On October 28, 2020, a coalition of US government entities consisting of the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a cybersecurity alert warning that malicious cyber actors are planning imminent attacks against the US healthcare and public health sectors using malware designed to facilitate ransomware attacks, data theft and the disruption of healthcare services.
Notably, in addition to the CISA and the FBI, the coalition includes HHS—the lead regulator for ensuring the privacy and security of certain private healthcare information in the United States. The cybersecurity alert specifically warns that malicious cyber actors are targeting the healthcare and public health sectors with imminent cyber attacks designed to access organizations networks, steal sensitive healthcare information, and create a major disruption to healthcare services in the midst of the COVID-19 pandemic.
The cybersecurity alert is broken into two distinct sections: The first half of the cybersecurity alert speaks to information security professionals by providing a wide array of technical details about the malicious actors' use of TrickBot and BazarLoader malware. Perhaps of greater interest to legal, compliance and risk management professionals, however, is the second half of the cybersecurity alert, which sets forth the federal government’s view of cybersecurity best practices and encourages companies to take advantage of a host of free government resources and points of contact.
The cybersecurity alert provides network best practices, ransomware best practices, and user awareness best practices, while also providing a series of recommended mitigation measures. These measures reference both the Federal Drug Administration's medical device hardening guidance and a government/private sector co-authored ransomware guide with a response checklist. In short, legal, compliance and risk management professionals would do well to determine if their organizations are implementing the US Government’s view of cybersecurity best practices and, if not, whether a reasonable, risk-based rationale exists for substantial deviations from those best practices.
Organizations should also have an up-to-date, rehearsed incident response plan that takes into account everything from how employees should handle and report suspicious emails to a method for designating and contacting individuals both within and outside the company in the event of a known or suspected incident. Other examples of best practices detailed in the alert include ensuring timely patching of operating systems, software, and firmware; using multi-factor authentication where possible; backing up critical assets; and developing a culture of cybersecurity awareness and training across the organization.
Of note, the cybersecurity alert does not take a position on whether the payment of ransomware is lawful. The cybersecurity alert indicates that "CISA, FBI, and HHS do not recommend paying ransom," and that paying ransom "will not ensure your data is decrypted or that your systems or data will no longer be compromised." However, and as described more fully in our client alert of October 1, 2020, other government agencies, such as the US Department of the Treasury's Office of Foreign Assets Control (OFAC), have warned that making or facilitating ransomware payments to sanctioned parties or jurisdictions could violate US sanctions laws.
Cyber threats like those identified in this cybersecurity alert pose complicated business and legal risks. Organizations in the healthcare and public health sectors could face significant operational impacts, potential disclosure obligations, and exposure to regulatory enforcement actions and litigation in the event of a cybersecurity incident. In addition, payments to cyber criminals to relieve the pain inflicted by a ransomware attack may lead to further exposure to enforcement actions under OFAC’s sanctions programs.