the threat.”