HHS Dept. Issued Ransomware Warning to Health Care Organizations
Ransomware is the “business pandemic.” Warnings have been issued by multiple agencies around the world to alert businesses to increase their protection and awareness. Most recently, the Department of Health and Human Services (HHS) has issued a warning to health care organizations related to what it calls “an exceptionally aggressive” ransomware group known as Hive.
Hive has been active since June of last year but, according to the HHS, has been more active of late in targeting health care organizations with “double extortion” threats. The group is described as “financially motivated”: it demands payment to unlock data it has encrypted and also threatens to publicly release unencrypted data, selling it on “name and shame” dark web sites, according to the HHS alert.
The alert reminds health care organizations to protect themselves with continuous monitoring and active vulnerability management. The alert also suggested keeping backups of data in multiple locations and using two-factor authentication with strong passwords.
The multiple operating systems and various types of data collection, data use, and data access in health care settings present particular security challenges that ransomware groups exploit. At a minimum, health care organizations should carefully review the HHS alert and implement basic security measures.
The American Hospital Association issued a Cybersecurity Advisory to members warning of the need for the sector to increase its alert level in light of the Russia/Ukraine military operations and following on CISA’s related (and rare) “Shields Up” warning to the US private sector, including health care. The AHA advised member organizations to implement several protection and mitigation strategies, including:
Increasing network monitoring for unusual traffic.
Heightening staff awareness of malware-laden phishing emails.
Implementing geo-fencing for all inbound and outbound traffic originating from, and related to, Ukraine, Russia, and its surrounding region.
Identifying all internal and third-party mission-critical clinical and operational services and technology, and putting into place business continuity plans and downtime procedures.
Documenting, updating and practicing a cyber incident response plan.
In addition, administrators should review alerts published by the Cybersecurity & Infrastructure Security Agency (CISA), such as the recently updated list of “common vulnerabilities,” which provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021. The list also provides recommended mitigations, which should be applied to reduce the risk of compromise by malicious cyber actors.
Ransomware attacks on health care organizations can have severe consequences on patient care, as well as financial impact. A survey by the Ponemon Institute found that one in four providers said their organization noticed a rise in mortality rates following an attack.
©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume XII, Number 118