Analyst Chat

Analyst Chat #150: Clear and Present Danger - Ransomware Threats to Healthcare Providers

Only a week has passed since John Tolbert, our Cybersecurity Research Director, spoke at CSLS about ransomware and how to combat it. Today, he reports on specific threats posed by ransomware attacks to the healthcare industry, particularly in the US. But in the end, these are just examples of the threats against any user of IT.

Links to the mentioned ransomware attacks:

Helpful documents for cybersecurity in healthcare:

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is John Tolbert. He is the research director for cybersecurity here at KuppingerCole Analysts. Hi, John. Good to see you.

Hello, Matthias. Good to be back.

Great to have you. And actually, we've seen each other, although virtually just last week at the Cybersecurity Leadership Summit. And you as the cybersecurity research director, of course, this was a big event for you as well. And one of the topics that you covered in Berlin for this event, and this can be revisited on our website, was ransomware. And just in the meantime, this is just a week ago when we record this, you added some recent research around what's going on in reality. So not the analysts stuff, but the real life. So what have you found out? What is going on when we look at real threats by ransomware and by cyber criminals that want to get to ransom?

You know, it's interesting, yes. Just in the week since we were last talking about ransomware, there have been a couple of developments, particularly in the health care field and various places around the world. So I thought maybe we could talk about that and some guidance that's been released that would probably be very helpful for those who are in the industry.

Right. And when you say health care industry, so that is really hitting the vulnerable. So it's, of course, aiming at the organizations, at the corporations behind that. But in the end, it's hitting the vulnerable. The patients, the data of patients. What has happened in the meantime?

Well, we've been saying for a while, analysts of all types around the industry have been noting the increase in ransomware attacks, many specifically targeting health care companies and insurance companies. Ransomware has been kind of a scourge that all industries and government agencies around the world have been dealing with for years now. But, just to kind of recap what we did say last week around health care, even then, attacks against medical providers have been up 94% over last year. And there's been some changes in tactics, and I'll talk about that in a minute, too, especially some are now just breaking in, stealing data and then threatening to release that information unless they're paid a ransom. So they're not even bothering to encrypt in some cases the data and the ransom payments are up. And this has been very disruptive to all kinds of businesses beyond the medical field as well.

Okay. Is there any specific target group to be identified or is it across the board when it comes to health care? So clinics and doctors and business size, is there any specific target?

Well, I guess whoever is vulnerable at the time and gets hit with it, so, yeah, it has been targeting specificly providers, hospitals, all the different types of organizations within the health care field. We've seen, just in the last week or so, some updates about the Medibank story in Australia. That was a case where records were breached. There was another large provider across the US, they've seen patient health care records made unavailable, and it interrupts patient care. And another new one in Lake Charles here, another case of a data breach with ransom demands, but apparently no actual encryption. So there's some story links there for those who are interested in following up on those. But those are just cases that have only been going on that we know of for the last month or so. And there have been some developments that are worth following in the news there.

Right. So also the way of the attacks have changed a bit. So it's no longer just encrypting data and making the organizations unable to do their business. But it's really threatening the data subject, the patients, the PII and also really highly sensitive information.

Yeah. Anytime that the records are unavailable for doctors and health care professionals to be able to use, it stands a chance of interrupting patient care, which I'm sure is certainly not something anyone wants to have happen. There's a document that was just released that I think is really instructive. We put the link here, but I thought maybe we could talk for a minute about the TTPs that we're seeing used against these particular health care targets. These are the tactics, techniques and procedures. So this document from US CISA outlines in pretty good detail along with indicators of compromise to look for. This is what they're doing. They're using remote desktop protocol and VPNs, that have just single factor authentication. In a couple of cases, there are some known exploits where they're bypassing multi-factor authentication. Some of them are using email server compromises, again using exploits that are known and have been patched. Once they get in, they turn off your anti-malware, delete the volume shadow copy. That's the automatic “backup” that Windows does on Windows operating system for endpoints. And they'll either do that over the command line or using PowerShell to wipe all of that. They delete other backups and then they delete event logs to make it difficult to trace where the attack came from or what else may have been compromised. So these are pretty sophisticated attacks that you can see involve many, many steps, many phases across the whole minor attack chain.

