On October 28, 2020, three federal agencies issued an alert that healthcare organizations face “an increased and imminent cybercrime threat,” including ransomware attacks, data theft, and disruption of medical services.
The three agencies — the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) — also provided advisories and best practices for how healthcare organizations can protect themselves against these ongoing threats.
What are the latest threats?
First, let’s break down the latest alert and the potential threats to medical organizations.
According to Alert AA20-302A, “Ransomware Activity Targeting the Healthcare and Public Health Sector,” the three agencies report “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers” from hackers using the TrickBot and BazarLoader/BazarBackdoor malware families.
TrickBot “provides its operators a full suite of tools to conduct a myriad of illegal cyber activities,” the alert notes, including theft of user credentials and point-of-sale data, cryptomining, and infecting systems with ransomware like Ryuk and Conti.
In 2019, the FBI began observing a new TrickBot module called Anchor, and a variant of it, Anchor_DNS, uses Domain Name System (DNS) tunneling to send and receive data from victim machines. Typically used in attacks on large corporations, Anchor_DNS disguises the hackers’ command-and-control traffic as ordinary DNS queries and responses, which most networks allow out without inspection, making it difficult to identify.
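Because tunneled data has to ride in the subdomain labels of a domain the attacker controls, the traffic has a shape that a resolver log exposes: one client sends many distinct, long, high-entropy names under a single parent domain. The script below, an added example that is not part of the alert or of any MEDITECH tooling, scores a constructed sample of resolver log lines on exactly those three properties. It assumes a simple “time client qname qtype” log format, approximates the parent domain as the last two labels (a real deployment would use a public-suffix list), and uses thresholds chosen for illustration; every host name and address in the sample is constructed.

```python
"""Heuristic detection of DNS tunnelling of the kind Anchor_DNS relies on.

A tunnelling client encodes data in the subdomain labels of an attacker
domain, so one client sends many distinct, long, high-entropy names under a
single parent domain. That is what this flags. Added example; the log lines
below are constructed, not real traffic.
"""
import math
from collections import defaultdict

# Constructed sample resolver log: "<time> <client-ip> <qname> <qtype>".
# 10.1.4.22 is ordinary traffic (including a CDN with many short subdomains);
# 10.1.4.57 is a tunnelling client talking to a constructed attacker domain.
SAMPLE_LOG = """\
2020-10-28T09:00:01 10.1.4.22 www.example.org A
2020-10-28T09:00:02 10.1.4.22 mail.example.org MX
2020-10-28T09:00:03 10.1.4.22 img1.cdn.example.com A
2020-10-28T09:00:03 10.1.4.22 img2.cdn.example.com A
2020-10-28T09:00:03 10.1.4.22 img3.cdn.example.com A
2020-10-28T09:00:04 10.1.4.22 img4.cdn.example.com A
2020-10-28T09:00:04 10.1.4.22 img5.cdn.example.com A
2020-10-28T09:00:04 10.1.4.22 img6.cdn.example.com A
2020-10-28T09:00:05 10.1.4.57 a3f9c1e07b5d2e84f6a0c9b1d3e5f7a2.tun-example.test TXT
2020-10-28T09:00:06 10.1.4.57 4c8e1b7a9d0f3e6b2a5c8d1f4e7b0a93.tun-example.test TXT
2020-10-28T09:00:07 10.1.4.57 9e2d5f8a1c4b7e0d3f6a9c2e5b8d1f47.tun-example.test TXT
2020-10-28T09:00:08 10.1.4.57 0b6f3a9e2c5d8b1f4a7e0c3d6f9b2e58.tun-example.test TXT
2020-10-28T09:00:09 10.1.4.57 7d1a4e8c2f5b9e0a3d6c8f1b4e7a2d95.tun-example.test TXT
2020-10-28T09:00:10 10.1.4.57 e5b8f2a6c9d3e7f1a4b8c2d6e0f3a7b1.tun-example.test TXT
2020-10-28T09:00:11 10.1.4.57 www.example.org A
"""

# Illustrative thresholds (assumption): tune against your own baseline.
MIN_UNIQUE = 5        # distinct subdomains per (client, parent) before we look closer
MIN_AVG_LEN = 24      # average encoded-payload length in characters
MIN_AVG_ENTROPY = 3.0 # average Shannon entropy in bits per character


def shannon_entropy(text):
    """Bits of entropy per character; random hex is ~4, English words ~2-3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain, parent). Parent = last two labels (assumption; a
    real deployment would use a public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (time, client, qname, qtype); skip lines that do not fit the format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def find_tunnelling(log_text):
    """One finding per (client, parent domain) whose queries look like a tunnel."""
    seen = defaultdict(set)
    for _, client, qname, _ in parse_log(log_text):
        sub, parent = split_qname(qname)
        if sub:
            seen[(client, parent)].add(sub)
    findings = []
    for (client, parent), subs in seen.items():
        if len(subs) < MIN_UNIQUE:
            continue
        payloads = [s.replace(".", "") for s in subs]   # labels carry the data
        avg_len = sum(len(p) for p in payloads) / len(payloads)
        avg_entropy = sum(shannon_entropy(p) for p in payloads) / len(payloads)
        if avg_len >= MIN_AVG_LEN and avg_entropy >= MIN_AVG_ENTROPY:
            findings.append({"client": client, "parent": parent,
                             "unique_subdomains": len(subs),
                             "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_entropy, 2)})
    return sorted(findings, key=lambda f: (f["client"], f["parent"]))


if __name__ == "__main__":
    for f in find_tunnelling(SAMPLE_LOG):
        print(f)
```

The CDN client in the sample trips the unique-name gate but not the length or entropy gates, which is why all three are needed: volume alone flags every content delivery network in your environment. On a real resolver log, feed it per-hour windows and baseline the parent domains your clinical systems legitimately talk to before alerting.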
Earlier this year, the agencies report, hackers “believed to be associated with TrickBot” started deploying BazarLoader and BazarBackdoor to attack victim networks through phishing attempts.
These phishing emails pose a real challenge because they include many elements that make them appear legitimate. They:
- Are sent through mass email delivery systems, with a PDF attachment or a Google Drive link
- Instruct the user to click a URL when a preview of the document fails to open
- Appear to be legitimate business emails about customer feedback, HR decisions, or other important tasks
- Include the recipient’s name or employer’s name in the subject line
In truth, the URL delivers malware to the victim’s computer. Increasingly, the hackers use “fileless” malware: code that runs only in memory and is never written to disk as a conventional executable, which makes it difficult for traditional, file-scanning antivirus software to detect. Using this initial intrusion as a “beachhead,” the hackers use “living off the land” (LotL) techniques to move through the network. LotL means abusing the administrative tools already present on the systems, PowerShell above all; the actors also bring post-exploitation frameworks such as Cobalt Strike and PowerShell Empire, whose agents are typically launched through those same built-in tools.
Because the hackers use standard tools, often with stolen but legitimate credentials, this kind of activity often goes undetected. Their goal is to reach as many machines as possible, including the backup servers, so that when they deploy ransomware the only alternative is to pay.
Fortunately, there are steps that healthcare organizations can take to mitigate these risks and keep their data secure.
What can healthcare organizations do?
As I’ve written before, it’s just not possible to have perfect cybersecurity, but taking a thorough, coordinated approach can reduce your organization’s vulnerabilities.
That starts with assessing risk — making a list of areas that may be targeted by hackers, and determining what your organization can do to shore up its defenses in these areas.
In its latest Ransomware Guide, CISA points to a free Resource Hub where organizations can find services such as routine vulnerability scanning of internet-facing systems and phishing campaign assessments. Organizations that have taken advantage of these free services from CISA have found them tremendously useful.
Rapid detection and response is arguably more important than preventive measures. Organizations that can rapidly detect an intrusion are able to contain it, investigate what happened, evict the hackers, and recover much more quickly.
Your organization should also keep an encrypted, offline backup of its data and routinely test restoring from it, so that you know the backups can actually be recovered in the event of a cyberattack.
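A restore test is only meaningful if you can tell a complete restore from a partially corrupted one, and the cheapest way to do that is a checksum manifest written when the backup is taken and checked against the restored copy. The script below is an added example, not MEDITECH’s backup tooling or anything from the alert: it builds a SHA-256 manifest of a backup tree, then verifies a restored copy and reports files that are missing, altered, or unexpected. The file names and contents are constructed in a temporary directory; encryption and offline storage of the backup itself are outside what it shows.

```python
"""Backup integrity check: write a SHA-256 manifest at backup time, verify a
restored copy against it. Added example; sample files are constructed in a
temporary directory and the demo deliberately breaks the restore.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large database dumps do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root (with '/' separators) to its hash and size."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return manifest


def verify_restore(manifest, root):
    """Compare a restored tree against the manifest taken at backup time."""
    result = {"ok": [], "missing": [], "modified": [], "unexpected": []}
    restored = build_manifest(root)
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            result["missing"].append(rel)
        elif actual["sha256"] != expected["sha256"]:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = list(set(restored) - set(manifest))
    for key in result:
        result[key].sort()
    return result


def demo():
    """Take a backup, write its manifest, restore it badly, and verify."""
    with tempfile.TemporaryDirectory() as work:
        backup = os.path.join(work, "backup")
        files = {  # constructed sample content
            "db/patients.bak": b"patient records, constructed sample\n" * 100,
            "config/app.ini": b"[app]\nversion=1\n",
            "logs/audit.log": b"2020-10-28 login ok\n",
        }
        for rel, data in files.items():
            path = os.path.join(backup, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(backup)
        manifest_path = os.path.join(work, "manifest.json")  # keep this with the offline copy
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2)

        restore = os.path.join(work, "restore")
        shutil.copytree(backup, restore)
        # Simulate a bad restore: one file altered, one missing, one unexpected.
        with open(os.path.join(restore, "db", "patients.bak"), "ab") as f:
            f.write(b"corrupted tail\n")
        os.remove(os.path.join(restore, "logs", "audit.log"))
        with open(os.path.join(restore, "db", "extra.tmp"), "wb") as f:
            f.write(b"leftover\n")

        with open(manifest_path) as f:
            return verify_restore(json.load(f), restore)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest alongside the offline copy and, separately, somewhere the backup process cannot write to, so that an intruder who reaches the backup server cannot quietly rewrite both the data and the record of what it should hash to. Run the verification as part of every scheduled restore drill, not only after an incident.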
Especially in health IT, where multiple vendors may have access to EHR data, it’s important to understand where each entity’s security policies intersect — for example, MEDITECH follows HIPAA guidelines for hosting and accessing patient data, while a cloud services vendor may be responsible for additional encryption measures to support interoperability.
And while these concepts focus on technology, you should always be cognizant of the human factor. Your employees — whether in the clinical or administrative settings — need regular reminders and training to know how to identify threats and alert your IT team so they can respond.
Your staff is your most important asset against cyberattacks; done properly, your organization’s cybersecurity planning can create a “human firewall” against hacking and ransomware.
Additional cybersecurity resources
- The CISA Ransomware Guide includes an extensive list of no-cost resources that your organization can use to assess its cybersecurity posture and take steps to strengthen it.
- If you are a MEDITECH customer, visit our Cybersecurity Resources page for the latest news and information, and review our EHR Security page to learn how to keep your MEDITECH platform secure.
- Register or assign a member of your organization as its Information Security Contact for MEDITECH, and sign up for our monthly Security newsletter.
Cybercrime may be an ongoing threat to healthcare IT, but with the right preparation and planning you can make your organization a harder target for hackers and protect its most important data from attack.
Check out MEDITECH's on-demand webinar, "An Insider Look at Cybersecurity."