News headlines across the world have been strongly focused on the unprovoked invasion of Ukraine by Russia. In the midst of those headlines and all the news developments, might cyber-criminals—either connected with foreign governments, or part of organized crime syndicates, or simply freelance cyber-criminals—be tempted to target U.S. industry even more than before? And if so, how vulnerable is the U.S. healthcare system, either directly or indirectly?
As technology and business publication Fast Company’s Steven Melendez wrote on Feb. 25, “As President Biden intensifies sanctions against Russia in response to the invasion of Ukraine, experts warn that cyberattacks against public and private targets in the United States are a possibility. The Department of Homeland Security this week warned U.S. organizations to be prepared for a cyberattack, though DHS Secretary Alejandro Mayorkas said there is no ‘specific credible cyber threat’ against the U.S. homeland. Officials in the U.K. issued a similar warning. Government and banking sites in Ukraine are believed to have already been hit by Russian digital attacks. Exactly what form any hacks in the U.S. may take remains to be seen: CNN reports that the FBI warned local governments and companies to be on the watch for ransomware. Ransomware attacks, like the one that crippled the Colonial Pipeline last year—causing sporadic gasoline shortages—are typically launched by independent hackers in Russia trying to make money, not by government agents. But ransomware groups typically operate with some tacit approval from the regime of Vladimir Putin, and the Russian government may be more tolerant of hacks on major Western targets if tensions continue to ramp up,” he wrote.
Further, as Healthcare Innovation Managing Editor Janette Wider wrote on Monday, “On Feb. 23, the American Hospital Association (AHA) published a cybersecurity advisory warning that Russia may use cyberattacks as a form of retaliation due to the economic and military sanctions placed on the country by the U.S. government and NATO allies. The advisory states that ‘The AHA is closely monitoring the potential for increased cyber risks to the U.S. health system stemming from the ongoing military operations in the Russia/Ukraine region. The Russian military has previously used cyberattacks against Ukraine to disrupt the electrical grid, communications capabilities and financial institutions. For example, it was reported last week that cyber denial-of-service attacks, attributed to the Russian military, were launched against Ukraine’s Ministry of Defense, as well as its financial institutions.’”
That AHA advisory further referenced a “Shields Up” advisory posted on Feb. 23 by the Cybersecurity & Infrastructure Security Agency (CISA), which CISA officials posted to their website. As that advisory stated, “CISA recommends all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets. Recognizing that many organizations find it challenging to identify resources for urgent security improvements, we’ve compiled a catalog of free services from government partners, and industry to assist.” Among the couple of dozen specific actions that CISA recommended that all business organizations in the U.S. take were these:
Reduce the likelihood of a damaging cyber intrusion:
- Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
- Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA's guidance.
- Sign up for CISA's free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
Take steps to quickly detect a potential intrusion:
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
- Confirm that the organization's entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
Ensure that the organization is prepared to respond if an intrusion occurs:
- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
The full list of actions that CISA recommends organizations take can be found on CISA's website.
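The second item in CISA's list, patching with priority on vulnerabilities CISA has seen exploited, is something a small script can make concrete. The following is an added example, not code from the article, CISA or CynergisTek: it takes vulnerability-scanner findings per host, cross-references them with an excerpt of CISA's Known Exploited Vulnerabilities (KEV) catalog, and orders the matches by CISA's remediation due date, flagging those already overdue. The real catalog is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the excerpt here is constructed with placeholder CVE identifiers (CVE-0000-000x) and keeps only the catalog's field names, and the host names and scanner output are constructed as well.

```python
"""Check vulnerability-scanner findings against CISA's Known Exploited
Vulnerabilities (KEV) catalog so patching can be prioritised by what CISA
has actually seen exploited.

CISA publishes the real catalog as JSON at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
The excerpt below is CONSTRUCTED for this example: it keeps the catalog's
field names but uses placeholder CVE identifiers (CVE-0000-000x), not real
entries. The scanner output and host names are constructed as well.
"""
import json
from datetime import date

# Constructed KEV excerpt (placeholder CVE IDs, not real vulnerabilities).
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-0000-0001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleVPN",
            "vulnerabilityName": "Placeholder remote-access flaw",
            "dateAdded": "2022-02-10",
            "shortDescription": "Constructed entry for illustration.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-02-24",
        },
        {
            "cveID": "CVE-0000-0002",
            "vendorProject": "ExampleVendor",
            "product": "ExampleEHR",
            "vulnerabilityName": "Placeholder application flaw",
            "dateAdded": "2022-02-25",
            "shortDescription": "Constructed entry for illustration.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-03-17",
        },
    ],
})

# Constructed scanner output: host -> CVE IDs the scanner reported there.
# CVE-0000-0009 is deliberately absent from the KEV excerpt.
SCAN_FINDINGS = {
    "vpn-gw-01": ["CVE-0000-0001", "CVE-0000-0009"],
    "ehr-app-02": ["CVE-0000-0002"],
    "ws-0417": ["CVE-0000-0009"],
}


def load_kev(json_text):
    """Parse the KEV feed into a dict keyed by CVE ID."""
    data = json.loads(json_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Return the scanner findings that appear in the KEV catalog, earliest
    CISA due date first, each flagged as overdue if the due date has passed.
    Findings not in the catalog are dropped: they still need patching, but
    the point of this check is to surface the known-exploited ones first."""
    hits = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due,
                "overdue": due < today,
                "action": entry["requiredAction"],
            })
    hits.sort(key=lambda h: (h["due"], h["host"]))
    return hits


def report(hits):
    """Format the prioritised list as one line per finding."""
    lines = []
    for h in hits:
        flag = "OVERDUE" if h["overdue"] else "due"
        lines.append(f'{flag} {h["due"]}: {h["host"]} {h["cve"]} '
                     f'({h["product"]}) - {h["action"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    print(report(prioritize(SCAN_FINDINGS, kev, date(2022, 3, 1))))
```

Run against the constructed data with a "today" of 2022-03-01, the VPN gateway's finding comes out first and is marked overdue, the EHR application server's finding follows with a due date still ahead, and the workstation drops out because its only finding is not in the catalog. In practice the scanner export and the downloaded KEV JSON replace the constructed constants, and the output feeds the patch queue the advisory's second item describes.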
And it is in that context that Mac McMillan, president and CEO of the Austin, Texas-based CynergisTek cybersecurity consulting firm, shared his perspectives on Monday, with Healthcare Innovation Editor-in-Chief Mark Hagland. Below are excerpts from that interview.
What’s going on right now, and how should healthcare IT leaders understand it?
The Russians have been employing cyber-attacks, primarily against military and infrastructure targets in Ukraine, and primarily in conjunction with other attacks. At the same time, they’ve been employing cyber-attacks in a strategic way; other people are deploying cyber-attacks against Russia as well. And other countries are beginning to get involved. And the thing that we haven’t seen yet, or at least haven’t had reported, is cyber criminals taking advantage of all the noise.
Are cyber-attacks that impact U.S. healthcare organizations inevitable, then?
I think that they’re absolutely inevitable. If the cadence of cyber-attacks picks up and the number of countries grows—not just Russia against Ukraine—to where it will be easier to hide—you’ll have the potential to see cyber criminals getting into the game, because of the opportunity.
What kind of person might be involved in these attacks?
Any cyber-criminal or organized crime bunch that would be going after businesses for ransomware purposes, for example. They could be more easily concealed and less likely to quickly be discovered. On the one hand, I’d like to believe that people would be more vigilant right now; but I’m a realist. In reality, everybody’s fixated with what’s going on with Russia and Ukraine and Belarus—and these guys will likely slip in. It hasn’t evolved yet into a full-blown cyber war involving everyone. But you have Belarusians and Chechens vowing to get into the fight with the Russians; and the Poles are saying they’re going to help the Ukrainians more directly.
The problem with all of this, as we’ve seen in the past, is that, even though you might launch an attack against a specific target, rarely has an attack not hit someone unintended. For example, within a day of the WannaCry ransomware attack being released, hundreds of thousands of systems in 150 countries around the globe were affected. So anything could happen. Let’s face it: Ukraine, Belarus, and all, are connected to a lot of people. So I may just be attacking you, but that attack could impact many others downstream.
So it’s not so much about entities here being directly attacked, though the more sanctions we levy, and the more painful those sanctions become, who knows? I think there’s a risk here not just from direct attack, but from collateral damage, such as through supply chains being disrupted or infrastructure being disrupted, or even economic disruption.
Could you see organized crime leaders in Russia trying to hit soft targets in the U.S., and that that could potentially include healthcare?
Yes. The more people are hurt by this, the greater the chances they’ll strike back. And it’s not just Putin himself, it’s the oligarchs, it’s people who support Putin or the oligarchs. And in any one of those scenarios hitting us or our critical allies, that could potentially affect all of us. The attack surface here is enormous: it’s literally the entire globe. It’s not so much that they’re attacking a specific hospital, for example, but rather our infrastructure. So if they take out the ISPs and Internet communication, or they attack parts of the energy sector, they could cause massive cost to the healthcare sector; or they go after major healthcare vendors. Why go after Hospital A, when I could go after Cerner or Epic, and take out a whole bunch of hospitals? Sometimes, we think too simplistically about this, because we’re thinking as private-sector leaders who are thinking as civilians, as opposed to thinking about military combatants in a geopolitical war.
So what should healthcare IT leaders be doing now?
The first thing that they should be doing would be to be heightening vigilance—tell everybody in your organization, we could be a potential target, a potential victim of someone else. We could be the victim of some debilitating influence because of some element in our infrastructure; and we need to be paying attention now more than ever before. And anything that looks out of order needs to be reported right away. We need to know who our critical suppliers are, and we should be asking them, do you have any folks with any connections here? Do I have a supplier with their help desk, or their coders, in Ukraine? Or other countries. Think Kronos, Kaseya, JBS Foods, Colonial Pipeline; a lot of people were hurt by those attacks who were not attacked directly. We have to understand who our suppliers are and determine how secure they are. We need to be identifying potential risks. If something happens to any of my suppliers, what am I going to do? And you need to dust off your business continuity plans for the possibility of being hit by an outage that might last longer than a couple of days.
And where are we with respect to patching? To behavioral monitoring? And anyone supporting us who’s doing endpoint protection or who’s monitoring our environment with a SOC, are we really operating efficiently? Are we getting alerts? Are we doing anything? And to the extent possible, we should be reducing access: any foreign location that doesn’t need to be communicating with us over the Internet, shouldn’t be doing so. We need to limit the number and group of people who can connect to our environment to those who are absolutely necessary to carry out the mission. And last but not least, we need to remind our staff to stay alert to things like phishing and messages related to scams, so they’re on heightened alert with respect to those things. The bottom line is that if you haven’t already invested in technology, you won’t have time to do it now, so you have to make sure that what you have is as tight as possible, that you’re paying attention, and that you’re doing the best you can at anticipating where you might be at risk.