
Analysis

CISA, FBI, HHS Warn Hospitals of 'Increased and Imminent' Cybercrime Threat

By Jack O'Brien  
October 29, 2020

The three federal agencies released an advisory Wednesday warning of a potential cybercrime threat against healthcare providers.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released a joint advisory Wednesday warning hospitals and health systems about an "increased and imminent cybercrime threat."

"CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats," the advisory read.

The advisory described the tactics, techniques, and procedures used by cybercriminals to infect healthcare providers with Ryuk ransomware.

The notice also listed two key findings: that cybercriminals are targeting the Healthcare and Public Health (HPH) Sector with Trickbot malware, which can lead to "ransomware attacks, data theft, and the disruption of healthcare services," and that these challenges will be heightened for organizations dealing with the ongoing COVID-19 pandemic.


The advisory stated that administrators will "need to balance this risk when determining their cybersecurity investments."

The joint advisory was released almost one month after HHS released an update on Ryuk ransomware threats.

That update came less than a week after Universal Health Services, Inc. had to temporarily shut down user access to IT applications due to a malware cyberattack.


In preparation for potential cybercrime threats, the three federal agencies urged HPH organizations to maintain "business continuity plans" to minimize service interruptions, warning that without these processes in place, hospitals "may be unable to continue operations."

The advisory also listed best practices for networks, ransomware, and user awareness, as well as recommended mitigation measures.

"System administrators who have indicators of a Trickbot network compromise should immediately take steps to back up and secure sensitive or proprietary data," the advisory read. "Trickbot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly. Upon evidence of a Trickbot infection, review DNS logs and use the XOR key of 0xB9 to decode XOR encoded DNS requests to reveal the presence of Anchor_DNS, and maintain and provide relevant logs."


The federal advisory prompted responses from cybersecurity experts on Thursday.

"Threats against the US healthcare system continue to be a long running issue, made undoubtedly worse as the COVID-19 pandemic’s spread continues," said Kevin Coleman, executive director at the National Cyber Security Alliance, said in a statement. "The latest alert and joint statement released by CISA, FBI and HHS, Ransomware Activity Targeting the Healthcare and Public Health Sector, confirms that the persistent dangers of ransomware throughout our healthcare infrastructure are not to be taken lightly."

Peter Mackenzie, incident response manager at Sophos Rapid Response, said that while ransomware attacks against hospitals are common, hospitals are not affected more frequently than other industries.

"It is clear the operators behind Ryuk are back from their summer break, and now targeting hospitals along with other industry sectors," Mackenzie said in a statement. "Most of the heightened interest in these attacks stems from the attack on UHS hospitals a few weeks back. This saw many hospitals hit at once, but only because they were all connected. In other words, it wasn’t a string of attacks, but rather a single attack that affected multiple sites."

Editor's note: This story has been updated to include commentary from Kevin Coleman and Peter Mackenzie.

Jack O'Brien is the finance editor at HealthLeaders, a Simplify Compliance brand.
