Healthcare ransomware attacks are increasing – how to prepare

Cybercriminals are becoming skilled at using legitimate tools to launch more severe, weaponized ransomware attacks on healthcare providers. In addition, they’re avoiding detection by relying on Living off the Land (LotL) techniques that turn attacks into a prolonged digital pandemic. Using native Windows and standard remote-management tools, malicious ransomware actions blend in undetected with regular system admin activity. As a result, there has been a 94% increase in ransomware attacks targeting healthcare in the last year alone. 

Sophos’ recent study, “The State of Ransomware in Healthcare 2022,” finds a 69% jump in the volume of cyberattacks and a 67% increase in their complexity just this year. Another survey found 18% of healthcare employees are willing to sell confidential data to unauthorized parties for as little as $500 to $1,000. One in four employees knows someone who has sold access to patient data to outsiders. It’s no surprise that insiders initiate 58% of all healthcare breaches. IBM’s recent data breach report found that 83% of all enterprises interviewed have experienced more than one breach; among the most significant factors are remote work and internal employees willing to sell their privileged access credentials. 

Healthcare ransomware: An accelerating digital pandemic  

Healthcare providers are prime targets for ransomware attacks because they often spend less than 10% of their IT budgets on security, and patient data is often used for launching fraud and identity theft. Accellion’s paying an $8.1 million settlement in January, the CaptureRX cyberattack that affected 17 hospitals, and the Scripps cyberattack that impacted five hospitals and 19 outpatient facilities costing an estimated $106.8 million quantify how severe this digital pandemic is.   

So far in 2022, there have been 368 breaches affecting 25.1 million patients, according to the U.S. Department of Health and Human Services HHS Breach Portal. 206 of the breaches started with the network server being compromised with malware, and 95 started via email phishing and privileged credential abuse. 

“We know that bad guys, once they’re in the network and compromise the first machine, in about an hour and 38 minutes, on average, they can move laterally to the next machine, and then the next machine, and the next machine. So once they’ve figured that out, the chances of you having a ransomware breach and having data exfiltrated from your environment increase,” Drex DeFord, executive strategist and healthcare CIO at CrowdStrike, told VentureBeat during an interview.

The growing threat of increasingly sophisticated ransomware-as-a-service (RaaS) groups is compounding healthcare providers’ risks from repeated ransomware attacks. The HHS Cybersecurity Program found that ALPHV/BlackCat, Conti, Hive, LockBit and SunCrypt are the five most active RaaS groups targeting healthcare. 

Each RaaS group has expertise in automating ransomware attacks using native Windows and common remote management tools that exceed what organizations can block or contain. When attackers initiate ransomware attacks with existing tools, their intrusions are difficult to identify as their behavior blends into legitimate admin activities.

How zero trust can help 

Ransomware attacks often start when endpoints, privileged access credentials, and gaps in identity management are compromised. Many healthcare providers have more machine identities to protect than human ones, making identity access management (IAM) and privileged access management (PAM) central to their zero-trust network access (ZTNA) initiatives. Designing for greater resilience needs to be the goal. CISOs and their teams need guardrails to stay on track while also realizing that many vendors misrepresent their zero-trust solutions. 

Two standards documents provide guardrails for healthcare security and risk management professionals in defining their ZTNA initiatives. The first is the recently published update from the the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE), “Implementing a Zero Trust Architecture.” 

John Kindervag, who created zero trust while at Forrester and who currently serves as senior vice president, Cybersecurity Strategy and ON2IT Group Fellow at ON2IT Cybersecurity, and Chase Cunningham, Ph.D., chief strategy officer at Ericom Software, were among several industry leaders who wrote the President’s National Security Telecommunications Advisory Committee (NSTAC) Draft on Zero Trust and Trusted Identity Management. The NSTAC document defines zero trust architecture as “an architecture that treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated and their access authorized.” The NSTAC document and the new NCCoE guidelines are essential for healthcare providers planning and implementing their zero-trust initiatives. 

Where healthcare providers need to start 

Healthcare ransomware attack strategies are becoming more challenging to identify and stop. RaaS groups actively recruit specialists with common Windows and system admin tools expertise to launch more LotL attacks. Perimeter security isn’t slowing these attacks down, while the core principles of ZTNA implemented enterprise-wide are proving effective. 

Healthcare CISOs and their teams need to consider the following strategies for getting started:   

Get a compromise assessment done first and consider an incident response retainer

CrowdStrike’s DeFord says that healthcare CISOs must first establish a baseline and ensure a clean environment. “When you have a compromise assessment done, get a comprehensive look at the entire environment and make sure that you’re not owned and … just don’t know it yet, is incredibly important,” he told VentureBeat during a recent interview.

