The health care sector and medical service providers are seeing a significant rise in ransomware attacks, many emanating from organized criminal groups operating out of Russia. Yesterday, the Cybersecurity and Infrastructure Agency (CISA), the FBI, and the Health and Human Services Department warned of an increased and imminent threat from ransomware to the health care sector. Several groups, including those using the Ryuk ransomware, are seeing considerable success in quick attacks that disable entire networks in a matter of hours. Ransom demands have escalated rapidly; they often begin at more than $5 million and sometimes go higher. Once a system has been impacted, a company can expect to be offline for several days at best; more typically, recovery back to a working-level baseline can take weeks. The COVID-19 pandemic has presented a unique opportunity for health-related cybercrime; the increased use of network-connected and remote technologies means a wider attack surface for exploitation.

HIPAA-covered entities and their business associates must keep in mind that a ransomware attack may be a reportable breach even if protected health information (PHI) is not exfiltrated. HHS states in its “Ransomware and HIPAA” fact sheet that if ransomware encrypts PHI, a presumptive breach has occurred because unauthorized individuals have taken possession or control of the information, resulting in acquisition and therefore “disclosure.” The covered entity must comply with the Breach Notification Rule reporting requirements unless it can rebut the presumption of breach through a “low probability of compromise” analysis. Even PHI that was already encrypted at the time of the attack can be breached by a ransomware attack, depending on the manner and level of the original encryption.

Whether recovery from a ransomware attack is even feasible is a complex issue that depends on the type of network, backup practices, and how soon the ransomware is detected before the network is taken down. Unfortunately, we are often seeing data on key enterprise systems, primarily databases, irreparably damaged because the ransomware has unexpected effects on large databases or files that are in use when the encryption occurs.

The FBI has provided some good technical recommendations for reducing vulnerabilities to Ryuk, which we summarize below. For any network of even modest complexity, a risk assessment that helps a company understand its vulnerabilities and key assets in the face of the threat, combined with a strong incident response plan and employee training, is key. Most ransomware attacks succeed because employees inadvertently trigger the malware in an email or because the network has not been tested inside and out for misconfigured systems. Once the attack begins, the response has to be exceedingly quick to isolate the damage. HHS also provides guidance to HIPAA-regulated entities on preventing and detecting ransomware attacks.

FBI Recommendations

In preparation for potential Ryuk attacks, please consider the following: 

  • Disable Remote Desktop Services for systems that do not require it.
  • Block TCP port 3389 on the firewall, if possible.
  • Carefully monitor the indicators associated with this campaign.
  • Monitor e-mail traffic for threats and prevent executable files from reaching end users.
  • Refrain from opening attachments or links from unknown sources.
  • Implement architectural controls for network segregation.
  • Implement allow lists & block lists for specific applications to prevent unauthorized applications from running.
  • Use anti-virus protection and ensure that it is kept updated.
  • Use least-privilege to limit administrative access on accounts.
  • Maintain encrypted backups of all critical systems as well as off-site copies.
  • Disable macros for documents received via email.
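Several of the recommendations above are host-level settings that can be audited and applied with a script. The following PowerShell is an added example written for this page; it is not code from the FBI, HHS, or the authors. It checks a Windows host for Remote Desktop being disabled, an inbound block on TCP 3389, Office macro policy, local Administrators membership, and Microsoft Defender signature freshness, and applies the first three only when run with -Remediate. It assumes Windows 10 / Server 2016 or later with the NetSecurity and Defender modules, Office 16.0 registry paths (adjust for other versions), and that "two or fewer local administrators" is the organization's own threshold; all of those are assumptions, not statements from the advisory.

```powershell
<#
  Added example, not part of the original advisory.
  Audits a Windows host against several FBI Ryuk recommendations; -Remediate applies fixes.
  Assumptions: Windows 10/Server 2016+, NetSecurity and Defender modules present,
  Office 16.0 policy paths, elevated PowerShell session.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without this switch the script only reports findings
)

$findings = @()

function Add-Finding {
    param([string]$Control, [bool]$Compliant, [string]$Detail)
    $script:findings += [pscustomobject]@{ Control = $Control; Compliant = $Compliant; Detail = $Detail }
}

# 1. Remote Desktop Services: fDenyTSConnections = 1 means RDP connections are refused.
$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
Add-Finding 'RDP disabled' $rdpDenied "fDenyTSConnections=$([int]$rdpDenied)"
if ($Remediate -and -not $rdpDenied -and $PSCmdlet.ShouldProcess($tsPath, 'Disable Remote Desktop')) {
    Set-ItemProperty -Path $tsPath -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

# 2. TCP 3389: explicit inbound block on the host firewall (the perimeter firewall should block it as well).
$blockRuleName = 'Block inbound TCP 3389 (ransomware hardening)'   # constructed rule name
$blockRule = Get-NetFirewallRule -DisplayName $blockRuleName -ErrorAction SilentlyContinue
Add-Finding 'Inbound 3389 blocked' ($null -ne $blockRule) "block rule present: $($null -ne $blockRule)"
if ($Remediate -and -not $blockRule -and $PSCmdlet.ShouldProcess('Windows Firewall', 'Add inbound block for TCP 3389')) {
    New-NetFirewallRule -DisplayName $blockRuleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -Action Block -Profile Any | Out-Null
}

# 3. Office macros: VBAWarnings = 4 disables all macros without notification.
#    The 16.0 version key is an assumption; adjust for your Office deployment.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $macroPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $warn = (Get-ItemProperty -Path $macroPath -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $macrosOff = $warn -eq 4
    Add-Finding "$app macros disabled" $macrosOff "VBAWarnings=$warn"
    if ($Remediate -and -not $macrosOff -and $PSCmdlet.ShouldProcess($macroPath, "Set VBAWarnings=4 for $app")) {
        New-Item -Path $macroPath -Force | Out-Null
        Set-ItemProperty -Path $macroPath -Name VBAWarnings -Value 4 -Type DWord
        # Also block macros in files marked as coming from the Internet (e-mail attachments, downloads).
        Set-ItemProperty -Path $macroPath -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

# 4. Least privilege: report local Administrators membership for review.
#    The "two or fewer" threshold is an assumed organizational policy, not an FBI figure.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
Add-Finding 'Local admin membership minimal' ($admins.Count -le 2) ('members: ' + ($admins -join ', '))

# 5. Anti-virus kept updated: Defender signature age and real-time protection (other products need their own check).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $avOk = ($mp.AntivirusSignatureAge -le 1) -and $mp.RealTimeProtectionEnabled
    Add-Finding 'Defender updated and real-time on' $avOk "signature age (days)=$($mp.AntivirusSignatureAge)"
}

$findings | Format-Table -AutoSize
```

Run it without switches first to get a report; rerun with -Remediate -WhatIf to see which changes it would make, and then with -Remediate to apply them. Because the script only touches a single host, it complements rather than replaces the architectural controls in the list (network segregation, a perimeter block on 3389, and off-site encrypted backups), which have to be applied at the network and backup-infrastructure level.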

If you have questions about how to mitigate ransomware risks or how to prepare internally for dealing with an incident response, please contact our Data Security and Privacy team. Guillermo Christensen, a former CIA officer and now a partner in our Washington, D.C. office, has handled myriad cyber-incidents involving ransomware. Kim Metzger, a partner in our Indianapolis office, regularly handles complex cyber-breaches involving HIPAA for covered entities and business associates.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.