The healthcare industry is facing a pandemic on two fronts, COVID-19 on one, and ransomware on the other.
The healthcare industry is worth more than $8.45 trillion in the global economy. The services it provides are the difference between life and death for many. It should come as no surprise then that these organizations are a prime target. This is true especially for cyber criminals using ransomware to carry out their malicious ends.
These attacks, carried out by advanced adversaries, cripple healthcare institutions and facilities. They render networks unusable. The attacks prevent access to critical information used for patient care. And they can also cause loss of hard-earned reputation from leaked confidential information.
Healthcare organizations have always been a target of interest for cyber criminals due to their critical role in society. This targeting, however, has seen exponential increase since the beginning of the pandemic.
The evidence of this assault is staggering. Since November 2020 there has been a 45% increase in attacks targeting healthcare. This increase came on the heels of a previous 71% increase from only the month before. These attacks have also been widespread, from the US, Germany, Spain, UK, and hundreds of others around the world. And these attacks have not appeared to subside, even in the face of increased availability of the COVID-19 vaccine.
Amongst the largest perpetrators of these attacks have been the gangs behind the Ryuk and Sodinokibi ransomware. The damage these groups have caused is significant. In early 2020, a single compromise of Ryuk cost United Health Services more than $67 million dollars. Over the last year, the gang is believed to have amassed more than $150 million in Bitcoin ransomware payments.
Even government agencies have begun to ring the alarm bell.
In late 2020, several US government agencies, including CISA, the FBI, and HHS, issued a warning to healthcare organizations. Shortly after that UK’s NCSC also issued a warning, saying:
“… Ransomware is a significant cyber risk and we continue to work closely with government and the NHS to ensure that we are taking all available measures to counter the threat…”
Canada, Australia, and even Interpol have all also followed suit, highlighting the severity of the situation.
The global COVID-19 crisis has only further complicated this on-going attack. Many hospitals have had to cope with rapidly changing environments. Temporary emergency facilities to deal with the pandemic were often not designed with security in mind. Additionally, many organizations are still triaging the situation around remote workers. This reality paints a frightening picture with a dire prognosis for infosec professionals.
How Healthcare Can Take a Proactive Approach to Defense
Many healthcare organizations are stretched thin, both from a resource and budgetary perspective. In spite of this, there are key considerations security personnel in healthcare should consider.
Take a Proactive Approach with Threat Hunting. A common feature of many compromised organizations is that they relied exclusively on reactive security. Even the best reactive security doesn’t deter advanced adversaries. This is because many of these compromises are human-driven. Many of these adversaries also team up with criminal specialists. These specialists are capable of evading automated security controls using advanced techniques often days or weeks before the cyber criminals begin the the full attack. Healthcare organizations need to focus their efforts on proactive, human-led, threat hunting. This type of defense uses human-led hunt teams to identify suspicious and malicious activity. Automated security controls can detect traditional malicious code; but, it takes a human to hunt down human adversaries.
Move Beyond Indicators of Compromise (IoCs). Many organizations continue to rely heavily on reactive and outdated indicators of compromise . These IoCs are outdated in hours, and worthless in days. Adversaries will cycle through infrastructure and deploy bespoke malware avoiding detection by teams relying on IoCs. Healthcare security teams need to focus instead on adversaries tactics, techniques and procedures (TTPs) and behaviours. By detecting behaviours associated with lateral movement, internal reconnaissance, and privilege escalation it makes it harder for adversaries to conceal themselves in an environment. This gives healthcare security teams the time needed to detect the cyber criminals before they detonate the ransomware in the environment.
The Endpoint is the New Castle. The conventional approach to security is to treat the organization as a castle and defend it. In today’s remote workforce, that centralized, one-size-fits-all, approach doesn’t always hold true. Instead, organizations need to look at every endpoint as its own castle. And every castle is unique. Security teams need access to threat content designed for their unique environments.
