The rising number of ransomware attacks on healthcare organizations has become impossible to ignore. In fact, ransomware attacks targeting healthcare providers worldwide nearly doubled last year, according to the Cyber Threat Intelligence Integration Center (CTIIC). The patient consequences have been devastating, from disruptions to critical patient care and emergency room shutdowns, to patients unable to access prescriptions and doctors unable to perform procedures, as we’ve seen with the high-profile attacks on Change Healthcare, Ascension and so many others.
There are multiple trends at play that fuel this rise. From an economic standpoint, access to cryptocurrencies enables hackers to receive funds, while Ransomware-as-a-Service (RaaS) and automation enable them to attack larger organizations more aggressively and efficiently than ever before. And perhaps most notably, while historically healthcare was considered off-limits by some ransomware groups, this is clearly no longer the case. This is compounded by the fact that healthcare organizations in particular struggle to recover from ransomware attacks due to legacy IT systems, limited resources, and skill set challenges.
Given these alarming circumstances, it’s important to talk about one of the most highly targeted IT systems for ransomware attacks: Active Directory, used by 90% of large organizations, including nearly all healthcare organizations. Active Directory (AD) is a core identity system developed by Microsoft that serves as a central authentication and authorization service for an organization’s resources and operations. In other words, it’s ‘the keys to the kingdom’ – the gateway to the entirety of a healthcare organization’s systems.
Ransomware preys on healthcare’s identity gaps
Healthcare organizations hold vast amounts of valuable personally identifiable information (PII) and protected health information (PHI). This makes AD a uniquely target-rich environment, because a compromised AD offers expansive access to sensitive patient information. The broad shift to remote work and the increased reliance on cloud resources have further expanded AD’s attack surface. Add to this the constant movement of doctors, nurses, and support staff through a hospital building at any given moment, with logins and access across multiple rooms, systems, and machines, and the result is a highly complicated identity environment. Moreover, for the sake of speed and efficiency, many healthcare organizations enable auto logins to core applications, which leaves those systems open to exploitation.
Meanwhile, many healthcare organizations are underfunded and understaffed from an IT and identity security standpoint. This is particularly true in smaller facilities and rural hospitals, where one IT person is likely to wear many hats. This makes the complicated and time-sensitive process of ransomware recovery particularly challenging, as resource and skill set constraints make it difficult for hospitals to implement and maintain comprehensive recovery processes.
Multiple initiatives have been established to support hospitals during this crisis, including the HHS UPGRADE Program, Microsoft’s Cybersecurity Program for Rural Hospitals, and the White House’s initiative to implement cybersecurity standards for hospitals. However, the timeframe for these initiatives to yield tangible results is unclear, and organizations need to protect their patients from these escalating attacks in the meantime.
When cybercriminals access Active Directory
When Active Directory is compromised, it paralyzes the entire healthcare organization. The attack typically unfolds in four stages:
Initial access: Hackers infiltrate networks through phishing, exploiting vulnerabilities, misconfigurations, or using stolen credentials from the dark web.
Lateral movement: Attackers use AD to authenticate across systems and servers, compromising more accounts and spreading throughout the network.
Privilege escalation: Cybercriminals exploit AD vulnerabilities to gain admin rights, disabling security controls and covering their tracks.
Extortion: Sensitive data gets stolen and/or systems get encrypted to take the organization down and demand ransom. This includes encrypted critical patient data and medical records, inaccessible essential medical tools, compromised backup systems, and Active Directory itself being taken down, leaving employees and healthcare professionals locked out of their systems.
This comprehensive takeover maximizes the attack’s impact, pressuring victims to pay ransom demands. Providers are then unable to access vital information and/or provide necessary patient care, turning a cyber threat into a life-threatening crisis.
The ransom trap: Why giving in doesn’t pay off
The widespread damage of ransomware significantly impacts healthcare organizations’ ability to respond effectively to cyber incidents. It’s also why organizations are more likely to consider paying ransoms when attacked, as they may view this as a quicker and more feasible solution compared to investing in recovery processes with limited internal resources. However, federal authorities and cybersecurity experts advise against paying the ransom, as it can embolden hackers to increase ransom demands and exploit the stolen data through double or triple extortion tactics.
Insurance companies are also increasingly scrutinizing ransomware claims and denying coverage in cases where organizations opt to pay the ransom. This shift in policy is based on the premise that implementing robust threat identification and mitigation programs is now considered a fundamental best practice in cybersecurity. Insurers argue that paying ransoms demonstrates a lack of adequate security measures, which should be in place to prevent such attacks in the first place.
How to secure healthcare’s Active Directory: A three-pronged approach
The following outlines strategies that healthcare organizations can implement now to harden Active Directory and strengthen their cybersecurity posture:
1. Establish a Disaster Recovery Plan that Accounts for Active Directory
Organizations should prioritize creating a comprehensive disaster recovery plan with a specific focus on Active Directory (AD). This includes:
Maintaining a clean standby environment to ensure quick recovery in case of a breach.
Enacting rules that automatically detect and roll back dangerous changes – for example, automatically and immediately undoing any additions to an administrative group outside of an approved secure process.
Testing the incident response plan established for AD ransomware attacks daily, including containment and recovery.
Administering strong backup and recovery strategies, including offline backups of AD data that are isolated from the network.
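As an added illustration of the detect-and-roll-back rule above (example code written for this article, not Cayosoft’s product or any code from the original post): a small Python policy check run over constructed Windows Security events 4728/4732/4756, which log additions to security-enabled groups. It flags any addition to a protected group that has no matching approval record (the group names, account names and approval tickets are constructed sample data) and emits the rollback action to take.

```python
from dataclasses import dataclass
from datetime import datetime

# Security event IDs 4728/4732/4756: member added to a security-enabled global/local/universal group.
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}
# Tier-0 groups whose membership may change only through the approved process.
PROTECTED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

@dataclass(frozen=True)
class GroupAddEvent:
    event_id: int
    time: datetime
    subject: str   # SubjectUserName: account that made the change
    group: str     # TargetUserName: group that gained a member
    member: str    # MemberName: account that was added
@dataclass(frozen=True)
class Approval:    # one record from the approved process, e.g. a PAM/JIT ticket (constructed shape)
    member: str
    group: str
    actor: str
    valid_from: datetime
    valid_to: datetime
def is_approved(ev, approvals):
    return any(a.member == ev.member and a.group == ev.group and a.actor == ev.subject
               and a.valid_from <= ev.time <= a.valid_to for a in approvals)
def evaluate(events, approvals):
    """Return one rollback action per unapproved addition to a protected group."""
    actions = []
    for ev in events:
        if ev.event_id not in GROUP_ADD_EVENT_IDS or ev.group not in PROTECTED_GROUPS:
            continue
        if is_approved(ev, approvals):
            continue
        # In production this record drives the removal (e.g. Remove-ADGroupMember) and an alert.
        actions.append({"action": "remove_member", "group": ev.group, "member": ev.member,
                        "added_by": ev.subject, "at": ev.time.isoformat()})
    return actions

# Constructed sample data: one approved JIT elevation and two unapproved additions.
T = datetime(2024, 6, 1, 9, 0)
SAMPLE_APPROVALS = [Approval("jdoe", "Domain Admins", "svc_pam",
                             T.replace(hour=8, minute=55), T.replace(hour=9, minute=30))]
SAMPLE_EVENTS = [
    GroupAddEvent(4728, T.replace(minute=2), "svc_pam", "Domain Admins", "jdoe"),           # approved
    GroupAddEvent(4728, T.replace(minute=10), "jdoe", "Domain Admins", "ctr_temp01"),       # no ticket
    GroupAddEvent(4732, T.replace(minute=15), "jsmith", "Remote Desktop Users", "nurse42"), # not tier-0
    GroupAddEvent(4756, T.replace(hour=10), "svc_pam", "Enterprise Admins", "jdoe"),        # outside ticket
]
def run_sample():
    return evaluate(SAMPLE_EVENTS, SAMPLE_APPROVALS)
```

Running `run_sample()` returns two rollback actions: the ticket-less addition of ctr_temp01 to Domain Admins and the addition of jdoe to Enterprise Admins, which the ticket never covered.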
2. Assess Current Vulnerabilities
Conducting regular vulnerability assessments is crucial and should be an ongoing piece of an organization’s cybersecurity strategy. Once vulnerabilities are identified, they should be promptly addressed to minimize potential attack vectors.
To conduct a thorough assessment, organizations should first take stock of their systems, including those that rely on Active Directory, both cloud and on-premises. This inventory includes an assessment of account locations, system interactions, access protocols for both administration and business applications, user and group locations, and the methods by which permissions and access are granted. It’s also important to understand which authentication and SSO platforms are employed. The goal of assessment is to gain a clear picture of where identities and permissions reside within the organization, and how they are interrelated.
3. Implement Strong Authentication and Access Controls
Once a recovery plan is established and current vulnerabilities have been patched, it’s important to maintain and enhance AD security to prevent ransomware attacks, including:
Removing standing privileges and enabling just-in-time task-based administrative workflows.
Establishing rules, roles, and automation for repeatable processes, heightened security, and minimized manual administrative tasks.
Implementing robust multi-factor authentication for all accounts, especially privileged accounts.
Conducting daily automated security assessments to identify and address vulnerabilities in AD and Entra ID, complemented by continuous monitoring for potential threats with immediate alert systems.
Healthcare organizations can significantly improve their resilience against ransomware attacks by implementing proactive protection, continuous monitoring, and rapid recovery strategies. This approach not only strengthens security but also reduces the likelihood of needing to pay ransoms if compromised, ultimately safeguarding the organization’s data, operations, and most importantly, its patients.
Dmitry Sotnikov is Chief Product Officer at Cayosoft, a Microsoft Active Directory management, monitoring, and recovery platform. He spearheads the vision, strategy, design, and delivery of the company’s software products, ensuring they resonate with market demands and offer unmatched value to users. With over two decades in enterprise IT software, cloud computing, and security, Dmitry has held pivotal roles at esteemed organizations like Netwrix, 42Crunch, WSO2, Jelastic, and Quest Software. His academic credentials include MA degrees in Computer Science and Economics, complemented by Executive Education from Stanford University Graduate School of Business. Beyond his corporate endeavors, Dmitry serves on the Advisory Board at the University of California, Riverside Extension, and has been recognized with 11 consecutive MVP awards from Microsoft.
This post appears through the MedCity Influencers program.