On February 10, 2023, the United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) issued a joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against healthcare and public health sector organizations and other critical infrastructure sector entities.

Given the multi-national involvement in this CSA, healthcare organizations should take particular note of the importance of its contents.

The intent of the CSA is to supplement prior reports on actions of the Democratic People’s Republic of Korea (DPRK), namely Maui and H0lyGh0st ransomware. The CSA highlights additional observed tactics, techniques, and procedures by DPRK cyber actors suspected to be targeting South Korean and U.S. healthcare systems.

Included in the CSA is a list of tactics, techniques, and procedures observed in ransomware efforts, including efforts to:

  • acquire infrastructure;
  • obfuscate identities;
  • purchase VPNs and VPSs; and
  • expose vulnerabilities to gain access.

The CSA also offers a list of mitigations to help protect an organization. Many of these should already be in place; if not, an organization should consider them with urgency:

  • Limit access to data by authenticating and encrypting connections with network services, Internet of Things (IoT) medical devices, and the electronic health record system.
  • Implement the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts, which grant excessive system administration privileges.
  • Turn off weak or unnecessary network device management interfaces, and secure them with strong passwords and encryption when enabled.
  • Protect stored data by masking the permanent account number when displayed and rendering it unreadable when stored.
  • Secure the collection, storage, and processing practices for personally identifiable information (PII)/protected health information (PHI).
  • Secure PII/PHI at collection points and encrypt the data at rest and in transit using technologies. Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available.
  • Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
  • Implement and enforce multi-layer network segmentation, with the most critical communications and data resting on the most secure and reliable layer.
  • Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.

The CSA concludes by outlining a list of actions to prepare for potential ransomware attacks, including the following:

  • Maintaining isolated backups of data, and regularly testing the backup and restoration
  • Creating, maintaining, and exercising a basic cyber incident response plan
  • Installing software updates as soon as they are released
  • Implementing user training programs
  • Requiring strong passwords
  • Auditing user accounts
  • Installing and regularly updating anti-virus and anti-malware software

Organizational leadership and IT professionals within healthcare organizations should be aware of this CSA and its contents to ensure all possible protective actions have been taken. Continued and persistent vigilance is critical as these cyberattacks seem to only be getting more frequent and more sophisticated in their efforts.

Case in point: On February 15, 2023, it was reported that Community Health Systems, a large Tennessee-based healthcare organization with close to 80 hospitals in 16 states, confirmed that criminal hackers accessed the personal and protected health information of up to 1 million patients. While this breach appears to have been the work of a Russia-linked ransomware group, it serves to highlight how these risks can impact even the largest and most sophisticated organizations. Thus, continued vigilance is critical.

John W. Kaveney

Partner, Healthcare and Litigation Departments

Mr. Kaveney focuses his practice in the area of healthcare law, representing a range of clients that includes for-profit and non-profit hospitals and health systems, academic medical centers, individual physicians and physician groups, ambulatory surgery centers, ancillary service providers, medical billing companies, skilled nursing and rehabilitation facilities, behavioral health centers and pharmacies.

His practice in the healthcare field encompasses advising healthcare clients on corporate compliance matters, including the implementation of new, and the assessment of existing, corporate compliance programs. He also assists healthcare clients with compliance audits and investigations, as well as guiding clients through the self-disclosure and repayment processes. Finally, he provides general legal advice concerning compliance and regulatory matters under state and federal healthcare laws.

In the area of information privacy and data security, Mr. Kaveney advises healthcare clients on issues arising under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). This includes the implementation and assessment of privacy and security policies and procedures to ensure the proper protection and utilization of protected health information both by healthcare providers and the business associates with which they contract. In addition, he represents healthcare clients in investigating, reporting, and remediating information breaches and the liability such breaches create under various information privacy and security laws.

Additionally, Mr. Kaveney provides counsel on Medicaid and Medicare reimbursement matters before the Division of Medical Assistance and Health Services and the Provider Reimbursement Review Board, as well as assisting clients in civil litigation and with professional licensing and medical staffing concerns.

Contact information:

jkaveney@greenbaumlaw.com | 973.577.1796

For more information visit the Greenbaum, Rowe, Smith & Davis LLP website.