The healthcare industry is one of the most targeted verticals for ransomware attacks. According to IBM’s data breach report, “in healthcare, 50% of data breaches [in the US] were due to malicious attacks” at an average global cost of over $7 million per breach. With the shift to remote working capabilities, due to COVID-19, organizations are facing increased exposure to cyber attacks.
May 2021 was devastating for the healthcare sector. The Scripps Health ransomware attack exposed around 150,000 patients’ private data, including their protected health information (PHI), names, addresses. Further to this, 2.5% of this data also included social security numbers and driving licenses.
Conti, now synonymous with stealing and encrypting files worldwide, has affected over 400 organizations. After 16 separate US healthcare attacks, the FBI finally issued a flash warning to increase awareness of malicious email links and attachments, appeal for information and provide guidance on how to protect against ransomware. This precaution followed the Irish Healthcare System attack, where Conti threatened to leak sensitive medical data, after the local government refused to pay the $20 million ransom.
A government advisory was subsequently published in order to highlight the pattern of tactics, techniques, and procedures (TTPs) utilized in a ransomware attack against the healthcare industry.
The damage to patients and healthcare providers caused by ransomware attacks
Reliance on a detection and response approach to ransomware protection has devastating real world consequences, with patients bearing the brunt.
“Healthcare organizations are easy targets for ransomware attacks because they cannot afford to lose access to patient records” Paul Bischoff, Editor of Comparitech
- Compromised medical records: Confidential data is stolen, then leaked or sold on the dark web. Alongside COVID-19, there is a rising tendency toward digital communication to meet everyday needs. As more files are being sent electronically, including for medical needs such as prescriptions, diagnoses and photos, there has been an increase in threat actors utilizing compromised legitimate infrastructure. For example, Word documents embedded with malicious PowerShell scripts are being used to gain a foothold in the endpoint and entry into the organization.
- Delay of service and inability to receive timely care: Ransomware can take down entire IT networks, paralyzing healthcare facilities in the wake of the attack. It then becomes impossible to schedule appointments, access and keep records up to date. Urgent care facilities struggle to continue operating and patients are met with delays and cancelations. The reliance on ‘old fashioned’ paper and manual-only-processing means blood tests and diagnostics take longer.
- Medical practitioners cannot confidently access medical records remotely: Remote working capabilities are vital for doctors, researchers and medical employees to consult and complete back-office administration. Patient records must be protected remotely against potential threat actors. Connecting with unmanaged devices leaves networks open to ransomware attacks.
Most organizations tend to rely solely on VPN’s or VDI’s for ransomware protection which creates an easy target for exploitation by hackers who are aware of the security gaps. The host checker does not prevent malicious code from travelling within the protected VPN so the organization network data is open to exposure from an unmanaged device. The VDI may eliminate the ransomware at the end of a session preventing infection of the operating system itself, but any user data managed to be encrypted during the session will remain encrypted without restoring backups.
Unmanaged private devices don’t have the same level of ransomware protection as the organization network. The unsecure endpoints are then used to connect to the VPN’s or VDI’s, which are subsequently used by threat actors to complete successful ransomware attacks, take screenshots, steal keyloggers and vital private medical data.
The disturbing reality is that whether or not the ransom is paid, recovery from an attack is extremely expensive and time consuming with downtime of weeks and months. “The cost of downtime to healthcare organizations in 2020 was around $20.8 billion.” To balance this loss, the cost of medical care is increased. Payment of ransom only establishes the company as an attractive future target and unfortunately does not guarantee a decryption key or the safe return of stolen data.
To protect against attacks, Minerva Labs ransomware protection focuses on pre-execution threat prevention that stops evasive malware (the number one cause for ransomware attacks) before it infects the endpoint. A preemptive and automatic response to threats, allows even the slightest damage to be prevented, ensuring that healthcare facilities, medical offices and their patients are safe.
To enable healthcare organizations to work from home with confidence, Minerva Labs has additionally developed a remote user protection product, which applies secure anti-malware safeguards. This remote user protection product complements the protection that VPN products and similar products cannot provide, in protecting the organization from the endpoint itself. Packaged as a transient agent with a portable executable, it is easy to use and runs seamlessly with user systems, security tools and software. Addressing privacy concerns, Minerva Labs remote user protection is only activated when trying to establish a secure VPN connection and is disconnected and deactivated at the end of the session.
Built to prevent modern threats at the beachhead stage, before any damage is done through combat, Minerva's platform also supports Embedded systems, and all Windows OS, including XP, 7 etc. Minerva’s scalable platform can be adopted across all healthcare facilities and medical offices to enable protection from ransomware attacks today. (Our healthcare organization clients can attest to that!)