The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) recently issued a Joint Cybersecurity Advisory in light of “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.” The advisory is being shared as a warning to healthcare providers so that they may take “timely and reasonable precautions” to secure and protect their networks against such attacks as we enter the new year.
Increased Sophistication of Cybercriminals
The Joint Cybersecurity Advisory finds that malicious cyber actors are increasingly targeting the healthcare sector with TrickBot and BazarLoader malware and then deploying ransomware, such as Ryuk, to infect and monetize networks. Cybercriminals are developing new functionality and tools that serve to increase the “ease, speed, and profitability” of cyberattacks. New methodologies, such as TrickBot’s Anchor, open a backdoor to victim machines that evade typical network defense products and make malicious communications indistinguishable from legitimate Domain Name System traffic. The increased sophistication of cybercriminals comes at a steep price for healthcare providers. According to a report recently published by IBM, the average cost of a data breach in the healthcare industry in 2020 was $7.13 million, far surpassing the $3.56 million average cost of a data breach in other industries.
Impact of COVID-19
The Joint Cybersecurity Advisory warns that cybersecurity issues will be particularly challenging for healthcare providers within the context of the COVID-19 pandemic. The increased use of telehealth during the pandemic presents a ripe opportunity for attack to cybercriminals, an area that has already seen a nearly exponential increase in targeted attacks this year, as outlined in a report by Security Scorecard. The shift to remote working has likewise presented hackers with increased opportunities for attack, with remote health system and hospital workers unaccustomed to, and unfamiliar with, the increased risks of accessing patient data from less secure remote systems.
Importantly, the potential for the disruption of critical healthcare services as a result of an attack is of particular concern at a time when COVID-19-related hospitalizations are on the rise. The disruption to Universal Health Services’ operations in the aftermath of a ransomware attack in October 2020 serves as just one illustration of how a cyberattack can lead to massive outages in computer systems, shut down emergency department systems, and require the diversion of ambulances.
Takeaways to Prepare for 2021
Healthcare providers and other healthcare industry actors should heed carefully the government’s warnings and ensure their respective organizations are prepared in the event of a ransomware attack. For instance, organizations should ensure that they maintain and continuously evaluate business continuity plans to identify continuity gaps. The Joint Cybersecurity Advisory places particular importance on maintaining offline, encrypted backups of data and the need to test these backups regularly. After all, as the Advisory notes, “there is no need to pay a ransomware for data that is readily accessible to your organization.” The CISA, FBI, and HHS further encourage organizations to:
- implement applications and remote access to allow only systems to execute programs known and permitted by the established security policy;
- identify critical assets such as patient database servers, medical records, and telehealth and telework infrastructure, creating backups of such systems that are housed offline from the network;
- focus on awareness and training for employees and stakeholders on cybersecurity threats, such as phishing scams;
- ensure employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack;
- create, maintain, and exercise a cyber incident response plan; and
- develop a risk management plan that maps critical healthcare services and care to the necessary information systems.
If you have any questions on how to protect your organization from ransomware attacks or what to do if your organization is a victim of such an attack, please contact the authors.