The FBI and other government agencies last night issued an emergency alert warning U.S. healthcare providers of an imminent threat of ransomware attacks targeting these organizations to disrupt patient services.
The CISA/FBI alert is here: https://us-cert.cisa.gov/ncas/alerts/aa20-302a
Cyber-attacks against the healthcare sector, ranging from attacks on coronavirus drug makers to telehealth and IoT devices, have been making headlines as of late. This is largely because the attack surface is rapidly expanding due to business practices and trends of healthcare organizations. Acquisitions and consolidations create security gaps as entities work to unify their IT networks and applications. Smart medical devices and electronic record systems introduce new vulnerabilities and increase the attack surface. And of course, the rise of remote work has also increased the attack vector.
Advanced Ransomware Threats (ARTs) are the biggest concern of all. ARTs combine Advanced Persistent Threat (APT) techniques with ransomware techniques. Like an APT, sophisticated ransomware attackers target and navigate to carefully selected strategic assets on the network that hold business-critical information. Attackers then take those assets hostage using advanced evasive ransomware techniques, massively disrupting hospital operations and saying they will stop only in exchange for a very high fee. Organizations without proper ART-protection have no choice but to pay the fee to avoid further disruptions, loss of money, and worst off loss of life.
These threats are serious, but they are not insurmountable. To beat an attacker, you need to think like an attacker. When a security team thinks like an advanced attacker, it can know what the attacker is after and can focus on those assets. Every healthcare organization needs to be able to view the attack landscape, map attack pathways and know where the high-risk critical assets are, which will be fundamental for building a strategy for pre- and post-breach penetration.
IT security teams at healthcare organizations need to focus on active detection to minimize, or even prevent, damage from a ransomware attack. This should include the ability to detect lateral movements within the network. Deception technology is a category of security tools designed to detect attackers who are already in the network and prevent them from doing damage. It works by distributing deceptions that mimic genuine IT assets throughout the network. Instead of relying on traditional signatures, deception technology alerts are generated by real attacker movements within a network. The IT team will be able to see, in real time, any malicious lateral movement that is happening on the network and can mitigate the attack, protecting the computer systems that literally keep people alive.
The FBI\’s and DHS\’s hastily scheduled news conference warning U.S. hospitals and healthcare providers of imminent ransomware attacks from a determined Russian cybercrime gang is more than just a wake-up call for the entire healthcare industry – it is a call to action that must be taken seriously. Cybereason is well-versed in the Ryuk crime gang and their actions in previous years to deploy ransomware around the world. The Ryuk crime group has laid a path of destruction around the world, victimising companies in many industries stealing money and sensitive information.
\”When you compare the number of hospitals and health systems facing possible threats, the risk is many times greater than 2017\’s global WannaCry ransomware attack and the potential devastation is insurmountable. For hospitals, no more excuses; it\’s time to practice cyber hygiene alongside medical hygiene. Plan to be resilient so you can spring back from any damage. If healthcare computer networks are taken offline, patient care will be stalled and lives could literally be at stake. While no wide-scale ransomware attacks have thus far been confirmed, the potential risks are real as healthcare providers are part of the country\’s critical infrastructure. Cyber terrorists are raising the bar and the ability of healthcare providers to defend against these possible ransomware attacks could be a matter of life and death. Let me be clear that the FBI\’s and DHS\’s suggestions for hospitals to unplug their systems and not to open emails isn\’t a guarantee to protect critical systems and patient data, but it will certainly disrupt the ability to serve patients. The newest suggestions feel more like Y2K, only this time it\’s ransomware posing risks.
Hospitals are a global element of societal and economic critical infrastructure. As such, they should be secured to the extent possible to protect sensitive patient and/or hospital data. Network segmentation is an important, albeit complex, aspect of security that must be implemented in hospital systems in order to minimise their risk of a data breach. One major cybersecurity hurdle with medical devices in use in hospitals is that they have a very long lifespan—they were designed to last for many years. And while the software in use in these devices may have followed the best practices at the time they were designed and manufactured, they may be incredibly insecure now if they weren’t designed to be updated, or if they haven’t been maintained responsibly. Thus, leaving a window for potential attackers to access data on these devices, or to use them as an access point to the pivot within the network to access sensitive data elsewhere. If these devices don’t need to be connected to the internet for any business-critical reason, then ensure they’re not connected. And when there is concern, network segmentation based on potential risk should be considered.
The advisory from several government agencies warning of increased ransomware attacks on healthcare organizations during an ongoing public health crisis demonstrates that ransomware operators will stop at nothing to get their payouts. While some gangs previously announced they planned to pause attacks on healthcare providers during COVID-19, attacks like the one on UHS earlier this month prove they aren’t slowing down. This warning doesn’t come as a surprise – hitting industries like healthcare while they’re vulnerable is par for the course for cybercriminals. But, that doesn’t mean these organizations can’t fight back by implementing proactive data protection, business continuity, and disaster recovery protocols.
Given that healthcare organizations rely heavily on interconnected IoT devices that often can’t be fully secured with just traditional endpoint protection, it’s important to integrate cybersecurity protocols with backup and disaster recovery to make the process of thwarting attacks smoother. In line with the guidelines from the FBI, healthcare organizations should have a strong backup system to safeguard patient data – treating backups as critical IT infrastructure will help ensure they don’t become compromised and irrecoverable. With lives on the line, the importance of protecting critical healthcare data cannot be underestimated.
The reason these attackers are going after hospitals is because they’re easy money and easy to attack. Hospitals need to have these records and, even prior to COVID-19, hospitals are known to have issues with allocating budget for security staff and resources in order to help prevent and respond to data breaches like these.
Even if a hospital pays the ransom, that doesn’t necessarily mean that the attacker just hands over the key and then deletes it all on their end. Health profiles are worth a lot more than social security numbers, and attackers can turn that data around and sell it for a lot of money. So for attackers, getting health profiles is the cream of the crop – they’re gold.
I strongly believe that these types of attacks can all be avoided by just being more paranoid with emails, text messages, and phone calls. Every single person holds the key to opening the door for an attacker. And the one thing hospitals can do to help prevent these types of attacks is to simply train their staff. Realize that every single staff member needs to be on their guard at all times. Make training a priority – pretend you’re going through a breach. Make sure you run updates. Be running the latest firmware. Patch what needs to be patched, and know what to prioritize. Attackers don’t typically go after security personnel these days, they go after IT folks, admin staff, anybody that ever has access to any network within the hospital.
You can’t just be waiting for something to happen. You have to be proactive. If hospitals don’t have the staff to stay on top of this stuff, they just need to hire. They have the money – there’s really no excuse. It’s pandemic times – hospitals are absolutely targets and, at the end of the day, any funds put toward security is an investment by the hospital in its staff and its patients.