Why Healthcare is Now a Prime Target for Ransomware Attacks

In recent years, ransomware attacks have become one of the most prominent and worrying forms of cyber threats, especially for healthcare institutions. Healthcare organizations have become lucrative targets for cybercriminals due to several intrinsic vulnerabilities that offer a perfect storm for ransomware exploitation. This blog post explores these vulnerabilities and discusses strategies that hospitals, care providers, insurance and billing departments, and other healthcare organizations can implement to shield against such debilitating attacks, including solutions like Protective DNS. 

Healthcare is now a Ransomware target. 

Recent events have alarmingly underscored the vulnerability of healthcare providers to ransomware attacks. In December 2022, researchers from the University of Minnesota and the University of Florida published their findings in the JAMA Health Forum about ransomware attacks against healthcare providers. In the 5 years studied between 2016 and 2021, 374 attacks exposed healthcare data. 

“Researchers from the University of Minnesota and the University of Florida measured attacks on healthcare delivery organizations from 2016 to 2021, publishing their findings in the December issue of the JAMA Health Forum. During the study period, 374 attacks were identified as exposing the personal health information (PHI) of 41,987,751 individuals—more than 10% of the U.S. population.” 

In January of 2023, the Health Sector Cybersecurity Coordination Center (HC3) published a brief on Royal and BlackCat ransomware and their use against healthcare targets. The brief claimed that Royal was making ransom demands ranging from $250,000 to over $2 million USD.

And some of these attacks were made public. For instance, in May 2022, San Diego-based Scripps Health faced a devastating ransomware attack that led to a significant disruption of its IT systems, impacting patient care services and privacy. Similarly, in October 2021, the University Hospital Brno in the Czech Republic experienced a cyberattack that forced it to cancel surgeries and reroute critical patients to alternative facilities. These incidents highlight the potential for operational paralysis and the profound implications for patient safety and data security. 

This shift in focus marks a significant change in strategy for ransomware groups, who previously steered clear of targeting medical care facilities directly. Historically, these cybercriminals targeted sectors perceived as more lucrative, such as finance and retail, where immediate financial gains were more apparent. However, the unique position that care providers occupy—a nexus of critical, time-sensitive services and sensitive personal data—has made them an increasingly attractive target. This evolution in target preference underscores a concerning trend, where the vulnerability of public health systems is exploited for gain, emphasizing the need for enhanced cybersecurity measures within healthcare infrastructures. 

Core vulnerabilities of healthcare systems. 

Healthcare organizations are treasure troves of patients’ Personally Identifiable Information (PII). Unlike credit card numbers, the intimate details contained within medical records cannot simply be “changed” or “cancelled” in the face of a breach, making them enormously valuable. 

  • Urgent need for data access: Healthcare providers require immediate access to patient data to deliver lifesaving care. Ransomware exploits this urgency, knowing that urgent care providers are more likely to pay ransoms quickly to regain access to critical systems. 
  • Legacy systems and software: Many healthcare facilities rely on aging technology to support crucial applications. These legacy systems often operate on outdated operating systems that no longer receive security updates, leaving them inherently vulnerable. 
  • Medical device and IoT exposure: The vast ecosystem of medical devices and Internet of Things (IoT) devices within health networks is notoriously challenging, if not outright impossible, to update, presenting an array of soft targets for ransomware.
  • Open networks: Hospital networks are designed to allow healthcare staff rapid access to patient data. Unfortunately, this necessity often translates into less restrictive network controls, contributing to the potential for ransomware dissemination. 

Proactive defense strategies for healthcare. 

Healthcare organizations must recognize the profound risks present in their digital infrastructure and build countermeasures to defend against ransomware.  

In cases where legacy operating systems or IoT devices cannot run contemporary anti-malware solutions, the network must provide protection from ransomware. The following are essential strategies for healthcare organizations to consider:

Network segmentation and micro-segmentation. 

By dividing the network into distinct segments, healthcare IT teams can minimize the impact of a device compromise. A breach in one area can be contained, preventing it from spreading throughout the organization.  At a minimum, this means separating general-purpose business systems like laptops and desktops from embedded devices and mobile workstations used to access patient data. 

Internet access restrictions. 

Restricting internet access for sections of the network with sensitive data is a critical preventive measure.  Servers in a datacenter and embedded devices such as medical imaging machines should not be reaching out to services on the Internet except in rare cases. 

Rigorous backup capabilities. 

Backing up data in locations resistant to ransomware, such as offline, is vital. This process, coupled with regular testing of backup restoration, can significantly reduce the impact of ransomware attacks. 

Enhanced access controls. 

Strong user authentication protocols and stringent access controls such as Network Admission Control (NAC) can reduce the risk of unauthorized or accidental access to a network zone leading to ransomware deployment. 

Using a Protective DNS solution.

Pre-emptive Protective DNS can transform a healthcare organization’s defense strategy from reactive to proactive. By mapping adversary infrastructure and analyzing communication patterns, protective DNS proactively counteracts ransomware and other attacks. Protective DNS provides the following capabilities: 

Blocking DNS queries to malicious domains: Protective DNS prevents ransomware by blocking queries to harmful domains used for malware delivery, stage-2 payloads, and command and control (C2) servers. 

Policy enforcement: Enforce corporate internet standards and ensure security with a network of secure recursive servers that block websites forbidden by organizational policy, such as gambling and pornography. 

Company-wide protection: Consistent protection for devices no matter what network they are on, even for remote users. 

Logging and alerting: By logging DNS queries, protective DNS allows you to perform traffic analysis and threat hunting to discover misconfigurations, policy violations, and attacks. 
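The following added example (not Vercara's or UltraDDR's code) shows how logged DNS queries can be checked against the blocking, internet-restriction, and segmentation ideas described above. The log format, segment ranges, domain names, and blocklist are constructed assumptions for illustration.

```python
import ipaddress

# Constructed policy data (assumptions, not from the original page).
SEGMENTS = {
    "imaging": ipaddress.ip_network("10.20.0.0/24"),   # embedded medical devices
    "business": ipaddress.ip_network("10.30.0.0/24"),  # laptops and desktops
}
RESTRICTED = {"imaging"}                  # segments that should not resolve external names
ALLOWED_SUFFIXES = {"hospital.example"}   # internal zone restricted devices may query
BLOCKLIST = {"bad-c2.example"}            # stand-in for a threat-intelligence feed

# Constructed sample log, assumed format: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2024-04-17T09:00:02Z 10.20.0.7 pacs.hospital.example A
2024-04-17T09:00:03Z 10.20.0.7 updates.vendor.example A
2024-04-17T09:00:04Z 10.30.0.22 stage2.bad-c2.example. A
2024-04-17T09:00:05Z 10.99.0.5 www.example.org A
malformed line
"""

def matches_suffix(qname, suffixes):
    """True if qname equals a suffix or is a subdomain of it (label-aligned)."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)

def segment_of(ip):
    """Map a client IP to its segment name; raises ValueError on a bad address."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "unknown")

def analyze(log_text):  # returns a list of (client_ip, qname, reason) findings
    findings = []
    for line in log_text.splitlines():
        try:
            _, client, qname, _ = line.split()
            seg = segment_of(client)
        except ValueError:
            continue  # wrong field count or unparseable client address
        if matches_suffix(qname, BLOCKLIST):
            findings.append((client, qname, "attack: blocklisted domain"))
        elif seg in RESTRICTED and not matches_suffix(qname, ALLOWED_SUFFIXES):
            findings.append((client, qname, "policy: restricted segment resolving external name"))
        elif seg == "unknown":
            findings.append((client, qname, "misconfiguration: client outside known segments"))
    return findings

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

The suffix match is label-aligned, so a name such as `notbad-c2.example` does not match the `bad-c2.example` entry.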

The importance of a proactive security stance.  

The implementation of these strategies, particularly the integration of a Protective DNS solution, offers hospitals and other healthcare organizations a chance to fortify their defenses significantly. By shifting the focus from responding to threats to actively preventing them, providers can safeguard their critical data and maintain essential services to help their patients without interruption. 

In the age of digital interconnectivity and complex cyber threats, only a proactive and comprehensive defensive stance can assure both security and peace of mind. For healthcare providers around the globe, this isn’t merely a matter of data protection—it’s a commitment to patient safety and trust. 

To learn how Vercara’s Protective DNS solution, UltraDDR, can help protect your healthcare organization from ransomware attacks, visit our product page.

Last Updated: April 17, 2024