How to build an effective ransomware defense
Ransomware continues to plague healthcare organizations, despite the best efforts of IT security professionals. Recent incidents in Wichita, Kan., and DeKalb, Ind., are only some of the latest and they surely won’t be the last.
Ransomware has proven popular with cyber-criminals because while only a small percentage of attacks are successful, the effort required to launch them is minimal and the reward can be great. The FBI estimates that crooks extorted $209 million in ransoms in the first three months of 2016 alone.
In the past, it was mostly individuals who paid the ransoms. More recently, however, large healthcare organizations—such as Hollywood Presbyterian Hospital in California—have paid off their attackers to restore access to their healthcare data.
Healthcare organizations aren’t the only businesses falling victim to these attacks, either. But the unique threats that ransomware poses to healthcare—including not just risks to operations and revenue, but also to reputation and the ability to deliver patient care—make malware attacks particularly worrisome for this industry.
Of course, giving in to cyber blackmail should be the last resort. By following a few best practices for IT security, healthcare organizations can significantly reduce their risk of falling prey to ransomware:
* Make sure all systems are promptly updated with the latest operating system security patches.
* Enforce anti-malware scanning across all departments, and ensure your malware signature databases are up to date.
* Implement content-based scanning and filtering on email servers, particularly where access to cloud services such as Gmail, Yahoo Mail, and Outlook.com is permitted from the enterprise network.
* Restrict users’ access to only those systems that are necessary for their roles. Avoid “access sprawl.”
* Use two-factor authentication, so a stolen password isn’t enough to grant access.
* Ensure user accounts are de-provisioned promptly. There should be no orphaned accounts of former employees, especially if they served in a technical role.
* Deploy and maintain a comprehensive backup system, including offsite storage, in the event that files need to be restored.
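Several of the controls above (patch currency, orphaned accounts, privileged accounts nobody uses, and backup freshness) are only effective if someone checks them regularly. The following audit script is an added example, not part of the article and not any vendor's tool: it runs the checks over a constructed inventory of hosts, accounts, an HR roster and backup records. The thresholds (30 days for patches, 90 days of admin inactivity, one day for backups) and the fixed "today" date are assumptions chosen to keep the output deterministic.

```python
"""Ransomware-hygiene audit over constructed inventory data (added example)."""
from datetime import date, timedelta

# Assumed policy thresholds (not from the article)
MAX_PATCH_AGE_DAYS = 30
MAX_BACKUP_AGE_DAYS = 1
DORMANT_LOGIN_DAYS = 90
TODAY = date(2016, 6, 1)  # fixed reference date so results are reproducible

# Constructed sample inventory: hosts, HR roster, directory accounts, backup jobs
HOSTS = [
    {"name": "ehr-app-01", "os": "Windows Server 2012", "last_patched": date(2016, 5, 20)},
    {"name": "lab-ws-07", "os": "Windows XP", "last_patched": date(2014, 4, 8)},
    {"name": "radiology-pacs", "os": "Windows 7", "last_patched": date(2016, 3, 1)},
]
HR_ROSTER = {"asmith": "active", "bjones": "terminated", "cwu": "active"}
ACCOUNTS = [
    {"user": "asmith", "last_login": date(2016, 5, 31), "admin": False},
    {"user": "bjones", "last_login": date(2016, 5, 15), "admin": True},      # former employee
    {"user": "svc-legacy", "last_login": date(2015, 9, 1), "admin": True},   # no HR owner at all
    {"user": "cwu", "last_login": date(2016, 5, 30), "admin": False},
]
BACKUPS = [
    {"system": "ehr-app-01", "last_success": date(2016, 5, 31), "offsite": True},
    {"system": "radiology-pacs", "last_success": date(2016, 5, 25), "offsite": False},
]


def stale_hosts(hosts, today=TODAY, max_age=MAX_PATCH_AGE_DAYS):
    """Hosts whose last patch date is older than the allowed window."""
    cutoff = today - timedelta(days=max_age)
    return sorted(h["name"] for h in hosts if h["last_patched"] < cutoff)


def orphaned_accounts(accounts, roster):
    """Accounts with no active owner in HR: terminated staff or unknown identities."""
    return sorted(a["user"] for a in accounts if roster.get(a["user"]) != "active")


def dormant_admins(accounts, today=TODAY, days=DORMANT_LOGIN_DAYS):
    """Privileged accounts nobody has used recently: prime candidates for removal."""
    cutoff = today - timedelta(days=days)
    return sorted(a["user"] for a in accounts if a["admin"] and a["last_login"] < cutoff)


def backup_gaps(hosts, backups, today=TODAY, max_age=MAX_BACKUP_AGE_DAYS):
    """Hosts with no backup, a stale backup, or no offsite copy (checked in that order)."""
    by_system = {b["system"]: b for b in backups}
    cutoff = today - timedelta(days=max_age)
    findings = {}
    for h in hosts:
        b = by_system.get(h["name"])
        if b is None:
            findings[h["name"]] = "no backup"
        elif b["last_success"] < cutoff:
            findings[h["name"]] = "stale backup"
        elif not b["offsite"]:
            findings[h["name"]] = "no offsite copy"
    return findings


def audit():
    """Run every check and return the findings keyed by check name."""
    return {
        "stale_hosts": stale_hosts(HOSTS),
        "orphaned_accounts": orphaned_accounts(ACCOUNTS, HR_ROSTER),
        "dormant_admins": dormant_admins(ACCOUNTS),
        "backup_gaps": backup_gaps(HOSTS, BACKUPS),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

On the constructed data the script flags the Windows XP workstation and the PACS server as unpatched, the terminated user and the ownerless service account as orphaned, the service account as a dormant admin, and two hosts with backup gaps. In a real deployment the four input lists would come from the patch management system, the HR system, the directory and the backup server respectively; the comparison logic stays the same.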
As important as these and similar measures are, however, they won’t be enough to inoculate organizations against ransomware as long as one major attack vector remains: the hands behind the keyboards within the organization.
The popular perception is that hackers sneak malware onto enterprise systems through secret backdoors and vulnerabilities, but the truth is that one of the biggest elements of risk for a healthcare organization is its own staff. It only takes one employee to click on an innocuous-looking link in an email claiming to be from the CEO to unleash havoc on the network.
That’s why IT security education is absolutely essential for every employee, with a particular focus on phishing, spear phishing, “social engineering” and similar deceptions designed to trick employees into doing the hackers’ work for them.
But even education isn’t always enough. Another factor that has left healthcare organizations vulnerable to malware attacks is the legacy-based nature of healthcare IT systems. Often, there are applications on the network that have been running reliably for years, meaning there’s little reason to remove them from the mix of how patient care is delivered. However, they’re now so old that they require versions of operating systems or other components that are no longer supported and may be exposed to attack.
We’re not just talking about ancient, arcane mainframe systems anymore, either. For example, Microsoft has not released any security updates for Windows XP since 2014, and even before that, updates went only to customers who paid for costly Extended Support contracts; everyone else was cut off in 2009. If unreported security flaws still exist in Windows XP now, they’ve been wide open for years and will never be patched, leaving every application and device within the organization that runs on XP vulnerable. In many cases, upgrading the OS isn’t an option.
This is a tough challenge, but it’s not insurmountable. What meeting it will require, though, is for healthcare organizations to rethink how they approach their IT infrastructures by exploring new technologies that are powering the modern, software-defined data center (SDDC).
Through virtualization, both of application workloads and of the network underpinning them, IT administrators can gain unprecedented control of their data center environments and help nip threats like ransomware in the bud.
Modern network virtualization tools, such as the VMware NSX platform, enable administrators to segment their networks so that critical data center assets can be isolated from everything else in a Zero Trust model. The result is that users who shouldn’t have access to these critical systems can’t see them, and servers that shouldn’t be communicating with them can’t reach them. And even if the isolated servers become compromised with malware, they can’t escape their “private worlds” on the network to infect anything else.
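The behaviour described above, where unlisted flows are simply not possible, is easiest to see in a small model. The block below is an added illustration, not NSX configuration and not code from the article: a toy default-deny policy engine in which every host belongs to a segment, every permitted flow (source segment, destination segment, port) is listed explicitly, and anything else is denied. The segment names, hosts and rules are constructed; the `blast_radius` helper shows what a compromised host could still initiate connections to under the policy.

```python
"""Default-deny micro-segmentation model (added illustration, not NSX config)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # source segment
    dst: str    # destination segment
    port: int   # destination TCP port a connection may be opened on


# Constructed segment membership: host -> segment
SEGMENTS = {
    "nurse-ws-12": "clinical-users",
    "billing-ws-03": "billing-users",
    "ehr-web-01": "ehr-app",
    "ehr-db-01": "ehr-db",
    "lab-ws-07": "legacy-xp",      # isolated legacy host: no rules at all
    "backup-01": "backup",
}

# Constructed allow list. Any flow not listed here is denied.
# The model covers connection initiation only; return traffic is assumed
# to be handled statefully, as real segmentation firewalls do.
ALLOW = {
    Rule("clinical-users", "ehr-app", 443),
    Rule("ehr-app", "ehr-db", 1433),
    Rule("backup", "ehr-db", 22),
}


def is_allowed(src_host, dst_host, port, segments=SEGMENTS, allow=ALLOW):
    """Zero Trust check: hosts outside the inventory and unlisted flows are denied."""
    src = segments.get(src_host)
    dst = segments.get(dst_host)
    if src is None or dst is None:
        return False
    return Rule(src, dst, port) in allow


def blast_radius(compromised_host, ports, segments=SEGMENTS, allow=ALLOW):
    """Hosts the given host could still open a connection to on any of `ports`.

    A short list means lateral movement from that host is contained by policy,
    which is the property the text describes for isolated servers.
    """
    reachable = set()
    for dst in segments:
        if dst == compromised_host:
            continue
        if any(is_allowed(compromised_host, dst, p, segments, allow) for p in ports):
            reachable.add(dst)
    return sorted(reachable)


if __name__ == "__main__":
    common_ports = [22, 443, 445, 1433, 3389]
    for host in ("nurse-ws-12", "lab-ws-07", "ehr-web-01"):
        print(f"{host} can reach: {blast_radius(host, common_ports)}")
```

With this policy a clinical workstation can reach only the EHR web tier, the web tier can reach only the database, and the isolated Windows XP host can reach nothing, regardless of what is running on it. The useful review question this raises for a real deployment is the same one the model answers: for each host, what is the complete list of things it is permitted to reach, and is every entry on that list justified?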
Still other tools can be used to tighten security of end-user systems. By employing policy-based configuration management, for example, system administrators can ensure that endpoint systems across the organization are running a consistent desktop environment, with no hidden vulnerabilities caused by rogue settings.
Naturally, even these tools are no silver bullet for the ransomware problem. The threat landscape is constantly shifting. New variants of ransomware are now being discovered almost daily. Some of the newer types even exhibit worm-like properties, where they can propagate themselves over a network without human intervention. (So much for user training.)
Still, with the right combination of new technology and policy measures in place, and an emphasis on education and vigilance, forward-looking healthcare organizations can prepare themselves not just for the next wave of ransomware, but whatever new threat comes next.
What that next thing will be, nobody will know until it hits us. The important thing is that when it does hit, the impact is minimal or contained. If organizations can manage and contain these threats at every level of the organization—from the depths of a data center to behind the keyboard—healthcare IT teams can give these attackers a run for their money.