November 2, 2020
On October 28-29, 2020, the United States Cybersecurity and Infrastructure Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) took the rare step of issuing a joint cybersecurity advisory to the healthcare sector regarding ransomware attacks targeting healthcare providers. The advisory, describes coordinated efforts to infiltrate computer systems of healthcare providers and encrypt data essential for the delivery of healthcare services. This advisory is timely given that many health care providers including hospitals and long-term care facilities are focused on adapting to challenges presented by the COVID-19 pandemic and, thus, are potentially extra vulnerable to attack.
Several hospitals in upstate New York were recently forced to close operations after being hit with a ransomware attack, even to the point of diverting incoming ambulance traffic to other area hospitals. Similarly, the University of Vermont Health Network was subject to a ransomware attack, which forced the system to revert to use of paper medical records causing interruption and delay.
As the advisory explains, malicious cyber actors are targeting the healthcare sector by infiltrating networks with new tools. Often, they enter networks through phishing campaigns that contain links to the malware or attachments with the malware. Once an unsuspecting employee clicks on the link or opens the attachment, the hackers are able to move about the network to locate key data, delete backups, exfiltrate personal data, and effectively lock down the entire system – unless the hospitals pay a hefty ransom. CISA, the FBI and HHS advise against paying the ransom, in large part because one cannot obtain reliable guarantees from the hackers, but hospitals may have little choice but to do so. The payment of a ransom may also be considered aiding terrorist activities or a violation of federal law resulting in potential regulatory penalties or liability.
Until recently, one of the best defenses against a ransomware attack has been a robust backup system. The thinking was, if one can restore the system without paying the ransom, why pay it? That defense presupposes that the backup is maintained outside the compromised network so that hackers could not delete or encrypt the backup as well. More recently, hackers have, in addition to encrypting data, began to exfiltrate data and threaten to disclose it publicly if the ransom is not paid. Such disclosure triggers a host of notification requirement and inflicts severe reputational damage on the hospital. But, there is no reliable way to ensure the bad guys will refrain from (or delete) the acquired personal data if the money is paid, which leaves the victim in a precarious position.
The advisory contains a long list of essential mitigation steps those in the healthcare sector must employ. They include keeping backups offline and testing the ability to do a full restore. Hospitals must have a cyber incident response plan, preferably one that has been tested through a “table top” mock exercise before a real incident occurs. Training staff is more important than ever – both to identify suspicious emails and activities but also to operate if systems are taken offline for defensive purposes. The advisory also directs health care providers to CISA’s Ransomware Guide, which is a comprehensive resource addressing preventative measures and breach response.
The HIPAA Security Rule requires that covered entities conduct a risk assessment to identify security vulnerabilities and then adopt policies and procedures and take steps to actively guard against identified risks including ransomware attacks and other breaches. HIPAA also requires staff training on a myriad of security issues given that human error is commonly linked to security incidents and breaches. In addition, many states have privacy laws that require safeguarding of personal data. Healthcare providers should take these steps, and those referenced in CISA’s Ransomware Guide, in order to protect against ransomware attacks and other cybersecurity threats.
This advisory is a wakeup call for the healthcare sector, but there is no reason why businesses in other sectors should not heed the same advice.