We all know the immense challenge the pandemic has posed to the healthcare industry. You only need walk around your nearest street corner to see homemade messages in front windows thanking healthcare workers for their sacrifices in the last 18 months. But what you might not know is that the healthcare industry was also fighting against another invisible adversary: a wave of cyberattacks via ransomware.
It’s a fierce adversary, too. A hospital being offline presents a critical threat to patient care, and in many cases during the pandemic health staff were forced to document records by hand when cyber-attacks denied them access to electronic patient health information (ePHI) or to internet-connected medical equipment. This shouldn’t have to be the case. In the business of life and death, healthcare organisations simply cannot afford to negotiate for days or weeks while their systems are held hostage.
The threat of ransomware shows no sign of abating, either. In the healthcare sector alone, a third of NHS trusts were successfully attacked with ransomware between 2014 and 2020, causing an estimated 206 days of downtime, while the U.K.’s National Cyber Security Centre (NCSC) warned in its most recent annual review that it had handled over three times more ransomware incidents between September 2019 and August 2020 than in the previous year.
This all points towards healthcare organisations facing an increasing volume of ransomware attacks. Recent events across the Irish Sea serve as further evidence too, with an attack on Ireland’s healthcare system in May reducing appointments by more than 80%, creating a knock-on impact for patients.
Some actions are already being taken to defend against ransomware, but what can providers do to further mitigate the risks they pose?
The open nature of hospitals leaves them vulnerable
Devices are omnipresent in hospitals: in every doctor’s office, at every nurses’ station in the form of portable monitors, in every scanning room and operating theatre. They give healthcare staff access to critical, live data which informs how they can best care for patients. Unfortunately, the easy-access design that makes these systems so useful also makes them – and the swathes of patient records and vital information they provide – vulnerable to attackers.
It is important to design healthcare IT with cybersecurity in mind, but unfortunately many healthcare organisations are yet to heed this lesson. Plenty still run end-of-life software such as Windows XP, leaving them exposed to vulnerabilities that would not be a problem on a supported, patched operating system. Others are failing to respond to attackers’ increasingly frequent efforts to commandeer medical Internet of Things (IoT) devices. You only need cast your mind back to the large-scale WannaCry attack on healthcare systems, which saw many internet-connected medical devices taken offline and many hospitals left without vital equipment for the duration of the attack, to know how that scenario could play out.
Ransomware on the rise
Ransomware ‘kits’ are easy to purchase on the dark web, meaning anyone can exploit vulnerable IT systems. Healthcare services are an attractive target because they store ePHI records containing confidential information about individual patients. In practice, these records aren’t always stored in line with industry standards, and, unlike in many other industries where data is deleted after a set retention period as a protective measure, patient records must be kept for the long term, so the volume of data at risk only grows.
In addition, attackers are becoming far more skilled at targeting the IT weaknesses of their chosen organisation. Many spend a long time lurking on systems before launching the attack, often taking advantage of unpatched vulnerabilities or leftover user accounts belonging to former contractors, both of which could be prevented if modern technology and zero-trust controls were in place.
Once they have gained initial access, the attackers’ next objective is to harvest credentials with higher privileges and look for more machines and more valuable data to extort. Once they have the right credentials, they typically take these steps:
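The leftover-account problem above is one of the cheapest things to check for. The following is an added example (not code from the original article or from CyberArk) of the audit a practitioner would run over a directory export: it flags contractor accounts whose contract has ended and any account with no logon inside a chosen window, which together cover the "leftover user accounts from old contractors" that attackers reuse. The account list and the report date are constructed sample data, and the field names are assumptions about the export format.

```python
from datetime import date, timedelta

# Constructed sample directory export (hypothetical data, not a real organisation).
# Fields are an assumed shape: username, account type, contract end (or None), last logon (or None).
ACCOUNTS = [
    {"user": "jsmith",     "type": "staff",      "contract_end": None,               "last_logon": date(2021, 9, 1)},
    {"user": "ctr_acme01", "type": "contractor", "contract_end": date(2020, 12, 31), "last_logon": date(2020, 12, 20)},
    {"user": "ctr_vend02", "type": "contractor", "contract_end": date(2022, 3, 31),  "last_logon": date(2021, 8, 30)},
    {"user": "svc_backup", "type": "service",    "contract_end": None,               "last_logon": None},
    {"user": "old_admin",  "type": "staff",      "contract_end": None,               "last_logon": date(2020, 2, 14)},
]

# Date the report is run against (constructed, so the example is reproducible offline).
REPORT_DATE = date(2021, 9, 15)


def find_stale_accounts(accounts, today, inactive_days=90):
    """Return (username, reason) pairs for accounts that should be disabled or reviewed.

    Two independent checks are applied to every account:
      1. a contractor account whose contract end date has passed;
      2. any account with no logon within `inactive_days` (never-used accounts count as stale,
         because a dormant account is just as reusable by an attacker as an expired one).
    """
    findings = []
    cutoff = today - timedelta(days=inactive_days)
    for acct in accounts:
        reasons = []
        end = acct["contract_end"]
        if acct["type"] == "contractor" and end is not None and end < today:
            reasons.append(f"contract ended {end.isoformat()}")
        last = acct["last_logon"]
        if last is None:
            reasons.append("never logged on")
        elif last < cutoff:
            reasons.append(f"no logon since {last.isoformat()}")
        if reasons:
            findings.append((acct["user"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, why in find_stale_accounts(ACCOUNTS, REPORT_DATE):
        print(f"{user}: {why}")
```

Note that the active contractor (contract still running, recent logon) is not flagged, while the expired contractor hits both checks; in practice the findings feed a disable-and-review step, not an automatic deletion, since a service account that "never logged on" may be legitimately in use through a different logon type.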
- First, they extract large amounts of sensitive data, such as personally identifiable information (PII).
- Then, using the stolen credentials to avoid detection, they take control of users’ identities and look for ways to ‘live off the land’: taking advantage of programs and processes already installed on a compromised computer. Using the victim’s own tools against them makes attackers appear legitimate, making it difficult for security teams to identify malicious activity. Plus, attackers don’t have to bother building or distributing new tools, which takes time and resources and can raise red flags.
- Finally, they execute their ransomware kit using built-in software distribution channels that the organisation trusts and uses routinely. This is a highly effective tactic, as it allows the attackers to disable – or sometimes completely circumvent – existing security controls.
Explaining extortion
During their attacks, ransomware threat actors look for ways to stealthily disrupt backups, delete shadow copies and release locks on open files (by terminating the processes holding them) so that encryption reaches as much data as possible. In many virtual hostage situations, attackers will not only demand a ransom payment for decrypting target data but also threaten to leak it unless an additional payment is made. According to F-Secure research, nearly 40% of ransomware families discovered in 2020 utilised such double-extortion methods.
Paying the ransom isn’t always the end of the story, either. The NCSC recently shared a cautionary tale of an organisation that paid millions in bitcoin to recover its files but failed to take the necessary steps to identify the attack’s root cause and secure its network. As a result, the same attackers came back just two weeks later, using the same techniques to re-deploy the same ransomware, forcing the organisation to pay another hefty ransom. For this reason, it is important to address the root of the ransomware attack: how did it get in?
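The ‘living off the land’ step listed earlier and the backup disruption described here leave a recognisable trace on Windows hosts: a short burst of built-in utilities (vssadmin, wmic, bcdedit, wbadmin) invoked with arguments that no routine administration uses, often right after a remote-execution service appears. The following is an added example (not the article’s or CyberArk’s code) of detection logic a security team could run over process-creation telemetry. The log lines are constructed samples in an assumed layout (timestamp, host, parent image, command line); the rule names and the five-minute correlation window are choices made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical telemetry in an assumed layout:
# timestamp, host, parent image, command line). Not captured from a real incident.
EVENTS = [
    '2021-06-02T03:14:05 WARD7-PC parent=C:\\Windows\\explorer.exe cmd="C:\\Program Files\\EMR\\emr.exe" --sync',
    '2021-06-02T03:15:11 WARD7-PC parent=C:\\Windows\\System32\\cmd.exe cmd=vssadmin.exe delete shadows /all /quiet',
    '2021-06-02T03:15:12 WARD7-PC parent=C:\\Windows\\System32\\cmd.exe cmd=wmic shadowcopy delete',
    '2021-06-02T03:15:13 WARD7-PC parent=C:\\Windows\\System32\\cmd.exe cmd=bcdedit /set {default} recoveryenabled No',
    '2021-06-02T03:15:14 WARD7-PC parent=C:\\Windows\\System32\\cmd.exe cmd=wbadmin delete catalog -quiet',
    '2021-06-02T03:16:40 WARD7-PC parent=C:\\Windows\\System32\\services.exe cmd=C:\\Windows\\PSEXESVC.exe',
    '2021-06-02T09:00:00 BACKUP01 parent=C:\\Windows\\System32\\svchost.exe cmd=vssadmin.exe list shadows',
]

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$')

# Each rule is a name plus a pattern over the command line. The verbs matter: "vssadmin list shadows"
# is routine, "vssadmin delete shadows" is not, so the patterns match the destructive form only.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete', re.I)),
    ("boot_recovery_disabled",
     re.compile(r'bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no', re.I)),
    ("backup_catalog_deletion",
     re.compile(r'wbadmin(\.exe)?\s+delete\s+catalog', re.I)),
    ("remote_service_exec",
     re.compile(r'psexesvc\.exe', re.I)),
]

# Rules that inhibit recovery; two or more of these on one host in quick succession is the
# staging pattern, as opposed to a single odd command from an administrator.
RECOVERY_INHIBIT = {"shadow_copy_deletion", "boot_recovery_disabled", "backup_catalog_deletion"}


def parse_event(line):
    """Split one log line into its fields; returns None for lines in an unexpected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def match_rules(events):
    """Return one hit per (event, rule) pair, in log order."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.append({"ts": ev["ts"], "host": ev["host"], "rule": name, "cmd": ev["cmd"]})
    return hits


def correlate(hits, window=timedelta(minutes=5)):
    """Raise one alert per host where two or more distinct recovery-inhibiting rules fire within `window`."""
    by_host = defaultdict(list)
    for h in hits:
        if h["rule"] in RECOVERY_INHIBIT:
            by_host[h["host"]].append(h)
    alerts = []
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["ts"])
        for i, first in enumerate(host_hits):
            rules = {h["rule"] for h in host_hits[i:] if h["ts"] - first["ts"] <= window}
            if len(rules) >= 2:
                alerts.append({"host": host, "start": first["ts"], "techniques": sorted(rules)})
                break
    return alerts


if __name__ == "__main__":
    found = match_rules(EVENTS)
    for h in found:
        print(f"{h['ts']} {h['host']} {h['rule']}: {h['cmd']}")
    for a in correlate(found):
        print(f"ALERT {a['host']} from {a['start']}: {', '.join(a['techniques'])}")
```

The benign "vssadmin list shadows" on the backup server produces no hit, and the PsExec service on its own is only a single-rule hit; the alert fires because three different recovery-inhibiting commands run on the same ward PC inside a minute. Combining match and correlation is what turns noisy per-command matches into a signal that the encryption stage is about to start.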
How can healthcare get ahead of ransomware attacks?
As ransomware attacks become more sophisticated and highly targeted, healthcare organisations must proactively ramp up their security posture to protect critical infrastructure and preserve patient care and trust.
The implementation of a ‘Zero Trust’ framework and the principle of least privilege within healthcare is a must. This means organisations should not automatically trust or grant access to any device or user until it has proven its identity, and once authenticated, that user should have access only to the information they actually need. In a hospital, these identity-centric controls might mean an oncologist having access only to their own patients’ records, rather than to all oncology patients. If an attacker obtains that oncologist’s login, they gain access to only a few patients’ records, and the potential damage is significantly reduced.
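The oncologist example can be made concrete by comparing the two policies side by side. The following is an added example (not the article’s or CyberArk’s code) of a per-patient authorisation check next to the coarser department-wide rule, together with a function that counts how many records a stolen credential would reach under each. The patient records, clinicians and assignments are constructed sample data; the policy and function names are choices made for this example.

```python
# Constructed sample data (hypothetical; no real patients or staff).
RECORDS = [
    {"id": "P001", "dept": "oncology",   "clinicians": {"dr_adams"}},
    {"id": "P002", "dept": "oncology",   "clinicians": {"dr_adams", "dr_baker"}},
    {"id": "P003", "dept": "oncology",   "clinicians": {"dr_baker"}},
    {"id": "P004", "dept": "oncology",   "clinicians": {"dr_chen"}},
    {"id": "P005", "dept": "cardiology", "clinicians": {"dr_diaz"}},
    {"id": "P006", "dept": "cardiology", "clinicians": {"dr_diaz"}},
]
USERS = {
    "dr_adams":  {"role": "consultant", "dept": "oncology"},
    "dr_baker":  {"role": "consultant", "dept": "oncology"},
    "nurse_eve": {"role": "nurse",      "dept": "oncology"},
}


def department_policy(username, record):
    """Coarse rule: anyone in a department may read every record in that department."""
    return USERS[username]["dept"] == record["dept"]


def assignment_policy(username, record):
    """Least-privilege rule: only clinicians assigned to the patient may read the record."""
    return username in record["clinicians"]


POLICIES = {"department_rbac": department_policy, "per_patient": assignment_policy}


def reachable_records(username, policy):
    """Record IDs a given identity can read under `policy`."""
    return sorted(r["id"] for r in RECORDS if policy(username, r))


def blast_radius(username):
    """How many records a stolen credential for `username` exposes under each policy."""
    return {name: len(reachable_records(username, p)) for name, p in POLICIES.items()}


def can_read(username, record_id, policy=assignment_policy):
    """Authorisation check a record-access endpoint would call before returning data.

    Unknown identities and unknown records are denied outright; denials are the events worth
    logging, since repeated denials from one credential are an early sign of misuse.
    """
    if username not in USERS:
        return False
    record = next((r for r in RECORDS if r["id"] == record_id), None)
    if record is None:
        return False
    return policy(username, record)


if __name__ == "__main__":
    for user in USERS:
        print(user, blast_radius(user))
```

With the department-wide rule, the oncologist’s credential reaches every oncology record, and so does the nurse’s; with per-patient assignment, the same stolen oncologist login reaches only the two patients under that doctor’s care, and the nurse account, which has no assignments, reaches none. The difference between those two counts is the damage the attacker is denied.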
Least privilege, access and identity restrictions should form the core, identity-centric foundation for a defence-in-depth endpoint security strategy based on a Zero Trust approach. Not only can identity security solutions help detect and block ransomware itself, but by “trusting nothing and verifying everything” they also work to stop identity and privilege abuse at critical points in the attack chain. As a result, threats can be found and stopped before they do harm.
Once these controls are in place, healthcare organisations can focus on enhancing cybersecurity awareness and skills training, revisiting digital security fundamentals, and hardening and backing up critical hospital systems to protect against future attacks. Healthcare organisations provide us with a vital service, so it’s important that they take steps to keep themselves running in the safe way that they and the public deserve.
By David Higgins, EMEA Technical Director, CyberArk