The American Hospital Association (AHA) is warning U.S. hospitals about possible cyber attacks from Russia on U.S. healthcare IT systems due to rising tensions over the war in Ukraine.
With the severe economic sanctions now starting to take a toll on the Russian economy, the AHA said there is concern that Russia may retaliate against the U.S. and allied nations with disruptive cyberattacks.
"We want hospitals, their C-suite executives and chief information officers to take this very seriously. There is a war going on and the adversary is very proficient in cyberattacks," stressed John Riggi, the AHA's national advisor for cybersecurity and risk, and a former senior executive in the FBI’s cyber division.
"Cyber threats are not just an IT issue; they are an enterprise-wide problem," Riggi explained. This includes bringing down mission-critical systems for extended periods of time.
If previous experience with Russian malware is any gauge of what to expect, Riggi said healthcare systems need to be prepared to operate 4 to 6 weeks without the ability to use their computers or archive data. This includes electronic medical records (EMR), PACS, HIS, drug dispensing systems like Pyxis, inventory management, dictation, digital pathology, billing, scheduling, pharmacy, clinical reporting systems and all other IT networked within the healthcare enterprise.
Riggi is in close coordination with the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) regarding related threats which may pose a risk to U.S. healthcare. When he spoke with Healthcare Exec, he had just gotten off the phone from recording a webinar with the FBI aimed at helping hospitals better understand the Russian cyber threat.
The AHA said it is closely monitoring the potential for increased cybersecurity risks to the U.S. health system. The Russian military has previously used cyber attacks against Ukraine to disrupt the electrical grid, communications capabilities and financial institutions. For example, it was reported last week that cyber denial-of-service attacks, attributed to the Russian military, were launched against Ukraine’s Ministry of Defense, as well as its financial institutions.
In light of previous attacks and potential threats, CISA this past week issued a rare cyber “Shields Up” warning to the U.S. private sector, including healthcare organizations. This was based on the increased cyberthreat posed by the Russian government. The warning stated "every organization — large and small — must be prepared to respond to disruptive cyber activity."
Russia already has initiated cyber attacks against Ukraine
"The primary concern is not a direct attack, but healthcare becoming collateral damage from a cyber attack in Ukraine," Riggi warned. "They are not going to send bombers over here to bomb Wall Street, but they might send malware."
CISA and the FBI issued a warning Feb. 26 that the Russians had released destructive malware to target organizations in Ukraine, including the WhisperGate and HermeticWiper malware.
On Feb. 23, CISA, the U.K. National Cyber Security Centre (NCSC-UK), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory identifying that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to as Cyclops Blink. The NCSC, CISA, and FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies (GTsST). CISA said Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018. That older malware exploited network devices, primarily small office/home office routers and network attached storage devices.
More attacks of this type are expected, CISA warned.
Russian Conti ransomware gang poses threat to healthcare organizations
Conti is a notorious Russia-linked ransomware group of hackers that have extorted millions from victims across the globe, including the U.S. and Europe. The Wall Street Journal reported Conti ransomware was used in attacks in 2021 on Ireland’s public-health infrastructure. The gang was also responsible for 16 targeted attacks on U.S. emergency responders, including hospitals and 911 call centers, the Federal Bureau of Investigation (FBI) said.
Riggi said the attacks from last year make Conti a credible threat to healthcare IT systems. He also said the hacking gang last Friday made an online statement of support for Moscow and threatened to respond forcefully in kind to any cyberattacks against Russia.
American Hospital Association is coordinating cybersecurity efforts with the government and healthcare organizations
As part of AHA’s efforts, John Riggi, the association’s national advisor for cybersecurity and risk, and a former senior executive in the FBI’s cyber division, remains in close coordination with the FBI, CISA and the Department of Health and Human Services (HHS) regarding related threats which may pose a risk to U.S. healthcare.
The AHA outlined the following context of the current cyberthreat environment:
• Hospitals and health systems may be targeted directly by Russian-sponsored cyber actors.
• Hospitals and health systems may become incidental victims of, or collateral damage to, Russian-deployed malware or destructive ransomware that inadvertently penetrates U.S. healthcare entities.
• A cyberattack could disrupt hospitals’ mission-critical service providers.
"AHA’s concerns are heightened by the Russian military’s previous behavior of utilizing cyber weapons in support of military actions against Ukraine," the AHA stated in a cyber security advisory posted Feb. 23.
Previous cyber attacks on Ukraine resulted in $1 billion in damage to U.S. healthcare infrastructure
The AHA said previous Russian cyber attacks inflicted disruptive collateral damage to the U.S. healthcare system. The U.S. government in 2020 indicted six Russian military intelligence officers for the development and deployment of the destructive NotPetya malware in 2017. The malware was initially launched against Ukraine, but subsequently spread globally, disrupting operations at the U.S. pharmaceutical company Merck, the key U.S. healthcare communications company Nuance, and at some U.S. hospitals. "There were delays in treating patients because doctors' notes could not be retrieved," Riggi said.
The 2017 attack caused more than $1 billion in damages in the U.S., including at Heritage Valley Health System. The U.S. Department of Justice said Heritage Valley lost access to its mission-critical computer systems. These included computer systems relating to cardiology, nuclear medicine, radiology and surgery, which were down for about a week. The health system also lost access to its administrative computer systems for almost a month. The Justice Department said this was a serious threat to public health and safety.
