How prepared is your organization for the next ransomware attack? Ransomware continues to plague healthcare organizations. Cybercriminals see a tremendous opportunity for financial gain by disrupting the normal operations of healthcare organizations and holding their patient data hostage. And they will keep on attacking until that opportunity no longer exists.
Healthcare organizations are not defenseless, however. With the right prevention strategy, your organization can prevent full-blown attacks and mitigate damage. Here's how you can prevent successful ransomware attacks.
Backing up sensitive patient data and mission-critical systems should be a top priority. If you have a complete, up-to-date copy of data and the ability to keep essential apps running, you might be able to avoid operational disruptions, maintain access to patient information, and refuse attackers’ demands.
Of course, attackers know that backups could ruin their scheme, so many attempt to infect backup copies of data as well as primary data stores. Storing backups in an air-gapped, offline environment or in a separate network segment can help prevent attackers from reaching that data. This strategy might slightly complicate your backup process or slow your recovery effort, but it can also spare your organization from millions of dollars in losses.
Test and validate your backups regularly, ensuring that you have a complete set of data, free of errors. You should also run your recovery process periodically to make sure that you can restore all your data and applications to clean environments in the event of an attack.
Preventing ransomware incidents requires robust security policies as well as plans for how to respond when attacks occur.
Your security policies should touch every application, system, and person that might be affected in a ransomware attack. For example, you need policies for how authorized individuals access sensitive information, what information they can access, and what they should do if they believe they have become a vector for an attack. You’ll also need policies for how to respond to ransom demands, which authorities to notify, and when to contact patients or customers whose personal information might have been compromised.
Having an incident response plan in place is critical for handling an attack swiftly and minimizing disruptions. That plan should include processes for detecting attacks early, isolating or shutting down systems, conducting forensic analyses, restoring data from backups, cleaning systems and decrypting data, and contacting patients or customers.
Set clear security roles and responsibilities before an attack happens. You should know who is responsible for isolating systems, identifying the pathway for infection, decrypting data, and conducting the recovery process. Dividing responsibilities will help speed responses and avoid the chaos that can ensue during an attack.
Most ransomware attacks start with endpoints. Attackers might launch a phishing scheme hoping to trick employees into providing login credentials through a spoofed website. Or they might trigger a download of malicious software onto a user’s computer. Hardening endpoints will play an important role in preventing attacks.
Software and operating system vendors are continuously working to identify and patch vulnerabilities in their products. Make sure your organization is deploying those patches and other security updates completely across all devices that your employees use to access your systems. It might take only one security vulnerability in the browser of one employee to start an enterprise-wide ransomware attack.
Endpoint protection solutions can help you block malware and also prevent user behaviors that could put endpoints at risk. These solutions might enable you to detect and shut down attacks, prevent employees from installing unsecured software, and stop users from visiting suspicious websites.
Meanwhile, firewalls can help ensure that malware does not penetrate the company network. Firewalls monitor and filter network traffic based on rules set by IT and security teams. They can be an effective means of preventing known malware strains from wreaking havoc in your environment.
Several ransomware variants use Remote Desktop Protocol (RDP) or Server Message Block (SMB) ports in the attack. You should review your settings, for both on-premises and cloud environments, and determine whether you need to leave those ports open at all. At the very least, you should ensure you are restricting RDP access to authorized personnel as part of your access control policies.
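As an added example (not code from the original article), a small Python audit of inbound firewall or security-group rules that flags RDP (TCP 3389) and SMB (TCP 445) reachable from the internet or from overly broad address ranges; the rule schema, field names and sample rules are constructed assumptions, not any cloud provider's export format.

```python
"""Flag inbound allow rules that expose RDP or SMB to broad sources.
Added example, not Cloudticity's code. The rule dictionaries are constructed and
use a generic schema (an assumption), not any one cloud provider's export format.
"""
import ipaddress
from typing import Dict, List, Optional

# The two services the article names as common ransomware entry points.
RISKY_PORTS = {3389: "RDP", 445: "SMB"}
# Only RFC 1918 sources no wider than a /24 (e.g. a jump-host subnet) are accepted.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule_exposes(rule: Dict) -> Optional[str]:
    """Return a finding string if the rule admits RDP/SMB from a broad source, else None."""
    if rule.get("direction") != "inbound" or rule.get("action") != "allow":
        return None
    if rule.get("protocol") not in ("tcp", "any"):
        return None
    lo, hi = rule["port_from"], rule["port_to"]
    hit = [name for port, name in RISKY_PORTS.items() if lo <= port <= hi]
    if not hit:
        return None
    src = ipaddress.ip_network(rule["source"], strict=False)
    internal = any(src.subnet_of(net) for net in RFC1918)
    if internal and src.prefixlen >= 24:
        return None  # small private management range: acceptable
    return f"{rule['name']}: {'/'.join(hit)} reachable from {src} (ports {lo}-{hi})"

def audit(rules: List[Dict]) -> List[str]:
    """Run rule_exposes over a rule set and collect the findings."""
    return [f for f in (rule_exposes(r) for r in rules) if f]

def make_rule(name, port_from, port_to, source, protocol="tcp"):
    """Build one inbound allow rule in the constructed schema."""
    return {"name": name, "direction": "inbound", "action": "allow", "protocol": protocol,
            "port_from": port_from, "port_to": port_to, "source": source}

# Constructed rule set: two exposures, two acceptable rules.
CONSTRUCTED_RULES = [
    make_rule("rdp-from-internet", 3389, 3389, "0.0.0.0/0"),
    make_rule("rdp-from-jumphost", 3389, 3389, "10.20.30.0/28"),
    make_rule("all-ports-from-partner", 0, 65535, "203.0.113.0/24"),
    make_rule("https-public", 443, 443, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_RULES):
        print(finding)
```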
Since many ransomware attacks start through email phishing, you might be able to improve ransomware prevention by enhancing email security.
Email filtering and anti-spam solutions inspect emails for signs of phishing and ransomware. They might spot numerous messages from the same domain or identify language within the body of the message encouraging the recipient to urgently click on a link or download an attachment. These solutions can also block access to suspicious URLs and scan attachments for malware.
You might also implement email authentication protocols as part of your domain’s DNS settings. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) can help prevent attackers from sending emails on behalf of a domain they don’t own. Receiving mail servers use these records to verify that a message really came from the domain it claims to come from, and to treat messages that fail the check as spam. When emails are marked as spam, it’s less likely that a user will read them or follow the urgent commands within them.
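As an added example (not the article's own code), a Python checker that inspects SPF and DMARC TXT records and reports the settings that leave a domain spoofable, with a weak pair of records beside a hardened pair; the records are constructed and fetching live records from DNS is out of scope.

```python
"""Audit SPF and DMARC TXT records for weak settings (added example, not Cloudticity's
code). The records at the bottom are constructed; live DNS fetching is out of scope."""
from typing import Dict, List

def check_spf(record: str) -> List[str]:
    """Return findings for one SPF record; an empty list means nothing weak found."""
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    findings = []
    # The trailing 'all' qualifier decides the fate of every sender not listed before it.
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif alls[-1] in ("all", "+all"):
        findings.append("'+all' lets any host on the internet send as this domain")
    elif alls[-1] == "?all":
        findings.append("'?all' is neutral and gives receivers nothing to enforce")
    return findings

def check_dmarc(record: str) -> List[str]:
    """Return findings for one DMARC record; an empty list means nothing weak found."""
    if not record.startswith("v=DMARC1"):
        return ["not a DMARC record"]
    tags: Dict[str, str] = dict(
        kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv
    )
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' tag: you will receive no aggregate reports")
    return findings

# Constructed records: a weak pair beside a hardened pair.
WEAK = ("v=spf1 include:_spf.example.com +all", "v=DMARC1; p=none")
HARDENED = ("v=spf1 ip4:203.0.113.0/24 -all",
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for label, (spf, dmarc) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_spf(spf) + check_dmarc(dmarc))
```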
Ransomware prevention might require some changes in how you approach enterprise security. Adopting a new model will also require implementation of capabilities that restrict who can access particular data.
In the past, many organizations used a perimeter model of security. It was difficult to gain access to the network, but once inside, people and devices were trusted: They were able to access data and apps freely. The problem with this approach is that it allows attackers to implant ransomware fairly easily once they have entered the network.
The Zero Trust approach to security trusts no one and nothing by default. Every person and device must be verified before accessing data, apps, or other resources. That verification is required even if people or devices are within the network. A Zero Trust approach can slow or shut down ransomware attacks by placing additional barriers in front of attackers.
Access controls are an integral component of a Zero Trust security model. You should consider implementing role-based access controls and adopting the principle of least privilege, which asserts that a user should have access only to resources required to do their job. If attackers steal one user’s credentials, they will only be able to access the limited number of systems accessible by that particular user.
Multi-factor authentication (MFA) is another key capability for slowing or stopping ransomware attacks. Usernames and passwords alone are insufficient to protect sensitive patient or customer data. With MFA, you require users to present an additional means of authentication, such as a USB security key or facial recognition. MFA can work with single sign-on (SSO) capabilities to tighten security without making the user experience too difficult.
Attackers sometimes use websites or web-based applications as part of their ransomware attack. For example, they could use a website vulnerability to execute a cross-site scripting (XSS) attack as part of a phishing scheme. In one scenario, attackers inject malicious scripts into a website. They then try to trick individuals into visiting a link that carries the legitimate site’s domain name with the malicious script embedded at the end of the URL. That script triggers a download of ransomware. Protecting internet-facing applications, then, can help prevent attacks from starting and spreading.
Keeping web applications patched and updated is crucial. Attackers are continuously looking for and exploiting vulnerabilities. The sooner you can discover and patch vulnerabilities, the better chance you have of preventing an attack that involves your application.
Web application firewalls (WAFs) can provide a strong defense against the use of web applications in ransomware attacks. These firewalls monitor and filter traffic between an application and the outside world. They can filter out code known for attacking applications, and they can prevent the type of XSS attack in which your domain is coupled with a malicious script.
New ransomware variants and web application vulnerabilities appear all the time. You should conduct regular vulnerability assessments to identify how your web applications are at risk. Those assessments could incorporate penetration testing, in which you simulate attacks on a system to find potential security gaps.
How quickly could your organization resume normal operations if you were attacked? Having redundant systems in place can help you return to normal rapidly.
If an attacker can lock your authorized users out of a mission-critical system or app, your organization might be forced to halt patient procedures or stop insurance payments. If you have redundant systems in place, you can minimize that disruption. In the best case, you would have a complete, up-to-date copy of data available and fully redundant systems in place. You could fail over to those systems with little to no downtime.
Distributing data and systems across locations can help thwart attackers and minimize disruptions. You might keep data stored in your primary data center with a complete copy in a remote, offline location. Even if attackers completely lock you out of all data within your primary location, they might not reach the secondary site. You could continue operating with the backup data in the remote location.
Educating employees must play a central role in your ransomware prevention plan. Employees are often your first line of defense against attacks.
Employees should learn how prevalent phishing and ransomware attacks are in the healthcare industry, and they should be aware of the potentially devastating financial consequences of an attack. Their responsibility is to help stop attacks before ransomware reaches the enterprise network. To fulfill that responsibility, they should learn how to identify potential phishing emails—for example, by spotting incorrect email addresses, misspellings in content, urgent requests, or odd links. They should also know what to do and who to contact in the event they receive a phishing message.
Many organizations conduct phishing simulations to determine whether employees are sufficiently trained to avoid costly errors. Rather than embarrassing individual employees, the goal of these simulations is to provide feedback to the teams running awareness and training programs. Simulations highlight what practices employees have successfully learned and what areas still need work.
Ransomware prevention strategies can help reduce the likelihood of a large-scale, damaging attack. But developing and implementing these strategies can require significant resources. In many cases, organizations benefit from working with outside experts.
Engaging with cybersecurity professionals and consultants can help your organization better assess your existing vulnerabilities, devise a comprehensive prevention strategy, and implement the right combination of security solutions and services. By working with security experts, you can tap into the latest threat intelligence and the experience they have accumulated from numerous client engagements. As a result, you can be sure you are implementing best practices and best-of-breed tools to stop attacks.
Employing managed security services for threat monitoring and response can relieve your internal resources from potential time-consuming tasks. You can rest assured that you have expert teams continuously watching out for new threats and preparing to respond rapidly.
Whether working with external teams or going it alone, you should make a concerted effort to stay up to date with the latest ransomware trends and best practices. Consider participating in forums and communities both in healthcare security and cybersecurity more generally. The more informed you are about shifting tactics used by attackers and successful measures for prevention, the better prepared you will be for whatever lies ahead.
Cloudticity has been helping healthcare organizations stay secure in public clouds like AWS, Azure, and GCP since 2011, and we've never had a breach. With our cloud managed security services, advanced technology platform, and proven processes, we can help you implement and manage a cybersecurity strategy that keeps your data safe while reducing the security burden on your team.
Ready to strengthen your ransomware prevention strategy? Contact the experts at Cloudticity for a free consultation today.