While cyber attacks present a very real and growing threat to every kind of organization, they pose a particular danger to hospitals and other healthcare providers.
These organizations have an incredibly low tolerance for service outages and downtime. Worse, attackers know it. That makes them a popular target and even more vulnerable.
Take, for example, Hancock Health, a regional hospital in Indiana that just paid hackers $55,000 to get its critical systems back up and running after they were infected with SamSam ransomware. Even though the hospital had backups of the files that were encrypted during the attack, the executive team determined that recovering them would take too much time and be too costly. They simply could not afford the downtime.
Or take Allscripts — in an even clearer example of just how disruptive healthcare-targeted attacks can be, the electronic health records company suffered a week of downtime after two of its data centers were infected with ransomware (also SamSam). The impact was felt acutely by physician practices across the country, prompting temporary closures and crippling financial losses.
Unfortunately, the IT professionals tasked with keeping healthcare organizations safe from these threats don’t have time to constantly retool and adapt their security to address ever-changing gaps. They’re often too busy fighting the fires directly in front of them.
To help healthcare IT leaders make more strategic, forward-thinking decisions about their security in 2018, the team at Barkly has identified three key trends in malware evolution. These trends highlight important shifts in attack techniques that every healthcare organization needs to be ready to face.
Trend #1: Hackers are relying less and less on end-user mistakes
Long considered “the weakest link in IT security,” end users have historically been primary targets of malware campaigns designed to trick them into downloading malicious email attachments or visiting compromised websites. Organizations have identified this vulnerability and have invested in email security and employee security awareness training accordingly.
While these are smart steps, when you look at infection trends it’s evident that many attacks are actually evolving to avoid user interaction altogether. The SamSam ransomware infections at Allscripts and Hancock Health are two recent examples. In both cases, attackers took a more direct approach and gained access to the organizations via vulnerable servers.
In 2018, we expect attackers to continue targeting vulnerable servers and unsecured ports, and to keep leveraging other “clickless” ways of infecting organizations. In response, IT professionals should make it a priority to identify and secure open ports immediately.
Trend #2: Cyber attacks are using organizations’ administration tools against them
One of the most troubling trends of 2017 was the prevalence of attacks that abused otherwise legitimate system tools and processes to evade detection and spread infections through networks. Because this approach relies solely on programs that are already present on the system, it’s sometimes called “living off the land.” And since no traditional malware is involved, traditional antivirus solutions have an extremely difficult time detecting it before it’s too late.
NotPetya was one high-profile example of this kind of attack. The initial infection was triggered by users installing an update for a Ukrainian accounting software package, and it spread via PsExec and Windows Management Instrumentation (WMI). Because these tools are widely used by system administrators and don’t typically raise any security warnings, the attack quickly spread laterally throughout victim networks.
To help mitigate the risk of attackers living off the land or making use of other fileless techniques, IT professionals should disable admin tools they aren’t using and restrict access to the ones they are. It’s also critical to utilize endpoint security that isn’t completely reliant on the kinds of defenses these attacks are designed to bypass — things like file scanning and whitelisting.
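The monitoring side of that advice, as an added example that is not part of the original article or any vendor's product: it flags processes launched remotely through PsExec or WMI by accounts outside an approved list, then reports accounts seen on more than one machine. The event fields, account names and host names are constructed assumptions, simplified from process-creation logging.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Assumption: accounts approved for remote administration (hypothetical names).
APPROVED_ADMINS = {"CORP\\svc-patching"}

# Parent processes that indicate a remotely launched child process.
REMOTE_EXEC_PARENTS = {"psexesvc.exe": "PsExec", "wmiprvse.exe": "WMI"}

# Constructed sample events, simplified from process-creation logging.
EVENTS = [
    {"host": "EHR-APP01", "user": "CORP\\svc-patching",
     "parent_image": "C:\\Windows\\PSEXESVC.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe"},
    {"host": "NURSE-WS14", "user": "CORP\\jdoe",
     "parent_image": "C:\\Windows\\PSEXESVC.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe"},
    {"host": "LAB-WS02", "user": "CORP\\jdoe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe"},
    {"host": "LAB-WS02", "user": "CORP\\asmith",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]

def flag_remote_admin_exec(events, approved=APPROVED_ADMINS):
    """Return (host, user, tool, child) for remote execution by unapproved accounts."""
    findings = []
    for ev in events:
        tool = REMOTE_EXEC_PARENTS.get(basename(ev["parent_image"]).lower())
        if tool is None or ev["user"] in approved:
            continue
        findings.append((ev["host"], ev["user"], tool, basename(ev["image"])))
    return findings

def accounts_spreading(findings, min_hosts=2):
    """Map each account to its hosts when it appears on at least min_hosts machines."""
    hosts = defaultdict(set)
    for host, user, _tool, _child in findings:
        hosts[user].add(host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    hits = flag_remote_admin_exec(EVENTS)
    for hit in hits:
        print("ALERT", hit)
    print("Multi-host accounts:", accounts_spreading(hits))
```

The WMI provider host also launches processes for legitimate management agents, so the approved list needs tuning against a baseline before the alerts are useful.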
Trend #3: Attacks are being built to propagate automatically
2017 also saw a resurgence in attacks leveraging worm components to transform single infections into network-crippling events. The WannaCry ransomware outbreak used this technique to spread to an estimated 400,000 computers in more than 150 countries. That success has inspired other malware authors to add worm components, and unfortunately plug-and-play options now make it quick and easy to add this effective weapon.
Taking a big picture view, this development demands that IT professionals no longer consider attacks in terms of only the risk of a single employee infecting a single machine. Now, it’s very easy for that one infected machine to become a catalyst for a larger outbreak that can take down internal and external networks in a very short period of time.
To help reduce the risk posed by worms, IT professionals need to prioritize security that blocks these kinds of attacks at the outset, before they have the chance to spread.
Key for 2018: Security that evolves at the pace of attacks
There is no doubt criminals will continue to build off these trends to conduct increasingly advanced attacks in the year ahead. According to the Ponemon Institute, over a third of the attacks in 2018 are projected to utilize fileless techniques that bypass antivirus solutions. That is a change many healthcare organizations currently aren’t ready for. In order to protect themselves, they need to proactively make changes to their security now.
The good news is new solutions are available that have been specifically designed to block fileless attacks. Innovations in machine learning also give them the ability to actively learn and adapt the protection they provide on a nightly basis, so they can keep organizations continuously protected even as new malware is discovered. The organizations that are able to harness these new innovations effectively will find themselves one step ahead in the ongoing race to stay protected — a race where it’s increasingly easy and costly to fall behind.
About Mike Duffy:
Mike Duffy is the CEO of Barkly, the company advancing endpoint security by combining the strongest, smartest protection with the simplest management. Mike has a history of creating winning teams and valuable technology companies. Prior to founding Barkly, Mike led OpenPages to become the leading provider of GRC solutions for the enterprise, achieving record growth and a global market presence that resulted in the acquisition of OpenPages by IBM in 2010. Before OpenPages, he held the role of General Manager for Intel's wide area networking business, served as Senior Vice President of Worldwide Sales and Marketing at Shiva Corporation, and led sales and marketing for internet pioneer BBNPlanet. Mike has been the recipient of the Ernst and Young "Entrepreneur of the Year" award.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.