AHA guidance related to government warnings of Russian cyberattacks
The AHA said it has served as a platform to amplify and provide guidance related to recent government warnings and advisories:
• The AHA on Jan. 28, 2022, received an FBI request for information regarding Russia’s recent buildup of armed forces along its shared border with Ukraine.
• CISA on Jan. 16 issued an advisory on destructive malware identified on networks in Ukraine and urged organizations to take action to strengthen their networks against potential cyberthreats.
• The AHA and the Health Information Sharing and Analysis Center (H-ISAC) on Jan. 14 issued a joint advisory strongly recommending that organizations identify, and consider blocking, any direct or third-party business associate connections and email contacts based in Ukraine and that region of the world.
• The FBI and National Security Agency on Jan. 11 released recommendations to help healthcare and other critical infrastructure organizations prevent, detect and respond to common Russian state-sponsored cyberthreats.
What hospitals can do to prepare against Russian cyber attacks
The AHA is urging hospitals and health systems to take the following cybersecurity steps immediately to help mitigate cyberattack risks:
• Share the AHA cyber security advisory with your organization’s IT and cyber infrastructure teams.
• Hospitals and health systems should review the above-identified alerts and bulletins for guidance on risk mitigation procedures, including increased network monitoring for unusual network traffic or activity, especially around Active Directory. Additionally, it is important to heighten staff awareness of the increased risk of receiving malware-laden phishing emails.
• Geo-fencing for all inbound and outbound traffic originating from, and related to, Ukraine and its surrounding region may help mitigate direct cyber risks presented by this threat; however, it will have limited impact in reducing indirect risk, in which malware transits through other nations, proxies and third parties.
• The AHA also recommends that organizations identify all internal and third-party mission-critical clinical and operational services and technology; in doing so, they should put into place four- to six-week business continuity plans and well-practiced downtime procedures in the event those services or technologies are disrupted by a cyberattack.
• It is essential at this time to check the redundancy, resiliency and security of your organization’s network and data backups, and ensure that multiple copies exist: off-line, network segmented, on premises and in the cloud, with at least one immutable copy.
• It is also critical that a cross-functional, leadership-level cyber incident response plan be fully documented, updated and practiced. This should include emergency communications plans and systems.
Information on Russian cyberattacks in Ukraine in January and February 2022
While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and its Allies.
The U.K. has determined Russia was also involved in distributed denial of service (DDoS) attacks in Ukraine in the days prior to the invasion. The U.K. government's National Cyber Security Centre said the Russian Main Intelligence Directorate (GRU) was involved in the distributed denial of service attacks against the financial sector in Ukraine on Feb. 15-16.
CISA relayed an initial warning from Microsoft in late January 2022 that Russian hackers were using destructive malware targeting Ukrainian organizations. This software is now being used in force against Ukrainian organizations. It appears to be a ransomware application that displays a ransom note for data, but it actually loads master boot record (MBR) wiper software that deletes all files on the network.
Microsoft was alerted to these attacks in progress and worked to contain the damage and stop the spread of the malware.
COVID remote working opened the door to attacks on health IT systems
Since the start of the COVID-19 pandemic, cyberattacks on healthcare institutions have risen significantly, Riggi said. He explained that as non-clinical staff were sent home to work using web-based computer connections, this vastly expanded the attack surface of hospital networks and made them more vulnerable to attacks.
In 2021, there were about 500 breaches of healthcare IT systems. Riggi said this was 60% higher than attacks in 2020 and impacted records of about 43 million patients.
Even in the hospital, Riggi said employees are often the weak link in security, many times because they do not realize the possible impacts of their actions.
"Sometimes the bad guys will identify someone at a healthcare organization and send them a personalized email to their personal email address," Riggi said. "They hope that the person they sent the message to will be checking their personal email on their hospital computer." Once the person opens the email or an attachment, the bad actors have a convenient way to bypass all the firewalls and logins to deliver malware.
Riggi offered another example of a cyberattack from unexpected quarters: a hospital where malware entered the hospital network via the cash registers in the hospital gift shop.
One of the first large-scale ransomware attacks in the U.S. was caused by a breach into a hospital's system from a soda machine that was wirelessly connected to the hospital's inventory management system.
How to protect healthcare IT systems from Russian cyber attacks
CISA recommends all organizations, regardless of size, adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets. CISA said healthcare organizations need to maximize their resilience to any type of destructive cyber incident.
Recommended actions include:
• Reduce the likelihood of a damaging cyber intrusion:
  - Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
  - Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
  - Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
  - If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA's guidance.
  - Sign up for CISA's free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
• Take steps to quickly detect a potential intrusion into IT systems:
  - Ensure that cybersecurity IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
  - Confirm that the organization's entire network is protected by antivirus/anti-malware software and that signatures in these tools are updated.
  - If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations. Closely review access controls for that traffic.
• Ensure that the organization is prepared to respond if an intrusion occurs:
  - Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
  - Assure availability of key personnel and identify means to provide surge support for responding to an incident.
  - Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
  - Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack. Ensure that backups are isolated from network connections.
  - If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
CISA also recommends organizations visit StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.
By implementing the steps above, CISA said all organizations can make near-term progress toward improving cybersecurity and resilience.
Other resources to mitigate cyberattacks:
AHA Cybersecurity Advocacy Resources, Thought Leadership and Latest News
CISA: Destructive Malware Targeting Organizations in Ukraine
CISA: Preparing for and mitigating potential cyber threats
U.K. National Cyber Security Centre: Actions to take when the cyber threat is heightened