HHS OCR: How Care Providers Can Avoid Falling Victim to ‘Cyber Extortion’

This week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a January newsletter with a focus on cyber extortion. The healthcare industry is in the crosshairs for these types of attacks due to the vast amount of confidential patient data held by care providers.

Cyber extortion attacks involve cybercriminals halting or delaying services while demanding money to stop malicious activities. Typically, cybercriminals steal or block access to the sensitive data held within a healthcare organization’s network and disrupt technologies needed for patient care and operations.

The OCR lists three types of cyber extortion attacks in the January newsletter including ransomware, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. But Ransomware is perhaps the most vexing form of cyber extortion and one that took center stage over the past year. All 6 of 6 of the largest IT/Hacking healthcare events reported in 2017 were attributed to ransomware.

Organizations are scrambling to improve their security controls to avoid becoming a ransomware victim and the OCR provided ten effective steps to take. The OCR tips on minimizing ransomware risk illustrated two very effective security practices that help avoid and mitigate a ransomware attack that is often overlooked. Let’s understand how the lack of good security in network access control and auditing heighten an organization’s vulnerability to ransomware.

Why Weak Network Access Management and Insufficient Auditing Raise the Ransomware Risk

Ransomware usually enters an organization’s network by getting a user to either open malware or send their login credentials. Often, this happens via phishing (i.e., fraudulent) email. Once opened, the ransomware runs with the privileges of the user who launched it. The ransomware works to encrypt the files, file shares, databases etc. the user can access on a network.

What is critical but often overlooked here is that ransomware leverages the access of the user it infects. If that user has limited network access, then the risk of the ransomware may be relatively low. Few files may be encrypted and there may be little impact on the organization. However, if the infected user has excessive network permissions (a real possibility if access management is weak), the ransomware has much more network access it can exploit. The ransomware uses the access of the infected user and then can encrypt more items and inflict much more damage upon the network.

Insufficient auditing will compound any vulnerabilities arising from weak network access management. An organization that does not effectively audit what its users are doing and accessing has little insight into excessive network access or suspicious activity. Combining weak user access management and insufficient auditing provide a ‘double whammy’ of vulnerability to organizations – network users may have excessive access at the organization and insufficient auditing will not detect inappropriate or fraudulent behavior arising from that access. This heightened vulnerability can then be devastatingly exploited by ransomware.

How Imprivata FairWarning Helps Reduce the Chances of Falling Victim to Cyber Extortion:

So how can an organization avoid these vulnerabilities from weak network access controls and insufficient auditing? By implementing two of the steps the OCR recommends and partnering with an effective and knowledgeable partner. Imprivata FairWarning can provide direct assistance to its customers with these steps six and nine that the OCR recommends:

Step 6 “Hardening internal network defenses and limiting internal network access to deny or slow the lateral movement of an attacker and propagation of malicious software”

How can Imprivata FairWarning assist? An organization cannot effectively control network access without understating who their users are and what data they are accessing the network. With its patented Dynamic Identity Intelligence tools, Imprivata FairWarning can assist organizations to build robust profiles of all their network users and what systems they are accessing. With its Imprivata FairWarning Patient Privacy Intelligence solution, Imprivata FairWarning can then assist a customer in effectively monitoring user access on a network and issuing alerts to access that may be in violation of an organization access policies. Further analyses can analyze and confirm inappropriate access and document investigations. User network access can be limited or removed because of these analyses.

Step 9 ” Implementing robust audit logs and reviewing such logs regularly for suspicious activity”

How can Imprivata FairWarning assist? With the Imprivata FairWarning ready program, Imprivata FairWarning is already ready to integrate, standardize and report on the audit logs of more than 350+ application in use at healthcare organizations. Through this robust audit log management, FW can then assist customers in the ongoing review of their audit logs and suspicious behavior monitoring.

In summary, Imprivata FairWarning helps its customers improve their access rights management practices by monitoring, alerting and assisting in investigations on user access to sensitive data. By monitoring what information users are accessing or giving the organization a better idea of who their users are (i.e., through dynamic id intelligence), an organization has better insight into who is accessing their sensitive data and what they are doing with the data. Through investigation and remediation, the ‘double whammy’ of weak network access controls and insufficient auditing can be removed and an organization’s vulnerabilities to ransomware considerably reduced.