As healthcare organizations continue to respond to the pandemic, cybercriminals have continued to persist in their attacks on providers, health plans and business associates – compromising sensitive patient data while impacting the delivery of care to patients.

Here, Jeff Horne, Chief Security Officer (CSO) at Ordr, discusses the top cybersecurity challenges for healthcare organizations, as well as mitigation strategies.

Security magazine: What is your title and background?

Horne: I joined Ordr, provider of security for enterprise IoT and unmanaged devices, as their CSO at the beginning of this year. At Ordr, I’m responsible for the security direction both within Ordr products and internal security. I’m also a member of Black Hat’s Review Board, which I’ve been on for more than five years now. I started my career in the security space as a Vulnerability Researcher at Internet Security Systems - working on vulnerability discovery, exploit creation, IDS evasion research, and behavioral detection of malware.

Before joining Ordr, I was the VP of Information Security for Optiv and was responsible for all security operations, governance risk and compliance, endpoint, internal incident response, physical security, and employee security awareness groups. I also had the pleasure of working for SpaceX as Senior Director of Information Security, where I focused on the overall security strategy of SpaceX and managed the information security, compliance (ITAR), security operations, and physical security groups. Even further back, I was the VP of R&D and Chief Architect for Accuvant LABS for almost five years and Director of Threat Research at Webroot Software for almost six years.

Security magazine: What are the biggest cyber risks that the healthcare industry faces?

Horne: The global pandemic has accelerated the healthcare industry as a target for cyberattacks and this will continue to proliferate. The supply chains for PPE, the COVID-19 vaccine, or even companies that produce standard medical equipment are at particular risk for attack.

Right now, healthcare organizations are dealing with the second wave of COVID-19. We’re seeing hospital beds at 90% capacity, there are heightened worries about ransomware, and there is reduced IT and medical support because staff is getting sick.

On top of these newer vulnerabilities, healthcare has been a sector that’s been plagued with these issues for years. Medical devices, like all other computer systems, are vulnerable to security breaches. In fact, Ordr’s researchers  found that nearly 20% of medical devices run on Windows operating systems that are Windows 7 or older. When we look at medical devices, this is a much greater issue since they are usually more difficult to patch -- or patches are not made available by manufacturers.

Security magazine: What are some of the latest ransomware/malware trends and threat groups that are targeting healthcare?

Horne: Recently, there have been high-profile cases of ransomware and researchers warn of a seven-fold increase in attacks, compared to 2019 alone. Hospitals are already a very lucrative target, and the pandemic provides a significant opportunity for threat actors looking to target healthcare providers. In addition, there has been a mass influx in connected devices deployed in facilities without the proper purview of IT and Security teams, leading to an incomplete asset inventory and clear visibility of how/where devices are communicating.

The three most common ransomware campaigns that are targeting healthcare organizations are Zeppelin, Ryuk, and Sodinokibi:

• Zeppelin is believed to be operated by a Russian cyber group, however, very little is known about the operators. The ransomware code is based on a purchasable ransomware variant known as VegaLocker. Zeppelin either starts as a spam or phishing email with an infected document that downloads and installs malware onto the healthcare organization’s system or the operators attempt to exploit vulnerable RDP, Apache Tomcat, and Oracle Weblogic servers available on the internet, and once connected to the infected system, operators can execute their attack.
• Ryuk, or Conti, is also known to be operated by a Russian cybercrime group. The Ryuk ransomware was largely based on a previous ransomware codebase known as Hermes, which was possibly created by a North Korean hacking group. Ryuk also starts as a spam or phishing email, but when the infected document is opened, it drops a Trojan downloader or bot that includes several tools for remote access, privilege escalation, and lateral movement. Once bad actors are in the health organization’s system, they quickly grant themselves privileges and turn off any anti-virus, logging, and detection systems that would detect their movement before distributing their ransomware and then reaching out to organization members via an anonymous email notifying them that their system and data has been taken for ransom.
• Sodinokibi, or Sodin or REvil, is believed to be created and operated most likely by the same Russian group behind the popular GandCrab ransomware. Sodinokibi is somewhat similar to the other operators as there are several methods -- including manual and automated drive-by compromises using spam/phishing attacks, common exploits, and previously compromised passwords -- to gain access to systems. Once inside the network, operators drop various exploit and privilege escalation kits to laterally move throughout and compromise the network. Lastly, all system backup files are deleted and recovery mode is disabled to prevent restoring via local backup before the ransomware is deployed.

Security magazine: How do you go about detecting and responding to ransomware attacks?

Horne: The best thing you can do to respond to a ransomware attack is to take proactive, mitigating actions. Work with trained security experts to assess your vulnerabilities, close security gaps, train employees, and put a written incident plan in place specific to your organization. Of course, having a robust backup strategy that can be quickly recovered from once a ransomware attack occurs is the best way to mitigate the risk of damage, downtime, and having to pay the ransom. There are many antivirus and backup tools out there that can prevent or limit the damage of a ransomware or other malware attack.

However, in the case a ransomware attack happens:

• Isolate infected machines quickly to stop the spread of ransomware to protect systems with important information and reduce the number of infected machines.
• Research free decryption programs and determine which variant of ransomware has hit your network; you may learn that the keys to decrypt your data are easily available.
• If important data is still encrypted, determine whether you should (or if it’s legal) to pay the ransom by following the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments by the U.S. Department of the Treasury and then ask yourself: How valuable is your lost data and can you do without it? Do you have that data backed up and archived? Can you recover from backups quickly? Does losing the data affected by the ransomware put the life of your business at risk?

Ransomware as a service is one of the more insidious attacks that can be unleashed by malicious actors. It usually enters an organization through phishing attacks or vulnerable systems deployed on a network’s perimeter. Once the ransomware operators gain a foothold, the operators spread throughout the network using common exploits or open shares, moving laterally from machine to machine and encrypting important data. Then, once the important data is encrypted, the attackers display a message to pay a ransom, or else the data will be lost forever; that is followed by instructions for transferring money to the attackers via usually untraceable cryptocurrency.

In most ransomware cases, the requested ransom amount increases overtime in an attempt to lure companies to act fast and pay a lower ransom payment. A leading institution of medical research was recently targeted by the Netwalker ransomware and paid $1.14M to recover its data.

Security magazine: What are some of the top mitigations for healthcare IT/cybersecurity teams?

Horne: By some estimates, there are nearly 650 million IoT and IoMT devices operating in the healthcare industry right now, and 82% of healthcare organizations using IoT/IoMT devices have had those devices attacked. With that in mind, the first question CISOs need to answer is “How confident are you in your asset inventory and does it accurately represent what is connected to your network this very second?”

Another challenge organizations face in securing their networks is the sheer scale -- from connected medical and consumer devices like glucometers to local automated machines like parking lot gates -- it’s difficult to have visibility into all the devices that could connect to a health organization’s network. Organizations must understand what is connected to their network at a deep level (i.e. device type, software being run, etc.) and in real-time. A patching strategy needs to be created and executed on devices that vulnerabilities can be mitigated by patching. For machines that remain vulnerable, organizations should segment any vulnerable systems on their network and regulate traffic among devices so that if a breach happens so that threat actors cannot use those devices as a pivot point to access and compromise other devices on the infrastructure.

Additional solutions to mitigate organizational risks and increase efficiency include:

1. Computer maintenance management systems (CMMS);
2. Vulnerability management solutions to inform an overall risk posture and enable vulnerability identification in networks with sensitive devices that cannot withstand active scans and security operations center (SOC); and
3. IT service management (ITSM) tools.