David Higgins, EMEA Technical Director, CyberArk, explores three reasons why healthcare organisations are extra vulnerable to ransomware
We’re all aware of the heavy toll the pandemic has taken on certain industries. The plight of businesses in retail and hospitality, for example, has drawn plenty of concern, but it’s the healthcare industry that has rightly taken centre stage in the nation’s minds, given its role in helping us navigate the last 18 months.
You might think the virus and lack of resources were the main challenges the sector faced. But the healthcare industry was fighting – and continues to fight – against another invisible adversary: a persistent wave of ransomware-based cyberattacks.
It’s a mighty adversary, too. Hospitals being offline presents a critical threat to patient care; in many cases during the pandemic, health staff were denied access to electronic patient health information (ePHI) or internet-served medical equipment due to cyberattacks, and resorted to documenting records by hand. This shouldn’t have to happen. Healthcare is a business of life and death and simply cannot afford to negotiate ransoms while systems are held hostage.
The threat of ransomware isn’t new, either. Between 2014 and 2020 a third of NHS trusts were successfully attacked with ransomware, causing an estimated 206 days of downtime, and these figures no doubt increased during the pandemic. Just a few months ago, events across the Irish Sea demonstrated just that, with an attack on Ireland’s healthcare system reducing appointments by more than 80%, creating a knock-on impact for patients.
By now, ransomware is a known evil. But what can providers do to better negate the risks it poses?
Hospitals’ innate vulnerability
Devices are everywhere in hospitals: from portable monitors at nurses’ stations to operating theatres. They give staff access to critical, live data that informs patient care, but their easy-access design makes them – and the swathes of patient records and vital information they provide – vulnerable to hackers.
Those managing healthcare IT haven’t heeded this lesson. Many trusts still run old software which is open to vulnerabilities, instead of implementing modern operating systems and patches. Others aren’t reacting to attackers’ efforts to seize medical Internet of Things (IoT) devices quickly enough. You only need cast your mind back to the large-scale WannaCry attack on healthcare systems to know how a nightmare scenario could play out.
Removed barriers to ransomware
Anyone can exploit vulnerable IT systems thanks to ransomware ‘kits’, which are easy to purchase on the dark web. Healthcare services are an attractive target because they usually store ePHI records with confidential information about patients, which aren’t always stored in line with industry standards. The records cannot be deleted after a set amount of time either, as is common practice in other industries.
Seasoned attackers are also becoming more skilled at targeting weaknesses in organisations’ IT infrastructures. Many spend time lurking on systems before launching an attack, often taking advantage of old faults or leftover user accounts from old contractors.
Once they have achieved access, attackers’ next objective is to harvest credentials with greater access, and look for more machines and valuable data to extort. Once they have gained the right credentials, they often look to extract large amounts of sensitive data, such as personally identifiable information (PII).
From there, they will use their stolen credentials to avoid detection, take control of users’ identities and seek ways to ‘live off the land’ – i.e. take advantage of pre-installed programs and processes on a compromised computer. Using the victim’s own tools against them makes attackers appear legitimate, making it difficult for security teams to identify malicious activity. Plus, attackers don’t lose time and risk red flags by building or distributing new tools.
Finally, they use built-in trusted software distribution channels that the organisation uses routinely to execute their ransomware kit. This is highly effective, as it allows the attackers to disable – or sometimes completely circumvent – existing security controls.
During attacks, ransomware threat actors seek ways to stealthily disrupt backups, delete shadow copies and unlock files to maximise their impact. In many ransomware scenarios, attackers will not only demand payment for decrypting target data but also threaten to leak it unless additional payment is made. F-Secure research suggests nearly 40% of ransomware families discovered in 2020 used such double-extortion methods.
The release of data isn’t always the end of the story, either. If businesses fail to take necessary steps to identify an attack’s root cause and secure their network, attackers can use the same techniques to re-deploy the same ransomware and force the organisation to pay another hefty ransom.
Getting ahead of ransomware attacks
As ransomware attacks become more sophisticated and targeted, healthcare organisations must ramp up their security posture to both protect critical infrastructure and preserve patient care and trust.
The implementation of a ‘Zero Trust’ framework and the principle of least privilege is a must. This mandates that organisations should not automatically trust or give access to any ‘thing’ or user until it has proven its identity. Once online, this user should then only have access to information they actually need. In a hospital, such controls might look like a cardiologist only having access to their own patients’ records, rather than all cardiology patients. If a hacker gets access to that cardiologist’s login, they only gain access to a few patients’ records, significantly reducing the impact of an attack.
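The cardiologist scenario above as a small runnable model (an added example, not code from the article or from CyberArk; the clinician names, patient IDs and function names are all constructed for illustration). It compares how many records one stolen login exposes under a department-wide policy and under a care-relationship policy, and keeps refused reads as an audit signal.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    patient_id: str
    department: str
    treating: frozenset  # clinician IDs with an active care relationship

# Constructed sample data, not real patients or staff.
RECORDS = [
    Record("P001", "cardiology", frozenset({"dr_patel"})),
    Record("P002", "cardiology", frozenset({"dr_patel", "dr_okafor"})),
    Record("P003", "cardiology", frozenset({"dr_okafor"})),
    Record("P004", "cardiology", frozenset({"dr_okafor"})),
    Record("P005", "oncology", frozenset({"dr_lee"})),
]
CLINICIAN_DEPT = {"dr_patel": "cardiology", "dr_okafor": "cardiology",
                  "dr_lee": "oncology"}

def department_policy(user, record):
    """Broad policy: any clinician in the department may open the record."""
    return CLINICIAN_DEPT.get(user) == record.department

def care_relationship_policy(user, record):
    """Least privilege: only clinicians treating this patient may open it."""
    return user in record.treating

def exposure(user, policy, records=RECORDS):
    """Patient IDs an attacker could read with this user's stolen login."""
    return sorted(r.patient_id for r in records if policy(user, r))

class RecordStore:
    """Deny-by-default store that records every refused read for review."""
    def __init__(self, records, policy):
        self._by_id = {r.patient_id: r for r in records}
        self._policy = policy
        self.denied = []  # (user, patient_id) pairs, a detection signal

    def read(self, user, patient_id):
        record = self._by_id.get(patient_id)
        if record is None or not self._policy(user, record):
            self.denied.append((user, patient_id))
            raise PermissionError(f"{user} may not read {patient_id}")
        return record

if __name__ == "__main__":
    print("department-wide:", exposure("dr_patel", department_policy))
    print("own patients:   ", exposure("dr_patel", care_relationship_policy))
```

A burst of entries in `denied` for one account is the kind of signal that points to a login being used outside its normal care relationships.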
Least privilege, access and identity restrictions should form the core, identity-centric foundation for an endpoint security strategy based on a Zero Trust approach. Identity security solutions help detect and block ransomware itself, and also work to stop identity and privilege abuse at critical points in the attack chain by “trusting nothing and verifying everything”. As a result, threats can be found and stopped before they do harm.
Once these controls are in place, healthcare organisations can focus on enhancing cybersecurity awareness and skills training, and hardening and backing up critical hospital systems to protect against future attacks. Their role is to look after us, so it’s important they take steps to keep themselves running in the safe way they and the public deserve.