The Federal government is warning of an “increased and ongoing cybercrime threat to U.S hospitals and healthcare providers” due, in part, to the recent simultaneous ransomware attacks on six hospitals based in Oregon, New York, and California. The attacks encrypted data on the hospitals’ information systems which caused disruptions in patient care, including the cancellation of noncritical surgeries and the diversion of patients to other facilities. The Department of Health and Human Services, the Federal Bureau of Investigation, and the Cybersecurity and Infrastructure Security Agency described the cybercrime threat health care facilities and providers face in a joint cybersecurity advisory issued on October 28, 2020, titled “Ransomware Activity Targeting the Healthcare and Public Health Sector.”
 
The threat involves the deployment of a more sophisticated version of the Trickbot malware, which is now installed more easily and quickly by cybercriminals. Generally distributed through via spam email, the malware includes a complete set of tools to conduct illegal cyber activities, such as email theft and destruction, credential harvesting, and the deployment of ransomware, including the Ryuk virus. Use of Ryuk has grown and is now responsible for one-third of all cyberattacks in 2020. The malware has infiltrated hospital and health system information systems and caused not only financial damage, but also, in an increasing number of cases, complete interruption of information system operations. The actors deploying Ryuk appear to be targeting larger healthcare enterprises and vary the ransom demand based on the size of the targeted organization. Ryuk could not come at a more difficult time for providers battling the Covid-19 pandemic, which has stretched both finances and operations perhaps greater than ever before.
 
The Advisory includes a listing of prevention and mitigation strategies to increase cybersecurity that include both network and attack response strategies. Given the increasing threat level outlined in the Advisory, the most important and immediate step for a healthcare organization is to review and prepare to implement its Disaster Recovery Plan (DRP). The DRP provides the roadmap for an organization’s ongoing cybersecurity activities and its response to a cyberattack. The DRP should include provisions for the maintenance and retention of multiple copies of sensitive or proprietary data and servers in a physically separate, secure location. An organization’s IT staff should be on high alert and prepared to immediately deploy in the event of an attack.
 
The full Advisory, containing more technical detail, infiltration indicators, and mitigation strategies, is here.