If 2015 was the year of the healthcare breach, 2016 is shaping up to be the year of ransomware.
By this time last year, 105 healthcare breaches had been reported to the U.S. Department of Health and Human Services (HHS) for a total of over 92 million lost records, compared to “only” 81 breaches and 3.5 million records so far in 2016. Good news, right? Well, sort of.
Unfortunately, this seemingly positive trend does not reflect the actual threat landscape in the healthcare industry. Healthcare organizations subject to HIPAA only need to report breaches to HHS if 500 or more patient records are exposed. Many types of cyberattacks on hospitals, like ransomware, impact systems and possibly patient care, but do not result in breached records and hence are not reported to HHS (although there are currently opposing views on whether a ransomware attack should be reportable under HIPAA).
Ransomware is a type of malware that restricts access to files or systems with encryption until the victim (the hospital) pays the ransom for the key to unlock them. In a previous post I outlinedhow hospitals can track down the infected PC when an infected PC somewhere on the network encrypts the contents of an entire department shared drive.
As a former security operations lead for a hospital network, I responded to numerous ransomware infections firsthand as a result of targeted phishing campaigns against the hospital. The incident response team followed the same procedure for each incident: isolate the infected PC and restore the corrupted (encrypted) files on the department shared drive from backup. In such isolated instances, there was no impact to clinical operations and patient care. However, the story would have been different in the case of widespread infection on the network.
Several healthcare providers in Washington, California and Kentucky were publically impacted in 2016 by what appears to be widespread ransomware infection across many different devices in a short amount of time.
Prevent and Minimize the Impact of Ransomware
There are many things that your healthcare organization should be doing to minimize the impact of successful ransomware attacks. Here are a few tips to get you started:
|High||Minimize Impact||Develop and execute a plan for an end user awareness program
|High||Minimize Impact||Review / Validate Server Backup Processes
|Medium||Minimize Impact||Review network drive permissions to minimize the impact that a single user can haveEnd User Privilege Reviews
Administrator User Privilege Reviews
|High||Prevention||Disable macro scripts from MS Office files using AD Group Policy
|High||Prevention||Review your monthly patch management processes
|Medium||Prevention||Evaluate your inbound spam / malware protection
|High||Prevention||Deploy a next-generation firewall to protect the hospital network
|High||Prevention||Deploy advanced endpoint protection to protect the endpoint
These suggestions range from low-tech to high-tech and vary in cost, but all contribute to create a hospital environment that is highly resistant to ransomware with the least amount of manual management. Decide for yourself which combination of mitigating activities is best for your environment.
If you want to read more about the history of ransomware – take a look at The Rise of Ransomware, a recent paper from our threat intelligence team, Unit 42.
[Palo Alto Networks Research Center]