By Susan Biddle, Sr. Director of Healthcare, Fortinet
Twitter: @Fortinet
Three Strategies for Defeating Ransomware in Healthcare
The havoc that Ransomware creates is real, its immediate impact and implications clear: workstations are disabled, files are encrypted and systems are shut down. The screen tells you what’s wrong and how much you’ll need to pay to fix it. It’s a straightforward transaction that everyone understands, and it’s driving IT security budgets around the world.
Medical record breaches reached a frightening high last year, but they only affected a small number of organizations, so it can be difficult for many to see breaches as a clear and present danger. Ransomware, though…everybody gets that. With a large, and growing, number of variants, Ransomware attacks on healthcare organizations are becoming a near-daily occurrence. They don’t require sophisticated hacking tools and complex reconnaissance – just a simple phishing email or a compromised web server and a single vulnerable device.
Healthcare workstations suffer from certain vulnerabilities that workstations at other kinds of organizations don’t. For instance, they are commonly in areas accessible by the public, often lagging in the latest security patches, and usually running out-of-date versions of vulnerable applications like Adobe Flash and Java because of compatibility issues with older applications. On top of that, they’re frequently operated by many, many different users – very busy clinical staff focused on patient care and have little interest in cybersecurity or other technical matters. This creates an environment of extreme vulnerability from an almost unlimited number of attack vectors.
The news isn’t all bad, though. There are ways to close off those attack vectors, prevent compromises and remediate the attacks that do get through. It’s easy to get overwhelmed by the ubiquity and enormity of the threat, but don’t fall into the trap of believing in the “universal panacea” sometimes offered up by security vendors. There is no silver bullet to make you invulnerable to Ransomware, but there is a lot you can do to protect yourselves.
Know Your Enemy
Some basic facts about Ransomware are in order. It isn’t new, and it isn’t more powerful, more sophisticated or more insidious than any of the other Malware threats that are out there. What it is, is more obvious, more immediate, and potentially, more patient-safety threatening than most. So a good defense against Ransomware needs to focus on the basics: education, prevention and remediation.
Every year, you teach employees about things like infection control, fire safety, how to clean up or escape from biohazard spills, and proper computer safety procedures. But while fire hasn’t really changed much in thousands of years, and spills are slow and limited, cybersecurity threats change daily and are updated hourly. Approximately 35,000 new websites are created every hour, but only 4,200 new domains are registered in that same time. The logical conclusion is that a significant number of those sites are used for malicious or illicit purposes.
It certainly sheds light on how hard cybercriminals are working to take advantage of us all, so your education programs need to keep up. Phishing remains the leading attack vector for Ransomware, with some reports showing up to 93 percent of malicious email payloads carrying one of the many Ransomware variants. Making matters worse, the 2015 Verizon Data Breach Investigations Report found that nearly 50 percent of users open e-mails and click on phishing links within the first hour,
“with the median time to first click coming in at one minute, 22 seconds across all campaigns. With users taking the bait this quickly, the hard reality is that you don’t have time on your side when it comes to detecting and reacting to phishing events.”
In short, you need targeted education and training. Your annual HIPAA Security Assessments should be identifying your greatest areas of vulnerability. Use those assessments to target your education programs, and also to target your internal testing. Next, look to the industry. What threats are people talking about and predicting for the next six to12 months, and what are the potential threat vectors involved? In this case, we’re talking about Ransomware, so while there are a variety of threat vectors, the number one avenue remains phishing emails.
So, it’s past time to step up your anti-phishing education. Get some examples of real phishing emails that carry Ransomware payloads—either primary or secondary payloads, zeroing out the payload and malicious links, of course—and then craft them into some general education for your users. Then test them. Send out the same emails that you used for training with live (non-malicious) links and gather statistics on pass/fail rates. If you’re doing well, follow up with some further testing using previously unseen examples. See if your users are making the connection. Focus follow-up training on those who fail more than once.
Lastly, consider creating an incentive program. Make detecting malicious emails a positive experience for the users. Create a Help Desk email account specifically for users to forward possibly malicious emails to for evaluation. Make it a contest. Every month, have a drawing for a gift card or similar prize and enter everyone who submitted a legitimately malicious email for inspection. Turn the game on its head and make all your users threat detectors.
A Holistic Prevention Plan
The follow-on effect of Ransomware awareness and training is that any processes, procedures and systems you implement to prevent Ransomware will also protect you from almost every other type of Malware out there. And that can help protect you from data thieves as well. As mentioned earlier, the concept and threat of Ransomware is digestible at all levels. That means it can often generate budget where no budget previously existed. The key is to use that budget in a way that can protect the organization from not just Ransomware, but from all those other types of Malware as well. This could be a solid win for every healthcare system.
