On October 28, 2020, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). The advisory warns of an “imminent cybercrime threat to U.S. hospital and healthcare providers” and describes the tactics, techniques, and procedures (TTPs) used by cybercriminals to infect systems with Ryuk ransomware. CISA, FBI, and HHS are advising all entities within the healthcare sector to take immediate precautions to protect their networks from these threats.
The healthcare sector has always been a prime target for cybercriminals, but the percentage of healthcare entities impacted by ransomware has significantly increased in recent months. Typical ransomware demands range from several hundred thousand dollars into the millions. Hospitals, specifically, are often targeted because cybercriminals believe they are more likely to pay the ransom (quickly) to avoid negative impact on patient care.
In September 2020, a woman in Germany died during a ransomware attack that impacted the Duesseldorf University Hospital. The target of the attack was Duesseldorf University, but the University Hospital network was impacted as well. The woman presented to the hospital in need of urgent treatment, but because of the attack the hospital could not accept emergency patients, and the woman had to be sent to a healthcare facility in another city. The woman’s death appeared to be the first specifically connected to a ransomware attack involving a hospital.
Key recommendations provided by CISA, the FBI, and HHS:
- Establish and practice out-of-band, non-VoIP communications
- Rehearse IT lockdown protocol and process, including practicing backups
- Ensure backup of medical records, including electronic records, and have a 3-2-1 backup strategy – three backups on two different media, one of which is offline at all times
- Expedite patching response plan within 24 hours
- Prepare to maintain continuity of operations if attacked
- Check that your anti-virus and endpoint detection and response (EDR) are running; a stopped state may indicate compromise
- Be prepared to re-route patients if patient care is disrupted
No entity is immune from a ransomware attack. Preparedness is key. Report all potentially related cyber incidents to the FBI 24/7 CyberWatch Command Center at 855-292-3937 as well as to your Cyber Insurance provider and broker.