U.S. hospitals and healthcare providers are being warned by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) of “credible information of an increased and imminent cybercrime threat” to their IT systems.
The three agencies are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.
Several hospitals have already been breached by coordinated attacks using Ryuk ransomware to encrypt data and keep it locked up over the Trickbot network of infected computers to steal data, disrupt health care services and extort money.
Institutions are being urged to take necessary precautions to protect their networks.
Since 2016, the cybercriminal enterprise behind Trickbot malware has continued to develop new functionality and tools increasing the ease, speed, and profitability of victimization.
The attacks are said to generally start as emails similar to corporate communications containing Google Docs and PDFs with malicious links.
CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
HPH Sector organizations are urged to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations. Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. CISA, FBI, and HHS suggest HPH Sector organizations review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.
CISA, the FBI, and HHS have recommended that hospitals and healthcare systems implement the following measures as soon as possible:
· Establish and practice out of band, non VoIP, communications
· Rehearse IT lockdown protocol and process, including practicing backups
· Ensure backup of medical records, including electronic records, and have a 321-backup strategy – have hard copy or remote backup or both
· Expedite patching response plan within 24 hours
· Prepare to maintain continuity of operations if attacked
· Review plans within the next 24 hours should you be hit
· Check that your anti-virus and endpoint detection and response (EDR) are running; a stopped state may indicate compromise
· Power down IT where not used
· Consider limiting use of personal email
· Be prepared to reroute patients
· Ensure proper staffing for continuity
· Know how to contact federal authorities when phones are down, or email has been wiped
· Consider limiting/powering down non-essential internet facing IT services
· Limit personal email services
· Be prepared to re-route patients if patient care is disrupted due to IT outage
· Ensure sufficient staffing to maintain continuity of operations with disrupted IT networks
· Report all potentially related cyber incidents to the FBI 24/7 CyberWatch Command Center at 855-292-3937
The full Cybersecurity Advisory provides technical details, indicators of compromise (IOCs) for Trickbot, Ryuk attack techniques under the MITRE ATT&CK framework, and significantly more detail about mitigation.
Several chief technical officers have characterized the attacks as the most significant threat seen in the United States.
