
Report: Healthcare Organizations Must Use Layered Endpoint Security to Combat Ransomware “Blitzkrieg”

April 20, 2016
by Heather Landi
According to report authors, the ransomware used in the MedStar Healthcare attacks late last month, called Samsam ransomware, marks an evolution in ransomware as it was deployed without victim interaction or awareness.

Securing vulnerable endpoints in an organization’s network is the first step in the battle against ransomware and is one part of a layered defense, according to a new report from the Institute for Critical Infrastructure Technology.

In the new report, titled “Healthcare Organizations Need a Layered Defense to Combat the Ransomware ‘Blitzkrieg,’” report authors James Scott, ICIT senior fellow, and Drew Spaniel, ICIT visiting scholar from Carnegie Mellon University, assert that American cyber culture is still lacking in the basic cyber-hygiene and security-centric focus necessary to preclude the cyber incidents that result from human error.

Last month, ICIT released a report warning about the increasing threat of ransomware, stating that 2016 will be the year ransomware will “wreak havoc on America’s critical infrastructure community.” “To pay or not to pay,” will be the question fueling heated debate in boardrooms across the country, according to Scott and Spaniel in that earlier report.

The ransomware phenomenon is menacing more and more U.S. hospitals and patient care organizations, and in the first part of a two-part series, Healthcare Informatics editors recently spoke with industry experts who agreed that it's time for healthcare IT leaders to meet the ransomware crisis head-on. Part two of that series will post later this week.

In this new ICIT report, Scott and Spaniel state that endpoint security is “layer one” in a layered defense. The authors compare information security and the defense of an organization’s network to a house, in which every door and window is a potential pathway for information, such as noise and light, objects, such as dust particles and baseballs, as well as people.

"Similarly, in information security, any system or access point in which data are stored or through which information can enter and leave your network is known as an endpoint,” the report authors wrote. “You secure the endpoints of your home with locks, an alarm system, and perhaps a guard dog. Analogously, endpoint security is the practice of employing layers of hardware and software solutions to secure the vulnerable points in your network. As the solutions to secure your home are tailored to the entry point and the scale of the assumed threat, most endpoint security solutions are tailored to protect specific network devices and entry points against specific threats.”

In the report, which includes research contributed by a number of ICIT Fellows, Scott and Spaniel assert that any organization that stores, processes or transfers data is a valuable target to bad actors, and they describe the different kinds of cyber attackers. The authors liken teenagers vandalizing a home to the lesser end of the attacker spectrum of “script kiddies” and “hacktivists” who deface websites and interfaces. Or, attackers could commit other minor crimes to inundate the victim’s entryway with an unexpected influx of visitors. “In information security, this form of attack is known as a dedicated denial of service (DDoS),” Scott and Spaniel wrote.

Scott and Spaniel specifically delve into the rising tide of ransomware, with most variants spreading through malicious links in spear phishing emails or through drive-by-downloads. However, according to the authors, the ransomware used in the MedStar Healthcare attacks late last month, called Samsam ransomware, marks how ransomware is evolving as that malware was deployed without victim interaction or awareness.

“The attacks tend to occur in a rapid, Blitzkrieg fashion that is designed to disorient and scare the victim as much as overcome their defenses. Most ransomware attackers are script kiddies who tend to not execute reconnaissance or target specific victims. Ransomware attackers do not expend the time or resources sifting through your information and assets to uncover valuable data. They do not worry about entry into your network, about remaining undetected on the network, or about exfiltrating data from the network. Ransomware attackers just deny victims access to their information and systems unless a ransom is paid,” they wrote.

In the report, the authors argue that paying the ransom in a ransomware attack does not confirm that the data will be released. In fact, Scott and Spaniel attest that paying the ransom “encourages the specific attacker to continue utilizing the attack vector and it encourages new entrants of varying degrees of sophistication, to conduct attacks.” The profitability of ransomware has attracted sophisticated groups, such as the Dridex criminal organization, they state.

“Victims need to realize that they do not know to whom they are paying ransoms or what malicious purpose that contribution will facilitate. In the best of circumstances, a ransom only encourages a script kiddie to attack numerous other hosts. At worst, average citizens and organizations might be actively paying enemy nation states to compromise federal agencies and critical infrastructure systems,” the authors stated.

The report authors also stress the importance of making regular backups of data and storing those backups in a secure and digitally isolated location. While it might be difficult to regularly back up every device on a network without negatively impacting network performance, “every device in the network must be protected from ransomware according to the value of the system and its data because every system in those networks is vulnerable to at least one exploit,” the authors stated.

The report also addresses defense strategies for ransomware threats. In the physical world, when people recognize threats, such as a security threat to their homes, they take precautions and set contingency plans. By comparison, according to the authors, “American cyber culture is still lacking in the basic cyber-hygiene and security-centric focus necessary to preclude the cyber incidents that result from human error,” and “information about emerging threats or compromised networks is neither shared adequately nor equivocally to efficiently benefit the community at large.”

Organizations that employ layered endpoint security solutions and that teach proper cyber hygiene to their employees are finding themselves better defended, Scott and Spaniel assert, especially when compared to their competitors “who refuse to invest in cybersecurity based on antiquated excuses like budget constraints or lack of an ROI.”

“These early adopters actively fortify their home network. These networks, properly fortified with layered defense in depth solutions around their endpoints and reinforced with a cyber-hygienic culture, are invulnerable to all but the most sophisticated and targeted attacks,” the authors wrote.

However, the authors do point out that there is no silver bullet solution. Instead, a well-defended network often depends on a first line of defense, layered endpoint security solutions, and internal security solutions to slow the advance of a cyber attack long enough that either the threat can be reduced or the impact can be mitigated.

Vulnerable endpoints in organizations include servers, personal computers, mobile devices, specialized hardware, cloud services, IoT devices and even users, although historically users have not been considered “endpoints.”

The report also describes endpoint security and gives recommendations for selecting endpoint security solutions.

“The malicious element within the hacker community is collectively migrating toward the ideology of ransomware as an apparatus for distraction, while stealthily exfiltrating and manipulating data that can be monetized for colossal profits on dark web forums,” the authors state. “There will always be new ransomware and malware variants delivered along new and creative attack vectors that exploit recently discovered vulnerabilities in applications, devices and industry niche technologies.”

“The only defense is a layered defense, of which endpoint security is an essential layer and can offer a potent ingredient for nextgen cyber fortification,” Scott and Spaniel wrote.
