FBI, DHS, HHS warn of credible and imminent cyber threat to healthcare
Recognize, prevent growing ransomware as a service and drive-by downloading threats with these tips
By John Yeast and Anthony W. Minge, EdD
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.
CISA, FBI, and HHS have released advisory AA20-302A, Ransomware Activity Targeting the Healthcare and Public Health Sector, which details both the threat and the practices that healthcare organizations should engage in continuously to manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA and MS-ISAC Ransomware Guide, which provides a ransomware response checklist that can serve as a ransomware-specific addendum to an organization’s cyber incident response plan.
The ransomware threat landscape has become more complex as threat actors have grown more sophisticated in their business models and strategies. This evolution includes the development of ransomware as a service (RaaS), which resembles software as a service (SaaS). RaaS organizations are run by sophisticated attackers and malicious developers who operate like an enterprise, with customer service, online support, call centers and payment processors. Just like a modern customer-focused business, they have people who respond to questions, assist with payment and decryption, and are very organized.
These RaaS operators are making a considerable amount of money from this model. This isn’t autonomous ransomware that can simply be addressed with standard anti-virus software. These are focused, motivated and knowledgeable criminal operators who target susceptible healthcare organizations by exploiting vulnerabilities, gaining a foothold within their networks and deploying ransomware that holds their important data hostage.
Phishing and drive-by downloading risks
Ransomware is often spread through phishing emails that contain malicious attachments or links, or through drive-by downloads. A drive-by download occurs when a user visits a compromised website and malware is downloaded and installed without the user’s knowledge or consent. Phishing emails contain links that may look like they come from a company you know or trust. They may appear to be from a bank, a credit card company, a social networking site, an online payment website or app, or an online store.
Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. They may:
- Say they’ve noticed some suspicious activity or log-in attempts
- Claim there’s a problem with your account or your payment information
- Say you must confirm some personal information
- Include a fake invoice
- Want you to click on a link to make a payment
- Say you’re eligible to register for a government refund
- Offer a coupon for free stuff
How to prevent getting infected by ransomware
The number one question is always, “What can we do to prevent getting infected?” There is no silver bullet to protect any one environment. Basic cyber hygiene standards need to be met. Organizations that regularly patch and have a robust backup strategy drastically reduce both the attack surface and impact of ransomware.
Basic cyber hygiene steps include:
- Back up, back up, back up. Build a robust backup strategy for your data to reduce the harm that ransomware can do. Redundant backups, offline backups in particular, and a strategy to restore systems quickly are ultimately how you defeat a ransomware attack. Test your backup workflow on a quarterly basis by selecting large data sets and walking through your restore process to validate that restoration succeeds. In the event of a ransomware attack, the right backup solution(s) can be the difference between being back online in several hours and being down for several weeks or months.
- Incident response plan. Develop a plan. Most organizations do not have an incident response plan, even though a HIPAA covered entity is required to have one. Cyber incidents are not just technical problems; they are business problems. The financial impact of a successful breach goes beyond potential fines and penalties. An organization’s reputation in its market is placed at risk and should be evaluated against the organization’s own risk tolerance. Develop a playbook for your organization that does more than check a box. Craft a tool that will chart your course to recovery when security defenses are tested, and even defeated. Once you have a plan, you must: test, practice, review, repeat.
- Patching. Systems that are not patched regularly place an organization at risk. Unpatched vulnerabilities are the entry points that cybercriminals seek out to exploit, and they can be remediated by ensuring regular patching of all systems. Patching should encompass every system and application that is connected to an organization’s network. Many times, non-core applications are overlooked but pose significant risk. Often these are shadow applications (software not approved by IT) from third-party companies that are not on a patching schedule.
- Human firewall. Human firewalls are any organization’s most critical line of defense. Cybersecurity cannot fall on the shoulders of the security and IT teams alone, especially as cyber threats continue to grow more sophisticated and challenging to detect. In short, bad guys need humans to behave a certain way to see a successful phishing attack. Take the time to thoroughly educate employees on what to look for and what to do when they see or suspect something that may be harmful. A security awareness and training program can be scaled depending on the size of the organization. Something is always better than nothing. The ability to be cyber-aware is a critical piece of the puzzle when it comes to keeping organizations secure. Whether employees realize it or not, their actions could open the door for cyber criminals to access sensitive information, meaning a passive approach towards data security is no longer acceptable.
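The quarterly restore test described above, as an added example that is not from the article or the authors’ organizations: a Python script that records a SHA-256 manifest of a data set when the backup is taken and, after a restore drill, reports which files came back missing or altered. The file names and contents in the demo are constructed.

```python
"""Verify a restored backup against a checksum manifest taken at backup time."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large data sets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's relative path to its digest; store this beside the offline backup."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest: missing, corrupted and unexpected files."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupted": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def restore_ok(report: dict) -> bool:
    """A drill passes only when every file in the manifest came back intact."""
    return not (report["missing"] or report["corrupted"])


def demo() -> dict:
    """Constructed drill: a restore that silently lost one file and altered another."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "records").mkdir(parents=True)
        (src / "records" / "run_0001.json").write_text('{"unit": "M12", "call": 1}')
        (src / "records" / "run_0002.json").write_text('{"unit": "M12", "call": 2}')
        (src / "dispatch.cfg").write_text("channel=7\n")
        manifest = build_manifest(src)                   # taken at backup time
        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)                    # stand-in for the restore step
        (restored / "records" / "run_0002.json").unlink()  # lost during restore
        (restored / "dispatch.cfg").write_text("channel=9\n")  # altered during restore
        return verify_restore(restored, manifest)
```

Run `demo()` to see the report; in a real drill, keep the manifest with the offline copy so a restore can be judged against a reference the attacker could not modify.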
The cyber attack threat to EMS is real
While many may consider the danger to EMS agencies minimal, this could not be further from the truth. No organization, regardless of size or specialty, is immune to these threats. In fact, EMS organizations are just as exposed as other areas of healthcare, if not more so, and may be prime targets. Budget cuts, a historical lack of security-focused efforts and education, and the tireless focus on COVID-19 and other burdensome recent events have left many services exposed. These attacks can not only steal records and vital information or hold them hostage; they can disable software and disrupt operations by crippling dispatch and communications. Couple a ransomware attack with the reduction in funds from decreased service levels and reimbursement over the past several months, and you have a recipe for disastrous outcomes for the agency and possibly the communities it serves.
Finally, there can be an additional financial impact when a successful breach occurs and protected health information is compromised. There are numerous reporting requirements that must be met in a timely manner. A qualifying breach must be reported to the HHS Office for Civil Rights (OCR) through its breach-reporting portal, as well as to law enforcement (local, state and possibly federal) and news outlets. These breaches can escalate into HIPAA investigations and fines if OCR perceives that an organization has not made a good-faith effort toward HIPAA compliance.
There are bad people out there doing bad things, and the impact can be harmful if not disastrous. EMS does not have the luxury of assuming that it will not happen in this segment of healthcare. Be prepared: Vigilant planning, monitoring, education, and action are critical in preventing and properly responding to cyberattacks.
About the authors
John Yeast is the director of technology at St. Charles County Ambulance District, and executive vice-president of cybersecurity solutions for EMS Compliance, LLC. He has a focus on information technology leadership along with cybersecurity and holds certifications in protecting cyber ecosystems, including Certified Ethical Hacker, and Cyber Security Architect.
Anthony Minge, EdD, is a senior partner at Fitch & Associates. He has extensive experience in public safety and healthcare finance. Prior to joining the firm, Anthony was the business manager for Northwest MedStar in Spokane, Wash., one of the largest air medical programs in the Pacific Northwest. He holds a Doctor of Education degree in organizational leadership. Contact him at firstname.lastname@example.org.