Comment: The surge of ransomware in healthcare – to pay or not to pay

In this article, Dell experts outline the increasing threat of ransomware on healthcare organisation and what operators can do to mitigate the risks

Tackling ransomware from the perspective of healthcare IT, one of the hardest-hit sectors thus far, this article focuses on how organisations can secure themselves from strains like Locky, TeslaCrypt, and Maktub Locker. Dell advocates employing solutions that begin with user training and extend to strong VPN device interrogation and endpoint security

Being prepared to address the threat of ransomware is rapidly becoming a top priority for healthcare organisations

A recent survey from HIMMS showed that over 50% of healthcare providers in the US were affected by a ransomware attack in the past 12 months.

Although this worrying trend is largely absent in Europe, with the exception of two German hospitals suffering a recent breach, healthcare institutions should take adequate measures to ensure that ransomware in healthcare does not sweep across the continent.

Cyber criminals have realised that healthcare institutions are soft targets given the sensitive nature of patient data and the dependence on IT systems to run clinical workflows. Imagine not being able to access lab records in an emergency department disrupting care for critically-ill patients, or doctors not being able to carry a diagnosis because they cannot access medical records. If a patient’s life is on the line, then paying the ransom might seem as the best way out.

Ransomware has been around for a long time, but it has never been so popular or profitable.

Unlike other types of malware that attempt to exfiltrate data; ransomware seeks to cause disruption by either encrypting your valuable files/data, or locking your system until the demands are met.

To steal a credit card number and use it to commit fraud has become increasingly difficult as there are multiple steps involved and banks/merchants have put in controls at each step to detect and prevent the transaction.

Ransomware, on the other hand, requires fewer steps to execute and takes advantage of the urgency and panic that it creates to force a payment. Additionally, the anonymity offered by the TOR Network (aka Dark web) and BIT Coins, provides a perfect getaway.

According to Forbes; the Locky ransomware is infecting approximately 90,000 systems a day, and it typically asks users for 0.5-1 bitcoin ($420) to unlock their systems. Beazley Breach Response Services has found that 18 healthcare breach incidents were reported that could be attributed to ransomware in the first three months of 2016.

A typical attack

More often than not ransomware attacks start with a phishing email. The 2015 Verizon Data Breach Investigation report showed that 23% of recipients open phishing emails, and 11% actually click on the attachments. This means that out of 100 recipients, two will fall victim - a staggering statistic.

Many of the traditional security controls often fail to detect ransomware if they are only looking for unusual behaviour and standard indicators of compromise

A more-targeted approach to phishing, often called ‘spear phishing’, comes with even-greater efficacy. How likely are you to click on an email that seems to be from your primary care provider with an attached lab report? Or an email from law enforcement for a speeding violation at a date/time/location that matches your daily commute and a link to additional details on the fine?

Once you click the link it opens up a spoofed website triggering a drive-by-download to install ransomware on the endpoint. Other methods include infected USB sticks, exploiting vulnerabilities on unpatched software applications, malvertisements - clicking on an advertisement can redirect users from an innocuous site to a malicious landing page - and others.

Many of the traditional security controls often fail to detect ransomware if they are only looking for unusual behaviour and standard indicators of compromise. Once on the system, ransomware behaves like a security application and it can deny access to other systems/programmes. It usually leaves the underlying files and systems unaffected and only restricts access to the interface.

Coupled with social engineering, this can be quite effective. A scenario starts with the display page showing that law enforcement has locked the computer because of downloaded pirated movies, which is followed by a call from an ‘agent’ demanding payment. Aside from traditional computing devices which are vulnerable, any connected device can be affected including mobile phones, medical devices, wearable devices, and IoT sensors.

Ransomware can also behave like an encryption programme and silently run in the background encrypting specific file types (eg Excel, PDF, Word, .pst and others). The encrypted files will have a modified extension and cannot be opened by their native applications.

