Review Policies on Cyberattacks as FBI, HHS Send New Warning

CMS also requires under its Emergency Management CoP that hospitals include the possibility of a cyberattack as part of its all-hazards risk assessment.

Editor's note: This article was originally published by the HCPro Accreditation & Quality Compliance Center.

Review your hospital policies about preventing ransomware and other outside cybersecurity attacks on your electronic health information systems. The Department of Health and Human Services (HHS) released a joint advisory along with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) earlier this week warning hospitals and health systems about an "increased and imminent cybercrime threat."

The advisory described the tactics, techniques, and procedures used by cybercriminals to infect healthcare providers with Ryuk ransomware, according to HealthLeaders.

The notice also listed two key findings: Cybercriminals are targeting the Healthcare and Public Health (HPH) Sector with Trickbot malware, which can lead to "ransomware attacks, data theft, and the disruption of healthcare services," and that these challenges will be heightened for organizations dealing with the ongoing COVID-19 pandemic, according to HealthLeaders.

Hospitals are required under the Medicare Conditions of Participation (CoP), Medical Record Services, to ensure that “unauthorized individuals” cannot gain access to or alter patient records. Deficiencies can be cited under Tag A-0442.

CMS also requires under its Emergency Management CoP that hospitals include the possibility of a cyberattack as part of its all-hazards risk assessment.

The Joint Commission (TJC) requires hospitals, under Information Management standard IM.02.01.03, to maintain “the security and integrity of health information.” That includes under element of performance (EP) 2 having a written policy addressing among other things, the “intentional destruction of health information.”

Hospitals are required under EP 5 to protect “against unauthorized access, use, and disclosure of health information.”

In addition, hospitals can be cited under Emergency Management standard EM.01.01.01, which states that the all-hazards risk assessment should include possible “human-made” emergencies, including cyberattacks.

The other accrediting organizations, including DNV-GL Healthcare, HFAP, and the Center for Improvement in Healthcare Quality, all have similar standards and requirements.

Consultants have said that CMS is pressuring TJC and other AOs to step up inspection of cybersecurity in hospitals as ransomware and other attacks have continued.

Warning offers guidance

The joint warning by the FBI, CISA, and HHS on the current cyberthreats include detailed information how healthcare organizations can respond.

The warning states: “CISA, FBI, and HHS suggest HPH Sector organizations review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.”

The warning includes these suggested network best practices:

• Patch operating systems, software, and firmware as soon as manufacturers release updates.
• Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
• Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
• Use multi-factor authentication where possible.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
• Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
• Audit logs to ensure new accounts are legitimate.
• Scan for open or listening ports and mediate those that are not needed.
• Identify critical assets such as patient database servers, medical records, and telehealth and telework infrastructure; create backups of these systems and house the backups offline from the network.
• Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
• Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

If your organization faces a ransomware attack, the alert says “CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”

Best practices

In addition to network best practices, the warning includes these best practices to battle against ransomware:

• Regularly back up data, air gap, and password protect backup copies offline.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

The alert also suggests these “user awareness” best practices:

• Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
• Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

The lengthy alert also carries a vast number of other best practices as well as technical aspects of the detected threats to help inform information technology specialists as they address the potential threat.