Ransomware in the Healthcare Sector | Enea Romania





For everyone, from small businesses to large corporations and even the public sector, cybersecurity is, as we all know, a massive challenge.

Enea’s Cybersecurity Specialist, Andreea Drugă, walked us through a subject that is especially sensitive nowadays:

What is ransomware, and how does it attack healthcare providers and related industries?

Ransomware is a type of malicious cyberattack that has grown significantly in frequency in the past few years. It is a very impactful type of malware that can be delivered through attacks such as phishing or drive-by downloads.

In a phishing attack, for example, the e-mail attachment is crafted to look as normal as possible, so as to delay the victim from noticing the encryption happening in the background. During this time, the ransomware searches for and encrypts sensitive files on the user’s computer and any connected devices. Once the malware has completed the encryption, it displays instructions for how the victim can pay the ransom in order to obtain the decryption key. Payment is usually requested in bitcoin, as it provides the ransomware creator with an untraceable mechanism of instant payment.
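The background encryption described above leaves a measurable trace: documents that used to be text or ZIP-based office files turn into near-random bytes. The following added example (not from the original article or from Enea) is one heuristic for spotting that on a file share; the 7.5 bits-per-byte threshold, the 50% alert ratio and the sample file names are assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Headers of formats that are legitimately high-entropy (compressed).
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff")
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per environment


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 65536) -> bool:
    """True when content is near-random and carries no compressed-format header."""
    with path.open("rb") as fh:
        sample = fh.read(sample_size)
    if sample.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(sample) >= ENTROPY_THRESHOLD


def scan(directory: Path, alert_ratio: float = 0.5) -> dict:
    """Alert when at least alert_ratio of the files in a share look encrypted."""
    files = sorted(p for p in directory.rglob("*") if p.is_file())
    flagged = [p.name for p in files if looks_encrypted(p)]
    ratio = len(flagged) / len(files) if files else 0.0
    return {"flagged": flagged, "ratio": ratio, "alert": ratio >= alert_ratio}


def demo_scan() -> dict:
    """Constructed share: two text records plus two office files whose content
    was replaced by random bytes (zero first byte avoids a chance magic match)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a_notes.txt").write_text("patient follow-up scheduled\n" * 200)
        (root / "b_roster.csv").write_text("id,ward,shift\n1,A,night\n" * 200)
        (root / "c_scan.docx").write_bytes(b"\x00" + os.urandom(8191))
        (root / "d_labs.xlsx").write_bytes(b"\x00" + os.urandom(8191))
        return scan(root)


if __name__ == "__main__":
    print(demo_scan())
```

A genuine `.docx` or `.xlsx` starts with the ZIP header `PK`, so an office file that is high-entropy without that header is a stronger signal than entropy alone.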

Due to the proliferation of ransomware-as-a-service (RaaS), novice attackers can also use this form of attack. Ransomware-as-a-service has been created so that skilled cyber-attackers could further enlarge their operations by providing their code and expertise to novice hackers online for a fee or a cut of any ransom obtained.

Ransomware became a malware epidemic with the rise of WannaCry in May 2017. This particular ransomware leveraged the EternalBlue vulnerability, following a data leak by the Shadow Brokers group, which allowed it to propagate itself automatically to vulnerable machines across the Internet. The attack exploits a security vulnerability in the Server Message Block (SMB) protocol in Microsoft Windows, which can allow remote code execution upon successful exploitation. WannaCry has been identified as the biggest cyberattack the world has ever seen. On the first day alone, the ransomware took more than 200,000 computers in 150 countries hostage.

The healthcare environment is an especially attractive target for cybercriminals because of the valuable personal healthcare information (PHI) it holds. Nowadays, PHI data can be more valuable on the black market than personal information from financial institutions, for example. In a healthcare ransomware attack, the attackers usually hold this data hostage in the hope of receiving payment, or sell the information to third parties.

What are the costs of ransomware?

Healthcare is an especially significant target for any attackers. Due to its sensitive nature, the industry has often paid ransom to retrieve vital customer data quickly.

According to a report from Comparitech, more than 1,500 healthcare organizations have been hit with successful ransomware attacks since 2016, costing the sector over $157 million. The downtime caused varies from hours to months. Ransomware attacks on hospitals can be potentially life-threatening, as some hospitals are forced to shut down operations. While most industries can rely on a backup that is a few days old to resume their activity, the constantly changing nature of healthcare systems requires immediate availability of real-time data, and there is always the risk that very old backups can put patients at risk.

Stolen patient health information is being sold on the dark web and can be used for various kinds of fraud and extortion.

In the later part of 2019, ransomware affected the services of hundreds of dental and nursing facilities, while a number of hospitals, health systems, and other covered entities reported business disruptions from these targeted attacks. One notorious ransomware family targeting the healthcare sector is SamSam. It is responsible for most ransomware attacks targeting the healthcare sector since late 2015, and it alone extracted more than US$5.9 million from its victims.

What can be done about ransomware prevention and mitigation?

1. Patch your software

Outdated software provides the easiest entry point for cybercriminals. Ensure that every piece of software has been properly configured and that no running version has known security vulnerabilities. Implement a patch management process for your systems wherever possible. Note that specialized equipment used by healthcare systems sometimes can’t be patched. Reach out to your vendor and discuss this matter with them. It only takes a single out-of-date system to become the launching point for an attack against an organization’s entire network.

2. Backups, backups, backups

We cannot emphasize enough the importance of performing regular backups. They not only help you get your data back after a ransomware attack, but also protect you in case of technical failures, natural disasters and other risks that might affect information systems. The more often you perform backups, the better, considering the sensitive nature of healthcare systems. Remember to keep them stored in a safe place and ensure that only authorized personnel can access them.

3. Antivirus and email scanning

Email is one of the main entry points into any organization. Hence, it is crucial for an organization to use scanning and filtering tools on its email platforms. Installing and maintaining anti-virus software is an important step that an organization can take to prevent a devastating malware attack. A centralized anti-virus monitoring solution can detect and report computers that fall out of compliance, can directly report any suspicion of an infection, and allows authorized personnel to investigate further and even prevent a potential attack.

4. Implement an incident response plan

Every organization should have a cybersecurity incident response plan. Implement procedures for identifying security incidents, containing the damage, eradicating the effects of the incident, and recovering normal operations. Once these efforts have been completed, a post-incident phase should follow in order to create a written report and hold a lessons-learned session, alongside the next steps to be taken to avoid similar security incidents in the future.

5. Perform regular security assessments

One crucial step in preventing any type of attack, ransomware included, is knowing your environment. Service enumeration and asset discovery are critical here. Assess risk on a regular basis by performing various security assessments, such as a penetration test engagement. Remember that cybersecurity is not a one-time project: threats evolve, and business practices change. Healthcare providers should schedule annual risk assessments designed to identify new vulnerabilities and implement measures to address them. These assessments can be conducted in-house if the IT personnel have expertise in security. Consulting firms that offer various cybersecurity services, such as vulnerability scanning, penetration testing or red team engagements, may also be contracted in order to fully assess the security posture of your organization.
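For the backup advice in item 2, the following added example (not from the original article or from Enea) audits one backup file for three things: age against a recovery point objective, integrity against a hash recorded at backup time, and access permissions. The 24-hour objective, the JSON manifest format and the file names are assumptions.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

MAX_AGE_HOURS = 24  # assumed recovery point objective; set per system


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_backup(backup: Path, manifest: Path, now=None) -> list:
    """Return findings for one backup; an empty list means it passed."""
    findings = []
    info = backup.stat()
    age_hours = ((now or time.time()) - info.st_mtime) / 3600
    if age_hours > MAX_AGE_HOURS:
        findings.append("stale")
    # The manifest is written at backup time and should live on separate storage.
    if sha256_file(backup) != json.loads(manifest.read_text())["sha256"]:
        findings.append("hash-mismatch")
    if info.st_mode & 0o077:  # any group or other permission bit is set
        findings.append("too-open")
    return findings


def demo_audit():
    """Constructed sample: a healthy backup, then the same file altered,
    made world-readable and aged by three days."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "ehr-backup.tar")  # hypothetical file name
        manifest = Path(tmp, "ehr-backup.manifest.json")
        backup.write_bytes(b"constructed backup payload\n" * 1000)
        os.chmod(backup, 0o600)
        manifest.write_text(json.dumps({"sha256": sha256_file(backup)}))
        healthy = audit_backup(backup, manifest)

        with backup.open("ab") as fh:  # simulate corruption or tampering
            fh.write(b"x")
        os.chmod(backup, 0o644)
        old = time.time() - 72 * 3600
        os.utime(backup, (old, old))
        return healthy, audit_backup(backup, manifest)
```

A passing audit does not replace a periodic test restore, which is the only proof that the data can actually be recovered.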
