After writing about the effects of ransomware on the healthcare industry as part of an ongoing series of analyses, Ian Bolland caught up with blog author Allan Liska about the challenges healthcare faces. You can read his analysis here.
How can healthcare providers become less of an ‘easy’ target to ransomware actors?
Strong defences are the surest way to avoid becoming an easy target. Knowing the ways in which ransomware is spread is a good first step towards establishing a good defence. We primarily see three types of attacks:
- Phishing attacks, in which the attacker sends an email with a fake invoice or trojanised document attached and entices the victim to open the document or click on a link.
- An attack where the attacker accesses the network through an open or vulnerable service that is Internet accessible, such as Microsoft’s Remote Desktop Protocol (RDP).
- Attackers will also use trusted partners to gain access. So, the attacker compromises a service provider who already has access to multiple high-value targets and piggybacks on that access to launch their attacks.
Establishing good cyber defence can be especially challenging for healthcare providers. Many healthcare systems are locked down by vendors, so system administrators can’t always patch them as easily as they can in other industries. This means that healthcare organisations have to take other measures to protect themselves. Some of the things that healthcare providers can do to protect themselves include better network segmentation to prevent these attacks from spreading, enabling two-factor authentication, continuous phishing training and maintaining and testing a robust backup system.
You reference the United States a lot in your analysis – how big a problem is it in other countries?
While our analysis has focused on the United States, ransomware is a global problem. The healthcare industry presents one of the most famous international examples, when in 2017 WannaCry caused major disruptions to the UK’s National Health Service. That year, the same ransomware affected as many as 150 countries. Beyond that attack, there have been many others. Just recently, several towns in Spain were infected with ransomware, and one of the largest healthcare systems in Australia was hit with ransomware that disrupted 10 hospitals. There are some challenges with data collection for overseas ransomware incidents that we are trying to overcome, which will allow us to maintain a more global view of the ransomware problem.
The lack of reporting of a ransomware attack – should this be something that alarms us? What do you think the intent is behind not reporting them?
There are a few reasons why an organisation may not report a ransomware incident. They may be doing their own damage control, trying to protect their reputation and brand. They may view the incident as a one-off and assume that, as long as they can decrypt files and clear the malicious software from their own systems, reporting only brings about bad press. The problem is that failure to report makes it more difficult for law enforcement and other cybersecurity professionals to identify groups and tactics that may be targeting other systems. For instance, if the delivery mechanism for ransomware was an email attachment, then reporting that to CISA can lead to better coordination with vendors who block malicious emails and software developers who can patch exploitable vulnerabilities.