Delivering uninterrupted services with immediate access to information is not an easy task. Doing it with legacy systems, a fragmented workforce, and inconsistent security is a monumental job. Unfortunately, this is the state of many hospitals, leading the criminal underground to their back doors.
Ransomware attackers have shifted focus, moving from consumers to organizations with weak security but a strong reliance on their information systems. Victims appear to be paying. One ransomware developer posted a screenshot of his digital wallet that showed a balance of US$94 million, earned in about six months.
Hospitals have become a prime target because they usually operate legacy systems and medical devices with weak security and they have a life or death need for immediate access to information.
According to a recent study by the Ponemon Institute, half of all healthcare data breaches in the last year were the result of criminal attacks, as opposed to errors or omissions by employees. At the same time, the primary security worry of these organizations is employee negligence. So it comes as no surprise that phishing and other human-weakness exploits are the primary attack vector.
Ransomware attacks often affect medical devices, which are more challenging to protect and clean up than servers and workstations. Recovering from these attacks not only includes the ransom payment but also the costs of downtime and system recovery. Some hospitals have experienced partial or complete network downtime of five to 10 days. The Foundstone Incident Response team identified at least 19 hospital ransomware attacks during the first half of 2016, across six countries. Most of the hospitals that paid the ransom had no contingency plans for this type of event.
What can you do to protect your hospital? Our Top 10 list for protecting healthcare systems from ransomware and other malware infection:
- Develop an incident response plan, so that if your systems are compromised you can get back in operation quickly.
- On general-purpose devices, keep the patches up to date. Many of the vulnerabilities exploited by these attackers have patches available.
- Whitelist medical equipment to prevent unapproved programs from executing.
- Do not rely on default settings for endpoint protection. Turn on advanced endpoint protections that can block malware executables from running.
- Add or enhance your antispam filter. Most ransomware attacks use uncommon file formats, packed several levels into .zip files to evade detection, so make sure you are scanning for them.
- Block unnecessary programs and traffic. Many ransomware control servers use Tor to get their encryption key. If you can block this traffic, you can stop the encryption process.
- Use network segmentation to separate critical devices required for patient care from the general network.
- Keep backups completely disconnected from the production network, so that ransomware payloads cannot corrupt your backup data.
- Reduce or eliminate the use of local disks to store sensitive data. Secure network drives can be restored more quickly, assuming the backups are clean.
- Almost one in 10 spam messages is still being opened, so ongoing user awareness training is critically important.
To learn more about these recent hospital ransomware attacks and what you can do to protect against them, download the McAfee Labs Threats Report: September 2016.