FBI Warning on Healthcare Ransomware: What You Need to Know

Jon Hallberg, CISSP, Information Security Officer | Cybersecurity & Compliance

Late last week, the FBI issued a warning to healthcare organizations to be on high alert for ransomware after a “wave of data scrambling extortion attempts…designed to lock up hospital information systems” (AP). The increase in ransomware threats comes at a time when many healthcare providers are under pressure due to spiking COVID-19 cases.

Unfortunately, the healthcare industry is a frequent target of cybercriminals, and this current flurry of attacks appears to be both aggressive and well-orchestrated by a Russian cybercriminal gang intent on inflicting significant damage – it is estimated to target more than 400 healthcare facilities in the US (Krebs on Security).

Hospital and medical care facilities are often targeted by criminals because the impact of an attack can literally be a matter of life and death, which makes the consequences of a compromise far more serious. In addition, the healthcare sector is well-known for its widespread use of legacy technology, making it an easier target.

Last year, for example, researchers determined that “39 percent of IoT Devices and 53 percent of common medical devices are still operating on traditional, legacy platforms, which poses a patient safety risk.” Examples could include MRI machine consoles still running Windows 7 (Microsoft stopped supporting that OS on Jan 14, 2020) and ultrasound carts, scanning machines, or other medical devices attached to your network. Segregating these devices from other hospital systems is critical, as recovering them may be impossible if the software they run is no longer supported. Also, some of these systems can act as jumping points, allowing ransomware to spread faster once an outbreak happens.

Netgain’s security team has been monitoring the situation (and client environments) closely. We’ll highlight below some of the security measures inherent to your environment, as well as the additional measures you should take considering the imminent threat. Some items are in Netgain’s control and some in yours, so it’s imperative we collaborate and recognize security as a shared responsibility.

Best practices to review:

Ultimately, ransomware’s threat relies on human actions and interactions. By limiting which actions can be conducted in your hosted environment, you greatly reduce the risk of ransomware being introduced. Common restrictions include limiting general purpose web visits, as well as access to non-business email and social media.

Antivirus – All Netgain systems run a centrally maintained anti-virus/anti-malware solution that is updated automatically. Although anti-virus software will not stop 100% of malware, it is a critical first line of protection.

Backups – Daily backups of your systems and data are available in case we ever need to do a full restoration. Note that this process takes time, as restore times depend heavily on the size of the system, the number of files, etc.

Software Restriction Policy (SRP) – SRPs can be set to limit what software users can install (specifically the freeware/adware or other third-party applications that can contain vulnerable code that puts your system at greater risk for infection). Limiting your users’ ability to modify their systems adds a layer of protection. If you don’t already have one in place, we can work with you to enable one.

Email – As many malware infections come from the email channel (phishing), this avenue always needs special attention. Netgain has a security package that includes inbound mail filtering/AV checks that can scrub messages before your users receive them. Run regular phishing simulations to help educate your users on what to look for. In addition, review your email server hygiene to make sure your SPF, DKIM, and DMARC records are set up properly. Strict record checks on inbound email can drastically limit spoofed messages.
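A small check of the kind described above, added here as an example and not part of Netgain’s post: it flags weak SPF and DMARC settings in constructed sample TXT records for the hypothetical domain example.com (a real review would fetch the records from DNS; DKIM is not covered because it is checked per selector).

```python
import re

# Constructed sample TXT records for the hypothetical domain example.com;
# in practice these come from DNS lookups of example.com and _dmarc.example.com.
SAMPLE_RECORDS = {
    "weak":   {"spf": "v=spf1 include:_spf.example-mail.net ~all",
               "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"},
    "strict": {"spf": "v=spf1 include:_spf.example-mail.net -all",
               "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"},
}

def check_spf(record: str) -> list:
    """Findings for an SPF record; an empty list means unlisted senders hard-fail."""
    if not record.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed (no v=spf1 prefix)"]
    mechanisms = record.split()[1:]
    # The terminal 'all' mechanism decides what happens to senders not listed before it.
    terminal = mechanisms[-1] if mechanisms else ""
    if terminal in ("+all", "all"):
        return ["SPF ends in +all: every sender passes, so spoofing is not limited"]
    if terminal in ("~all", "?all"):
        return [f"SPF ends in {terminal}: unlisted senders only softfail/neutral; use -all"]
    if terminal != "-all":
        return ["SPF has no terminal 'all' mechanism; unlisted senders are treated as neutral"]
    return []

def check_dmarc(record: str) -> list:
    """Findings for a DMARC record; an empty list means an enforcing, monitored policy."""
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", record)}
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed (no v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC p={policy or 'missing'}: receivers will not reject spoofed mail")
    sub = tags.get("sp", policy).lower()  # sp= defaults to the organizational policy
    if sub != "reject":
        findings.append(f"DMARC subdomain policy sp={sub or 'missing'}: subdomains can be spoofed")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy is applied to only part of the mail flow")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports to watch for spoofing")
    return findings

def audit(records: dict) -> list:
    """Combine SPF and DMARC findings for one domain's records."""
    return check_spf(records["spf"]) + check_dmarc(records["dmarc"])

if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        print(f"{name}: {audit(recs) or ['no findings']}")
```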

Internet – Limit browser sprawl (you don’t want users using Internet Explorer, for example – it’s old technology and thus more vulnerable). Pick and support only one primary modern browser (e.g. Edge, Chrome, Opera, Safari, Firefox) and keep it updated. Have an approved “backup” browser in case you have system incompatibilities. The Netgain team can help to enforce this. Limit use of known vulnerable internet plug-ins like Flash and Java.

Vulnerability management/Patch management – Netgain regularly scans critical servers (domain controllers, database servers, file servers, etc.) and patches known vulnerabilities accordingly.

“Least Access” mindset – Control exposure with a least-access approach. Instead of determining what data and which systems should be blocked from a given user, think critically about what they need to access. In healthcare, we recommend taking this one step further: For your power users, consider assigning two accounts so that privileged credentials are used only for administrative tasks that require that privilege, and all other, non-administrative tasks are accessed through the lowest level of privilege necessary.

Ransomware recovery tests – This is a good time to test your offline procedures – what could your staff do if your systems were unavailable for 24-72 hours?

Educate, educate, educate – Train, educate, enforce, and make better security practices easier. Teach your team to take a “security-first” mindset that questions everything and reinforces that security is everyone’s responsibility. This includes automated log-off procedures so that systems don’t remain on when not in use (shut down overnight!). Once ransomware gets in, it hides and crawls looking for systems to infect.

Password management – Limit password re-use and force strong passwords (a corporate password manager can help here). Do NOT share passwords between users; it limits your ability to change accounts, track user activity, and react quickly.

Multi-Factor Authentication – With multi-factor authentication, criminals would need access to multiple components to reach a target’s data. Text-based two-factor authentication is not enough, so given the choice, practices should require authenticator apps, which are far harder to hack.

Stay vigilant!

Security is a hefty responsibility, and warnings such as the one issued by the FBI last week are a reminder that we’re under continual threat. But we can take these warnings as an opportunity to review and reevaluate security procedures and controls. Netgain is here to assist you in maturing your security posture; we will work with you to implement and strengthen your chosen controls.

Any Netgain client interested in a security consultation should reach out to their account manager to schedule.