In September 2020 alone, multiple ransomware attacks at major hospitals globally downed critical systems, locked patient data, and cost at least one life (that we know of). Factor in the strain that the COVID-19 pandemic has put on hospital resources and a lot of healthcare security teams are losing sleep these days, wondering if their hospital or clinic could be targeted next—and if they are prepared to handle it.
The harsh reality is we should expect more ransomware attacks against hospitals and health systems in the future. The culprits are highly organized bad actors after a treasure trove of data that lives in healthcare environments, much of which is critical to patient care. They know that when lives are at stake, their targets will pay up to protect them. And the pandemic has made hospitals even more inclined than usual to pay ransom, as any downtime could spell disaster when ICUs are overflowing and hospital staff are already stretched beyond their capacity. This coincides with hospitals aggressively trying to ramp up elective procedures again to shore up their financial health—so when attackers arrive to put a halt on all operations, it just furthers the financial strain.
The ransomware trend exposes structural and systemic issues in hospital cybersecurity
There is another contributor to the current rise in ransomware and healthcare breaches in general: the way hospital technology environments are designed, connected, and communicate with each other. Traditionally, a more siloed approach to securing different parts of a hospital or health system has been the norm. It’s just the way hospitals have been built and expanded. In addition, the rise of electronic health records (EHRs)—which share data across hospitals, clinics and devices—has led to increased attacks against hospitals.
Overlooked in some of these good intentions is the unique nature of the healthcare IT environment, which is not segmented like other industries—meaning it is significantly harder to contain a breach to a single system or location. Moreover, these disparate entities are connected and often not segmented so that an intruder can move laterally with ease. Yet no security tools have existed to allow the security team to track that lateral movement, as the environments aren’t communicating with each other from a security standpoint. This “visibility gap” has always existed in healthcare, and now attackers are leveraging it to launch ransomware attacks with alarming frequency.
Ransomware threats demand a proactive and holistic defense from healthcare CISOs
From the early reports on the attack at UHS, it seems that all three environments were affected. This lack of visibility into the entire security landscape—and importantly, context on what is happening in each environment—is one of the biggest challenges for healthcare security teams. It’s a challenge that is unique to healthcare, which is why existing, industry-agnostic security tools have not been able to detect attacks and stop them before it’s too late and the ransom note is already written. Scope Security entered the market to solve this problem and provide a comprehensive view into threats across the entire healthcare environment and alert security teams rapidly so they can respond in real time when an attack is detected.
In the wake of these recent attacks, some cybersecurity professionals have said they are focused on prescribing a standard treatment to the problem of ransomware, namely the implementation of a layered defense based on security patching, backups, network segmentation, good firewall, and access control rules. The unique challenges of the healthcare operating environment preclude such measures from being fully effective.
As mentioned, many hospitals are part of a broader network or group of hospitals that share many interconnected assets. Therefore, a weak link in the chain can have a negative impact on the whole. In such an environment, malware can move laterally across the network with great speed, often before detective controls will pick up any threat activity.
“It’s a challenge that is unique to healthcare, which is why existing, industry-agnostic security tools have not been able to detect attacks and stop them before it’s too late and the ransom note is already written”
Once a vulnerable or infected asset is identified, even the standard response to isolate and contain or disable that asset can be risky, because its loss may impact deployed clinical technology that’s vital to patient safety and care. The immediate availability of clinical technology is often a matter of life and death, which is why ransomware can exert a disproportionate impact within a healthcare organization as opposed to financial services or other industries.
Healthcare systems should prepare for a ransomware attack with the assumption, and the urgency, that they are already being targeted
The specific nature of healthcare requires specific preparation to help prevent attacks:
- Before an incident occurs, time and attention should be invested in asset discovery and inventory management. Networked medical devices and clinical endpoints should be identified across the environment and properly catalogued, particularly noting important information such as operating system, patch revision level, dependencies, and MDS2 information from the medical manufacturers that details the security features available on the device. This information is crucial for incident responders to have on hand during an incident, so that appropriate action can be quickly identified to contain the threat.
- Next, passive vulnerability scanning can be effective to safely enumerate security vulnerabilities of sensitive clinical technology. That said, efforts should also be made to identify which devices have been certified by their manufacturers as being compatible with vulnerability scanning, so that more in-depth, active scans can also be run (or devices should be scanned in safe conditions where they present no medical risk). Vulnerability scoring information is important to have available when an incident begins as it can be used as an indicator to determine how susceptible a given asset is to become part of the “blast radius” of compromised assets. This information is crucial when prioritizing incident response steps and activities. Effective patch management also relies upon the availability of such information.
- Lastly, the most important control mechanism to implement to address ransomware is to have threat visibility across all three environments. Having broad threat visibility across endpoints and networks, but also within EHR/EMR systems and medical devices, is crucial to early detection of ransomware activity. Detecting attacks as early as possible along the cyber kill chain will determine the magnitude of the impacts that are experienced by the healthcare organization. This is especially true given the timeline of most modern ransomware attacks: while early ransomware attacks started encrypting assets as soon as they gained access, modern attackers will compromise assets and use that access to determine the most important assets to encrypt that will maximize payment. This means that broad visibility across the environment should be used to detect and eliminate latent infections before encryption begins. But these attackers can use assets across all three parts of the environment to surveil and determine their strategy—this calls for a comprehensive strategy that sees the entire environment—not just traditional IT assets.
The kind of visibility that’s needed to support early threat detection is not only detailed telemetry from critical software, services, networks, and devices; technology that understands and analyzes that telemetry to produce actionable insight is needed as an incident is evolving. As new malware variants, attack vectors, and techniques emerge on a daily basis, the likelihood that ransomware will be detected by protective technology from the onset of a malware campaign is decreasing day by day. It’s therefore more important to look for outliers within the environment that might indicate threat activity in progress. This could range from detecting the execution of powershell scripts or system commands outside of scheduled maintenance windows to detecting clinical endpoints that are connecting to external addresses that are unrelated to the health system or the manufacturer. Similarly, with EMR systems, accounts that query data when the assigned healthcare practitioner is not on-shift or from locations that are impossible (e.g. an employee logged in from California accessing the system from eastern Europe at the same time) can be an indicator of threat activity. Bulk data query or collection from an EMR should also be monitored and investigated as an indicator of abuse.
As attacks against healthcare organizations are exponentially increasing, it’s important that cybersecurity operations be approached from a more holistic perspective. The interconnected nature of hospital networks and infrastructure necessitates that cybersecurity strategies are interwoven into the entire fabric of healthcare operations. There is a cybersecurity dimension to every aspect of the business of healthcare, from administrative to financial to quality control, case management and care coordination. For cybersecurity in healthcare to succeed, security leaders must understand the tripartite nature of the healthcare environment and employ solutions and strategies that provide full visibility and actionable context into all of it.