At a time that health systems are already burdened by a once-in-a-lifetime public health crisis, they have to take on another challenge: malware.
Three federal agencies released a joint notice on Wednesday warning of a credible cybercrime threat to U.S. hospitals and healthcare providers. Cybercriminals are increasingly using ransomware to hobble hospital IT systems for financial gain, which is especially worrying amid rising Covid-19 cases.
The advisory, released by the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation and Department of Health and Human Services, states that cybercriminals are using Ryuk ransomware to infect healthcare IT systems.
⚠️ There is an imminent and increased cybercrime threat to U.S. hospitals and healthcare providers.
We released an advisory with the @FBI & @HHSgov about this #ransomware threat that uses #Trickbot and #Ryuk malware. Here is how to mitigate your risk: https://t.co/joBOCx5Usk
— Cybersecurity and Infrastructure Security Agency (@CISAgov) October 29, 2020
A typical cyberattack involving Ryuk, a strain of ransomware that first appeared in August 2018, includes a malicious email that looks believable to the recipient, said Alex Holden, chief information security officer at cybersecurity firm Hold Security, which has been monitoring the Russian-speaking group behind Ryuk ransomware attacks for over a year and half. The recipient then clicks on it and the system gets infected with a virus. The virus then begins infecting other devices on the same network.
A Deep-dive Into Specialty Pharma
A specialty drug is a class of prescription medications used to treat complex, chronic or rare medical conditions. Although this classification was originally intended to define the treatment of rare, also termed “orphan” diseases, affecting fewer than 200,000 people in the US, more recently, specialty drugs have emerged as the cornerstone of treatment for chronic and complex diseases such as cancer, autoimmune conditions, diabetes, hepatitis C, and HIV/AIDS.
If successful, the cybercriminals are able to encrypt data on the infected machines, and they ask for a ransom to provide the key that would unlock the data, Holden said. The motive appears to be financial. The ransoms can vary — though typically criminals ask for about 10% of the organization’s annual revenue. The ransoms can be as high $5 million or more, he said.
The recent malware attack on the 26-hospital Universal Health Services used Ryuk ransomware, Holden confirmed. The cyberattack, which was disclosed at the end of September, sent shockwaves through the healthcare industry, signaling how vulnerable U.S. hospitals are to this type of criminal activity, particularly amid a pandemic when the healthcare system is already under great strain. It took until nearly mid-October for UHS to restore its IT network.
At least three hospitals were severely impacted by ransomware this week, and multiple hospitals were impacted over the past several weeks, Charles Carmakal, chief technology officer of Mandiant — another cybersecurity firm that has been tracking the people conducting the Ryuk ransomware-related breaches — said via email.
The hacker group has also mentioned hundreds of healthcare provider locations as potential targets in the U.S., including hospitals, clinics and other medical facilities, Holden said. Hold Security notified the FBI about these discussions among the group.
Both Holden and Carmakal declined to name the hospitals that have experienced recent ransomware attacks, though Sky Lakes Medical Center in Klamath Falls, Oregon, acknowledged the attack it experienced Tuesday in a notice posted to its website.
In the joint advisory, the federal agencies said that health systems should not pay the ransoms, as payment does not guarantee that files will be recovered. They listed best practices that hospitals can use to protect themselves against cyberattacks, including regularly backing up data and updating operating systems, software and firmware as soon as those updates are released by manufacturers.
In addition, MedCity News rounded up advice for hospitals from cybersecurity experts:
1. Install two-factor authentication. In light of the pandemic due to which many healthcare organizations have at least a part of their staff working remotely, two-factor authentication is more important than ever, Holden said.
“We’re seeing some hospitals, because of technology issues or even licensing costs not implementing this everywhere,” he added.
2. Train staff to detect suspicious emails, links and websites. Hospitals need to properly train staff and run programs to test that their staff can spot suspicious or fake emails, said Ido Geffen, vice president of product at cybersecurity company CyberMDX, via email.
“Ransomware relies on the attackers finding an entry point into the network and one of the largest and easiest threat vectors to exploit is hospital staff using phishing techniques,” Geffen said.
Dr. David Nickelson, vice president of client growth-healthcare at digital consultancy Nerdery, echoed this point via email, adding that: “The strongest firewall against malware and ransomware prevention is employee training.”
Employees should also be trained on how to quickly take action if they believe they have been targeted or if they think they may have accidentally put the organization at risk, Nickelson said.
3. Close exposed remote desktop protocols. These protocols are used by IT teams to remotely access, repair and configure devices. But hackers can also use these protocols to gain access to devices, Geffen said.
4. Place strong protections around data. Protect data with strong encryption and frequent backups, Nickelson said. Also, use a separate blockchain key management system to provide managed access to data as needed.
5. Segment IT networks. Proper segmentation will allow security teams to quickly isolate compromised devices and shut off network communication to the rest of the device fleet, preventing the entire network from being infected with malware, Geffen said.
“Right now, hospitals are struggling with keeping health of the country up, [but] they should not relax cybersecurity measures,” Holden said. “I understand in cases of emergency… it’s hard to maintain. But unfortunately, the cybercriminals are trying to monetize the most important aspect of our nation… which is health right now, and vigilance from a cybersecurity perspective is absolutely necessary.”
Photo: ValeryBrozhinsky, Getty Images