The ransom demand will soon follow, often with a time limit after which the decryption key will allegedly be permanently destroyed. Today, we see that attackers are using industry standard algorithms (RSA, 3DES, AES) more frequently and asymmetric key encryption techniques, making it nearly impossible to decrypt without the key. Once the ransom is paid, the decryption key is sent to the victim to recover the files.

Some of the recent ransomware strains to hit healthcare organisations are Samsam, Maktub Locker, Locky, TeslaCrypt and WinPlock4.

Protecting against ransomware

User training and awareness is paramount and probably the first step to safeguard against ransomware. Treat any suspicious email with caution; look at the domain name that sent the email; check for spelling mistakes; and review the signature and the legitimacy of the request. Hover on links to check where they lead to and if any URL seems suspicious, and type the website into a browser or look it up on search engines as opposed to clicking the link in the email. To increase security, organisations should deploy an email security solution that scans all attachments besides filtering for spyware and spam. Along with periodic user training and risk assessments, they should also conduct phishing vulnerability tests.

User training and awareness is paramount and probably the first step to safeguard against ransomware

Since most users primarily interact with personal/corporate devices, the endpoints are particularly at risk if they are not managed or don’t have the right anti-malware protection. Most anti-virus solutions are signature based and prove ineffective if not updated regularly. The newer ransomware variants are uniquely hashed and thereby undetectable using signature-based techniques.

Many users also turn off their virus scans so that it doesn’t slow their system down. To address these limitations, there are endpoint security solutions that use advanced machine learning and artificial intelligence to detect malware. They also have a small footprint causing minimal performance overhead.

Management of endpoints is also a growing challenge as devices with multiple form-factors and operating systems are introduced in hospitals. Mobile devices are particularly vulnerable as noted in the 2016 Dell Security Annual Threat Report, which discovered an increasing amount of ransomware affecting the Android ecosystem. Choosing a solution that is able to automate patching and version upgrades in a heterogeneous device, OS and application environment, will go a long way in addressing a range of cyber threats including ransomware.

Most ransomware attacks will try to spread from the endpoint to the back-end infrastructure, via the corporate network, where data and mission critical applications reside. Segmenting the network and keeping critical applications and devices isolated on a separate network or virtual LAN can limit the spread. Having the right next-generation firewall that is able to scan all traffic irrespective of file size is also critical.

With the rapid increase in SSL encrypted traffic, as indicated by the Dell Security Threat Report, there is always a risk of downloading encrypted malware that is invisible to traditional firewalls. Hence it is important to ensure that the firewall/IPS is able to decrypt and inspect encrypted traffic without slowing down the network. The solution should be able to monitor both incoming and outgoing traffic, and block communication with blacklisted IP addresses as ransomware tries to establish contact with its command and control servers.

Finally, as soon as a new malware variant is detected, the firewall should have an automated update and centralised management process to roll out updates or policies quickly and consistently across all nodes.

Choosing a solution that is able to automate patching and version upgrades in a heterogeneous device, OS and application environment, will go a long way in addressing a range of cyber threats including ransomware

For remote users who are outside the corporate network perimeter, Virtual Private Network (VPN) based access should not only establish a secure connection, but also conduct a level of device interrogation to check for policy compliance on the endpoint. If an endpoint does not have the required security updates then it will not be allowed on the network or it will be granted access to only a limited set of resources.

Another safeguard against having to pay ransom is a robust back-up and recovery strategy. Depending on how quickly the compromise was detected, how far it had spread, and the level of data loss that is acceptable, recovery from a backup could be a good option. However, this calls for a smarter back-up strategy that is aligned to the criticality of your data and the needs of your business around recovery point and recovery time. Recover the most-critical data in the least amount of time. Finally, just having a strategy is not sufficient. Periodic testing of disaster recovery and business continuity is just as important.

Being prepared to address the threat of ransomware is rapidly becoming a top priority for healthcare organisations. There is legislation being discussed that will expand HITECH acts to include breach notification requirements for ransomware attacks. This will place additional liability and financial burdens on providers to put remediation plans in place.

Companies