• Feds Warn Physicians, Hospitals of Likely Cyberattacks

    AAFP Expert Offers Advice to Protect Against ‘Imminent’ Threat

    November 10, 2020, 10:02 am News Staff -- The FBI joined with HHS and a federal cybersecurity watchdog late last month to warn U.S. health care professionals and facilities about an “increased and imminent cybercrime threat” that has already ensnared hundreds of hospitals, clinics and practice sites across the country.

    In an advisory issued Oct. 28 and updated the following day, the FBI, HHS and the Cybersecurity and Infrastructure Security Agency stated that “malicious cyber actors” were targeting the so-called Healthcare and Public Health Sector ― one of the nation’s 16 critical infrastructure sectors ― using specific malware, opening up these networks to possible ransomware attacks, data theft and disruption of health care services.

    “These issues will be particularly challenging for organizations within the COVID-19 pandemic,” the groups cautioned, “therefore, administrators will need to balance this risk when determining their cybersecurity investments.”

    The groups’ advisory points to TrickBot as one of the malware culprits behind the threat. First detected in 2016 as a banking trojan, the botnet TrickBot is today considered one of the world's most prolific distributors of ransomware. BazarLoader, another piece of malware specifically identified in the advisory, is thought by most experts to have been created by the same cybercriminal enterprise behind TrickBot.

    Notably, the cybersecurity alert comes in the wake of a Ryuk ransomware attack that began Sept. 27 and eventually took down IT systems across all 400 U.S. sites of Universal Health Services ― one of the nation’s largest health care systems ― over the course of three weeks. Those UHS sites, along with others impacted by the assault, were brought back online by Oct. 12, but not before the attack drew the attention of Sen. Mark Warner, D-Va., co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus.

    In an Oct. 9 letter to UHS Chairman and CEO Alan Miller, Warner noted that although initial reports on the cyberattack indicated that no patient data had been compromised, any such incident “sharply highlights the need to ensure adequate cybersecurity hygiene in a health care setting.” 

    “The national health crisis during the COVID-19 pandemic only exacerbates the consequences of insufficient cybersecurity,” he added.

    Noting that hospital systems often point to greater consolidation as allowing for greater operational efficiencies, Warner observed, “this does not appear to be the case when it pertains to something as vital as information security.”

    “An increasing number of medical facilities sharing connected information systems and computer networks requires adequate protection for a significantly larger attack surface,” he stated. “Any failure to protect this considerable attack surface with appropriately segmented networks and data provides opportunities for lateral movement across disparate systems,” including those operating in outpatient clinics affiliated with these facilities.

    The threat doesn’t stop there, of course; individual medical practices are also at risk. But there are steps practices can and should take to mitigate the danger, said AAFP Vice President and Chief Information Officer Steven Waldren, M.D.

    According to Waldren, it’s essential for family physicians to

    • ensure all computer operating systems (e.g., Microsoft Windows, Apple macOS, Linux) and other software are up to date;
    • advise other clinicians and practice staff to not click on links in emails before verifying the sender's email address;
    • strictly limit personal use of computers at the office, especially to download applications; and
    • ensure a robust plan for backing up critical data is in place, has been adequately tested and has demonstrated that data can be restored successfully.

    Regarding the current threat highlighted by CISA, HHS and the FBI, Waldren advised that FPs discuss the situation with practice team members and ask that they be on the lookout for suspicious activity.

    Implementing these precautions is all the more urgent given that despite the recent successful effort to take down TrickBot, the botnet has since resurfaced and continues to threaten health care facilities already struggling to respond to surging COVID-19 case numbers.

    The AAFP has information on HIPAA privacy and security transaction standards compliance, including specific breach notification requirements.