The FBI, Department of Health and Human Services (HHS), and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning on Wednesday, October 28, 2020, about the imminent threat of ransomware activity targeting U.S. hospitals and healthcare providers (HPH). These federal authorities have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers” and advised HPH institutions to be on “high-alert” for ransomware attacks this weekend. They believe the attackers have already infiltrated many HPH systems, but have not yet activated the encryption activity.
In light of this impending cyber threat, hospitals and healthcare providers should take proactive measures to secure their networks and protect patient care by immediately implementing the measures outlined in this advisory.
Continuity of care preparations
The Office of Civil Rights (OCR) considers “all mitigation efforts taken by the entity during any particular breach investigation” in assessing (retroactively) an organization’s response to an incident. Proper implementation of a contingency plan will allow an organization to continue to operate critical services during an emergency and recover sensitive data, such as ePHI.
- Establish and practice out of band, non VoIP, communications.
- Make sure staff members have copies of the plans—and review their roles/responsibilities—for emergency response, business continuity, and disaster recovery.
- Consider limiting use of personal email.
- Ensure proper staffing for continuity.
- Be prepared to re-route patients if patient care is disrupted due to IT outage.
- Ensure sufficient staffing to maintain continuity of operations with disrupted IT networks.
- Report all potentially related cyber incidents to the FBI 24/7 CyberWatch Command Center at 855-292-3937.
- Know how to contact federal authorities when phones are down, or email has been wiped.
An organization’s incident response procedures can greatly limit the damage caused by a ransomware attack. Successful ransomware deployment often depends on exploitation of technical vulnerabilities such as outdated software, unsecured ports, and poor access management/provisioning. Even without a detailed plan in place, critical precautions can be taken now to mitigate potential harm from an attack.
- Rehearse IT lockdown protocol and process, including practicing backups.
- Make sure IT staff and security incident response team members have copies of the plans—and review their roles/responsibilities.
- Implement effective access controls to stop or impede and attacker’s movements and access to sensitive data (e.g., by segmenting networks to limit unauthorized access and communications).
- Ensure off-line backup of medical records, including electronic records and have a 321-backup strategy – have hard copy or remote backup or both.
- Expedite patching response plan (IRP) within 24 hours.
- Prepare to maintain continuity of operations if attacked.
- Power down IT where not used.
- Consider limiting/powering down non-essential internet facing IT services.
- Limit personal email services.
In September, CISA issued a comprehensive Ransomware Guide. Part II of the Guide outlines important steps to take immediately if your organization is under attack.
End user awareness and training
Users of Information systems are often the weakest links in an organization’s security posture – they are the targets the attackers seek out to gain access to the network.
- Reinforce this high alert message with all staff who have e-mail, EMR, or other network access.
- Reinforce that all staff are responsible to immediately report suspicious/unusual activity
- If any incoming e-mail or other message—even ones that appear to be internal to the organization—are unusual in any way, the recipient should not click on links or open attachments.
- Call the sender to verify.
In the joint advisory, HPH Sector organizations are encouraged to review and establish patching plans, security policies, user agreements, and business continuity plans to ensure they address these current threats posed by malicious cyber actors. Now, more than ever, HPH Sector organizations should review and update their security incident response plan and business continuity and recovery plan with particular focus on the risks presented and preparedness gaps revealed by these imminent ransomware threats to the HPH sector.
The Buchanan cybersecurity and data protection team is available to work with you and cybersecurity experts to address this ransomware and other cybersecurity threats. Even if you believe that your system is not currently impacted, an independent review of your information security program and incident response plan and testing are prudent. In the face of these threats a healthcare organization may be expected to take proactive measures to thwart this kind of attack.