What is the threat?
There has been a significant increase in ransomware attacks in recent months and the healthcare industry appears to be the prime target for these hackers. SKOUT CYBERSECURITY is tracking a recent trend where medical providers and other healthcare-related companies are being increasingly targeted by ransomware attacks. Five US healthcare organizations have reported ransomware attacks in the past seven days. Boardman, Ohio provider NEO Urology, Colorado-based Estes Park Health, Boston-based ResiDex Software. New York-based Olean Medical Group & California-based Shingle Springs Health and Wellness Center. Additionally, as reported in an earlier Advisory, several medical laboratories were breached via an attack on a third-party billing company whom they all worked with.
Why is this noteworthy?
According to the US Department of Homeland Security, ransomware is the fastest growing malware threat targeting both individuals and organizations. Ransomware can render critical services unavailable and be costly for organizations. Officials at NEO Urology reportedly paid the $75,000 ransom to regain access to their systems. A Florida city also paid $600,000 in ransom to hackers to retrieve their records and revive critical services such as their email system and the ability for 911 dispatchers to be able to enter calls on their computers. They had to spend a further $1M to get new systems and restore their data. Currently, some providers are still operating without the use of computer systems while others are paying the ransom to regain access to their files. While ransomware is an ever-present risk, healthcare organizations and facilities do appear to be recent targets of at least one ransomware campaign. While no conclusive evidence of a pattern yet exists, the number of recent healthcare-specific infections does give strong indication of a trend. Healthcare facilities –-especially smaller clinics and more rural facilities –-have a propensity to avoid hardware and software updates due to lack of staffing, budgetary restrictions, and a host of other reasons. This makes them easy targets for all malware that relies on known vulnerabilities; including ransomware that leverages these already-discovered holes in defenses that may not yet have been patched in these environments.
What is the exposure or risk?
Ransomware can slow down business operations by making critical data and resources inaccessible. Olean Medical Group has been driven back to pen and paper while EPH was left without phone service or network access. As ransomware has the ability to destroy data (through encryption withthe possibility of the threat actor not possessing or not releasing the means to decrypt it), health records and other data may be lost if un-effected backups are not available. This, in turn, may result in inability to complete regulatory and population reporting. Loss of digital systems may also render facilities unable to use medical imaging or other vital systems that rely on computers and workstations.
What can you do?
SKOUT recommends ensuring that critical data is regularly backed up in a secure location in order to prevent it from being rendered inaccessible during a ransomware attack. Preferably, using a backup provider that maintains previous versions of files (“file rewind,,”“file versioning,”,“previous version protection,”etc.) is best, as some backup jobs may run before the ransomware is discovered. Having an incident response plan insplace is recommended to quickly contain a ransomware attack from propagating. Endpoint protection such as Cylance is also recommended to block malware from running on a victim machine.
Critically, all Windows workstations, desktops, and laptops should be on Windows 8 or higher. Windows Servers should be running at least Windows 2012R2. Linux devices should be running fully updated versions of their distribution of Linux – and that version should be no older than four years old. All devices – workstation, server, laptop, desktop, integrated, mobile, etc. – should be kept updated with all available patches and service packs. Patches and updates marked as critical, important, or specifically identified as a security updateby the manufacturer should be applied immediately, while other updates can be delayed by a reasonable amount of time for testing before deployment.
SKOUT also recommends training employees to be aware of phishing emails, identify suspect attachments, andto not click on any suspicious links. A common way for ransomware to penetrate a network is through phishingmalicious email, and filters and other email hygiene tools may not catch everyemail attack; especially if it is a new form of email threat..
SKOUT does not recommend paying the ransom unless no other possible method of recovery is available. Paying the ransom encourages more threat actors to partake inthis activity; and multiple threat actors have taken ransom payments but failed to provide decryption and/or return data that they had encrypted.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.