With COVID-19 infection rates spiking across the US once more, healthcare systems are preparing for the many seriously ill patients who are sure to arrive. But according to federal agencies, healthcare organizations must be on high alert for a surge in ransomware attacks as well.
Attacks aiming to cripple hospital and medical center operations and steal data have accelerated in recent weeks. According to an alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation, and Department of Health and Human Services, the situation could soon become much worse.
The alert points to specific malware threats for which security teams need to be on the lookout, including the Trickbot trojan and Ryuk ransomware-based attacks. As Ericom Software CTO Nick Kael highlighted in a recent blog, healthcare organizations have been the focus of other recent CISA alerts as well. Why healthcare? Due to the life-and-death nature of their work – especially now, with a pandemic raging – healthcare organizations are assumed by hackers to be likely to pay ransom in order to get systems back online quickly. Sadly, a recent attack resulted in the tragic death of a patient whose care was delayed when the local hospital could not admit patients because its systems were shut down.
The CISA alert presents a valuable list of recommendations for organizations to implement to prepare for the coming ransomware storm. While all are useful and ideally should be implemented, I’d prioritize these three for immediate action:
Develop and Communicate a Well-Defined Ransomware Response Plan
The reality is that this type of attack might very well successfully compromise your systems, so it’s important to be prepared. Develop a plan, in advance, to deal with a potential ransomware situation, rather than winging it in mid-incident. CISA provides a Ransomware Response Checklist, but also have a look at MITRE’s Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook. Once the plan is defined and accepted by key stakeholders, make sure that all parties likely to be involved in ransomware incident response are aware of the plan. Proactively brief the group on all pertinent details. Lastly, trust your plan and follow it if ransomware strikes – don’t, in the heat of the moment, forget it when you need it the most.
Improve Defenses at the Points Ransomware is Likely to Enter – via the Web and Email
The data is clear: Ransomware primarily gets into networks by way of an endpoint that’s compromised via an interaction with the outside world – typically an infected website, a download from the web, or an email link or attachment. Hackers focus on these vectors because they are easy and reliable – in short, they work. Despite training, with enough tries, one employee will click, at some point, on some link that they shouldn’t. And just one click that unlocks malware is sufficient to bring your operation to its knees. Given the stakes, signature-based scanning techniques designed to spot ransomware in web, email, and document content are simply not enough, since malware evolves faster than these solutions can be updated.
That’s why hospitals like ALYN have moved to an isolation-based approach to secure their endpoints and networks. Remote Browser Isolation (RBI) effectively “air-gaps” devices from web-based threats like ransomware. RBI executes web content in remote, isolated, cloud-based containers. Whether users browse to a malicious site or click a link in a phishing email, they are completely safe, since web content never executes directly on their device. Yet users still get a safe, fully interactive, seamless experience, because only rendering information is sent from the isolated session to the browser on their device.
For additional phishing protection, websites launched from links in emails can be rendered in read-only mode to prevent users from entering credentials on phishing sites. Attached files can be sanitized before being transmitted to endpoints, ensuring that malware within downloads cannot compromise user devices.
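The read-only rendering described above comes down to stripping everything a phishing page could use to collect input or run code before the page reaches the user. The following is an added illustration of that idea in plain Python, not Ericom's code and not how any RBI product is implemented: it rewrites a captured page so that forms, input fields, scripts, inline event handlers and `javascript:` URLs are removed while the readable content is kept, and it reports what it dropped so the decision can be logged. The sample page and the `example.invalid` hostname are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Elements removed together with everything inside them: anything that
# collects input, submits it, or executes code.
DROP_WITH_CONTENT = {"script", "form", "textarea", "select", "button",
                     "iframe", "object", "embed"}
# Void elements removed on their own (they have no content to skip).
DROP_VOID = {"input"}
# Attributes that can carry a URL and therefore a javascript: scheme.
URL_ATTRS = {"href", "src", "action"}


class ReadOnlyRewriter(HTMLParser):
    """Re-emit HTML with interactive and executable parts removed."""

    def __init__(self):
        # convert_charrefs=False so entities are passed through untouched.
        super().__init__(convert_charrefs=False)
        self.out = []          # fragments of the rewritten page
        self.skip_depth = 0    # >0 while inside a dropped element
        self.dropped = []      # audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1      # track nesting inside a dropped element
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            self.dropped.append(tag)
            return
        if tag in DROP_VOID:
            self.dropped.append(tag)
            return
        safe = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):    # onclick, onload, ... inline handlers
                self.dropped.append(f"{tag}@{name}")
                continue
            if lname in URL_ATTRS and value and \
                    value.strip().lower().startswith("javascript:"):
                self.dropped.append(f"{tag}@{name}")
                continue
            safe.append(name if value is None
                        else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + tag + (" " + " ".join(safe) if safe else "") + ">")

    def handle_startendtag(self, tag, attrs):
        # Self-closing syntax such as <input /> or <br />.
        if self.skip_depth:
            return
        if tag in DROP_VOID or tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in DROP_VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments carry nothing the reader needs


def render_read_only(html):
    """Return (rewritten_html, list_of_dropped_items) for a page."""
    rw = ReadOnlyRewriter()
    rw.feed(html)
    rw.close()
    return "".join(rw.out), rw.dropped


# Constructed sample: a credential-harvesting page reached from an email link.
SAMPLE_PAGE = (
    '<html><body><h1>Sign in</h1><p>Welcome &amp; enjoy</p>'
    '<form action="https://example.invalid/steal" method="post">'
    '<input name="user"><input type="password" name="pw">'
    '<button>Login</button></form>'
    '<a href="javascript:alert(1)" onclick="x()">link</a>'
    '<script>document.cookie</script></body></html>'
)

if __name__ == "__main__":
    clean, dropped = render_read_only(SAMPLE_PAGE)
    print(clean)
    print("dropped:", dropped)
```

Because the page is emitted with its forms gone, the user can read it but has nowhere to type a password; the `dropped` list is what a gateway would write to its audit log so that a burst of stripped forms from one sender can be investigated.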
Limit Ransomware Spread by Cloaking Network Apps and Data
Consider a scenario that has — unfortunately — played out numerous times in recent months: An employee comes to the office after working remotely for a number of weeks. They bring their own device, or perhaps a corporate device that they’ve been using on their home network for personal browsing as well as work. Some stealthy malware – maybe ransomware – has made it onto the device and now, since the employee just connected to the in-office network, it is entering your network and about to move laterally to find bigger fish – your organization’s apps, databases, servers and other resources.
What if, when the user connected to the network, the ransomware could not “see” anything there? It could not encrypt data or disrupt systems, since it would not be aware that they were there, or know where to find them. This capability, application isolation, mitigates the damage that ransomware can cause by making apps and data invisible to any unauthenticated program or device trying to discover and access network-connected resources.
By microsegmenting access to resources with this technique, the impact of ransomware – whether introduced within the office from a compromised device, or remotely through a crack in the network’s armor (such as a VPN vulnerability) – can be dramatically reduced.
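To make the “invisible to anything unauthenticated” idea concrete, here is an added model of an access broker, written for this post rather than taken from Ericom or any product: resources are never reachable by network position alone, discovery returns nothing unless the device has passed attestation and the user is authenticated, and each user only sees the applications their role is mapped to. It also keeps a count of denied attempts per device, which is the detection hook a SOC wants, because a freshly connected device sweeping every resource name and being refused each time is exactly the lateral-movement behaviour described above. The resource names, roles, users and device identifiers are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Set

# Constructed inventory: every network-connected resource the broker fronts.
RESOURCES = {"ehr-app", "imaging-viewer", "billing-app", "file-server", "backup-db"}

# Constructed role-to-resource policy. Anything not listed for a role is
# invisible to that role; there is no "default allow".
POLICY = {
    "clinician": {"ehr-app", "imaging-viewer"},
    "billing": {"billing-app"},
}
# Constructed directory of users and their roles.
ROLES = {"dr.lee": "clinician", "pat": "billing"}


@dataclass
class Identity:
    """What the broker knows about a caller. A device that merely plugged into
    the LAN starts with no user and no attestation."""
    device_id: str
    user: Optional[str] = None
    device_attested: bool = False   # posture / device-identity check passed


class AccessBroker:
    def __init__(self, enumeration_threshold: int = 3):
        self.audit = []                    # human-readable decision log
        self.denied = Counter()            # denied attempts per device_id
        self.threshold = enumeration_threshold

    def _allowed(self, ident: Identity) -> Optional[Set[str]]:
        """Resources this identity may see, or None if it is not authenticated."""
        if not ident.device_attested or ident.user is None:
            return None
        return POLICY.get(ROLES.get(ident.user, ""), set())

    def discover(self, ident: Identity) -> Set[str]:
        """Answer a 'what is out there?' request. Unauthenticated callers get
        an empty answer and a denial on their record."""
        allowed = self._allowed(ident)
        if allowed is None:
            self.denied[ident.device_id] += 1
            self.audit.append(f"{ident.device_id} discover: denied (unauthenticated)")
            return set()
        self.audit.append(f"{ident.device_id}/{ident.user} discover: {sorted(allowed)}")
        return set(allowed)

    def connect(self, ident: Identity, resource: str) -> bool:
        """Decide a connection to one resource. Unknown resource names are
        refused the same way as unauthorized ones, so a probe learns nothing."""
        allowed = self._allowed(ident)
        if allowed is None:
            self.denied[ident.device_id] += 1
            self.audit.append(f"{ident.device_id} -> {resource}: denied (unauthenticated)")
            return False
        if resource not in allowed:
            self.denied[ident.device_id] += 1
            self.audit.append(f"{ident.device_id}/{ident.user} -> {resource}: denied (not authorized)")
            return False
        self.audit.append(f"{ident.device_id}/{ident.user} -> {resource}: allowed")
        return True

    def enumeration_suspects(self) -> Set[str]:
        """Devices whose denial count looks like a resource sweep."""
        return {d for d, n in self.denied.items() if n >= self.threshold}


def simulate():
    """Constructed scenario: an infected, unattested laptop joins the office
    network and sweeps for targets; an attested clinician workstation works."""
    broker = AccessBroker()
    laptop = Identity("laptop-07")                       # no user, no attestation
    seen = broker.discover(laptop)                       # -> empty set
    sweep = {r: broker.connect(laptop, r) for r in sorted(RESOURCES)}

    workstation = Identity("ws-12", user="dr.lee", device_attested=True)
    ehr_ok = broker.connect(workstation, "ehr-app")      # allowed by role
    backup_ok = broker.connect(workstation, "backup-db") # not in clinician policy
    return {
        "laptop_sees": seen,
        "laptop_sweep": sweep,
        "clinician_ehr": ehr_ok,
        "clinician_backup": backup_ok,
        "suspects": broker.enumeration_suspects(),
        "audit": broker.audit,
    }


if __name__ == "__main__":
    for line in simulate()["audit"]:
        print(line)
```

The point of the model is the shape of the decision, not the data structures: identity and device posture are checked before a resource name is even resolved, a denied probe is indistinguishable from a non-existent resource, and the denial counter turns the ransomware's own discovery behaviour into an alert.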
We, at Ericom, take our hats off to the dedicated warriors – both medical and cyber – who are giving their all to keep our patients, healthcare systems and healthcare providers safe during these challenging times. The coming months will be difficult ones, on both medical and cyber frontiers. If the CISA alert is correct, I am confident that the skills, judgement, defenses, and planning that healthcare cybersecurity staffs bring to bear will meet the challenge. We salute them for being the heroes behind the heroes in the fight to keep us all healthy and safe.