Latest Ransomware Trends: Lessons to LearnLearning From Difficult Recoveries and Advice in Government Alerts
As ransomware attacks on the healthcare sector continue to surge, entities should heed the lessons emerging from these incidents as well as the advice provided in alerts from government agencies, security experts say.
Among the organizations that have recently reported health data breaches involving ransomware is North Carolina-based Alamance Skin Center.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website shows that, on Nov. 4, the practice reported a breach that affected 100,000 individuals.
The HHS Office for Civil Rights website, commonly called the "wall of shame," lists health data breaches affecting 500 or more individuals.
In a notification statement posted on Alamance Skin Center's website, the practice says that its investigation into a July ransomware attack determined that, while patient information was not compromised, "on October 21, 2020, we confirmed that certain patient data is unrecoverable."
Alamance says that data includes patient names, medical record numbers, dates of birth, diagnosis information, addresses and dates of service.
Alamance says it reported the incident to law enforcement officials and "will be reviewing policies and procedures and implementing additional safeguards to prevent unauthorized activity."
The practice did not immediately respond to Information Security Media Group's request for additional details about its situation.
Other healthcare organizations have also reported being unable to recover patient data after a security incident.
For instance, in February, Houston-based Fondren Orthopedic Group reported a malware incident that "damaged" some of the medical records in the practice's information systems (see: Malware Attack 'Damages' Patient Records).
In a few other cases, healthcare providers chose to shut down as a result of attacks that left patient records inaccessible (see: Latest US Healthcare Ransomware Attacks Have Harsh Impact).
Clearly, there are no guarantees that all data will be recoverable after a ransomware attack, says Keith Fricke, principal consultant at tw-Security.
"Confidence is usually high that backed-up data can be fully restored as long as ransomware-encrypted files have not become part of the backup, attackers haven't sabotaged backups and IT regularly monitors backups for successes and failures, correcting issues as necessary," he notes.
In some cases in which entities paid hackers for ransomware decryption keys, however, "some encrypted files were not recoverable due to becoming corrupted," he adds.
Meanwhile, in an updated alert issued last week, the HHS Office of the Assistant Secretary for Preparedness and Response warned that the FBI and Department of Homeland Security consider the threat of ransomware cybercriminals targeting the healthcare and public health sectors "to be credible, ongoing and persistent."
The alert warns: "Of note, some recent healthcare sector victims have experienced very short periods of time between initial compromise and activation - even under a few hours. CISA, FBI, and HHS urge health delivery organizations ... to work toward enduring and operationally sustainable protections against ransomware threats."
The alert points out that maintaining anti-ransomware best practices, including implementing backup systems and conducting regular vulnerability scanning, "will help protect your organization against future threats from other ransomware operators."
Criminals often spend weeks or even months leveraging unauthorized access to internal networks to perform reconnaissance, Fricke notes.
"Learning the lay of the land helps the attackers maximize ransomware deployment," he says. "The shorter time between unauthorized access and launching attacks may be because more organizations have improved monitoring and detection capabilities. Consequently, criminals have less time to act before being discovered and shut down."
Ron Pelletier, founder of security consultancy Pondurance, says there's an "ever-increasing level of competition among bad actors. If I find an exploitable weakness in a target environment, it means that another bad actor can also exploit it, and if I don't act soon, the other actor may beat me to the punch."
To prepare for mitigating the impact of ransomware attacks, Fricke suggests organizations consider increasing the frequency of incremental backups and outsourcing monitoring of networks and systems. "Criminals may shift attack windows to nighttime when staff are not actively monitoring," he notes.
"Dynamic security is the key," Pelletier says. "If I'm solely relying on tech, then it's likely that, if the tech doesn't detect [the attack] or prevent it immediately, then it may at least be some time before new signatures or other indicators are added to identify the event as an incident. The most effective managed detection and response organizations balance technology with human intervention to more rapidly identify indicators of attack."
The longer a bad actor resides in an environment waiting to strike, the more likely the intruder will be detected and cut off, Pelletier says. "With the advent of managed detection and response, and more dynamic security, it's likely that my window of opportunity is greatly reduced, forcing me to act more promptly rather than bide my time."
Fricke of tw-Security notes: "As long as criminals are making money from ransomware attacks, the attacks will continue and the sophistication will evolve, too."