The first death directly caused by a cybersecurity attack in Germany last September demonstrated that the effects of cyber attacks are not limited to damage to data and IT infrastructure, or even monetary losses. When compromises in cybersecurity are suffered by critical industries such as healthcare, it can now mean a life-or-death situation.
The health industry is old in general, with some institutions built over a hundred years ago, making them vulnerable to attacks as some systems are still running legacy software and applications. In addition, as instruments and devices used for patients are meant to last for a long time, they likely rely on outdated systems, which can leave them exposed to ever-evolving cyber attacks.
“This leaves a window for potential attackers to access data on these devices, or to use them as an access point to then pivot within the network to access sensitive data elsewhere. If these devices don’t need to be connected to the internet for any business-critical reason, then ensure they’re not connected. And when there is a concern, network segmentation based on potential risk should be considered”, suggested Boris Cipot, Senior Security Engineer, Synopsys Software Integrity Group.
Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Centre (CyRC), added that hospital systems face a resource challenge that is strained further when a crisis is present in the community. Priority is given to tending to the sick, and cost centres like cybersecurity are secondary. Unfortunately, patient data is something that is uniquely identifying to a person and something that can’t be changed. Attackers know this, which makes hospital systems and healthcare providers prime targets in the best of times.
“The core cybersecurity challenge is that you want clinicians to have ready access to relevant patient data without requiring them to perform unnecessary steps, but the underlying data should be secured from unauthorised access. This is where contextual access becomes an important concept - clinicians don’t need full access to all data under all circumstances, and neither do other employees. There are many ways to limit access without introducing complex security measures, and access virtualisation technologies like VDI can provide a protective barrier around systems processing electronic health records”, he said.
Mitigating Rising Ransomware Attacks
Attacks on hospitals have only escalated. Just last month, two more hospitals were hit with ransomware attacks. A report by C5 Alliance states that attacks on the healthcare sector have increased by over 150% since the pandemic started.
According to data from Check Point Research, in APAC in October, there was a 33% increase in ransomware attacks against the healthcare industry. The uptick in ransomware attacks in APAC is mostly shown in Singapore (133% increase in attacks against the healthcare industry) and India (20% increase).
“It is no secret that ransomware hackers' main incentive is money and sometimes disruption or sabotage. While the pandemic has already recorded a shocking number of deaths globally, we witnessed another attack last September involving Ryuk, one of the leading ransomware strains out there”, said Tony Jarvis, Chief Technology Officer, Asia Pacific, at Check Point Software Technologies. The implications of such attacks could be catastrophic for hospitals, especially when they are packed with patients during the pandemic.
Tony added that the Ryuk ransomware is responsible for 75% of the ransomware attacks on the U.S. healthcare sector in October. Unlike the common ransomware, which is systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored, targeted attacks, making it more dangerous for the healthcare industry.
Ryuk, along with other ransomware, is forcing these organisations to pay the ransom so they can focus on saving lives. With that, Tony suggested the following steps and tips in preventing ransomware:
Raise your guard towards the weekend and holidays: Most ransomware attacks over the past year took place over the weekends and holidays when people are less likely to be watching.
Virtual Patching: The Federal recommendation is to patch old versions, which could be impossible for hospitals. Therefore, it is recommended to use an Intrusion Prevention System (IPS) with the latest packages as a way of virtually patching against the most recent available exploits.
Anti-Ransomware: The encryption process is very extensive and anti-ransomware with a remediation feature is an effective tool to revert back to operation in a few minutes if an infection takes place.
Education: Training users on how to identify and avoid potential ransomware attacks is crucial. As many of the current cyber attacks start with a targeted email that does not even contain malware but only a socially-engineered message that encourages the user to click on a malicious link, user education is often considered one of the most important defences an organisation can deploy.
Ransomware attacks do not start with ransomware: The operators of Ryuk and other ransomware purchase an existing infection base in targeted organisations. Security professionals should be aware of Trickbot, Emotet, Dridex and Cobalt Strike infections within their networks and remove them using threat hunting solutions – as they open the door for Ryuk.
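The weekend tip and the precursor tip above can be combined into one alert-triage check. The following is an added example, not code from the article or from Check Point: it scans constructed antivirus/EDR alert lines for the four precursor families named above and raises priority for weekend or holiday detections. The alert format, host names, detection-name spellings and the priority policy are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Precursor families named in the article; patterns tolerate vendor-style spellings.
PRECURSORS = {
    "trickbot": re.compile(r"trick[\s_.-]*bot", re.I),
    "emotet": re.compile(r"emotet", re.I),
    "dridex": re.compile(r"dridex", re.I),
    "cobaltstrike": re.compile(r"cobalt[\s_.-]*strike", re.I),
}

# Constructed sample alerts (timestamp | host | detection name), not real telemetry.
SAMPLE_ALERTS = """\
2020-10-23T14:02:11 | ws-radiology-07 | Trojan.Emotet.Gen
2020-10-24T03:40:52 | ws-radiology-07 | Backdoor.TrickBot!mod
2020-10-24T22:15:09 | srv-ehr-02 | HackTool.Cobalt_Strike.Beacon
2020-10-26T09:30:00 | ws-frontdesk-01 | Adware.Generic.Toolbar
2020-10-27T11:05:43 | ws-pharmacy-03 | Trojan.Dridex.Loader
"""

def parse_alerts(text):
    """Yield (datetime, host, detection); skip lines that do not parse."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def triage(text, holidays=frozenset()):
    hosts = defaultdict(lambda: {"families": set(), "off_hours": False})
    for ts, host, detection in parse_alerts(text):
        hits = {name for name, rx in PRECURSORS.items() if rx.search(detection)}
        if not hits:
            continue  # not one of the precursor families, leave to normal handling
        hosts[host]["families"] |= hits
        if ts.weekday() >= 5 or ts.date() in holidays:
            hosts[host]["off_hours"] = True
    # Assumed policy: two or more families, or any weekend/holiday hit, is critical.
    for info in hosts.values():
        urgent = info["off_hours"] or len(info["families"]) >= 2
        info["priority"] = "critical" if urgent else "high"
    return dict(hosts)

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```

Pass the organisation's public holidays as a set of `datetime.date` values in `holidays` so that detections on those days are escalated the same way as weekend ones.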