Ransomware: Doctor, doctor I’m feeling exposed

Targeted by 15% of total global ransomware attacks in 2016*, healthcare institutions are particularly attractive to cybercriminals due to their vulnerability: ransomware can shut down hospitals, dramatically impact patient care and result in steep regulatory penalties.

Hospitals, pharmaceutical companies, medical insurance and managed care all depend heavily on technology and the availability of data. Access to patients’ information, such as drug histories, allergies and surgery directives, is vital, and blocking a healthcare organisation from accessing its electronic health records puts human life at risk.

The WannaCry ransomware attack in May 2017 affected 230,000 computers and took down entire pillars of the NHS. WannaCry is a virus that exploits a known weakness in Microsoft Windows, a platform used globally in hospitals and healthcare facilities. The virus blocks all data on computer systems until a ransom is paid. In this case, the virus infected medical devices, caused ambulances to be diverted and shut down 16 hospitals**.

Ransomware’s notoriety is unsurprising, considering its ability to evolve and surpass traditional data protection solutions. Beyond the use of sophisticated attack techniques, like social engineering, ransomware has been driven by security holes, lack of patching and inadequate backup and recovery processes. Furthermore, the appearance of anonymous e-currency as a payment method, together with the tendency to pay the ransom, has only served to propagate the problem.

Healthcare information is defined as sensitive under data protection legislation, be it data on patients’ physical or mental state or data from medical devices that help prevent, diagnose, and treat illnesses. Digital transformation expands healthcare IT vulnerabilities in the cybersecurity landscape. The demand for personalised and proactive patient care through health apps poses new data protection challenges. And of course, the use of IoT brings difficulties in protecting data from medical devices connected to the network, because it’s technically feasible for ransomware to take control of these devices.

So the medical sector must know how to prepare for and recover from the inevitable ransomware attacks:

1. Use different credentials for backup storage

This is a standard and well-known anti-ransomware best practice, but it is crucial to follow. The user account that is used to access backup storage should be closely guarded and used exclusively for that purpose. No security context other than the account(s) needed for the actual backup operations should be able to access the backup storage.

2. Start using the 3-2-1 Rule

Have three different copies of your data on two different types of media, with one copy off site. This will help address any failure scenario without requiring specific technology. Moreover, you should ensure that one of the copies is air-gapped, i.e., on offline media.

3. Have offline storage as part of the strategy

One of the best defences against propagation of ransomware encryption to the backup storage is to maintain offline storage, and there are numerous offline (and semi-offline) storage options. These include:

  • Tape – completely offline when not being written or read from
  • Storage snapshots of primary storage – semi-offline technique for primary storage
  • Cloud – a different file system, authenticated differently and off site
  • Rotating hard drives (rotating media) – offline when not being written to or read from

4. Leverage different file systems for backup storage

Having different protocols involved can be another way to prepare for a ransomware attack. It’s therefore imperative that users place backups on storage that requires different authentication. Having a Linux system functioning as a repository is a good example.

5. Achieve complete visibility of your IT infrastructure

One of the biggest fears about ransomware is the possibility that it may propagate to other systems, so visibility into potential activity is of massive value. A pre-defined alarm which triggers if a typical ransomware pattern is identified is a good example.
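
One way such an alarm could work, as an added example that is not taken from the whitepaper or from any vendor product: it treats "many files rewritten with encrypted-looking data by one account within a short window" as the ransomware pattern. The class name, thresholds, account names and file events are assumptions constructed for illustration.

```python
import math
from collections import Counter, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted output sits near 8.0, plain text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class RansomwareAlarm:
    """Fires when one account rewrites many files with high-entropy data in a short window."""

    def __init__(self, window_s=60, max_files=20, min_entropy=7.2):
        self.window_s = window_s
        self.max_files = max_files
        self.min_entropy = min_entropy
        self.recent = {}  # account -> deque of (timestamp, path)

    def observe(self, ts, account, path, sample: bytes) -> bool:
        """Feed one file-write event (sample = first bytes written); True means alarm."""
        if shannon_entropy(sample) < self.min_entropy:
            return False
        q = self.recent.setdefault(account, deque())
        q.append((ts, path))
        while ts - q[0][0] > self.window_s:   # drop events older than the window
            q.popleft()
        return len({p for _, p in q}) >= self.max_files

def demo():
    """Replay constructed events; returns (alarm on normal use?, index of first alarm in burst)."""
    alarm = RansomwareAlarm()
    ciphertext_like = bytes(range(256)) * 16  # constructed stand-in for encrypted data
    record_text = b"allergies: penicillin; drug history: none\n" * 100  # constructed
    # Normal use: one account saves 30 text notes, one per second.
    normal = [alarm.observe(t, "nurse1", f"/ehr/notes/{t}.txt", record_text)
              for t in range(30)]
    # Burst: another account rewrites 25 files with ciphertext-like data in 25 s.
    burst = [alarm.observe(100 + t, "svc-scan", f"/ehr/share/{t}.docx", ciphertext_like)
             for t in range(25)]
    return any(normal), burst.index(True)

if __name__ == "__main__":
    print(demo())  # (False, 19)
```

Compressed formats such as archives and some medical images are also high-entropy, so the window and file-count thresholds need tuning against normal activity in each environment.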

6. Use a backup copy mechanism

Backup copy allows you to create several instances of the same backup data in different locations, whether onsite or offsite and with different restore points and retention rules.

7. Educate all employees on ransomware, not just your IT staff

Establish a strong source of education, communication and support, and this will ensure everybody is equipped to avoid a ransomware attack and to avoid propagating one.

The medical sector demands 24/7/365 access to information, and highly sensitive healthcare data must be guarded at any cost. We partner with Veeam Software as the innovative provider of solutions that deliver ‘Availability for the Always-On Enterprise’. Customers save time, mitigate risks, and dramatically reduce capital and operational costs.

‘Ransomware: Doctor, doctor I’m feeling exposed’ extracts taken from the Veeam whitepaper entitled ‘7 Proven Resilience Best Practices against Ransomware for Health Care’

* 2017 Global Threat Intelligence Report, NTT Security
** “NHS seeks to recover from global cyber-attack as security concerns resurface.” The Guardian. May 13, 2017.


Among all malware attacks on the medical sector in 2016, ransomware accounted for a large majority: 72%. Find out more by downloading the whitepaper.
