CISA: Ransomware Activity Targeting the Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.

Heather Paunet, Senior Vice President at Untangle, says, “With each ransomware attack on a hospital or medical center, it becomes increasingly clear that back up plans are being developed or initiated as an immediate response while networks are down. There are many medical instruments, such as ventilators, insulin pumps, and other IoT devices that can become vulnerable network access points. These devices need to be audited constantly for software updates, patches, and other upgrades to ensure that outdated software isn’t leaving the network open for criminals.”

According to Daniel Norman, Senior Solutions Analyst at the Information Security Forum, the healthcare services industry has an out-of-date approach to security awareness, education and training.

He explains, “With this industry adopting new and emerging technologies, the requirement to educate and train the entire workforce on a range of cyber risks and threats is imperative. In addition, the safety and wellbeing of patients has historical been the top priority, so this mindset needs to translate into the security of systems and devices that will underpin the lives of many. Basic cyber hygiene standards need to be met, covering patching and updates, network segmentation, network monitoring and hardening, especially for technologies such as AI, robotics and IoT devices. Privacy should also be a high priority for anyone handling sensitive information, considering the shift towards storing patient records online.”