TO TOP

Ransomware Alert: Why Hospitals Should Take Notice

The world took a pause on Friday, May 12, 2017, when a series of ransomware attacks compromised multiple organizations worldwide. By the end of the weekend, the list of impacted computer systems included a number of hospitals in the United Kingdom, Spanish telecommunications company Telefonica, FedEx, the Russian Interior Ministry, and several others.

In addition, the U.K. National Health Service has confirmed that up to 25 NHS organizations were compromised by the ransomware, a variant of Wanna Decryptor called “WannaCry.” After first infiltrating the organizations’ infrastructures, the malware then locked down hospital computers so clinicians and doctors could not access patient records unless they paid a $300 Bitcoin ransom.

While patient health and experience are a hospital’s first priority, the extensive damage of the WannaCry infections and ensuing chaos should be a major wake up call to also prioritize security. In the aftermath of these attacks, healthcare organizations and their IT teams should be taking the necessary steps to protect the confidential and highly sensitive information they store on a daily basis.

What is ransomware?

Ransomware is malware that holds the victim’s computer to ransom, either by restricting access to the computer by locking the desktop or by encrypting the files. The malware then displays a ransom note with specific guided instructions on what to do next to fix the problem.

The most common way that ransomware spreads and infects is through SPAM email attachments. Once opened, the malware infects the computer and then spreads itself quickly through the network to infect other machines. Ransomwares also use infected websites to spread themselves.

Why should hospitals care?

As this was a highly “successful” operation from the criminals’ standpoint, we can expect that the intensity, sophistication, and velocity of the attacks will only continue to grow. Further, today’s cyber-attacks are targeted, complex, and can cause devastating damage to the victims and their networks, such as loss of reputation and the tarnishing of brand recognition.

Hospitals have never been more at risk thanks to rapid advances towards digitization. With the widespread adoption of electronic medical records, hospitals’ infrastructures now carry a wealth of sensitive patient health information (PHI) data–such as patient records, clinical diagnoses, prescription information, and hordes of other valuable information.

Perpetrators are constantly looking for the weakest link, and when compared to traditional enterprises, hospitals’ infrastructure and security hardening still has quite a long way to go. After all, financial entities and industries have painfully suffered similar attacks for a decade (or more), and have rightfully adapted to protect themselves.

Perhaps most critically, any amount of disruption to normal hospital activities or unavailability of resource systems can result in significant loss of revenue and decreases in customer satisfaction. When you factor in the amount of electronic-based systems used in a hospital on a minute-to-minute basis, it’s easy to see how real-time decision-making can be suboptimal if the reliability and accuracy of this information is compromised.

For a tangible example of this, consider that the WannaCry attack impacted Barts Health, the UK’s largest hospital trust in London, so significantly that they were experiencing delays and cancellations of appointments as late as Wednesday evening. As a result, hospital leaders had to greatly reduce the volume of planned operations and clinics on Thursday to make sure the hospital can run all services safely.

Moving into the second half of 2017 and beyond, hospitals must be hyper-vigilant to defend information systems and resources from malicious and unauthorized users. As the WannaCry situation shows, cybersecurity can no longer be a secondary priority for healthcare organizations; it has to be one of top priorities alongside care delivery and resource allocation.

Recommendations and Safety Procedures

For those looking to improve, below is a comprehensive list of initial recommendations your organization can take to protect from ransomware and other security threats:

  • Install software updates periodically and make it as part of your IT security policy
  • Turn on auto-updates where available
  • Deploy leading Anti-virus (and malware) products
  • Have a well documented backup and recovery contingency plan
  • Employ encryption both at-rest and at-transmission
  • Approve access to perform remote administration activities only when accompanied by one of the following methods — VPN, SSH, etc.
  • Develop ‘incident response’ policies that define critical, priority -1 and -2 issues
  • Employ safety-training procedures in the company
  • Mandate compliance with regulations and conduct periodic audits to monitor

 

How to Be Proactive Now

While the recommendations above outline some specific steps hospitals can take to be ready for an attack, there are three main things all facilities should be doing now.

  • Invest in leading security technologies and best practices, including:
    • Server Hardening, Configuration Management.
    • Host Firewalls, IDS/IPS, Web Firewall, Anti-Virus, Anti- Malware, Keyloggers, Rootkits, Spyware.
    • Centralized Log Collection, Analysis, and Alerting.
    • Perform periodic Vulnerability Scanning at all layers.
    • Perform Log Monitoring, Reviews and Incident Response.
  • Enforce a well- defined Incident response plan.
    • Risk assessments.
    • Collection of evidence (forensic analysis) after an incident.
    • Initiate an effective communication and escalation policies (using outside experts / law enforcement).
    • Invest in Threat Containment and Isolation technologies.
    • Eradication and Recovery.
    • Training – perform employee awareness training and lifecycle training.
  • Protect PII and Customer confidential data .
    • Share customer data with co-workers only on a need-to-know basis.
    • Employ encryption both at-rest and at-transmission.
    • Employ proper AAA (Authentication, Authorization and Access) controls.
    • Enforce strict password security controls, install commercial Anti-Virus and Malware detection tools, screensaver controls etc.

 

For more technical details and specific instructions on how to reduce the risks of the attack, please visit the Symantec link @  https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2017-051310-3522-99.