Healthcare organizations have not been immune to the plague of ransomware. In 2019 alone, scores of hospitals and health systems were infected with ransomware, with a combined estimated cost of $4 billion. While already an alarming number, this only accounts for the monetary losses predicted in the wake of these outbreaks, not the damage to reputation, stress on the workforce, and the residual effects of working through a ransomware event.
2020 has been even worse for ransomware in healthcare organizations. In September, a patient died because of a ransomware attack. When the Dusseldorf University Hospital in Germany suffered a ransomware attack, a patient had to be rerouted to a different hospital 20 miles away. While fatalities have always been a concern with ransomware attacks, this is the first example of one occurring. Also in September, Universal Health Services (UHS) shut down systems at their facilities due to a ransomware outbreak. Providers found themselves unable to look up patients’ records or call up imaging scans, and radiologists had to interpret scans in the imaging booth. University Health Care’s IT team advised staff that they might not have access to systems for several days. In March, the publication Bleeping Computer reached out to those who operate several strains of ransomware, asking them to commit to not attacking hospitals or healthcare facilities during the pandemic. Many agreed or indicated that they never targeted hospitals. However, this cease-fire only lasted until the pandemic started to stabilize, as seen with the attacks in Germany and on UHS.
In response to the increase in ransomware campaigns and the true costs of such an incident, the healthcare industry has worked with an increased focus on preventing these events before they happen, mitigating the impacts of an incident, and decreasing the time to recovery after an incident.
How Hospitals and Healthcare Organizations Are Protecting Their Data
Endpoint Detection & Response
At the base level of hardening their defenses, many organizations within the healthcare industry have shifted from protecting their devices with a traditional anti-virus, which looks for known bad files, to an endpoint detection and response (EDR) system. While EDR can and will block known malware, it also analyzes the activity on your machine for signs of zero-day infections and file-less attacks. To specifically detect ransomware, EDR analyzes applications and flags one if it is encrypting files that it should not, or if it is using a foreign encryption method. Once this is detected, it can stop the process before an entire system is compromised.
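The behavioral check described above can be sketched as follows. This is an added example, not code from any EDR product: it flags a process that writes encrypted-looking (high-entropy) data to several distinct files in a short window, and the thresholds, process names and file events are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.5   # assumed cut-off (bits per byte) for "looks encrypted"
FILE_THRESHOLD = 3        # assumed: distinct files rewritten inside the window
WINDOW_SECONDS = 10       # assumed sliding window


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def flag_processes(events):
    """events: (timestamp, process, path, bytes_written), sorted by time.
    Returns processes that wrote high-entropy data to FILE_THRESHOLD or more
    distinct files within WINDOW_SECONDS; an EDR would stop these processes."""
    recent = defaultdict(list)  # process -> [(timestamp, path)] of suspicious writes
    flagged = set()
    for ts, proc, path, data in events:
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            continue
        writes = [(t, p) for t, p in recent[proc] if ts - t <= WINDOW_SECONDS]
        writes.append((ts, path))
        recent[proc] = writes
        if len({p for _, p in writes}) >= FILE_THRESHOLD:
            flagged.add(proc)
    return flagged


# Constructed sample data: uniform bytes stand in for ciphertext.
CIPHER_LIKE = bytes(range(256)) * 4
PLAIN = b"Patient discharge summary, ward 3. " * 30
SAMPLE_EVENTS = [
    (0, "winword.exe", "notes.docx", PLAIN),
    (1, "backup.exe", "nightly.zip", CIPHER_LIKE),  # one archive: not flagged
    (2, "unknown.exe", "scan1.dcm", CIPHER_LIKE),
    (3, "unknown.exe", "scan2.dcm", CIPHER_LIKE),
    (4, "unknown.exe", "chart.pdf", CIPHER_LIKE),
]
```

Compressed data is also high-entropy, which is why the sketch requires several distinct files per process before flagging rather than a single high-entropy write.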
Subnetting & Air Gapping
Some hospitals are utilizing a combination of subnetting and air gapping their networks. By dividing their networks into smaller systems and not allowing all networks to communicate with each other, the hospitals minimize the attack surface that can be exploited. This way, if an administrative system is compromised, it can be contained strictly to that subnet or network, blocking it from spilling over into the network used for treating patients.
While preventing an attack is always preferable, many organizations have looked for ways to reduce their mean time to recovery (MTTR). With the proliferation of ransomware and ransomware-as-a-service (RaaS), there is no indication that ransomware is going away any time soon. Not having access to files and systems is a critical situation in any organization, but in an environment where patient information is stored digitally, it is imperative to get systems back up and running in as little time as possible. To reduce their MTTR, many in the healthcare industry have been leveraging cloud solutions for additional backup peace of mind and have been testing their incident response plans with regular simulations.
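Segmentation only contains an incident if the rules between subnets match the intent. The following added example (not from the original article) audits a first-match rule list for paths between zones that were never intended; the zone names, address ranges and rules are constructed assumptions.

```python
import ipaddress
from itertools import permutations

# Constructed zones; not taken from any real hospital network.
ZONES = {
    "admin": ipaddress.ip_network("10.10.0.0/24"),
    "clinical": ipaddress.ip_network("10.20.0.0/24"),
    "imaging": ipaddress.ip_network("10.30.0.0/24"),
}
# (action, source, destination); first match wins, unmatched traffic is denied.
RULES = [
    ("deny", "10.10.0.0/24", "10.20.0.0/24"),   # admin -> clinical blocked
    ("allow", "10.20.0.0/24", "10.30.0.0/24"),  # clinical -> imaging intended
    ("allow", "10.0.0.0/8", "10.30.0.0/24"),    # too broad: admin matches as well
]
INTENDED = {("clinical", "imaging")}  # the only cross-zone path the design wants


def verdict(src, dst, rules):
    """Decision for traffic from one whole zone to another."""
    for action, rule_src, rule_dst in rules:
        if src.subnet_of(ipaddress.ip_network(rule_src)) and \
           dst.subnet_of(ipaddress.ip_network(rule_dst)):
            return action
    return "deny"


def unintended_paths(zones, rules, intended):
    """Zone pairs the rules allow although the design does not call for them."""
    allowed = {
        (s, d)
        for s, d in permutations(zones, 2)
        if verdict(zones[s], zones[d], rules) == "allow"
    }
    return sorted(allowed - intended)
```

With the constructed rules above, the audit reports the admin to imaging path opened by the broad `10.0.0.0/8` rule, which is the kind of spill-over route segmentation is meant to close.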
Actions to Take NOW
When evaluating your organization’s defenses for ransomware hardiness, there are a few checkpoints that can help to lower your threat surface substantially.
- Ransomware often uses Word and Excel documents with macros, executable files, and zipped folders to deliver the malicious payload. By blocking these file and folder types from being sent via email, you will greatly reduce the threat of ransomware delivered by email.
- Utilizing EDR software that monitors for behavior as well as signatures helps to bolster your defenses if email filtering has a shortcoming and ransomware does infect a system. The ability of your EDR to shut down processes when malicious behavior is detected is invaluable.
- The single most valuable thing you can do to protect your organization from ransomware is to build a robust employee awareness training program. Your human firewall is the last line of defense between your organization and a cyber incident. By teaching your users how to identify malicious emails, links, and downloads you strengthen the weakest link in your cybersecurity chain. Regular phishing simulations, presentations, and reminders of how to report phishing messages give your users the tools and knowledge necessary to not fall for phishing attacks that often lead to ransomware.
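For the first checkpoint above, a filter that only looks at file names misses renamed attachments. This added example (not from the original article) classifies attachments by content using Python's standard library; the category names and the sample message are constructed assumptions, and legacy binary .doc/.xls files are outside its scope.

```python
import io
import zipfile
from email.message import EmailMessage

BLOCKED = {"executable", "office-macro", "zip-archive"}


def classify(data: bytes) -> str:
    """Classify attachment content by what it is, not by its file name."""
    if data[:2] == b"MZ":                      # Windows executable header
        return "executable"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        if any(n.endswith("vbaProject.bin") for n in names):
            return "office-macro"              # Word/Excel file carrying VBA
        if "[Content_Types].xml" in names:
            return "office-no-macro"           # ordinary .docx/.xlsx
        return "zip-archive"
    return "other"


def blocked_attachments(msg: EmailMessage):
    """Return (filename, reason) for every attachment the policy rejects."""
    hits = []
    for part in msg.iter_attachments():
        kind = classify(part.get_payload(decode=True) or b"")
        if kind in BLOCKED:
            hits.append((part.get_filename(), kind))
    return hits


def _zip(files):
    """Build an in-memory ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def sample_message():
    """Constructed test message: one clean document, three policy violations."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    docx = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<doc/>"}
    samples = {"report.docx": _zip(docx),
               "invoice.docx": _zip({**docx, "word/vbaProject.bin": "x"}),
               "photo.jpg": b"MZ" + b"\x00" * 62,
               "files.zip": _zip({"a.txt": "hello"})}
    for name, data in samples.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg
```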
A cooperative approach with your user base helps to instill a culture of collaboration and understanding that cybersecurity is a shared responsibility. We understand that as a healthcare provider, your number one priority is patient care. Partnering with a healthcare IT provider like Corsica Technologies helps you focus on that goal by guiding you to the best path forward. Our number one priority is ensuring that your systems are protected and reducing the risk of your organization becoming a news headline for a ransomware attack. If you are interested in learning more about our services and how we can help protect your workforce, you can read more here or schedule a call with one of our security professionals.