On February 10, 2023, the United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) issued a joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against healthcare and public health sector organizations and other critical infrastructure sector entities.
Given the multi-national involvement in this CSA, healthcare organizations should take particular note of the importance of its contents.
The intent of the CSA is to supplement prior reports on actions of the Democratic People’s Republic of Korea (DPRK), namely Maui and H0lyGh0st ransomware. The CSA highlights additional observed tactics, techniques, and procedures by DPRK cyber actors suspected to be targeting South Korean and U.S. healthcare systems.
Included in the CSA is a list of potential tactics, techniques, and procedures observed in ransomware efforts, including efforts to:
- acquire infrastructure;
- obfuscate identities;
- purchase VPNs and VPSs; and
- expose vulnerabilities to gain access.
The CSA also offers a list of mitigations to help protect an organization. Many of these should already be in place; where they are not, an organization should adopt them with urgency:
- Limit access to data by authenticating and encrypting connections with network services, Internet of Things (IoT) medical devices, and the electronic health record system.
- Implement the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts, which grant excessive system administration privileges.
- Turn off weak or unnecessary network device management interfaces and, when they must remain enabled, secure them with strong passwords and encryption.
- Protect stored data by masking the permanent account number when it is displayed and rendering it unreadable when it is stored.
- Secure the collection, storage, and processing practices for personally identifiable information (PII)/protected health information (PHI).
- Secure PII/PHI at collection points and encrypt the data at rest and in transit using suitable encryption technologies. Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available.
- Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
- Implement and enforce multi-layer network segmentation, with the most critical communications and data resting on the most secure and reliable layer.
- Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
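The two mitigations on stored account numbers (mask when displayed, unreadable when stored) are easy to state and easy to get wrong. The following is an added illustration, not code from the CSA or from any of the issuing agencies: it masks an account number down to its last four digits for display and stores only a keyed HMAC-SHA256 token in place of the number, so a dump of the table yields neither the number nor anything that can be brute-forced offline without the application's secret key. The `PatientBillingStore` class, the sample account number and the in-memory key are constructed for the example; in production the key would come from a key-management service or HSM, not from the process that generated it.

```python
"""Mask an account number for display; store only a keyed one-way token of it.

Added example, not part of the joint CSA. All names, the sample data and the
in-memory key are constructed for illustration.
"""
import hashlib
import hmac
import re
import secrets


def normalize(account_number: str) -> str:
    """Strip spaces and dashes; accept only 8-19 ASCII digits (a PAN-like range)."""
    digits = re.sub(r"[\s-]", "", account_number)
    if not re.fullmatch(r"[0-9]{8,19}", digits):
        raise ValueError("account number must be 8-19 digits")
    return digits


def mask_for_display(account_number: str, visible: int = 4) -> str:
    """Return e.g. '************3456': only the last `visible` digits in clear."""
    digits = normalize(account_number)
    return "*" * (len(digits) - visible) + digits[-visible:]


def tokenize(account_number: str, key: bytes) -> str:
    """Keyed one-way token for storage.

    Equal numbers give equal tokens, so the token still works as a lookup key,
    but without `key` the token reveals nothing and cannot be brute-forced
    offline even though the input space (digits only) is small.
    """
    digits = normalize(account_number)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def matches(account_number: str, stored_token: str, key: bytes) -> bool:
    """Constant-time comparison of a presented number against a stored token."""
    return hmac.compare_digest(tokenize(account_number, key), stored_token)


class PatientBillingStore:
    """In-memory stand-in (constructed) for a table that never holds the clear number."""

    def __init__(self, key: bytes):
        self._key = key
        self._rows: dict[str, dict[str, str]] = {}  # token -> row

    def add(self, patient_id: str, account_number: str) -> str:
        token = tokenize(account_number, self._key)
        self._rows[token] = {
            "patient_id": patient_id,
            "display": mask_for_display(account_number),
        }
        return token

    def find_by_account(self, account_number: str):
        """Look a record up by account number without ever storing the number."""
        return self._rows.get(tokenize(account_number, self._key))

    def contains_cleartext(self, account_number: str) -> bool:
        """Audit helper: does any stored row contain the full number in clear?"""
        digits = normalize(account_number)
        return any(digits in str(row) for row in self._rows.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # demo only; production keys live in a KMS/HSM
    store = PatientBillingStore(key)
    store.add("P-0001", "1234 5678 9012 3456")  # constructed sample data
    print(store.find_by_account("1234567890123456"))
    print("cleartext leaked:", store.contains_cleartext("1234567890123456"))
```

A keyed token is the right choice when the system only needs to recognise an account number it has seen before (matching, de-duplication, lookup). If the clear number must be recovered later, for example to submit a claim, use authenticated encryption under a managed key instead, and keep the masked form as the only value that ever reaches a screen or a log.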
The CSA concludes by outlining a list of actions to prepare for potential ransomware attacks, including the following:
- Maintaining isolated backups of data and regularly testing backup and restoration
- Creating, maintaining, and exercising a basic cyber incident response plan
- Installing software updates as soon as they are released
- Implementing user training programs
- Requiring strong passwords
- Auditing user accounts
- Installing and regularly updating anti-virus and anti-malware software
Organizational leadership and IT professionals within healthcare organizations should be aware of this CSA and its contents to ensure all possible protective actions have been taken. Continued, persistent vigilance is critical, as these cyberattacks appear to be growing more frequent and more sophisticated.
Case in point: On February 15, 2023, it was reported that Community Health Systems, a large Tennessee-based healthcare organization with close to 80 hospitals in 16 states, confirmed that criminal hackers accessed the personal and protected health information of up to 1 million patients. While this breach appears to have been the work of a Russia-linked ransomware group, it highlights how these risks can impact even the largest and most sophisticated organizations. Continued vigilance is therefore critical.