KT Connections Blog

Alert: The Healthcare Sector is Being Targeted with Ransomware

The healthcare industry is under siege as cybercriminals take advantage of the COVID-19 fueled stress to attack and compromise medical centers' data. Learn how to defend against these ransomware attacks, which have gained the Joint Cybersecurity Advisory's attention and should capture yours, too. 

The Joint Cybersecurity Advisory Issues a Ransomware Warning to Healthcare Organizations

In a recent release, the Joint Cybersecurity Advisory, which consists of the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), issued a warning to Healthcare and Public Health Sectors. The advisory was created to inform healthcare professionals of the increasingly aggressive attacks by cyberhackers whose goal is to infect healthcare organizations' systems with ransomware and hold them hostage. 

What is Ransomware?

Ransomware occurs when a hacker uses malware to gain control of your systems, making your data inaccessible to you. Once your data is under their control, they hold it ‘hostage’ and require a ransom be paid for them to release it; hence the ‘ransom’ in ‘ransomware.’ The first step regarding ransomware is to not pay the ransom. There is no guarantee they will actually release your data, and once you pay them, they will likely target you again. The only real protection is having immaculate backups in place and preventative protections.

Why the Advisory?

Cybercriminals are well aware of most healthcare systems' stress as they address the COVID-19 pandemic. Hackers know that stress can lead to security best practices being relaxed. They use this to compromise healthcare systems and hold them hostage. They hope that due to the pandemic's challenges, many healthcare institutions would rather pay the ransom than risk losing valuable time trying to fight off the attack.

Most importantly, medical data is precious to cybercriminals because it contains a wealth of sensitive information that can be used for various nefarious schemes including identity theft. Medical data is one of the more profitable types of data that is exchanged on the Dark Web. They know healthcare organizations would be willing to pay to avoid the regulatory fines that come with a data breach.

How are the Attacks Happening?

When large institutions such as hospitals are attacked, the first assumption is that a coordinated cyberattack broke through their firewall and gained access to their systems. In reality, the hackers are using the most popular method to compromise a system: social engineering. Most malware comes in through seemingly benign phishing emails.

While phishing attacks are usually coordinated, they rely on stealth and not brute force to access your system. Security protocols are designed to resist brute force attacks; cyberattacks that capitalize on human error like phishing often fly under the radar.

How Phishing Attacks Can Compromise Your Healthcare Practice

According to the Joint Cybersecurity Advisory release, two instances of malware are currently being used via phishing to target healthcare organizations, Trickbot and BazarLoader/BazarBackdoor. However, system administrators should be wary of and train their team to recognize any phishing attempts.

Phishing attacks are effective because they target a person’s natural desire to be helpful or to cover up a mistake. This can result in the person breaking protocol to solve a problem or correct an error. Once a target clicks on a link or provides credentials, the hacker can gain access and, in the case of a ransomware attack, gain control of the entire system and hold it hostage.

Phishing emails can appear as average, legitimate business correspondence about essential tasks requiring the recipient's attention. Due to the pandemic, your team may not be as vigilant at detecting these types of threats. A well-trained staff can help prevent ransomware from gaining a foothold.

How to Recognize BazarLoader and Trickbot Malware Attempts

  • The BazarLoader email will link to an infected Google Drive document or a file on another free online file hosting service, typically claiming to be a PDF file. Trickbot uses the traditional method of infected links (URLs) or attachments to supply the malware.
  • In the case of BazarLoader, the ‘pdf’ states a failure to create a preview of the document and contains a link to a URL hosting a malware payload in the form of a misnamed or multiple-extension file.

Keep in mind that these are not the only ways that ransomware can be spread; they are just the tactics that have been observed recently.
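As an added example (not code from the advisory or from KT Connections), the Python sketch below shows how a mail gateway or download monitor could flag the "misnamed or multiple-extension file" pattern described above. The extension lists, the finding labels and the sample file names are assumptions constructed for illustration.

```python
import os

# Assumed lists (not from the advisory); tune them for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Leading "magic" bytes of a few common formats, and the kind each extension should have.
MAGIC = [(b"%PDF-", "pdf"), (b"MZ", "pe"), (b"PK\x03\x04", "zip"), (b"\xd0\xcf\x11\xe0", "ole2")]
EXPECTED_KIND = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip",
                 ".doc": "ole2", ".xls": "ole2", ".exe": "pe", ".scr": "pe"}


def sniff(head):
    """Return the content kind implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def check_download(filename, head):
    """Return findings for one downloaded file: its name plus its first bytes."""
    findings = []
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = os.path.basename(filename).lower().rstrip(". ")
    stem, last = os.path.splitext(name)
    # Padding such as "a.pdf      .exe" hides the real extension in narrow columns.
    inner = os.path.splitext(stem.rstrip())[1]
    if last in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        findings.append("double-extension")
    kind, expected = sniff(head), EXPECTED_KIND.get(last)
    if kind != "unknown" and expected is not None and kind != expected:
        findings.append("content-mismatch")
    return findings


# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("Report_Preview.pdf.exe", b"MZ\x90\x00"),
    ("Report_Preview.pdf", b"MZ\x90\x00"),
    ("notes.pdf   .scr", b""),
    ("Report.pdf", b"%PDF-1.7"),
]

if __name__ == "__main__":
    for fname, head in SAMPLES:
        print(f"{fname!r}: {check_download(fname, head) or 'ok'}")
```

A finding here is a reason to quarantine the file for review, not proof of infection; legitimate files occasionally carry unusual names.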

What are the Best Practices to Protect Your Healthcare Organization from Ransomware?

Ransomware is only effective if your data is irreplaceable. As long as you can retrieve your data, the cybercriminal has no power over you or your business, provided that they can’t access your data directly. Here are some best practices to reduce the risk of ransomware and other cyber threats.

  • Secure, maintain, and regularly test your backups. Develop a backup policy to ensure your data is being backed up on a planned schedule. Doing so will ensure your backup is as current as possible. Many ransomware threats will try and find any backups you may have on your network and attempt to lock them down too. This is why your backup protocol must include offsite storage.
  • Use the 3-2-1 rule when making backups. 
    • You should have three backups of your data, at the very least.
    • Two of these should be stored on various media types, such as a server, external hard drive, USB drive, etc.
    • One of these should be stored off-site, like in the cloud or a secure data center.
  • Maintain current images of your systems in case everything needs to be rebuilt. System images should contain a preconfigured operating system and applications, able to be quickly deployed on a virtual machine or server, reducing downtime.

We can’t emphasize enough how critical it is to your organization to have a backup and recovery (BDR) plan in place. BDR is more than just insurance for your data; it’s insurance for your business’ future. You need to have a plan if you want to have a chance to protect your organization from a ransomware attack.

Do You Have a Ransomware Attack Plan?

The Ransomware Response Checklist is a great resource to help your team develop a plan; however, it is a generic one. South Dakota is a unique environment. For example, we have some of the most robust data security laws in the country, with fines up to $10,000 a day. To be HIPAA compliant in South Dakota, you will need a more personalized approach to cybersecurity. 

South Dakota has a large number of rural clinics. These clinics are prime targets for this type of attack because hackers assume that rural hospitals are less likely to have robust security protocols in place due to their limited budgets. As such, this advisory contains critical information for our rural clinics and hospitals.  

While this advisory is focused on the healthcare sector, all Rapid City businesses can and should take advantage of the warning it offers. Now is the time to develop not only a ransomware plan, but a plan to ensure your data can survive any disaster, whether man-made or natural.  

KT Connections is Rapid City’s premier technology expert. We understand the needs of South Dakota businesses and offer a wide array of IT services and support. We’re well-versed in the healthcare sector's needs and offer services such as HIPAA compliance and Electronic Health Record systems (EMR).

As this notice shows, cybercriminals aren’t taking a break during this pandemic. While sometimes it’s better late than never, it can be too late to protect your system and data from cyberattack. Now is the time to harden your organization against these types of attacks. Call KT Connections today at 888-891-4201 to schedule a consultation.
