The Department of Health and Human Services’ (HHS) recent Cybersecurity Report details six steps providers should take in the event of a cyberattack.
- Contact your Federal Bureau of Investigation (FBI) Field Office Cyber Task Force (fbi.gov/contact-us/field/fieldoffices) immediately to report a cyber incident and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cybercriminals globally and to assist victims of cybercrime.
- Please report cyber incidents to the United States Computer Emergency Readiness Team (US-CERT) at www.us-cert.gov/ncas and to the FBI’s Internet Crime Complaint Center at ic3.gov.
- For further analysis and healthcare-specific indicator sharing, contact HHS’ Health Sector Cybersecurity Coordination Center (HC3) at HC3@hhs.gov.
Have plans in place to respond nimbly to a cyberattack. For example, a Missouri healthcare organization fell victim to a ransomware attack, leading the organization to redirect ambulances as a safety measure. This was a small clinic of under 50 beds that specialized in treating trauma and stroke patients. The attack compromised the entire electronic health record (EHR) system, prompting the facility to take precautions in an effort to guarantee quality of care.
If a monitoring team or employees see suspicious activity on your organization’s servers, don’t assume that it can’t be an attack because your organization is only small or medium-sized. Hackers look for targets that require the least time, effort, and money to exploit. Do not make the mistake of thinking that your practice, no matter how small, is not a target for indiscriminate cyberattacks. Malicious actors will always exist. Whether you are a small-practice physician or the chief information security officer (CISO) of a large healthcare entity, your job is to make it difficult for these attackers to succeed.
If you discover that your computer has been infected, immediately disconnect it from the network and notify your IT security team. Do not power off or shut down the computer or server, in case an image of volatile memory (RAM) needs to be collected for forensics and incident response investigations. Due to the severity and time sensitivity of ransomware attacks, it is in your best interest and that of your organization to always seek out the help of professional IT security or a similar point of contact when you think your computer is infected with ransomware.
Ransomware’s defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key. However, hackers may deploy ransomware that destroys or exfiltrates data, or ransomware in conjunction with other malware that does so. Paying a ransom does not guarantee that the hacker will decrypt or unlock the stolen or locked data. Ransomware threats may incorporate tactics or techniques that are the same as those used by other threats. For example, successful phishing attacks may lead to the installation of ransomware.
Cyberattacks can also affect medical devices, such as heart monitors and even hospital beds. Know your organization’s protocols in case of a potential shutdown or attack against medical devices. Help patients and staff by understanding the processes and procedures; this can help mitigate the impact. That means asking:
- How do we notify patients if their medical devices are compromised?
- How do patients notify us if they suspect their medical devices are compromised?

Each organization should have IT security professionals to help answer any questions on the policy and governance associated with medical devices. If your organization does not, ask your supervisor for information and/or resources allowing you to learn more about the threat. Vendors or manufacturers of medical devices may need to be engaged to understand vulnerabilities, risks, and appropriate protection and response measures.