Use the budget created by the Ransomware buzz to protect the organization from the much, much higher cost of an ePHI breach. But to do that, you need to make sure that you know exactly what you’re getting from that new budget. All too often, new systems are implemented because somebody read an article, saw a presentation or played golf with someone who said they should check out this “new, revolutionary technology.” The problem is that “new” and “revolutionary” don’t always equate to “effective.” So, how do you pick a good technology that can help you meet your security needs?
The selection process begins with finding a solution that can help shore up your weak areas first. When it comes to Ransomware, what we’re most worried about are unprotected and under-protected devices, and new variants. So, you need the technical equivalent of your Risk Assessment. Analyze your traffic flows; find out what applications are in use on your network and what Malware is already present. Track them down to find your original points of compromise.
Then, once you know your technical vulnerabilities, put together a holistic plan to deal with them. Don’t just react to the biggest or scariest item on your vulnerabilities list. Really evaluate all of the vulnerabilities and put together a plan to deal with them. Depending on your budget, it may take a few years—or more—to fully enact the plan, so you’ll want to re-evaluate it each year as threats and vulnerabilities evolve and change. The important thing is that you put together and document your plan well so you can get executive buy-in to support it.
As you’re putting that plan together, something to give very serious consideration to is an Advanced Threat Protection (ATP) solution, aka sandboxing. Cybercrime is a multi-billion dollar industry, which means there is significant R&D going into the Malware and hacking tools that criminals are using to get into your networks. The discovery of 35 new Zero Day vulnerabilities in 2016 adds up to more Zero Days combined with more criminal R&D. This means more new exploits and more new Malware variants that cannot be detected by signature-based systems. That means you are completely vulnerable to these attacks without an ATP solution.
But that doesn’t mean rush out and buy a sandbox tomorrow. It means work it into your holistic security plan to ensure that the sandbox you buy can integrate with your security solutions and effectively cover multiple—preferably all—threat vectors. For example, integrate your sandbox with your secure email gateway. Remember that the primary inroad for Ransomware is phishing emails. Having a secure email gateway that can inspect attachments—looking for unusual files that may have not triggered malware signatures—and submitting them to a sandbox for behavioral analysis before it even reaches the end user is a solid, advanced Ransomware detection mechanism. This will reduce the potential of a security incident due to human error. Keep in mind that just having a sandbox doesn’t help you if you don’t have it deployed effectively and act on the alerts it gives you.
The last note on the prevention side for now is that it may be time to re-evaluate your endpoint protection plan. The needs of endpoint protection have changed a lot in the last few years. Like your users, your endpoints are your most vulnerable and most important line of defense. The idea of changing out your endpoint protection can be daunting, but it needs to be considered. Making sure that your most vulnerable devices are effectively protected could be the most important thing you do.
Fixing All the Broken Things
Gartner recommends that all organizations should behave as if in a state of constant compromise. The FBI says it a little differently: There are two types of companies – those that know they’ve been hacked and those that don’t. Either way, the gist is that you need to acknowledge that a compromise is highly probable, especially while you’re still working on putting together that holistic security plan.
Several actions are necessary to effectively remediate a Ransomware attack. First, you really need to know whether or not you’re willing to pay the ransom. We all agree that in principle, paying ransom is a terrible idea, but in reality there may be situations where a system or data are so critical that you have no choice. Identifying those systems in advance can help you move through the process more quickly and could possibly allow you to find an alternative to paying that ransom.
The rest of the remediation plan is fairly straightforward. Rotating, offline backups are a necessity. Several variants of Ransomware are able to seek out online backups and delete or encrypt them BEFORE encrypting PC and shared files and announcing themselves. If you’re using live disk backups, you could lose your backups and be unable to restore. Time to drag those tape backup systems out of storage or schedule your backups and then sever the connection so the Ransomware can’t find it.
Next, put together a specific incident response plan for this type of attack and, most importantly, TEST IT. Do tabletop exercises to make sure everyone knows their role and what to do, and then fully test your restore plans to ensure that they work correctly. There are horror stories about real-life restore attempts that failed because they’d never been tested. Backups aren’t any good if they can’t be restored.
Lastly, having an educated workforce becomes part of your remediation plan because once again, they’re your best weapon. Teach your users what a Ransomware compromise looks like and what to do when they see one. A quick report to IT can help a lot, especially against those Ransomware variants that spread via worm-like behavior. And having users that know that they shouldn’t bring their compromised laptop onto the corporate network could save you a lot of pain and suffering.
Ransomware looks like it’s here to stay, so you need to be prepared for it. But it doesn’t have to be a nightmarish chore to plan your strategy to defeat it. A well educated staff, along with a solid, rehearsed process and the appropriate technology solutions, will help you avoid the frozen ransom screen that puts your patients and your reputation in danger.