
Ransomware that breached 45,000 records per incident. Will your hospital be next?


Could you imagine a ransomware attack hitting your network and exposing 44,979 patient records? That is what happened to one hospital in rural Missouri just over two weeks after the big LabCorp cyberattack.

In this hospital's case, the network had been seeded with a variety of malware, including the ransomware itself, and the result was that nearly 45,000 patient records ended up encrypted.

While several media outlets have reported a decrease in cybersecurity incidents over the past year, these past few weeks suggest otherwise. Given the potency of current malware and the stealth of the criminals deploying it, healthcare organizations, and critical access hospitals in particular, are at high risk of devastating cyberattacks.

What was the cause of the attack?

In short, Remote Desktop Protocol (RDP). Attacks on exposed RDP have been stealing the headlines lately. Think about LabCorp, the city of Atlanta, and multiple other healthcare attacks, including the one I am writing about here.

Attackers scan the internet for RDP servers listening on open or under-protected ports (note: many of these attacks arrive through vendors that have RDP access to your network, which leaves many rural hospitals exposed. Consider a ransomware vulnerability assessment to find out whether you are in this boat!).

Once they find a hospital that exposes RDP, they set out to obtain credentials for it. That can mean phishing your users with reasonable-sounding requests, some of them apparently from your own administrator, to visit a spoofed link or open an attachment, or it can mean simply guessing weak passwords against the RDP service itself (a brute-force attack). Once they hold a valid login, they effectively have carte blanche to scan your network and deliver the ransomware to each machine. In this case, attackers have been delivering stealthy SamSam variants that are exceedingly hard for many IT teams to detect.

How did the virus infect so many records?

The SamSam ransomware, which we have remediated countless times over the past 6 months, has a reputation for encrypting files when users are not active at their computers (which keeps detection low and lets the attackers penetrate deeper into a hospital's network). Many SamSam intrusions sit dormant for weeks to months, until the attackers have reached every computer on the network, before encryption is triggered. This seemed to be the case with the Missouri hospital (as it was for other hospitals we have remediated).

Once inside, the criminals had full access to the hospital's entire network and all of its patient records (yes, a big deal!).

What did the attack target?

While SamSam indiscriminately targets a wide range of file extensions, this attack ended up encrypting about 45,000 patient records, spanning billing, medical records, administration, and admissions, among other departments. The data included patient names, Social Security numbers, account numbers, driver's license numbers, disability codes, diagnoses, addresses, dates of birth, and insurance codes.

How might this data risk patient identities?

Taken together, this much information could lead not only to severe identity theft but also to medical identity theft. In fact, people on the dark web have been buying medical identities hand over fist with the intent of getting pricey procedures done. For a few hundred dollars, they can file insurance claims and leave your unsuspecting patients fighting debt collectors over tens or hundreds of thousands of dollars' worth of surgeries they never had.

How can you take back control of your network and make sure it's secure?

Track your RDP connections: keep open only the ones you actually need. Criminals are actively searching for holes into your network, and an exposed RDP port is their gold mine. Keep an inventory of which RDP access points are open, who is using them and from where, and review your Windows logon logs for bursts of failed RDP attempts, which are the footprint of password guessing.
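Here is an added example, written for this page and not code from the original post or from the company behind it, of what "tracking RDP connections" and catching the credential-guessing phase described earlier can look like in practice. It works from a constructed, simplified export of Windows Security log records (event 4625 is a failed logon, 4624 a successful one, and logon type 10 is a RemoteInteractive, i.e. RDP, session). The field layout, the sample IP addresses and account names, and the five-failures-in-ten-minutes threshold are assumptions for the illustration, not details taken from the post.

```python
"""Spot RDP password guessing and inventory RDP use from Windows Security logs.

Assumed input (constructed for this example): one record per line with five
whitespace-separated fields: timestamp, EventID (4624 = logon succeeded,
4625 = logon failed), LogonType (10 = RemoteInteractive, i.e. an RDP
session), account name, source IP address.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive: an interactive session over RDP

# Constructed sample log: 203.0.113.45 sprays accounts and finally gets in,
# 198.51.100.7 is a vendor logging in normally, 10.20.30.41 is a staff
# workstation with one typo (plus a non-RDP failure that must be ignored).
SAMPLE_LOG = """\
2018-07-20T02:14:05 4625 10 administrator 203.0.113.45
2018-07-20T02:14:06 4625 10 admin 203.0.113.45
2018-07-20T02:14:08 4625 10 backup 203.0.113.45
2018-07-20T02:14:09 4625 10 jsmith 203.0.113.45
2018-07-20T02:14:11 4625 10 rdpvendor 203.0.113.45
2018-07-20T02:14:13 4625 10 rdpvendor 203.0.113.45
2018-07-20T02:14:15 4624 10 rdpvendor 203.0.113.45
2018-07-20T08:01:22 4624 10 rdpvendor 198.51.100.7
2018-07-20T08:03:40 4625 3  jsmith 10.20.30.41
2018-07-20T09:15:02 4625 10 jsmith 10.20.30.41
2018-07-20T09:15:20 4624 10 jsmith 10.20.30.41
"""


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


def parse_log(text: str) -> list[LogonEvent]:
    """Parse the simplified export into LogonEvent records (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, src = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid),
                                 int(ltype), account.lower(), src))
    return events


def detect_rdp_password_guessing(events: list[LogonEvent], threshold: int = 5,
                                 window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {source_ip: finding} for every source with >= threshold failed RDP
    logons inside any `window`, plus the accounts it later logged in as from
    that same source (the 'credentials obtained, now inside' transition)."""
    failures: dict[str, list[LogonEvent]] = defaultdict(list)
    successes: dict[str, list[LogonEvent]] = defaultdict(list)
    for e in events:
        if e.logon_type != RDP_LOGON_TYPE:
            continue  # console, SMB/network and service logons are not RDP sessions
        (failures if e.event_id == 4625 else successes)[e.source_ip].append(e)

    findings = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e.time)
        best, start = 0, 0  # sliding window over the sorted failure times
        for end in range(len(fails)):
            while fails[end].time - fails[start].time > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        first_fail = fails[0].time
        findings[src] = {
            "failures": best,
            "accounts": sorted({e.account for e in fails}),
            "succeeded_as": sorted({e.account for e in successes[src]
                                    if e.time >= first_fail}),
        }
    return findings


def rdp_access_inventory(events: list[LogonEvent]) -> dict:
    """Who is actually using RDP, and from where: {(account, source_ip): sessions}
    built from successful RemoteInteractive logons. Compare it against the list
    of vendors and staff who are *supposed* to have RDP access."""
    inventory: dict[tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e.event_id == 4624 and e.logon_type == RDP_LOGON_TYPE:
            inventory[(e.account, e.source_ip)] += 1
    return dict(inventory)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, f in detect_rdp_password_guessing(evts).items():
        print(f"{src}: {f['failures']} failed RDP logons, tried {f['accounts']}, "
              f"then logged in as {f['succeeded_as']}")
    for (account, src), n in sorted(rdp_access_inventory(evts).items()):
        print(f"RDP session(s): {account} from {src} x{n}")
```

To use it on a real system, replace SAMPLE_LOG with the same five fields pulled from the Security log (Event Viewer or Get-WinEvent exports carry EventID, LogonType, TargetUserName and IpAddress). A source that fails repeatedly and then succeeds as one of the accounts it tried is exactly the transition from credential guessing to "inside the network" described above, and any (account, source) pair in the inventory that you cannot match to a known vendor or staff member is an RDP access point you did not know was open.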

Eliminate RDP if it is not needed: if you can find another way to get information to vendors, reconsider having RDP in use at all. Some cybersecurity experts consider RDP more of a liability than an asset to hospitals, especially when vendors do not keep up good HIPAA and cybersecurity hygiene. Where RDP has to stay, do not expose it directly to the internet; reach it over a VPN, require Network Level Authentication, and protect the accounts that can use it with multi-factor authentication and strong passwords.

Be careful with vendors: vendors may not keep their networks as clean as you do, and if you give them carte blanche access to your network via RDP, you may be risking more than you would ever imagine. At the very least, make sure you fully understand your vendors' security policies and get a feel for their network hygiene (we recommend that all vendors get a network security assessment so they do not put your entire network's security at risk).

Get a second opinion occasionally: even the best of us make mistakes (that is why we have multiple cybersecurity experts with CISSP credentials on staff!). Consider getting a second opinion to identify any unseen vulnerabilities that could lead to a SamSam attack.

Attackers are smart. They will strike when you least expect it. They work weekends and holidays, and they plan on succeeding at penetrating your network, attacking it, and ransoming your data.

Are you sure you’re safe in the current ransomware landscape? Contact Us today for a free ransomware vulnerability assessment!