Ransomware has been an ongoing threat to healthcare entities for years.1 Once impacted by this form of attack, entities ranging in size from large hospitals to small physician practices struggle with issues such as whether and how to pay a ransom, which often requires some form of cryptocurrency (e.g., bitcoin), or how to maintain a safe patient environment with a critical system down.
After the devastating WannaCry attack on British healthcare systems in 2017,2 every person leading a healthcare organization in the US knows the ransomware threat is real. With 1% of the National Health Service (NHS) impacted during the height of the ransomware attack, the consequences included an estimated 19,000 canceled appointments, which cost NHS more than £90 million in revenue and clean-up expenses.
What cannot be estimated is the overall impact on patient health due to canceled appointments and hospital staff having to make do without their usual procedures while computer systems were unavailable. A study3 comparing outcomes from patients admitted to the hospital due to myocardial infarction on marathon versus non-marathon days found delays in transporting patients to the ER and increased 30-day mortality associated with patients in the cities that hosted a marathon. While no study of a large-scale ransomware attack—such as WannaCry in the UK or a more local attack that disrupted a regional hospital—has yet been completed, the results of the marathon-impact study suggest similar negative outcomes may result when entities are impacted by ransomware.
The NHS was criticized because the ransomware found widespread targets: in 2018 many entities were still using computers running Windows XP, an outdated and unsupported operating system (OS). In 2020, Windows 10 is the currently supported Windows OS, and entities will soon have to move from Windows 7 to Windows 10. By some estimates, Windows 7—a successful OS for Microsoft—is still present on 200 million computers in 2020.4 It’s critical that healthcare entities use this time to ensure legacy Windows 7 devices are upgraded as soon as possible. Bad actors know that Windows 7 is end of life, which makes it a significant target.
Healthcare organizations often lack the IT resources needed to upgrade to newer, supported OSs, so outdated OSs are present despite the organization’s best efforts to maintain a secure environment. But lack of resources is just one of the reasons for unsupported operating systems to be present in healthcare settings. Sometimes, legacy systems running Windows 7 or other unsupported operating systems must remain in place so applications can interface with them. In these cases, isolating these devices reduces the risk that the device will affect other computers during a ransomware attack. Implementing VLAN segmentation and limiting outbound access from these devices are effective methods of isolating such systems. These devices should be seen as single-purpose workstations and should not be used to browse the web or check email.
Many hospital administrators are concerned about medical devices. Patching and maintaining updated inventories of these devices are areas many healthcare organizations are just beginning to tackle. According to a January 2020 study,5 70 percent of medical devices are still running Windows 7. Since End of Life for this version was January 14, 2020, this presents a major problem for the healthcare industry. While a medical device network can be isolated as much as reasonably possible and still allow normal workflows to occur, it’s my opinion that it will be only a matter of time before a malware attack will impact medical devices, resulting in significant outages.
During the WannaCry attack in 2017, isolated evidence showed that some medical devices had been impacted. An article published in 2017 showed a Bayer MEDRAD device with a ransom note on its screen in a US hospital.6 Bayer confirmed that its devices were infected without disclosing specifics about the number of devices impacted and the specific version of the software running. Bayer further promised to provide a patch quickly. Unfortunately, hospitals are often at the mercy of medical device manufacturers for patches, and until then, hackers find healthcare targets attractive, not only through stealing PHI but also through extorting money by infecting devices with malware.
So are hospitals just sitting ducks caught between bad guys, resource constraints, and device manufacturers that are slow to provide patches? Not quite. The delivery vehicle used for ransomware attacks has been around for decades. Most ransomware attacks start with a phishing email. Prior to ransomware, most phishing emails captured account credentials that attackers then repurposed for spam attacks. But with the advent of ransomware, attackers found a more lucrative outlet for their “creative” ideas. Studies predict there will be a ransomware attack on businesses every 14 seconds by the end of 2019 and, by 2021, it’s projected that attacks will increase to every 11 seconds.7 Educating users not to click on phishing emails is more important than ever and is a critical first step in preventing ransomware attacks. Taken in the context of the current COVID-19 crisis, it’s important to know that bad guys know how to exploit a pandemic by creating fake COVID-19 sites and phishing scams that pose as official communications about the virus outbreak or pretend to notify users about closings in the area. I cannot stress enough how important it is to train, retrain, and train again.
But what is the most effective way to train users to avoid the 1.5 million new phishing sites that are created each month?8 In addition to regular security awareness training that explains how to pick a strong password, companies should amend their training to include phishing awareness.
Phishing emails have come a long way from the old days—when typos were standard and bad English reigned supreme—and it’s important that healthcare organizations now step up users’ training on how to spot these “improved” phishing attempts. Graphics, such as the one below, can highlight the most common phishing tactics and provide users with basic awareness. Familiarize users with how to determine the target for a hyperlink, understand URL domain information, and differentiate between a legitimate link for companyA.com and a (likely) malicious link leading to companyA.com.ransom.com. As in traditional social engineering attacks, ransomware relies on a sense of urgency, hoping that users in their haste will miss some of the suspicious components in the phishing email. It’s important that users understand that an attempt to quickly answer an email before leaving work may cause an interruption that lasts hours or days.
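The hyperlink check described above, as an added example that is not part of the original post: it pulls each link out of a constructed HTML email body, compares the domain the user sees against the domain the link actually leads to, and flags the companyA.com versus companyA.com.ransom.com pattern. It assumes the registrable domain is the last two labels (no public-suffix list) and that `companya.com` is the organization's own, known domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the registrable domain is the last two labels (no public-suffix list).
def registrable_domain(host: str) -> str:
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")

def assess_link(href: str, text: str, known_domains=("companya.com",)) -> tuple:
    """Classify one hyperlink the way a trained user should: (verdict, real_domain)."""
    host = (urlparse(href).hostname or "").lower()
    real = registrable_domain(host)
    shown = DOMAIN_RE.search(text.lower())
    if shown and registrable_domain(shown.group(1)) != real:
        return "mismatch", real   # visible text names one domain, the link goes elsewhere
    if real not in known_domains and any(host.startswith(k + ".") for k in known_domains):
        return "lookalike", real  # trusted name used as a prefix: companyA.com.ransom.com
    return "ok", real

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def assess_email(html: str, known_domains=("companya.com",)) -> list:
    """Return (href, text, verdict, real_domain) for every link in the body."""
    p = LinkCollector()
    p.feed(html)
    return [(h, t, *assess_link(h, t, known_domains)) for h, t in p.links]

# Constructed sample phishing body for the demo; not a real message.
SAMPLE = """<p>Your companyA.com account will be locked today.</p>
<a href="https://companyA.com.ransom.com/login">companyA.com</a>
<a href="https://companyA.com.ransom.com/login">Click here</a>
<a href="https://companyA.com/help">companyA.com/help</a>"""

if __name__ == "__main__":
    for href, text, verdict, real in assess_email(SAMPLE):
        print(f"{verdict:9} {real:13} '{text}' -> {href}")
```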
Since phishing emails have become more prevalent and attacks are more sophisticated than in the past, many companies have begun augmenting staff training with in-house phishing campaigns, and we’ve seen demand for Agio’s Cybersecurity Awareness Training skyrocket in the past few years. Clients can pick an appropriate campaign—such as an Amazon-based email to coincide with “Prime Day”—and provide a user list to target and Agio will provide the rest. The report will show relevant metrics, such as how many users clicked through and how many entered credentials. Since repetition is key when training users, running several campaigns can provide trending to show whether user response is improving, such as through a reduction in the number of users disclosing credentials, following recommended procedures and deleting the email (and notifying security or IT), or alerting IT staff about the suspicious email.
No matter how prepared a company feels in handling phishing emails, ransomware may still find its way into the network. It’s essential that organizations prepare in several ways. One recommended solution organizations can use to recover from ransomware is to ensure good backups. Since affected servers may stay encrypted if an organization opts out of paying the ransom, having good, recent backups will allow an organization to switch to an older data set and continue work with a minimal data loss. In addition to minimizing business interruptions from ransomware or other types of security incidents, it’s important for companies to have incident response procedures in place that outline not only external communication procedures—such as a website message during an outage—but also how backups will be restored and what will happen to affected servers and laptops.
As with any process that requires quick reaction, preparedness is key. Regularly updating the organization’s incident response procedures, properly training staff in incident response and in how to spot indicators of phishing, and testing your backups are steps any organization can take now to minimize the risk of falling victim to ransomware and causing a prolonged business outage. In these times with COVID-19 on the minds of a lot of people, remember hackers are quick to exploit and weaponize a bad situation. So be extra cautious when receiving emails related to COVID-19 that promise information on testing locations or virus infections because besides malware, you may also be at risk for a ransomware attack. It is best to seek information about COVID-19 from official sources that you have bookmarked on your computer rather than an unexpected email in your inbox.
If you have any concerns about your current state of cyber-affairs, contact us. We’re here to help.