On October 28, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a joint advisory to organizations in the healthcare and public health sector. The alert was issued to address a rapidly rising threat to healthcare organizations and warned of “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The agencies cite “credible information” that malicious groups of cybercriminals are actively targeting hospitals and healthcare providers.
How the healthcare cybersecurity attacks are delivered
The specific vectors used in recent healthcare cybersecurity attacks (the methods cybercriminals use to gain unauthorized access to data and systems) mentioned in the CISA/FBI/HHS advisory are not new. They include Trickbot, a digital infrastructure used by a cybercriminal enterprise to distribute malware, including ransomware. Trickbot has been known to the security industry since 2016. You’ll also see mention of a type of ransomware called Ryuk, which was first spotted in 2018. According to data released today by SonicWall, Ryuk ransomware is responsible for one-third of all ransomware attacks detected to date in 2020.
Healthcare organizations are being specifically targeted
Healthcare organizations are particularly vulnerable to ransomware attacks, loss of data and disruption to the vital services they provide. The industry is heavily reliant on technology, including computer-controlled treatments and electronic health records, that any disruption can potentially increase the likelihood of a victim paying the ransom.
According to the Associated Press, there have been several successful ransomware attacks against U.S. healthcare organizations this week. As with any type of cyberattack, the impacts have ranged widely. However, in some cases, they have led to hospitals having to turn away patients – a frightening prospect to consider. Reportedly, ransoms of up to $1 million have been demanded to unlock the encrypted data.
Ransomware attacks may include extortion
An alarming trend in ransomware attacks goes beyond simply encrypting data and now involves the threat of releasing said encrypted data to the public. Think about that in the context of hospital and healthcare providers, organizations that store some of the most private and personal data we have to share, and you can see why this tactic might be effective – and lucrative – for cybercriminals. However, paying the ransom can have consequences beyond the immediate financial impact.
Facilitating ransomware payments may result in sanctions
On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to raise awareness of the sanctions that may be taken against organizations that “facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.” While the advisory acknowledges the increased threat of ransomware in 2020, it states that companies involved in these payments “not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
The best defenses against ransomware
Considering all potential consequences, there have never been more reasons to avoid having your systems affected by ransomware.
ADNET recommends all organizations, including hospitals and healthcare providers, take the following steps to guard against cyberattacks:
Having solid backups – that have at least one copy that is isolated from the network – is a critical thing that needs to be in place. This allows the organization to recover in the case the worst does happen.
Keep patches up to date
It’s important to patch all devices, including computers, network equipment, operating systems and firmware as soon as possible after manufacturers release updates, which often address critical security vulnerabilities.
Train and test your users
One of the easiest and most affordable ways to prevent a cybersecurity event is by educating your employees. Security awareness training can help your employees go from a potential target to a key part of your defense strategy.
Consider reinforcing your security awareness training by leveraging software that safely simulates a phishing attack. These campaigns can be used to pinpoint where your biggest vulnerabilities are and convert them to a teaching opportunity for your team.
Use good password practices
Set strong passwords that are changed regularly, and please, don’t re-use passwords. It’s bad enough if one password gets compromised, but you don’t want a cybercriminal to be able to access other systems because you use the same password for everything. Having trouble remembering all your complex, unique passwords? Try a password manager application.
Use Multi-factor Authentication (MFA)
Usernames and passwords, even strong passwords, are not enough. MFA combines something you know (like a password or PIN), something you have (like a cell phone or smart card), or something you are (like fingerprinting or retinal scans) and requires evidence from at least two of those categories to log in. When you do add MFA to your systems, pay attention to the prompts – we have seen false MFA prompts coming in as an attempt to bypass security measures.
Endpoint Detection & Response
The days when security meant anti-virus and a firewall are long gone. While those solutions are still needed, they’re insufficient against today’s threats. Anti-virus, for example, uses signatures to identify known threats. The keyword here is “known” – it does nothing against new threats.
Endpoint detection and response solutions (EDR) are behavior based – they analyze the activity on your network and look for changes that are out of the ordinary. ADNET’s Foundations Detect + Respond, a comprehensive EDR solution, has the ability to stop active threats like ransomware but if something does get past it, it can roll your system back to a pre-infected state. See that process in action here.
Disable externally facing ports that aren’t needed
One of the best practices is to continually review what port/services are exposed to the Internet. Only services that are actually active should be Internet facing. As systems are retired, it is important that the firewall rules that allow for this access are shut down.
How the ADNET Cybersecurity Team can help with Healthcare Cybersecurity Attacks
ADNET is prepared to serve our clients during times like this. As always, we continue to monitor the latest threat intelligence and advise our clients accordingly. Our dedicated team of cybersecurity professionals are here to help. We can assess your current cybersecurity risk, deploy appropriate security solutions backed by support from our 24×7 Security Operations Center. Our team can also train your organization on security awareness.
Have you been a victim of any healthcare cybersecurity attacks? We’re also here to help organizations that have experienced a security event to identify the issues and prevent further damage. My hope, however, is that you never need to work with a company like ADNET on security incident response. That’s why we spend so much time increasing security awareness through sharing content like this. ADNET wants to help as many people as possible avoid becoming the next victim of cyberattacks.