“Increased and Imminent Threat” to Healthcare Organizations Brings Endpoint Security Into Spotlight
A recent joint advisory from the United States Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services has announced an “immediate and imminent threat” against healthcare organizations.
While cybersecurity concerns are growing for all organizations, such a pointed joint advisory from these federal agencies highlights the critical need for healthcare organizations to redouble their digital security efforts.
We wrote this short piece to help healthcare organizations defend against –– and prepare to respond to –– this incoming threat.
In this piece, we will:
- Summarize the advisory and why it matters.
- Offer insight on these threats and how you might stop them.
- Provide a list of practical steps you can take today to protect your healthcare organization.
The Advisory: New Ransomware Attacks Are About to Target Healthcare Organizations
The October 28 warning was a rare kind of joint notice. If all of these agencies — and more — have joined forces to tell you about a threat, it’s worth taking quite seriously.
Specifically, the intelligence indicates that criminals are about to launch intensive ransomware attacks using multiple threats to infect HPH organizations— most notably the Ryuk and Conti malware.
We are not surprised by this notice. We have witnessed similar threat patterns all year among our HPH customers.
Criminals have targeted HPH organizations with ransomware since the COVID-19 pandemic began, identifying them as highly vulnerable targets. Their staffs are burdened. Their defenses are down. And their operations are critical. Cybercriminals see an opportunity.
But there are many ways healthcare organizations can better defend against these types of attacks. Here is how you can prevent them.
Incoming Ransomware: Understanding the New Attack
First, let’s outline these incoming threats to better understand how to stop them.
Criminals likely will be using Trickbot malware to launch their attacks. They will use the Trickbot to deploy a payload of ransomware. The advisory highlights Ryuk as the common ransomware used in this attack, but others may be used, too.
Once Ryuk has taken root, the criminal will perform a fairly conventional ransomware attack. They will spread laterally through your vulnerable systems and gain a foothold in your network. They will identify your most critical systems and may exfiltrate sensitive data. Finally, they will lock up your systems, threaten to dump your stolen data, and demand a ransom to end their attack and release your systems and data.
In short: This is a complex, multistage attack. And it can move very fast.
While there is no silver bullet action you can take to defend against it, there are layers of defenses you can set up to prevent these attacks from succeeding.
Preparing Your Defenses: Immediate Required Actions
A holistic threat — such as ransomware — demands a holistic security response.
To defend against this imminent threat, we recommend you:
- Warn your employees about incoming targeted spear phishing.
- Read the advisory for full details on this threat’s indicators of compromise.
- Assess the hygiene of your digital environment, and determine vulnerabilities across all of your assets that criminals might exploit.
- Place a special emphasis on patching and updating your assets — in particular your legacy systems — to reduce possible pathways into your networks.
- Assess and update configurations on all of your assets — in particular administrative rights — to ensure each asset aligns with your security policy.
- Maintain a full inventory of all of your assets, as well as real-time visibility into them. This will help you determine the impact of any breach you do suffer, as well as help protect against ongoing and future attacks.
It’s a big list. And we understand it might be a bit overwhelming. But nothing on this list is optional. We have reviewed the advisory in-depth, and we have looked at the brief’s recommended actions. Our conclusion is straightforward.
- These are the absolute minimum steps you must take to effectively protect your organization from this new threat.
- You must take all of these steps ASAP.
Responding Rapidly: What You Can Do Today to Defend Your Healthcare Organization
During a ransomware attack, every minute counts.
We have watched a ransomware attack unfold across a large HPH organization in just five hours, averaging less than one minute per location to traverse its network. That is faster than most organizations can respond.
In that kind of scenario, you must be able to act quickly. Seconds can save a wealth of systems and data. And every moment you lack visibility and control over your environment is a moment of opportunity for the criminals attacking you.
According to this joint advisory, that kind of scenario is about to knock on your door.
Are you ready to answer it?
If you have maintained proper IT hygiene, and if you have the tooling required to rapidly scan, patch and update your assets, then you are in good shape to protect your organization. Simply work through the actions we listed above, and you will be as safe as you can be.
But if you have not maintained proper IT hygiene, and if your tooling does not allow a rapid and comprehensive response to this advisory, then please let us help.
The Tanium endpoint security and management platform that can:
- Install in minutes or hours, from the cloud, with no infrastructure required.
- Find your assets in your environment and provide real-time data on open vulnerabilities, missing patches and updates, and indicators of compromise (IoCs) for this threat.
- Deploy patches, updates, and configurations to your assets in your environment in hours — not days or weeks — without network disruption.
If you would like to know more about how Tanium can help your healthcare organization defend against cyberattacks, please contact us today. Or see the power of Tanium for yourself and sign up now for our Free Evaluation trial.