Protect Your Healthcare Facility By Understanding the Anatomy of a Ransomware Attack

TAMER BAKER
December 10, 2024 - 3 min read

There used to be some honor among thieves. Threat actors, once upon a time, left healthcare providers alone to avoid the potential of killing a patient. Unfortunately, those times are behind us. Today, healthcare is among the top three industries targeted by ransomware, and the threat continues to grow. Last year, Zscaler alone blocked nearly 4.5 million attacks, up from 3.8 million the previous year. Recovering from ransomware is expensive. The largest ransomware payout was $75 million, and that does not include money lost to downtime, lost revenue, and damage to provider reputation.

The good news is that, based on successful attacks, we know the villains as well as their strategies, and we have the technology to block their efforts. The Change Healthcare attack targeted a third-party application widely used across healthcare organizations to facilitate payments. The application was infiltrated, and the bad actors moved laterally, exfiltrated the data, and then encrypted everything. Ascension Health, one of the largest healthcare systems in the U.S., was breached when an employee unknowingly downloaded a malicious file that was able to move across the network, disrupting critical systems, including electronic health records (EHR), systems used for ordering tests and medications, and patient communication portals.

In both cases, an externally facing system, one reachable from the internet, was to blame, proving the adage, “if you are reachable, you are breachable.” Luckily, there are steps you can take to decrease your “reachability.”

Ransomware Defense 

To prevent attacks and minimize damage, there are actions you can take at each stage of the attack cycle.

  • Minimize your attack surface – To do so, you must hide, or proxy, applications and security appliances by pulling them off the internet. This means avoiding logins to VPNs or other internet-exposed systems and appliances. Phished credentials are no good if there is nowhere to enter them.
  • Prevent initial compromise – Attackers encrypt malware payloads. In addition, once someone gets into your system, their first move is to encrypt everything they are doing so that you cannot see what they are moving and where. Full decryption on firewalls is difficult and cost prohibitive, so a better and easier solution is SaaS/cloud-based full SSL/TLS inspection, browser isolation, and advanced threat protection, as well as the use of sandboxes and deception decoys.
  • Prevent lateral movement – Using a zero trust architecture, ensure users connect only to the apps they need, and connect directly to those apps rather than to the network.
  • Stop data loss and malware delivery – If they still somehow make it through, make sure you have a data protection plan in place – endpoint, internet, email, CASB, etc. 

Efforts must also be made to see and block attackers' command and control. Zscaler supports all of these efforts with cyber threat protection, data protection, zero trust networking, and risk management solutions.

Threats Keep Evolving

Today’s strongest defense is no match for the threats of tomorrow. As highlighted in our ThreatLabz Ransomware Report, organizations need to start preparing for:

  • Highly targeted attack strategies. Malware files are uniquely customized for each organization.
  • Voice-based social engineering, which will introduce a new phishing vector.
  • GenAI, which allows for the quick creation of advanced malware plus personalized attacks that can imitate trusted entities including vendors, banks, and even your children’s school.
  • More reporting of incidents, as mandated by SEC rules for public and private companies alike.

For more details on how healthcare organizations can prepare for and prevent ransomware attacks check out our recent webinar.
