Ransomware attacks against the healthcare industry have been in the news frequently. On October 28, 2020, the FBI and U.S. Department of Homeland Security assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” The Cybersecurity and Infrastructure Security Agency updated its notice on November 2, 2020, to include additional technical details.
The key findings of that notice include:
- Malicious cyber actors are targeting the healthcare and public health sectors with specifically designed malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
- These issues will be particularly challenging for organizations during the COVID-19 pandemic; therefore, administrators will need to weigh this risk when determining their cybersecurity investments.
According to a recent HealthITSecurity article, 560 healthcare facilities were affected by ransomware attacks in 2020. A subsequent article published on February 3, 2021, indicated that data exfiltration jumped 20 percent in the fourth quarter of 2020, and now 70 percent of all ransomware attacks include data exfiltration. Therefore, healthcare organizations that are the victim of any kind of ransomware attack should consider the privacy breach ramifications.
These attackers continue to develop new functionality, tools, and methods to stay ahead of law enforcement and cybersecurity professionals. The most common method used to deploy malware remains social engineering, such as email phishing. However, there is growing evidence that cybercriminals are combining these social engineering techniques with open-source intelligence, exploitation of vulnerabilities on networks and servers, and other traditional technical “hacking” methods. For example, attackers may identify and exploit weak passwords to gain access to the email and calendar system. That access, combined with knowledge about key stakeholders and their roles gathered from publicly available sources, could let them obtain and assess detailed calendars and travel itineraries. With this access and knowledge, they could design a custom phishing attack that is more likely to succeed and time it to exploit the absence of key decision makers.
How can your organization protect itself from these risks? To effectively address the threats and vulnerabilities that lead to ransomware attacks, organizations should develop a comprehensive cybersecurity program that is based on an industry-proven framework and combines assessments of the organization’s culture, governance, and control processes. Two commonly used security frameworks in the healthcare industry are:
- The National Institute of Standards and Technology Cybersecurity Framework, which includes functions related to the organization’s ability to identify, protect, detect, respond, and recover from risks deriving from various cybersecurity threats and vulnerabilities.
- The Health Insurance Portability and Accountability Act of 1996 Security Rule, which identifies various control processes related to administrative, physical, technical, and organizational safeguards that need to be in place for a comprehensive security program.
While contemplating the need for a comprehensive risk assessment based on such frameworks, healthcare systems should shore up their cybersecurity without delay. To help prevent possible ransomware attacks, organizations should consider immediately taking the following steps:
- Make sure your critical data is backed up and recoverable on a server that is off your network (not reachable with the same credentials or from the same network segment as production systems), and confirm recoverability by actually restoring from the backup rather than assuming it.
- Along with system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.).
- Ensure no administrative accounts are using default or vendor-supplied passwords and that strong password policies are in place.
- Where possible, organizations should segment their networks so that a compromised user workstation cannot reach clinical systems, servers, and backup storage directly.
- Remind your system users of social engineering prevention best practices. These include not clicking on links within emails from unknown or suspicious senders, never giving out your username and password via email or on the phone, etc.
- Alert your information security monitoring teams or service providers about this threat.
- Review your information security incident response, business continuity, and disaster recovery plans, and prepare your teams for possible action. Include contact information for FBI field offices or the FBI’s 24/7 Cyber Watch at 855.292.3937 or CyWatch@fbi.gov within your incident response plans.
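The first step above says backups must be "recoverable," which can only be confirmed by restoring and comparing. The following Python script is an added example, not part of the original article or any BKD tool: it builds a SHA-256 manifest of a source data set, restores a copy, and reports files that are missing, altered, or carry ransomware-style extensions. The sample files, directory names, and the suffix list are constructed for illustration.

```python
"""Backup recoverability check (added example, not the article's own code).

Builds a hash manifest of the source tree, then verifies a restored tree
against it so that a "backup" that was silently encrypted or truncated is
caught before it is needed. All sample data below is constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed list of extensions commonly appended by file-encrypting malware;
# tune it to what your monitoring team reports, it is not authoritative.
RANSOMWARE_LIKE_SUFFIXES = (".encrypted", ".locked", ".crypt")


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.

    The restore passes only if nothing is missing and nothing was altered;
    unexpected files are reported separately, with ransomware-style names
    flagged so an encrypted backup set is obvious at a glance.
    """
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupted = sorted(p for p in manifest
                       if p in restored and restored[p] != manifest[p])
    suspicious = sorted(p for p in extra if p.endswith(RANSOMWARE_LIKE_SUFFIXES))
    return {
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
        "suspicious": suspicious,
        "ok": not (missing or corrupted),
    }


def demo():
    """Run the check against a clean restore and a tampered restore.

    Uses a throwaway temp directory with constructed sample files.
    Returns (manifest, clean_result, tampered_result).
    """
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "source"
        (src / "ehr").mkdir(parents=True)
        (src / "ehr" / "patients.db").write_bytes(b"constructed sample record data")
        (src / "ehr" / "schedule.csv").write_text("id,date\n1,2020-11-02\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        manifest = build_manifest(src)  # taken at backup time, stored off-network

        # Clean restore: byte-for-byte copy of the source.
        good = work / "restore_good"
        shutil.copytree(src, good)
        good_result = verify_restore(manifest, good)

        # Tampered restore: one file altered, one renamed as if encrypted.
        bad = work / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "config.ini").write_text("[db]\nhost=attacker\n")
        (bad / "ehr" / "patients.db").rename(bad / "ehr" / "patients.db.encrypted")
        bad_result = verify_restore(manifest, bad)
        return manifest, good_result, bad_result
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    _, clean, tampered = demo()
    print("clean restore ok:", clean["ok"])
    print("tampered restore:", tampered)
```

In practice the manifest should be generated when the backup is taken and stored with the backup on the isolated server, so that a later restore test compares against a record the attacker could not reach; a restore that reports "ok" against a manifest kept on the compromised network proves little.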
For more information, reach out to your BKD Trusted Advisor™ or submit the Contact Us form below.