Methods for preventing hospital ransomware infections and cyberattacks

As hackers continue to use more sophisticated tools to execute cyberattacks, there are six steps IT can take to prevent hospital ransomware infections and other cyberthreats.

The threat of cyberattacks on hospitals continues to rise and has become one of the biggest priorities for IT to prepare for and protect against. More cybercriminals are taking advantage of highly sophisticated and widely available tools to infect and hold hospital data for ransom. To keep sensitive health data inside hospital systems, organizations are looking for effective protection methods to stay a step ahead of cybercriminals and keep their data secure. Many of the traditional protection methods against viruses are not as effective today, and a new approach must be taken to detect and block threats, such as hospital ransomware infections.

The surge in hospital ransomware infections and cyberattacks has not been attributed to a single growing criminal network, but rather to the wider availability of sophisticated tools that can turn any petty criminal with basic IT knowledge into a hospital's biggest nightmare. Tools such as exploit kits (EK) have become some of the most popular Swiss army knives for hackers attempting to infect a machine that has known vulnerabilities. An EK works by checking the computer it runs on for any known vulnerabilities in that system. Once a vulnerability is discovered, the exploit is executed and a payload is downloaded directly onto the computer, either notifying the hacker that the machine is available for remote control or simply loading a ransomware infection. In short, a criminal can send out phishing emails with an embedded link to as many hospital staffers as possible, and then redirect users to a website that contains the EK. From there, the EK will scan the end user's computer looking for potential exploits, then remotely download tools and connect the attacker to the system in a stealthy way.

This method has been proven to cause significant damage as it is able to leverage any exploit that might have been the result of a missing update on Java Runtime, IE, Windows, Adobe Flash Player, or any other known product that has vulnerabilities. However, these attacks do not always come from a URL inside an email. Attackers have also shown that they can deliver EKs from hacked commercial websites with heavy traffic without the knowledge of the webmaster.

Despite the serious threats that exploit kits bring, there are several steps hospital IT can take to protect against the risks associated with these popular and widely used tools. Here are the top recommended methods to defend hospital environments from the threat of cyberattacks.

Adding protections at the browser level

It is no longer sufficient for IT to deploy protections at the OS level or perform URL filtering. A number of attacks that use malvertising and EKs reach the end user through the web browser and cause issues despite other protections that are in place, such as antivirus software. For that reason, one of the new methods of protecting against them is to add protections at the web browser level. There are a number of exploit mitigation tools that can attach themselves to the browser, deliver enhanced security and block malicious code from running. Malwarebytes and Windows Defender for Microsoft Edge are examples of newer protections that can be used to block any attempt by a website to infect the machine.

Backing up all important data onsite or offsite

This recommendation has increased in importance in recent years due to the damage created by ransomware. The rise in these attacks and in the encryption of data, including in some cases the infection of backup files by ransomware, has forced everyone in IT to reevaluate their backup strategy to ensure they can recover efficiently from either onsite or offsite backups. IT should also educate end users to always use the appropriate network locations to store organizational data, so that it is not stored locally on their machines where it is not being backed up.
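One way to check that a backup set has not been altered by ransomware before it is needed for recovery, shown here as an added example that is not from the original article: record a SHA-256 manifest when the backup is written and compare the backup against it later. The function names, the sample file names, the `.locked` extension and the 7.5 bits-per-byte threshold are assumptions made for the illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path):
    # Hash in chunks so large backup images do not have to fit in memory.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def entropy_bits(path, sample=65536):
    # Shannon entropy (bits per byte) of the file's first bytes; close to 8.0 looks encrypted.
    with open(path, "rb") as fh:
        data = fh.read(sample)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def build_manifest(root):
    # Map each file's path relative to root (POSIX form) to its SHA-256.
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def verify_backup(root, trusted, entropy_limit=7.5):
    # Compare the backup under root with the manifest recorded when the backup was taken.
    current = build_manifest(root)
    report = {
        "missing": sorted(set(trusted) - set(current)),
        "unexpected": sorted(set(current) - set(trusted)),
        "modified": sorted(p for p in trusted if current.get(p, trusted[p]) != trusted[p]),
    }
    # Changed or new files that look random are the likeliest to be encrypted (assumed threshold).
    changed = report["modified"] + report["unexpected"]
    report["high_entropy"] = sorted(
        p for p in changed if entropy_bits(Path(root, p)) > entropy_limit)
    return report

def demo():
    # Constructed sample: three files are backed up, then one is overwritten and one renamed.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("patients.csv", "schedule.txt", "notes.txt"):
            Path(tmp, name).write_text(f"constructed sample row for {name}\n" * 50)
        trusted = build_manifest(tmp)  # assumption: stored away from the backup host
        Path(tmp, "patients.csv").write_bytes(os.urandom(4096))  # stands in for encrypted data
        Path(tmp, "notes.txt").rename(Path(tmp, "notes.txt.locked"))
        return verify_backup(tmp, trusted)
```

The manifest is only useful if it is kept somewhere the infected machine cannot write to. Compressed or deliberately encrypted backup archives have high entropy by design, so the entropy flag is a hint for changed files only, not a verdict.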

All applications and firmware must stay patched and up to date

With the number of applications used today in healthcare facilities, running on medical devices and desktops, these products must constantly be maintained and kept up to date. Most successful hospital ransomware infections are the result of missing security updates on machines. IT can take advantage of a number of mature solutions that offer robust patch management capabilities for multiple systems deployed in an environment.

Advanced URL and attachment filtering

Sometimes the best protection is the one that can prevent an end user from landing on the wrong site or block an infected URL or attachment from getting to their mailbox. To help accomplish that, a number of security companies today offer the option to detonate URLs and attachments that come through email to determine whether the content is harmful to the user. These services, from groups like Proofpoint and Microsoft Advanced Threat Protection, add an extra layer of protection to ensure users are not attacked using one of the most popular methods -- emails.

Local device restrictions and network access

IT should always consider limiting the privileges that an end user has on a machine to help reduce damage if the system is infected. In the unfortunate event where a user accidentally visits a website and the system gets infected, the restricted access they have to the local machine and the network would help contain and restrict the damage that the infection can cause. Restrictions can generally be group policies that IT applies across the organization, or security roles that end users are members of that reduce their access to the local system.

Advanced threat protection

Many of today's antivirus products share a common protection method: customers rely on these products to create signatures that detect and block any malware, virus or other infection. The rate at which viruses, hospital ransomware and other infections are being created is causing many of the legacy antivirus solutions to fall behind and, in some cases, allow systems to be vulnerable to attacks despite the use of antivirus software. These tools are proven to not be as effective against the new threats hospitals face, and require health IT to reconsider their use.

Newer protection products available today rely on techniques that allow them to detect malware based on behavior. Once malware is detected, the tools apply specific restrictions and block the infection or attack. The new tools are also able to block access to known infected websites and known EKs to help reduce the risk of infection. There are also tools available today that can monitor a network and use artificial intelligence to detect suspicious activities that may signal a hacking attack or hospital ransomware infection in progress, and then notify IT.

Healthcare will continue to see an increase in cyberattacks that result in extortion. These attacks force hospitals to change their security practices and adopt new tools that will allow them to stay one step ahead of hackers. IT should also keep end users educated on some of the known threats that can impact them in the office or at home, as most attacks originate from end users. This also puts the burden on hospitals to constantly keep up with the current state of security tools, infections and best methods to help protect against them.
