Healthcare

HealthCare is a Growing Target for Attacks

Cybercriminals are increasing their attacks on the healthcare industry.

Healthcare was the most targeted sector of 2019. Sixteen percent of all incident response matters were in healthcare-related businesses (including healthcare delivery organizations, healthcare device manufacturers, and technology providers). Ransomware was the attack type of choice against healthcare organizations in 2019 — they suffered more ransomware attacks than any other kind and represent a significant 22% of all ransomware cases (crypsisgroup).

According to the US Department of Health and Human Services, as of October, 2020, there have been 672 attacks on medical health records affecting 500 or more people in the last 24 months. While many of these attacks are not ransomware, healthcare is a target rich environment for bad actors.

Key Factors that hackers use to pick their targets

The value of the data the target organization controls and maintains
The perceived security posture of the market sector
The actual security deployed in the organization
The criticality of ongoing operations

When a ransomware attack succeeds, the hacker demands a ransom payment and will claim to provide a method to the victim to regain access to their data. There is no guarantee that a victim of an attack will recover their data or access to systems. Without adequate disaster recovery and backup plans, many businesses are forced to pay the ransom.

The first documented case of hospital ransomware occurred at Surgeons of Lake County in Illinois in 2012. A similar attack occurred two years later at Clay County Hospital in Illinois.

The extent of the ransomware attack was not reported in either case; a ransom was believed to be paid in both cases, but the amounts were never disclosed. After the highly publicized February 2016 ransomware attack at Hollywood Presbyterian Medical Center in Los Angeles, hackers began to actively target healthcare facilities.

In the Hollywood Presbyterian attack, the staff lost access to patient records, x-rays, and other equipment, or and was unable to restore equipment. The hospital agreed to pay the ransom. Reports at the time claimed that the initial demand was a ransom of $3.6 million, but the ransom was negotiated down to approximately $17,000.

After the successful attack on Hollywood Presbyterian Medical Center, hackers targeted the healthcare industry more frequently, with two hospitals attacked later that month and five hospitals targeted the next month. These affected hospitals did not pay the ransom but instead were able to restore information from their backups.

Hackers have found it easy to attack hospitals with ransomware because of hospitals’ rapid adoption of IT systems in recent years, without a concomitant increase in the number and sophistication of IT support staff. This rapid IT adoption occurred after the government allocated funds for the Meaningful Use program, which encouraged the use of electronic health records (EHRs).

Many healthcare facilities have been unable to adopt or deploy adequate network security and other information technology resources to combat potential attacks. Without sufficient funds, many hospitals do not have the staff to employ simple barriers to hackers (such as the quick installation of electronic patches). According to a 2016 report by Verizon, 85 percent of successful exploits take advantage of vulnerabilities such as old patches.

Legal experts have identified four risk categories associated with ransomware attacks in healthcare:

Medical malpractice
Data privacy
Property and reputation
Cost and expense issues

Although medical malpractice has long been a concern for hospitals, there could be an additional risk of medical malpractice during a ransomware attack if patient care is affected or if a patient is harmed as a result of ransomware, for example, if a medication error affected a patient when the computerized prescription order entry (CPOE) system was down.

If a hospital relying on a CPOE system were to lose that system for any reason, the number of prescription errors associated with returning to a manual prescription system would increase substantially, especially during a forced transition when individuals who were familiar with the CPOE system would have to be retrained or trained to use the manual method.

The second threat has been the risk of patient data privacy loss, which could lead to HIPAA violations. During the first response to a breach, it is vital for staff to identify (if possible) the type of malware that has infected their network. After the malware has been detected, professionals should assess the risks of that particular malware and whether a solution to decrypt the files can be found.

Unfortunately, decryption without the necessary key is extremely unlikely, and no free tools are currently available to decrypt files. The risk of reputation loss and loss of future business are substantial.

The final risk is increased costs and expenses. As we have seen during the COVID-19 epidemic, hospitals, medical clinics and individual physicians have been dramatically impacted by mandated shutdowns to slow the spread of the virus. A ransomware driven shutdown can severely impact financial stability.

Protecting your Organization

The impact and costs of Ransomware are escalating quickly. The velocity and creativity of attacks continue to grow. Attackers exploit a variety of tools, tactics and techniques against an ever-increasing diversity of targets, which further reduces the ability of Security and Risk Management (SRM) leaders to anticipate and prevent security failures.

Stop the attack before it starts

We have discussed mitigation strategies for how to limit losses and how some organizations have felt compelled to pay ransom.

A more effective solution is to adopt technologies that stop an attack at the very beginning, before malware can damage or encrypt systems, and before ransomware can spread through a targeted network.

Antivirus is only a part of the strategy

Many health care providers have relied on antivirus tools to help protect against ransomware, without understanding that it is a completely different problem that antivirus tools are not equipped to solve. Most of these tools only check against known lists of malware.

The rapidly changing ransomware threat means that the newest threats simply change their file names to mirror what the tool thinks are acceptable. Then the antivirus software simply allows the attacking file without understanding what has happened.

Zero Day Threats

Many traditional vendors try to build and update tools to prevent any access to systems from bad actors. We believe that while defenses keep improving, hackers will always find new exploits to access devices and networks. This plays out every day as successful attacks are reported in the news media.

It is particularly difficult for traditional vendors to detect Zero Day attacks where the malware uses new or unrecognized methods. Traditional antivirus systems miss these attacks precisely because they are new.

A Different Approach

At Hackerstrike, we understand that regardless of the defenses that are in place, hackers eventually gain access to a network. We are focused on what happens next. While other vendors look for known malware, Ransomstrike utilizes advanced Machine Learning (ML) as part of our extended detection and response (XDR) solution to recognize and halt anomalous behavior.

Ransomstrike recognizes behavioral changes of systems. We then stop the processes on the device from damaging infected systems or propagating to other devices over a network. This approach also helps reduce the incidence of false positives that plague SRM leaders.

Ransomstrike

Organizations of all sizes need tools that work with but go well beyond the function of traditional antivirus solutions. Ransomstrike is a full-protection platform designed from the ground up to provide real-time detection and protection of all of your systems using A.I.-based continuous learning technology. By examining metadata obtained from the Operating System, our ransomware detection and prevention solution can understand, identify and detect ransomware behavior and stop it, even if traditional antivirus tools can’t find the issues.

Applying Ransomstrike to standard defensive metrics

The continuous learning Machine Learning (ML) engine in Ransomstrike is constantly scanning devices and the network for any anomalies that fall outside of normal operating behavior.

When an attack is launched after an employee or contractor clicks on a link in a spear phishing email (for example), Ransomstrike immediately detects the behavior of the malware, alerts administrators and takes the appropriate steps based on the device and user under attack. This can include actions such as quarantining the device from network access for example, to prevent the malicious code from replicating to other devices on the network.