
Partner Perspectives  Connecting marketers to our tech communities.
9/26/2016
02:05 PM
Christiaan Beek

Ransomware: Coming To A Hospital Near You?

10 ways to protect healthcare systems from ransomware and other malware infections.

For a long time, particularly in the hard-core hacker underground, the idea of attacking hospitals and other institutions of goodwill was completely unacceptable. The consensus in these communities was that these should be “no-go” areas, totally off-limits to cyberattacks. Such hacker idealism praises taking from the rich and strong to give to the poor and vulnerable, and, of course, pocketing some loot for the effort.

But the surge in hospital ransomware attacks in early 2016 suggests there is a growing number of Dark Net Dillingers and Tony Sopranos among cyberspace’s Robin Hoods. The poor state of IT security at many hospitals has led such underground criminals straight to their back doors.

Delivering uninterrupted services with immediate access to information is not an easy task. Doing it with legacy systems, a fragmented workforce, and inconsistent security is a recipe for trouble. Such circumstances have lured ransomware attackers away from consumers to focus on organizations with weak security and a strong reliance on their information systems to provide life-saving care.

According to a recent study by the Ponemon Institute, half of all healthcare data breaches in the last year were the result of criminal attacks, as opposed to errors or omissions by employees. At the same time, the primary security worry of these same organizations is employee negligence. So it comes as no surprise that phishing and other human-weakness exploits are key attack vectors.

These attacks often affect medical machinery, which is more challenging to protect and clean up than servers and workstations. Security is often not part of these specialized devices’ development lifecycles, leaving easily exploitable weaknesses through which medical data can be compromised. An example of this is the case of a US hacker who found a vulnerability in the remote desktop implementation of a particular vendor. He exploited the vulnerability, stole millions of records, offered them for sale on the Dark Net, and attempted to extort money from the victimized hospitals with the offer to return the data.

And the ransom costs are a small fraction of the costs of downtime, system recovery, and cleanup. Affected hospitals that have gone public have experienced partial or complete network downtime of five to 10 days. Intel Security’s Advanced Threat Research team identified at least 24 known incidents of hospital attacks during the first half of 2016, across six countries. Most of the hospitals that paid the ransom had no contingency plans for this type of event.

What can hospitals do to protect themselves? Here is our top 10 list for protecting healthcare systems from ransomware and other malware infections:

  1. Use network segmentation to separate critical devices required for patient care from the general network.
  2. Keep backups completely disconnected from the production network so that ransomware payloads cannot corrupt your backup data.
  3. Reduce or eliminate the use of local disks to store sensitive data. Secure network drives can be restored more quickly, assuming the backups are clean.
  4. Develop an incident response plan so that if your systems are compromised, you can get back in operation quickly.
  5. Train your users. Almost one in 10 spam messages is still being opened, so ongoing user awareness training is critically important.
  6. Add or enhance your antispam filter. Most ransomware attacks use uncommon file formats, packed several levels deep inside .zip files to evade detection, so make sure your filter unpacks nested archives and scans for them.
  7. Block unnecessary programs and traffic. Many ransomware variants contact their control servers over Tor to obtain an encryption key. If you can block this traffic, you can stop the encryption process.
  8. Use whitelisting on medical equipment to prevent unapproved programs from executing.
  9. On more general purpose devices, keep the patches up to date. Many of the vulnerabilities exploited by these attackers have patches available.
  10. Do not rely on default settings for endpoint protection. Turn on advanced endpoint protections that can block malware executables from running.
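The check behind item 6, as an added example that is not part of the article or of any McAfee product: a small Python scanner that unpacks a .zip attachment and every .zip nested inside it in memory and reports suspect file types at any depth. The suffix list, depth limit and sample archive are constructed for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions commonly delivered inside nested archives; list assembled for this example.
SUSPECT_SUFFIXES = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".scr",
                    ".exe", ".cmd", ".bat", ".ps1", ".jar", ".lnk",
                    ".docm", ".xlsm", ".pptm"}   # macro-enabled Office documents

def scan_archive(data: bytes, max_depth: int = 5) -> list[str]:
    """Walk a zip and every zip nested inside it; return one finding per member
    whose extension is on the suspect list. Nesting deeper than max_depth is
    itself reported, since legitimate mail rarely needs it."""
    findings: list[str] = []
    _walk(data, "", 0, max_depth, findings)
    return findings

def _walk(data, prefix, depth, max_depth, findings):
    if depth > max_depth:
        findings.append(f"{prefix}: nesting deeper than {max_depth} levels")
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                                  # not an archive: nothing to unpack
    with zf:
        for info in zf.infolist():
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix in SUSPECT_SUFFIXES:
                findings.append(f"{path}: suspect file type {suffix} at depth {depth}")
            elif suffix == ".zip":
                _walk(zf.read(info), path, depth + 1, max_depth, findings)

def build_sample() -> bytes:
    """Constructed sample attachment: outer zip -> scan.zip -> Invoice_2016.pdf.js"""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice_2016.pdf.js", "// constructed placeholder, not a real payload\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("scan.zip", inner.getvalue())
        z.writestr("readme.txt", "Please see the attached invoice.\n")
    return outer.getvalue()

if __name__ == "__main__":
    for finding in scan_archive(build_sample()):
        print(finding)
```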

To learn more about recent hospital ransomware attacks and what you can do to protect against them, download the September 2016 McAfee Labs Threats Report.

Christiaan Beek manages threat intelligence research within Intel Security's Office of the CTO. He leads research in advanced attacks and assists in cyberattack take-down operations. In previous roles, Beek was director of threat intelligence in McAfee Labs and director of ...
Comments
Christiaan.Beek, User Rank: Apprentice, 9/30/2016 | 9:27:12 AM
Re: More than 400,000 Sensitive Healthcare Records Leaked on the Dark Web
IMHO the concerning part here is that, for example, a stolen credit card and its data can be easily changed. You call to block your card and within a few business days you have a new card and the compromised data is changed. With medical data it's quite different; it can't be changed easily...
DavidF740, User Rank: Apprentice, 9/28/2016 | 9:45:32 AM
Re: More than 400,000 Sensitive Healthcare Records Leaked on the Dark Web
Backup is the last line of defense. Yes, harden the front-end network and systems, train the users, and create and deploy an air-gapped backup system.
nathanwburke, User Rank: Author, 9/27/2016 | 3:46:14 PM
Re: Ransomware is fast.
True, there are generally two problems when it comes to ransomware:

1. The person in the chair, as you call it. In many cases it's a person that instigates the ransomware through a phishing email, and the only way to solve that problem is through training. There are certainly some good technologies that can reduce the chances a phishing email gets through or prevents a user from clicking on a known bad link, but if someone is willing to click on something they shouldn't, the bad guys will always take advantage of the opportunity.

2. The files getting encrypted - Once the person in the chair has set the process in motion, automation is the only way to stop the attack while underway. Having an automated system that can investigate, identify, and understand that the files are being encrypted and then stopping the process, severing the remote connection, and removing all traces is the only way. Otherwise, you're right: you have to just re-image the whole thing and restore from backup. 
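The automated "identify that files are being encrypted" step nathanwburke describes, illustrated with an added example that is mine, not the commenter's or any product's: a Python detector that watches per-process file writes, uses byte entropy to separate ciphertext-like rewrites from ordinary saves, and returns the process id once one process has rewritten several distinct files within a short window. The thresholds, event format and sample events are constructed assumptions.

```python
import math
import os
from collections import defaultdict, deque

# Thresholds are illustrative assumptions for this example, not any product's settings.
WINDOW_SECONDS = 10.0     # sliding window over which rewrites by one process are counted
MIN_FILES = 5             # distinct files rewritten with ciphertext-like content before alerting
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted content approaches 8.0, documents sit far lower

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given content (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class EncryptionBurstDetector:
    """Per-process sliding window of high-entropy file writes. observe() returns the
    pid once it has rewritten MIN_FILES distinct files inside WINDOW_SECONDS; what to
    do with that pid (kill it, isolate the host) is left to the caller."""
    def __init__(self):
        self.writes = defaultdict(deque)   # pid -> deque of (timestamp, path)
    def observe(self, ts: float, pid: int, path: str, content: bytes):
        if shannon_entropy(content) < ENTROPY_THRESHOLD:
            return None                    # ordinary document save: ignore
        q = self.writes[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()                    # drop writes that fell out of the window
        if len({p for _, p in q}) >= MIN_FILES:
            return pid
        return None

def replay(events):
    """Feed constructed (ts, pid, path, content) events in time order; return (pid, ts) of the first alert, else None."""
    det = EncryptionBurstDetector()
    for ts, pid, path, content in sorted(events, key=lambda e: e[0]):
        if det.observe(ts, pid, path, content) is not None:
            return pid, ts
    return None

# Constructed sample: pid 100 (a word processor) saves plain text twice, while pid 4242 overwrites six records with random bytes (standing in for ciphertext) within three seconds.
SAMPLE = [(t, 100, "C:/notes/progress.txt", b"Patient stable, continue observation. " * 20)
          for t in (0.0, 4.0)]
SAMPLE += [(1.0 + 0.5 * i, 4242, f"//fileserver/records/chart{i}.xlsx.locked", os.urandom(4096))
           for i in range(6)]
```

In a real deployment the events would come from a file-system filter driver or EDR sensor rather than a list, and the pid returned would feed the process-termination and isolation step the comment calls for.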
Dr.T, User Rank: Ninja, 9/27/2016 | 3:36:10 PM
Train train train
While backup is a reactive approach, training people is actually a proactive approach to ransomware problems. It is better to spend time and money on awareness.
Dr.T, User Rank: Ninja, 9/27/2016 | 3:33:26 PM
Re: More than 400,000 Sensitive Healthcare Records Leaked on the Dark Web
"... ransomware could be the single largest cybersecurity threat facing consumers ..." I would think it is the most impactful. There are companies paying to get the decryption key, that shows how successful it is.
Dr.T, User Rank: Ninja, 9/27/2016 | 3:31:29 PM
Re: Ransomware is fast.
"... automation must be considered ..." I would say yes if the automation is reducing user interaction. The problem is the person in the chair, as we know it.
Dr.T, User Rank: Ninja, 9/27/2016 | 3:30:05 PM
Re: More than 400,000 Sensitive Healthcare Records Leaked on the Dark Web
"... 400,000 healthcare records ..." This is a big number when we consider they charge per record.
Dr.T, User Rank: Ninja, 9/27/2016 | 3:27:19 PM
Backup backup backup
There is no really easy solution for ransomware. The only option we are left with is to take backups and keep them somewhere without overwriting them for a while.
nathanwburke, User Rank: Author, 9/27/2016 | 1:07:21 PM
Ransomware is fast.
Per your point:

Develop an incident response plan so that if your systems are compromised, you can get back in operation quickly.

With the speed by which ransomware can spread, automation must be considered when developing an incident response strategy. 

ChandanaP946, User Rank: Strategist, 9/27/2016 | 7:17:38 AM
More than 400,000 Sensitive Healthcare Records Leaked on the Dark Web
Cybersecurity firm OWL recently discovered over 400,000 healthcare records on the Dark Web. Some of these files were swiped during traditional system hacks. But, said OWL's president and CEO Mark Turnage, ransomware was responsible for the majority of the leaks. In the near future, ransomware could be the single largest cybersecurity threat facing consumers, companies, and organizations. https://cyware.com/news/more-than-400000-sensitive-healthcare-records-leaked-on-the-dark-web-dcec7889