The State of Security
ONYEKA JONES | FEB 13, 2018

Ransomware attacks against healthcare providers aren’t new.

In 2017, two crypto-malware infections affecting medical organizations made The State of Security’s top list of ransomware attacks for the year. The first involved an unknown strain that targeted Arkansas Oral & Facial Surgery Center, an incident which affected X-ray images, documents, and patient data related to recent appointments. The second was the now-infamous outbreak of WannaCry, ransomware which affected 34% of National Health Service (NHS) trusts in England. (Most NHS trusts still have a “considerable amount” of work to do to prevent an attack like WannaCry from occurring again, says the Department of Health.)

So, why are ransomware attackers targeting healthcare providers?

First, these intended targets are inclined to follow the example of Hollywood Presbyterian Medical Center and Hancock Health by paying the ransom if they lack data backups. Healthcare providers offer critical services that draw the line between life and death; as a result, digital attackers figure that hospitals and similar organizations are less likely to shrug off an affected server or spend weeks trying to recover their encrypted data.

Second, attackers can monetize healthcare records to an extent that utterly eclipses other stolen data sources. As reported here, a stolen credit card can net someone 30 AUD (approximately 23 USD) on the dark web. That pales in comparison to medical records, which sometimes go for as much as $1,350.

With those factors in mind, ransomware attackers will likely continue to target healthcare providers in 2018. Some did just that in January 2018 when they singled out electronic health record (EHR) solutions provider Allscripts. One Twitter user said the security event, which involved SamSam ransomware, “dramatically impacted patient care and disabled practices nationwide” because it limited medical professionals’ ability to access patients’ medical records and some e-prescribing systems.

Using Foundational Controls to Prevent a Ransomware Attack

When SamSam ransomware brought down Allscripts’ systems last month, it negatively impacted medical professionals’ ability to provide appropriate patient care for more than a week. While this particular attack went after the vendor, an attack like SamSam could very well take a more localized approach of going after healthcare providers directly (find out how Tripwire can protect your EHR environment here).

The consequences of not being able to treat patients effectively should be a reminder for healthcare providers to ensure they have fundamental security controls in place to protect the integrity of their own environments.

When it comes to the threat of a ransomware attack, however, many healthcare organizations think they have a strong security program by way of passing their audit. Unfortunately, this isn’t the case.

Alignment to frameworks like CIS, PCI, NIST, and DISA can effectively decrease the likelihood of suffering a cyberattack, but that depends on the extent to which these frameworks are implemented. Often, organizations can pass audits by implementing only specific parts of these frameworks, so they limit their focus to those few areas. However, measures considered out of scope for an audit could be the ones essential for preventing and detecting a cyberattack, for example, those covering the EHR environment.

Organizations that really strive to implement the CIS, PCI, NIST and DISA frameworks beyond just the purposes of passing an audit are much less likely to be compromised by attacks like SamSam. Healthcare providers should look to implement the foundational security controls to prevent cyberattacks as far as possible and to detect them when they inevitably do get through.

Below are two pieces of advice that healthcare organizations should follow to defend against ransomware and other digital threats using foundational controls.

Preventing Breaches by Hardening the Environment

Attackers will go after the easiest target, for example a server left externally exposed to the internet. Misconfigurations, many of them easy to correct, have been the underlying reason for many successful breaches. Secure configuration management (SCM) is the control that assures systems are set up correctly and securely. While one cannot completely eliminate one’s attack surface, configuring systems properly greatly reduces it and ensures systems are not inadvertently left exposed to outside attackers.

Systems with known vulnerabilities also make for an easy target. Organizations should have vulnerability management (VM) processes in place to understand what vulnerabilities exist within their environment, what risks they present, and if patching is required.

Detecting Intrusions with Continuous Monitoring and Alerts to Change

After the environment is hardened and the attack surface minimized, organizations will want to monitor their environments and be alerted to changes.

What’s popularly known as file integrity monitoring (FIM) might be more accurately described today as “system integrity monitoring,” a fundamental and foundational security control because it answers the key question: are systems still in a secure, trusted state, and if not, what changed?

Implementing FIM would show when new files are dropped into one’s environment. In the case of SamSam, which has a known hash, a good FIM solution would alert when this known bad file has been placed on the host so the security team can act quickly to keep it contained. Ports and services can also be whitelisted and/or blacklisted to notify your security team of any established or listening ports that fall outside of the expected system integrity state.

Again, organizations won’t want to stop at the bare minimum here. Some FIM solutions only show that a change occurred, not whether the change was bad or good, who did it, and whether it’s introducing risk or non-compliance. Without a good FIM solution giving that additional context, users would not be able to easily identify if a change might be SamSam or some other kind of malware-related issue.
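To make the three FIM questions above concrete (what changed, does the change match a known-bad hash, and are the listening ports still in the expected state), here is a small added example, not code from the original post or from any Tripwire product. The known-bad digest, the sample files and the port lists are all constructed placeholders; a real deployment would load indicator hashes from threat intelligence and the expected port set from its own baseline.

```python
import hashlib
import os
import tempfile

# Constructed placeholder, NOT a real SamSam indicator; deployments load real hashes from threat intel.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-MALICIOUS-CONTENT").hexdigest(): "sample-ransomware-placeholder",
}

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                snap[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return snap

def diff_snapshots(before, after):
    """Answer 'what changed?': added, removed and modified paths since the baseline."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, modified

def known_bad_hits(snap):
    """Files whose digest matches a known-bad hash; these warrant immediate escalation."""
    return {p: KNOWN_BAD_SHA256[h] for p, h in snap.items() if h in KNOWN_BAD_SHA256}

def port_deviations(listening, expected):
    """Listeners outside the expected state, and expected services that have vanished."""
    return sorted(set(listening) - set(expected)), sorted(set(expected) - set(listening))

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)

def demo():
    """Constructed walk-through: baseline a directory, tamper with it, re-check it."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "app.dll", b"legit build 1")
        write(root, "config.ini", b"port=443")
        before = snapshot(root)
        write(root, "config.ini", b"port=9999")                              # altered config
        write(root, "payload.exe", b"CONSTRUCTED-SAMPLE-MALICIOUS-CONTENT")  # dropped file
        after = snapshot(root)
        added, removed, modified = diff_snapshots(before, after)
        unexpected, missing = port_deviations([22, 443, 9999], [22, 443])
        return added, removed, modified, known_bad_hits(after), unexpected, missing
```

The diff alone only says that `config.ini` changed and `payload.exe` appeared; the hash match and the port deviation are the extra context that tells the analyst which change to treat as an incident.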

Recognizing the Necessity of Security

With cyberattacks continuing to prove dangerous to healthcare providers and their patients, the industry needs to invest in building up its security posture, not just in passing audits. Security is an absolute necessity for ensuring patients get the essential health services they deserve.