A cybersecurity advisory from the federal government not only puts healthcare CIOs on high alert but also signals a call to arms.
Last week, the FBI, the U.S. Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency issued a joint cybersecurity advisory warning healthcare organizations of an "increased and imminent cybercrime threat."
The federal agencies have collected credible intelligence to suggest an impending wave of ransomware attacks, with some speculation that more than 400 healthcare systems could be targeted and that the attacks may have already started. Since the cybersecurity advisory was issued, healthcare systems, including Sky Lakes Medical Center in Klamath Falls, Ore., and three St. Lawrence Health System hospitals in New York, have reported being hit by ransomware, although it's unclear whether those attacks are related to the advisory.
The ransomware threat is another in a string of hardships affecting healthcare organizations today. The pandemic is still wreaking havoc: organizations continue to fight COVID-19 while adopting new technologies and routines amid significant budgetary disruptions.
"This should be the rallying call to say, 'Look, this is the next crisis we're dealing with, just like we dealt with PPE and masks and ventilators,'" said Caleb Barlow, president and CEO of healthcare cybersecurity firm CynergisTek. "Our issue now is we have to shore up the cybersecurity posture of America's healthcare -- and we have to do it right now."
And, according to cybersecurity experts, there are ways healthcare CIOs can prepare their organizations to do just that.
TrickBot and Ryuk
The cybersecurity advisory warns healthcare systems that cybercriminals are using TrickBot and BazarLoader malware to gain access to healthcare networks. The malware is disseminated mostly through email phishing and social engineering so that when employees click on links or download attachments, their computers become infected, according to Barlow.
Once cybercriminals gain access to the healthcare network, they work to reach additional systems and obtain administrative credentials. Ryuk, a ransomware strain that emerged from banking-focused cybercrime, is eventually deployed and locks a system's data by encrypting it.
Barlow said phishing emails are sophisticated, look credible and often appear to be from known entities or the user's own company, even incorporating company logos. But it's the evolution of Ryuk that, along with credible intelligence from federal agencies, likely helped trigger the cybersecurity advisory, according to Dan L. Dodson, CEO at Fortified Health Security, a healthcare cybersecurity firm in Franklin, Tenn.
In the past, Ryuk "used to be low and slow," Dodson said. "That allowed organizations time, if you will, to identify, isolate and remediate before damage is done."
Today, Ryuk can enter a healthcare organization's environment and "hold you ransom within five hours," he said, which gives healthcare CIOs little chance to control the attack.
What healthcare CIOs can do today
Even with a threat as insidious as this, CIOs are not powerless.
David Chou, CIO at Harris Health System in Houston, for one, never let his guard down after the University Health Services (UHS) ransomware attack a month ago.
"Even a few weeks ago, when UHS went down with a very comparable attack, we were already on high alert there," Chou said. "But the fact that we have the FBI bringing this up has really put us even more at a higher elevation in terms of awareness."
Chou said since receiving the cybersecurity advisory, he has focused on accomplishing two main tasks: First, he said he is sending an automated message to every Harris Health System employee, warning them of the ransomware threat. Second, he's working to update endpoints with the latest security measures now that many Harris Health System employees are remote.
The steps Chou is taking are in line with what cybersecurity experts advise -- both strategically and tactically. In addition to keeping on top of information as it emerges, they recommended that healthcare CIOs look for potential vulnerabilities and weaknesses, applying strategic patches -- especially for critical systems -- if they're missing. Penetration tests or simulated cyberattacks can be a useful resource for CIOs in conducting this assessment.
"If you've done a penetration test or a hacking test proactively, look at the results of that and see, is there anything here that we've identified already that would have been an entry point for these particular pieces of malware and how they operate," said Brian Selfridge, partner at Meditology Services and CORL Technologies, a healthcare cybersecurity consultancy in Atlanta.
Because the ransomware is often deployed through phishing attacks, alerting leadership and employees to the seriousness of the cybersecurity advisory is also critical.
"This is a call to arms," Dodson said.
Dodson recommended CIOs consider the organization's culture when choosing how to alert staff to the threat. "If you're an organization that heavily floods your user base with awareness and training [programs], they're going to think this is just another note from IT," he said. "This is significant enough of a heightened awareness alert that this needs to feel different, depending on how you've managed that culturally in the past."
The cybersecurity experts said CIOs should analyze their systems for indicators of compromise, many of which were included in the cybersecurity advisory. Barlow said they can conduct a compromise assessment by deploying a set of tools to look for signs that the network has been attacked.
Selfridge suggested information from cybersecurity organizations such as Mandiant Solutions can come in handy, too. Mandiant, for example, released a list of IP addresses known to be used in TrickBot and Ryuk attacks. Analyzing a healthcare organization's traffic for those known addresses may provide an early warning sign.
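As an added illustration of the traffic check described above (this is example code, not from the article, the advisory, or any of the firms named), the script below matches the destination addresses in firewall log lines against a block list of single IPs and CIDR ranges. The indicator values and log lines are constructed placeholders from the RFC 5737 documentation ranges, not the real indicators published for TrickBot or Ryuk; a real run would load the advisory's or Mandiant's list in their place.

```python
import ipaddress
import re

# Constructed placeholder indicators (RFC 5737 documentation addresses).
# These are NOT the real TrickBot/Ryuk indicators; substitute the published list.
KNOWN_BAD = ["198.51.100.23", "203.0.113.0/24"]

# Constructed sample firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
ts=2020-10-29T14:02:11Z src=10.20.5.17 dst=198.51.100.23 dport=443 action=allow
ts=2020-10-29T14:02:15Z src=10.20.5.18 dst=192.0.2.10 dport=443 action=allow
ts=2020-10-29T14:03:40Z src=10.20.7.2 dst=203.0.113.77 dport=8082 action=allow
ts=2020-10-29T14:04:01Z src=10.20.7.9 dst=10.20.1.1 dport=53 action=allow
"""

LINE_RE = re.compile(r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def build_networks(indicators):
    """Parse single IPs and CIDR blocks alike into ip_network objects.
    strict=False tolerates a block written with host bits set (e.g. 203.0.113.5/24)."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def find_matches(log_text, indicators):
    """Return (timestamp, internal source host, matched indicator) for every
    flow whose destination falls inside a listed address or block."""
    nets = build_networks(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed destination field; do not crash the sweep
        for net in nets:
            if dst in net:
                hits.append((m["ts"], m["src"], str(net)))
                break
    return hits


if __name__ == "__main__":
    for ts, src, ioc in find_matches(SAMPLE_LOG, KNOWN_BAD):
        print(f"{ts} host {src} contacted indicator {ioc}")
```

Each hit names the internal host so the team can isolate it and pull it into the compromise assessment; the two flagged lines in the sample are the ones headed to the placeholder indicators.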
"If you see any indications of TrickBot, really start accelerating your initiatives to get your backups in place for critical systems," Selfridge said. "Make sure you have updated snapshots in an offline capacity where you'll be able to recover those."
What healthcare CIOs can do tomorrow
After critical patches have been deployed, the staff has been notified and systems scrutinized for indicators of compromise, the cybersecurity experts recommended that CIOs review their plans for continuing operations should they be affected.
"Test your backup and downtime plan to make sure you're prepared in the event that you need to move forward with the activation of those, primarily making sure that you can deliver the clinical care you need to," Dodson said.
Dodson also recommended reviewing incident response plans and dusting off cyberinsurance incident response policy requirements in preparation.
CIOs can also introduce proactive measures such as multifactor authentication, according to Barlow. He recommended they aggressively deploy endpoint protection and segment the healthcare system network.
Finally, CIOs should work with the leaders of the organization to run simulation exercises. Doing so puts the organization through its paces so it can address questions such as what it would be willing to pay and when, how vulnerable its systems are right now and how it will keep clinical operations going if systems go down, Selfridge said.
Simulation exercises can also help organizations put together a communication and governance plan, which can be critical in a crisis, Dodson said. A cyberattack sets many parts of an organization in motion at once, from public relations to legal to IT.
"When the boom happens, organizations begin to scramble and you have different owners, if you will, running in different directions," Dodson said. "Having governance and a communication plan ironed out is extraordinarily important."