What You Need to Know About the Recent Hospital Ransomware Attacks

By Moran Tomer

Regional hospital computer networks in Australia were shut down on September 30th due to a hospital ransomware attack – impacting hospitals belonging to the Gippsland Health Alliance and to the South West Alliance of Rural Health. The cyber incident blocked access to several systems and led to the shutdown of some of the patient records, booking and management systems, causing disruptions primarily to outpatient care.

The next day, a separate attack in the U.S. hit the DCH Health System, a regional hospital and medical complex in Alabama – leaving three satellite hospitals turning away all but the most critical new patients. Estimates are that DCH paid between $400,000 and $700,000 in ransom – because it would have taken months to rebuild the hospital’s data systems. In response to these incidents, the U.S. Senate approved new legislation authorizing the Department of Homeland Security to develop IR teams to help organizations battle ransomware attacks.

Where does this most recent outbreak of hospital ransomware attacks leave us? Or more to the point: How do you ensure that your organization is protected when a new attack hits?

Here are 8 key strategies for positioning your organization so that your security program is optimally set up to avoid ransomware – or, in the worst-case scenario, to let you mitigate the damage if your organization is attacked:

1. Integrate layered security

Let’s start with the assumption that you might not be able to avoid a ransomware attack. But you can do everything in your power to make the attackers’ lives more difficult, placing obstacles in the way of a threat actor to buy time. The longer it takes a potential attacker to reach the target, the better the chances of timely detection and response.

For starters, assess your organization’s security from a layered perspective, providing protection from the core and upward – i.e., designing independent security controls for your assets, for the network layer, for the application layer, etc. Each layer should have its own security controls that are strong enough to keep attackers at bay: procedural controls such as incident response processes, management oversight, and security awareness training – and technical controls such as user authentication (login), logical access controls (see below), Endpoint Protection software, and firewalls.

2. Exercise user access restrictions

Be smart about who receives administrative privileges. Strive to ensure that your employees can access only the information and resources that are necessary to do their jobs – and nothing more. Restricting access to exactly what is needed for each user’s required functions is an important design consideration in enhancing the protection of data and functionality from malicious behavior.

Bottom line: When a user opens an email attachment that is malicious, if that user has administrative privileges (or other additional permissions or privileges), the malware will spread more broadly. But if the user has access to fewer assets, the malware will not be able to spread as far, mitigating damage.
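The "exactly what is needed" principle above is only enforceable if someone periodically compares what accounts actually hold against what their role requires. The script below is an added example (not from the article or from CyberProof) of such an entitlement audit: the role matrix, the account inventory and the entitlement names are all constructed sample data, and the admin-class entitlements it flags as high impact are the ones that would let malware running as that user spread beyond a single workstation.

```python
"""Audit account entitlements against a least-privilege role matrix.

Added example (not from the article or CyberProof): the role matrix and the
account inventory below are constructed sample data, not a real organisation's.
"""
from dataclasses import dataclass, field

# Constructed role matrix: the entitlements each job function actually needs.
ROLE_MATRIX = {
    "nurse": {"ehr_read", "ehr_write_notes", "scheduling_read"},
    "scheduler": {"scheduling_read", "scheduling_write"},
    "billing": {"billing_read", "billing_write", "ehr_read"},
    "it_admin": {"local_admin", "domain_admin", "backup_operator"},
}


@dataclass
class Account:
    name: str
    role: str
    entitlements: set = field(default_factory=set)


# Constructed inventory of accounts and the entitlements they currently hold.
ACCOUNTS = [
    Account("a.smith", "nurse", {"ehr_read", "ehr_write_notes", "scheduling_read", "billing_read"}),
    Account("b.jones", "scheduler", {"scheduling_read", "scheduling_write", "local_admin"}),
    Account("c.lee", "billing", {"billing_read", "billing_write", "ehr_read", "domain_admin"}),
    Account("d.kim", "it_admin", {"local_admin", "domain_admin", "backup_operator"}),
]

# Entitlements whose excess grant lets malware spread far beyond one workstation.
HIGH_IMPACT = {"local_admin", "domain_admin", "backup_operator"}


def excess_privileges(accounts, role_matrix):
    """Return {account_name: set of entitlements not justified by the role}."""
    findings = {}
    for acct in accounts:
        allowed = role_matrix.get(acct.role, set())
        extra = acct.entitlements - allowed
        if extra:
            findings[acct.name] = extra
    return findings


def prioritise(findings, high_impact=HIGH_IMPACT):
    """Split findings into admin-class (high-impact) and other excess grants."""
    high = {n: e & high_impact for n, e in findings.items() if e & high_impact}
    low = {n: e - high_impact for n, e in findings.items() if e - high_impact}
    return high, low


if __name__ == "__main__":
    findings = excess_privileges(ACCOUNTS, ROLE_MATRIX)
    high, low = prioritise(findings)
    for name, ents in high.items():
        print(f"HIGH  {name}: remove {sorted(ents)}")
    for name, ents in low.items():
        print(f"LOW   {name}: remove {sorted(ents)}")
```

In practice the account inventory would be exported from the directory service and the role matrix owned by the business, but the comparison is the same: anything outside the role's set is a revocation candidate, and admin-class extras are handled first.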

3. Focus on user training

Conduct periodic employee awareness campaigns, training your team to avoid opening suspicious emails and clicking on attachments. At the end of the day, it’s the users who let ransomware get an initial hold on an organization’s network – and they are your most vulnerable link. Take the time to educate all members of your organization on how to spot phishing and spam. They should learn to be suspicious of any emails that convey a sense of urgency and should be trained to think twice about opening emails that ask them to bypass standard procedures or contradict common sense.

4. Develop a good backup plan

The most definitive way to make sure ransomware has been removed from a system is to do a complete wipe of all storage devices and reinstall everything from scratch. Formatting the hard disks and restoring attacked resources from a known-good image guarantees that no remnants of the infection remain. Therefore, to ensure you have the option of recovering data from safe backups, establish a strong backup strategy as part of your IR plan that maintains copies of all of your documents, media files, application data, and crown jewels. In case your organization is attacked, separate infected computers from each other, from shared storage, and from the network to prevent the infection from spreading – and use your safe backups and program and software sources to restore the affected environment to normal. A key issue is storing the backups in a way that ensures they are not accessible to ransomware, and this generally means the backups must be stored offline so that ransomware can’t “leap” to a backup drive.
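A backup is only "safe" if you can prove, before restoring, that it was not reached and altered. One lightweight way to do that is to record a hash manifest when the offline copy is made and compare the tree against it before any restore. The following is an added example (not from the article): it builds such a manifest, then tampers with a constructed sample tree in a temporary directory to show how an overwritten file and a renamed ciphertext copy show up in the verification report.

```python
"""Build and verify a hash manifest for an offline backup set.

Added example (not from the article): it uses a temporary directory with
constructed sample files instead of a real backup volume. The manifest itself
belongs with the offline copy so a restore can be validated before use.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backup images fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree against the manifest.

    Reports files whose content changed, files that vanished, and files that
    appeared (for instance renamed copies carrying a ransomware extension).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "patients.db").write_bytes(b"constructed sample database\n")
        (root / "schedule.csv").write_text("room,time\nA1,09:00\n")
        manifest = build_manifest(root)

        # Simulate what an infection reaching the copy would look like:
        # one file overwritten with junk, one replaced by a renamed ciphertext.
        (root / "schedule.csv").write_bytes(b"\x00\xff garbage")
        (root / "records" / "patients.db").rename(root / "records" / "patients.db.locked")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The report is empty only when every file is present with its original digest; any entry under "modified", "missing" or "unexpected" means that copy should not be trusted for recovery.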

5. Implement a strong email security policy

Invest time and resources in adopting the right email security software. Email security gateways monitor inbound and outbound email traffic and block problematic emails with antivirus, antispam, and anti-phishing technologies – and may provide data loss prevention or email encryption functionality. Some solutions offer sandboxing to evaluate potentially malicious files. In addition to implementing an effective software package, make sure users are choosing strong, unique passwords and that they change them regularly – and consider implementing two-factor authentication, which makes it harder for attackers to get into email accounts. For any employees who are working remotely or using WiFi hotspots, set up the use of a VPN.

6. Keep up with vulnerability scanning and patch management

Keeping patches up to date is crucial in eliminating the kind of vulnerabilities that can leave you open to attack. Putting the right processes in place for patching endpoints, servers, apps, and services – whether these are on premises, in the cloud, or on the Internet – provides increased protection. Explore the different options for tools that offer continuous monitoring and inventorying and detect missing critical updates. Be aware of the patch release schedules for different manufacturers and make sure everything in the organization’s IT landscape continues to be current – including operating systems, applications, and end device firmware. Use vulnerability scanners to detect and identify vulnerabilities in the organization’s infrastructure, as this – along with the patching – creates a preemptive defense circle.
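Detecting missing critical updates across endpoints, servers and other devices comes down to joining an asset inventory against an advisory feed and comparing installed versions with the first fixed version. The script below is an added example (not from the article) of that join: every host name, product, version and advisory identifier is a constructed placeholder, not a real release or a real advisory, and in practice the inventory would come from an agent or scanner export.

```python
"""Report assets missing required patch levels from an inventory.

Added example (not from the article): hosts, products, versions and advisory
identifiers below are constructed placeholders, not real software releases or
real advisories. A real inventory comes from an agent or scanner export.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '10.2.14' into (10, 2, 14) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, not a real CVE or vendor id
    product: str
    fixed_version: str    # first version that contains the fix
    severity: str         # "critical", "high", "medium" or "low"


# Constructed advisory feed.
ADVISORIES = [
    Advisory("ADV-0001", "os_kernel", "5.4.20", "critical"),
    Advisory("ADV-0002", "pdf_viewer", "2.3.1", "high"),
    Advisory("ADV-0003", "db_server", "12.8", "critical"),
    Advisory("ADV-0004", "pdf_viewer", "2.4.0", "medium"),
]

# Constructed asset inventory: host -> {product: installed version}.
INVENTORY = {
    "ward-pc-01": {"os_kernel": "5.4.18", "pdf_viewer": "2.3.1"},
    "ward-pc-02": {"os_kernel": "5.4.20", "pdf_viewer": "2.2.9"},
    "db-srv-01": {"os_kernel": "5.4.21", "db_server": "12.7"},
    "infusion-gw-01": {"os_kernel": "4.19.3"},
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def missing_updates(inventory, advisories, min_severity="high"):
    """Return {host: [advisory_id, ...]} where the installed version is below the fix.

    Products a host does not run are ignored, as are advisories below the
    requested severity; advisory order in the feed is preserved per host.
    """
    threshold = SEVERITY_RANK[min_severity]
    gaps = {}
    for host, installed in inventory.items():
        for adv in advisories:
            if SEVERITY_RANK[adv.severity] < threshold or adv.product not in installed:
                continue
            if parse_version(installed[adv.product]) < parse_version(adv.fixed_version):
                gaps.setdefault(host, []).append(adv.advisory_id)
    return gaps


if __name__ == "__main__":
    for host, ids in sorted(missing_updates(INVENTORY, ADVISORIES).items()):
        print(f"{host}: missing {', '.join(ids)}")
```

Running it at the "high" threshold shows the gateway device still on an old kernel line alongside the workstations, which is the point of inventorying firmware and appliances together with servers and desktops rather than patching each class separately.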

7. Develop a strong IR plan

Creating a good IR plan takes time, thought, and several stages of development. It requires identifying your organization’s most critical business processes and assets, documenting the organization’s potential weak points, defining the people inside and outside the organization who are responsible for handling IR and assigning each person a specific role, creating a system for assessing incident severity, and developing response guides for handling specific scenarios. Part of IR development includes doing test runs and tweaking the response so it works optimally. Putting a disaster recovery process in place should also be part of the plan.

8. Work with an advanced Security Services Provider

An advanced Security Services Provider provides in-depth security monitoring that reduces an organization’s degree of cyber risk. It offers the kind of incident enrichment and threat intelligence – as well as automations based on AI and machine learning – that help an organization act quickly and stop a ransomware attack from spreading before it can hurt the business. An advanced Security Services Provider like CyberProof, for example, leverages advanced forensic methodologies to quickly learn the 4 W’s of an incident – “the what, the when, the where, and the who” – that help our expert cyber analysts cut the time required to mitigate events. We work with each of our customers in developing a customized IR plan – providing the kind of advanced contingency planning that allows isolation, containment, and mitigation of a ransomware attack in real time.

Interested in learning more? Speak to one of our cyber experts today.

Written by Moran Tomer
Moran is the Vice President of Global Solutions at CyberProof. He has over 15 years of experience in cyber security operations that include defining, designing, implementing and managing global security operation centers (SOC). Moran brings a wealth of knowledge and experience in multiple cyber disciplines and is focused on adding value to CyberProof’s clients by launching the most innovative technologies and services the market has to offer. Moran holds a BA in Business Administration, numerous cyber security certificates and diplomas, and has won several design awards for his contribution to designing some of the largest SOCs in Israel including the Israeli national CERT.