Guest Column | April 5, 2018

Let SamSam Ransomware Serve As A Reminder To Lock Down Your Environment

By Onyeka Jones, product manager, Tripwire

Preventing Healthcare Ransomware

When SamSam ransomware brought down Allscripts systems last month, it impaired medical professionals' ability to provide appropriate patient care for more than a week. While this particular attack went after the EHR vendor, an attack like SamSam could just as easily take a more localized approach and go after a healthcare provider's EHR environment directly. The consequences of not being able to treat patients effectively should be a reminder for healthcare providers to ensure they have fundamental security controls in place to protect the integrity of their own environments.

Many healthcare organizations think they have a strong security program because they passed their audit. Unfortunately, passing an audit does not establish that. Alignment to frameworks like CIS, PCI, NIST and DISA can effectively decrease the likelihood of suffering a cyberattack, but only to the extent that these frameworks are actually implemented. Often, organizations can pass audits by implementing only specific parts of these frameworks, so they limit their focus to those few areas. However, the measures considered out of scope for an audit, the EHR environment for example, could be the ones essential for preventing and detecting a cyberattack.

Organizations that genuinely strive to implement the CIS, PCI, NIST and DISA frameworks beyond the purpose of passing an audit are much less likely to be compromised by attacks like SamSam. Healthcare providers should look to implement the foundational security controls to prevent cyberattacks as best they can, and to detect them when they inevitably do get through.

Preventing Breaches By Hardening The Environment

Attackers will go after the easiest target, for example a server left exposed to the internet. Misconfigurations, many of them easy to correct, have been the underlying reason for many successful breaches. Secure configuration management (SCM) is the control that assures systems are set up correctly and securely. While one cannot completely eliminate one's attack surface, configuring systems properly greatly reduces it and ensures systems are not inadvertently left exposed to outside attackers.

Systems with known vulnerabilities also make for an easy target. Organizations should have vulnerability management (VM) processes in place to understand what vulnerabilities exist within their environment, what risk they present, and whether patching is required.

Detecting Intrusions With Continuous Monitoring And Alerts To Change

After the environment is hardened and the attack surface minimized, organizations will want to monitor their environments and be alerted to changes. What is popularly known as file integrity monitoring (FIM) might be more accurately described today as "system integrity monitoring". It is a fundamental and foundational security control because it answers the key question: are systems still in a secure, trusted state, and if not, what changed?

Implementing FIM shows when new files are dropped into one's environment. In the case of SamSam, which has a known hash, a good FIM solution would alert when this known bad file has been placed on a host, so the security team can act quickly to keep it contained. Ports and services can also be whitelisted and/or blacklisted to notify the security team of any established or listening ports that fall outside the expected system integrity state.

Again, organizations won't want to stop at the bare minimum here. Some FIM solutions only show that a change occurred, not whether the change was good or bad, who made it, or whether it introduces risk or non-compliance. Without a good FIM solution providing that additional context, users cannot easily identify whether a change might be SamSam or some other malware-related issue.
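The integrity checks described in the three paragraphs above (baseline a host, report what changed, match new files against a known-bad hash, and flag listening ports outside the expected state) can be illustrated with a small script. This is an added example and not Tripwire's product or any code from the column; the known-bad hash, the expected port set, the directory contents and the "observed" ports are all constructed stand-ins, not real SamSam indicators.

```python
"""Minimal system-integrity check: file baseline/diff, known-bad hash match, port allowlist."""
import hashlib
import tempfile
from pathlib import Path

# Constructed placeholder only: a real deployment would load published indicator hashes here.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-PAYLOAD").hexdigest(): "constructed-sample",
}

# Constructed expected state for the host: only these ports should be listening.
EXPECTED_LISTENING_PORTS = {22, 443}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Answer 'what changed?': files added, modified or removed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def match_known_bad(current: dict) -> list:
    """Return (path, label) for every file whose hash is on the known-bad list."""
    return [(p, KNOWN_BAD_SHA256[h]) for p, h in current.items() if h in KNOWN_BAD_SHA256]


def unexpected_ports(observed: set) -> set:
    """Listening ports that fall outside the expected system state."""
    return set(observed) - EXPECTED_LISTENING_PORTS


def demo() -> dict:
    """Constructed scenario: baseline a directory, then simulate a file drop and a config edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.cfg").write_text("mode=prod\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF-constructed")
        baseline = snapshot(root)

        # Simulated compromise: a known-bad file dropped, a config file edited.
        (root / "bin" / "dropper.exe").write_bytes(b"CONSTRUCTED-SAMPLE-PAYLOAD")
        (root / "app.cfg").write_text("mode=prod\ndebug=1\n")
        current = snapshot(root)

        # Constructed stand-in for a listening-port inventory; 4444 is not expected.
        observed_ports = {22, 443, 4444}

        return {
            "changes": diff_snapshots(baseline, current),
            "known_bad": match_known_bad(current),
            "unexpected_ports": unexpected_ports(observed_ports),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2, default=sorted))
```

The baseline is the "trusted state"; the diff answers "what changed?", and the two lookups add the context the column calls for: whether a new file matches a known indicator, and whether the host's network exposure drifted from what was expected. A production tool would persist the baseline off-host so an intruder cannot rewrite it, and would record who made each change.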

With cyberattacks continuing to prove dangerous to healthcare providers and their patients, the industry needs to invest in building up its security posture, not just in passing audits. Security is an absolute necessity for ensuring patients receive the essential health services they deserve.

About The Author

Onyeka Jones is a product manager at Tripwire. As the product manager focused on healthcare solutions, she has a deep understanding of the IT security challenges in the healthcare industry and is passionate about developing software solutions that address customer problems.