By Erik Dullea and Pete Enko
The combination of a significant increase in COVID-19 cases, political tensions in the final days of a national election season, and law enforcement’s focus on election security created an opportunity for cybercriminals to target the computer networks of America’s healthcare and public health (HPH) sector. That opportunity has come to fruition this week.
On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) published Alert AA20-302A (Alert) describing ransomware activity that has targeted the HPH sector. In the Alert, CISA, FBI and HHS assess that cybercriminals are targeting the HPH sector with TrickBot and BazarLoader malware, which are frequently followed by ransomware attacks, data theft, and disruption of healthcare services.
Key Points: Hospitals across four different states have already been attacked, and cybersecurity experts report that 400 American hospitals are on a list now shared amongst criminal organizations who utilize Ryuk ransomware. Ransomware attacks on hospitals can have life and death consequences by delaying and denying essential medical services that are normally provided with the assistance of computers. CISA Director Chris Krebs had three important messages for HPH stakeholders:
- All HPH personnel must assume the Ryuk ransomware is already inside your network;
- Executives must review and be ready to activate their business continuity plans;
- IT Departments should be patching, reviewing logs and implementing multifactor authentication.
The Alert goes into great depth on the technical details of the threat from TrickBot, BazarLoader, and Ryuk ransomware and should be shared with hospital IT departments. Ryuk ransomware is typically used against large enterprise environments and has been described as a ‘big game hunter’ in the cybersecurity community.
HPH stakeholders inside and outside of a hospital network need to recognize that attacks do not have to begin inside of a hospital. Many ransomware attacks begin by breaching a trusted business partner, and riding the partner’s coattails to penetrate the target’s network. For example, after Ryuk infiltrates a network, the attackers move laterally within the network and perform reconnaissance of it. During this reconnaissance and lateral movement, the attackers are mapping out the network and identifying connections to other networks. Once the desired target has been identified and the attackers have collected the information needed to maximize the effectiveness of the attack, the ransomware begins deleting online data backups that were found during the reconnaissance and encrypts or deletes the data on the victim’s network. At that point, the attackers contact the victim and demand payment. Ryuk ransom demands are often in the hundreds of thousands of dollars.
While there are competing schools of thought on paying ransom demands, CISA and the FBI discourage victims from doing so. Not only do ransom payments validate the economics of this criminal activity, which encourages more of the criminal activity, there is no guarantee that the victim will in fact recover their data, or that paying the ransom will end the ordeal. A newer technique within ransomware attacks has been for criminals to copy the data before deleting or encrypting the victim’s files, giving the cybercriminal leverage to demand additional payments in the future lest they publish the copied data.
Assuming that the ransomware encrypted and likely copied unsecured protected health information, there is a reasonable probability that a data breach has occurred, which would require HIPAA covered entities to provide notifications pursuant to 45 C.F.R. §§ 164.400 et seq. If the breach spilled over to a covered entity’s vendors of personal health records, or the vendor’s third-party service provider, the vendor and service provider have additional notification requirements under § 13407 of the HITECH Act, which is also subject to enforcement by the Federal Trade Commission.
After reviewing the technical details and indicators of compromise, the Alert offers a range of recommended policies and procedures for healthcare stakeholders to implement, if not implemented already. The recommendations are grouped into best practices for networks, ransomware mitigation, and end-user awareness/training.
Two recommendations included in the Alert are ones that HPH organizations presumably can implement in short order. First, healthcare stakeholders should join a healthcare Information Sharing and Analysis Center/Organization (ISAC/ISAO), which gives them the opportunity to receive critical information and services to manage the risks from ransomware. Second, healthcare providers should adopt the 3-2-1 Rule for backing up their data. The 3-2-1 Rule calls for three copies of all critical data sets, stored on at least two different types of media, with at least one of the media formats stored offline.
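An IT department can test a backup inventory against the 3-2-1 Rule as worded above. The following is an added example, not part of the Alert or of this article; the dataset names, media labels and inventory format are constructed, and the inventory is assumed to list every copy of a data set, including the production copy.

```python
from collections import defaultdict

# Constructed sample inventory: one record per copy of a data set.
# "offline" means the copy cannot be reached from the network.
INVENTORY = [
    {"dataset": "ehr-db", "media": "san-disk", "offline": False},
    {"dataset": "ehr-db", "media": "san-disk", "offline": False},
    {"dataset": "ehr-db", "media": "lto-tape", "offline": True},
    {"dataset": "pacs-images", "media": "nas-disk", "offline": False},
    {"dataset": "pacs-images", "media": "nas-disk", "offline": False},
    {"dataset": "pacs-images", "media": "cloud-object", "offline": False},
    {"dataset": "billing", "media": "nas-disk", "offline": False},
    {"dataset": "billing", "media": "lto-tape", "offline": True},
]

# Constructed list of data sets the organization treats as critical.
CRITICAL = ["ehr-db", "pacs-images", "billing", "lab-results"]


def audit_321(inventory, critical):
    """Return {dataset: [findings]}; an empty list means the rule is met."""
    copies = defaultdict(list)
    for record in inventory:
        copies[record["dataset"]].append(record)

    report = {}
    for name in critical:
        records = copies.get(name, [])  # a critical set with no copies fails every test
        media_types = {r["media"] for r in records}
        findings = []
        if len(records) < 3:
            findings.append(f"{len(records)} of 3 required copies")
        if len(media_types) < 2:
            findings.append(f"{len(media_types)} of 2 required media types")
        if not any(r["offline"] for r in records):
            # Online-only copies are the ones ransomware can find and delete.
            findings.append("no offline copy")
        report[name] = findings
    return report


if __name__ == "__main__":
    for dataset, findings in audit_321(INVENTORY, CRITICAL).items():
        print(f"{dataset}: {'OK' if not findings else '; '.join(findings)}")
```

In this sample, pacs-images has three copies on two media types and still fails, because every copy is online and therefore exposed to the backup deletion described earlier.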
The Alert concludes with a detailed list of recommendations and resources for responding to ransomware attacks, hardening computer networks, information sharing resources and law enforcement resources.
Erik Dullea is a Denver-based partner with the law firm Husch Blackwell LLP who focuses on administrative and regulatory law with an emphasis on workplace safety and security in critical infrastructure sectors such as mining, energy and aviation.
Pete Enko is a Kansas City-based partner with the law firm Husch Blackwell LLP who guides healthcare clients on health law, information management, and data privacy and security matters.