Cyber Attacks and Ransomware in Healthcare | ARIA Cybersecurity

In the fall of 2020, a joint advisory from the Cybersecurity and Infrastructure Security Advisory (CISA), FBI, and Department of Health and Human Services (HHS) placed a startling spotlight on the tactics, techniques, and procedures used by cybercriminals to target the healthcare and public health sector, especially related to ransomware. 

What’s painfully clear is that these threats are increasing and evolving as healthcare organizations continue to cope with COVID-19.

The report presents a number of key existing security threats and coinciding indicators:

• Trickbot is a trojan malware deployed initially to target the banking industry and capable of a number of nefarious activities, including credential harvesting, cryptomining, and ransomware deployment just to name a few.
• BazarLoader/BazarBackdoor infect the networks in organizations using C2 infrastructures common among healthcare organizations. It has become an increasingly relied upon vector for ransomware deployment, notably phishing emails linking to actor-controlled files.
• Ryuk ransomware is frequently deployed as a payload from trojans such as Trickbot. Ryuk uses commercial products such as Cobalt Strike and PowerShell Empire to steal credentials and then use native tools to map the network and determine and move through weaknesses.

The FISA, FBI, and HHS have warned that they expect cybersecurity threats to increase dramatically as COVID-19 continues to surge. Some healthcare leaders have expressed they are better prepared when it comes to patient care. But are the same healthcare organizations prepared to mitigate security risks from compounding cyber threats?

Since the healthcare industry tends to lag when it comes to security protocols and systems, cybercriminals will rightly assume that most healthcare networks are more vulnerable in the face of COVID-19. The following are some key mitigating factors your healthcare security team can apply in the near term to help protect your organization from ransomware attacks and focus on community needs.

Confirm best practices are in place and enforced

Standing up to the COVID-19 pandemic has likely impacted nearly every facet of your organization—all hands on deck to meet the needs of patients and the community. As a result, some important IT tasks may have lapsed as focuses shifted. 

Now is the right time to confirm that critical best practices are being adhered to and take the necessary steps to reinforce them with everyone in the organization—and anyone operating within your network. Some open questions to consider as you evaluate the current state:

• Do you have a way to recognize medical devices or IoMT devices as they enter your network? If so, can you also take these devices offline if you need to remediate possible threats?
• Are you implementing OS, system and software patch updates as soon as manufacturers release them?
• Is your staff regularly changing passwords to network systems and refraining from reusing passwords for different accounts?
• Are you using multi-factor authentication whenever possible?
•  Have temporary and contract staff been authenticated as users accessing your network, and are they adhering to the same protocols as your permanent employees?
• Have you identified critical assets in your network infrastructure (e.g., patient databases) and created the necessary backups offline and away from your network?
• Are all of your antivirus and anti-malware solutions set to update and scan automatically?
• Does your crisis management team include someone from your security team?

Reinforce user awareness of security measures

In most organizations—not just healthcare—employees are a primary target for infiltration by cybercriminals. Make employees extra-aware of ransomware, phishing scams, and other cyberattacks and how they are delivered, and why it is critical they recognize and report these threats no matter how busy they are with patient care, as the threat to patient well being is real. 

Ensure that every employee knows who to contact if they observe suspicious activity or if they believe they have been the victim of a healthcare cyber attack. Every minute is critical to your mitigation strategy.

Engage information sharing organizations

Knowledge is power, and the more you are able to anticipate threats the better prepared you can be. The CISA, FBI and HHS Health Sector Cybersecurity Coordination Center (HC3) are essential for threat awareness and collaboration on best practices and risk assessment. The joint advisory also recommends joining healthcare information sharing organizations such as:

•   Health Information Sharing and Analysis Center (H-ISAC)
•   National Council of I-SACs
•   Information Sharing and Analysis Organization (ISAO)

Ensure all remote access endpoints are secure

With some members of your healthcare organization likely operating remote and/or using personal devices regularly, endpoint protection is critical. Ensure that employee laptops have the minimum viable endpoint protection configurations, and be cautious when providing access to corporate applications that store mission-critical or personal information from personally owned devices. Multi-factor authentication should also be used to ensure only authorized personnel have access to corporate applications and information when working remotely.

Finally, rely on your partners to ensure you are aware of changes in the security landscape. Be aware of what your system and supply chain vendors are doing with regard to security that will affect your organization. They may be prioritizing their own business concerns, so make sure you are asking the right questions to hold them accountable to security promises. Now more than ever your organization needs patient care to be a top priority. If it isn’t already, make it clear to your security solution vendors that you are counting on them to help you address emerging threats and alterations in your risk profile.

If all of this seems daunting, there is some good news. ARIA Cybersecurity Solutions are designed to help you overcome healthcare-specific cybersecurity challenges such as securing IoMT devices

Over-relying on the human factor

While all of these best practices may seem to be good in practice, they also rely on humans: manpower and employees use of not enough of or too many cybersecurity solutions. If hospital staff is already stretched too thin or doesn’t have the dedicated security resources it can apply to these challenges, chances are good that something will be missed.

Now the ARIA Cybersecurity Solutions provides an easy-to-deploy solution that can secure healthcare environments. For example, let’s take IoMT devices, ARIA ADR overcomes challenges posed by current security approaches. Since EDR and agents aren’t deployable when an attack on a device is suspected, or confirmed (if it was found at all)  the choice is to  either take out the device—not an option in healthcare settings where patients’ lives may depend on these devices—or shut down those applications the device communicates with. 

With ARIA ADR, healthcare organizations gain all the benefits of advanced threat detection and response capabilities normally found in a SOC at a fraction of the cost. It can be deployed in any environment and covers the entire threat surface--on-premises, data centers, remote devices (including staff working from home) and the cloud.  

• Automatically detecting and stopping cyber threats; especially those that land and expand, such as ransomware
• Never having to take devices offline and disrupt operations
• Stopping threat conversations only; not critical communications

Yet ARIA ADR can do so much more and can provide the following benefits in healthcare settings:

• Leverage advanced AI to find and stop zero-day malware attacks
• Network policies can be set and enforced automatically
• Internal networks can be monitored for abnormal communication paths
• Machine Learning threat behavior models will identify all types of threats without manual intervention. 
• Manage security operations from anywhere, even remotely, and by as little as a part-time resource

With ARIA ADR, users can find and remove threats at the network level to accelerate and improve the entire process related to detecting, investigating, containing, and protecting healthcare organizations against modern cyber-attacks.

For more information on ARIA ADR, please download our Five Critical Security Advantages solutions overview. 

Or, for more information on how to address IoT security, download our  eBook, “New Challenges Call for New Solutions: Advances in IoT Cybersecurity,” today.

About ARIA Cybersecurity Solutions

ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.