In the last few weeks there have been several high-profile publicized ransomware attacks in healthcare, and inevitably there are dozens that were not reported to the media. These recent attacks with ransomware on healthcare IT systems have reiterated the necessity for efficient preventative measures that, if correctly implemented, could protect organizations from these attacks. In the last week, I have responded to multiple client queries regarding protection from the most recent rash of attacks. There is, of course, no magic bullet that will fix all the systems, but during the course of my research of the latest ransomware iterations made, it is clear that there are two critical points of weakness laying organizations open to these attacks that need to be addressed.

Users and Awareness Training

The first tactic for arming your organization against an attack is to strengthen your weakest link: users and awareness training. This vital element of security preparedness is frequently scoffed at by users as unimportant or redundant information. In my experience, it is likely that users are skipping through the slides and either acquiring the answers from co-workers or simply retaking the test until they pass. A solution must be found for creating a training platform that actively engages users and prevents weaknesses in security that could be avoided by simple knowledge and adherence to policies. Healthcare as a whole has a leg-up on most other verticals, as there is an ingrained culture of patient safety and privacy already in place. If this were incorporated into their awareness training it could have a profound effect on the overall security of the organization and, by association, the patient’s safety.

Systems Patching

Another key factor promoting the success of ransomware attacks is the number of systems that have not been properly patched. Patching, like training, is not a task that people generally enjoy, but almost every successful ransomware attack has taken advantage of known vulnerabilities for which a patch exists. While it may seem obvious that keeping all systems up to date is critical to the security of an organization, the crucial point is that the current crop of ransomware is targeting very specific vulnerabilities. These should be patched as soon as possible. Below is a simple list of the common “families” of malware, their primary attack vector, exploit/payload type, and a link to a complete and well written technical breakdown of the particular ransomware. Again, this is an area in which an ounce of prevention is worth a pound of cure. The best way to avoid falling victim to an attack from a bad actor is to have a qualified penetration tester attack your network for you. A penetration test will find the same vulnerabilities that a hacker could find but instead of using this information to steal data, the tester will report it back to you for remediation.

The healthcare industry provides very effective training and practices regarding patient safety, how to respond to germs and other pathogens, and how to recognize a foreign entity in an individual’s body. Remember that all of this (a real germ or a digital virus) is detrimental to the safety of patients and should be taken as seriously as an infectious disease within the facility.

Ransomware Type Attack Vector Target/Exploit External Writeup Link
SAMSAM Missing System Patches JBoss/JexBoss Cisco Talos Blog
Maktub Locker Phishing/Social Engineering Javascript/Macros MalwareBytes Security Blog
Lucky (Nuclear/Locky) Adobe Flash/Infected ads or websites

Flash CVE 2015-8446

Flash CVE 2015-8651

Flash CVE 2015-7645

Silverlight CVE 2016-0034

Palo Alto Network Research Center Blog