Warning of Increasing and Imminent Threat of Ransomware to Health Care Industry

On October 28, 2020, the Cybersecurity & Infrastructure Security Agency (CISA), alongside the Federal Bureau of Investigations (FBI) and the US Department of Health and Human Services (HHS), jointly issued an advisory warning of increasing and imminent cybercrime threats targeting the health care industry, specifically US hospitals and providers. These threats include targeting the health care systems with malware that can lead to ransomware attacks, and, ultimately, the disruption of health care services. On October 29, 2020, the Advisory was updated to include more substantive information, including new indicators of compromise.

Key Findings and Threat Details

The Advisory describes the tactics, techniques, and procedures used by cybercriminals against health care targets to infect systems with ransomware, notably Ryuk and Conti, for financial gain. CISA, the FBI, and HHS warn of malicious cyber actors using loaders (like TrickBot and BazarLoader) as part of malicious campaigns that often lead to ransomware attacks, data exfiltration and theft, and disruption of services. Loaders start the infection chain by distributing the payload, and when deployed, they install on the victim’s machine(s). As part of a new TrickBot module and toolset (called Anchor), attackers create a back door that allows them send and receive data using Domain Name System tunneling.

Specifically, regarding Ryuk ransomware, once it infects a system the program will encrypt the victim’s files and attempt to delete any backup files on the system to prevent the recovery of any affected files. Ryuk is also capable of shutting down and removing any applications that could stop the attack. After the attack, the victim is then instructed to pay a specific amount to a specific Bitcoin wallet for the application that can decrypt the files. Notably, there is no guarantee the decryptor will be effective. 

Additional technical details on techniques and tactics as well as new indicators of compromise are outlined in the Advisory.

Recommended Mitigation Efforts

There are a number of steps that hospitals and other health care providers can take to mitigate some of the risks associated with this threat.

First, entities should ensure that their business continuity plans are updated and operational. Health care organizations have likely looked to business continuity plans during COVID-19 response efforts, but if not, this Advisory should serve as a reminder to review and refresh continuity and incident response plans.

Second, hospitals and health care providers should implement network and security best practices, including, for example:

• Patching operating systems, software, and firmware as soon as manufacturers release updates. Note that the HHS Office for Civil Rights (which enforces HIPAA) has issued guidance regarding the importance of patching as a component of an entity’s maintenance obligations under HIPAA, namely ensuring security measures remain effective as technology changes and new threats and vulnerabilities are discovered.
• Regularly changing passwords associated with network systems and accounts.
• Using multifactor authentication (MFA) whenever possible. Usability complaints are frequent with MFA, but the benefits are significant in terms of improved security (do not underestimate the risk of human error in contributing to malware and ransomware) and supporting HIPAA and other state privacy law compliance benefits.
• Auditing logs to ensure new accounts are legitimate. This is part of HIPAA’s information system activity review safeguard.
• Creating backups of critical systems (e.g., patient database servers, medical and billing records, and telehealth and telework infrastructure).
• Setting antivirus and anti-malware solutions to automatically update and conduct regular scans. These practices will help ensure that an entity’s network is prepared for and able to respond to these threats.

Third, hospitals and health care providers should implement ransomware practices to ensure that, if affected, the entities are still able to access their files. These practices include regularly backing up data, password-protecting backup copies offline, and implementing a recovery plan to maintain and retain air-gapped copies of sensitive or proprietary data. A key component of the data backup planning is ensuring that backups are retrievable and usable in a production environment, which requires testing in advance. Organizations should also consider the frequency of backups. For the 24/7 health care industry, frequent backups are key.

Fourth, hospitals and other health care entities should prioritize training and awareness efforts. Many attackers focus on workforce members in order to compromise credentials and access organizational systems, which presents an easier access point than making their way through sophisticated or robust technical safeguards. Providing training on security principles and techniques will help mitigate cybersecurity risks and vulnerabilities. Training should include organizational policies and procedures for employees to report suspicious activity or if they believe that they have been a victim of attack.

Finally, hospitals should stay in communication with other community partners that could provide overflow resources in the event of an emergency. Patients turned away during a ransomware attack are at risk, and hospitals risk violating their EMTALA obligations and protocols by not sufficiently planning for and accommodating the increased risk. 

CISA, the FBI, and HHS agree that these best practices should be implemented immediately given the threat. Organizations can also contact CISA for no-cost resources to help build secure systems and stave off threats.

Takeaways

In a normal year, health care entities do not have the luxury of pausing operations during a cyber attack. During a pandemic, health care providers may be crippled with downtime due to a cyber attack. This makes the health care industry a priority target for cyber criminals looking for a ransomware payoff, including COVID-specific scams and impersonation of regulators. The Advisory emphasizes that health care administrators should balance this risk when determining cybersecurity investments. Here are key takeaways from the Advisory:

1. There is an imminent ransomware threat to hospitals and other health care providers.

1. Hospitals and health care providers need to take immediate steps to mitigate these threats.

1. Organizations need to evaluate their networks and current policies and procedures to identify potential vulnerabilities.

1. Training employees on good security hygiene and organizational policies and procedures will be key in mitigating these threats. Human factors play a major role in organizational vulnerabilities. More on training opportunities and COVID remote work considerations is available here.

1. Organizations need to be prepared to continue to operate in the event of a partial or total system lockdown. Tabletop exercises will help hospitals and providers identify critical systems to prioritize for backups and recovery.

1. When responding to ransomware, organizations should consider potential implications of the U.S. Treasury’s Office of Foreign Assets Control (OFAC) October 2020 advisory, including potential liability for facilitating ransomware payments to a person or entity sanctioned by the U.S. government, particularly if organizations are not working with law enforcement or other forensic firms.

For additional questions on this Advisory or your data privacy and security program generally, contact your Quarles & Brady attorney or:

• Meghan C. O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com