10 ways to protect healthcare systems from ransomware and other malware infections.

Christiaan Beek, Threat Intelligence Research, Office of the CTO,Intel Security

September 27, 2016

3 Min Read

For a long time, particularly in the hard-core hacker underground, the idea of attacking hospitals and other institutions of goodwill was completely unacceptable. The consensus in these communities was that these should be “no-go” areas, totally off-limits to cyberattacks. Such hacker idealism praises the taking from the rich and strong to give to the poor and vulnerable, and, of course, pocketing some loot for the effort.

But the surge in hospital ransomware attacks in early 2016 suggests there is a growing number of Dark Net Dillingers and Tony Sopranos among cyberspace’s Robin Hoods. The poor IT security state of many hospitals has led such criminals underground to their back doors.

Delivering uninterrupted services with immediate access to information is not an easy task. Doing it with legacy systems, a fragmented workforce, and inconsistent security is a recipe for trouble. Such circumstances have lured ransomware attackers away from consumers to focus on organizations with weak security and a strong reliance on their information systems to provide life-saving care.

According to a recent study by the Ponemon Institute, half of all healthcare data breaches in the last year were the result of criminal attacks, as opposed to errors or omissions by employees. At the same time, the primary security worry of these same organizations is employee negligence. So it comes as no surprise that phishing and other human-weakness exploits are key attack vectors.

These attacks often affect medical machinery, which is more challenging to protect and clean up than servers and workstations. Security is often not a part of these specialized devices’ development lifecycles, creating easy exploits to compromise medical data. An example of this is the case of a US hacker who found a vulnerability in the remote desktop implementation of a particular vendor. He exploited the vulnerability, stole millions of records, offered them for sale on the Dark Net, and attempted to extort money from the victimized hospitals with the offer to return the data.

And the ransom costs are a small fraction of the costs of downtime, system recovery, and cleanup. Affected hospitals that have gone public have experienced partial or complete network downtime of five to 10 days. Intel Security’s Advanced Threat Research team identified at least 24 known incidents of hospital attacks during the first half of 2016, across six countries. Most of the hospitals that paid the ransom had no contingency plans for this type of event.

What can hospitals do to protect themselves? Here is our top 10 list for protecting healthcare systems from ransomware and other malware infections:

  1. Use network segmentation to separate critical devices required for patient care from the general network.

  2. Keep backups completely disconnected from the production network so that ransomware payloads cannot corrupt your backup data.

  3. Reduce or eliminate the use of local disks to store sensitive data. Secure network drives can be restored more quickly, assuming the backups are clean.

  4. Develop an incident response plan so that if your systems are compromised, you can get back in operation quickly.

  5. Train your users. Almost one in 10 spam messages is still being opened, so ongoing user awareness training is critically important.

  6. Add or enhance your antispam filter. Most ransomware attacks use uncommon file formats, packed several levels into .zip files to evade detection, so make sure you are scanning for them.

  7. Block unnecessary programs and traffic. Many ransomware control servers use Tor to get their encryption key. If you can block this traffic, you can stop the encryption process.

  8. Use whitelisting on medical equipment to prevent unapproved programs from executing.

  9. On more general purpose devices, keep the patches up to date. Many of the vulnerabilities exploited by these attackers have patches available.

  10. Do not rely on default settings for endpoint protection. Turn on advanced endpoint protections that can block malware executables from running.

To learn more about recent hospital ransomware attacks and what you can do to protect against them, download the September 2016 McAfee Labs Threats Report.

About the Author(s)

Christiaan Beek

Threat Intelligence Research, Office of the CTO,Intel Security

Christiaan Beek manages threat intelligence research within Intel Security's Office of the CTO. He leads research in advanced attacks and assists in cyberattack take-down operations. In previous roles, Beek was director of threat intelligence in McAfee Labs and director of incident response and forensics at Foundstone, Intel Security's forensic services arm. At Foundstone, he led a team of forensic specialists in Europe, the Middle East, and Africa. Beek develops threat intelligence strategy, designs threat intelligence systems, performs malware and forensic analysis, and coaches security teams around the globe. He is a passionate cybercrime specialist who has developed training courses, workshops, and presentations. He speaks regularly at conferences, including BlackHat and BlueHat. Beek contributed to the best-selling security book "Hacking Exposed."

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights