Healthcare is a targeted sector for cyber criminals, due to the high volume of confidential data held by these organisations. Data breaches can be highly disruptive and for an organisation that relies on delivering services in a timely and efficient manner, this causes big problems. In healthcare, being able to access patient data is an intrinsic part of the job, meaning if data becomes inaccessible and held to ransom, the organisation cannot function. Consequently, criminals could be more likely to target these organisations if they believe they are likely to pay the ransom demand to regain access to their data.
The WannaCry ransomware attack is a well-known example. Beginning in the spring of 2017, this was an attack that exposed a specific Microsoft Windows vulnerability, affecting people across the country. The NHS was brought to a standstill for several days as a result, affecting GPs and hospitals across England and Scotland. Of the 236 NHS trusts, at least 80 were affected by the attack, in addition to 603 primary care and other NHS organisations, including 595 GP practices. Although there were no reports of anybody paying the ransom, the costs of the widespread service disruption are unknown and unquantifiable. This attack signified failings in the way cybersecurity is navigated in the UK, and demonstrated that regardless of size, anybody with a presence online is at risk of experiencing a cyber-attack.
What is Ransomware?
Ransomware is a type of malware that prevents you from accessing your device and the data stored on it, usually by encrypting your files. Criminals will then demand that a fee be paid in exchange for decryption. The choice to pay a ransom raises several ethical and financial dilemmas, however even if your files are released there is no guarantee that you will get your data back, nor that your computer is not still infected. Additionally, your data may still be stolen, and you could be targeted again in the future, having been noted as somebody willing to pay. As is the case with all cyber-crimes, prevention is highly effective, meaning it pays to understand how criminals can install ransomware, and what you can do to avoid this.
Criminals use various methods to install ransomware, but phishing is the most common. Phishing involves disguising malware within a legitimate looking message, to try and trick somebody into downloading a file or revealing sensitive information. This technique is designed to play on human nature, and emails can be crafted to be highly convincing and sophisticated. For example, attackers can spoof the email address of CEOs and conduct background research on the company and its employees to make their request seem legitimate. Using mail-filtering and safe browsing lists can help to prevent successful phishing attacks; however, delivering regular awareness training and implementing thorough online policies amongst your organisation can help your staff become aware of how to spot the phishing attempts that do make it into their inbox.
Another way criminals install ransomware is by exploiting unpatched or out-of-date software. As systems and devices age, they become more susceptible to new and emerging threats. If devices are not being supported and updated, any newly discovered vulnerabilities remain unpatched, leaving them open to being attacked. Additionally, running out-of-date software can mean they are incompatible with new security technologies that are becoming available. They are also more likely to be missing security tools such as firewalls, antivirus software, and any intrusion detection systems. In the case of the WannaCry attack, many NHS devices were running a supported operating system, but had not installed a patch for a known vulnerability.
Additionally, Remote Desk Protocol (RDP) allows users to connect to a computer from anywhere in the world, a tool which has many benefits in the workplace. However, criminals can use port scanners to find vulnerable ports and then use brute force or credential stuffing techniques to gain access to the system. This involves running different variations of common passwords to guess the correct one and highlights the importance of using strong and separate passwords for each account, as well as using MFA.
How do we stop ransomware?
There are lots of methods criminals can use to try and install ransomware, making it impossible to totally mitigate against the possibility of an attack. However, there are simple steps to take that reduce the risk for organisations of any size.
Install Patches and Updates:
Keeping technology up-to-date and installing security updates as soon as they become available means that bugs can be fixed before they are exploited. To make this easier, it is a clever idea to enable automatic updates wherever possible.
Use Strong Passwords and MFA:
Passwords should be unconnected to anything in your personal life and a separate password should be used for every single account you use. Using separate passwords is frequently overlooked but it means that if one of your online accounts is compromised, that password does not become a master key to the rest of your accounts. Using MFA provides an additional layer of protection to this, stopping unauthorised access from occurring remotely without the use of a second security factor.
Encourage Cyber Awareness:
Educating everybody within the organisation on the importance of strong passwords, as well as how to spot phishing emails, prevents malware being installed accidentally through one of your employees. The topic of malware prevention can be confusing for a non-technical audience, but The National Cyber Security Centre has an easily digestible guide on ‘Mitigating Malware and Ransomware Attacks’ detailing every prevention method. For small businesses, the ‘NCSC’s Small Business Guide’ is essential reading for improving your cyber resilience.
Plan for an attack:
Considering what processes you would follow, how you would prioritise system recovery and how you might respond to a ransom demand, can help to reduce disruption in case the worst was to occur. The ECRC has a template for an incident response plan that can help you get started. As well as this, make sure any important files are regularly backed up, offline and in a different location. Additionally, make multiple copies of files using different backup solutions and do not keep the devices that contain your backups (e.g., hard drives and USB sticks) permanently connected to your network.
How can the ECRC help you?
Signing up as a free member of the Eastern Cyber Resilience Centre enrols you onto our ‘Little Steps’ programme, a weekly email series giving you bite-sized steps to take that will massively improve your cyber resilience. Additionally, you can find free support tools and guidance that is sector-specific on our website.
The ECRC also offers affordable support services that can help you protect and prepare for ransomware without breaking the bank. This includes Security Awareness Training, First Step Web Assessments and Remote Vulnerability Assessments, amongst others.
Additionally, for any organisations looking to become accredited in Cyber Essentials, not only does our ‘Little Steps’ programme help you become compliant with the criteria for this, but we also have a list of Cyber Essentials Partners, who are companies that are all able to accredit you with this certification.
If you would like to know more about what we can do for you at the ECRC, why not book a chat with us today?
Reporting a live cyber-attack 24/7:
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.
Reporting a cyber-attack which isn’t ongoing:
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)