How Can Healthcare Organizations Protect Against Cyber Extortion

In its January 2018 Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights drew attention to the rise in extortion attempts on healthcare organizations and offered advice on how healthcare organizations can protect against cyber extortion

Ransomware Attacks Have Risen Significantly

Ransomware attacks on healthcare organizations have increased significantly over the past two years. Healthcare providers are heavily reliant on access to electronic data and any attack that prevents access is likely to have a major impact on patients. The inevitable disruption to services – and the cost of that disruption – makes it more likely that a ransom will be paid.

The relatively high probability of a ransom being paid, coupled with the ease of attacking healthcare organizations, has made the industry an attractive target for cybercriminals.

It may be more cost effective and better for patients if a ransom to be paid instead of recovering data from backups. That was certainly the view of Hancock Health. A ransom payment of 4 Bitcoin was paid to minimize disruption when data could have been recovered from backups.

Paying a ransom may seem preferable, but there is no guarantee that data will be recoverable. This year has seen wiper malware used that mimics ransomware. In such cases, there are no keys to unlock encrypted data. There have also cases of ransoms being paid, only for further demands to be sent, such as the 2016 ransomware attack on Kansas Heart Hospital.

Data Theft and Threats of Data Dumps

There have been numerous cases of data theft by hackers followed by threats to dump the data online if a ransom payment is not made – The modus operandi of the hacking group, TheDarkOverlord. The hacking group was responsible for many cyber extortion attacks on healthcare providers over the past 2 years.

Typically, this type of attack sees vulnerabilities exploited to gain access to data. Brute force attacks allow weak passwords to be guessed, and the past year saw several healthcare organizations have data stolen as a result of misconfigurations of databases and unsecured Amazon S3 buckets. Several attacks saw data deleted from healthcare organizations’ databases after data had been exfiltrated, adding an extra incentive to pay the ransom demand.

As with ransomware attacks, there is no guarantee that the attacker will return data, make good on a promise not to publish data or delete any copies of stolen PHI.

DoS and DDoS Attacks

Not all cyber extortion attempts involve the theft of data or use of encryption to prevent PHI access. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks direct large volumes of traffic to computers and servers rendering them inaccessible. Demands for payment are often issued to stop the attacks, or threats of attacks are made unless payment is made.

How Can Healthcare Organizations Reduce Cyber Extortion Risk?

There are several ways that healthcare organization can reduce the risk of cyber extortion attacks, most of which are general cybersecurity best practices which should already have been adopted. Others are requirements of HIPAA Rules.

The most important measure, and one which so many healthcare organizations fail at,  is to perform a comprehensive, organization-wide risk analysis covering all systems and devices containing ePHI and systems/devices that can be used to access PHI. A risk management program must also be implemented that addresses all identified vulnerabilities and reduces them to an acceptable level.

Since so many cyber extortion attacks take advantage of unplugged vulnerabilities, healthcare organizations need to ensure all software and operating systems are kept up to date and patches are applied promptly. Robust inventory and vulnerability identification processes are necessary to ensure the accuracy and completeness of risk analyses.

Healthcare organizations should consider signing up with information Sharing and Analysis Organizations (ISAO) and other providers of threat intelligence to discover new threats and vulnerabilities in time to block attacks.

Ransomware attacks often occur as a result of healthcare employees responding to malicious emails. Unless a security awareness training program is implemented, employees will be a major weak point in security defenses. Technologies should also be implemented to block malicious emails and prevent them from reaching end users’ inboxes.

While anti-malware, anti-virus, and other signature-based malware defenses are not as effective as they once were, they are still an essential part of security defenses for healthcare organizations. Firewalls and other perimeter and network defenses should also be deployed, while internal defenses should be hardened to slow down attacks and prevent lateral movement within a network. Network segmentation is strongly recommended.

Just as encryption can prevent breaches when portable devices are lost or stolen, encryption can also prevent attackers from gaining access to sensitive data if the network is breached. Regular backups should also be created to ensure data recovery is possible without paying a ransom. A good backup strategy is the 3-2-1 approach. At least three copies of data, on two different media, with one copy stored securely off-site.

Backups are only of use if data recovery is possible. Backups should therefore be tested to make sure data has not been corrupted and can be recovered in the event of a cyberattack.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.