Ransomware has reached headlines lately with several healthcare organizations globally falling victim, as seen in "As Ransomware Crisis Explodes, Hollywood Hospital Coughs Up $17,000 In Bitcoin". Breaches are top of mind in healthcare as far as security and privacy are concerned, and among the many types of breaches, ransomware is the highest priority across most healthcare organizations I have worked with over the last six months.
Compliance with regulations, laws and standards is important, but increasingly organizations realize they need to go well beyond basic regulatory compliance to effectively mitigate risk of breaches, and they are motivated up to the board level with the strong desire to not be the next breach or ransomware victim and headline.
While most security concerns to date have revolved around breaches of confidentiality, or unauthorized access to patient information, ransomware is not a breach of confidentiality, but rather of availability. In security speak, “availability” is timely and reliable access to patient information. Ransomware prevents access to patient information by encrypting this information and withholding the decryption key until a ransom is paid. Exacerbating this, paying a ransom is no guarantee of provision of the decryption key.
As we have seen, this can compromise mission critical services to the point where hospitals need to turn patients away. Healthcare is particularly vulnerable to this type of breach because healthcare organizations generally lag other verticals in security and have a very low tolerance for disruption. I suspect this problem is a lot worse than most people realize because many ransomware infections go unreported: many countries lack breach notification rules, or those rules cover compromise of confidentiality but not of availability, as in the case of ransomware.
A real danger in securing against this type of breach is the tendency to gravitate to one particular safeguard, such as backup and restore, which while important is just one of many things you can do to secure yourself against ransomware. In this blog, I explore several different safeguards you should consider as part of a holistic, multi-layered, defense-in-depth approach to securing against ransomware. None of these alone is a panacea; together they represent a very effective security posture against ransomware.
- Policy: ransomware often starts with employee actions and mistakes. Examples include clicking malicious links in emails or websites, opening email attachments, plugging in malware infected removable storage devices such as USB keys and so forth. Policy governs employee actions. Is your policy accurate, complete and up to date, especially as it pertains to employee actions that can lead to ransomware infections?
- Audit and Compliance: policy is a critical foundation of your security practice. To ensure employees are following it you need audit and compliance, in particular to ensure employee compliance with policy in the areas that could lead to ransomware infection.
- Risk Assessment: risk assessment is a key tool to identify risks to confidentiality, integrity and availability of patient information, including for risks such as ransomware. You can prioritize risks by impact and probability of occurrence, triage the top risks and address them through application of safeguards. The business impact of ransomware goes well beyond the ransom that may be paid since it can disrupt your mission critical business systems and processes and effectively halt your business.
- Anti-malware: having a good anti-malware solution installed on all endpoints, kept updated and effective, is key to detection and remediation (for example quarantine) of malware, including ransomware. You will not catch all ransomware this way, but many variants, especially older ones, will be caught.
- User Awareness Training: most ransomware infections start with employee actions. Training can help employees detect and avoid actions that could lead to infections. Again, not a perfect safeguard, but important in your overall anti-ransomware defense. Spear phishing training is particularly important to include in your overall training program.
- Email Gateway: email is a key ransomware infection vector, with spear phishing emails containing malicious links coaxing employees to click them, which can result in a drive-by download and a ransomware infection. Your email gateway can oversee emails and detect and block many of these.
- Web Gateway: web browsing (and clicking) is another key infection vector, with employees visiting websites and inadvertently clicking on malicious links that cause ransomware infections, again by drive-by-downloads. A good web gateway can detect many such websites, and help block these types of infections.
- Vulnerability Management and Patching: vulnerable devices and software create openings for malware and ransomware infections. A good vulnerability management program can identify vulnerabilities, for example in old, unpatched, or misconfigured software, and proactively remediate them to block ransomware.
- Security Incident Response Plan: in the event of an infection such as ransomware, how your organization responds is key to faster resolution and minimizing business impact. Having a good, tested plan that employees can execute quickly and efficiently, with good coordination, is key to enabling this. This plan should include PR and communications for breach notification if needed.
- Backup and Restore: currently the “safeguard du jour” for ransomware, backup and restore is critical. Have it, use it (everywhere you have data), test it (test restore regularly), and make sure it is versioned, with some versions air-gapped in offline backup archives. Ransomware may get into your backups too, depending on when it occurs in your backup cycle and how quickly you detect it and stop it, but if you have versioning and/or an air-gapped backup then you will have a workable backup version to restore. Keep in mind this is not a panacea though, since rolling back to a previous backup version effectively undoes all updates since then, and missing patient information updates can translate into direct risks to patient safety and business impact. This is why backup and restore is necessary but not sufficient. It is far preferable to avoid ransomware in the first place.
- Device Control: this is the ability to enforce policy regarding removable storage. For example if an employee plugs in a ransomware infected removable storage device such as a USB key, this safeguard can enforce policy preventing ransomware jumping from the device to your IT network.
- Penetration Testing and Vulnerability Scanning: as seen in "FBI raises alarm over ransomware targeting U.S. businesses", ransomware can enter your network through vulnerable or unpatched software, especially software facing the external Internet. Proactive penetration testing of such external facing applications and interfaces to identify and remediate such vulnerabilities is key to mitigating the risk of this type of ransomware infection.
- Endpoint DLP: Data Loss Prevention software running on endpoint devices can enforce policy and help prevent user actions that can lead to malware infections such as ransomware.
- Network Segmentation: segmenting your network can help quarantine or localize any malware infections to prevent propagation across your network. This can limit the extent of infection, lessening business impact, and enabling faster resolution.
- Network IPS: a network Intrusion Prevention System can monitor network traffic to detect and prevent malicious activity, such as that which could lead to a ransomware infection.
- Whitelisting: useful on endpoint devices, whitelisting limits which applications can execute to a small list of approved applications. If ransomware were to get onto a machine with whitelisting it would be benign on that machine, since it is not on the approved list of applications and is therefore blocked from executing, and therefore unable to encrypt any patient information. This type of safeguard can be particularly useful on medical devices that don’t get patched or updated frequently.
- Network DLP: this type of DLP runs on a network and can enforce policy, including detection and prevention of network interactions and traffic that could lead to ransomware infection.
- Digital Forensics: in the event of an infection, digital forensics can help identify the type of ransomware, the extent of infection, and how it occurred, which are key to reducing business impact, and preventing future infections.
- SIEM: Security Information and Event Management can provide real-time analysis of security alerts from across your applications and network, enabling faster detection and remediation of ransomware.
- Threat Intelligence Exchange: this enables real-time exchange of threat information between the safeguards in your network and a global threat intelligence backbone from your security provider(s), helping orchestrate defense against ransomware. This is a critical part of the “immune response” of your organization to ransomware, which will help stop it and kill it as fast as possible.
- Business Continuity and Disaster Recovery: as we have seen, some recent high profile ransomware infections have essentially shut down the information technology systems of healthcare organizations, crippling mission critical business processes to the point where they had to send patients elsewhere. Having a good BC / DR capability with mirroring of data and hot standby can be helpful in keeping mission critical systems going while remediation is occurring. The effectiveness of this safeguard against ransomware depends on the ransomware not propagating to your hot standby system, which the various safeguards discussed previously can help prevent.
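The Backup and Restore item above asks for versioned backups, some of them offline, and for regular test restores. The following is an added example (not code from this blog or from Intel) showing why those three properties work together: each backup is a new version rather than an overwrite, the expected checksums are kept in a manifest apart from the copies, and a test-restore pass reports which versions still verify. The in-memory store, the `overwrite_online_copies` scenario and the snapshot contents are all constructed stand-ins for a real backup target.

```python
"""Versioned backups with a separately kept checksum manifest and a scheduled
test-restore check. Added example; the store is an in-memory stand-in for a
real backup target and the overwrite scenario is constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class BackupCopy:
    version: int
    data: bytearray
    offline: bool  # True: copy lives in the air-gapped / offline archive


class VersionedBackupStore:
    def __init__(self) -> None:
        self.copies: dict[int, BackupCopy] = {}
        # Expected digests are recorded apart from the copies themselves
        # (in practice on write-once or offline media), so a copy that has
        # been overwritten no longer matches its manifest entry.
        self.manifest: dict[int, str] = {}
        self._next_version = 1

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(bytes(data)).hexdigest()

    def take_backup(self, data: bytes, offline: bool = False) -> int:
        """Store a new version; never overwrite an earlier one."""
        version = self._next_version
        self._next_version += 1
        self.copies[version] = BackupCopy(version, bytearray(data), offline)
        self.manifest[version] = self.digest(data)
        return version

    def verify(self, version: int) -> bool:
        copy = self.copies.get(version)
        return copy is not None and self.digest(copy.data) == self.manifest.get(version)

    def test_restore(self) -> dict[int, bool]:
        """The 'test restore regularly' step: which versions still verify."""
        return {v: self.verify(v) for v in sorted(self.copies)}

    def restore_latest_good(self) -> Optional[int]:
        """Newest version whose contents still match the manifest."""
        for version in sorted(self.copies, reverse=True):
            if self.verify(version):
                return version
        return None


def overwrite_online_copies(store: VersionedBackupStore, payload: bytes) -> list[int]:
    """Constructed scenario: something with write access to the online backup
    location overwrites every online copy. Offline copies are unreachable."""
    hit = []
    for copy in store.copies.values():
        if not copy.offline:
            copy.data[:] = payload
            hit.append(copy.version)
    return sorted(hit)


def demo() -> dict:
    store = VersionedBackupStore()
    store.take_backup(b"patient-db snapshot: monday", offline=True)
    store.take_backup(b"patient-db snapshot: tuesday")
    store.take_backup(b"patient-db snapshot: wednesday")
    before = store.restore_latest_good()              # 3: newest copy is fine
    hit = overwrite_online_copies(store, b"\x00" * 32)
    return {
        "restore_before": before,
        "overwritten": hit,                           # [2, 3]
        "test_restore": store.test_restore(),         # {1: True, 2: False, 3: False}
        "restore_after": store.restore_latest_good(),  # 1: the offline copy
    }


if __name__ == "__main__":
    print(demo())
```

The point of `test_restore` is that it is the check you would schedule, not something run only after an incident: if the online copies already fail to verify on a routine pass, you learn it while the offline version is still recent enough to be worth restoring. Note that `restore_latest_good` returning the Monday copy is exactly the "rolling back undoes updates" trade-off the item describes, which is why backup is necessary but not sufficient.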
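The SIEM item above describes real-time analysis of events to detect ransomware faster. As an added example (not from this blog or from any SIEM product), here is one detection rule of the kind such analysis runs: a single account renaming many files on a share to a new extension inside a short window, which is the file-level footprint the Backup and Restore item warns about. The audit-log format, the host and user names, and the log lines themselves are constructed for the example; a real deployment would feed the rule from the file server's own audit events.

```python
"""Detection logic for a SIEM-style rule: one account renaming many files to a
new extension in a short window on a file share. Added example; the audit-log
format and the log lines are constructed, not from any particular product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed file-server audit lines: "<UTC time> key=value ...".
SAMPLE_LOG = """\
2016-03-01T09:00:01Z host=ws-12 user=jdoe op=read path=/share/radiology/report1.pdf
2016-03-01T09:00:02Z host=ws-12 user=jdoe op=rename from=/share/radiology/report1.pdf to=/share/radiology/report1.pdf.locked
2016-03-01T09:00:03Z host=ws-12 user=jdoe op=rename from=/share/radiology/report2.pdf to=/share/radiology/report2.pdf.locked
2016-03-01T09:00:03Z host=ws-12 user=jdoe op=rename from=/share/billing/claims.xlsx to=/share/billing/claims.xlsx.locked
malformed entry
2016-03-01T09:00:04Z host=ws-12 user=jdoe op=rename from=/share/billing/invoices.docx to=/share/billing/invoices.docx.locked
2016-03-01T09:00:05Z host=ws-07 user=asmith op=rename from=/share/notes/todo.txt to=/share/notes/todo.md
2016-03-01T09:00:06Z host=ws-12 user=jdoe op=rename from=/share/admin/roster.csv to=/share/admin/roster.csv.locked
2016-03-01T09:00:07Z host=ws-12 user=jdoe op=rename from=/share/admin/schedule.csv to=/share/admin/schedule.csv.locked
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line into a dict; return None for lines we cannot read."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {"ts": ts}
    event.update(KV_RE.findall(m.group("kv")))
    return event


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(lines, window_seconds: int = 60, threshold: int = 5) -> list:
    """Alert once per (user, host) when >= threshold extension-changing renames
    fall inside any sliding window of window_seconds."""
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev.get("op") != "rename" or "from" not in ev or "to" not in ev:
            continue
        if extension(ev["from"]) == extension(ev["to"]):
            continue  # ordinary rename, extension unchanged
        by_actor[(ev.get("user", "?"), ev.get("host", "?"))].append(ev)

    alerts = []
    window = timedelta(seconds=window_seconds)
    for (user, host), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                hits = evs[start:end + 1]
                alerts.append({
                    "user": user,
                    "host": host,
                    "count": len(hits),
                    "first_seen": hits[0]["ts"].isoformat(),
                    "last_seen": hits[-1]["ts"].isoformat(),
                    "new_extensions": sorted({extension(e["to"]) for e in hits}),
                })
                break  # one alert per actor per run
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log the rule fires for `jdoe` on `ws-12` after the fifth extension-changing rename within the window, and stays quiet for `asmith`, whose single `.txt` to `.md` rename is the ordinary activity a threshold is there to ignore. The threshold and window are the tuning knobs: set them from what a normal user on your shares actually does, and pair the alert with the Network Segmentation and Device Control items so that detection can turn into containment.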
No organization wants to be “at the back of the herd” or “low hanging fruit” for attacks such as ransomware. It has been difficult in the past for healthcare organizations to measure or benchmark their breach security against the rest of the healthcare industry. It is one thing having a gap in your safeguards if everyone else has that gap. However, if you have a gap and most others don’t then you could be relatively vulnerable.
Intel Health and Life Sciences and several industry partners are currently conducting complementary, confidential breach security assessments for provider, payer, pharma and life sciences organizations globally. Through this one hour engagement healthcare organizations are able to benchmark their breach security across 42 safeguard capabilities and 8 different types of breaches, including ransomware, against the rest of the industry to see what percentile they are in terms of readiness, and gaps and opportunities for improvement they may have.