The health care industry continues to get hammered by SamSam ransomware attacks, to the point that the Department of Health and Human Services Healthcare Cybersecurity and Communications Integration Center (HCCIC) has issued a report outlining the danger of ongoing SamSam ransomware campaigns, with tips to help organizations detect and block SamSam.
According to the report, since December 2017, there have been ten major SamSam attacks on health care organizations and the government in the U.S. Those affected include AllScripts, whose system was down for days, preventing health care providers from accessing electronic medical records for up to a week; the City of Atlanta, which shut down its IT systems to prevent its spread; Hancock Health, which paid the ransom to recover its data; the Colorado Department of Transportation; and Erie County Medical Center, which took six weeks to recover from the attack, costing the organization several million dollars.
The tips offered by HCCIC include:
- Conduct a risk analysis
- Train end users to help them detect malicious software
- Implement procedures to protect against malicious software and apply detection software
- Back up data regularly using the 3-2-1 rule: 3 backups made on 2 different media, with 1 stored offsite
- Develop (and, I would add, test) contingency plans to minimize business disruption
- Develop (and, I would add, test) incident response procedures, including specifically for a ransomware attack
- Conduct annual penetration testing
- Use rate limiting to block brute force attacks
- Restrict the number of users who can log in remotely
- Restrict access to RDP behind firewalls
- Use a VPN or RDP gateway
- Set up multi-factor authentication
Frankly, none of these tips is new; they are a reminder that health care organizations are still struggling to implement basic security measures to protect data. These ransomware attacks continue to exploit the fact that organizations are finding it extremely difficult to train employees and prevent an employee from clicking on a link or attachment that introduces malware or ransomware into the system. Until we can change the entire culture around workflow with email, ransomware will continue to cripple organizations.
This fact was emphasized by Beazley this week in a report on recent data breaches, which indicated that companies using Microsoft Corporation’s cloud-based products (also known as Office 365) are seeing a rise in cyber-attacks due to employees providing their credentials to a hacker who has gained access to the employee’s email account. We too have seen a dramatic rise in successful phishing attacks with clients using Office 365.
Beazley recommended that organizations implement two-factor authentication, enforce strong password policies and train employees to spot phishing emails to combat the ever-increasing risk of ransomware attacks.