Recently, three different hospitals across the U.S. have declared states of emergency after hackers hijacked computer networks, freezing operations until a ransom was paid. Such attacks are always cause for concern, but in the healthcare industry, ransomware threats are a matter of life or death.
The recent wave of ransomware attacks has crippled several U.S. hospitals, leaving administrators across the country scrambling. In some of the worst cases, it's been reported that ransom demands have reached as high as millions of dollars, while thousands of dollars in recovery costs have already been surrendered to hackers.
Ransomware, a malicious software designed to block access to a computer system until a sum of money is paid, first surfaced in the late 1980s with the "AIDS" trojan (also known by the name "PC Cyborg"). It demanded that users send $189 to a PO Box in Panama. Today, the underlying tactics have remained the same, except we now deal in bitcoin instead of snail mail, and with higher stakes.
For healthcare institutions, damage implications reach far beyond financial burden. When hackers hold hospital data hostage, doctors and nurses are unable to provide proper care, which leaves patients' lives at risk.
Today's strains of ransomware are extremely sophisticated and the organized crime groups controlling them are getting smarter about distribution. As our familiarity has grown with detecting modern versions of ransomware like CryptoLocker and CryptoWall, new strains like Locky and Samas have replaced them. And as new defenses go up, the hacker thieves ship out fresh variants monthly to stay one step ahead. The most common delivery methods are still based on phishing campaigns, but many ransomware attacks have successfully passed defenses by hiding in online advertising using exploits found in common web frameworks like Adobe Flash and Microsoft's Silverlight.
The latest FBI advisories indicated that Samas strains are targeting servers running an open source enterprise application platform called JBOSS, widely used by healthcare IT service companies. Hospitals have deployed JBOSS in back office management services for the last decade because of its low cost of ownership and open codebase. But while support for tools like JBOSS is freely available through the open source community, patching -- or fixing a bug or adding a new feature or documentation to a project -- often comes at a high cost due to complicated deployments and potential adverse effects on custom applications. For this reason, many hospitals fail to update critical security patches and leave themselves exposed to exploitation by hackers. With targeted malware like Samas, vulnerable JBOSS installations offer a means of persisting once a network is compromised using other tools.
So, why aren't ransomware attacks being stopped by the firewalls and anti-virus tools in place? And what steps can hospital administrators take to prevent them from occurring?
The simple answer is that hospitals cannot prevent ransomware attacks, but they can better prepare for them with early detection and action. In the same way that a vaccine does not prevent viruses from evolving to bypass immunization, ransomware is ever-evolving; to maintain your organization's network health, proactive screening and monitoring are the fundamental keys to the strongest defense possible.
We now live in a time when "prevention" fails us and, while anti-virus tools are capable of thwarting basic attacks, most adversaries have moved on to designing custom malware uniquely for every attack. Hacker thieves have access to automated tools that rival the most aggressive multi-channel marketing campaigns to find exploitable users and porous endpoints. These days, the perimeter that hospital IT administrators have built around their databases is no more than a speed bump along the on-ramp to your network.
Revealing and stopping ransomware attacks requires different tactics that focus on identifying early signs of "sickness" before they become system level catastrophes.
It begins with auditing logs and monitoring network traffic but it is made effective only when the pieces are put together in a meaningful way. Correlating data from multiple sources within the context of protecting mission critical services drives better visibility into security gaps. This also means continuously tracking anomalous user account activity, file integrity changes, network and host intrusions and application vulnerabilities.
Having a security operations center that is tracking all system changes 24/7 and alerting new findings to key IT stakeholders is the best way to protect critical operations and sensitive data. With active monitoring, healthcare institutions can more easily pivot, create new hurdles and eventually kick out an unwelcome visitor on the network.
In the wake of high profile ransomware assaults on hospitals, administrators who are scrambling to revisit their internal ransomware plans should consider prevention dead. Networks are a living, breathing patient and, although you cannot unequivocally stop a virus from spreading, early detection and remediation are critical to keeping your organization healthy. Around the clock, your tools, sensors and applications are alerting hospitals to bad things that are constantly occurring, and it's time that administrators take note so that future attacks do not become tragedies.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.