Right, it ranges from, as you said, single factor authentication. So this is, of course, also leveraging the data that is out there when it comes to existing breaches, existing information about known usernames, known passwords that can be easily reduced. But as you said, it's also highly sophisticated when it comes to bypassing MFA, which is a more highly sophisticated attack vector, right?

Yeah, definitely. And again, most of these vulnerabilities have been addressed by the software vendors. So as we often say, patching is extremely important.

Right. So the reluctance to patch also really endangers business so this cannot be highlighted enough. You've mentioned the links and we will put them into the show notes so that they can be found on YouTube. They can be found on our website below this video. And we will put them into the show notes for the audio files just to make sure that the audience has good access to these documents as they are highly, highly recommended to use. But to continue, you want to also to talk about disaster recovery, especially in the healthcare industry. What are the signs that you're seeing in real life there?

You know, looking at cases that have come up in like the last 12 to 18 months, it looks like in many of those cases, it can take three or more months, four or five months to really recover from a significant data breach or ransomware attack. So, in that time, again, within the health care profession, if you've lost access to patient records, that is, a potentially life threatening situation. And again, the information that's contained in those records might invite fines from regulators. So, I mean, there are consequences here. Integrity in medical devices is a concern. Many medical IoT devices, can be engaged in IP networks and they themselves then can become targets and vectors of attacks. There's also some very recent guidance from FDA about securing medical devices. So we provide a link for that, too. And then like any other industry reputation damage from having such an attack, especially if a patient records are either unavailable or a leaked, can be pretty severe.

Absolutely. If you think of psychological problems that are documented in such healthcare records, or drug abuse or something like that, that can immediately harm. And even if somebody has recovered from that and is on their way to improve that. So this is really dangerous also for the individual that is in such a data breach and in leaked data as well.

Yeah. Yeah. Those cases have filled the news headlines in the last couple of weeks especially. So, yeah. As I mentioned, there are two documents that are brand new that I think would be very helpful for those who are in the health care field, who are trying to protect their networks, protect their cloud assets. This US CISA document provides a list of indicators of compromise, tells you which systems should be patched and then provides some really good guidance, too, on recovery, beyond just eliminating the immediate threat that is present in the environment. And then I also mentioned the FDA document about how to secure medical devices. I think those would be of interest to those in the field.

Absolutely. And thank you very much for really highlighting this, because this is this can really help immediate protection against obvious threats. Of course, you've mentioned the patching part. That is, of course, yeah, a must, but that is something that should really be done immediately. So we are in a stage where you cannot wait for testing a patch for months and months to make sure that it really works. Then the attackers might already be in there. And that is sometimes also just a matter of minutes when it's documented, if not well patched. Then of course the cybercriminals will try to leverage these, these exploits that are then well documented because they are out there and it's really important to also provide this guidance and to hint at that. Also, from our analyst perspective, this is operational stuff that needs to be done. But nevertheless, I think this is also kind of our duty to highlight that there is work to be done.

Yeah. I mean, the document is very good, but I'm sure everyone can keep in mind that those TTPs are constantly changing. So everyone needs to remain vigilant in trying to keep such things from happening. But it is very difficult to keep your eye on everything going on. But the document can help, especially with some of the more common ransomware families and ransomware operators that are out there now. But the TTP is changing with just doing a data breach and then taking the information. And that's a development that we've seen in the last few months that seems to be becoming more popular with cyber criminals. I guess we can’t call them ransomware operators if they're not delivering encryption ransomware. Yeah, these techniques will continue to change.

