A Clear and Present Danger: Imminent Cyberattacks Against Hospitals

November 4, 2020

In an Oval Office scene from a Tom Clancy political thriller, the president at one point states, “These drug cartels represent a clear and present danger to the national security of the United States.”  That was his cryptic way of implying that action needed to be taken to remove the threat.  It is an unfortunate fact of history that, from time to time, there are those who wish to cause harm to our national interests or infrastructure, and it is incumbent upon our leaders to take appropriate action to preserve and protect.  In recent days, another massive threat against our nation has been identified.

Examining the Threat Level

Last week, the federal government issued a warning concerning a credible and imminent threat to our national healthcare security.  The Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS) conducted an urgent conference call with leaders of the healthcare industry on Oct 28, informing them that the government has received reliable information that international hackers—perhaps with ties to Russia—are planning to breach the IT systems of some 400 hospitals and clinics throughout the United States.  It sounds like the kind of improbable plot one might find in a James Bond movie; but, sadly, Sean Connery is no longer here to help us.

According to the KrebsOnSecurity website, Mandiant—a cybersecurity incident response firm out of Alexandria, Virginia—has released a list of domains and internet addresses used by the ransomware threat (known as “Ryuk”) in previous attacks this year.  Charles Carmakal, senior vice president for Mandiant, told Reuters that the threat actor behind Ryuk is among the “most brazen, heartless, and disruptive threat actors he’s observed over the course of his career.”  He went on to say that “Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline.”

Considering the Countermeasures

Unfortunately, the conference call initiated by the FBI, HHS and DHS did not provide specific guidance on countering the impending attack, other than undertaking the following general precautionary measures, as reported by Reuters: (a) back up systems, (b) disconnect systems from the internet where possible, (c) avoid using personal email accounts.

So, it will be up to the CIO/CTO at each facility to determine where the gaps exist in their cybersecurity measures and to then create ways to quickly fix these weak links or initiate temporary workarounds.  To help facilitate strategic planning, here are some things that other hospitals and hospital systems around the country are doing to respond to the Ryuk threat, according to a November 2 report in Becker’s Health IT:

  • Claxton-Hepburn Medical Center in Ogdensburg, N.Y. shut down its email to prevent cyberattacks, though online patient portals and the hospital’s website are still operating. The hospital remains open and has not reduced patient services.
  • Morrisville, Vt.-based Copley Hospital is automatically backing up patient information every night and has back-up information not connected to its online systems.
  • UnityPoint Health in West Des Moines, Iowa has made significant investments in measures to detect, stop and prevent cybersecurity threats, and backs up its system on a regular basis. 
  • Premier Health System in Dayton, Ohio has used the latest threat as an opportunity to reeducate their staff on security measures and protocols.

The DHS Cybersecurity & Infrastructure Security Agency (CISA) provided specifics as to which domains and IP addresses the Ryuk ransomware strain has used historically.  Of course, this does not mean it won’t mutate or change its structure to bypass these known indicators of compromise (IOCs).  On the guidance of these agencies, MiraMed updated all its public-facing systems, i.e., those with a direct line to the internet.  In addition, MiraMed already has in place the following security controls:

  1. We train all of our employees on information security with a focus on HIPAA security and social engineering tactics and techniques.
  2. We conduct tabletop exercises around security incident response and remediation.
  3. We do not allow non-administrator accounts to install executables (computer programs, such as Ryuk) from their workstation’s temporary directories.  This is typically where email attachments are saved to and executed from when opened directly as an attachment.
  4. We have secure email gateways that defang attachments by stripping scripts and other malicious content.
  5. We use tripwires to detect malicious file extensions and names.  When a malicious file is detected, IT gets alerted; and, if that same alert triggers again within the next 5 minutes, we automatically disable (isolate) systems and thereby prohibit any further spread of the ransomware.
  6. All servers and workstations have up-to-date antivirus.
  7. All backups are performed nightly with copies stored offline.
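As an added illustration of control 5 above (example code written for this article, not MiraMed’s own tooling): a minimal tripwire that raises an alert the first time a suspicious file name or extension is seen on a host, and isolates that host if a second alert fires within five minutes.  The watchlist and the event log are constructed for the example; a real deployment would take its indicators from current IOC feeds.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed watchlist (an assumption for this example, not MiraMed's list).
SUSPICIOUS_EXTENSIONS = {".ryk", ".encrypted", ".locked"}
SUSPICIOUS_NAMES = {"RyukReadMe.txt", "decrypt_instructions.html"}
ESCALATION_WINDOW = timedelta(minutes=5)   # second alert inside this window => isolate


class Tripwire:
    """Alert on the first suspicious file per host; isolate on a repeat within the window."""

    def __init__(self, window=ESCALATION_WINDOW):
        self.window = window
        self.last_alert = {}    # host -> timestamp of the most recent alert
        self.isolated = set()   # hosts already cut off from the network

    def is_suspicious(self, path):
        p = PureWindowsPath(path)
        return p.suffix.lower() in SUSPICIOUS_EXTENSIONS or p.name in SUSPICIOUS_NAMES

    def observe(self, ts, host, path):
        """Return the action taken: 'ignore', 'alert', 'isolate' or 'already-isolated'."""
        if host in self.isolated:
            return "already-isolated"
        if not self.is_suspicious(path):
            return "ignore"
        prev = self.last_alert.get(host)
        self.last_alert[host] = ts
        if prev is not None and ts - prev <= self.window:
            self.isolated.add(host)   # hook for NAC/EDR quarantine goes here
            return "isolate"
        return "alert"


def run_events(events, tripwire=None):
    """Feed 'timestamp host path' lines through a Tripwire; return (host, action) pairs."""
    tw = tripwire or Tripwire()
    out = []
    for line in events:
        ts_s, host, path = line.split(" ", 2)
        out.append((host, tw.observe(datetime.fromisoformat(ts_s), host, path)))
    return out


# Constructed sample file-creation events (timestamp host path), not real telemetry.
SAMPLE_EVENTS = [
    "2020-11-02T09:00:00 ws-12 C:\\Users\\nurse\\Documents\\schedule.xlsx",
    "2020-11-02T09:01:10 ws-12 C:\\Users\\nurse\\Documents\\schedule.xlsx.ryk",
    "2020-11-02T09:03:30 ws-12 C:\\Users\\nurse\\Desktop\\RyukReadMe.txt",
    "2020-11-02T09:04:00 ws-12 C:\\Users\\nurse\\Documents\\notes.docx.ryk",
    "2020-11-02T09:02:00 ws-40 C:\\Users\\clerk\\Downloads\\scan.pdf.ryk",
    "2020-11-02T09:30:00 ws-40 C:\\Users\\clerk\\Downloads\\invoice.locked",
]

if __name__ == "__main__":
    for host, action in run_events(SAMPLE_EVENTS):
        print(host, action)
```

Host ws-12 is isolated on its second hit (two minutes apart), while ws-40’s second hit arrives 28 minutes later and only re-alerts, which is the behaviour the five-minute rule is meant to produce.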

Responding to an Attack

It’s worth the time and effort to familiarize yourself with the pen and paper processes that used to surround the perioperative theatre.  In the event of a full-scale ransomware attack, pen and paper may be the only way to continue healthcare operations while systems are restored.

NOTE: The FBI does NOT recommend paying the ransom.  The reasoning is two-fold: (a) the ransomware operators may not release the decryption key even after receiving the payment, and (b) the payment allows the cyber threat actor to continue its operations and use these funds to attack more organizations.  Don’t forget to tap into your cyber insurance policy to learn of organizations directly able to assist with incident response, digital forensics, public relations, specialized legal counsel and cyber negotiators.

Ransomware infections are reportable to the HHS OCR as they violate all three pillars of security: confidentiality, integrity and availability.  Ransomware infections will gain unauthorized access to ePHI (lack of confidentiality) and will modify (encrypt) it—thereby jeopardizing its integrity, which ultimately renders the data unusable (unavailable).

We at MiraMed Global Services are here to help you prevent and/or respond to this latest threat to the healthcare industry.  Please reach out to us if we can be of service to you and your facility.  You can contact us at info@miramedgs.com.  I wish to thank our national director for information security, Bryan Hemerka, for his contribution to this article.