On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a joint cybersecurity advisory (the Joint Cybersecurity Alert) to warn the healthcare sector that there is “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”

The complete Joint Cybersecurity Alert provides specific details regarding this threat and can be found here.

Healthcare companies should be aware of the heightened risk of potential ransomware attacks targeting the sector. Below are some practical steps you can take right now to decrease the risk of attack and to be better prepared should your organization fall victim:

• Review your cyber insurance coverage. Is it up to date and does it cover ransom?
• Do you have a good incident response plan? If your company is still in WFH mode, be sure that all who may be activated in the event of an incident have a paper copy of the plan at home.
• Do you have a way for senior management to communicate if your network systems are all down? We recommend setting up a secure texting app string before an attack occurs.
• Have your employees been educated on how to detect (and report) phishing emails and the exponential increase in phishing attacks since March of 2020? Phishing emails have increased more than 35 times the normal rate during the COVID-19 pandemic.
• Are your employees only accessing the network through approved devices and secure networks (with up-to-date anti-virus software and patches)?
• Have you done trainings and table top exercises to prepare for a cybersecurity incident? We recommend taking this step now so that senior management develops muscle memory for what to do in an incident. The midst of a crisis is not the time for learning on the fly.

The Joint Cybersecurity Alert also includes a list of network security best practices that organizations in the healthcare sector may consider to mitigate risk. These include the following:

• Patch operating systems, software, and firmware as soon as manufacturers release updates.
• Check configurations for every operating system version to prevent issues from arising that local users are unable to fix due to having local administration disabled.
• Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
• Use multi-factor authentication (MFA) where possible.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
• Implement application and remote access restrictions to only allow systems to execute programs known and permitted by the established security policy.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
• Audit logs to ensure new accounts are legitimate.
• Scan for open or listening ports and mediate those that are not needed.
• Identify critical assets; create backups of these systems and house the backups offline from the network.
• Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
• Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

We recommend reviewing the Joint Cybersecurity Alert and evaluating your organization’s cybersecurity policies and programs in light of the potential cybersecurity threats that are identified in this Alert.