
What Cyber Criminals Are Doing To Break Into Rural Hospitals Like Yours


You might think that cyberattacks are like bank robberies. The robber comes in with a weapon and demands all the money be placed into a few sacks. The cybercriminal, similarly, comes on your network with a virus and holds all of your medical records ransom for perhaps a bigger sum of money than cash on hand in a bank vault.

Cybercrime isn’t that simple.

You can liken cyber criminals to the smartest and stealthiest of bank robbers perhaps. The kind that scope out targets. The folks that really do their due diligence before a heist.

Unlike the common bank robber, most cybercrime is a long process. And most victims fall because they have no idea how criminals get in and exploit their hospitals.

Today, I want to spend a few minutes outlining 5 of the key phases that most good cyber criminals take when scoping out, targeting, and attacking rural hospitals. I hope this information helps you get better prepared to avoid becoming a target and gives you something to think about if you have the misfortune to be targeted.

5 phases to a hospital ransomware attack:

Reconnaissance—likely the longest phase in a cybercriminal’s pursuit of the best hospital targets, this scouting phase may take weeks to months to complete. In gathering reconnaissance information, the criminal is looking for ways to phish the hospital into getting ransomed, open doors through under-protected administrative credentials and weak passwords, opportunities to social-engineer their way onto your networks, and even external scans of your networks to determine whether they are being maintained well.

During the reconnaissance portion of the cyberattack, criminals likely will be hard to detect outright (unless your IT Support is actively monitoring the network, looking for suspicious activity, and warning your users to be cautious giving away too much personal information).

While it is often really hard to defend against a criminal’s exploratory search for vulnerabilities to get into your network, there are steps you can take to make the data gathering hard for your attacker—hard enough to make them want to give up on you and move on to an easier target. Here are 4 ways to make cyber reconnaissance hard on cybercriminals:

  1. Don’t leak information on the web—make sure your network isn’t leaking any information about its environment, such as patch levels or software versions. Be sure to keep emails hidden and names and key positions at your hospital hard to find online. By removing information on key people, you are making it harder for criminals to spear phish your team into clicking on malicious attachments or links that could compromise your entire hospital network.
  2. Ensure all printed documents get destroyed—make sure that your team isn’t posting passwords on their monitors and keeping sensitive information in plain sight on their desks. Note that cybercriminals do not work alone and could be down the street. Especially in rural areas where technical jobs may be harder to find, tech-savvy neighbors may resort to helping or steering cybercrime as a lucrative income source. Best not to tempt anyone to exploit your network by giving them the keys outright.
  3. Provide generic contact information for domain registrations—your hospital has a web domain that is likely registered to someone. Most of the time, the owner or a VIP is named on the domain’s registration. The problem with registering a key contact’s name is that you’ve just alerted cybercriminals to a good person to target on your network.
  4. Prevent network scanning attempts—prevent your LAN/WAN devices from responding to external network scanning attempts. The less information a criminal can get about your network, the fewer vulnerabilities they are likely to identify and exploit right away.

Scanning for Network Devices—Once the attacker has found sufficient ‘evidence’ that your network might be ripe for the picking, he or she may start seriously scanning the perimeter of your network and look for internal devices on your network with weaknesses.

Some of the more common things criminals are looking for may include:

  1. Open ports and open services on your network.
  2. Vulnerable applications, including outdated operating systems.
  3. Weak methods to protect sensitive data in transit.
  4. Specific makes and models of your network equipment.

Most perimeter scans of your network should be detected with intrusion detection (IDS) or intrusion prevention (IPS) solutions. While having IDS and IPS in place may keep your network secure from many criminals trying to scan it, expert criminals are still able to get around common security measures. Here are a few suggestions we follow to ensure more secure networks:

  1. Shut down all unneeded ports and services.
  2. Allow critical devices that process sensitive information to communicate only with approved devices.
  3. Closely manage your system design, preventing direct external access to servers.
  4. Maintain proper patch levels on all of your endpoints (servers and workstations).

Gaining Access—Once a criminal has learned the inner workings of your network through scans, it’s only a matter of time until they access your network. Usually the goal is to infect your entire network with a ransomware virus. But in other cases, attackers may be looking to exploit your sensitive data.

To ensure that you are able to survive an attack in the event your network is breached, I’d suggest taking proactive action:

Control who has access—understanding and regulating who has access to sensitive data or administrative rights on your hospital network is critical. By minimizing who is able to access records and authenticating users using two-factor authentication (for instance, requiring text confirmation by phone), you can be more certain that the folks accessing your network are doing so legitimately.

Lock your sensitive information up—make sure you have locks on doors to your server rooms and other areas with sensitive information (like printed health records). By using locks that track individuals’ access, you can also see specifically who is accessing those areas and have visibility into suspicious activity.

Encrypt sensitive data—medical records and other sensitive records should be encrypted to make sure that even if criminals accessed your network, they wouldn’t be able to see the contents of those files. Encryption is a final defense that likely will protect you from a data breach in the event other security measures fail. But don’t rely on encryption alone. There are too many risks to weak security that might compromise your network even with data encryption!

Maintaining Access on your Network—once an attacker gets access to your network, they are likely looking to keep access until their attack is complete. Although an attacker reaching this step has bypassed your security, they are still trying to find ways to continue accessing your network undetected.

In addition to IDS and IPS devices that detect intrusions (mentioned above), there are a variety of ways you can detect suspicious activity indicative of a cyberattack on your network:

  1. Detect file transfers of content to external sites or devices.
  2. Prevent direct session initiation between servers in your data center and networks not under your control.
  3. Look for nonstandard protocols or odd ports being used to access your network.
  4. Detect suspicious activity on your servers.
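As an added example (not code from the original post or from the author’s company), the following Python script runs three of the detections above over a handful of constructed firewall log lines: large outbound transfers to external sites, sessions initiated by data-center servers toward networks you don’t control, and egress on ports outside an approved set. The key=value log format, the subnets, the approved port list and the 100 MiB threshold are all assumptions chosen for illustration; adapt them to your own firewall’s export format and baseline.

```python
"""Flag suspicious outbound connections in firewall logs.

Added example, not the original post's code. The log format, subnets,
approved ports and thresholds below are assumptions for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in a hypothetical key=value firewall format.
# 10.20.5.0/24 plays the role of the data-center server subnet; the
# 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges
# standing in for external hosts.
SAMPLE_LOGS = """\
2024-05-01T02:13:07Z src=10.20.7.14 dst=10.20.5.40 dport=443 proto=tcp bytes_out=5120
2024-05-01T02:14:11Z src=10.20.7.14 dst=203.0.113.8 dport=443 proto=tcp bytes_out=18200
2024-05-01T02:15:02Z src=10.20.5.40 dst=198.51.100.23 dport=443 proto=tcp bytes_out=950
2024-05-01T02:16:45Z src=10.20.7.31 dst=203.0.113.77 dport=4444 proto=tcp bytes_out=2200
2024-05-01T02:18:30Z src=10.20.7.14 dst=203.0.113.8 dport=443 proto=tcp bytes_out=734003200
2024-05-01T02:19:10Z src=10.20.7.22 dst=10.20.5.41 dport=445 proto=tcp bytes_out=120400
2024-05-01T02:20:05Z src=10.20.7.22 dst=198.51.100.9 dport=53 proto=udp bytes_out=310
2024-05-01T02:21:55Z src=10.20.5.41 dst=203.0.113.50 dport=22 proto=tcp bytes_out=4100
"""

# Assumed environment: RFC 1918 space is "internal", one /24 holds servers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVER_NET = ipaddress.ip_network("10.20.5.0/24")  # assumed data-center subnet
APPROVED_EGRESS_PORTS = {53, 80, 443}               # assumed approved outbound ports
EXFIL_BYTES_THRESHOLD = 100 * 1024 * 1024           # assumed: 100 MiB in one connection

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Return a list of (rule, timestamp, src, dst, dport) findings.

    Only connections that leave the perimeter (internal source, external
    destination) are examined; purely internal traffic is out of scope here.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not (is_internal(rec["src"]) and not is_internal(rec["dst"])):
            continue
        where = (rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"])
        # Rule 1: a single connection pushing an unusually large volume out.
        if rec["bytes_out"] >= EXFIL_BYTES_THRESHOLD:
            findings.append(("large_outbound_transfer",) + where)
        # Rule 2: a data-center server opening a session to a network you don't control.
        if rec["src"] in SERVER_NET:
            findings.append(("server_initiated_external_session",) + where)
        # Rule 3: egress on a port outside the approved set.
        if rec["dport"] not in APPROVED_EGRESS_PORTS:
            findings.append(("nonstandard_egress_port",) + where)
    return findings


def summarize(findings):
    """Count findings per rule, handy for a daily report line."""
    return Counter(f[0] for f in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOGS)
    for rule, ts, src, dst, dport in results:
        print(f"{ts} {rule}: {src} -> {dst}:{dport}")
    print(dict(summarize(results)))
```

Over the constructed sample this flags one large transfer, two server-initiated external sessions and two nonstandard egress ports. In a real deployment the first refinement is an allowlist of known external destinations (backup providers, cloud EHR vendors) so that legitimate bulk transfers don’t drown out the ones worth a phone call.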

Hiding the Evidence—after successfully attacking your network, a criminal’s last step is to avoid leaving any proof behind. They often will try to hide how they got in so that they can make a similar attack on another hospital later on.

To help law enforcement understand how criminals are breaking into hospital networks, you should consider taking the following actions:

  1. Keep your anti-malware updated.
  2. Alert on unusual or unexpected activity by users.
  3. Use firewalls that can detect unusual activity across your network.

Are you certain your hospital’s network is safe from cyber criminals? How do you know you’re not a target to the next big ransom attack? Contact us today for a free ransomware vulnerability assessment.