Technology and security professionals throughout the healthcare industry know all too well the disruptive power of ransomware. The WannaCry ransomware worm made headlines in May for locking down IT systems at many organizations around the world, most notably hospitals and other healthcare institutions belonging to England’s National Health Service. Another ransomware incident in 2016 prevented hospital staff in Los Angeles from accessing patient records for more than a week.
The potentially devastating effects of ransomware compel every hospital to prevent infections of its systems. To mitigate risks, organizations must devise a comprehensive strategy that accounts for all technologies and end users, as well as potential infection scenarios.
Assess Medical Device Risks
Ransomware spreads using a wide variety of methods, including tricking people into installation, exploiting vulnerabilities or configuration errors in software, and abusing trust relationships. Every computing device — from servers, desktops, laptops and smartphones to medical devices — is potentially at risk for infection via ransomware.
However, some devices are at greater risk than others. For instance, devices that can’t be kept up to date with patches because of the potential impact to reliability and human safety are more vulnerable to ransomware. A similar problem exists for devices with old operating systems that vendors no longer support.
What’s more, some devices are more vulnerable depending on the method of attack. Devices that are directly accessible from the internet are somewhat more prone to a ransomware worm infection. And tools with traditional operating system interfaces for users — most desktops, laptops and servers — are more likely than other devices to fall victim to infection through social engineering techniques.
Design Layered Security Architectures
Healthcare organizations must absolutely layer their approach to technology security, especially since ransomware spreads using many methods; there is no single way to address them all.
Some of the most commonly used components for an anti-ransomware security architecture include:
- Network segregation: Putting different groups of devices on separate networks makes it harder for ransomware to reach systems and slows down potential spread from one device to another.
- Firewalls: Firewalling each device restricts the set of systems with which it directly interacts. For technology at considerable risk, configure firewalls to permit only approved network and application protocols and deny everything else.
- Patch management: Keeping device operating systems and applications up to date with patches is important in general, but it is particularly vital for stopping ransomware that takes advantage of unpatched vulnerabilities. Priority should be given to patching applications that handle untrusted content, such as emails (email clients) and web pages (web browsers).
- Configuration management: Each device’s operating system and applications should be configured to deter ransomware. For example, the principle of least privilege should be followed, which helps prevent ransomware from gaining access to the administrator-level rights often needed for successful installation and infection. Another important consideration: disable any unnecessary wired or wireless network interfaces.
- Anti-malware, anti-spam and anti-phishing: Attackers may lure users into unknowingly downloading ransomware through files and URLs in emails, web pages, instant messages and other formats. Preventing these downloads from occurring in the first place and detecting any downloads that still manage to happen requires using a combination of anti-malware, anti-spam and anti-phishing technologies to cover as many download mechanisms as possible. Adding reputation services to these technologies makes them even more effective at detecting potential threats.
- Application whitelisting: For some types of devices, application whitelisting may be a viable option. When properly configured and maintained, whitelisting can prevent unauthorized executables, including all ransomware, from being run on a device. However, whitelisting is generally only feasible on well-managed, well-secured devices. These typically are devices least likely to be infected with ransomware, so resources may be better spent on other security technologies.
When planning how to stop ransomware, pay close attention to devices that can’t use all these security components. For example, some devices can neither be patched on demand nor have third-party security controls like anti-malware tools installed. In these cases, consider how to compensate for the unavailable controls. Keep in mind that network equivalents to some endpoint-based controls do exist; where no equivalent exists, network controls such as firewalls can enforce more stringent policies to make up for the missing endpoint-based control.
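As an added example (not from the article), the following POSIX shell script generates a default-deny nftables ruleset for a segment gateway in front of a legacy medical device that cannot be patched, combining the network segregation, firewall and compensating-control points above. The device and PACS addresses, and the choice of DICOM (TCP 104) and HL7 MLLP (TCP 2575) as the only approved protocols, are assumptions for illustration.

```shell
#!/bin/sh
# Added example: emit a default-deny nftables policy for an unpatchable
# device living on its own segment. Only approved protocols to its known
# peer are allowed; common lateral-movement ports are dropped and logged
# explicitly so that a worm probing from (or toward) the device shows up
# in the firewall log rather than silently succeeding.

DEVICE_IP="10.20.30.40"     # constructed: the legacy imaging device
PACS_IP="10.20.1.10"        # constructed: the PACS server it must reach
APPROVED_TCP="104 2575"     # assumed: DICOM and HL7 MLLP only
LATERAL_PORTS="135, 139, 445, 3389"   # SMB/RPC/RDP, never needed here

# Print the ruleset; apply on the gateway with: gen_device_policy | nft -f -
gen_device_policy() {
    printf 'table inet legacy_device {\n'
    printf '  chain forward {\n'
    printf '    type filter hook forward priority 0; policy drop;\n'
    # Replies to flows we already accepted are fine
    printf '    ct state established,related accept\n'
    # New connections: only device -> PACS on the approved ports
    for port in $APPROVED_TCP; do
        printf '    ip saddr %s ip daddr %s tcp dport %s ct state new accept\n' \
            "$DEVICE_IP" "$PACS_IP" "$port"
    done
    # Compensating control: log and drop lateral-movement protocols in
    # both directions, since the endpoint itself cannot be hardened
    printf '    ip saddr %s tcp dport { %s } log prefix "legacy-out: " drop\n' \
        "$DEVICE_IP" "$LATERAL_PORTS"
    printf '    ip daddr %s tcp dport { %s } log prefix "legacy-in: " drop\n' \
        "$DEVICE_IP" "$LATERAL_PORTS"
    # Everything else hits the chain policy; log it for detection
    printf '    log prefix "legacy-drop: " drop\n'
    printf '  }\n'
    printf '}\n'
}

# Helper: does the generated policy explicitly accept new flows to a port?
policy_allows() {
    gen_device_policy | grep -q "tcp dport $1 ct state new accept"
}

# Helper: is a port on the explicit log-and-drop list?
policy_blocks_lateral() {
    gen_device_policy | grep -q "dport { .*$1.* } log prefix"
}
```

Review the log prefixes in the gateway's syslog after deployment: any "legacy-out:" entry is a strong indicator that the device is trying to reach neighbours it has no business contacting.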
Expect Infection and Prepare an Effective Response
No matter how many security technologies are put in place to stop ransomware, infections are practically inevitable. Your organization must prepare to respond quickly to prevent infection from spreading to other devices and to restore normal system operations as soon as possible.
What’s more, it’s essential to regularly back up all valuable data, and verify and test those backups periodically.
Finally, always be ready to reimage, reset or otherwise revert any device to a known clean state. This may mean reinstalling the operating system and applications, performing some sort of factory reset, or swapping out an infected device for a spare. Regardless of the method, it’s important that the clean device be fully protected before putting it back into production; otherwise, another ransomware infection may occur rapidly via the same method.