The U.S. Cybersecurity and Infrastructure Security Agency (CISA), with the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (DHS), have issued a cybersecurity advisory to the U.S. healthcare sector (Alert: AA20-302A) regarding a concerted effort to compromise and take hostage the computer systems of healthcare providers.
The cybercriminals are targeting the sector with “Trickbot Malware” with the intent of creating a ransomware situation. If successful, their efforts to encrypt the systems and demand a Bitcoin ransom will disrupt the affected healthcare entity.
This criminal activity, attributed to a Russian criminal entity by the chief technical officer of cybersecurity firm Mandiant, hits the U.S. as the COVID-19 pandemic is putting more pressure on hospitals and other healthcare facilities. In September, a hospital in Dusseldorf, Germany, was hit with a ransomware attack that resulted in the death of a patient. The event illustrated the very real potential for widespread disruptions if healthcare providers do not have their information technology house in order.
Kevin Coleman, executive director of the National Cyber Security Alliance noted:
“Hospitals and other healthcare facilities are increasingly relying on connected devices, patient records are becoming more digitized and people are depending on telehealth services for medical help during the pandemic. Each of these healthcare components are vulnerable, making the need for increased cybersecurity awareness and education among consumers and healthcare practitioners paramount for safety and prevention. In terms of best practices, effective security policies, training road maps for IT teams and the integration of proactive cybersecurity education initiatives into the public health workplace culture are all incredibly important for keeping threats at bay. Addressing the specific threat of ransomware, it’s essential for facilities to regularly create backups of critical systems and files, and to house those offline from the network. Simultaneously, healthcare and public health facilities should also be vigilant about upgrading and updating their legacy hardware and software; ensuring that all connected devices and applications have multi-factor authentication enabled; and that employees know how to identify and avoid malicious email links and attachments from possible phishing scams targeting their workforce.”
The current wave of attacks uses the Ryok ransomware as the payload. Cybersecurity professionals and researchers have been hunting and researching Ryok since August 2018, as it traversed various industries. The CISA/FBI/HHS alert highlights the need to review business continuity plans and ensuring emergency system functions are operational.
While the miscreants’ efforts are ongoing and multiple hospital systems have been affected, the threat can be mitigated with appropriate cyber hygiene, cold (offline) backups and security awareness. “There is also a continued lack of awareness of the need for SaaS backup in healthcare IT,” noted Mike Puglia, chief strategy officer at Kaseya. “Healthcare organizations and their IT leaders need to recognize that platforms like G Suite, Microsoft Office 365 and Salesforce do not guarantee full restoration of lost data if an issue occurs on their end either through an honest mistake or malicious intent. Responsibility lies with the IT department to fill in any data protection gaps by implementing a backup and recovery solution, even for SaaS applications.”
Victims of these attacks are advised to not pay the ransom, as payment does not guarantee access to one’s data and serves to fund future criminal activities. The alert includes steps entities should take to harden their environment and weather a ransomware attack without paying the ransom.
To reiterate a key recommendation from both cybersecurity professionals and the CISA/FBI/HHS alert: Immediately brief employees on the threat and how users are being targeted and provide them with a means to report anomalous activities.