Ransomware in Healthcare: Time for Vigilance
Experts Warn Organizations to Monitor the Latest Emerging Threats
As organizations combat BadRabbit, the latest global ransomware campaign, healthcare entities in the U.S. should monitor the situation and take preventive measures to avoid becoming the next potential victim of any emerging malware, experts advise.
The Department of Homeland Security's U.S. Computer Emergency Readiness Team issued a brief advisory Tuesday warning U.S. organizations of the BadRabbit ransomware campaign, which reportedly so far has impacted many organizations in the Ukraine, as well as Bulgaria, Turkey and Japan. US-CERT's advisory, however, did not indicate whether any U.S. organizations, including healthcare entities, were impacted.
Information sharing and analysis organizations serving the U.S. healthcare sector were closely monitoring the situation Wednesday. The National Health Information Sharing and Analysis Center, or NH-ISAC, had not seen indications of U.S. healthcare organizations impacted by the BadRabbit ransomware as of Wednesday afternoon, says Jim Routh, CISO of insurer Aetna and an NH-ISAC board member.
"The NH-ISAC Threat Intelligence Operating Committee is analyzing the malware and sharing results of the analysis in real time with [the committee's] members," he says.
Security intelligence reports from external sources identify the threat vector as Microsoft's Server Message Block, or SMB, protocol, which was the same threat vector as WannaCry, he notes. "It is apparent that the threat actor is the same as for NotPetya based on an analysis of the malware design and code - more than 60 percent overlap in code," Routh adds. The indicators of compromise have been shared with NH-ISAC members through multiple channels, he says.
Similarly, the Healthcare Information Trust Alliance, another healthcare sector information sharing and analysis organization, said Wednesday that participants in its Cyber Threat XChange program, which shares enhanced indicators of compromise information, had apparently not been impacted by the latest malware threat, "but we do know that this threat has started impacting the U.S.," says Elie Nasrallah, HITRUST director of cybersecurity strategy.
"The BadRabbit threat is a sophisticated form of ransomware that should be of great concern to all industries," Nasrallah says. "This new threat initially targeted Eastern European countries. However, it has made its way to the U.S. and can be leveraged by cybercriminals to target any organization."
Mac McMillan, CEO of security consultancy CynergisTek, says that although reports so far about BadRabbit suggest that this particular attack appears to be aimed primarily at Eastern Europe, the U.S. healthcare sector needs to stay vigilant. "As we saw with WannaCry and Petya, where these things are aimed is rarely where they are limited to," he says. "We are just too connected nowadays to presume an outbreak won't reach us."
In light of the BadRabbit and other emerging malware campaigns, healthcare entities need to continue to address "cyberhygiene and tighten up defenses by shoring up the integrity of systems," McMillan says. That includes implementing strong multifactor authentication, enhancing network monitoring and detection, remaining current on threat information and following guidance to review their environment for indications specific to the BadRabbit attack, he says.
New threats are constantly emerging, McMillan points out. "At the same time we're hearing of the next ransomware attack that appears to be closely related to NotPetya, we know there is a new internet of things botnet growing out there called IOTroop that could be worse than Mirai" (See Next IoT Botnet Had Improved on Mirai).
Keith Fricke, principal consultant at tw-Security, says the BadRabbit attacks are also a reminder for healthcare sector entities to patch systems with known software vulnerabilities and educate the workforce on phishing attacks.
"In this case, BadRabbit is prompting the download and update of Flash Player that is really the ransomware," he notes. BadRabbit reportedly "can spread from computer to computer in an organization's network. Healthcare IT folks may want to consider advising users to turn their computer off at the first sign of ransomware infection messages," he says.
Battling New Attacks
While BadRabbit is just the latest in a number of large-scale ransomware outbreaks or campaigns, the biggest ransomware attacks so far this year have involved WannaCry.
On May 12, WannaCry began infecting hospitals, as well as telecommunications and transportation companies, encrypting files on vulnerable computers that lacked the latest patches. But some U.S. healthcare entities are still finding themselves battling attacks involving WannaCry or variants.
For example, FirstHealth of the Carolinas, a Pinehurst, N.C.-based healthcare system that includes five hospitals, home health services, primary care clinics and an insurance plan, was a recent victim of "a new form of the WannaCry virus, prompting the organization to shut down its systems for several days this month," according to the organization's Oct. 20 statement.
FirstHealth says that its computer network "experienced a downtime event" that began on Oct. 17 due to a threat from "a malware virus."
The organization says its information systems team "immediately identified the threat" and implemented security protocols, including shutting down the information system network. "At that time, staff initiated standard downtime procedures." Out of an abundance of caution, FirstHealth remained on downtime for several days as its IS team validated that all systems and 4,000 devices in 100 locations "have been tested and cleared of any threat."
FirstHealth says as a result of its quick response, the malware did not impact patient information, operational information or databases. "Patient information has not been compromised. At this time, it appears that no damage has occurred to the network or devices."
The healthcare provider says it has implemented an anti-malware patch developed specifically for this new form of the WannaCry virus.
In another recent incident in the U.S. healthcare sector, a small Missouri clinic admitted paying a ransom to unlock data after a ransomware attack encrypted patient data on a file server, as well as backups.