Healthcare Organizations: Moving to High Alert for Ransomware

Healthcare facilities are currently a favorite target of criminals who use ransomware (aka malicious software) to launch attacks.

These disruptive attacks – which lock up systems and demand the victim pay a ransom in cryptocurrency in exchange for regaining access – can disable endpoints and encrypt critical files that include essential information for patient care.

Ransomware attacks on healthcare organizations also tie up hundreds of IT staff hours responding and recovering, impact multiple branches and clinics, and damage hard-earned business reputations.

Numerous healthcare facilities were attacked in the last year, including one incident in Germany that lead to a death when ransomware locked systems and a patient needing critical care was turned away. Amid a global pandemic, the stakes are even higher. Once the pandemic outbreak began, attacks on healthcare organizations grew, says Chester Wisniewski, principal research scientist at Sophos.  

At the height of the pandemic, federal agencies issued a warning about the potential for an attack to US hospitals and healthcare providers. The joint cybersecurity advisory from the Cybersecurity Infrastructure and Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) warned against “an increased and imminent cybercrime threat.”

“Since COVID, a lot of attackers are trying to take advantage,” says Wisniewski. “If you send out 100 malicious emails, you are more likely to get hospitals or schools to take the bait because these institutions have been underdefended.”

What’s more, funding for cybersecurity in healthcare has typically been woefully low due simply to prioritization, he notes.

“The argument is ‘Why are we spending on security when we have people dying of heart attacks?’ When a hospital spends on security, someone will ask why. There is always a better place to spend money than on computer security. That is why we see them overrepresented in the ransomware victim list,” he notes.

Many emergency COVID-19 facilities set up without planned security of IT infrastructure only added to the concern. Factor in remote healthcare support workers who needed overnight accommodations and the security gaps are gapingly large.

How Healthcare Providers Can Prepare

While the concern is high, and budgets are often tight, there are a number of considerations healthcare IT and security leaders should keep in mind around ransomware mitigation.

Lock down endpoint protection. Ransomware attacks start at the endpoint when a user falls prey to a malicious link or attachment that then executes and downloads the software that locks up systems. The first place to start protecting your healthcare facility is at the endpoint. Look to tools and strategies that can stop both local and remote unauthorized file encryption. Endpoint protection technology should stop the delivery and installation of ransomware, block ransomware before it can run, and prevent the malicious encryption of files.

Employ human-led threat hunters. Even the best defenses don’t always work, because ransomware techniques are becoming increasingly human-driven. Attackers often work alongside specialized associates with expert tools and techniques that evade detection. Commonly used solutions are also abused to disguise an active attack. While most organizations know to defend against malicious code, they should monitor for malicious behaviors using human-led threat hunting and managed threat response. In other words, you need human defenders to stop human-driven cyber attacks.

If hit, find experts to respond immediately. If your organization is under attack, don’t wait. You need immediate incident response assistance. Seek out assistance from experienced incident responders to both identify and neutralize active threats as quickly as possible to minimize damages.

Sophos can assist you with your ransomware mitigation efforts. Learn more at Sophos.com.