ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector

The HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) has issued an update on ransomware activity targeting the healthcare and public health sectors, saying, “At this time, we consider the threat to be credible, ongoing, and persistent.”

In late October, a joint alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the HHS warning of an imminent increase in ransomware activity targeting the healthcare sector. Within a week of the alert being issued, six healthcare providers reported ransomware attacks in a single day. More than a dozen healthcare organizations have reported being attacked in the past two months, with over 62 attacks reported by healthcare organizations so far in 2020.

Human-operated ransomware attacks have previously seen attackers gain access to networks many weeks and even months prior to the deployment of ransomware. ASPR notes that in many recent ransomware attacks, the time from the initial compromise to the deployment of ransomware has been very short, just a matter of days or even hours.

A long period between compromise and deployment gives victim organizations time to identify the compromise and take steps to eradicate the hackers from the network in time to prevent file encryption. The short duration makes this far more difficult.

“CISA, FBI, and HHS urge health delivery organizations and other HPH sector entities to work towards enduring and operationally sustainable protections against ransomware threats both now and in the future.”

A variety of techniques are now being used to deploy ransomware, including other malware variants such as TrickBot and BazarLoader, which are commonly delivered via phishing emails, as well as manual deployment after networks have been compromised by exploiting vulnerabilities.

Healthcare organizations should take steps to combat the ransomware threat by addressing the vulnerabilities that are exploited to gain access to healthcare networks. This includes conducting vulnerability scans to identify vulnerabilities before they are exploited and ensuring those vulnerabilities are addressed. Anti-spam and anti-phishing solutions should be implemented to block the email attack vector, and healthcare organizations should adopt a 3-2-1 backup approach to ensure files can be recovered in the event of an attack. The 3-2-1 approach involves 3 copies of backups, on two different media, with one copy stored securely off-site. The recent ransomware attack on Alamance Skin Center highlights the importance of this backup strategy. Patient information was permanently lost as a result of the attack when the ransom was not paid.

“Organizations should balance their operational needs with the current threat level and develop processes and postures for normal operating status and higher threat periods,” explained ASPR. “The threat from ransomware is ongoing and entities should develop effective deterrent procedures while maintaining effective care delivery.”

Indicators of Compromise (IoCs), suggested mitigations, and ransomware best practices are detailed in the October 28, 2020 CISA/FBI/HHS alert.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.