Healthcare professionals are performing heroics on a daily basis, working to the point of exhaustion and putting themselves in harm’s way as they try to save as many patients as possible. We applaud them every day in communities around the world with displays of our respect and gratitude.
However, some malicious actors view them and their organizations as targets and have used the COVID-19 pandemic as a catalyst to ramp up their efforts to cause harm. Email is still the access vector of choice for attackers, as malicious actors serve up cleverly crafted emails that feed on our fear of the unknown and our desire to be informed. Many of those emails are scams, and others deliver something even more nefarious: ransomware.
What is ransomware?
Ransomware, a common threat faced by healthcare organizations, is malicious software that covertly encrypts your files so you are unable to access them, then demands payment for their safe recovery.
In the best of times, organizations can roll out elaborate awareness campaigns and track training to gradually build a solid prevention program. While these are very important elements of any security strategy (and should be pursued), we are not currently in the best of times. Healthcare professionals and the teams dedicated to supporting them have less time now to scrutinize each email they receive. They need more technical controls to help prevent attacks, and they need the right detection and response tools and processes to help identify problems and remediate them before they disrupt the vital functions of medical treatment.
An ounce of prevention is worth a pound of cure
On the prevention front, the tried-and-true methods of utilizing multi-factor authentication (MFA) and blocking Microsoft Office macros still apply. Prevention and detection are dishes best served over multiple courses—there is no one security tool to rule them all. Layered defenses provide much greater protection (though still not 100%) than placing the burden on one piece of technology.
Ransomware succeeds by spreading. While granting all users administrative privileges on their laptops and allowing code execution from any location does provide great freedom of movement for your user population, this also provides ransomware with an easy way to traverse your network. This could lead to disastrous consequences in a very short time frame. Tightening permissions not only for users but also for code execution and file write access can help to prevent propagation of malicious files and drastically limit the damage done by ransomware.
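As an added example (not from the original post), the following PowerShell script audits, and optionally enforces, the Office macro policy settings that the prevention advice above calls for: disabling VBA macros outright and blocking macros in files downloaded from the Internet. It assumes Office 2016/2019/Microsoft 365 (policy path version "16.0") and is intended for verifying a workstation or a lab image; in production these values are normally pushed by Group Policy or Intune rather than set by hand.

```powershell
# Added example, not part of the original post: audit/enforce Office macro-blocking
# policy via the registry-backed Group Policy keys.
# Assumption: Office 2016/2019/Microsoft 365, whose policy keys live under "16.0".
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Desired values:
#   VBAWarnings = 4                        -> "Disable all macros without notification"
#   blockcontentexecutionfrominternet = 1  -> block macros in files that carry the
#                                             Mark-of-the-Web (downloaded from the Internet)
$Desired = @{
    'VBAWarnings'                       = 4
    'blockcontentexecutionfrominternet' = 1
}

function Test-OfficeMacroPolicy {
    # Without -Enforce the function only reports; with -Enforce it sets any
    # non-compliant value, creating the policy key if it does not exist yet.
    param([switch]$Enforce)

    $results = foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if ($Enforce -and -not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        foreach ($name in $Desired.Keys) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            $compliant = ($current -eq $Desired[$name])
            if (-not $compliant -and $Enforce) {
                Set-ItemProperty -Path $key -Name $name -Value $Desired[$name] -Type DWord
                $current = $Desired[$name]
                $compliant = $true
            }
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Current   = $current      # $null means the policy is not set at all
                Desired   = $Desired[$name]
                Compliant = $compliant
            }
        }
    }
    return $results
}

# Report-only run; add -Enforce to apply the desired values.
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

A `Current` of `$null` means no policy is configured and the application's default (which still prompts users to enable macros) is in effect, which is exactly the state the post argues against.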
An ounce or two of detection and response certainly helps, too
When something does make its way past your defenses, mitigating the damage is key. Ransomware acts quickly to lock up files and disrupt operations. Even the most prepared organizations will likely spend time restoring backups and bringing files back online. Healthcare facilities cannot simply grind their operations to a halt while this happens. This is why planning is of the utmost importance.
And finally, in your response actions, understand that even the best responders may not be able to recover your files. Forensic investigations can help discover the initial attack vector and the scope of the incident, but incident response work very rarely uncovers decryption keys. And even if it did, there is a chance that the ransomware damaged files to the point at which they cannot be recovered.
So, if this happens, can you continue your operations without those files? While most organizations have prepared for natural disasters and bad weather, many have not considered a global pandemic. This does not mean an entirely new plan of action has to be devised. Chances are, one of your existing plans will work. The scenario may be different, but the impact may be very similar. The sooner your caregivers return their focus to caring for their patients, the better off you are.