In recent weeks we've seen threat actors stepping up ransomware attacks against hospitals at a moment when saving lives is their most important focus. To keep critical care operating uninterrupted, it’s become more important than ever for hospitals to harden their environment with ransomware prevention. Without secure infrastructure, treatments and surgeries can and do grind to a halt. The operators of the Ryuk ransomware, for example, targeted 10 healthcare organizations over the course of the past month and are continuing to attack and encrypt data at healthcare organizations, according to Bleeping Computer.
That Ryuk’s operators continue to launch attacks during the global COVID-19 pandemic, when healthcare organizations are already stretched near to the breaking point, illustrates how much of a target hospitals are for ransomware. It also makes it even more critical that hospitals focus on ransomware prevention; with a global pandemic upon us, front-line medical workers need tight cybersecurity so that they can focus on saving lives.
There are a few ways that hospitals can secure their critical infrastructure during these trying times, but first it’s important to understand why hospitals make such an attractive target for threat actors.
Hospitals are arguably one of the most attractive targets for ransomware attacks. The reason is two-fold: electronic medical records can fetch upwards of $1,000 on the black market, and hospitals have tended to lag their peers in technology adoption. Taken together, these two factors make malware attacks extremely common in healthcare.
Hospitals experience cyberattacks so often, according to the 2019 HIMSS Cybersecurity Survey, that 82 percent of hospitals experienced a significant security incident in the last twelve months. A “significant incident” could have been trojans focused on credential theft, a ransomware attack, or a malicious insider taking proprietary information.
Electronic medical records garner such a high black-market price largely because they’re immutable. If a hacker breaches a financial institution and steals credit card data, consumers can easily request a new card number and cancel the stolen one. In fact, there’s an entire response structure around financial data breaches to ensure consumers don’t suffer any ill effects.
Hospitals lack that capability because the protected health information they store cannot be altered. It follows consumers no matter where they go, which means that a hacker leveraging a ransomware attack can potentially blackmail individuals for life, according to some experts. Moreover, HIPAA rules are among the strictest in the nation when it comes to data breaches and privacy; ransomware attacks need to be reported as if they were a data breach, even if there’s no indication that data was extracted from the system.
Securing hospital data from ransomware attacks has a reputational dimension as well. In the 2020 Consumer Healthcare Threat Index, Morphisec found that 57 percent of consumers would consider changing their healthcare provider depending on how a breach was handled.
The data richness and slow pace of technology adoption have combined to create a perfect storm around hospitals, making them one of the most attractive ransomware targets and among the least prepared to repel such a threat. They also face additional challenges, including budget, a skills shortage, and a large attack surface from the sheer amount of technology within the average hospital.
Hospital technology budgets have historically gone toward fixed-function medical devices such as CT scanners and MRI machines. As medical technologies increasingly go digital alongside the transition to electronic medical records, it becomes more and more critical to invest in ransomware prevention and other cybersecurity measures to ensure that EMRs remain secure and doctors and nurses can focus on saving lives. Hospitals have started to understand this as well, and 45 percent of healthcare organizations have invested up to 10 percent of their IT budget in cybersecurity.
An additional challenge is that hospitals often use virtual desktops that allow doctors and nurses to securely log into any workstation they come to. This is a good idea because it limits physical security risk while medical professionals move through the hospital and interact with different patients. This is what Citizens Medical Center, a Morphisec customer, does to ensure medical personnel can remain mobile.
However, a virtual desktop infrastructure creates issues because each new virtual machine is another endpoint that needs to be secured. This also increases the hospital’s attack surface, which results in additional cyber risk that needs to be mitigated. Most antivirus solutions don’t work in this situation because VDI tends to only have the precise amount of memory needed to run critical applications, and it takes too much time for an antivirus signature database to be updated for it to be effective.
Further, hospitals often lack the dedicated security staff that many other enterprises have. On a five-point scale, according to the 2019 HIMSS Cybersecurity Survey, hospitals rated the lack of skilled personnel as a 3.12, marking it as a serious challenge toward remediating security incidents. This could be because hospitals often have an IT department for general technology needs, such as installing new systems and ensuring network connectivity, but these general IT personnel might lack specific security experience. These IT teams often only operate during business hours and aren’t necessarily present in the middle of the night in case a security incident occurs.
The COVID-19 pandemic has brought into sharp relief that hospitals must emphasize ransomware prevention. The alternative is what happened to Brno University Hospital: shutting down operations while the infection is purged from the entire system. Given that more attacks will occur during the coronavirus response, as with a recent attack against the United States Department of Health and Human Services, hospitals must take care to ensure they’re protected.
One of the best ways for hospitals to prevent ransomware is through ensuring strong IT hygiene in the organization. This can take the form of adding multi-factor authentication to passwords and checking user privileges to ensure no one has administrative access who shouldn’t. The addition of MFA to passwords can help secure user access and make it so a brute-force attack can’t automatically crack a password. Correcting user privileges limits the number of people who can make systemic changes, and ensures that should a threat actor crack a password they don’t automatically have the rights they need to escalate privileges. However, during these times the lines between on-site and remote workers are becoming increasingly blurred. This makes Windows Defender Antivirus, already installed on every home Windows 10 computer, a suitable choice to standardize on for all work and home workstations.
Hospitals should also deploy a lightweight solution, like moving target defense (MTD), to secure physical and virtual VDI endpoints against cyberattacks. Traditional and even next-gen antivirus solutions tend to have agents that are too heavy to secure virtual endpoints and require frequent updates to secure systems against threats like ransomware. With a moving target defense solution, there is no need to update a signature database or a detection algorithm; this makes an MTD protection solution uniquely suited to secure systems where memory is at a premium.
Lastly, hospital IT teams need to ensure that all systems are regularly patched against threats. A moving target defense solution can often serve as a virtual patch to ensure that systems, including Windows 7, are protected before an exploit is discovered, but ultimately it’s the responsibility of IT to ensure that any available software patches are deployed as needed. This includes
Hospital IT teams need to emphasize ransomware prevention in the age of COVID-19 more than ever before. Their patient databases provide rich sources of information for threat actors, and the critical work conducted in the age of a global pandemic means that cybersecurity must be tightened to ensure that doctors and nurses can focus on saving lives. By improving IT hygiene, conducting regular patching, and deploying a lightweight solution like moving target defense, hospital IT teams can secure their infrastructure and protect front-line healthcare workers during this critical time.