Tips to Prevent Ransomware in Healthcare Environments

• Yes, I know it’s difficult to get approval to send regular hospital-wide security advisories, but smarter end users will surely result in fewer ransomware incidents.

• Some organizations don’t realize their backups are compromised or were configured improperly until it’s too late.  You may need them to restore service.
• Start with your File Servers that host network shares for critical hospital departments
• Ensure you have backups that are not accessible by end users – ideally off-site.  Backup administrator roles should be assigned sparingly, used sparingly and regularly audited.
• Test your backups regularly to validate they can be restored properly. 

• Assign a project manager to organize an effort to evaluate permissions that users have on mapped network drives. Implement the principle of least privilege to minimize the impact that any single user can have on the organization’s network shared drives. 
• This process could turn into a large, complex effort, so start with network drive locations used by critical departments (Emergency, Organ Transplant etc).

Administrator User Privilege Reviews

• Audit privileged roles used by the Server, Backup & Network Teams to validate appropriate access.
• Ensure administrators are assigned normal restricted accounts, separate from their highly privileged accounts.
• Require administrators to only use their highly privileged accounts when they need them.
• Remove automatic network drive mappings from administrative accounts, where possible.
• Restrict administrative accounts from receiving email.

• According to Microsoft, 98% of Office-targeted threats use macros. Disabling macro scripts from MS Office files will stop ransomware such as Locky.
• Office macros are usually not required for the majority of PCs used in healthcare environments. Enable macros for exceptions or certain departments only.

• Many hospitals struggle to patch their systems within 30 days of Microsoft’s “Patch Tuesday” monthly patch release.  
• Review your patching processes and look for opportunities to remove roadblocks.
• Consider deploying an advanced endpoint product that prevents exploits due to missing patches and malware.

• Ensure you are configured to block inbound mail as per recommendations from your email server vendor (i.e. block executables in attachments etc)

• Ensure your firewall automatically blocks known threats based on a threat feed that constantly updates.
• Ensure your firewall provides sandboxing capabilities so you can stop unknown threats (URLs and executables) before they reach the endpoint. Sandboxing is the best way to detect new variants of ransomware that constantly appearing in the wild.
• Configure your firewall/proxy to require user interaction for hospital end users communicating with websites uncategorized by the network proxy or firewall (i.e. click a “proceed” button). Many uncategorized websites are used in targeted phishing campaigns to distribute malware.

• Traditional antivirus is not effective anymore against advanced malware like ransomware which continuously changes to avoid detection. Your endpoints need advanced protection capable of stopping processes that exhibit malicious behavior, rather than checking for individual known bad files.  
• Whitelisting can work for some organizations but most hospitals need to permit hundreds of applications across their departments so it is often difficult for IT to manage the list.Behavior-based malware detection tends to be very effective, and also lightweight on the endpoint.