In spite of how critical they have become during the COVID-19 pandemic, hospitals have been forced to deal with a barrage of ransomware attacks over the last year. A Comparitech report found that there were 92 separate ransomware attacks in 2020 that had an effect on more than 600 US clinics, hospitals and organizations. More than 18 million patient records were exposed and the report estimates that nearly $21 billion was lost in these attacks in 2020.
Dozens of hospitals across the world have been locked out of important digital systems by attackers leveraging technology against those who need it most, forcing healthcare enterprises to make the tough choice of paying a ransom or potentially losing millions of patient files and more. Authorities in Germany even confirmed that one ransomware attack led to the death of a woman in September.
But help is one the way thanks to the nonprofit Center for Internet Security’s new Malicious Domain Blocking and Reporting Service. The tool, unveiled in February, is a no-cost ransomware protection service for private hospitals in the U.S. that may not be able to afford a robust cybersecurity service.
SEE: Identity theft protection policy (TechRepublic Premium)
Ed Mattison, executive vice president of CIS operations and security services, said in an interview that the service is being offered with the help of Akamai’s Enterprise Threat Protector edge security service, which proactively blocks network requests from an organization to known harmful web domains, helping limit infections related to known malware, ransomware, phishing and other cyber threats.
“85% of ransomware attacks could be prevented in your organization if you were using MDBR because 85% of ransomware attacks are done using known ransomware domains,” Mattison said.
“As long as organizations get hit with ransomware and they pay the ransoms, there will continue to be an increase in the number of ransomware attacks. If organizations can prevent the attacks, or if they don’t prevent the attack but can recover their systems and not pay the ransoms, then we will see ransomware reduce and go away.”
The system searches for traffic from domains that have been previously associated with activity that is considered malicious, and if the system finds a malicious domain trying to connect with hospital networks, the connection is blocked.
“If you are working at an organization and get an email that has a link in it that’s going to download ransomware or contact some ransomware command-and-control domain, if you click that link and there’s not a service like this in place, then that that web request is going to go out to that command and control domain and return the ransomware for installation on your PC and network,” he said.
“The vast majority of infections that are being done are with the same two or three different variants of ransomware that are already known.”
Mattison was quick to say that this is not a catch-all or a replacement for a more robust cybersecurity apparatus. But it was one small way to keep struggling, underserved hospitals a bit safer.
During the month of February, the system blocked 156,145 DNS requests of the 363,518,702 total requests, finding that nearly 70% of all blocked activity for all ISAC members was malware.
“The main vector by which ransomware and other malware gets into an organization is through email. There are some estimates that say as high as 85% of malware infections including ransomware start with a user clicking on a link in an email. It is a known fact that the number of phishing and malware campaigns have greatly increased toward hospitals during COVID-19,” Mattison said.
“K through 12s, higher education and healthcare are some of the top targets of these COVID-based phishing campaigns and if there’s more attacks, there’s likely going to be more infections.”
The program is funded by the Center for Internet Security and originally started last year as an offering to K-12 schools as well as state and county governments, signing up about 2,000 organizations ranging from kindergartens to the DMV. But the service was expanded this year to hospitals once it was found to be effective, blocking almost 800 million malicious intrusion attempts so far.
Mattison explained that so far, 35 hospital systems made up of about 75 hospitals have signed up for the service and more are looking into it thanks to recent publicity efforts and support from the American Hospital Association. The service produces a monthly reporting showing the domains that were blocked and all of the intrusion attempts.
The organization’s goal is to try and enroll about 2,500 of the country’s more than 6,500 hospitals, according to Mattison, who noted that they are targeting hospitals that may lack the funding to afford robust cybersecurity systems.
Already, they are receiving unexpected requests for help. Mattison said he was surprised to see that one of the first hospital systems to sign up was a relatively large system with 20 hospitals that did not already have anything comparable to a secure DNS service.
The signup was a reminder that even larger hospital systems may be lacking in terms of cybersecurity.
Mattison noted that the massive increase in ransoms paid last year is prompting worries about changes to the cyber insurance market and more. Lawmakers are already looking into making it illegal to pay ransomware ransoms and insurance companies are hinting that they may specifically prevent future payments to ransoms, according to Mattison.
In an interview, Andrew Maurer, a systems architect at Madelia Community Hospital and Clinic, said the MDBR system has helped his hospital “by providing hardened baseline OS images that can be used to improve Golden Images for workstation and server deployment.
Maurer added that CIS provides teams like his with security reports that come ahead of the news cycle, enabling IT teams to implement patches before vulnerabilities are exploited.
“We work to prevent ransomware breaches every day and with a lot of training, the right equipment and a bit of luck have not been breached. Other hospitals in the area have not been so prepared or fortunate. Every day there are attempts to penetrate our network, but like many others, our network remains secure,” Maurer said, noting the ease of implementing CIS’ tool.
Maurer explained that hospital IT staffs have been overburdened managing telehealth and remote work, adding that the problem has been exacerbated by the fact that IT functions were largely farmed out to XaaS companies instead of developed in-house.
“You have the equivalent of an open bank vault being guarded by a Mall Cop that also tries to guard dozens of other bank vaults at the same time. What you end up with is a hospital, or any business really, that is a juicy piece of low hanging fruit that many people want to snip from the tree,” Maurer said.
Cybersecurity experts commended CIS for providing the tool but some noted that its effectiveness hinged heavily on the ability to categorize and maintain a list of malicious domains in real time.
nVisium CEO Jack Mannino noted that because the service was free, it could help even the playing field for underfunded security organizations or those lacking the maturity and sophistication of larger programs.
According to Dirk Schrader, global vice president of security research at New Net Technologies, MDBR is a “helpful piece in an organization’s security architecture as it provides for an overlay of security measures” but said it “should not be regarded as a corner stone of any security architecture or as a measure that drastically increases the overall security posture of a school, university or hospital.”
John Morgan, CEO at cybersecurity firm Confluera, said this task is not easy to achieve when attacks are launched from new servers and not-yet-detected compromised servers.
“Services like MDBR would be a good complementary solution to reduce the attack surface for hospitals against ransomware and other attacks. However, organizations have to operate under the assumption that crafty hackers will find a way in,” Morgan said.