Cyberattacks that involve ransomware are now at their peak. In fact, a recent study has found a 715% year-on-year increase in detected (and blocked) ransomware attacks. While such attacks can damage any organisation regardless of its size or industry, for the healthcare sector they can be especially critical. For healthcare organisations, ransomware affects not only money and reputation but also human health and lives, which, during the current pandemic, means health organisations are more vital and more fragile than ever. The recent Netwrix 2020 Cyber Threats Report noted that one in three healthcare organisations experienced a ransomware attack during the past few months, the highest result among all industries surveyed, above education, finance and the public sector.
Indeed, a ransomware attack can be a real disaster for any healthcare organisation. Today’s healthcare depends heavily on IT; without access to health data and IT systems, doctors cannot make decisions or treat patients. Worse, if intensive care units and life-support devices, which are typically connected to the network, are blocked by ransomware, the lives of critically ill patients are put at risk. Such damage is incomparable to losses of reputation and money, which nonetheless still follow for healthcare organisations just as for any other.
One of the most common reasons the healthcare industry is vulnerable to ransomware is that a large share of hospitals in Europe run vast numbers of legacy systems that can be easily exploited by attackers. For example, in the UK, only one NHS trust was considered truly secure according to the recent National Audit Office (NAO) report. Experts say the NHS faces the challenge of upgrading hardware that still relies on legacy operating systems such as Windows XP, or on software that is no longer maintained. In France, healthcare organisations also suffer from legacy systems; even though the country’s Regional Hospital Grouping initiative was supposed to enhance cyber security across the sector, experts say that in reality the purchase and implementation of security tools depend on local budgets and lack governance.
What makes hospitals even more vulnerable to cyber criminals is that their IT departments are understaffed and prone to errors, as they face additional pressure and have to support remote work due to the pandemic. In fact, a recent Netwrix study showed that 39% of healthcare organisations suffered from admin mistakes during the past few months. Such mistakes include improper configuration changes or failure to install updates in a timely manner, both of which result in exploitable vulnerabilities. For example, the infamous ransomware attack on a Düsseldorf hospital was the result of a vulnerability in a VPN appliance.
In this situation, the sad reality is that any hospital might fall victim to ransomware. It therefore makes sense to prepare for the worst-case scenario while taking into account the shortage of resources that organisations in this sector face. Here are five major areas to focus on:
1. Replacing legacy systems with modern cloud tools.
Cloud services offer advanced security against external attackers and are easy to maintain. However, organisations must not forget to address cloud-specific security challenges such as insider threats, and must accept their share of the responsibility for securing their network and data in the cloud.
2. Regularly training employees.
It is important that all staff know how to identify a malicious email and whom to report a security incident to. For that, training should be regular and relevant to each job function. If every physician is aware of the disastrous consequences ransomware can bring to the hospital and its patients, they will treat cyber security hygiene as seriously as the hygiene practices of their everyday job.
3. Enforcing fundamental cyber security practices.
Paying regular attention to the mundane practices, such as vulnerability management and patching, network segmentation, endpoint security, anti-malware technologies and email security, is the core prevention measure against ransomware. Another important task is to minimise the attack surface by limiting access to sensitive data, especially valuable patient data, and by regularly revoking excessive privileges. For that, an organisation needs to identify what types of data it stores and where the data resides, and then eliminate data overexposure. Automation makes these tasks achievable even for understaffed IT teams.
4. Enhancing detection capability.
Auditing is an affordable yet effective measure that enables an organisation to react quickly to attacks such as ransomware, because such attacks are accompanied by anomalies in user behaviour. These include multiple logon attempts, mass file modifications, VPN logon attempts from unusual geographic locations, access attempts outside working hours, or a combination of these. IT teams should be alerted to such anomalies and react immediately.
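As an added illustration (not code from the original article or from Netwrix), the following Python sketch runs three of the anomaly checks just described over a constructed audit log: a burst of failed logons per user, a burst of file modifications per user, and any access outside working hours. The log format, thresholds, user names and working-hours window are all assumptions chosen for the example; a real deployment would tune them to the organisation's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WORK_START, WORK_END = 7, 19       # assumed working hours; access outside is flagged
WINDOW = timedelta(minutes=5)      # sliding window used for burst detection
FAILED_LOGON_MAX = 3               # more failed logons than this per user in WINDOW -> alert
FILE_MODIFY_MAX = 10               # more file modifications than this per user in WINDOW -> alert

def parse(line):
    """Assumed log format: '<ISO timestamp> <user> <action> <target>'."""
    ts, user, action, target = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, target

def burst(times, limit, window):
    """True if more than `limit` timestamps fall inside any span of length `window`."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        if end - start + 1 > limit:
            return True
    return False

def detect(lines):
    """Return a set of (user, alert_type) pairs for the anomalies found in `lines`."""
    per_user = defaultdict(lambda: defaultdict(list))   # user -> action -> [timestamps]
    alerts = set()
    for line in lines:
        ts, user, action, _target = parse(line)
        per_user[user][action].append(ts)
        if not WORK_START <= ts.hour < WORK_END:
            alerts.add((user, "off_hours_access"))
    for user, actions in per_user.items():
        if burst(actions["LOGON_FAIL"], FAILED_LOGON_MAX, WINDOW):
            alerts.add((user, "failed_logon_burst"))
        if burst(actions["FILE_MODIFY"], FILE_MODIFY_MAX, WINDOW):
            alerts.add((user, "mass_file_modification"))
    return alerts

# Constructed sample log (not real hospital data): one normal edit, a 15-file
# modification burst by a service account, 4 failed logons, and a 23:00 export read.
BASE = datetime(2020, 10, 1, 10, 0)
def event(offset_s, user, action, target):
    return f"{(BASE + timedelta(seconds=offset_s)).isoformat()} {user} {action} {target}"

SAMPLE_LOG = (
    [event(0, "drlee", "FILE_MODIFY", "ehr/notes/p1001.txt")]
    + [event(i * 2, "svc-backup", "FILE_MODIFY", f"share/patients/rec{i}.pdf") for i in range(15)]
    + [event(i * 10, "jdoe", "LOGON_FAIL", "ws-ward3") for i in range(4)]
    + [event(13 * 3600, "nadmin", "FILE_READ", "ehr/export/all.csv")]
)

if __name__ == "__main__":
    for user, kind in sorted(detect(SAMPLE_LOG)):
        print(f"ALERT {kind}: {user}")
```

Geolocation of VPN logons is deliberately left out because it needs an IP-to-location source; it would plug into `detect` as a fourth check on a per-user set of observed countries.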
5. Having an actionable remediation plan at hand.
Using reliable backups (preferably a combination of online and offline formats) is one of the most important defences against ransomware, if not the most important. However, an organisation must also roll out a solid remediation plan that documents the processes, stages and roles for the entire response. It should cover the scenario in which sensitive data is made public, with all the necessary stages of notifying authorities, investigating the root cause and communicating with affected individuals.
Security experts agree that paying the ransom is poor practice. In fact, the majority of ransomware victims who pay do not get their files back, either because the attackers cheat them and do not hand over the promised keys, or because the attackers have implemented the encryption and decryption routines so poorly that the keys do not work. Instead, healthcare organisations should follow the fundamental practices outlined above, as this will help them avoid falling victim to the next widespread ransomware attack.
By Ilia Sotnikov, VP of Product Management at Netwrix