National Security Agencies Warn of Ransomware Attacks Targeting Health Care Providers

The Federal Bureau of Investigation (FBI) and two other federal agencies are warning of an "imminent cybercrime threat" to United States hospitals and health care providers, noting that several hospitals across the country have already been hit.

In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), FBI and the U.S. Department of Health and Human Services (HHS) said they have "credible information" that cybercriminals are taking new aim at health care providers and public health agencies as the COVID-19 pandemic reaches new heights.

"Malicious cyber actors" may soon be planning to "infect systems with Ryuk ransomware for financial gain" on a scale not yet seen across the American health care system. Hospitals, physician practices, and public health organizations should take "timely and reasonable precautions to protect their networks from these threats." Malware targeting techniques often lead to "ransomware attacks, data theft, and the disruption of healthcare services." The agencies recommend several mitigation steps and best practices for health care entities to take to reduce their risk, including the following:

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
  • Disallow use of personal email accounts.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Identify critical assets; create backups of these systems and house the backups offline from the network.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

The HHS Office for Civil Rights’ Fact Sheet: Ransomware and HIPAA provides additional information for entities regulated by the HIPAA rules and regulations.