ASPR Gives Update on Ransomware Activities in the Healthcare Sector

The HHS Office of the Assistant Secretary for Preparedness and Response (ASPR) has recently released an advisory on ransomware activity targeting the healthcare and public health (HPH) sector.

In late October, HHS, the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) issued a joint advisory warning of an upcoming increase in ransomware activity directed at the healthcare sector. Within a week of the alert being issued, six healthcare organizations reported ransomware attacks in a single day. More than a dozen healthcare companies have submitted cyberattack reports in the past two months. Healthcare companies have reported over 62 attacks so far in 2020.

In human-driven ransomware attacks, attackers have previously had access to networks for a few weeks or even months before deploying ransomware. According to ASPR, in many recent ransomware attacks the time from initial compromise to ransomware deployment is short: a few days or hours.

A long interval between compromise and deployment gives victim organizations time to detect the compromise and remove the attackers from the network before files are encrypted. The short interval makes this a lot more difficult.

HHS, the FBI and CISA want health delivery organizations and other HPH sector entities to work towards lasting and operationally sustainable security solutions against ransomware threats, both now and in the future.

Ransomware is now being deployed through a variety of techniques, including delivery by other malware variants such as TrickBot and BazarLoader, which are typically sent via phishing emails, as well as manual deployment after systems have been compromised by exploiting vulnerabilities.

Healthcare organizations should take the following steps to combat the ransomware threat by addressing the vulnerabilities that attackers exploit to gain access to healthcare networks:

  • Conduct vulnerability scans to identify vulnerabilities before they are exploited, and address those vulnerabilities.
  • Implement anti-spam and anti-phishing software to block the email attack vector.
  • Adopt a 3-2-1 backup strategy to ensure files can be recovered in the event of an attack.

The 3-2-1 strategy consists of three backup copies, on two different media, with one copy kept securely off-site. The recent ransomware attack on Alamance Skin Center shows the value of this backup strategy: patient information was permanently lost because the ransom demand was not paid.

Organizations should balance their operational needs against the current threat level and establish processes and postures for both normal operating status and periods of heightened threat. The danger from ransomware is ongoing, and entities must create effective deterrent processes while sustaining efficient delivery of care.

Read the indicators of compromise (IoCs), recommended mitigations, and ransomware best practices provided by CISA/FBI/HHS on October 28, 2020 on this page.