The advisory stated that “malicious cyber actors are targeting the HPH [Healthcare and Public Health] Sector with Trickbot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services” according to information gathered by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).
According to a KrebsOnSecurity report, a tip from Alex Holden, founder of Hold Security, indicated that online communications were occurring between “cybercriminals affiliated with a Russian-speaking ransomware group known as Ryuk in which group members discussed plans to deploy ransomware at more than 400 healthcare facilities in the U.S.” The subsequent FBI/DHS advisory was released two days later.
In response to this imminent threat, the FBI, CISA and HHS are asking healthcare organizations to take action to minimize the chance of experiencing service interruptions from a cyber attack. The advisory emphasizes the importance of maintaining business continuity plans to ensure essential functions can continue through emergencies.
How are ransomware attacks affecting healthcare in 2020?
The threat of cyber crime impacting critical healthcare infrastructure is increasingly concerning. In October, a ransomware attack was investigated as the suspected cause of a patient’s death in a German hospital.
Although months of investigation led police to drop claims that the attack was responsible for the patient’s death, this incident must still serve as a warning to the healthcare industry that a deadly disruption in patient care due to a cyber attack is inevitable.
Ransomware attacks have increased 50% in the third quarter of 2020 compared to the first half of the year according to research conducted by Check Point. The U.S. healthcare sector was the most targeted sector globally. The global healthcare sector also saw the number of ransomware attacks double.
Numerous U.S. healthcare providers have recently been hit by ransomware attacks. Beginning Monday, Oct. 26, six hospitals from California to New York were hit with Ryuk ransomware in 24 hours, according to The Washington Post. The Ryuk ransomware strain, distributed through the Trickbot botnet, encrypts critical data, which can disrupt patient care when it is aimed at healthcare provider networks.
The recent hospital ransomware attacks are linked to Russian hackers responsible for a prior attack on a network of over 400 Universal Health Services locations, considered the largest medical cyberattack of its kind at the time according to the New York Times.
How can healthcare providers reduce risk of a ransomware attack?
These attacks are an example of the concerning rise of medical ransomware attacks and the heightened need for proactive steps to prevent ransomware attacks in healthcare facilities.
The advisory lists network best practices for healthcare providers including but not limited to:
- Patching operating systems, software, and firmware to ensure manufacturer updates are utilized
- Implementing strong password practices and utilizing multi-factor authentication whenever possible
- Disabling remote access/Remote Desktop Protocol (RDP) ports when possible and monitoring remote access/RDP logs
- Auditing user accounts with administrative privileges and configuring access controls with least privilege in mind
- Backing up systems with critical assets (patient database servers, medical records, telehealth and telework infrastructure, etc.) and storing backups offline
- Segmenting network data so sensitive data is not stored on the same server and network segment as the email environment
- Regularly scanning and scheduling automatic updates for antivirus and anti-malware software
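
As an added example (not code from the advisory or from this page), here is one way to act on the "monitoring remote access/RDP logs" item: count failed RDP logons per source address in a sliding window and note whether a successful logon followed. The record layout, the `flag_rdp_sources` name, the threshold and the window are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security event IDs: failed / successful logon
RDP_LOGON_TYPE = 10            # LogonType 10 = RemoteInteractive (RDP session)

def _ev(time, event_id, ip, user, logon_type=RDP_LOGON_TYPE):
    return {"time": time, "event_id": event_id, "ip": ip, "user": user, "logon_type": logon_type}

# Constructed sample records (assumed export layout, documentation-range IPs).
SAMPLE_EVENTS = (
    [_ev(f"2021-01-04T02:14:{s:02d}", FAILED, "203.0.113.7", "administrator") for s in range(0, 50, 10)]
    + [_ev("2021-01-04T02:15:30", SUCCESS, "203.0.113.7", "administrator")]
    + [_ev(f"2021-01-04T03:{m:02d}:00", FAILED, "198.51.100.20", "nurse01") for m in range(6)]
    + [_ev(f"2021-01-04T08:{m:02d}:00", FAILED, "10.20.0.15", "jsmith") for m in (1, 2)]
    + [_ev("2021-01-04T08:03:00", SUCCESS, "10.20.0.15", "jsmith")]
    + [_ev("2021-01-04T09:00:00", FAILED, "192.0.2.44", "svc_backup", logon_type=3)] * 8
)

def flag_rdp_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside one window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP sessions are in scope for this check
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == FAILED:
            failures[ev["ip"]].append(ts)
        elif ev["event_id"] == SUCCESS:
            successes[ev["ip"]].append((ts, ev["user"]))

    findings = {}
    for ip, times in failures.items():
        times.sort()
        start, burst_end = 0, None
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                burst_end = ts
                break
        if burst_end is None:
            continue  # a couple of mistyped passwords is not a burst
        # First account that logged on from this IP after the burst, if any:
        # a success following many failures is the case to triage first.
        later = sorted(s for s in successes[ip] if s[0] >= burst_end)
        findings[ip] = {"failed_logons": len(times),
                        "success_after_burst": later[0][1] if later else None}
    return findings
```

On the sample data, the two external addresses are flagged and the internal user who mistyped a password twice is not.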
The advisory concludes with a list of resources to help healthcare providers prevent an attack on their network, along with FBI, CISA and HHS recommendations on the contact information every provider should have on hand in case they become a victim of a ransomware incident.
The following are organizations that can provide mitigation and response assistance or should be notified after an attack occurs.
- State and Local Response Contacts
- IT/IT Security Team – Centralized Cyber Incident Reporting
- State and Local Law Enforcement
- Fusion Center
- Managed/Security Service Providers
- Cyber Insurance
Why the healthcare industry must act now to avoid being targeted by ransomware
Healthcare facilities are prime targets for ransomware attacks due to their need for immediate 24/7 access to patient data and their heavy reliance on internet-connected devices and technology for critical patient care.
Unless healthcare facilities take proactive action to thwart attacks, cyber criminals will continue to capitalize on the fact that hospitals can’t afford any downtime or disruption in their network caused by a ransomware attack. The devastating repercussions of a ransomware attack on patient care make hospitals more likely to be forced to pay the ransom demand to restore functionality if proper backups are not in place.
If Protected Health Information (PHI) or Personally Identifiable Information (PII) on a hospital network is encrypted during a ransomware attack, healthcare facilities face more than the possibility of a data breach: medical staff can be forced to rely on paper records, limiting their ability to provide the critical and timely care patients require.
How to reduce your risk of ransomware today
Implementing proactive cyber security products and practices as recommended by the FBI/DHS advisory can reduce the risk of a ransomware attack, but healthcare facilities must continually ensure they are up to date with the best practices to handle a disruptive cyber attack as well.
Creating an incident response plan and encouraging all staff members to participate in maintaining a strong culture of cyber security can improve the chances of efficient and effective ransomware prevention and remediation.
At Proven Data, we are committed to helping healthcare facilities navigate ransomware attacks. If you are a recent victim of a ransomware attack or would like to learn more about how to implement proactive security services for your organization, reach out to our cyber security experts today.