Feds Issue Warning About Surge in Hospital Ransomware Attacks

Oct. 29, 2020
Cybersecurity and Infrastructure Security Agency, FBI warning providers to protect their networks from infection with Ryuk ransomware

The Washington Post is reporting that in the space of 24 hours, six hospitals across the country were hit this week with Ryuk ransomware attacks demanding up to $1 million, and that some hospitals have paid. In response, federal agencies have issued a warning saying that they have credible information of an increased and imminent cybercrime threat to more U.S. hospitals and healthcare providers.

An AP News story identified a few of the hospitals attacked so far this week as three belonging to the St. Lawrence County Health System in upstate New York and the Sky Lakes Medical Center in Klamath Falls, Ore. “Sky Lakes acknowledged the ransomware attack in an online statement, saying it had no evidence that patient information was compromised. It said emergency and urgent care 'remain available.' The St. Lawrence system did not immediately return phone calls seeking comment,” according to the AP story.

In an interview with NECN and NBC10 Boston affiliate NBC 5 News, Vermont Public Safety Commissioner Mike Schirling confirmed that the University of Vermont Health Network's systems are down, and characterized the penetration as the largest cyberattack ever in Vermont that he was aware of.

The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and the Department of Health and Human Services are warning healthcare providers to take precautions to protect their networks from these threats, including attempts to infect systems with Ryuk ransomware.

CISA, FBI, and HHS encourage healthcare organizations to maintain business continuity plans to minimize service interruptions. They also suggest reviewing or establishing patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.

In terms of response to attacks, CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered, they noted. “It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.” In addition to implementing network best practices, the FBI, CISA and HHS also recommend the following:

• Regularly back up data, air gap, and password protect backup copies offline.

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

• Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.

• Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

CISA, FBI, and HHS recommend that healthcare organizations implement both ransomware prevention and ransomware response measures immediately.

• Join a healthcare information sharing organization such as the Health Information Sharing and Analysis Center (H-ISAC).

• Engage with CISA and FBI, as well as HHS—through the HHS Health Sector Cybersecurity Coordination Center (HC3)—to build a lasting partnership and collaborate on information sharing, best practices, assessments, and exercises.

Cybersecurity vendors and consultants weighed in on the new advisory with advice and by touting their services.

“It’s extremely difficult for businesses – most of which are not cybersecurity experts – to address ransomware and other cyberthreats, which continue to grow in sophistication,” read a statement from Jeff Brown, CEO of vendor Open Systems. “Most organizations struggle to find the cybersecurity talent they need, which makes it extremely challenging for them to contain the deluge of cyberattacks coming their way. Organizations that need assistance addressing ransomware and other cyberthreats can get the expertise and responsiveness they need by partnering with a managed detection and response provider. An experienced MDR provider can efficiently and effectively identify and contain cyberthreats on the enterprise’s behalf based on a pre-authorized playbook.”

A statement from Oliver Noble, a data encryption specialist at NordLocker, makes several recommendations, including the following:

• Adopt zero-trust network access, meaning that every access request by a member of medical staff should be granted only after their identity has been appropriately verified.

• Encrypt medical files to avoid data leaks in ransomware. Tools can offer an encrypted cloud for easy access and secured data storage.

A statement from Matt Walmsley, EMEA director at Vectra, a San Jose, Calif.-based company, notes that “the performance and analytical power of AI is needed to detect these subtle indicators of ransomware behaviors and the misuse of privileged credentials at a speed and scale that humans and traditional signature-based tools simply cannot achieve. Ransomware will continue to be a potent tool in cybercriminals’ arsenals as they attempt to exploit, coerce, and capitalise on organizations’ valuable digital assets.”
