Federal Agencies Warn of Cyberattacks on U.S. Hospitals

By Margaret Young Levi and Kathie McDonald-McClure

On October 28, 2020, the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning hospitals and the health care community about coordinated ransomware attacks on hospitals designed to steal data and freeze hospital information systems for financial gain.

Six U.S. hospitals fell victim to this attack on October 27th, and the FBI, HHS, and CISA have credible information that more hospitals will be targeted. The ransomware behind these attacks is known as Ryuk, which uses TrickBot and other malware to execute the attack. Ryuk is designed to allow the cybercriminals to stealthily access, map and move laterally across the victim’s network before encrypting critical data files and deleting connected backups.

Network Best Practices. The Joint Cybersecurity Advisory provides some practical precautions that health care providers can put in place to protect their networks from these threats:

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts.
  • Do not reuse the same password for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Ensure that your remote access and application “block lists” and “allow lists” are up-to-date so that only those programs and individuals with permission can access your system.
  • Audit user accounts with administrative privileges and configure access controls with minimum necessary privileges in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and address ports that are not needed. (Ports are your network’s gateways for internet data exchange. There are 65,535 TCP ports and 65,535 UDP ports. Cybercriminals scan these ports to find access into your network and you should too!)
  • Identify the critical data assets on your network and ensure that backups of these assets are not connected to the network 24-7 and the most recent backup is housed offline from the network.
  • Implement network segmentation to secure sensitive data. For example, sensitive data files should not reside on the same server as email.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
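Two of the items above (auditing logs for new accounts and privileged-group changes, and checking listening ports against what is actually needed) lend themselves to a small review script. The following is an added example written for this post; it is not part of the Joint Cybersecurity Advisory or Wyatt's materials. The log lines and `netstat -ano` output are constructed, the `key=value` export layout is an assumption (real EVTX or SIEM exports differ in shape but carry the same Windows field names), and the approved provisioner list, off-hours window and port baseline are placeholders an organization would replace with its own.

```python
"""Added example: review exported Windows Security events for new accounts and
privileged-group additions, and compare listening ports against a baseline.
All sample data below is constructed for illustration."""
from datetime import datetime

# Constructed sample of exported Security-log lines (assumed key=value layout).
# Event ID 4720 = a user account was created; 4732 = a member was added to a
# security-enabled local group; 4624 = a successful logon (ignored here).
SAMPLE_SECURITY_LOG = """\
2020-10-27T02:14:05 EventID=4720 TargetUserName=svc_backup2 SubjectUserName=jsmith Computer=HOSP-DC01
2020-10-27T02:14:09 EventID=4732 MemberName=svc_backup2 TargetUserName=Administrators SubjectUserName=jsmith Computer=HOSP-DC01
2020-10-27T09:30:41 EventID=4720 TargetUserName=nurse.lee SubjectUserName=helpdesk1 Computer=HOSP-DC01
2020-10-27T10:02:13 EventID=4624 TargetUserName=nurse.lee SubjectUserName=- Computer=HOSP-WS17
"""

# Placeholder policy values (assumptions, not from the advisory).
APPROVED_PROVISIONERS = {"helpdesk1", "hr_onboard"}   # accounts allowed to create users
OFF_HOURS = range(0, 6)                               # 00:00-05:59 local time
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}


def parse_security_log(text):
    """Turn each 'timestamp key=value ...' line into a dict with a parsed time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, rest = line.partition(" ")
        event = dict(kv.split("=", 1) for kv in rest.split())
        event["time"] = datetime.fromisoformat(stamp)
        events.append(event)
    return events


def audit_account_events(events):
    """Return (account, reason) pairs for account changes that need review."""
    findings = []
    for ev in events:
        if ev["EventID"] == "4720":
            new_account = ev["TargetUserName"]
            if ev["SubjectUserName"] not in APPROVED_PROVISIONERS:
                findings.append((new_account, "account created by non-provisioner"))
            if ev["time"].hour in OFF_HOURS:
                findings.append((new_account, "account created off-hours"))
        elif ev["EventID"] == "4732" and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            # For 4732 the group name is in TargetUserName; the new member is MemberName.
            findings.append((ev["MemberName"],
                             f"added to privileged group {ev['TargetUserName']}"))
    return findings


# Constructed sample of Windows 'netstat -ano' output.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1188
  TCP    10.20.5.14:443         10.20.7.9:51234        ESTABLISHED     2044
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:161            *:*                                    1460
"""

# Placeholder baseline of (protocol, port) pairs the host is expected to expose.
BASELINE_LISTENING = {("TCP", 135), ("TCP", 445), ("UDP", 161)}


def listening_sockets(netstat_text):
    """Yield (proto, port, pid) for bound sockets. UDP lines carry no state
    column, so any bound UDP socket is treated as listening."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])       # rsplit also handles [::]:135
        if proto == "TCP" and parts[3] != "LISTENING":
            continue
        yield proto, port, parts[-1]


def unexpected_listeners(netstat_text, baseline):
    """Sorted list of listening (proto, port, pid) triples not in the baseline."""
    return sorted({sock for sock in listening_sockets(netstat_text)
                   if (sock[0], sock[1]) not in baseline})


if __name__ == "__main__":
    for account, reason in audit_account_events(parse_security_log(SAMPLE_SECURITY_LOG)):
        print(f"REVIEW account {account}: {reason}")
    for proto, port, pid in unexpected_listeners(SAMPLE_NETSTAT, BASELINE_LISTENING):
        print(f"REVIEW listener {proto}/{port} (PID {pid}) not in baseline")
```

On the constructed data the script flags the `svc_backup2` account (created at 02:14 by an account outside the provisioner list, then added to Administrators within seconds) and the unexpected RDP listener on TCP/3389, while the daytime `nurse.lee` creation by the help desk passes. The point is the shape of the check: compare what the logs and sockets show against a written baseline, and route anything outside it to a human for review.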

End User Awareness and Training. As pointed out in the Joint Cybersecurity Advisory, a best practice includes focusing on user awareness and training. Because end users are the most common targets, ensure employees and stakeholders are aware of ransomware and phishing scams and how they are delivered. So that you can mitigate the risk promptly and deploy your data security incident response plan, ensure employees and stakeholders know whom to contact if they see suspicious activity or believe they are the victim of an attack.

Addressing the Ransom Demand. The Joint Cybersecurity Advisory also includes information on what to do immediately when a ransomware attack is discovered. In particular, it advises not paying ransoms. For more information, read our article on the Wyatt HITECH Law blog discussing two new Treasury Department advisories issued on October 1, 2020 about the risks of paying ransoms and the potential for sanctions when doing so.

The Wyatt Data Incident Response Team has prepared “Six Tips” on responding to a cybersecurity incident within the first 24-48 hours. For more information on Wyatt’s Data Privacy & Security Incident Response Team see our Data Privacy & Incident Response Team brochure and visit the Data Incident Response Team tab on this blog.

Massive malicious email campaign spoofs Google Docs to hijack Gmail accounts

A massive email phishing campaign started Wednesday afternoon. The email attacks target Google accounts but have spread to other email accounts as people have been tricked into clicking on the link in the email and have unwittingly supplied their Google account access credentials and access to their contacts.

The reports of the malicious emails are coming from people across a range of industries. The emails contain what looks like a link to a Google Docs document and appear to come from someone you know. These emails, however, are malicious and are designed to trick the recipient in a way that allows the cybercriminal to hijack email accounts or infect the user’s computer.

If you receive an email with a link to Google Docs, BEWARE!  These emails are designed to look like they come from a trusted or known source.  Do not click on any links in emails that you were not expecting.

A screen shot of one of the Google Docs phishing emails is shown below. If you receive one of these emails, delete it ASAP.  If you use Gmail or Google Inbox, consider activating the 2-factor authentication feature to secure your account.

Several major news organizations and cable networks are reporting on this story.  For the most up-to-date news on this developing story, use your favorite internet search engine to search for “google phishing email scam”.

[Image: A sample Google Docs phishing email. The form and style of the email may vary from this sample.]

To read Google’s Gmail Help on phishing emails, use your preferred internet search engine and search for: “Google Help and how to avoid and report phishing emails”.

If you are attacked by malware or a phishing email that compromises your organization’s privacy and security, Wyatt’s experienced Data Security Incident Response Team is ready to help.