CISA, FBI, HHS Warn Hospitals of ‘Increased and Imminent’ Cybercrime Threat

By Jack O’Brien

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released a joint advisory Wednesday warning hospitals and health systems about an “increased and imminent cybercrime threat.”

“CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats,” the advisory read.

The advisory described the tactics, techniques, and procedures used by cybercriminals to infect healthcare providers with Ryuk ransomware.

The notice also listed two key findings: the cybercriminals are targeting the Healthcare and Public Health (HPH) Sector with Trickbot malware, which can lead to “ransomware attacks, data theft, and the disruption of healthcare services,” and that these challenges will be heightened for organizations dealing with the ongoing COVID-19 pandemic.

The advisory stated that administrators will “need to balance this risk when determining their cybersecurity investments.”

The joint advisory was released almost one month after HHS released an update on Ryuk ransomware threats.

This came less than a week after Universal Health Services, Inc. had to temporarily shut down user access to IT applications due to a malware cyberattack.

In preparation for potential cybercrime threats, the three federal agencies urged HPH organizations to maintain “business continuity plans” to minimize service interruptions, warning that without these processes in place, hospitals “may be unable to continue operations.”

The advisory also listed best practices for networks, ransomware, and user awareness, as well as recommended mitigation measures.

“System administrators who have indicators of a Trickbot network compromise should immediately take steps to back up and secure sensitive or proprietary data,” the advisory read. “Trickbot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly. Upon evidence of a Trickbot infection, review DNS logs and use the XOR key of 0xB9 to decode XOR encoded DNS requests to reveal the presence of Anchor_DNS, and maintain and provide relevant logs.”

Jack O’Brien is the finance editor at HealthLeaders, a Simplify Compliance brand.