For a long time, particularly in the hard-core hacker underground, the idea of attacking hospitals and other institutions of goodwill was completely unacceptable. The consensus in these communities was that these should be “no-go” areas, totally off-limits to cyberattacks. Such hacker idealism praises the taking from the rich and strong to give to the poor and vulnerable, and, of course, pocketing some loot for the effort.
But the surge in hospital ransomware attacks in early 2016 suggests there is a growing number of Dark Net Dillingers and Tony Sopranos among cyberspace’s Robin Hoods. The poor IT security state of many hospitals has led such underground criminals straight to their back doors.
Delivering uninterrupted services with immediate access to information is not an easy task. Doing it with legacy systems, a fragmented workforce, and inconsistent security is a recipe for trouble. Such circumstances have lured ransomware attackers away from consumers to focus on organizations with weak security and a strong reliance on their information systems to provide life-saving care.
According to a recent study by the Ponemon Institute, half of all healthcare data breaches in the last year were the result of criminal attacks, as opposed to errors or omissions by employees. At the same time, the primary security worry of these same organizations is employee negligence. So it comes as no surprise that phishing and other human-weakness exploits are key attack vectors.
These attacks often affect medical machinery, which is more challenging to protect and clean up than servers and workstations. Security is often not part of these specialized devices’ development lifecycles, leaving easy openings for compromising medical data. An example of this is the case of a US hacker who found a vulnerability in the remote desktop implementation of a particular vendor. He exploited the vulnerability, stole millions of records, offered them for sale on the Dark Net, and attempted to extort money from the victimized hospitals with the offer to return the data.
And the ransom costs are a small fraction of the costs of downtime, system recovery, and cleanup. Affected hospitals that have gone public have experienced partial or complete network downtime of five to 10 days. Intel Security’s Advanced Threat Research team identified at least 24 known incidents of hospital attacks during the first half of 2016, across six countries. Most of the hospitals that paid the ransom had no contingency plans for this type of event.
What can hospitals do to protect themselves? Here is our top 10 list for protecting healthcare systems from ransomware and other malware infections:
- Use network segmentation to separate critical devices required for patient care from the general network.
- Keep backups completely disconnected from the production network so that ransomware payloads cannot corrupt your backup data.
- Reduce or eliminate the use of local disks to store sensitive data. Secure network drives can be restored more quickly, assuming the backups are clean.
- Develop an incident response plan so that if your systems are compromised, you can get back in operation quickly.
- Train your users. Almost one in 10 spam messages is still being opened, so ongoing user awareness training is critically important.
- Add or enhance your antispam filter. Most ransomware attacks use uncommon file formats, packed several levels into .zip files to evade detection, so make sure you are scanning for them.
- Block unnecessary programs and traffic. Many ransomware control servers use Tor to get their encryption key. If you can block this traffic, you can stop the encryption process.
- Use whitelisting on medical equipment to prevent unapproved programs from executing.
- On more general-purpose devices, keep the patches up to date. Many of the vulnerabilities exploited by these attackers have patches available.
- Do not rely on default settings for endpoint protection. Turn on advanced endpoint protections that can block malware executables from running.
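The antispam item above notes that ransomware lures often bury uncommon, executable file formats several levels deep inside .zip attachments. As an added example (not code from the original post or from McAfee), the following scanner walks an archive recursively and reports risky members at any nesting depth; the risky-extension list and the sample nested archive are constructed for the example, and it also flags encrypted members and archives nested deeper than a limit, since a gateway cannot inspect those.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions that run code when opened; a constructed list for this example,
# not a complete gateway policy.
RISKY = {".exe", ".js", ".jse", ".vbs", ".wsf", ".hta", ".scr", ".bat", ".cmd", ".ps1", ".jar", ".lnk"}

def scan_nested_archive(data: bytes, max_depth: int = 5) -> List[Tuple[str, int]]:
    """Return (member path, nesting depth) for every risky member in a zip or any zip
    nested inside it. Encrypted members and over-deep archives are reported as findings."""
    findings: List[Tuple[str, int]] = []

    def walk(blob: bytes, prefix: str, depth: int) -> None:
        if depth > max_depth:
            findings.append((prefix + "<max depth exceeded>", depth))
            return
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            findings.append((prefix + "<unreadable archive>", depth))
            return
        with zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path, name = prefix + info.filename, info.filename.lower()
                if info.flag_bits & 0x1:  # encrypted: cannot inspect, so flag it
                    findings.append((path + " <encrypted>", depth))
                elif name.endswith(".zip"):
                    walk(zf.read(info), path + "/", depth + 1)  # descend into nested zip
                elif any(name.endswith(ext) for ext in RISKY):
                    findings.append((path, depth))

    walk(data, "", 1)
    return findings

def build_sample() -> bytes:
    """Constructed sample: invoice.js buried three zips deep beside a harmless PDF."""
    def zipped(*members) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, content in members:
                z.writestr(name, content)
        return buf.getvalue()
    inner = zipped(("invoice.js", "// constructed placeholder\n"), ("readme.txt", "hi"))
    middle = zipped(("docs.zip", inner))
    return zipped(("attachment.zip", middle), ("report.pdf", b"%PDF-1.4 placeholder"))
```

Calling `scan_nested_archive(build_sample())` reports `invoice.js` at depth 3; lowering `max_depth` to 2 instead reports the inner archive as too deep to inspect.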
To learn more about recent hospital ransomware attacks and what you can do to protect against them, download the September 2016 McAfee Labs Threats Report.