The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have issued a joint cybersecurity advisory stating they have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

The advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain. The advisory provides technical details on the threat from Ryuk ransomware and new Trickbot malware modules named Anchor. The anticipated threat posed by this malware and ransomware is using encryption to interfere with a hospital’s access to its systems and ability to provide care and holding a decryption key for ransom.

In addition to the technical details, the advisory identifies steps hospitals and healthcare providers should take to protect themselves from this cybercrime threat. Those steps include maintaining an up-to-date business continuity plan and other best practices.

Network Best Practices

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to local administration being disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication (MFA) where possible.
  • Disable unused remote access or Remote Desktop Protocol (RDP) ports and monitor remote access or RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege necessary in mind.
  • Audit logs to ensure new accounts are legitimate.

Ransomware Best Practices

  • CISA, FBI, and HHS do not recommend paying ransoms. Further, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an advisory alerting companies of the potential sanctions risk for facilitating ransomware payments.
  • Regularly back up data, air gap, and password-protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

User Awareness Best Practices

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats (such as ransomware and phishing scams) and how they are delivered.
  • Provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.

The advisory notes that addressing the risks posed by malware and ransomware attacks will be particularly challenging for hospitals and healthcare providers during the COVID-19 pandemic. Additional advice on avoiding and responding to an attack is available here. If you have questions about this advisory or how best to assess and manage the risks identified in the advisory, please contact a Jackson Lewis attorney.

 

Tags: CISA, COVID-19, cybercrime, cybersecurity, Data Security, healthcare, OFAC, ransomware, ransomware attack
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the…

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Read more about Joseph J. Lazzarotti
Show more Show less
Photo of Jason C. Gavejian Jason C. Gavejian

Jason C. Gavejian is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and co-leader of the firm’s Privacy, Data and Cybersecurity practice group. Jason is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jason C. Gavejian is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and co-leader of the firm’s Privacy, Data and Cybersecurity practice group. Jason is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

As a Certified Information Privacy Professional (CIPP/US), Jason focuses on the matrix of laws governing privacy, security, and management of data. Jason is co-editor of, and a regular contributor to, the firm’s Workplace Privacy, Data Management & Security Report blog.

Jason’s work in the area of privacy and data security includes counseling international, national, and regional companies on the vast array of privacy and security mandates, preventive measures, policies, procedures, and best practices. This includes, but is not limited to, the privacy and security requirements under state, federal, and international law (e.g., HIPAA/HITECH, GDPR, California Consumer Privacy Act (CCPA), FTC Act, ECPA, SCA, GLBA etc.). Jason helps companies in all industries to assess information risk and security as part of the development and implementation of comprehensive data security safeguards including written information security programs (WISP). Additionally, Jason assists companies in analyzing issues related to: electronic communications, social media, electronic signatures (ESIGN/UETA), monitoring and recording (GPS, video, audio, etc.), biometrics, and bring your own device (BYOD) and company owned personally enabled device (COPE) programs, including policies and procedures to address same. He regularly advises clients on compliance issues under the Telephone Consumer Protection Act (TCPA) and has represented clients in suits, including class actions, brought in various jurisdictions throughout the country under the TCPA.

Jason represents companies with respect to inquiries from the HHS/OCR, state attorneys general, and other agencies alleging wrongful disclosure of personal/protected information. He negotiates vendor agreements and other data privacy and security agreements, including business associate agreements. His work in the area of privacy and data security includes counseling and coaching clients through the process of investigating and responding to breaches of the personally identifiable information (PII) or protected health information (PHI) they maintain about consumers, customers, employees, patients, and others, while also assisting clients in implementing policies, practices, and procedures to prevent future data incidents.

Jason represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination, and wage and hour claims in both federal and state courts. He regularly appears before administrative agencies, including the Equal Employment Opportunity Commission (EEOC), the Office for Civil Rights (OCR), the New Jersey Division of Civil Rights, and the New Jersey Department of Labor. Jason’s practice also focuses on advising/counseling employers regarding daily workplace issues.

Jason’s litigation experience, coupled with his privacy practice, provides him with a unique view of many workplace issues and the impact privacy, data security, and social media may play in actual or threatened lawsuits.

Jason regularly provides training to both executives and employees and regularly speaks on current privacy, data security, monitoring, recording, BYOD/COPE, biometrics (BIPA), social media, TCPA, and information management issues. His views on these topics have been discussed in multiple publications, including the Washington Post, Chicago Tribune, San Francisco Chronicle (SFGATE), National Law Review, Bloomberg BNA, Inc.com, @Law Magazine, Risk and Insurance Magazine, LXBN TV, Business Insurance Magazine, and HR.BLR.com.

Jason is the co-leader of Jackson Lewis’ Hispanic Attorney resource group, a group committed to increasing the firm’s visibility among Hispanic-American and other minority attorneys, as well as mentoring the firm’s attorneys to assist in their training and development. He also previously served on the National Leadership Committee of the Hispanic National Bar Association (HNBA) and regularly volunteers his time for pro bono matters.

Prior to joining Jackson Lewis, Jason served as a judicial law clerk for the Honorable Richard J. Donohue on the Superior Court of New Jersey, Bergen County.

Read more about Jason C. Gavejian
Show more Show less
Photo of Michael R. Bertoncini Michael R. Bertoncini

Michael R. Bertoncini is a principal in the Boston, Massachusetts, office of Jackson Lewis. He is a member of the Healthcare industry group and a member of the Higher Education group.

With a background as a former Deputy General Counsel, Michael understands first-hand…

Michael R. Bertoncini is a principal in the Boston, Massachusetts, office of Jackson Lewis. He is a member of the Healthcare industry group and a member of the Higher Education group.

With a background as a former Deputy General Counsel, Michael understands first-hand the competing demands and unique challenges faced by in-house counsel. Before joining Jackson Lewis, he was responsible for all labor and employment law matters for the largest fully integrated community care hospital system in New England. Michael provides timely, practical advice that helps clients achieve their strategic goals while ensuring compliance with legal obligations.

With deep experience in a broad range of industries, Michael has a keen interest in the healthcare, higher education, museum, and arts & music sectors. He is dedicated to supporting clients in these areas, leveraging his extensive experience to address the specific challenges faced by institutions and organizations in these fields.

Michael regularly partners with clients to establish positive employee relations. In labor relations matters, he negotiates collective bargaining agreements on behalf of organized clients, represents clients in labor arbitrations and National Labor Relations Board proceedings, and counsels clients with respect to rights and obligations under collective bargaining agreements and applicable labor and employment laws. He also has extensive experience in advising organizations responding to corporate campaigns and negotiating neutrality agreements.

Michael’s privacy and data security practice focuses on advising clients on complying with HIPAA and other state and federal privacy and data security laws. He reviews and develops policies and procedures, written information security plans and integrated compliance programs to ensure his clients meet their obligations under privacy and data security laws. Michael represents clients in investigations of alleged data breaches and advises them on reporting obligations.. He also conducts workplace training programs on HIPAA compliance and related privacy and data security topics.

Read more about Michael R. Bertoncini
Show more Show less
Related Posts
Firings at the US Privacy and Civil Liberties Oversight Board and Potential Impact on Transatlantic Data Transfers
February 3, 2025
Happy Privacy Day: Emerging Issues in Privacy, Cybersecurity, and AI in the Workplace
January 28, 2025
2024 Wrap-Up of the Workplace Privacy, Data Management & Security Report
December 31, 2024