Ransomware continues to be a growing problem, especially in healthcare. While much has been written about it, little actionable advice has been offered.
With that in mind, Health IT Outcomes spoke with Symantec Health Information Technology Officer David Finn to find out why healthcare is a hacker’s ideal target, what the next phase of ransomware attacks will look like, and what can be done to defend against present and future attacks.
Q: What is ransomware and why is healthcare being targeted with it?
Answer: Ransomware is a type of malware or malicious software that cyber criminals use to deny access to legitimate users of systems or data. The hacker holds the system or data hostage until a ransom is paid. Typically, after an initial infection, the malware tries to spread itself to other systems or shared storage on the network. If the ransom demands are not met, the system or encrypted data remains inaccessible or may be deleted.
There is both binary and non-binary ransomware. A non-binary ransomware threat does not use executable files or block access to the underlying operating system. Instead of executable files, non-binary threats may use languages such as JavaScript or HTML. To become infected, the user must navigate to a server hosting the non-binary threat through their web browser where they are shown a ransom note. The threat attempts to prevent the user from closing the web page. Symantec’s focus is on the binary-based ransomware that is an attack on your systems and resources, which can prevent an entire organization from accessing systems.
While ransomware attacks to date have been largely indiscriminate, there is evidence attackers have a growing interest in hitting healthcare with targeted attacks. The reasons are obvious – the impact of a ransomware infection could be devastating, therefore they are more likely to pay up. Additionally, because healthcare has lagged first in digitizing their business and then in protecting that digitized data, it tends to be an easier target. The value of healthcare data is much higher than say, just a credit card number. Healthcare tends to aggregate information about patients to make it easier to provide care and process claims.
Q: Why is ransomware so difficult to defend against?
Answer: Prevention is the best defense against ransomware. The bad news is we don’t do a very good job of it. In some ways, the best defense is pretty basic IT management and good training of your users. Key points on prevention:
- implement awareness and training for all users — end-users are targets and become the first line of defense
- strong spam filters to limit phishing attacks
- email scanning (in- and out- bound) to detect threats and executable files
- configure firewalls to block known malicious sites and keep them current
- patch all your systems (operating, software, and firmware) timely
- deploy and configure anti-malware and anti-virus appropriately and keep it current
- manage use of privileged accounts and configure access controls for systems, directories, files, and network shares with minimum necessary as a goal
- disable macros from Microsoft Office files transmitted via email
- implement software restriction policies or other restrictions to limit execution from common locations
- back up data regularly and verify and secure them — backups should not be permanently connected to the systems and the networks they are backing up
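The list above is a checklist rather than a procedure, so here is an added example (written for this page, not part of the interview or any Symantec product) that turns four of the items into something an administrator can actually run on a Windows endpoint: it sets the Office macro policy (item on disabling macros), reports the last installed update (patching), lists local Administrators membership (privileged accounts), flags network shares that grant Everyone or Authenticated Users write access (minimum-necessary access controls), and reports whether any AppLocker rules are in effect (software restriction). It assumes Office 2016/2019/365, whose policy keys live under the 16.0 hive, and PowerShell 5.1 on Windows 10 or Server 2016 or later, run from an elevated prompt. The registry paths and value names are the documented Office policy settings; everything else is a local audit and makes no changes unless -Apply is given.

```powershell
# Added example, not from the interview: apply the Office macro policy and audit
# patching, local admins, writable shares and AppLocker on one Windows host.
# Assumes Office 16.0 hive (2016/2019/365), PowerShell 5.1+, elevated session.
# Without -Apply the script only reports; with -Apply it writes the macro policy
# for the CURRENT USER (HKCU). Fleet-wide, push the same values through Group Policy.
param([switch]$Apply)

# --- 1. Macros: disable VBA macros and block content that came from the Internet ---
# VBAWarnings values: 1 = enable all, 2 = disable with notification,
#                     3 = disable except digitally signed, 4 = disable all, no notification.
$officeApps = 'Word', 'Excel', 'PowerPoint'
foreach ($app in $officeApps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if ($Apply) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 4
        Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Type DWord -Value 1
    }
    $cur = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($cur -and $cur.VBAWarnings -eq 4) {
        Write-Host "[macros] $app : disabled without notification"
    } else {
        Write-Warning "[macros] $app : macros NOT fully disabled (VBAWarnings=$($cur.VBAWarnings))"
    }
}

# --- 2. Patching: how long since the last update was installed? ---
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastPatch) {
    $ageDays = ((Get-Date) - $lastPatch.InstalledOn).TotalDays
    Write-Host ("[patching] last update {0} installed {1:N0} days ago" -f $lastPatch.HotFixID, $ageDays)
    if ($ageDays -gt 30) { Write-Warning "[patching] no update installed in the last 30 days" }
} else {
    Write-Warning "[patching] no installed updates reported by Get-HotFix"
}

# --- 3. Privileged accounts: who is in the local Administrators group? ---
$admins = @(Get-LocalGroupMember -Group 'Administrators')
Write-Host "[privilege] local Administrators has $($admins.Count) member(s):"
foreach ($m in $admins) { Write-Host "    $($m.Name) ($($m.ObjectClass))" }

# --- 4. Shares: flag non-administrative shares writable by everyone ---
# Ransomware that reaches one workstation encrypts every writable share it can see.
Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccountName -match 'Everyone|Authenticated Users' -and
        $_.AccessControlType -eq 'Allow' -and
        "$($_.AccessRight)" -in @('Full', 'Change')
    } | ForEach-Object {
        Write-Warning ("[shares] {0} ({1}) grants {2} {3}" -f $share.Name, $share.Path, $_.AccountName, $_.AccessRight)
    }
}

# --- 5. Software restriction: is any AppLocker rule collection enforced? ---
try {
    $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
    $collections = @($policy.RuleCollections)
    if ($collections.Count -eq 0) {
        Write-Warning "[applocker] no effective rule collections; execution from user-writable paths is not restricted"
    } else {
        foreach ($c in $collections) {
            Write-Host ("[applocker] {0}: {1} rule(s), enforcement {2}" -f $c.RuleCollectionType, $c.Count, $c.EnforcementMode)
        }
    }
} catch {
    Write-Warning "[applocker] AppLocker cmdlets unavailable on this host: $($_.Exception.Message)"
}
```

Run it once without -Apply to see where the host stands, then with -Apply on a test account before pushing the same registry values through Group Policy. The one item in the list this script cannot verify is the backup rule: whether a backup target is connected to the network is a property of the backup design, not of the endpoint, and has to be checked on the backup side.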
Q: Have we seen the worst, or will attacks become more frequent/more severe in the coming months/years?
Answer: The bad guys are making a lot of money doing this right now with the average ransom demand jumping from just under $300 in 2015 to $679 already in 2016. I think we are going to see this continue for some time with factors contributing to ransomware’s growth including the fact encryption tools are easy to get; there are very effective infection vectors (email, exploit kits, other malware, server-side vulnerabilities, SMS messages, and app stores); the adoption of more advanced techniques; and ransomware as a service. It isn’t going to go away anytime soon.
Q: Who is responsible for ransomware attacks, both in terms of unleashing them and — from a health system’s perspective — defending against and/or resolving one?
Answer: Like so much of the commerce on the dark web, ransomware started out as pretty sophisticated hackers or gangs. Now it is a commodity sold for anyone who wants to buy it. You can find Ransomware-as-a-Service or you can buy your own ransomware if you don’t want to “outsource” your criminal activities. So, it can be almost anyone, anywhere launching these attacks.
The question of who is responsible for defending against it is much simpler: anyone who is responsible for using a computer, getting or sending emails, and sharing or saving files. Organizations have a responsibility to protect their assets and people and buy and deploy appropriate tools, but at the end of the day we all have to accept responsibility for what we send and receive. Good training and common sense will go a long way.
Q: The FBI does not support paying a ransom in response to a ransomware attack, saying, “Paying a ransom doesn’t guarantee an organization that it will get its data back — we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.” Do you agree with this advice?
Answer: Certainly, this is my first response. These aren’t nice people you want to do business with. That said, in a healthcare setting we’re talking about serious impacts — in some cases, life threatening. If a doctor can’t get an allergy list and prescribes a medication you can’t take, or if you are on a surgical table and the doctor is looking at images or critical notes and they disappear, you have a situation that makes paying a ransom a simple choice. And still you have no guarantee you get the data back.
We’ve seen cases recently where the ransom was paid and the same group hit the victim again or the original ransom amount was raised. There is no doubt paying the ransom encourages the business model — we’ve seen a 300 percent increase from roughly 1,000 attacks per day in 2015 to 4,000 attacks per day the first half of 2016.
Q: What advice would you offer a health system being held ransom?
Answer: If you can’t prevent becoming infected — which would be my first piece of advice — you need to:
- isolate the infected computer(s) as soon as possible
- isolate or power off affected devices that are not yet completely corrupted
- secure your backup data and systems by taking them offline
- contact law enforcement
- execute your cyber security event incident response plan (which should include a ransomware scenario) and your business continuity plan
- engage your security consultant and external incident response team
- collect and secure any portions of the ransomed data that may exist
- change all online account passwords and network passwords once off the network
- after the event, you should revisit your Risk Assessment, including all the stake holders
- review your cybersecurity insurance
- review all incident response plans from the lowest level to the system or corporate response plan
- reassess the governance and organizational structure of security — is it strategic or IT focused
Q: How can a health system decrease the chances of becoming a victim?
Answer: Well, in my opinion the most important thing, and frankly the biggest bang for your security dollar, is a comprehensive, on-going training and awareness program. This must include everything from classroom sessions to simulated phishing tests for everyone to expanded training for security professionals. This can’t be a burden or feel like punishment for the staff, though. It must be engaging at a personal level and if you can make it fun, even entertaining, so much the better. Then you have to have the tools, and the staff has to understand how to use and maintain them, as well as tune them to changes in the environment — internal and external. And of course, regular patching, system maintenance, managing all the assets (hardware, software and data), and current, well secured backups.
Q: Is ransomware prevention more about education or technology?
Answer: Both. It has to start with the education and awareness, though. All the technology tools in the world can’t protect you from an end-user trying to get their job done who gets that compelling email with the malicious link. So, while you are training your people you should be patching, deploying spam and mail filters, keeping up firewalls, deploying and verifying deployment of anti-malware and end-point protection, and so on. You can’t ever stop checking, verifying protections, and updating and validating your practices and the training — it has to change to meet the threats. The bad guy only has to be right once; you have to be right every time.
Q: What questions should health systems be asking vendors about ransomware?
Answer: That can be a misleading question but it speaks to the issue we are having today. Security is not one problem you fix and then move on to the next problem; that is how we wound up where we are. So, don’t ask about a specific issue, ask how ransomware fits into a security plan and strategy.
Security is now a strategic function of the business. It is not a product or some set number of specific products. It requires a strategy, a vision. Once you’ve been able to share that story and, frankly, sell it to the organization, you start building that vision. We saw this on the clinical side in healthcare: the power of the EMR is you’ve pulled five, 10, 15 systems into a single integrated tool. This is how security is going to have to work in the future. Your anti-malware will need to talk to your email gateway. Those will have to talk to your data loss prevention product. You’ll need to understand users not just from a who they are perspective, but from multiple perspectives: where they are, what device are they on, and what data are they trying to access. Integration of information — just like patient care — is going to help you take better care of your data and users.