by Chris Bowen
Chief Privacy & Security Officer and Founder
Wednesday afternoon, the Department of Health and Human Services (HHS), the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued an announcement that they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” They issued this warning urging healthcare providers to ensure they take timely and reasonable precautions to protect their networks from these threats, typically resulting in malware/ransomware attacks.
In this October 29 Healthcare IT News article, Mike Miliard reports “Malicious cyber actors may soon be planning to infect systems with Ryuk ransomware for financial gain on a scale not yet seen across the American healthcare system.”
These attacks to the healthcare system have been ramping up during COVID-19 and in his article Miliard quotes cybersecurity expert Brian Krebs saying he “received a tip about cybercriminals affiliated with the a Russia-speaking ransomware group known as Ryuk discussing plans to deploy ransomware at more than 400 healthcare facilities in the US.”
Often targeted by Trickbot malware, the results to our health systems are devastating ranging from ransomware and data theft to diverted or denied patient services as systems have to go offline, which could prove fatal to those in need.
The tragedy is that these bad actors are choosing this time to ramp up as our nation’s providers battle a third wave of COVID-19, which has strained resources to the breaking point.
I urge any of you working in security to read the announcements linked here and heighten your awareness, while shoring up your defenses, just as we are. Educate your teams on how to be suspicious and cautious.
Here’s what you should seriously consider doing today:
- Ensure all domain controllers are patched for Zerologon
- Disable Powershell with Group Policy
- Monitor for the use of suspicious .bat files
- Regularly backup all data, air gap and password protect backup copies *offline*
- Block domains and IPs associated with Ancher_DNS
- Patch your systems
- Monitor for http requests (via wget or curl, etc. ) to those urls mentioned in the CISA brief (see heading ‘This malware used the following legitimate domains to test internet connectivity’)
- Follow the guidance of CISA (see https://us-cert.cisa.gov/ncas/alerts/aa20-302a)
Here are a few other best practices you can and should employ:
- Know where your PHI is, and make sure it’s encrypted and backed up to a secured, separate location. The backups in a ransomware attack are critical. An attacker loses significant leverage if there are backups of the data that they do not have access to exfiltrate.
- Along the encryption lines, have a strong key management strategy that ensures the encryption keys are secured separately to prevent the encrypted data from being used.
- Secure your databases. While healthcare generally knows how to secure their databases, I’ve seen healthcare providers spin up vulnerable databases without rigorous controls and compliance checks. I recommend an automation first approach to remove the human element from the configuration steps to secure these databases.
- Stop reusing weak or already compromised passwords.
- Don’t click links that shouldn’t be clicked.
- IT could help prevent phishing attacks by tightening up content filters and domain validation on their email and firewalls.
- Weak passwords, phishing attacks, and failure to patch are often the root cause of most ransomware attacks.
- Patch those security holes.
- Dust off your failover strategy and location. This approach is harder in the on-premise world because acquiring space, servers, and cabling is tough at the best of times – let alone when lives are potentially impacted. Cloud environments and their multiple regions and availability can make this easier. You can also store backups in a different region – with different protections.