In this final article in our three-part series on ransomware in healthcare, we discuss current trends and, more importantly, how organizations of all sizes can protect themselves and the PHI they hold from this growing threat.
One trend relates to how criminals choose their victims. Depending on how well a target is secured, breaking in can take a large investment of time. If an attacker spends all week penetrating a network and deploying ransomware, only to find that the victim refuses to pay and simply restores its systems from offline backups, that time was wasted. What if, instead, the attacker spends that time breaking into an MSP (Managed Service Provider) that manages IT for 300 small businesses? This may be somewhat harder, but the payoff can be orders of magnitude greater, because the MSP's remote management tooling gives the attacker ready-made, privileged access to hundreds of client networks that the MSP monitors and controls. The attacker can then extort the MSP as well as each of its clients, and an MSP facing that situation is highly motivated to pay. 2019 was the breakout year for this trend and there is no end in sight.
A related and even more ominous trend is seen in the software supply chain, where attackers compromise a software vendor or the products it ships, so that everyone running that software is potentially affected. The SolarWinds and Kaseya incidents are prime examples: in the SolarWinds case, a backdoor was inserted into a legitimately signed update of the Orion network management product and delivered to customers through the vendor's own update channel; in the Kaseya case, attackers exploited vulnerabilities in the VSA remote management product used by MSPs and used it to push ransomware to the MSPs' customers. The impact can be far worse than an attack against even a large MSP. If a threat actor controls your anti-virus, network management, or security software, it already runs with the highest privileges on your systems and is trusted by your defenses, so the possibilities for the attacker are nearly limitless.
Phishing campaigns are yet another trend in ransomware deployment. Here, the vulnerability isn't so much technical as it is human. Users are sent emails with malicious attachments which, when opened, install malware on the user's computer. Emotet is a common example: it is typically distributed as a Word or Excel document carrying a malicious macro that runs when the user clicks "Enable Content," and the resulting infection may, in turn, deploy additional tooling such as Cobalt Strike that hands the attacker interactive access to the network. Many phishing emails are blocked by mail filters or can be spotted by well-trained users because they originate from outside the organization or contain poor spelling or grammar, but they can also be quite sophisticated. A trend within this trend is to compromise a trusted user's email account (such as a senior IT or finance employee) and use it to send a new wave of phishing emails to fellow employees, often as replies within existing conversations. Since these emails now come from a legitimate internal mailbox rather than a suspicious external domain, they pass the "is this sender external?" check and are much more convincing.
So, what can organizations do to protect themselves from all this? Performing due diligence when selecting an MSP can help, but as we have seen it isn't foolproof. Regularly monitoring activity on your information systems is another method. HIPAA's Security Rule requires information system activity review anyway, so doing it well can help you avoid regulatory fines as well as catch an intrusion before encryption begins. Training your staff to recognize, guard against, and report phishing emails and other forms of malicious software is also required by HIPAA, and it is effective protection against phishing, but people make mistakes and some will still fall victim.

However, all is not necessarily lost if a user opens a malicious attachment. One of the most cost-effective ways to safeguard your environment is to adopt the principle of "least privilege." In general, users should not have administrator rights to their workstations. Malicious attachments often rely on the user's privileges to install their payload, disable security software, or spread to other machines; without those rights, opening the attachment may result in a failed deployment. One caveat is worth stating plainly: malware that runs in the user's own context can still encrypt every file that user can write to, including mapped network shares, so least privilege limits the blast radius and blocks the attacker's next steps rather than making the click harmless. The beauty of this simple but effective safeguard is that it does not require the purchase of expensive software or payment of ongoing maintenance fees. The lesson here is that not all security measures have to be costly.
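The first step toward least privilege is knowing who actually holds local administrator rights today, since years of one-off exceptions tend to accumulate. The following PowerShell script is an added example written for this article, not a tool from the original page: it audits the local Administrators group on a list of workstations, flags any member that is not on an approved list, and can optionally remove those members. The hostnames and approved group names are placeholders for your environment; it assumes PowerShell remoting (WinRM) is enabled on the workstations and that you run it from an account that is a local administrator on them.

```powershell
# Added example, not from the original article.
# Audits (and optionally remediates) local Administrators group membership.
# Assumptions: PowerShell remoting is enabled, the caller is a local admin on each
# target, and $ComputerName / $Approved are placeholders for your own environment.
param(
    [string[]]$ComputerName = @('WS-001', 'WS-002'),                            # placeholder hostnames
    [string[]]$Approved     = @('CORP\Domain Admins', 'CORP\Workstation Admins'), # placeholder allow-list
    [switch]$Remediate                                                           # default is report-only
)

$findings = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    param($Approved)
    # Get-LocalGroupMember returns Name (DOMAIN\user or HOST\user), ObjectClass, PrincipalSource and SID.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object {
        # The built-in local Administrator account always has RID 500; keep it (rename/disable it separately).
        $isBuiltIn = ($_.PrincipalSource -eq 'Local') -and $_.SID.Value.EndsWith('-500')
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name
            Type     = $_.ObjectClass
            Source   = $_.PrincipalSource
            Approved = $isBuiltIn -or ($Approved -contains $_.Name)
        }
    }
} -ArgumentList (,$Approved)

# Report everything, then call out the members that should not be there.
$findings | Sort-Object Computer, Member | Format-Table -AutoSize
$unexpected = @($findings | Where-Object { -not $_.Approved })

if ($unexpected.Count -eq 0) {
    Write-Host 'No unexpected local administrators found.'
    return
}

Write-Warning ("{0} unexpected Administrators group member(s) found." -f $unexpected.Count)

if ($Remediate) {
    foreach ($f in $unexpected) {
        # Removal runs on the workstation itself; domain accounts and groups are removed by their DOMAIN\name.
        Invoke-Command -ComputerName $f.Computer -ScriptBlock {
            param($Member)
            Remove-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction Stop
        } -ArgumentList $f.Member
        Write-Host "Removed $($f.Member) from Administrators on $($f.Computer)"
    }
}
```

Run it without -Remediate first and review the table: a workstation where the interactive user appears in the list is exactly the case the paragraph above describes, and those entries are the ones to remove. The approved list is matched on the exact DOMAIN\name string, so keep it to a small number of administrative groups rather than individual accounts, and rerun the audit on a schedule, since rights that are granted "temporarily" to fix a problem are rarely taken back.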