There’s no denying it – the need for stronger cyber defense is urgent. More ransomware attacks targeted healthcare in 2022 than any other critical infrastructure sector, according to the FBI’s Internet Crime Complaint Center (IC3). With attacks on healthcare negatively impacting patient care – including increased mortality rates – healthcare organizations must adopt proactive approaches to better protect their patients and sensitive information.
In the spring, the Multi-State Information Sharing and Analysis Center(MS-ISAC) released new guidelines aimed at supporting healthcare organizations against cyber-attacks. Developed through collaboration between the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA), the counsel includes best practices for prevention and response to the six most common vectors for ransomware – internet-facing vulnerabilities and misconfigurations, compromised credentials, phishing, precursor malware infection, advanced forms of social engineering, and third parties and managed service providers.
The guidance provides healthcare organizations and hospitals with a helpful starting point, offering a plan for implementing essential security steps. However, there are gaps where more can be done to better protect against ransomware.
For starters, phishing accounted for up to 60% of the attacks on the healthcare sector in the first quarter of 2023, according to DNSFilter’s State of Internet Security report. Even more unnerving? Research shows that healthcare employees are twice as likely to click on phishing links as employees in other sectors.
It’s time for the healthcare industry to take action – with a proactive approach to ransomware protection.
Start With an Incident Response Plan
The umbrella for ransomware defense is a thorough incident response plan, which is critical to protecting data and enabling a fast, effective response in the event of an attack. A plan should cover every aspect of an organization’s defense, including prevention, detection, response and recovery. In addition, it should incorporate a strategy for maintaining encrypted backups offline, should an attack occur.
The key to an effective incident response plan is in how it is maintained and communicated to employees. Response plans should be tested regularly and updated when necessary. And, everyone in an organization should be aware of the plan and their part in it.
A decent portion of the advice in MS-ISAC guidance concerns basic – but absolutely essential – measures. For example, steps to guard against compromised credentials are well-known, even if not always implemented. The basics of ransomware protection for healthcare organizations include:
- Always using multi-factor authentication (MFA), which has been proven to be highly effective against credential-based attacks such as those used in phishing campaigns.
- Updating the default usernames and passwords used for administrative accounts – an obvious precaution.
- Avoid root accounts for day-to-day access; attackers who gain access to these accounts can get persistent access to the entire environment.
- Educating all employees on proper password security in annual training.
The Importance of User Education
User education cannot be underestimated due to the sheer number of individuals who have access to Protected Health Information (PHI) and Personally Identifiable Information (PII). However, nurses, doctors and healthcare assistants are often not savvy in cybersecurity best practices. Thus, training must become standard in order to better protect the industry at large.
We must evolve to institute proper cybersecurity training as an ongoing activity, rather than once a year. Frequent, short bursts of information are more likely to be digested and retained than information from longer annual sessions. In addition to IT and cybersecurity professionals, which the MS-ISAC guidance focuses on, it’s imperative to educate ALL employees – as many outside the cybersecurity and IT scope still have access to sensitive information. The access those employees have – and the sensitivity of the information at stake – increases the attack surface for healthcare organizations, potentially putting not only data, but the wellbeing and even lives of patients at risk. A thorough incident response plan must ensure that all employees regularly receive ongoing training to protect medical databases. A good cyber posture requires a baseline of knowledge for every person within an organization.
Stay a Step Ahead of Phishing Attempts
In addition to broad phishing campaigns that attempt to get any one of many employees to click a link, attackers today also conduct targeted campaigns with more sophisticated tactics such as pretexting (posing as a trusted source to gather information), baiting (offering free music or movie downloads to get login information) or even posing as a C-level executive to trick employees into providing information or performing a function. Without proper education and training, how can we expect employees in the healthcare sector to understand how to properly identify these attacks? We can’t.
Many organizations omit continuous training simply because they aren’t sure where to begin. However, third-party resources are available, including Ninjio, which works with short, regular bursts of information and has kitschy but interesting videos. Or, there is ￼HackNotice, which along with its other services encourages accountability by enrolling employees and family members in breach reports.
Healthcare workers will make better choices when they feel they have autonomy, support and proper education. While mistakes will inevitably be made through human error, hospitals and medical offices can consider adding another layer of protection by implementing protective Domain Name Systems (DNS) services, which analyze queries and can block some malicious activity, including ransomware, at the source.
Other Best Practices
Asset management is a challenge for healthcare organizations due to the variety of connected devices in use, such as scanners, infusion pumps and monitoring devices. This includes monitoring devices that record private patient information like heart rate, blood pressure, and glucose levels. Not to mention the devices implanted inside patients, as well as devices many patients carry with them on a daily basis. While it can be a challenge to track and maintain an Inventory across every moving part in a healthcare system – asset management tools exist that fully eliminate that burden.
Third-party managed service providers (MSPs) can help small and mid-size companies implement security measures that are beyond the capability they are able to provide on their own. However, it is important to remember that complete information on the systems, data and processes that need to be protected must be provided, as MSPs can’t help protect against what they don’t know about.
As outlined in the MS-ISAC guidance, it’s imperative for healthcare organizations to ensure that least-privilege principles are applied across service providers. Service control policies to restrict access to specific services or prevent users from performing certain functions, such as changing cloud configurations or deleting logs, should be implemented.
The threat of ransomware isn’t going anywhere. As a profitable attack vector for cyber threat actors, hospitals and medical offices remain at risk. While the MS-ISAC guidance provides a strong foundation for implementing measures to enhance prevention, response and recovery – there are areas we must improve upon to better protect sensitive information from exfiltration. Through proper organizational-wide education, continuous training, proper phishing awareness, asset management and third-party MSPs – healthcare organizations can establish a more robust cybersecurity posture and better protect against today’s ever growing ransomware threat. Not only will this protect patient data, but patient lives as well.
About Rebecca Gazda
Rebecca Gazda is the Sr Director of Labs at DNSFilter where she is responsible for categorization innovation, classification accuracy, and threat protection. Rebecca has over 15 years of experience in data and analytics, statistics, data science, and technology team management. Her career has spanned several industries including psychology, neuroscience, cybersecurity, healthcare, academia, and clinical research. Her diverse background provides a perspective into cybersecurity that focuses on the human aspects of threats and threat protection.