On October 29th, just before Halloween, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning of impending ransomware attacks against healthcare providers, specifically by Advanced Persistent Threat (APT) actors using TrickBot and BazarLoader. Once the attackers get one of these tools into the environment, they can proceed however they want. Malware. Ransomware. Data theft. Or, more than likely, a combination that includes all of the above.
The CISA alert is timely, since we’ve been seeing more attacks across the spectrum of healthcare providers and medical research organizations of late. With the world still mired in a global pandemic that’s seen over 230K deaths in the United States and over 1.2M worldwide, it seems especially, well, evil, to be targeting hospitals and research organizations when people’s lives are, literally, at stake.
While no company likes to lose money to a ransomware attack, the risk for healthcare providers isn’t just the loss of cash and customer confidence. People can literally die. When healthcare providers suffer a cyberattack, they need to act quickly to get their systems back online as rapidly as possible. Whether that entails relying on their disaster recovery plan with backups and business continuity procedures, or paying the ransom and hoping for the best, matters less than keeping their patients alive. However, from the attacker’s perspective, this is what makes healthcare providers a prime target. It’s precisely because lives are at stake that ransomware and related attacks can be so effective.
Fortunately, medical professionals still know how to do things “the old-fashioned way” – using hard copy charts and everything else they were doing to track patient conditions before everything became completely digitized. They know how to do their jobs whether they have modern systems or not, which is a testament to the training and dedication of our medical professionals. But losing communications, easy record transfers, and coordination between departments, doctors, nurses, and pharmacies can slow patient care, which can lead to some unfortunate circumstances.
Law enforcement gets the unenviable task of tracking down the perpetrators and bringing them to justice. This task becomes significantly harder when the attackers can be operating from anywhere in the world, and they may actually have the tacit approval of their own home government to execute the attacks. Insurance companies can cover the financial losses, which are ultimately spread across everyone. But stopping the attacks from happening in the first place, or mitigating the effects when they do, falls to the Information Security teams at the targeted providers.
It’s not just the security teams, though, who play a part in the defense. Many of these recent attacks were the result of attackers spear phishing individuals at the target organization or cast netting the entire user base. One compromised system is all they need to get malware into the environment. From there, they can further their attacks to exfiltrate patient records, commit fraud, deploy ransomware, or anything else on their agenda.
Securing the users is reasonably straightforward. Education is the first line of defense, so they are less likely to fall for any kind of phishing attack in the first place. Follow that up with good password hygiene, so a password revealed elsewhere doesn’t become the password used to break in somewhere else. Then finish those off with solid multi-factor authentication – preferably using some kind of physical token. The challenge is balancing convenience with security in a fast-paced, often stressful, strictly regulated healthcare provider setting. But it’s not an insurmountable challenge, and medical professionals are both smart and motivated.
The Information Security team has a similar set of challenges. The organization is fast-paced, and information needs to move seamlessly between people and departments. Patients need to be treated effectively and efficiently, not to mention respectfully and compassionately. At the same time, the environment needs to be kept secure. Patient records can be the target of data theft, while some of the systems that are directly keeping people alive can be tied directly to the network. That makes them a potential target for malware or ransomware attacks, and knocking them offline could have dire consequences. This topic’s important enough that we have a webinar on the subject, Securing Internet-Connected Devices in Healthcare: Life Saving Technology.
From the Information Security perspective, it’s a matter of employing industry best practices for process, tools, training, and implementation. That means making sure you’ve got the right security stack in place at every step. For example, you can’t expect users to follow best practices if you allow weak passwords or short-term reuse, haven’t implemented MFA, etc. You need to make sure the perimeters are secure and the VPNs are patched, as are the routers, switches, access points, and the rest of the network kit. The same goes for the servers, workstations, tablets, and all the connected IoT medical devices. And you need to make sure you’ve got tools in place that can monitor everything, which includes behavioral analytics. Gurucul’s Unified Security Analytics platform can spot behavioral anomalies that indicate a breach before the malware is spread or the patient records are exposed.
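As an added illustration of the behavioral-analytics idea above (example code written for this post, not Gurucul’s product or anything from the CISA advisory): each user gets a baseline of how many patient records they normally view and at which hours, and a day under review is flagged when the volume spikes far above that baseline, when access lands outside the usual hours, or when an account has no history at all. All users, counts, and hours below are constructed sample data.

```python
from statistics import mean, pstdev

# Constructed 7-day baseline per user: daily patient-record views and the
# hours of day at which that user normally works. Not real data.
BASELINE = {
    "nurse_a": {"views": [40, 45, 38, 42, 50, 44, 41], "hours": set(range(7, 16))},
    "clerk_b": {"views": [120, 110, 130, 125, 118, 122, 115], "hours": set(range(8, 18))},
    "doc_c":   {"views": [15, 20, 18, 17, 22, 16, 19], "hours": set(range(6, 20))},
}

# Constructed activity for the day under review: (user, hour, records viewed)
TODAY = [
    ("nurse_a", 9, 30), ("nurse_a", 2, 370),   # large burst at 02:00
    ("clerk_b", 10, 128),
    ("doc_c", 14, 21),
    ("svc_new", 3, 900),                       # account with no history
]

def volume_zscore(count, history, sigma_floor=1.0):
    """How many baseline standard deviations today's count sits above the user's own mean."""
    return (count - mean(history)) / max(pstdev(history), sigma_floor)

def flag_anomalies(today, baseline, z_threshold=4.0):
    """Return {user: [reasons]} for users whose record access deviates from their baseline."""
    per_user_total = {}
    off_hours = {}
    for user, hour, n in today:
        per_user_total[user] = per_user_total.get(user, 0) + n
        prof = baseline.get(user)
        if prof and hour not in prof["hours"]:
            off_hours.setdefault(user, []).append(hour)
    findings = {}
    for user, total in per_user_total.items():
        reasons = []
        prof = baseline.get(user)
        if prof is None:
            reasons.append("no baseline for account")   # unknown account: review it
        else:
            z = volume_zscore(total, prof["views"])
            if z >= z_threshold:
                reasons.append(f"volume z={z:.1f}")
            for h in off_hours.get(user, []):
                reasons.append(f"access at {h:02d}:00 outside usual hours")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in flag_anomalies(TODAY, BASELINE).items():
        print(user, "->", "; ".join(reasons))
```

A normal day for clerk_b (128 views against a mean of 120) stays silent, while nurse_a’s 400 views, part of them at 02:00, and the never-seen svc_new account are surfaced for review.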
Healthcare providers are coming under attack. Why attackers have switched from targets that can make them a fast buck to ones that can threaten people’s lives is anyone’s guess. But we have the tools to blunt the attacks, even as these miscreants change tools and tactics.