Partner Perspectives
9/26/2016
02:05 PM
Christiaan Beek
Ransomware: Coming To A Hospital Near You?

10 ways to protect healthcare systems from ransomware and other malware infections.

For a long time, particularly in the hard-core hacker underground, the idea of attacking hospitals and other institutions of goodwill was completely unacceptable. The consensus in these communities was that these should be “no-go” areas, totally off-limits to cyberattacks. Such hacker idealism praises taking from the rich and strong to give to the poor and vulnerable, while, of course, pocketing some loot for the effort.

But the surge in hospital ransomware attacks in early 2016 suggests there is a growing number of Dark Net Dillingers and Tony Sopranos among cyberspace’s Robin Hoods. The poor state of IT security at many hospitals has led such criminals straight to their back doors.

Delivering uninterrupted services with immediate access to information is not an easy task. Doing it with legacy systems, a fragmented workforce, and inconsistent security is a recipe for trouble. Such circumstances have lured ransomware attackers away from consumers to focus on organizations with weak security and a strong reliance on their information systems to provide life-saving care.

According to a recent study by the Ponemon Institute, half of all healthcare data breaches in the last year were the result of criminal attacks, as opposed to errors or omissions by employees. At the same time, the primary security worry of these same organizations is employee negligence. So it comes as no surprise that phishing and other human-weakness exploits are key attack vectors.

These attacks often affect medical machinery, which is more challenging to protect and clean up than servers and workstations. Security is often not part of these specialized devices’ development lifecycles, which leaves easy openings for compromising medical data. An example of this is the case of a US hacker who found a vulnerability in the remote desktop implementation of a particular vendor. He exploited the vulnerability, stole millions of records, offered them for sale on the Dark Net, and attempted to extort money from the victimized hospitals with the offer to return the data.

And the ransom costs are a small fraction of the costs of downtime, system recovery, and cleanup. Affected hospitals that have gone public have experienced partial or complete network downtime of five to 10 days. Intel Security’s Advanced Threat Research team identified at least 24 known incidents of hospital attacks during the first half of 2016, across six countries. Most of the hospitals that paid the ransom had no contingency plans for this type of event.

What can hospitals do to protect themselves? Here is our top 10 list for protecting healthcare systems from ransomware and other malware infections:

  1. Use network segmentation to separate critical devices required for patient care from the general network.
  2. Keep backups completely disconnected from the production network so that ransomware payloads cannot corrupt your backup data.
  3. Reduce or eliminate the use of local disks to store sensitive data. Secure network drives can be restored more quickly, assuming the backups are clean.
  4. Develop an incident response plan so that if your systems are compromised, you can get back in operation quickly.
  5. Train your users. Almost one in 10 spam messages is still being opened, so ongoing user awareness training is critically important.
  6. Add or enhance your antispam filter. Most ransomware attacks use uncommon file formats, packed several levels into .zip files to evade detection, so make sure you are scanning for them.
  7. Block unnecessary programs and traffic. Many ransomware control servers use Tor to get their encryption key. If you can block this traffic, you can stop the encryption process.
  8. Use whitelisting on medical equipment to prevent unapproved programs from executing.
  9. On more general-purpose devices, keep the patches up to date. Many of the vulnerabilities exploited by these attackers have patches available.
  10. Do not rely on default settings for endpoint protection. Turn on advanced endpoint protections that can block malware executables from running.
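Item 6 above warns that ransomware droppers often arrive as uncommon file types packed several levels deep inside .zip attachments. The following scanner is an added example (not from the article, McAfee or Intel Security) of how a mail-gateway check can unpack nested ZIPs in memory and flag script or executable members wherever they sit; the extension list, the depth limit and the sample archive are assumptions constructed here for illustration.

```python
import io
import zipfile
from typing import List, Tuple

# Assumed for this example: file types a mail filter would treat as suspicious
# when they arrive inside an archive (scripts, shortcuts and executables).
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf",
                         ".hta", ".lnk", ".bat", ".cmd", ".ps1"}
MAX_DEPTH = 4  # assumed policy: refuse to unpack deeper than this, flag instead


def scan_archive(data: bytes, depth: int = 0, path: str = "") -> List[Tuple[str, str]]:
    """Recursively inspect a ZIP held in memory.

    Returns (member_path, reason) tuples for every finding. Nested ZIPs are
    opened in memory only; nothing is written to disk and nothing is executed.
    """
    if depth > MAX_DEPTH:
        return [(path, "nesting deeper than %d levels" % MAX_DEPTH)]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "not a valid zip")]
    findings: List[Tuple[str, str]] = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member = path + "/" + info.filename if path else info.filename
            name = info.filename.lower()
            if name.endswith(".zip"):
                # Descend into the nested archive, tracking how deep we are.
                findings.extend(scan_archive(archive.read(info), depth + 1, member))
                continue
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in SUSPICIOUS_EXTENSIONS:
                findings.append((member, "suspicious file type %s at depth %d" % (ext, depth)))
    return findings


def build_sample() -> bytes:
    """Constructed test input: a three-level ZIP (outer -> middle -> inner)
    holding a harmless text file and an inert 'invoice.pdf.js' placeholder."""
    inner, middle, outer = io.BytesIO(), io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.js", "// inert placeholder, not a real script\n")
        z.writestr("readme.txt", "harmless\n")
    with zipfile.ZipFile(middle, "w") as z:
        z.writestr("attachment.zip", inner.getvalue())
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("docs.zip", middle.getvalue())
    return outer.getvalue()
```

Running `scan_archive(build_sample())` reports the `.js` member at depth 2 and ignores the text file, which is the behaviour a gateway rule built on this would act on.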

To learn more about recent hospital ransomware attacks and what you can do to protect against them, download the September 2016 McAfee Labs Threats Report.

Christiaan Beek manages threat intelligence research within Intel Security's Office of the CTO. He leads research in advanced attacks and assists in cyberattack take-down operations. In previous roles, Beek was director of threat intelligence in McAfee Labs and director of ...
Comments
Christiaan.Beek,
User Rank: Apprentice
9/30/2016 | 9:27:12 AM
Re: More than 400,000 Sensitive Healthcare Records Leaked on the Dark Web
IMHO the concerning part here is that, for example, a stolen credit card and its data can be easily changed. You call to block your card and within a few business days you have a new card and the compromised data changed. With medical data it's quite different; it can't be changed easily...
DavidF740,
User Rank: Apprentice
9/28/2016 | 9:45:32 AM
Re: More than 400,000 Sensitive Healthcare Records Leaked on the Dark Web
Backup is the last line of defense. Yes, harden the front-end network and systems, train the users, and create and deploy an air-gapped backup system.
nathanwburke,
User Rank: Author
9/27/2016 | 3:46:14 PM
Re: Ransomware is fast.
True, there are generally two problems when it comes to ransomware:

1. The person in the chair, as you call it. In many cases it's a person that instigates the ransomware through a phishing email, and the only way to solve that problem is through training. There are certainly some good technologies that can reduce the chances a phishing email gets through or prevents a user from clicking on a known bad link, but if someone is willing to click on something they shouldn't, the bad guys will always take advantage of the opportunity.

2. The files getting encrypted - Once the person in the chair has set the process in motion, automation is the only way to stop the attack while underway. Having an automated system that can investigate, identify, and understand that the files are being encrypted and then stopping the process, severing the remote connection, and removing all traces is the only way. Otherwise, you're right: you have to just re-image the whole thing and restore from backup. 
Dr.T,
User Rank: Ninja
9/27/2016 | 3:36:10 PM
Train train train
While backup is a reactive approach, training people is actually a proactive approach to ransomware problems. It is better to spend time and money on awareness.
Dr.T,
User Rank: Ninja
9/27/2016 | 3:33:26 PM
Re: More than 400,000 Sensitive Healthcare Records Leaked on the Dark Web
"... ransomware could be the single largest cybersecurity threat facing consumers ..." I would think it is the most impactful. There are companies paying to get the decryption key, that shows how successful it is.
Dr.T,
User Rank: Ninja
9/27/2016 | 3:31:29 PM
Re: Ransomware is fast.
"... automation must be considered ..." I would say yes if the automation is reducing user interaction. The problem is the person on the chair as we know it.
Dr.T,
User Rank: Ninja
9/27/2016 | 3:30:05 PM
Re: More than 400,000 Sensitive Healthcare Records Leaked on the Dark Web
"... 400,000 healthcare records ..." This is a big number when we consider they charge per record.
Dr.T,
User Rank: Ninja
9/27/2016 | 3:27:19 PM
Backup backup backup
There is no really easy solution for ransomware. The only option we are left with is to take backups and keep them somewhere without overwriting them for a while.
nathanwburke,
User Rank: Author
9/27/2016 | 1:07:21 PM
Ransomware is fast.
Per your point:

Develop an incident response plan so that if your systems are compromised, you can get back in operation quickly.

With the speed by which ransomware can spread, automation must be considered when developing an incident response strategy. 

ChandanaP946,
User Rank: Strategist
9/27/2016 | 7:17:38 AM
More than 400,000 Sensitive Healthcare Records Leaked on the Dark Web
Cybersecurity firm OWL recently discovered over 400,000 healthcare records on the Dark Web. Some of these files were swiped during traditional system hacks. But, said OWL's president and CEO Mark Turnage, ransomware was responsible for the majority of the leaks. In the near future, ransomware could be the single largest cybersecurity threat facing consumers, companies, and organizations. https://cyware.com/news/more-than-400000-sensitive-healthcare-records-leaked-on-the-dark-web-dcec7889