Absolutely. And you've mentioned health care industry for the U.S., especially, but this is a global phenomenon. We see it in Europe currently when it comes to supply chain organizations and within the automotive industry where we have just been hit. And also logistics, global logistics organizations are hit by ransomware attacks. And this is also making the news just right now. So this is not a theoretical threat. This is a real practical threat. And organizations need to react towards these threats. And the work that we are doing is endless. The work that you are doing as the research director, cybersecurity is really also trying to support organizations in being prepared and being one step ahead, if possible, or at least to detect these threats as they are happening.

Yeah, it's very complex to keep on top of all of the different potential entry routes and vectors that attackers might use. But it's certainly worth putting our best foot forward on that. There are many different components. We've talked last week about Endpoint Protection Detection and Response, Network Detection and Response, XDR, Privileged Access Management, Endpoint... There's a whole slew of different security tools that can be used as well as just maintaining your infrastructure endpoints and servers at the optimum patch levels. So there's quite a bit of work involved to try to be resilient.

Absolutely. And you've mentioned our research. So there's this research that's available at our website. So you've mentioned the documents and the topics that we cover. That is the groundwork that needs to be done to understand that you have the right tooling in place. And we will have the links in the show notes, as mentioned, when it comes to these documents, because they are highly valuable and add another level of documentation which are more current and are more focused on what is going on just right now. So these are valuable documents as well. And for those who are interested in learning more about what we talked about at CSLS, these videos are also available on our website. So there's a lot of information available, but don't watch too much videos, do the work. So really start actually patching the system, start reacting and start reading the documents, the guidelines as provided by CISA and the FDA, just as you, John, have mentioned. Any final thoughts you want to add when it comes to protecting all organizations, including health care against these malware operators, as you call them (and I like that term)?

It's just, it takes a lot of effort. I mean, I think we all know that and it's often said that as defenders, we have to get things right all the time and the attackers only have to find one weakness to get past it. So patching good endpoint security, removing unnecessary accounts and using multifactor authentication, all those things. Our job as security professionals is to make it as difficult as possible for an attacker to be successful. So the more effort, the better off we should be.

Absolutely. And one takeaway that I took away with me from CSLS, is that really finally, cybersecurity really has left the IT department. It's really, on the one hand, a business enabler when it comes to demonstrating security. But also it's important when it comes to being resilient towards the attacks that are just out there. If you don't do cybersecurity properly, it might happen that you are damaged out of business, that your reputation is harmed, and even that your customers, your patients, your citizens are harmed. So this is really something that organizations need to have a look on. It’s not a maybe, it's a must. And organizations have to look at that. And it's no longer these long haired people with these Linux boxes doing some cybersecurity and intrusion detection testing. It's really business. Thank you very much, John, for sharing these thoughts. And that was really interesting and really even an update after one week towards CSLS, while CSLS stuff of course always stays current because it's the groundwork. Thanks again for being my guest today. Thank you. Looking forward to talking to you and bye bye.

Video Links

Stay Connected

KuppingerCole on social media

Related Videos

Event Recording

Exploring the role of Endpoint Security in a Ransomware Resilience Plan

Ransomware attacks continue to increase in frequency and severity. Every organization needs a ransomware and malware resilience plan. Three major components of such plans should include deploying Endpoint Security solutions, keeping computing assets up to date on patches, and backing up…

Event Recording

Lessons Learned: Responding to Ransomware Attacks

The last year has seen almost two-thirds of mid-sized organizations worldwide experiencing an attack. Managing ransomware attacks requires significant patience, preparedness and foresight – Stefan shares his experience managing the ransomware attack on Marabu Inks, his key learnings…

Webinar Recording

Why Data Resilience Is Key to Digital Transformation

As companies pursue digital transformation to remain competitive, they become more dependent on IT services. This increases the potential business impact of mistakes, natural disasters, and cyber incidents. Business continuity planning, therefore, is a key element of digital transformation,…

Webinar Recording

Breaking the Ransomware Attack Chain

At some point, any business connected to the internet is likely to become a victim of a ransomware because they are relatively easy and inexpensive to carry out, but potentially yield large payouts for cybercriminals. The best way of tackling this threat is to know how to break the attack…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00