How one hospital is defending against ransomware

On top of the onslaught brought by COVID-19, hospitals faced yet another challenge this year: ransomware.

On Oct. 28, the FBI, DHS and Department of Health and Human Services alerted healthcare providers of an expected uptick in ransomware attacks, particularly from the Ryuk and Conti strains.

For Indiana-based Rush Memorial Hospital's IT and security organization, the alert was nothing more than a threat already seen "through the grapevine where it's not as public," said Jim Boyer, VP of Information Technology and CIO of Rush Memorial Hospital. "We've seen alerts like this over and over again."

Ransomware requires organizations to look beyond the threat and act like the infection already occurred. Depending on the strain, the ability to initiate a backup, and the quality of it, will define how smoothly an organization will recover. Rebooting computers following ransomware could actually boost the malware's infection rate. But some ransomware is more methodically designed, and takes it time to scope out the victim network. This is the case of Ryuk.

"I'd like to believe that it would never happen to us, but, knock wood, as soon as I say that, you know it's going to happen," said Dan Matney, director of Information Services at Rush Memorial Hospital.

Ransomware is succeeding

By the time the Ryuk alert was issued, Rush Memorial had at least two risk mitigation measures: improved backup as a service (BaaS) and a systems engineer with a plan to evade further infection from phishing attacks.

The engineer wrote policies for the hospital's computers saying they can only run a certain number of applications, and if they didn't match with a specified executable name, it cannot execute Command Prompt.

What Rush Memorial did was one tactic to lessen the reliance on the end user's cyber hygiene. It took the "decision" part out of a phishing scenario. It most closely aligns with the people aspect of "people, process and procedure" security strategies, said Matney.

The ransomware holds backups hostage, upending the possibility of an easy recovery. "You go to backups, and the backups already have the bad code on them," said Liz Mann, EY Americas Health and Life Sciences Cybersecurity leader. "Every successful landing of a ransomware attack hurts the entire industry."

"One of the things that [EY tries] to do is not leave the controls in the hands of our end users," said Mann. It's one of the reasons ransomware is so pervasive because they are the ones who judge an email's validity. "You can be successful a lot of the time but you're not going to be completely successful."

The engineer's policies are so strict that even Rush Memorial's administrative IT staff don't have that ability, said Matney. "We have to manually go in, request that access type in a password to get to that level. So being able to lock that down to those very specific applications gave us a huge safety net that others don't have."

The strategy is sound enough, though it's admittedly inconvenient, said Matney.

Segmenting and filtering can prevent users from deciding the entire organization's fate in a phishing email. It's just one of the ways security teams can insulate their end users from having threats land on their desks, said Mann.

This month, a Rush Memorial IT personnel working on a simple mail transfer protocol server found a managed security service provider had detected an executable and issued an alert. Matney, aware of the situation, said to whitelist the executable.

"Without even having a conversation, we're already getting alerts from eyes on glass," said Boyer. The worry would only kick in if the team told Boyer "we don't know what this is!"

Rush Memorial's team expects intrusions, what has changed is how it responds to them. "I tell my team all the time, 'One day it's going to happen.' But when they're in the network, how are we going to isolate that damage?" said Boyer.

Ryuk loves backups

Ransomware has challenged traditional methods of backups for years. The moment a ransom note appears is not the time to question the reliability of a backup.

In Matney's experience with managed service providers, physical storage allowed him to restore data during four different ransomware attacks. And in a year where so much of the workforce is working remotely, that kind of backup storage required on-premise access with a hard drive to transfer the dataset. However, the air gap, while effective in safeguarding data, left intervals in what data was saved.

"I cringe thinking about recovering from a ransomware attack from the previous things that we have done," said Matney. The hospital adopted Clumio as its BaaS provider.

Other services reliant on an online "vault" would not suffice if met with Ryuk. The ".bat" file Ryuk drops tries to delete all backup files and Windows' Volume Shadow Copies, according to the Cybersecurity & Infrastructure Security Agency (CISA).

After sitting dormant, compromising the backup is one of Ryuk's first actions. After that, the ransomware commandeers administrative controls of a network to wreak the havoc they can. Moving backups off-premise leaves "nothing for them to find," said Matney. If Ryuk were to strike Rush Memorial, "we know that we're not going to lose any more than four hours of data, that's it."

At the same time, Rush Memorial is relying on a vendor to ensure a healthy backup, Boyer warned other hospital CIOs not to place too much trust in their vendors. "I don't care if it's your own employees, you have to establish systems that are going to bond that trust," he said.