It's no secret that organizations across the world in nearly all verticals have been reeling from the destructive effects of ransomware over the past several years. News outlets have been flooded with tales of lost productivity, revenue, and exorbitant sums paid. And from our experience, a substantial majority of these cases are never publicized.
In healthcare, ransomware is particularly effective. By directly compromising patient care and safety, attackers are able leverage provider urgency into payment. Many healthcare providers are unprepared to mitigate or remediate these attacks. Complicating the issue further, HIPAA considers ransomware attacks impacting ePHI to be a breach unless one can demonstrate the lower probability that PHI has been compromised based upon the factors in the Breach Notification rule – a difficult task for sure.
While it's impossible to fully protect oneself, we wanted to take a few minutes and detail some preventative controls that can minimize exposure to the disastrous effects of ransomware. Keep in mind that every organization varies in complexity, environment and risk tolerance so make sure to conduct a thorough risk analysis and asset inventory prior to implementing any preventative controls or processes.
It's hard to believe this is still a factor but some of the costliest incidents in recent history stem solely from a lack of a regular, scheduled patching program. We recommend patching operating systems and software as soon as feasible. Many IT professionals are wary of patching due to unintended consequences, but this concern can be mitigated through the proper use of testing machine/user groups and appropriate reviews.
Antivirus is necessary but not sufficient. AV vendors are often caught flat-footed when new variants emerge and have to scramble to catch up. The new AV platforms, denoted as "next-gen", can close the gap, however. These products are driven by heuristics rather than definitions. In the context of ransomware, this can be extremely effective as it watches behaviors rather than specific "fingerprints" to trigger a remediation action. Software such as SentinelOne hardens the volume shadow copies on Microsoft Windows, allowing for a one-click remediation of ransomware infections even if the malware was effective in encrypting a few files before it was successfully mitigated. We recommend choosing a competent vendor that offers a comprehensive management console, ensuring effective administration of the software across your organization and quick mitigation of any infection or technical issue.
Perhaps the most effective control is user training. Unfortunately, it's also the most variable and unreliable. Even the best controls can be overcome with by the actions of an ignorant or inattentive employee. Regular, interactive user training can be effective if supported by leadership and not simply discarded as a mandatory HR requirement. Specifically, training involving email phishing and online scams are most effective.
The domain name system (DNS) is essentially the phone book of the internet. Utilizing a filtering solution can be extraordinarily effective in blocking undesired or dangerous content. Seasoned IT Pros may remember manually editing host files to block domains manually by redirecting requests to 127.0.0.1 or 0.0.0.0. This method still exists - a quick search will show updated block lists available that redirect all sorts of sordid content. I still use it on all of my personal machines.
Automated solutions like OpenDNS (now known as Cisco Umbrella) bring in threat intelligence to respond in real-time and report in a centralized dashboard for easy monitoring, whitelisting and discovery. A good free option that offers some of these features is Quad9. Simply by changing your external DNS to 22.214.171.124 and 126.96.36.199, you'll gain access to their real-time intelligence and gain some security, albeit with the loss of reporting and customization.
The difference between a serious inconvenience and a disaster is the strength and reliability of your backup solutions. In addition to the exorbitant sums extorted out of ransomware victims, the restore process is often slow and error prone. A quick restore from trusted and validated backups greatly improves the outcome.
Backups can pose some interesting problems. The backups need to be isolated and immutable in order to prevent infection. Many companies experience a ransomware attack only to find their backups encrypted as well. Technologies such as Amazon Web Services’ Glacier vault feature provide low cost, immutable storage that is highly secure, redundant, and available. Certainly, other options are available at a lower cost, however, we caution against any strategy that is not automated, encrypted, and regularly tested.
One of the most effective methods in securing a corporate network is to utilize application whitelists, allowing only vetted and approved applications to run. This control requires a heightened organizational, process, and cultural maturity for effective implementation. Built-in tools such as Group Policy and System Center Configuration Manager are great options.
From a purely technical perspective, white listing is quite possibly the most effective control in preventing ransomware. The implications of such a strategy, however, should be thoroughly explored and mitigated prior to implementation.
Email presents the single most effective attack vector into most organizations. A robust and effective mitigation strategy is required to prevent ransomware infection. Tools such as Office 365 Advanced Threat Protection and Mimecast provide comprehensive protection including real-time scanning, attachment sandbox detonation, and link rewrites. We recommend a solution featuring a comprehensive dashboard including real-time analytics and remote administration.
Running administrator accounts for local day-to-day access is a time-honored IT tradition. Unfortunately, it also results in much of the headaches and expense that plague organizations. Consider taking the necessary steps to limit administrator access to follow the principle of least privilege as it fits into your organization.
File shares have long been the bane of the average security engineer. They're prone to data hoarding, over-permissioning, permission creep and inheritance, incorrect classifications, overwrites and errant copies, and a whole host of other security issues. They also represent an attack vector that ransomware and other malware can utilize to spread and amplify the effects of their payloads. The server hosting the share itself is a target and must be protected through antivirus, patching, and hardening of the operating system itself.
Consider replacing these relics with modern applications such as OneDrive, Box, or Dropbox. These options provide great features including seamless file restoration, incremental backups, easy sharing and collaboration, and robust, secure infrastructure. Utilities are available that mimic mapped drives and other legacy concerns, making the transition easy and transparent.
Network isolation and data classification
Consider conducting a thorough review of your network and system architecture with a focus on data rather than devices. Focus on limiting lateral movement throughout the organization and isolating specific data stores from one another. Use Virtual Local Area Networks (VLANs) and Virtual Access Control Lists (VACLs) to segment off data and systems in logical blocks – preventing an infection from causing company wide destruction.
We recommend study and review of your infrastructure until you intuitively know the what, where, why and how your data is stored, used, protected, and disposed. Apply controls appropriately, in the order of frequency and magnitude of any identified risks. You should develop, study, and practice disaster recovery scenarios – understanding what must happen, what could go wrong, and where the residual risk remains.
HIPAA One features a team of information security engineers and auditors that can walk you through these components and ensure that you’re ready to meet the most rigorous auditors and most advanced attacks. Our software makes it easy to conduct your HIPAA Security and HIPAA Privacy and Breach Analysis to identify any vulnerabilities and bolster your defenses. We can also offer professional services to help remediate and document your controls to prepare you for the future. Contact us to see how HIPAA One can help.