The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.  
CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans. 

Heather Paunet, Senior Vice President at Untangle, says, “With each ransomware attack on a hospital or medical center, it becomes increasingly clear that back up plans are being developed or initiated as an immediate response while networks are down. There are many medical instruments, such as ventilators, insulin pumps, and other IoT devices that can become vulnerable network access points. These devices need to be audited constantly for software updates, patches, and other upgrades to ensure that outdated software isn’t leaving the network open for criminals.”

According to Daniel Norman, Senior Solutions Analyst at the Information Security Forum, the healthcare services industry has an out-of-date approach to security awareness, education and training.

He explains, "With this industry adopting new and emerging technologies, the requirement to educate and train the entire workforce on a range of cyber risks and threats is imperative. In addition, the safety and wellbeing of patients has historical been the top priority, so this mindset needs to translate into the security of systems and devices that will underpin the lives of many. Basic cyber hygiene standards need to be met, covering patching and updates, network segmentation, network monitoring and hardening, especially for technologies such as AI, robotics and IoT devices. Privacy should also be a high priority for anyone handling sensitive information, considering the shift towards storing patient records online.”

Mohit Tiwari, Co-Founder and CEO at Symmetry Systems, agrees, noting that, “Computing flaws are highly connected and can spread quickly -- ransomware or a breach of large data stores or compromise of medical equipment on a network. With the right investments, there is new technology that can shift certified workloads into safer virtual machines and put defenses around it, and better identity and authorization methods that thwart small errors from scaling organization wide.” 

Jeff Horne, CSO of Ordr, notes that some healthcare organizations are thinking about ransomware wrong. He explains, "These ransomware as a service organizations are run by sophisticated attackers and malicious developers operating more like a criminal company with customer service, online support, call centers, and payment processors. Just like a modern customer-focused business, they have people who respond to questions, assist with payment and decryption and are very organized. These ransomware as a service operators are making a considerable amount of money from this. This isn’t just autonomous ransomware that can be simply addressed with anti-virus software - these are focused, motivated and knowledgeable criminal operators that are targeting vulnerable healthcare organizations by exploiting vulnerabilities, gaining a foothold within their networks, and deploying ransomware that holds their important data hostage.”

CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats. CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information. 

Matt Walmsley, EMEA Director at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers, notes, “When cybercriminals claim they’ll avoid healthcare organizations, or make token “robin hood” payments to charities in attempt to portray themselves as somehow trustworthy, this alert reminds us of just how morally depraved cybercriminals can be. This is particularly true when they target critical to life sectors such as healthcare, which is under both seasonal pressures and the additional weight of dealing with COVID-19."

He adds, "The business of ransomware has changed. Criminals have moved to lower volume, but highly targeted ransomware attacks. These are multifaceted, complex, and unfold over extended periods of time and increasingly use the legitimate tools within our networks and cloud services. This makes traditional signature based defenses increasingly ineffective so we’re now detecting attackers by their behavior rather than looking for the specific tools or ransomware used. This makes it much more challenging and costly for attackers because even when they adapt configurations, their immutable behaviors still betray them. This new approach is both effective and durable."

The performance and analytical power of AI is needed to detect these subtle indicators of ransomware behaviors and the misuse of privileged credentials at a speed and scale that humans and traditional signature-based tools simply cannot achieve, Walmsley says. "Ransomware will continue to be a potent tool in cybercriminals’ arsenals as they attempt to exploit, coerce, and capitalize on organizations’ valuable digital assets.”  

Tom Kellermann, head of cybersecurity strategy at VMware Carbon Black, notes, “The ominous alert of impending destructive cyberattacks against hospitals is a credible threat should be taken seriously. The Russian cybercrime cartel who developed and distributed Trickbot and Ryuk, appear to be retaliating against the recent NSA and Microsoft take down of portions of their e-crime infrastructure. This is cyber payback and could mean a matter of life or death amid the pandemic if critical hospital systems are disrupted or destroyed interrupting patient care.”

Additionally, Tom provided the below steps that healthcare organizations can take now to protect themselves. Recommendations:

  1. Rehearse IT lock-down protocol and process including practicing backups.
  2. Ensure backup of medical records including electronic records and have a 321-backup strategy – have a hard copy or remote back-up or both.
  3. Speed up any pending software patches.
  4. Prepare to maintain continuity of operations if attacked.
  5. Review plans within the next 24 hours should you be hit.
  6. Power down IT when not used.
  7. Consider limiting the use of personal email.
  8. Be prepared to reroute patients.
  9. Ensure proper staffing for business continuity.
  10. Know how to contact federal authorities when phones are down, or email has been wiped.


