The following is a guest article by Sean Deuby, Director of Services at Semperis.
No business sector is safe from ransomware attacks these days. But one industry that has been increasingly under attack—and has life-or-death consequences—is healthcare, as recently uncovered in a new research report from the Ponemon Institute.
In the last year, cyberattacks on the healthcare industry have spiked during the pandemic, threatening disruptions to patient care and exposure of private data. Some recent examples of attacks on healthcare systems include the ransomware attack on Ireland’s health service operator, which crippled diagnostic services and disrupted COVID-19 testing, and Hive’s ransomware takedown of Memorial Health System, which affected hospitals, clinics, and healthcare sites across Ohio and West Virginia.
Why are healthcare organizations in the crosshairs of cybercriminals? Healthcare is a prime target for threat actors because there’s a potentially big payout. Hospitals are likely to pay the ransom because data breaches can trigger litigation and regulatory inquiries, and cause months of disruption while the organization conducts remediation activities. But the consequences of a cyberattack against a hospital go far beyond the fallout of a data leak. When a hospital comes to a standstill because of a cyberattack, lives are at stake. Patient care is disrupted while IT teams race to get healthcare services back online.
Cybercriminals are literally banking on the fact that healthcare organizations are under extreme pressure to get up and running again—so they’re likely to pay staggering sums in ransom. According to a recent Sophos report, 34% of healthcare companies end up paying the ransom after an attack—more than any other industry sector.
So why are healthcare organizations so vulnerable—and what can they do about it? First, they’re dealing with myriad data privacy regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), and the Payment Card Industry Data Security Standard (PCI DSS). A healthcare system’s Active Directory (AD) provides valuable insights into the status of user roles and privileges as well as any critical changes to the environment. AD can show whether an organization has implemented an architecture that supports the level of access controls specific regulations require, making AD a rich source of information for compliance auditors. However, AD’s ability to demonstrate who has access to what information is also what makes it one of the most common attack vectors for cybercriminals. Among various other tactics, in the attacks on Memorial Health System and the Irish Health Service, bad actors infiltrated systems to then deploy tools to map the AD environment and grant access to critical assets.
Second, in a high-stress hospital environment, employees come and go on a regular basis. IT teams in charge of onboarding and offboarding need to be extra vigilant about checking permission settings, creating new accounts, and deleting accounts.
Third, the rollout of cloud-based telehealth services—which started before the pandemic but certainly accelerated during it—has led to challenges with securing remote access to systems. As organizations embrace the cloud and authenticate to these third-party systems, their attack surface expands considerably as the vendor might have loose security policies. Any serious security vulnerabilities third-party cloud-based systems have can also be used to infiltrate a healthcare organization’s own network, putting patient data at risk.
Defending healthcare identity systems against cyberattacks
So what can be done about cyberattacks on healthcare organizations? The same solid Active Directory security hygiene tactics that work in other industries will work for healthcare, too.
1. Secure Active Directory. Critical infrastructure attacks often start with cybercriminals exploiting AD weaknesses to gain access to critical information systems. These vulnerabilities include indicators of exposure, such as configurations that have drifted over time, and indicators of compromise, such as evidence of malicious activity.
According to a recent survey of users of Purple Knight, a free AD security assessment tool, organizations of all sizes and across every industry are failing to address AD security gaps that can leave them vulnerable to cyberattacks. Healthcare companies reported an average score of 63% across five Active Directory security categories—a failing grade—behind every other industry except insurance. Healthcare companies also reported the highest number of critical indicators of exposure, reporting the lowest scores with account security. This low score is attributed to problems such as leveraging administrator accounts with old passwords and not requiring user accounts with passwords.
Gaining visibility into your organization’s AD environment to identify these vulnerabilities is the first step in preventing identity-related cyberattacks. Organizations that don’t have a way to screen for these problems can download the free Purple Knight tool at purple-knight.com.
2. Watch for malicious changes in AD. The tricky part about detecting attacks is that some AD changes fly under the radar of traditional logging tools. This oversight by traditional SIEM solutions paves the way for attackers to lurk in the environment for weeks or months before unleashing malware. During that time, attackers can gain higher privileges and access, allowing them to move laterally through a network to map the system and identify targets before launching an attack. Leveraging tools that can identify attacks that bypass agent-based or log-based detection and provide autonomous rollback of suspicious activity can help organizations spot malicious changes.
3. Have a rock-solid plan for a complete AD forest recovery. When cybercriminals are sending ransomware notes and the entire hospital staff is locked out of patient records, a fast, tested, and malware-free AD forest recovery plan can significantly minimize the impact of AD outages. In a widespread outage, organizations must recover their AD before they can recover their business. But, according to a poll by the SANS Institute, only one in five organizations have a tested plan in place for recovering AD after a cyberattack.
This oversight can have devastating consequences for healthcare organizations, as AD forest recovery is notoriously cumbersome and prone to failure. While Microsoft provides a lengthy technical guide that details the 28 steps to recover an AD forest, the process is mostly manual and prone to errors that require a restart. . The manual AD recovery process can take days, if not weeks, and might reintroduce malware that enables attackers to breach the systems again using the same tactics.
Regular testing is required to reduce the risk of errors and speed recovery when ransomware hits an organization. Furthermore, an automated forest recovery process cuts the time to fully recover AD to minutes—speeding resumption of normal operations and ensuring the systems is recovered to a known-secure state.
Given the increased attacks and the dire consequences of disrupted patient care, healthcare organizations must deal with the real possibility of a threat actor exploiting AD vulnerabilities to breach and ultimately cripple the entire IT environment. By closing existing AD security gaps, deploying effective threat detection solutions, and implementing a tested AD recovery plan, healthcare organizations can mitigate the risks of a potentially life-threatening cyberattack.
