FBI and HHS Warn of “Imminent Cybercrime Threat” in Healthcare
For years, the healthcare industry has been on guard for ransomware attacks, and now, more than ever, healthcare leaders must continue to be vigilant. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have received credible information of an increased and imminent threat to U.S. hospitals and healthcare providers. On October 28, 2020, the agencies issued a joint announcement (revised on October 29th) to advise healthcare providers to take timely and reasonable precautions against these threats.
An Ever-Increasing Threat
These attacks are increasingly sophisticated and their impact is growing. Cybercriminals are using Trickbot malware and other tools to increase the speed and profitability of their attacks while making deployment even easier. Moreover, the impact of these attacks is growing increasingly severe as they include credential harvesting, exfiltration, and even cryptomining.
One key takeaway: even if you have experienced an attack before, you are not immune from these new threats. In their joint announcement, CISA, the FBI, and HHS provide best practices for networks and users. You can find these mitigation measures at https://us-cert.cisa.gov/ncas/alerts/aa20-302a.
What Else Should We Do?
1. Have knowledgeable counsel at the ready:
Your response team should consult with counsel as soon as an attack is realized. Counsel can assist with assessing and responding to your notification requirements along with reviewing any related contractual obligations if your supply chain is implicated in an attack.
2. Assess the risk:
The heightened risk of attacks provides a good reason to check your plans and conduct needed assessments. At this time, you should:
- Conduct a risk assessment. A risk assessment can aid in identifying, estimating, and prioritizing the cyber risks an organization is facing.
- If you haven’t already, encrypt your data, both at rest and when in transit.
- Implement multi-factor authentication—it’s simple and inexpensive.
- Test your backup and recovery plan. Check the ICS-CERT Alerts https://www.us-cert.gov/ncas/alerts to keep abreast of news and security warnings. The need for segregated back-up systems is clear when ransomware encrypts your system. When a solid back-up plan is in place, the consequences of a ransomware attack on an entity’s system may potentially be minimized.
- Update your Incident Response Plan. A good plan is one that evolves with new challenges. With the emerging threats, you should develop new tactics and security controls to mitigate these risks while taking the opportunity to incorporate lessons learned from other recent events.
3. Protect your organization:
- Train your workforce. Make sure that your entire workforce has sufficient training and education about security and this increased risk. While there may be patches to help alleviate the risks of ransomware, there are no patches for human error.
- Review your insurance policies. Now is the time to verify your cyber-event insurance coverages, including coverage for damages including the costs of breach notification expenses and remediation activities and costs.
Of course, if you have any questions at all, our Butzel Long Healthcare Team and Cybersecurity and Privacy team is here to help.