By Dan Schiappa, Chief Product Officer, Sophos
Globally, ransomware attacks have been one of the biggest threats to cybersecurity, particularly in the healthcare sector. In fact, in November 2020 the United States FBI, Department of Health and Human Services, and Cybersecurity and Infrastructure Security Agency issued strong warnings of an “increased and imminent” threat of ransomware attacks on hospitals and other healthcare providers. This announcement followed a previous attack on Universal Health Services (UHS), on one of the largest chains of healthcare facilities in the U.S., that knocked its systems offline. While patient care was still safely provided while UHS restored its computers, the fact that adversaries even targeted UHS and then succeeded at the attack is eye opening.
How did we get here? In one sense, this has been a long time coming. Hospitals and health systems are, quite unfortunately, ripe for ransomware and other cyberattacks. Some of the factors most responsible for the rise in healthcare-targeted cyberattacks are due to the nature of the industry itself, like decentralized operations across hospitals and healthcare providers, and exponentially growing volumes of patient health information being captured and stored electronically (i.e. electronic health records) by health systems.
COVID-19 is also, in many ways, a culprit for these accelerating healthcare ransomware attacks. The sudden onset of the pandemic forced healthcare providers to very quickly set up emergency COVID-19 facilities, with little time to plan out robust IT security infrastructures to protect these facilities. On top of that, the practically overnight shift to telehealth and remote working meant scores of new security gaps were opened – and discovered by attackers – just as quickly.
This trend has moved in tandem alongside another disturbing one: a growing sophistication among ransomware groups. Instead of large-scale, brute force attacks, ransomware attackers have rapidly shifted to more focused, strategically planned and executed strikes – resulting in more precise attacks that are harder to detect and defend against. This is no assembly line, mass-produced product; this stuff is the craft beer of malware. And it’s the reason why resurgent ransomware gangs like Ryuk, which has been credited with one-third of all ransomware attacks occurring in the past year, have had such devastating success by targeting healthcare providers.
So how do they respond? Here are four key steps every healthcare provider needs to undertake to get ahead of their growing ransomware problem.
1. Identify your weak points.
Ransomware attackers move alarmingly quickly. If a target opens a phishing email attachment, it only takes a little over three hours for the cybercriminals to begin performing recon across the target’s network; within a day, they’ll have accessed a domain controller and begun deployment of their ransomware package. So knowing where your vulnerabilities are is critical. Servers with Remote Desktop Protocol (RDP) enabled, unpatched web servers, and a lack of multifactor authentication for logins are all common and key weak points that attackers will exploit.
2. IT hygiene + companywide awareness and education.
The obvious next step once you’ve identified your weak points is to patch them. Don’t have two-factor authentication? Implement it. Security definitions out of date? Update them. RDP servers are enabled? Shut them down or put them behind a VPN. This is as much an awareness issue as an IT one. Anyone in the organization that sends an email, has a password, or uses a device to log onto a network needs to know and practice basic IT hygiene, including creating stronger passwords and knowing how to spot spear-phishing emails. If they don’t know what that means, they need to be taught. The security of a hospital’s network is only as strong as its weakest password.
3. Implement EDR with human-led threat hunting.
Endpoint detection and response (EDR) shores up security defenses for every device linked to a network, while also providing crucial information on potential threats to response teams who track down and neutralize these issues. This goes hand-in-hand with the human touch of a threat hunting team, whose expertise at recognizing red flags and attack patterns, and parsing the context of impending threats, empowers organizations to proactively go after the problem – ejecting ransomware packages from networks and neutralizing threats at their root cause – rather than sitting in a reactive position.
4. Deploy lightning-fast incident response.
Ransomware moves fast, so healthcare providers need to be able to move faster. Sophos Rapid Response does exactly that: a first-of-its-kind offering that accelerates hospitals’ and health systems’ ability to identify, neutralize, and expel cybercriminals from their networks. The speed of your response is critical; it’s the difference between an executed or thwarted ransomware deployment – and potentially, life or death for patients. Sophos Rapid Response provides the lightning-fast edge that healthcare providers need to stay a step ahead of ransomware gangs, minimizing the damage done to their networks, recouping otherwise lost costs, reducing recovery time, and ultimately helping to preserve the speed and quality of patient care – even potentially saving lives.
With ransomware, the clock is always ticking and every second counts. It’s not an unbeatable threat, but being able to tackle the ransomware problem means hospitals and health systems can’t waste any time on deploying a combination of robust security defenses and proactive, rapid response measures.