How Healthcare Systems Can Stem the Tide of a Growing Wave of Ransomware Attacks

Dan Schiappa, Chief Product Officer, Sophos

It was easy to overlook in a news cycle increasingly dominated by the election, but on October 28th, a trio of federal agencies – the FBI, Department of Health and Human Services (HHS), and Cybersecurity and Infrastructure Security Agency (CISA) – issued a warning notice of an “imminent and increased cybercrime threat to U.S. hospitals and healthcare providers.”

This wasn’t just a forward-looking alert, either; according to White House officials, some hospitals had already been attacked by ransomware at the time of the advisory.

2020 has been a rough year on a lot of fronts, and cyberattacks aimed at hospitals and health systems have certainly been one of them. In September, ransomware struck a German hospital, leading to a delay in patient care and one woman’s death. This ransomware attack is most likely the first instance of malware linked to a human fatality. The perpetrator behind that incident was Ryuk, a ransomware gang that has racked up millions in extortion cyberattacks over the last two years, and has increasingly shifted focus to hospital and health systems in 2020.

In addition to the attack in Germany, Ryuk – after seemingly taking the summer off due to COVID-19 concerns – came back with a vengeance this fall with an attack that knocked offline hundreds of healthcare facilities across the US and UK. Squeezing hospitals for ransom payments while holding up patient care due to unavailable medical records is an enormous pressure on its own, but during a global pandemic it’s outright devastating. Perhaps even more alarming in this case is that Ryuk wasn’t coordinating a string of separate attacks, but rather concentrating a single attack on one connected health system, resulting in profound ripple effects for hundreds of healthcare facilities – and consequently, countless doctors, nurses, and patients. All of that, from one attack.

While Ryuk is one of the more prominent ransomware names at the moment, it’s really just the tip of the spear on a growing and increasingly alarming threat that’s aimed squarely at healthcare systems. In the eyes of ransomware attackers, hospitals are the perfect Goldilocks-esque “they’re just right” target: they can’t afford to have their systems down because unavailable information and delayed patient care are literal matters of life and death, nor do they have the dedicated IT security teams of other enterprises to adequately defend against or even detect ransomware attacks.

With a Ryuk resurgence that’s rolling out new spear phishing campaigns to hook unsuspecting hospitals, and an overall growing trend of ransomware attacks percolating, what can health system administrations do?

The 5 ransomware safeguards every health system must take

  1. Companywide education. IT security isn’t just the responsibility of security professionals; it’s something that every employee can, and should, partake in. Everyone with a password needs to be taught about and set up with two-factor authentication. Everyone with a hospital email account needs to know about and follow through on creating stronger passwords. Everyone has to know what spear phishing emails and attachments look like. This is especially important, as phishing is a major vehicle for ransomware delivery and has become particularly acute during the pandemic, with a major uptick in phishing emails that infect hospital networks by co-opting names resembling legitimate health organizations. It’s easy to see how a hospital employee may be liable to open an email ostensibly from the World Health Organization about new COVID-19 treatment breakthroughs, only to unwittingly unleash ransomware on their network.
  2. Endpoint detection and response (EDR). Averting a ransomware attack isn’t just putting up a firewall that blocks a specific malware package; it’s about disrupting the attack chain from end to end so that the attacker is stopped dead in their tracks. Deploying EDR across every device on the network, and ensuring every endpoint is secured with up-to-date protections, thwarts ransomware attacks and provides threat response teams with the context they need to actively track down adversaries, identify threats, and act accordingly.
  3. Basic IT hygiene. You don’t need to build a full-fledged security department from scratch. There are many basic measures hospitals can adopt that go a long way. Installing the latest security patches, implementing multifactor authentication, and making regular backups to off-site locations of sensitive records are all essentials.
  4. Proactive human intervention. Automated EDR software is a major factor in ransomware defenses, but it must be complemented with a deft human touch, too. An elite, human-led threat hunting response can recognize patterns, apply context to imminent threats, and attack recurring incidents at their root cause. It’s the offense needed to complement EDR’s defense.
  5. Rapid incident response. For health systems that do get hit by a ransomware attack, the ability to deploy lightning-fast incident response will be crucial. Sophos Rapid Response is a first-of-its-kind service designed to get healthcare organizations out of the danger zone – and to do it fast. With patient lives on the line, Sophos Rapid Response is a must-have offering that healthcare organizations need to identify and neutralize attacks and remove adversaries from their networks, minimizing damage and costs, and reducing recovery time.

Ransomware moves fast. Prevention is key, but attacks inevitably will happen and when they do, every second counts. Hospitals and health systems need to be fast and nimble in tackling the new normal of healthcare ransomware.

To learn more about the evolving attacker behaviors and tactics that are likely to shape the 2021 threat landscape, read the Sophos 2021 Threat Report here.


About Dan Schiappa

Dan Schiappa is chief product officer at next-generation cybersecurity leader Sophos. He’s a transformational and strategic leader who orchestrates the company’s technical strategy, playing an instrumental role in architecting technologies; overseeing product management and research and development; and ensuring product quality. With a passion for education and inspiring the next generation of cyber talent, Dan also serves as chair of the University of Central Florida’s Dean's Advisory Board, where he oversees various aspects of the school’s elite cybersecurity program.

As a worldwide leader in next-generation cybersecurity, Sophos protects more than 400,000 organizations of all sizes in more than 150 countries from today’s most advanced cyber threats. Powered by SophosLabs – a global threat intelligence and data science team – Sophos’ cloud-native and AI-powered solutions secure endpoints and networks against evolving cyberattack techniques, including ransomware, malware, exploits, data exfiltration, active-adversary breaches, phishing, and more. Sophos Central, a cloud-native management platform, integrates Sophos’ entire portfolio of next-generation products, including the Intercept X endpoint solution and the XG next-generation firewall, into a single “synchronized security” system accessible through a set of APIs.

This article was created in collaboration with the sponsoring company and our sales and marketing team. The editorial team does not contribute.