This week the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released a Joint Cybersecurity Advisory warning of current ransomware activity targeting the health care and public health sectors. The advisory states that the agencies have credible information concerning increased and imminent cybercrime threats to U.S. hospitals and other health care providers. This advisory comes amidst numerous recent news reports regarding an ongoing spike in ransomware attacks against health care organizations.
These ransomware attacks often begin with “loader” malware, such as Trickbot and BazarLoader (or BazarBackdoor), which is deployed via e-mail phishing campaigns that contain malicious links or attachments. When staff at health care organizations click on such links or open e-mail attachments, the malware is then used to infect victim networks and subsequently deploy ransomware, including the malware known as Ryuk. For this reason, we recommend that health care organizations distribute internal communications to place their staff on high alert and provide guidance to assist staff in identifying and appropriately handling phishing and other nefarious e-mails. This is something all health care organizations should do regularly, but it is particularly important at present. Issues to consider addressing in such alerts include the following:
- Watching out for vague or unusual subject lines and e-mail messages
- Hovering (without clicking) over links to see the actual URL (text labels can be modified to trick staff into believing a link is valid)
- Double-checking the spelling and accuracy of domain names and links
- Not clicking links or opening attachments in unexpected e-mails without first obtaining assistance from IT staff
- Picking up the telephone to verify e-mails with senders
- Contacting IT staff if there is any doubt about e-mails, links, or attachments
- Immediately alerting IT staff after mistakenly clicking on a link or opening an attachment that may be malicious
- Alerting IT when receiving suspicious e-mails so that they can alert others within the organization
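The second and third items above (comparing a link's visible label with its real destination, and checking domain spelling) can also be automated at the mail gateway or in a help-desk triage tool. The following Python script is an added illustration, not code from the advisory or from the original post: it parses the anchors in an HTML e-mail body and flags links whose displayed text names one host while the `href` points at another, and links whose host closely resembles a trusted domain. The `TRUSTED_DOMAINS` set, the `example-hospital.org` names, and the sample message bodies are all constructed placeholders for this example.

```python
"""Flag e-mail links whose visible label does not match the real URL.

Added example (not from the CISA/FBI/HHS advisory or the original post):
automates the manual "hover over the link" check. The domains and the
sample HTML below are constructed placeholders for this illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Hypothetical organisation's own domains (placeholder values).
TRUSTED_DOMAINS = {"example-hospital.org", "portal.example-hospital.org"}

# Matches visible link text that looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def registered_host(url: str) -> str:
    """Lower-cased hostname of a URL ('' if none)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def is_trusted(host: str) -> bool:
    """True for a trusted domain or any subdomain of one."""
    return host in TRUSTED_DOMAINS or any(host.endswith("." + t) for t in TRUSTED_DOMAINS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch swapped or dropped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate: str, trusted: str) -> bool:
    """Cheap lookalike test: trusted name embedded in the host
    (example-hospital.org.evil.example) or within two edits of it."""
    return trusted in candidate or edit_distance(candidate, trusted) <= 2


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html_body: str) -> list:
    """Return one finding dict per suspicious link in an HTML e-mail body."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        target = registered_host(href)
        reasons = []
        m = URL_LIKE.match(text)
        if m:  # label itself names a host: it must match the real destination
            shown = m.group(1).lower()
            if shown != target and not target.endswith("." + shown):
                reasons.append(f"label shows {shown} but link goes to {target}")
        if not is_trusted(target) and any(looks_like(target, t) for t in TRUSTED_DOMAINS):
            reasons.append(f"{target} resembles a trusted domain")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample message: two suspicious links, two legitimate ones.
SAMPLE_BODY = """
<p>Please <a href="http://example-hospital.org.login-verify.net/x">https://portal.example-hospital.org</a>
to review records, or use <a href="https://portal.example-hospital.org/records">https://portal.example-hospital.org/records</a>.</p>
<p><a href="https://exampIe-hospital.org/">Click here</a> if the page does not load,
or visit <a href="https://www.example-hospital.org/">example-hospital.org</a>.</p>
"""

if __name__ == "__main__":
    for f in check_links(SAMPLE_BODY):
        print(f"SUSPICIOUS: {f['text']!r} -> {f['href']}: {'; '.join(f['reasons'])}")
```

Run against `SAMPLE_BODY`, the first anchor is flagged on both counts (the label names the portal while the link goes elsewhere, and the real host embeds the trusted name), the third is flagged because its host is one character away from the trusted domain, and the two genuine links (an exact match and a `www.` subdomain) pass. A production deployment would replace the edit-distance heuristic with a proper lookalike library and feed findings into the mail gateway's quarantine rather than printing them.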
We also strongly recommend that health care organizations review the recent advisory, which contains a number of technical details on the ongoing ransomware threat, as well as recommendations for ransomware preparedness and mitigation, including business continuity planning and network best practices. Health care organizations should carefully consider such recommendations and ensure they are taking steps to effectively manage cyber risks and also meet HIPAA and other legal requirements that relate to privacy, security, and data breaches. That includes having an effective plan in place to appropriately respond to cyber events when they occur, enable continued business operations, and avoid strategic missteps that can hamper an organization’s ability to recover.
The initial steps that an organization takes when experiencing a cyberattack are critically important.