At the end of October – in an apparently coordinated ransomware attack – a Russian cybercrime group compromised dozens of US hospitals with the Ryuk variant and attacked potentially hundreds more. It forced key IT systems offline, leading to the cancellation of appointments and diversion of patients to other facilities.
It’s a scenario feared by the NHS, reminiscent of when it was severely hit by WannaCry in 2017. The threat such attacks pose is now arguably even greater, as they are more targeted and harder to stop.
The UK’s healthcare organizations (HCOs) need to build on security best practices that help with prevention, enhancing resilience and rapid threat detection and response. Nothing less will do in this new era of “human-operated” ransomware.
Raising the stakes
The scale of the threat facing UK healthcare is unknown, though one report claims the sector was the third most frequently hit by ransomware in Q3 2020, accounting for more than 11% of compromises. As yet, UK HCOs have avoided the kind of coordinated campaign seen in the US.
However, alarm bells started ringing back in September when Universal Health Services, which has facilities in the UK, took its IT systems offline after an attack. NHS Digital has since warned the health service to be aware of the evolving tactics of those behind Ryuk attacks.
Hospitals all over the world have been targeted throughout the year. Both Microsoft and Interpol warned of an increased threat in April, for example, and it’s easy to see why: HCOs are stretched to the limit fighting COVID-19 and have access to highly sensitive information that makes them an attractive target – the stakes couldn’t be higher.
There have been major incidents in the Czech Republic, France and Spain over recent months. Perhaps the most notable, and tragic, came from Germany, where a patient died after being forced to redirect to another facility because of a ransomware-related outage.
While this kind of risk exposure will be playing on the minds of every healthcare CISO, there’s also concern associated with potential data theft. Increasingly, ransomware gangs are not just encrypting, but also stealing data. This can then be used as a secondary method of extortion, designed to catch out victim organizations that have backed up and are refusing to pay.
Some reports suggest that even if victims pay up, the group may still publish the stolen data online. There’s also a chance that they may look to monetize that data by selling it on; RSA FraudAction intelligence reveals that healthcare records are now selling for between $100 and $500.
A sitting duck?
Part of the problem facing HCOs is that investments in cloud services, IoT devices and other digital transformation projects have grown their attack surface considerably since WannaCry struck in 2017. The mix of digital and legacy technology from multiple suppliers, and the recent explosion in remote working endpoints, has made visibility and control even more challenging for IT security managers.
We have a perfect storm where hospitals are more exposed to online attacks through their expanded technology footprint, but also more reliant on IT systems and at risk of being extorted. Added to the challenge for NHS trusts is the constant issue of funding shortfalls. Figures suggest that NHS IT investment “can be as little as 1-2% of the annual budget... compared with 4-10% in other sectors.” Meanwhile, one poll of UK healthcare decision makers reveals that just a quarter (24%) feel cybersecurity budgets are adequate.
These challenges are exacerbated by the fact that ransomware attacks are becoming increasingly sophisticated. For example, a Ryuk attack may start with an automated TrickBot compromise, but then attackers will use their foothold inside a network to spend the next few days, weeks or months performing reconnaissance.
Off-the-shelf pen-testing tools like Cobalt Strike, and “living off the land” techniques that abuse legitimate Windows features such as WMI and PowerShell, are used to steal credentials, move laterally and find sensitive data stores. All of this takes place while flying under the radar of many security controls. Then, when the time is right, they’ll hit the launch button to deploy the ransomware payload.
Time to get ready
Network compromise is unfortunately inevitable today. The big question is what UK healthcare IT bosses can do to mitigate the risk of these attacks escalating, and to protect both their patients and the bottom line.
Prevention is always a good place to start. By practicing good IT hygiene, HCOs can make themselves a harder target. Think prompt risk-based patching, multi-factor authentication, strong passwords on user accounts and RDP endpoints, and regular phishing training for employees. Regular data backups are also a useful insurance policy, as there’s no guarantee that even if you pay, you’ll get your data back. Follow the best-practice 3-2-1 rule here: three copies of the data, on two different types of media, with one copy kept off-site.
However, what happens when you come up against a sophisticated enemy wielding multi-stage, APT-style tools, tactics and procedures? Visibility and control across the entire IT infrastructure are vital for security operations center staff in this scenario, as is the ability to track and flag suspicious behavior, and respond quickly and efficiently with as much automation as possible.
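As an added example (not code from the original article), the script below shows what “flagging suspicious behavior” can look like in practice for the living-off-the-land patterns described above: it triages constructed process-creation records, shaped like Sysmon Event ID 1 fields, for an Office client spawning a script host, obfuscated PowerShell switches, and WMI aimed at another machine. The hosts, users, command lines and rule names are all invented for the illustration.

```python
import re

# Constructed process-creation records, shaped like Sysmon Event ID 1 fields.
# Hostnames and command lines are invented for this illustration.
SAMPLE_EVENTS = [
    {"host": "WS-017", "parent": "outlook.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"host": "WS-017", "parent": "powershell.exe", "image": "wmic.exe",
     "cmdline": "wmic.exe /node:WS-022 process list brief"},
    {"host": "WS-040", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\Backup-Check.ps1"},
    {"host": "WS-040", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Mail and Office clients rarely have a legitimate reason to spawn a script host.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Switches that hide the window, skip profile/policy, or pass an encoded script.
PS_SUSPICIOUS = re.compile(
    r"(?i)\s-(?:e|ec|enc|encodedcommand|nop|noprofile|w\s+hidden|ep\s+bypass)\b")
# WMI directed at another machine: enumeration or execution, both merit review.
WMI_REMOTE = re.compile(r"(?i)(?:/node:|-ComputerName\s+)(?!localhost|\.)\S+")


def classify(event):
    """Return the detection reasons that apply to one process-creation event."""
    image, parent = event["image"].lower(), event["parent"].lower()
    cmd = event["cmdline"]
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office-app-spawned-script-host")
    if image in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(cmd):
        reasons.append("obfuscated-powershell-launch")
    if image in ("wmic.exe", "powershell.exe", "pwsh.exe") and WMI_REMOTE.search(cmd):
        reasons.append("remote-wmi-use")
    return reasons


def triage(events):
    """Group flagged events by host so the analyst sees the chain, not lone alerts."""
    findings = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings.setdefault(ev["host"], []).append((ev["image"], reasons))
    return findings


if __name__ == "__main__":
    for host, chain in triage(SAMPLE_EVENTS).items():
        print(host, "->", chain)
```

Grouping by host is the point: a single encoded PowerShell launch is noisy on its own, but the same workstation then reaching out over WMI is the reconnaissance-and-lateral-movement shape worth escalating.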
Finally, it’s time to build resilience. Practicing incident response drills and developing post-breach strategies can massively reduce the impact of future disruptions. Ensuring that identity and security operations practices offer broad visibility and capability across the whole estate is also crucial if organizations are to be prepared for whatever tomorrow may bring.
There’s no end goal here; good cybersecurity is a continuous process of adaptation, overlaid by a considered risk management program. Hopefully, the UK ransomware onslaught will never materialize, but if it does, let’s make sure we’re ready.