In a story published by the New York Times about attempted ransomware attacks on two hospitals in the Czech Republic amid the pandemic, Andrej Babis – the country’s prime minister – wondered, “I don’t understand why anyone would do something so dirty right now.”
Another incident, this time with more serious consequences, led a public health entity in Illinois in the United States to make the difficult decision of paying $350,000 to the criminals by triggering its cyber incident insurance, as the recovery of the environment would have taken months without the ransom payment.
Being surprised by some people’s attitudes in this crisis is understandable. However, while it’s easy to recognize the greed behind many of the recent cyberattacks against healthcare companies (which answers Mr Babis’s question at least in part), it’s more productive to focus on the lessons learned from each incident.
Thus, we briefly point out in this article some important forms of prevention for hospitals, laboratories, and other healthcare entities to reduce the risks of cyberattacks during a crisis.
Criminals are using the branding of healthcare institutions in a variety of attacks against the population ranging from installing fake apps that steal people’s data to armed robbery in which the victim was waiting for a supposed home collection service of material for COVID-19 testing.
The problem of misinformation has proven to be as relevant as the disease itself. That is why it’s important that health entities communicate with the population, making it clear what activities they do not conduct and what information they do not request. This needs to happen through social networks and also in an easily accessible and prominent message on the institution’s website.
Haste, work overload, loss of colleagues, apprehension about family, and fear of getting infected have made healthcare professionals an easy prey to cybercrime. This is because when we are inattentive, which is typical of those under great pressure, we are more likely to fall for scams by clicking on links or opening malicious attachments or even being tricked over the phone. Most attacks with the potential to bring an entire hospital to a halt start exactly this way.
It is essential that the cybersecurity managers of healthcare entities reinforce awareness. However, considering the timing, we cannot expect these people to take the time to read an email or stop their activities to watch a lecture or video about the risks of these scams. Let’s go back to basics and make posters (printed right on the office printer) with quick content that doesn’t terrify people – these people have enough to worry about – but offers friendly advice on cybersecurity.
There is no point in fixing the posters in hallways where people are always rushing past. This material needs to be where teams are in the habit of stopping: for example, at the drinking fountain, where medicines are collected, in the doctor’s office, in the garage, next to the time clock, in the area where protective gear is put on, and so on. Provided, of course, that health regulations and laws allow it.
Making backups of all relevant computers and making sure that they will work when needed is the most important thing in dealing with ransomware attacks. It’s possible that threats like these are programmed to lie dormant for a certain period of time until the attack is triggered, which would contaminate even the backups.
However, the chance of saving your servers by having done your homework and maintaining a quality backup is also great. Thus, it’s worth reviewing the process, prioritizing the copying of important computers over others, and checking whether it’s possible to restore the data in case of problems.
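The two checks the paragraphs above recommend, keeping several dated backup generations (so a copy taken before a dormant threat activated still exists) and proving that a backup actually restores intact before it is needed, can be scripted. The following is an added example, not code from the original article; the directory layout, manifest name, file names and sample data are all constructed for the demonstration.

```python
"""Backup generations with a hash manifest, plus restore verification.

Added example (not from the original article). Paths, file names and
sample data are constructed; the manifest format is an assumption.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name for the per-generation manifest


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large database files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_root: Path, label: str = "") -> Path:
    """Copy `source` into a new dated generation directory and record every file's hash."""
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_root / label
    shutil.copytree(source, dest / "data")
    manifest = {
        p.relative_to(source).as_posix(): sha256_of(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return dest


def verify_against_manifest(backup_dir: Path, tree: Path) -> dict:
    """Compare a directory tree with the manifest of a backup generation."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        candidate = tree / rel
        if not candidate.is_file():
            report["missing"].append(rel)
        elif sha256_of(candidate) != expected:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore_and_verify(backup_dir: Path, restore_to: Path) -> dict:
    """Do a test restore into `restore_to` and confirm every file matches the manifest."""
    shutil.copytree(backup_dir / "data", restore_to, dirs_exist_ok=True)
    return verify_against_manifest(backup_dir, restore_to)


def prune_generations(backup_root: Path, keep: int) -> list:
    """Delete the oldest generations, keeping the newest `keep` (labels sort by date)."""
    gens = sorted(p for p in backup_root.iterdir() if p.is_dir())
    removed = []
    for old in (gens[:-keep] if keep else gens):
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def demo() -> dict:
    """Constructed scenario: back up a small tree, then verify a clean and a damaged restore."""
    work = Path(tempfile.mkdtemp())
    src = work / "pacs-server"
    (src / "db").mkdir(parents=True)
    (src / "db" / "patients.sqlite").write_bytes(b"constructed sample database")
    (src / "config.ini").write_text("[server]\nport=8080\n")
    root = work / "backups"
    root.mkdir()
    for label in ("20200330T020000Z", "20200331T020000Z", "20200401T020000Z"):
        gen = create_backup(src, root, label=label)
    clean = restore_and_verify(gen, work / "restore-clean")
    # Simulate a damaged restore (one file altered, one lost) and check it is detected.
    damaged_dir = work / "restore-damaged"
    shutil.copytree(gen / "data", damaged_dir)
    (damaged_dir / "config.ini").write_text("contents replaced")
    (damaged_dir / "db" / "patients.sqlite").unlink()
    damaged = verify_against_manifest(gen, damaged_dir)
    pruned = prune_generations(root, keep=2)
    remaining = sorted(p.name for p in root.iterdir())
    shutil.rmtree(work)
    return {"clean": clean, "damaged": damaged, "pruned": pruned, "remaining": remaining}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is written alongside each generation, so a test restore can be scored without access to the original server; run `restore_and_verify` on a schedule against the newest generation and treat any `missing` or `corrupt` entry as an incident in its own right.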
It’s very common, especially in large companies, for the configuration of workstations to be standardized. In other words, all software in use and its settings are the same for every user.
Usually the support areas put together a compilation of all this in a file, USB stick or CD so that it can be installed quickly, for example when buying several machines or activating a computer for a new employee; this is popularly called an “image” of the computer. But one thing we often notice is that these images are outdated when we need them the most, for example in a ransomware attack where a massive reinstallation is required. This ends up requiring more manual parameterization and increasing the recovery time of the environment.
This is why it’s necessary to review the status of the image that your support area has. If this does not exist in your company, then it’s essential to create one. Additionally, these images need to be stored in an off-network repository, so they will be available in the event of an attack that stops the entire environment.
Security Update Management
Many attacks exploit vulnerabilities that can be fixed simply by installing an update from the vendor. However, not all companies keep their systems up to date.
Having a process in place to ensure that updates are evaluated, tested, and then installed on all computers is essential for companies of any size. So reassess the status of this activity in your environment and keep all eligible technologies at their latest software version.
One of the biggest lessons from the WannaCry incident in 2017 was the need for additional attention to embedded systems in medical equipment. Some of them are designed in a way that makes it difficult to update software, for example by relying on older versions of Windows to function. This was one of the main reasons why the British healthcare system was so heavily affected on that occasion.
Upgrading systems like these can require more planning, more approval time, and the involvement of the equipment manufacturer in the process. In other words, it is not something that is done overnight. So it’s important that they are on segregated networks, ideally without any connectivity to other networks in the institution and under strict access control. This way, possible attacks that propagate through the corporate network will not reach these machines. This is why it’s so important to check the level of segregation between networks and correct deviations.
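The update-management paragraphs above and the segregation advice in this one amount to two reviews over the same asset inventory: which assets are behind the vendor’s current version (and which of those are embedded medical equipment that can only be patched with the manufacturer), and whether every asset that cannot be patched promptly sits in a dedicated subnet that the corporate network cannot reach. The following is an added example, not code from the original article; the inventory, subnets, hostnames, firewall rules and the “management host” exception are all constructed for the demonstration.

```python
"""Patch-status and network-segregation review over an asset inventory.

Added example (not from the original article). The inventory, subnets,
hostnames and firewall rules below are constructed sample data; the
idea that only a designated biomedical management host may reach the
medical-device subnet is an assumption for the demo.
"""
import ipaddress

# Constructed: the isolated subnet(s) where embedded medical equipment is supposed to live.
MEDICAL_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]
# Constructed: the one corporate host allowed to reach that subnet for maintenance.
MANAGEMENT_HOSTS = [ipaddress.ip_network("10.10.9.5/32")]

# Constructed inventory. "kind" separates ordinary IT from embedded medical equipment.
INVENTORY = [
    {"host": "ws-reception-01", "kind": "workstation", "product": "Windows 10",
     "installed": "1909", "current": "2004", "ip": "10.10.1.21"},
    {"host": "srv-his-db", "kind": "server", "product": "PostgreSQL",
     "installed": "12.2", "current": "12.2", "ip": "10.10.2.5"},
    {"host": "ct-scanner-2", "kind": "medical-embedded", "product": "vendor image",
     "installed": "3.4", "current": "3.5", "ip": "10.50.0.12"},
    {"host": "infusion-pump-gw", "kind": "medical-embedded", "product": "vendor image",
     "installed": "2.0", "current": "2.0", "ip": "10.10.1.77"},  # on the corporate LAN
]

# Constructed firewall rules (first match wins). Rule 20 is the deviation to catch.
FIREWALL_RULES = [
    {"id": 10, "src": "10.10.9.5/32", "dst": "10.50.0.0/24", "action": "allow"},
    {"id": 20, "src": "10.10.0.0/16", "dst": "10.50.0.0/24", "action": "allow"},
    {"id": 30, "src": "0.0.0.0/0", "dst": "10.50.0.0/24", "action": "deny"},
]


def version_tuple(v: str) -> tuple:
    """Compare dotted numeric versions component by component ("12.2" < "12.10")."""
    return tuple(int(x) for x in v.split("."))


def review_inventory(inventory=INVENTORY, medical_subnets=MEDICAL_SUBNETS) -> list:
    """Flag outdated assets and embedded devices that are outside the medical subnet."""
    findings = []
    for asset in inventory:
        if version_tuple(asset["installed"]) < version_tuple(asset["current"]):
            # Embedded equipment needs the manufacturer in the loop; IT assets go through
            # the normal evaluate/test/install cycle.
            action = "vendor-coordinated" if asset["kind"] == "medical-embedded" else "patch-now"
            findings.append((asset["host"], "outdated", action))
        if asset["kind"] == "medical-embedded":
            ip = ipaddress.ip_address(asset["ip"])
            if not any(ip in net for net in medical_subnets):
                findings.append((asset["host"], "not-segregated", "move-to-medical-subnet"))
    return findings


def review_firewall(rules=FIREWALL_RULES, medical_subnets=MEDICAL_SUBNETS,
                    management_hosts=MANAGEMENT_HOSTS) -> list:
    """Return ids of allow rules that let non-medical, non-management sources reach the
    medical subnet, i.e. paths a worm on the corporate network could use."""
    deviations = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        reaches_medical = any(dst.overlaps(net) for net in medical_subnets)
        from_medical = any(src.subnet_of(net) for net in medical_subnets)
        approved = any(src.subnet_of(m) for m in management_hosts)
        if reaches_medical and not from_medical and not approved:
            deviations.append(rule["id"])
    return deviations


if __name__ == "__main__":
    for finding in review_inventory():
        print("inventory:", *finding)
    print("firewall rules to correct:", review_firewall())
```

In the constructed data the reception workstation is simply behind on updates, the CT scanner is behind but correctly isolated (so the finding is routed to the vendor-coordinated track), and the infusion-pump gateway is fully patched yet sits on the corporate LAN; the firewall review separately catches the broad allow rule that would make the isolation meaningless even if the gateway were moved.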
Quick Approval Procedures
The organization you work for is probably conducting a procurement process for medical equipment or systems on short notice in order to cope with the increased demand.
Skipping a few steps in the approval process for this material during a crisis is understandable. However, it’s important to establish a minimum set of cybersecurity criteria for the technology being purchased. Topics such as two-factor authentication, group-based access control, encryption of critical data, and the ability to install security updates to the operating system are essential.
One of the main consequences of the new coronavirus crisis is the set of problems that the disease and its economic impact can cause in your supplier network. Companies with less capacity to weather the moment are laying off staff or going bankrupt, and this can bring serious problems for the data your organization shares with them.
So the time is right to reassess which data is exchanged with each company and, from a risk management perspective, to evaluate the possibility of serious incidents occurring because of disruption in services due to bankruptcy, illness, or mass layoffs. The risk of damage or data leaks by disgruntled former employees of these companies also needs to be considered.
Finally, beyond the typical “business networking” it is recommended to activate cooperation networks. Participating in groups where people know what it’s like to deal with cybersecurity in healthcare companies can save your skin in specific situations: clearing up a doubt at a critical moment, recommending a product, company, or professional that you need, or at least offering solidarity when faced with problems common to your routine.
Other articles in this series
Cybersecurity in home office in times of coronavirus: a question of coresponsibility – tips for protecting company data in your home environment
The minimum of cybersecurity you need to keep in mind when setting up an infrastructure in a hurry – what topics to prioritize and some free resources and information sources
The strategies behind the attacks with the new coronavirus theme – old scams in new packaging
The challenges on the path of those who need to manage cybersecurity in the midst of crisis – some trends on threats and topics to be considered
Placing Zoom’s security in perspective – an analysis of the latest incidents involving the product’s security