To ransom-proof healthcare, we need to go on the offensive – interview
Ransomware attacks on healthcare can turn deadly. To avoid further casualties, states might need to go on the offensive.
The US might have had its first ransomware-related death recently. A lawsuit in Alabama claims that a newborn baby ended up with severe brain injury because an expecting mother did not receive necessary care due to an ongoing attack against the hospital she was in. The baby died nine months after birth.
Last year, an ambulance carrying a dying woman in Germany was redirected to a different hospital since the closest one was in the grips of an extortion attack. Even though prosecutors later confirmed that the patient would have died anyway, it's only a matter of time when a critically injured patient will not receive necessary help due to an ongoing attack.
Hospitals, like so many other organizations, are ill-prepared to double or triple extortion attacks. Even though there are few novel remedies to combat the threat to hospitals, simply updating attack-reporting routines might not cut it when human lives are at stake.
"Instead of just taking back the ransom, we need to take back the entire bounty that they've collected over their entire history. Only then will you eliminate the incentive for the activity."-Chris Bowen
According to Chris Bowen, the Co-Founder and security expert at ClearDATA, a healthcare cloud hosting and security company, law enforcement and businesses need to join forces to combat threat actors more efficiently.
"Ransomware-as-a-service on a public cloud should not be tolerated by the public cloud. We've got to work with major cloud providers to continue to take up that fight. They have to play a role in that because their tools are being used for this," Bowen told CyberNews.
We sat down to discuss how ransomware affects the healthcare sector and what hospitals, businesses, and law enforcement could do to combat a potentially deadly threat for better results.
Ransomware has evolved a lot over the past couple of years. Do you see any healthcare-specific tendencies in the field?
The market dynamics of ransomware are very interesting. It's now super easy to buy ransomware services, and you can deploy the malware in a modular way. What I've seen is that in healthcare, there are many outdated systems that aren't supported from a patching perspective.
And that's particularly the case with healthcare providers, like hospitals. In those kinds of settings, they're still migrating from on-prem data centers, and they haven't upgraded into the cloud yet.
The cyber gangs understand that healthcare data is critical. And they're taking advantage of that. They know that they've got a fast buyer of their data. Hospitals want to get the data recovered as quickly as possible. Hospitals need to get back online as soon as they can. And the bad guys are taking advantage of that faster payment.
The other thing I've seen is that the bad guys have this perception that healthcare has money. So, they're going to go where the money is. And they try to take advantage of that because they can get paid quickly and with a lot of money.
There's a couple of social things that I think are important to healthcare. I haven't done empirical studies on this, but healthcare workers are genuinely there to help people. And that might help threat actors with the social engineering aspect of the attack. I mean, their focus is on patient care, on understanding the MRI, not necessarily how to spot a fake email all the time.
The FBI and CISA recommend avoiding paying ransomware, but hospitals, like many organizations, do pay criminals. Do you see a unanimous approach everyone should take?
The sad thing is that if you pay, you will attract more threat actors. So, the FBI, CISA, and others have discouraged that. But if you're not prepared for the attack, you're going to have to pay unless you want to rebuild everything. And that's why we preach preparedness, preparedness, preparedness.
Malicious actors take an interesting approach nowadays. They exfiltrate the data, then destroy it, and only then message or call the victim. And by then, you're totally unable to respond. You need to ensure that your backups are in a mutable state, air-gapped away from the cloud environments you're using for production.
A lot of healthcare organizations forget that ransomware is now designed to destroy backups. And architecting for that is a very, very important countermeasure. It's just not happening at the rate that it needs to happen at this point in time.
Even though the threat of ransomware is not new, no one seems to have been prepared for that. Why do you think that is?
In healthcare, the money typically goes to patient care as much as possible. Let's face it, putting money into a security budget is not a revenue-generating activity. It's a risk-mitigating activity.
But we've started to see that mindset shift with people better aware they got to invest. Some of our bigger customers are putting millions into security. Some of them are still trying to figure out how to upgrade their Windows Server 2008.
Healthcare institutions need to rearchitect. They need to move to the cloud in a way that's not just a 'lift & shift,' and they need to find the talent to help them move. Without that, it's challenging for them to accomplish that. Even if they know, they need to.
"In healthcare, the money typically goes to patient care as much as possible. Let's face it, putting money into a security budget is not a revenue-generating activity."-Chris Bowen.
New ransomware gangs keep emerging in the place of one's that have been forced off the internet. Do you see any novel means to combat the threat?
We have to continue to be vigilant. We are seeing that some of the sites that were shut down in the past are getting repopulated. I think we need to be proactive about going after these criminal syndicates. When people attack the NHS in the UK, the Department of Health in Ireland, or anywhere else, it's really, really serious.
Right now, we're playing defense, saying let's report the attacks better, let's share more information. We need to go after bad guys in a stronger way. I'm hopeful that some government agencies somewhere are doing that.
What would be considered a 'stronger approach' in combating ransomware gangs?
It's hard to tell. I mean, we understand the psychology of these folks, and most of the time, it's just to make money. I think it has to be a multi-pronged approach.
I think ransomware-as-a-service (RaaS) on a public cloud should not be tolerated by the public cloud. We've got to work with major cloud providers to continue to take up that fight. They have to play a role in that because their tools are being used for this.
We also have to take a government approach. Following the money is usually the most effective way to find something or to track something. The wallet addresses from digital cryptocurrencies are one way. Sure, they swap around the wallets, but I'm sure we can figure out a way to monitor those as well.
It's a public ledger, after all. We have to be able to do a better job of that. And some brilliant people are developing some amazing technology to do that. And we've seen some of that happen in the recent past. Some of those ransoms have been clawed back.
But we need to do a lot more of that. Instead of just taking back the ransom, we need to take back the entire bounty that they've collected over their entire history. Only then will you eliminate the incentive for the activity.
More from CyberNews
Subscribe to our newsletter