DeFord also advises healthcare CISOs to get an incident-response retainer if they don’t already have one. “That makes sure that should something happen, and you do have a security incident, you can call someone, and they will come immediately,” he advises. 

Remove any dormant, unused identities in IAM and PAM systems immediately 

Do a hard reset on every IAM and PAM system in the tech stack to the identity level to make sure no dormant credentials are still active. They’re the front door to the IAM and PAM servers that cyberattackers are looking for. Purge access privileges for all expired accounts as a first step. Second, reset privileged access policies by role to limit the type of data and systems each user can access.    

Implement multifactor authentication (MFA) across all verified accounts 

Cyberattackers target the companies that healthcare providers regularly work with to steal their identities and privileged access credentials and then gain access to internal systems. The more privileged access an account has, the greater the probability it will be the target of a credential-based attack. Roll out MFA across every external business partner, supplier, contractor and employee in the first phase of any zero-trust initiative.

Automate endpoint device configurations and deployments from a single cloud platform to reduce the ransomware attack surface 

Forrester’s recent report, The Future of Endpoint Management, provides insights and useful suggestions for healthcare CISOs and their teams on how to modernize endpoint management. Forrester defines six characteristics of modern endpoint management, endpoint management challenges, and the four trends defining the future of endpoint management in 2022 and beyond. Andrew Hewitt, Forrester analyst and author of the report, told VentureBeat, “Most self-healing firmware is embedded directly into the OEM hardware itself.”

“It’s worth asking about this in up-front procurement conversations when negotiating new terms for endpoints. What kinds of security are embedded in hardware? Which players are there? What additional management benefits can we accrue?” Hewitt advised. 

Forrester found that “one global staffing company is already embedding self-healing at the firmware level using Absolute Software’s Application Persistence capability to ensure that its VPN remains functional for all remote workers.” Absolute provides self-healing endpoints and an undeletable digital tether to every PC-based endpoint. The company recently launched Ransomware Response based on its insights gained from protecting against ransomware attacks. Other leading vendors who can automate endpoint device configurations and deployments include CrowdStrike Falcon, Ivanti Neurons, and Microsoft Defender 365.

Automate patch management to further reduce the risk of a ransomware attack

Automating patch management offloads IT and helps relieve desk staff from the heavy workloads IT teams already have supporting virtual workers and high-priority digital transformation projects. A majority (71%) of IT and security professionals perceive patching as too complex and time-consuming, and 62% admit they procrastinate about devoting time to patch-management work. They’re looking for a way to move beyond inventory-based patch management to a more automated approach based on artificial intelligence (AI), machine learning and bot-based technology that can help prioritize threats. 

Leading vendors include Blackberry, CrowdStrike Falcon, Ivanti Neurons for Patch Intelligence, and Microsoft. Ivanti’s acquisition of RiskSense last year combined Ivanti’s expertise in streamlining patch intelligence with RiskSense’s diverse dataset of ransomware attacks, which are considered the most comprehensive in the industry. RiskSense’s Vulnerability Intelligence and Vulnerability Risk Rating was also a core part of the acquisition. The acquisition reflects the future of AI-driven patch management as it consolidates all available data into a risk assessment in real time to identify ransomware attacks while automating patch management to reduce the exposed threat surfaces of healthcare providers. 

Creating more resilience is key 

Earlier this week on CNBC, CrowdStrike President, CEO and cofounder George Kurtz said that 80% of breaches are identity-based. He emphasized that boards of directors must see that the most significant risk to their businesses is cyber-based, “the systematic risk of a business going down with things like ransomware,” while compliance continues to become more complex, as he also mentioned during the interview. 

Based on Kurtz’s comments, it is clear that CISOs must be included as part of the board to help manage risk while automating compliance. Hardening endpoints is one of the most effective strategies for protecting identities, as Kurtz said during his CNBC interview. 

In an interview earlier this year with VentureBeat, Paddy Harrington, senior analyst, security and risk at Forrester, said there are three factors defining the future of endpoint platforms. They are isolation, containment, and segmentation; automation; and intelligent reporting. On automation, Harrington says, “AI, machine learning, scripts, preconfigured processes reduce the amount of human interaction and have consistency. Unfortunately, IT/security operations staffing is not growing to keep up with the diversifying environments, and the added complexity is only lengthening response times. Attacks are also becoming more complex, and an analyst’s misstep or response delay can have serious consequences.”

In the meantime, cyberattackers will continue targeting healthcare endpoints to launch ransomware attacks because endpoints the perfect distribution point for additional payloads. The key to reducing healthcare ransomware attacks is hardening endpoints and making them more resilient and self-healing while defining and implementing an enterprise-wide ZTNA framework.