Caroline Thompson, Head of Underwriting at Cowbell Cyber, says it is imperative that organizations evaluate cyber insurance for every coverage and assistance that the policy might provide prior, during and after a cyber incident. "It is often ignored that in the case of ransomware, the damage to an organization goes beyond the necessity to pay the ransom if an available backup is not a possibility. Connecting with a trusted insurance carrier, with dedicated cybersecurity expertise, is extremely important," she says.

“As the COVID-19 pandemic is overcrowding US hospitals, these attacks are coming at the worst possible time. The first line of defense here is educating hospital employees to ensure they can recognize phishing attempts and respond properly," says Horne. "The main thing that I urge every organization to do is to patch vulnerabilities quickly and to build a robust backup strategy for data in order to diminish the harm that ransomware can do. Organizations that regularly patch and have a robust backup strategy drastically reduce both the attack surface and impact of ransomware. Backup with redundancy, and offline backup specifically, and a strategy to restore systems quickly is ultimately the way you can defeat this."

He adds, "Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT (internet of medical things) devices, as we’ve seen this year with radiology machines. Once attackers are on an infected host, they can easily pull passwords out of memory and then laterally move throughout the network, infecting devices through compromised accounts and vulnerabilities.”

“Hospitals and healthcare entities are often targeted by ransomware, and they make attractive targets because they hold significant PHI and typically have weaker security infrastructure. Threat actors have opportunistically targeted healthcare entities during the COVID-19 pandemic because the drastic changes in their operating procedures have made healthcare organizations even more vulnerable. However, the threat actors behind ransomware attacks are purely motivated by financial gain. In our claims experience, hospitals are targeted less frequently than many other industries, including auto dealerships, despite having significantly more infrastructure and higher internet-facing exposure. Our data shows that within similar sample sizes of 700-800 domains, 79 auto dealerships were compromised as opposed to 56 hospitals. The recent CISA and FBI advisory may, unfortunately, result in more harm than good for healthcare entities as insurers increase the use of sub-limits on extortion or otherwise limit access to coverage” says Jeremy Turner, Head of Threat Intelligence at Coalition.

Mimecast’s Principal Security Strategist Matthew Gardiner says, "Ransomware focused cybercriminals are continuing to hone and focus their attacks. They clearly are going to where they believe the financial payoff will be the highest. This means they look for a combination of ease of entry, meaning relatively weak security programs, combined with a high willingness and ability to pay. These cybercriminals have increasingly found this combination in healthcare delivery hospital systems. These types of enterprises are highly dependent on IT to run their operations and also house some of the most sensitive data in existence. It seems clear that multiple cybercriminal groups have simultaneously discovered, particularly in this time of high pandemic related pressure, that healthcare providers around the world are very profitable targets for their financially motivated criminal activity. It remains absolutely critical that these organizations honestly assess their security programs and fill key gaps or these terrible stories will continue to be a daily occurrence."

Commenting on the news, Chester Wisniewski, Principal Research Scientist at Sophos, says, “Considering the importance of their role during the pandemic, all healthcare organizations across the world should be on high alert and should be extra vigilant following this warning from CISA. Ryuk is a serious adversary and combatting them effectively requires such vigilance, comprehensive protection and detection abilities and strong human-led mitigation when the first signs of a breach are discovered. Ryuk isn't the only game in town either. While they may be distracted by focusing on healthcare providers as CISA alleges, there are many other groups targeting anything that moves that may have a bank account. REvil, WastedLocker and others are happy to continue to target the rest of us while we breathe a sigh of relief that we aren't the CISO at a hospital. To effectively defend against this type of attack, organizations must have ubiquitous security coverage of their computing infrastructure, locked down and patched remote access infrastructure and investigate security alerts as if they are the beginning of an incident, not the end."

Peter Mackenzie, Incident Response Manager at Sophos, notes, “It is important to note that ransomware attacks on hospitals are common, but in our experience they are not affected more than other industries. Earlier in the pandemic there were fewer attacks targeting hospitals after many ransomware groups publicly stated that they would avoid them. It is clear the operators behind Ryuk are back from their summer break, and now targeting hospitals along with other industry sectors. Most of the heightened interest in these attacks stems from the attack on UHS hospitals a few weeks back. This saw many hospitals hit at once, but only because they were all connected. In other words, it wasn’t a string of attacks, but rather a single attack that affected multiple sites.”