8 Steps To Protect Against Ransomware When Developing Or Deploying New Apps-The HSB Blog 7/26/21
With the rise of ransomware attacks, healthcare providers and application developers need to make sure they are practicing exceptional cybersecurity controls and security hygiene to avoid being victimized and to recover quickly if they are. As noted in a recent Forrester blog post, entitled “Ransomware: Surviving by Outrunning the Guy Next To You”, ransomware defense is about making yourself a less vulnerable target than others: protecting your critical infrastructure, ensuring that staff are familiar with and actually practice security protocols, reducing the potential entry points for malware intrusions, and ensuring the safety of healthcare systems and patients.
According to CISO magazine, 97% of organizations faced a mobile malware attack and 46% had at least one employee download a malicious mobile application in 2020.
Between 2010-2017, over 176.4 medical records were breached by criminals aiming to monetize off of the medical and private information stored by the healthcare systems.
According to the HHS, “4 out of 5 U.S. physicians have experienced some form of a cybersecurity attack.”
Surveys indicate that recent ransomware attacks only heighten patients’ hesitancy to provide personal information and data online.
On May 1, 2021, Scripps Health in Los Angeles reported that it had begun experiencing a ransomware attack that would ultimately last several weeks. According to Scripps, the attack exposed the health and personal information of approximately 150,000 patients, forced it to take its IT system offline for several weeks, and required medical personnel to revert to using paper-based records. This is only one example of the increasingly frequent ransomware attacks on healthcare facilities, which put patients’ information at risk and disrupt operations or entirely shut down healthcare services. This not only places patients at risk but damages the healthcare organization’s brand and reputation. These ransomware incidents raise questions about the role that healthcare systems themselves, and the users of these healthcare technologies and applications, play in ensuring the security of patient data and of their basic operating infrastructure. For example, according to HealthcareDive, “fewer than half of healthcare institutions met national cybersecurity standards last year,” and IT and cybersecurity spending by healthcare systems remains low relative to other industries.
Cybersecurity, or the lack of it, is directly related to the protection of the delivery of healthcare to patients and of patient health information. The possibility of a cyberattack increases the risk of exposing patient information, erasing or deleting health records, and even shutting down the entire system. Ransomware is a very dangerous example of what may result from email phishing, malware, or targeted exploitation of software bugs. Ransomware is malware implanted by cybercriminals that uses encryption to, in effect, hold user information hostage for a ransom ranging from thousands to billions of dollars, demanded from the organizations that rightfully own the data. Moreover, even when the ransom demands are met, not all the data is recovered. For example, in 2020 the average “bill” paid by companies to cybercriminals to recover their information topped 1.3 million dollars, yet only about 69% of the stolen data was ever retrieved following this payment. Oftentimes, ransomware enters systems via email attachments or removable media such as USB devices and other hardware. The data is encrypted so that its owners cannot access files, applications, or databases unless they pay the ransom to obtain the “key” to decrypt the data. Ransomware can also be designed to affect other parts of an organization’s systems.
Due to the sensitive nature of its data and the life-and-death impact that data issues or delays can have on the quality of care, the healthcare industry is vulnerable to and has been a prime target of ransomware. For example, in 2020 over a third of healthcare systems reported being hit with ransomware, and 65% of those reported that they had paid the ransom to cybercriminals to get their data decrypted by the attackers. As noted above, this lack of IT security is in part due to institutional constraints, such as a lack of financial resources and understaffed and underfunded IT teams. These problems were heightened by the COVID crisis, when healthcare systems had to deal with the stress of a shortage of physical facilities for patients and dramatically increased workloads on staff (some of whom became ill with COVID). Just as healthcare workers are expected to maintain certain practices and procedures for physical hygiene, healthcare organizations need to ensure they have, and are following, similar policies and procedures for data privacy and security and for their online presence. These methods are most effective when they are communicated broadly throughout the organization, practiced widely, and the subject of drills, so they can be put in place quickly in the event of an emergency. One suggestion for healthcare providers would be to follow the lead of organizations in the financial services industry, which generally have been at the forefront of cybersecurity controls. As such, we suggest that healthcare organizations implement the controls recommended by the New York State Department of Financial Services, as summarized in a recent National Law Review article. These include:
Email filtering and anti-phishing training for employees, including regular exercises and blocking malicious attachments and links;
Vulnerability and patch management, including a documented program to identify, assess, track and remediate vulnerabilities on all enterprise assets;
Multi-Factor Authentication, including for all logins to remote or internal privileged accounts;
The disabling of Remote Desktop Protocol (“RDP”) access wherever possible, and if RDP is deemed necessary, restricting access only to whitelisted originating sources;
Privileged access management, including implementing the principle of least privileged access;
A way to monitor systems and respond to suspicious activity alerts, including an Endpoint Detection Response (“EDR”) solution;
Comprehensive, segregated backups that will allow for recovery in the event of a ransomware attack; and
An incident response plan that explicitly addresses ransomware attacks and will undergo testing, including with the involvement of senior leadership.
The dramatic increase in ransomware, combined with the proliferation of digital health tools requiring remote access, has led to an exponential increase in points of vulnerability for healthcare suppliers, their partners, and their customers. As a result, healthcare organizations need to look closely at any applications they may deploy in their systems to ensure they don’t expose existing vulnerabilities or create new ones. Similarly, application developers need to ensure they are following strong coding standards and design techniques and incorporating strong security tools from the earliest stages of development. While these may sound fairly straightforward, a recent review article in the Journal of Medical Internet Research found that approximately 15% of the articles studied noted that developers lack the expertise to secure mHealth apps, pay little or no attention to the security of mHealth apps, and lack the resources for developing a secure mHealth app. As a result, we recommend that both app developers and those looking to deploy new digital health apps in their environment follow steps similar to the ones outlined in the W2S Solutions blog post entitled “Security Issues App Developers Need To Deal With While Developing A Mobile App.” While not meant to be exhaustive, these recommendations, together with the ones above, will help keep ransomware from entering an organization’s systems. These include:
Writing secure code that uses strong coding practices such as code signing and code hardening
Encrypting data from the development stage onward, thereby making it more difficult for malicious attackers to access
Using third-party application libraries sparingly and testing code after using it to ensure the code is not compromised
Using only authorized Application Programming Interfaces and using a central authorization for the complete API to ensure maximum security
Deploying high-level authentication via such means as Multi-factor authentication (ex: OTP login, biometrics)
Incorporating session management as a feature, in case the device is lost or stolen and using tokens instead of identifiers when managing sessions
Testing continuously and properly, using emulators and penetration testing to identify any vulnerabilities
Staying on top of evolving security technologies and threats to ensure that you are using the latest protection for your application
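The session-management item above (tokens instead of identifiers, with a way to cut off a lost or stolen device) is the one recommendation in this list that is concrete enough to show in code. The following is an added illustration written for this post, not code from W2S Solutions or from any product mentioned here. It assumes a server-side store keyed by an HMAC of a random token rather than by a user or device identifier, an idle timeout and an absolute lifetime (the 15-minute and 8-hour values are assumptions, not figures from the post), and a revocation path a help desk can use when a device is reported missing. The clock is injectable so the expiry logic can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values for this example; real deployments set these per risk appetite.
IDLE_TIMEOUT = 15 * 60          # seconds without activity before a session dies
ABSOLUTE_LIFETIME = 8 * 3600    # seconds after creation before re-authentication is forced


@dataclass
class Session:
    user_id: str
    device_id: str
    created: float
    last_seen: float


class SessionStore:
    """Opaque-token session store.

    The client only ever holds a random token; it carries no user id, device id,
    or role, so a captured token reveals nothing and cannot be altered to
    impersonate another account. Server-side we keep only an HMAC of the token,
    so a leaked copy of the store does not yield usable tokens.
    """

    def __init__(self, server_key: bytes, now: Callable[[], float] = time.time) -> None:
        self._key = server_key
        self._now = now
        self._sessions: Dict[str, Session] = {}   # HMAC(token) -> Session

    def _digest(self, token: str) -> str:
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def create(self, user_id: str, device_id: str) -> str:
        """Issue a new session and return the token to hand to the client."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._now()
        self._sessions[self._digest(token)] = Session(user_id, device_id, now, now)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Map a presented token to a user id, or None if invalid or expired."""
        key = self._digest(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self._now()
        if (now - session.created > ABSOLUTE_LIFETIME
                or now - session.last_seen > IDLE_TIMEOUT):
            del self._sessions[key]      # expired: drop it rather than refresh it
            return None
        session.last_seen = now          # sliding idle window
        return session.user_id

    def revoke(self, token: str) -> bool:
        """Explicit logout from the client holding the token."""
        return self._sessions.pop(self._digest(token), None) is not None

    def revoke_device(self, user_id: str, device_id: str) -> int:
        """Lost/stolen device: kill every session for that user+device pair."""
        doomed = [k for k, s in self._sessions.items()
                  if s.user_id == user_id and s.device_id == device_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def revoke_all(self, user_id: str) -> int:
        """Account compromise: kill every session for the user on every device."""
        doomed = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


if __name__ == "__main__":
    clock = [1_700_000_000.0]            # constructed, controllable clock
    store = SessionStore(secrets.token_bytes(32), now=lambda: clock[0])
    phone = store.create("clinician-42", "phone-A")   # constructed sample identities
    laptop = store.create("clinician-42", "laptop-B")
    print("phone resolves to:", store.resolve(phone))
    clock[0] += IDLE_TIMEOUT + 1
    print("phone after idle timeout:", store.resolve(phone))
    print("laptop sessions revoked on loss report:", store.revoke_device("clinician-42", "laptop-B"))
    print("laptop after revocation:", store.resolve(laptop))
```

Two design points matter for the ransomware discussion in this post. First, because the store is keyed by an HMAC of the token, dumping the session table does not give an intruder replayable credentials, which limits what a foothold on the server is worth. Second, `revoke_device` and `revoke_all` give operations staff a fast containment action that does not depend on the compromised device cooperating, which is exactly the situation a stolen clinician phone or a phished account creates.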