Hackers are changing their approach to healthcare ransomware attacks
Ransomware attacks continue to rock IT systems nationwide, proving that they’re a cybersecurity plague that’s here to stay.
In July, for instance, to choose just one extreme example, Louisiana Governor John Bel Edwards declared a state of emergency in response to ransomware attacks on three public school districts in the state.
When it comes to hackers’ ransomware targets, however, the healthcare industry is still perhaps the biggest. But while healthcare remains unchanged as a prime target, the way hackers are going about ransomware attacks is changing.
Organizations hamper hackers’ old approach
“Criminals previously relied on automated ransomware as an easy money-maker by setting a modest ransom fee, making paying up the quickest and easiest way to return to normality,” explained Tom Van de Wiele, principal security consultant, cybersecurity services, at F-Secure, which specializes in threat detection and response.
“However, following a number of high-profile automated ransomware attacks – such as the infamous WannaCry and NotPetya – many organizations have now implemented measures to either prevent or at least hamper automated ransomware attacks.”
On the other hand, some companies have continued to pay ransoms in a bid to restore their operations as quickly as possible – encouraging more criminals to use the technique.
“Most of the ransomware attacks we now see today are highly opportunistic in nature – the attackers will often focus on a particular group of companies or industry and carry out large-scale phishing and attack campaigns to gain access to the network, before taking a more targeted approach once they gain a foothold,” Van de Wiele explained. “From here, they can implant ransomware and take action to hinder recovery by deactivating security solutions and destroying backups.”
How to combat the hackers
The majority of victims F-Secure has investigated could have reduced the impact of being hit by ransomware with a combination of the right tools and basic security best practices, he contended.
Being equipped with sufficient email and gateway defenses will greatly reduce the chances of the initial phishing and attack campaigns succeeding, while strict controls around privileged accounts and remote access will help prevent attackers from establishing persistence inside the network and spreading the ransomware, he said.
"This does not mean resorting to fatalism and just doing the bare minimum while hoping for the best, but rather looking at the most common ways an attacker would target the organization and its interactions and raising the cost of attack for a cybercriminal."
Tom Van de Wiele, F-Secure
“And having a strong response strategy, including mitigating a spreading attack and ensuring back-ups are reliable and well-tested, will drastically reduce the impact of an attack,” he added.
Without these steps in place, ransomware victims will be forced to endure lengthy and costly downtimes as their security team restores functionality and combs through their systems to ensure the malicious files are properly removed, he said.
Ransomware in healthcare
Ransomware attacks aimed at the healthcare sector have been looming ever since computers were first used in the world of healthcare services. The first ransomware attack dates back to 1989. Called the “AIDS virus,” this computer virus was a deliberate attack aimed at doctors and people in the healthcare industry.
“What has changed over the years is that computers are more prevalent today compared to three decades ago, data is far more critical and payout is a lot easier for criminals with the rise of cryptocurrency,” Van de Wiele explained.
“Most medical equipment nowadays is running on native or embedded computers and medical data is stored digitally,” he said. “Healthcare sector CISOs and CIOs should be focusing on cybersecurity that goes beyond compliance and focuses on the actual threats aimed at gaining access to data or disrupting access to it.”
Unfortunately, most healthcare providers and industry players are still playing catch-up and usually do not have the budget or interest in doing anything beyond compliance. They then experience disastrous and crippling consequences when an attack occurs.
“This can result in permanent health damage, reputational damage for the individual or even loss of life,” Van de Wiele said.
“The reason for the current status quo is that the healthcare sector is up against trying to reduce the risk in a sector with a high amount of interactions and stakeholders, sensitive data, legacy software, regulatory compliance and, on top of that, trying to reduce the friction experienced in people’s daily work when suggesting and enforcing security measures in a way that does not negatively impact the organization’s culture. A tall order indeed.”
Attackers change their ways
The combination of the rise of the interconnected world of computers, the fact that most medical data is digital, and combined with the rise of cryptocurrency, has made attacks on the healthcare industry a common practice for cyber criminals.
“Cybercriminals have to make investments when performing large-scale attacks,” Van de Wiele said. “The wider they can cast their net and spread their ransomware, the more payout they receive. For most cybercriminals – such as individuals and organized crime – the initial approach was very opportunistic and was aimed at basically anyone vulnerable to their ways of getting the ransomware introduced to any computer system that was able to run it.”
Criminals have become a lot better at trying to maximize their profits and get as much return as possible from their investments. That means attacking computer systems where payout is almost guaranteed because of the sensitive nature or required availability of certain data.
“Knowing that the data is so vital to the organization and knowing that some medical institutions do not have nearly as much budget for focusing on cybersecurity, the pressure is a lot higher to get the data back at all cost,” Van de Wiele explained. “And that includes paying the criminals in cryptocurrency and hoping to get the data back.”
Medical data will always be valuable and attacks against the healthcare industry will only increase over time as medical data is used and shared over the internet, he added.
“Initiatives like HIPAA in the United States and GDPR in Europe help set basic requirements but managing and maintaining these or trying to go beyond them requires a lot of resources in the form of know-how, time and technology,” he said. “Resources that most CISOs and CIOs do not have at their disposal unless an incident occurs, after which it can already be too late for the people involved.”
What can healthcare provider CIOs and CISOs do
A ransomware attack will be successful at some point somewhere in the organization, Van de Wiele contended. For this reason, CIOs and CISOs should base their security strategy on an “assume breach” mentality, he advised.
“This does not mean resorting to fatalism and just doing the bare minimum while hoping for the best, but rather looking at the most common ways an attacker would target the organization and its interactions and raising the cost of attack for a cybercriminal,” he said.
The most important steps to take, Van de Wiele advised, can be broken down as follows:
- Step 1: You can’t protect what you don’t understand. This means first and foremost knowing where critical data is located, what interactions and dependencies exist, who can access what and from where, and to understand what data recovery capabilities the organization has versus the nature of the data.
- Step 2: Being able to detect abuse or anomalies on the network and within the context of an application’s ecosystem is the first step in making sure the organization knows what to do when an incident does occur and what priority the incident needs to receive. Knowing what data and interactions are at stake can be the linchpin between a major data leak or outage resulting in permanent damage or death, versus being able to appropriately respond to an attack and reduce its impact.
- Step 3: Last but not least, the process of detection, response and recovery needs to be regularly tested as table-top crisis management exercises, and combined with technical attack simulations to ensure that the process is still aligned with the requirements. Cybersecurity is and has always been a moving target and attacks only get better and cheaper.
As the healthcare sector will always be a target, being able to detect the most relevant attack scenarios against your organization buys you time to respond to them,” Van de Wiele concluded. “Based on this approach, finding out what works and what doesn’t is what makes your cybersecurity budget smarter and more realistic. It is what will ultimately increase an organization’s resilience against these kinds of attacks, and raise the cost of attack, forcing an attacker to go elsewhere.”