Ransomware Advisory: Strategies for your Organization

October 30, 2020

Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) recently updated their warning to hospitals about ransomware to include information about Conti, TrickBot and BazarLoader. The CISA Alert AA20-302A focused on Ryuk ransomware and said the federal government had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”

Speaking with clients over the last two days, Intraprise Health discussed additional tactical things hospitals can do to further address preparedness.

“Alert fatigue” is something our clients have mentioned as an issue,” said Sean Friel, Intraprise Health’s CEO. “Security professionals and employees are bombarded with so many “alerts” that it is often hard to focus on the highest priority.” To combat this issue, Friel recommends hospitals put a special focus on internal awareness techniques, such as an organization-specific prioritization strategy. This will ensure your workforce knows when they need to be at a higher than normal level of vigilance —  up to and including an air gapped state, when the threat level is most severe.

Hospitals face persistent phishing attacks. The strongest defense against phishing is employee awareness and education. “Hospitals should determine if they need to further optimize their phishing programs – vigilant employees are the first line of defense against cyber threats,” said Friel.

Intraprise Health is sharing its latest recommendations, listed below to deal with the specific threats that have been identified. We will continue to update this list and provide additional resources as the situation evolves.

Short Term Recommendations:

1. Work closely with vendors storing critical data on their preparedness programs, activities and current state of their security program
2. Focus on internal awareness techniques, as noted above.
3. Determine if you need to put a greater emphasis on phishing campaigns
4. Convene table-top exercises with your team, if not already planned specifically the organization’s ability to respond and recover from a ransomware attack.
5. Review your data backup plan:
   1. Ensure system/data backups are running properly.
   2. Backups should include logically separated copies or taped backups whenever possible.
   3. Consider reducing the time interval between backups for your most critical data

Mid Term Recommendations:

1. Seize this as an opportunity to implement important controls that may have been difficult to get approved previously (one CISO was able to get approval to block all personal email sites)
2. Implement multi-factor authentication
3. Consider increasing the frequency of HICS (Hospital Incident Command System) preparedness meetings.
4. Contact your state hospital association and/or local HIMSS chapter to determine the feasibility of convening regional conference/web calls with peer organizations to share and disseminate information.

Longer Term Recommendations:

1. Inventory systems and user accounts to ensure least necessary service ports and privileges are available and assigned
2. Implement technology that automates threat mitigation
3. Consider implementing a Zero Trust framework
4. Address preparedness holistically and from a risk management perspective

If your organization is the target of a ransomware attack, You can contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov. Additionally, see CISA and MS-ISAC’s Joint Ransomware Guide for information on contacting—and what to expect from contacting—federal asset response and federal threat response contacts.