Human-operated ransomware: why health and life sciences organizations should pay attention
By Joseph Davis, Chief Security Advisor, Microsoft
Ransomware existed in small pockets starting in 2013 and was opportunistic, typically affecting one or two devices within an organization.
The more popular and destructive types of ransomware appeared as WannaCry in May 2017 and NotPetya in June 2017. Because these variants of ransomware used vulnerabilities in unpatched operating systems to propagate, this kind of ransomware affected entire organizations rather than one or two devices.
Cybersecurity organizations started noticing a business model built on these more sophisticated and persistent types of ransomware starting in June 2019. This vastly expanded ransomware into an enterprise-scale operation that blends targeted attack techniques with the extortion business model, threatening disclosure of data or encryption of data in exchange for payment. Human-operated ransomware is persistent, which means that it can mutate to evade detection by common anti-malware systems. This allows it to remain hidden within an organization and be used again in the future.
How human-operated ransomware affects the health and life sciences industry
Criminal organizations target critical infrastructure, which may include the electrical grid, gas pipelines, water management, schools, governments, traffic management systems and even healthcare organizations. These criminal organizations realize that time is of the essence when providing patient care because lives are on the line. This makes a healthcare organization that has been hit more likely to pay the ransom in order to return to business as usual.
Defining the risk of human-operated ransomware to senior management
Many examples of ransomware incidents affecting 500 or more individuals in the healthcare sector are available for reference. The U.S. Department of Health and Human Services Office for Civil Rights keeps records of reported incidents in healthcare throughout the U.S. Given these overwhelming statistics and the net impact of ransomware on healthcare organizations, it should be less difficult than before to create a business case for senior management to implement the right people, processes and technologies to lower both the likelihood of an incident and the severity of its impact.
Reduce the risk of becoming a victim of any kind of ransomware
- Use an integrated and automated cybersecurity solution. This approach enables you to “see” everything, giving the technology the opportunity to share intelligence throughout the attack chain and to apply the NIST Cybersecurity Framework functions (identify, protect, detect, respond, recover) in the early, middle or late stages of the attack. Best-of-breed but unintegrated point solutions lack this built-in integration, so they have difficulty sharing their intelligence across the stages of the attack chain.
- Use security orchestration and automated response (SOAR). Cloud-based integrated solutions come bundled with sophisticated security orchestration and automated response (SOAR) capabilities, so defensive and remediation activities will execute either before the attack occurs or before the ransomware has a chance to spread throughout the organization’s infrastructure.
- Deploy cloud-powered threat intelligence. Real-time detection, analysis and remote remediation of advanced attacks call for sophisticated machine learning algorithms to analyze billions of pieces of data to differentiate between what looks trustworthy versus what looks suspicious. The ability to analyze attack behavior data at hyperscale gives the integrated system the advantage of detecting and preventing malicious behavior before it can do harm.
- Move to cloud services to reduce patch management debt. If you are responsible for the infrastructure in your environment, such as servers running in a data center or infrastructure as a service in the cloud, ensure that every tier of the system is up to date on patching. That means that everything from firmware to the operating system to the drivers to the application that runs on the operating system, the database and any other code (whether commercial or proprietary) must be vulnerability-free to the extent that it can be. Risk can never be zero percent because the possibility always exists of a zero-day vulnerability that neither the customer nor the vendor is aware of before a patch is issued for it.
- Move to the cloud to simplify vulnerability management. PaaS and SaaS applications do not need patching by the customer, because under the common shared responsibility model the cloud service provider is responsible for vulnerability management of the platform and service layers.
- Move to the cloud to simplify and accelerate backup and recovery. It is simpler to ensure backup and recovery of data residing in cloud-based services than on-premises, usually by adding a backup service. These services ensure that if data residing in cloud services becomes affected by ransomware, recovery can be both immediate and comprehensive.
- Practice cyberhygiene. This concept means understanding what resources are in production and implementing secure benchmark configurations that protect those resources. In other words, cyberhygiene is good configuration governance and should be approached comprehensively for on-premises and cloud resources.
- Implement the Zero Trust model. A Zero Trust approach means that any device or user is evaluated for risk before it is permitted to access resources like applications, files, databases and other devices. This decreases the chance that a malicious identity or device would have the ability to access resources and install or propagate ransomware.
The stakes have changed, and nowhere can the impact of human-operated ransomware be felt more acutely than by health and life sciences organizations. By taking these steps, organizations can make it harder for a ransomware attacker to get into an environment, limit the scope of the damage, and recover from an attack without having to pay the ransom, so they do not become a target for another attack because of a history of paying ransoms.
By Microsoft Security