Ransomware attacks are starting to feel inevitable. A recent HIMSS Analytics survey found that about 50% of hospitals have been targeted by ransomware in the past year, and near-weekly announcements from hospitals and health systems across the nation make it seem like the walls are closing in fast.
Since this form of cyberattack can be particularly devastating to hospital operations, as a growing list of victims has found out, it's important to stay vigilant and take the preventative actions that are within your control. As with many cultural change initiatives, user education plays a vital role, and efforts to improve security awareness and hygiene cannot be downplayed.
Improve security education efforts with infiltration pattern training
For the unfamiliar, ransomware allows outside parties to take control of your data, encrypt it, and then request a sum of money in return for the decryption key.
Staff members need to understand what an infiltration looks like and how to react to it. The most common attack vector for malware, including ransomware, is email. Attackers send out well-crafted emails with wording and logos that are increasingly difficult to recognize as dangerous, and that prey upon our natural tendency to open everything. These malicious emails contain either an infected attachment or a link (for example, a link to download a Google Document). At that point, a single click on the 'Enable Macros' button in the document is all it takes to unleash the ransomware.
But don't think you're safe as long as you don't open any attachments: ransomware infections can happen simply by surfing the Internet. An exploit kit, which runs on web servers and probes visiting machines for vulnerabilities it can use to execute malicious code, requires no interaction with the user. Exploit kits are often hidden behind promoted content links on insecure websites, and the hidden code tells the browser to download the ransomware.
Address the clicking
Education and security awareness training are important, but don’t become overly reliant on education for prevention. It takes just one errant click to defeat all your training efforts, so you must address the clicks that will happen regardless of the amount of security training you invest in. There are several concrete actions that hospitals can take that complement security education:
1. Craft a zero-tolerance security policy.
A zero-tolerance security policy that includes reprimands up to and including termination can make the ramifications of poor security hygiene very real to employees. Use caution, though: if advertised too strongly or applied in a heavy-handed manner, staff morale may suffer. Overall, it's important for management to be able to use their judgement when responding to staff incidents, so a policy that says staff may be disciplined up to and including termination is valuable.
2. Leverage effective email and web gateways.
Email gateways can prevent users from even having the opportunity to click or view malware by blocking or filtering emails determined to be malicious. Only emails and attachments deemed safe are passed on to the user. Web gateways, sometimes called web proxies, analyze web traffic and prevent users from visiting malicious or risky websites or domains.
To manage internet traffic, a more radical step is to employ whitelisting. Your organization could use a whitelist, such as Alexa's list of top sites, to limit user web traffic to sites considered safe. Often such lists are restricted to the top 10,000 sites accessed by the organization.
These filters do come with costs and there are always exceptions to the rule. For example, an HIV researcher may need to access sites that would otherwise be forbidden. Be cautious and ensure that users have an easy-to-use avenue to get legitimate access restored. Consider getting email and web gateways if your organization doesn’t already use them or enhancing, replacing, or supplementing any existing email or web gateways.
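The two gateway checks described above, as an added example that is not part of the original article: an email gateway rule that quarantines messages carrying executable or macro-enabled attachments (Office Open XML files store VBA macros in a vbaProject.bin part, which is what the check looks for), and a web gateway rule that allows a URL only when its host, or a parent domain, is on the allowlist or on a per-user exception list such as the one a researcher would be granted. The sample message, the blocked-extension set, the domains and the allowlist are all constructed for the example.

```python
"""Added example: a minimal model of email and web gateway policy checks.
Attachment types, domains and the sample message are constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed policy: attachment types that can carry executable content or macros.
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".pptm"}
# Office Open XML documents keep VBA macros in a part named vbaProject.bin.
MACRO_PART = "vbaproject.bin"


def attachment_carries_macros(data: bytes) -> bool:
    """Return True if a zip-based Office attachment contains a VBA project."""
    if not data.startswith(b"PK"):  # not a zip container, so not OOXML
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(MACRO_PART) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_email(raw: bytes) -> list:
    """Return the reasons to quarantine a message; an empty list means it passes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
        elif attachment_carries_macros(payload):
            reasons.append(f"attachment contains VBA macros: {name}")
    return reasons


def host_allowed(url: str, allowlist: set, exceptions: set) -> bool:
    """Web gateway decision: allow only if the host or one of its parent domains
    is on the organization allowlist or the user's approved exception list.
    The bare top-level label (e.g. "com") is never a candidate."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return False
    labels = host.split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    return bool(candidates & (allowlist | exceptions))


def build_sample_message() -> bytes:
    """Constructed message: a .docx that contains a VBA project plus a plain note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00")  # constructed macro part
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "nurse@hospital.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(
        buf.getvalue(), maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename="invoice.docx")
    msg.add_attachment("nothing here", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_email(build_sample_message()))
    allow = {"example.com"}
    print(host_allowed("https://docs.example.com/report", allow, set()))
    print(host_allowed("http://example.com.evil.test/", allow, set()))
```

Note that the macro check inspects the container rather than trusting the file extension: a macro-enabled document renamed to .docx still has the vbaProject.bin part. The allowlist match walks up the domain labels so that a legitimate subdomain of an allowed site passes while a look-alike host that merely starts with an allowed name does not.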
3. Manage your machines—particularly clinical workstations—a little bit differently.
While server access for clinical nursing stations is imperative, it's not imperative that these machines be used for the regular email and web-surfing functions that could expose the machine and your organization to attack. Isolate or segment an internet-connected, non-clinical workstation that users can use for checking email and surfing the web. Consider taking both clinical and non-clinical workstations to the point where no data is stored on the machine itself. This would, of course, require educating the end user on where to save data on servers or other cloud storage points, like Box.
Another more radical approach is application whitelisting. This functionality prevents any application that has not been approved in advance from executing on enrolled machines. Even if the end user clicked an infected link, any malware would fail to execute. Most operating systems already come with some form of built-in application whitelisting capability. Certain versions of Microsoft Windows may call it a Software Restriction Policy and Apple calls it AppLocker. While initial set-up of this new process can be time-consuming (it requires taking an accurate inventory of all applications on user machines and fine-tuning to make sure everyone has access to the business applications they need), it is extremely effective and doesn't require any additional purchases.
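The inventory-then-default-deny model described above, as an added example that is not part of the original article and not the code of any particular operating system's whitelisting feature: it records the hash of every executable in an approved program tree (the inventory step), then decides whether a given file may run using two kinds of rule, a path rule for administrator-controlled program directories and a hash rule for individually approved binaries that live elsewhere. Anything matched by neither rule is denied. The directory layout, file names and contents are all constructed in a temporary directory for the example.

```python
"""Added example: a small model of application allowlisting rules (path rules
and hash rules with default deny). All paths and file contents are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Constructed: file types treated as executable for inventory purposes.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ps1", ".msi"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root: Path) -> dict:
    """Inventory step: map the hash of every executable under root to its path."""
    inventory = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            inventory[sha256_of(p)] = str(p)
    return inventory


def execution_allowed(path: Path, trusted_dirs: list, approved_hashes: dict) -> tuple:
    """Default-deny decision. A path rule covers program directories that only
    administrators can write to; a hash rule covers individually approved
    binaries stored anywhere else. Returns (allowed, reason)."""
    resolved = path.resolve()
    for d in trusted_dirs:
        if d.resolve() in resolved.parents:
            return True, f"path rule: {d}"
    if sha256_of(resolved) in approved_hashes:
        return True, "hash rule"
    return False, "no matching rule (default deny)"


def demo() -> dict:
    """Constructed scenario: a trusted program tree, a vendor tool approved by
    hash in a user profile, and an unknown binary in the same Downloads folder."""
    base = Path(tempfile.mkdtemp())
    programs = base / "Program Files"
    downloads = base / "Users" / "nurse" / "Downloads"
    (programs / "EHR").mkdir(parents=True)
    downloads.mkdir(parents=True)
    (programs / "EHR" / "ehr.exe").write_bytes(b"approved clinical app")
    approved_tool = downloads / "labviewer.exe"
    approved_tool.write_bytes(b"vendor tool approved after review")
    dropper = downloads / "invoice.exe"
    dropper.write_bytes(b"unknown payload")

    approved = build_inventory(programs)
    approved[sha256_of(approved_tool)] = str(approved_tool)  # one-off approval
    results = {}
    for target in (programs / "EHR" / "ehr.exe", approved_tool, dropper):
        allowed, why = execution_allowed(target, [programs], approved)
        results[target.name] = (allowed, why)
    return results


if __name__ == "__main__":
    for name, (allowed, why) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({why})")
```

The hash rule is what makes the fine-tuning the article mentions tractable: a clinical tool that must live outside the program directories can be approved individually after review, while an unknown file dropped next to it is still denied. A real deployment would also have to re-approve hashes after each vendor update, which is the ongoing cost of this approach.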
Additionally, ensure you have backups that are not mounted as drives and are therefore less accessible to an infiltration. Focus patching efforts on any software or hardware exposed to access from the Internet, and ensure all default passwords are changed.