Cloud Security Alliance Issues Guidance on Combatting Ransomware in the Healthcare Cloud

New guidance has recently been released by the Cloud Security Alliance (CSA) Health Information Management Working Group to help healthcare organizations combat the growing risk of ransomware attacks on the healthcare cloud.

Many healthcare organizations have adopted the cloud for data storage and use the cloud to store backups of critical data. The cloud is viewed by many as being a much better option for storing backups than on premises, especially to protect against ransomware attacks. In the event of an attack, data stored in the cloud will be protected and can be recovered. Storing healthcare data in the cloud does have advantages when it comes to data protection and recovery, as there are usually multiple recovery options available.

However, while the cloud can be more secure than on-premises storage, that does not mean cloud-stored data is not vulnerable to ransomware. As more healthcare organizations use the cloud for data storage, the number of ransomware attacks on the healthcare cloud has increased.

The hardware on which data are stored is maintained by the cloud service provider, and cloud service providers ensure their hardware is well protected, but as the CSA explains, “Cloud services rely on the synchronization of data, and if ransomware encrypted data enters the synchronization process, data will run the risk of being propagated in the cloud. At this point, cloud applications become complicit in spreading the malware.”

The guidance issued by the CSA explains how ransomware gangs are conducting attacks on healthcare delivery organizations (HDOs) and their cloud service providers, and advises HDOs on detecting ransomware and protecting data. The guidance follows the structure of the National Institute of Standards and Technology (NIST) Cybersecurity Framework and is built around the same five Core Functions: Identify, Protect, Detect, Respond, and Recover.

In order to protect data, healthcare organizations must identify and classify all of their IT infrastructure, meaning hardware, software, and data, both on premises and in the cloud. There must be a complete inventory of everything, covering people and facilities as well as IT. Once everything has been identified and classified, it is easier to set priorities when developing a disaster recovery plan.

The Protect Function involves developing and implementing controls to ensure the delivery of services and to limit and contain the impact of a ransomware attack. Protection starts with the endpoints, which means deploying endpoint protection measures. While antivirus software is effective against malware, it is not so good at protecting against ransomware. Instead, unified threat management solutions and ransomware-specific solutions should be used.

Strong spam filters are also required and should be used to scan both inbound and outbound email. Spam filters should also use Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to protect against email spoofing. Network segmentation is also essential to limit the damage that can be caused.
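The three mechanisms named above are published as DNS TXT records, and an HDO can check its own domain for the weak settings that leave spoofing possible. The following checker is an added example, not code from the CSA guidance or the article; the domain `example-hdo.test`, the selector `selector1` and the TXT records in `SAMPLE_DNS` are constructed sample data, and the dictionary lookup stands in for a real DNS resolver query.

```python
"""Rate a domain's SPF, DKIM and DMARC records for resistance to spoofing.

Added example. SAMPLE_DNS holds constructed records for a hypothetical domain;
replace lookup_txt() with a resolver call to check a real domain.
"""
import re

SAMPLE_DNS = {
    "example-hdo.test": ["v=spf1 include:_spf.mailprovider.test ~all"],
    "_dmarc.example-hdo.test": [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-hdo.test"
    ],
    "selector1._domainkey.example-hdo.test": [
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCconstructed"
    ],
}


def lookup_txt(name, dns):
    """Stand-in for a DNS TXT query (constructed data instead of a resolver)."""
    return dns.get(name, [])


def parse_tags(record):
    """Split 'k=v; k=v' tag lists (DMARC and DKIM share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain, dns):
    """-all is the strongest terminal; +all, ?all or no 'all' leaves senders unchecked."""
    records = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    result = {"present": bool(records), "all_qualifier": None, "findings": []}
    if not records:
        result["findings"].append("no SPF record: forged envelope senders cannot be rejected")
        return result
    if len(records) > 1:
        result["findings"].append("more than one SPF record is a permanent error (RFC 7208)")
    terms = records[0].split()[1:]
    # RFC 7208 caps DNS-querying mechanisms at 10; beyond that evaluation is permerror.
    lookups = sum(1 for t in terms
                  if re.match(r"[-~?+]?(include:|a\b|mx\b|ptr|exists:|redirect=)", t.lower()))
    if lookups > 10:
        result["findings"].append("more than 10 lookup mechanisms: SPF evaluates to permerror")
    for t in terms:
        m = re.fullmatch(r"([-~?+]?)all", t.lower())
        if m:
            result["all_qualifier"] = m.group(1) or "+"
    q = result["all_qualifier"]
    if q is None or q in ("+", "?"):
        result["findings"].append("no enforcing 'all' term: unlisted senders are not failed")
    elif q == "~":
        result["findings"].append("softfail (~all): adequate only when DMARC enforces")
    return result


def check_dmarc(domain, dns):
    """Only p=quarantine or p=reject actually stops delivery of spoofed mail."""
    records = [r for r in lookup_txt("_dmarc." + domain, dns) if r.upper().startswith("V=DMARC1")]
    result = {"present": bool(records), "policy": None, "findings": []}
    if not records:
        result["findings"].append("no DMARC record: SPF/DKIM results are not tied to the From: header")
        return result
    tags = parse_tags(records[0])
    result["policy"] = tags.get("p")
    if result["policy"] not in ("quarantine", "reject"):
        result["findings"].append(f"p={result['policy']} only monitors; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        result["findings"].append(f"pct={tags['pct']}: policy applies to only part of the mail stream")
    if "rua" not in tags:
        result["findings"].append("no rua address: no aggregate reports to reveal spoofing sources")
    return result


def check_dkim(domain, selector, dns):
    """A selector record with an empty p= tag means the key has been revoked (RFC 6376)."""
    name = f"{selector}._domainkey.{domain}"
    records = lookup_txt(name, dns)
    result = {"present": bool(records), "findings": []}
    if not records:
        result["findings"].append(f"no DKIM key at {name}: signatures with this selector cannot verify")
        return result
    if not parse_tags(records[0]).get("p"):
        result["findings"].append(f"empty p= at {name}: key revoked, signatures will fail")
    return result


def assess_domain(domain, selectors, dns):
    """Combine the three checks; 'enforcing' is True only when spoofed mail would be blocked."""
    spf = check_spf(domain, dns)
    dmarc = check_dmarc(domain, dns)
    dkim = {s: check_dkim(domain, s, dns) for s in selectors}
    enforcing = (spf["all_qualifier"] in ("-", "~")
                 and dmarc["policy"] in ("quarantine", "reject")
                 and all(d["present"] and not d["findings"] for d in dkim.values()))
    return {"spf": spf, "dmarc": dmarc, "dkim": dkim, "enforcing": enforcing}


if __name__ == "__main__":
    report = assess_domain("example-hdo.test", ["selector1"], SAMPLE_DNS)
    for section in ("spf", "dmarc"):
        for finding in report[section]["findings"]:
            print(f"[{section}] {finding}")
    print("enforcing:", report["enforcing"])
```

On the constructed records the checker reports that SPF uses softfail and that DMARC is still at `p=none`, so the domain is not yet enforcing; changing the DMARC policy to `p=reject` is what flips the result, which is the order in which most organisations roll the three mechanisms out.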

Backing up data to the cloud can help to ensure a quick recovery, but malware can get copied to the cloud during synchronization. The guidance states, “a combination of data encryption with the use of homomorphic encryption to enable ongoing data management while encrypted and stored in the cloud, and cloud immutable/WORM storage is the only sure way to address the new risks from ransomware.”

The Detect Function involves implementing the right controls to ensure ransomware attacks are detected in real time, before any damage is caused. That requires malware detection, behavior-based anomaly detection, and intrusion detection to alert the security team and allow actions to be taken to block an attack in progress.
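The two points above, that encrypted files propagate into cloud backups through synchronization and that behavior-based detection should catch an attack in progress, can be shown together in one small model: a versioned write-once (WORM-style) backup target, plus a sync step that refuses to push a batch in which too many files have flipped from document-like to random-looking content. This is an added example and not code from the CSA guidance; the store, the entropy thresholds, the sample patient-record files and the timestamps are all constructed, and a real deployment would use the cloud provider's object versioning and retention locks rather than this in-memory class.

```python
"""Immutable versioned backup store with an entropy guard on synchronization.

Added example, not the CSA's code. Patient record contents, timestamps and
thresholds are constructed for illustration.
"""
import math
import random
from collections import defaultdict


def shannon_entropy(data):
    """Bits per byte: ransomware output sits near 8.0, text documents well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class ImmutableBackupStore:
    """Versioned, write-once target: a put never overwrites, and a delete inside
    the retention window is refused (the behaviour of an object-lock/WORM bucket)."""

    def __init__(self, retention_seconds):
        self.retention = retention_seconds
        self.versions = defaultdict(list)  # path -> [(timestamp, bytes), ...]

    def put(self, path, data, ts):
        self.versions[path].append((ts, bytes(data)))
        return len(self.versions[path]) - 1

    def latest(self, path):
        return self.versions[path][-1][1] if self.versions[path] else None

    def delete_version(self, path, index, now):
        ts, _ = self.versions[path][index]
        if now - ts < self.retention:
            raise PermissionError(f"{path} v{index}: retention lock has not expired")
        del self.versions[path][index]

    def latest_before(self, path, cutoff):
        """Newest version written at or before the cutoff, i.e. before the incident."""
        for ts, data in reversed(self.versions[path]):
            if ts <= cutoff:
                return data
        return None


ENTROPY_THRESHOLD = 7.0          # constructed: above this a file looks encrypted
MAX_SUSPICIOUS_FRACTION = 0.2    # constructed: block the batch beyond this share


def guarded_sync(store, local_files, now):
    """Push local files unless too many flipped from low to high entropy since the last version."""
    suspicious = []
    for path, data in local_files.items():
        prev = store.latest(path)
        if prev is None:
            continue  # first upload of a file: nothing to compare against
        if shannon_entropy(prev) < ENTROPY_THRESHOLD <= shannon_entropy(data):
            suspicious.append(path)
    fraction = len(suspicious) / len(local_files) if local_files else 0.0
    if fraction > MAX_SUSPICIOUS_FRACTION:
        return {"blocked": True, "suspicious": suspicious, "written": 0}
    for path, data in local_files.items():
        store.put(path, data, now)
    return {"blocked": False, "suspicious": suspicious, "written": len(local_files)}


def restore_point(store, cutoff):
    """Recover every file as it stood at the cutoff, ignoring anything written later."""
    return {path: store.latest_before(path, cutoff) for path in store.versions}


def demo():
    rng = random.Random(7)  # seeded so the constructed 'encrypted' bytes are reproducible
    clean = {f"records/patient{i}.txt":
             (f"Patient {i}: visit notes, vitals, medication list\n" * 60).encode()
             for i in range(5)}
    encrypted = {p: bytes(rng.getrandbits(8) for _ in range(len(d))) for p, d in clean.items()}
    store = ImmutableBackupStore(retention_seconds=30 * 86400)
    first = guarded_sync(store, clean, now=1_000)        # normal sync: written
    second = guarded_sync(store, encrypted, now=2_000)   # every file flipped: blocked
    recovered = restore_point(store, cutoff=1_500)       # state before the incident
    try:
        store.delete_version("records/patient0.txt", 0, now=2_000)
        lock_held = False
    except PermissionError:
        lock_held = True
    return first, second, recovered, lock_held


if __name__ == "__main__":
    first, second, recovered, lock_held = demo()
    print("first sync:", first)
    print("second sync:", second)
    print("recovered files:", len(recovered), "retention lock held:", lock_held)
```

The two controls are deliberately independent: even if the guard is bypassed or tuned badly and the encrypted versions are written, the retention lock keeps the earlier versions, and `restore_point` with a cutoff just before the incident still returns the clean records. The entropy flip is one simple behavioral signal; a production detector would also watch rename rates, ransom-note drops and write volume per user.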

The Respond Function is concerned with mitigation and containment to limit the harm that is caused. That requires an incident response plan to be developed and implemented that can be immediately actioned in the event of an attack. “A response can involve stopping the execution of associated programs, disabling user accounts, isolating systems, and more, depending on the threat,” suggests the CSA. “Actions may include removing software from a system, restarting services, or copying the threat to a safe environment for analysis and forensics.”

The Recover Function is concerned with returning to normal operations in as short a time frame as possible, while reducing the risk of a further attack. Recovery is much more difficult if cloud-stored backups are also affected by the attack. It is therefore essential to ensure cloud storage systems can react in the event of an attack. It may be necessary to restore not only on-premises systems but also cloud-stored data. Disaster recovery plans must therefore cover recovery of cloud-stored data, and healthcare organizations must architect their cloud for failure.

“With the year-to-year increase in ransomware attacks and the devastating effects and cost, HDOs are under a significant strain to prevent these attacks,” said the CSA. “Ransomware can cause a complete shutdown of healthcare organizations, putting patients at risk. This makes it imperative they do all they can to prevent ransomware.”