A group of federal agencies recently released an updated set of guidelines to help healthcare organizations protect themselves from ransomware attacks and the data breaches that often follow.
The guide was authored by the Federal Bureau of Investigation, National Security Agency, Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center. The organizations’ recommendations were grouped by the following six ways that bad actors gain access to providers’ systems.
Access vector #1: Internet-facing vulnerabilities and misconfigurations
To avert attacks originating from this access vector, the guide instructs healthcare organizations to conduct regular vulnerability scanning to limit their attack surface. Many vulnerability scanning services, like the one offered by the Cybersecurity and Infrastructure Security Agency, are free to use.
Providers should also limit the use of remote desktop services and ensure that they are regularly patching and updating their software and IT systems to the latest available versions. In addition, healthcare businesses must guarantee that all devices — whether they are on-premises, cloud-based, mobile or personal — have security features enabled.
Access vector #2: Compromised credentials
There are a few actions providers can take to prevent ransomware attacks that stem from compromised credentials. Most of these recommendations have to do with usernames and passwords, such as instituting policies that require unique passwords of at least 15 characters, disabling browsers’ ability to save passwords and enforcing account lockout policies after a certain number of failed login attempts.
The guide also advises providers to use identity and access management systems, as well as to consider subscribing to monitoring services that search the dark web for compromised credentials.
Access vector #3: Phishing
One of the best ways to protect against phishing attacks is to mandate a user awareness and training program for employees, according to the guide.
Healthcare businesses can also take some action within their email server — such as ensuring that external emails are flagged and filters are in place to delete emails with known malicious subject lines or file types that commonly contain malware.
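The three mail-server controls in that paragraph, as an added Python example that is not part of the article or of the agencies' guide; the internal domain and both blocklists are constructed placeholders, and a real gateway would source them from threat intelligence:

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumptions, not from the guide: the provider's own mail domain, plus constructed
# stand-ins for "known malicious subject lines" and "file types that commonly contain malware".
INTERNAL_DOMAINS = {"example-hospital.org"}
BLOCKED_SUBJECTS = {"invoice overdue - action required", "your mailbox is almost full"}
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}


def triage(raw_bytes):
    """Apply the three mail-server controls to one inbound message and return a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    original_subject = msg.get("Subject", "")
    reasons = []

    # Control 1: tag mail whose From address is outside the organization. A gateway
    # would also check the envelope sender; only the header is shown here.
    sender = parseaddr(msg.get("From", ""))[1]
    domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    external = domain not in INTERNAL_DOMAINS
    subject = ("[EXTERNAL] " if external else "") + original_subject

    # Control 2: quarantine mail whose subject matches a known malicious subject line
    # (case and whitespace normalized so trivial variations still match).
    if " ".join(original_subject.lower().split()) in BLOCKED_SUBJECTS:
        reasons.append("blocked subject line")

    # Control 3: quarantine mail carrying an attachment of a blocked file type. Only the
    # final extension is consulted, so "statement.pdf.exe" is judged by ".exe".
    for part in msg.iter_attachments():
        ext = os.path.splitext((part.get_filename() or "").lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {ext}")

    return {"action": "quarantine" if reasons else "deliver", "external": external,
            "subject": subject, "reasons": reasons}


def build_sample(from_addr, subject, attachment_name=None):
    """Construct a sample message in memory so the example runs offline."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, "staff@example-hospital.org", subject
    msg.set_content("Please see the attached document.")
    if attachment_name:
        msg.add_attachment(b"\x00\x01", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()
```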
Access vector #4: Precursor malware infection
To prevent precursor malware infection, healthcare organizations should use cybersecurity products that block unauthorized software and deploy these on all of their assets. These products include allowlisting and/or endpoint detection and response solutions, according to the guide. Providers must also activate automatic updates for their antivirus and anti-malware software and signatures.
For further protection, providers can also deploy an intrusion detection system to find command and control activity and other potentially malicious network activity.
Access vector #5: Advanced forms of social engineering
Some advanced forms of social engineering include search engine optimization poisoning, advertisements that coax users into visiting websites that will steal their data, and seemingly legitimate websites tricking users into unintentionally downloading malicious code.
Employees’ cybersecurity awareness training is a huge part of preventing data breaches that stem from advanced forms of social engineering. The guide also gives a couple of other suggestions for healthcare businesses to take note of: using a protective domain name system that is meant to block malicious internet activity at the source and implementing sandboxed browsers to protect against malware that comes from web browsing.
Access vector #6: Third parties and managed service providers
The first step healthcare organizations can take to address this access vector is to review the cybersecurity practices of the third parties or managed service providers with which they partner. If a third party or managed service provider is responsible for maintaining and securing a provider’s backups, the provider must ensure this company is adhering to best practices.
Additionally, healthcare businesses should create policies letting third parties and managed service providers know that they only have access to devices and servers that are relevant to their role and responsibilities.