Could allowlisting reduce the impact of ransomware, cyberattacks on health care?

  • Medical staff members work in the COVID-19 ward nursing station at the United Memorial Medical Center on Dec. 29, 2020, in Houston. One CEO says allowlisting is ideal for health care security stacks. (Photo: Go Nakamura/Getty Images)

    A recent IDC report confirmed the health care sector is more vulnerable to the consequences of cyberattacks than other industries and the most likely to suffer application downtime, with 53% of covered entities reporting downtime after an attack.

    Health care also faces the highest rate of compromised websites (44%) and the highest rate of brand damage (31%).

    For some providers, network outages can last for weeks and sometimes months. Last year, the three-week downtime faced by Universal Health Services after a ransomware attack cost the health system $67 million in recovery and lost revenue.

    PC Matic CEO Rob Cheng explains these issues have compounded as providers with constrained resources were forced to rapidly deploy tech to support innovation needed for the COVID-19 pandemic response.

    Between the DNS attacks and ongoing ransomware scourge, it’s beyond time for providers to seek more creative responses to cyber challenges even with limited budgets, in combination with participation in threat-sharing programs and while relying on free or low-cost resources.

    To Cheng, allowlisting is ideal for health care security stacks, as it’s designed as an additional defense mechanism for antivirus tools and other security measures.

    “Allowlisting is the absolute best protection against ransomware and other malware such as keyloggers, zero-days, and advanced persistent threats,” said Cheng. “For example, if the ransomware is embedded in an email, and an employee clicks on the attachment, before the ransomware runs, the allowlist blocks the ransomware before any damage is done.”

    “Ransomware is the business of monetizing security holes,” he continued. “Allowlisting is not protection against other forms of cybercrime, such as business email compromise where company secrets can be stolen, or fraudulent communications.”

    According to NIST, allowlisting is a detailed list of applications and related components authorized for use within an organization. The supporting technologies use allowlists to control the specific applications permitted to launch within a host environment, which can stop malware and unlicensed or unauthorized software from executing on the network.

    While the antivirus contained in the security stack is based on a denylist of confirmed bad applications, like ransomware, the allowlist blocks the ransomware by default as it hasn’t been established by the security tools as a good application, explained Cheng.

    On the other hand, the denylist architecture would allow the ransomware threat to enter the system as the tool observes it for suspicious behavior.

    Previous allowlist iterations were difficult and expensive to install and maintain, as each entity would have to curate a tailored allowlist of applications allowed to operate on the network. And when any application was updated, the security team would have to add the update to the allowlist.

    And as some applications were updated several times each month, it would require multiple resources to keep the allowlist function. Cheng stressed that many innovations have made allowlisting less expensive and easier to maintain.

    As a result, those entities that implement allowlisting can leverage a global allowlist that includes a detailed inventory of curated applications either commercially available or downloaded. The list “cuts out much of the work of installing popular programs such as Adobe, Google, Microsoft.”

    Further, allowlists can now include custom software for each organization to prevent unwanted software from deploying on a network.

    “If the custom software has a signature, that signature can be added, and it will handle all the custom software written by the organization, plus the custom software that will be written in the future,” explained Chenge.

    “Developers must write and test multiple versions of their software until it is ready. Allowing a particular directory on a subset of machines should be possible to handle this use case,” he added. “If the allowlist has all of the above features, then the maintenance is limited to low prevalence software that is being updated.”

    The tool is not without its drawbacks, as allowlists are known to occasionally block good programs, which Cheng noted can frustrate enterprise workforce members. The tool should include a mechanism to easily allow good programs in real-time, which can reduce friction.

    Allowlist guidance from NIST can provide health care entities with the best-practice steps for implementing the effective tool. Administrators should consider using allowlisting technologies that are already built into some host operating systems, which are less expensive and easy to use.

    If unavailable or deemed unsuitable, NIST recommends that entities look to third-party tech with centralized management capabilities and software able to support more sophisticated whitelisting attributes, including the combination of digital signature/publisher and cryptographic hash techniques.

    NIST confirmed that it’s the most accurate and comprehensive allowlisting capability, but it can cause user friction.

    Entities can also test allowlisting capabilities in monitoring mode to see how it behaves within the network before it’s deployed, which should include an evaluation of how the solution reacts to software changes like an update.

    Given the scope and complexity of the health-care environment, those organizations should consider planning and deploying allowlisting in a phased approach with detailed steps on the process to reduce unplanned issues, identify potential issues, and to incorporate advances in technology.

    “There may be some user frustration, but this can be viewed as an inconvenience as opposed to ransomware, where the ramifications are usually catastrophic,” said Cheng. “Cybersecurity training and multifactor authentication are additional security tools to combat business email compromise.”

    “Allowlisting closes one of the largest, which will decrease infection rates, and hence external ransom payments. This forces the ransomware makers’ revenues to decline,” he concluded. “The lower their revenues, the slower ransomware will propagate.”