FBI, CISA Warn of North Korean Ransomware Threat Targeting Healthcare Organizations
Cyberthreats to the healthcare industry are growing, especially ransomware attacks. In a joint cybersecurity advisory, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of the Treasury warned that North Korean state-sponsored cyber actors have been using Maui ransomware to target healthcare and public health organizations since at least May 2021. They expect these attacks to continue.
“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” states the advisory.
The FBI responded to multiple incidents over the past year in which Maui ransomware was used to encrypt servers responsible for healthcare services such as electronic health records, diagnostics, imaging and hospital intranets. The initial access vector is unknown. However, some organizations’ services were impacted for prolonged periods.
The U.S. Department of Justice announced on July 19 that it recently recovered two ransom payments totaling approximately $500,000 made by U.S. healthcare organizations in response to Maui ransomware attacks. The FBI and CISA highly discourage healthcare organizations from paying ransoms, as doing so doesn’t guarantee that files and records will be recovered.
However, there are several steps healthcare organizations can take to mitigate the impact of an attack and protect patient data and critical infrastructure.
Mitigation Tactics to Protect Healthcare Data from Maui Ransomware
According to the joint advisory, healthcare organizations should:
- Deploy public key infrastructure and digital certificates to authenticate connections with their network, Internet of Medical Things devices and the EHR to limit malicious actors’ access to data
- Use standard user accounts rather than administrative accounts on internal systems because administrative accounts allow for overarching system privileges and don’t ensure least privilege
- Turn off network device management interfaces for WANs; when enabled, they should be secured with strong passwords and encryption
- Secure personally identifiable information and patient health information when collected and then encrypt the data, both at rest and in transit; PII and PHI should only be stored on internal systems protected by firewalls, and extensive backups should be made
- Secure the collection, storage and processing practices for PII and PHI in compliance with HIPAA to avoid introducing malware
- Implement and enforce multilayer network segmentation with the most critical communications and data resting on the most secure and reliable layer
- Use monitoring tools to observe whether IoMT devices are behaving erratically due to a compromise
- Create and regularly review internal policies that regulate the collection, storage, access and monitoring of patient data
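The monitoring recommendation above is the one most easily illustrated in code. The following is an added example, not code from the advisory or from HealthTech: it learns, per medical device, which destination hosts and ports are normal and how large its transfers get, then flags flows that leave that baseline. The flow records, device names and the volume multiplier are constructed assumptions; a real deployment would feed it NetFlow or firewall logs from the medical-device VLAN.

```python
"""Baseline-and-deviation check for medical-device (IoMT) network traffic.

Added illustration only: flow records are constructed, and field names and
thresholds are assumptions rather than anything from the advisory.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device: str      # IoMT device identifier (e.g. an infusion pump)
    dst: str         # destination host the device talked to
    port: int        # destination port
    bytes_out: int   # bytes the device sent in this flow


# Constructed "learning period" traffic: each device talks only to its
# expected servers (EHR interface, imaging archive) on known ports.
BASELINE_FLOWS = [
    Flow("infusion-pump-07", "10.20.1.5", 443, 1_200),
    Flow("infusion-pump-07", "10.20.1.5", 443, 1_350),
    Flow("infusion-pump-07", "10.20.1.9", 8443, 900),
    Flow("ct-scanner-02", "10.20.2.10", 104, 450_000),   # DICOM to PACS
    Flow("ct-scanner-02", "10.20.2.10", 104, 520_000),
]

# Constructed "observation" traffic: the pump reaches a host it never used
# on a port it never used, and pushes far more data than its baseline.
OBSERVED_FLOWS = [
    Flow("infusion-pump-07", "10.20.1.5", 443, 1_300),
    Flow("infusion-pump-07", "10.20.1.5", 445, 1_500),
    Flow("infusion-pump-07", "10.30.9.44", 445, 80_000),
    Flow("ct-scanner-02", "10.20.2.10", 104, 500_000),
]


def build_baseline(flows):
    """Per device: the set of (dst, port) pairs seen and the largest single
    transfer, learned from a period believed to be clean."""
    peers = defaultdict(set)
    max_bytes = defaultdict(int)
    for f in flows:
        peers[f.device].add((f.dst, f.port))
        max_bytes[f.device] = max(max_bytes[f.device], f.bytes_out)
    return peers, max_bytes


def find_deviations(flows, peers, max_bytes, volume_factor=5):
    """Return (device, reason, detail) tuples for flows outside the baseline:
    an unseen destination/port, or a transfer more than volume_factor times
    the largest one seen during learning. A device with no baseline at all is
    reported too, since an unexpected host on a medical VLAN is itself a signal."""
    alerts = []
    for f in flows:
        if f.device not in peers:
            alerts.append((f.device, "unknown-device", f"{f.dst}:{f.port}"))
            continue
        if (f.dst, f.port) not in peers[f.device]:
            alerts.append((f.device, "new-peer", f"{f.dst}:{f.port}"))
        if f.bytes_out > volume_factor * max_bytes[f.device]:
            alerts.append((f.device, "volume-spike", f"{f.bytes_out} bytes"))
    return alerts


def run_demo():
    """Learn from the constructed baseline, then score the observed flows."""
    peers, max_bytes = build_baseline(BASELINE_FLOWS)
    return find_deviations(OBSERVED_FLOWS, peers, max_bytes)


if __name__ == "__main__":
    for device, reason, detail in run_demo():
        print(f"ALERT {device}: {reason} ({detail})")
```

The CT scanner's flows stay quiet because they match its learned peer and volume; the pump raises three alerts, two for new peers and one for the volume spike. In practice the baseline should be rebuilt whenever a device is legitimately reconfigured, and the volume multiplier tuned per device class so that an imaging modality's large but normal transfers do not generate noise.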
In addition to updating software, using strong passwords and training staff, healthcare organizations also can prepare for ransomware threats by:
- Maintaining offline data backups
- Regularly testing backup and restoration capabilities
- Ensuring all backup data is encrypted and immutable, and encompasses the organization’s data infrastructure
- Creating, maintaining and exercising a basic cyber incident response and communication plan that includes response procedures for a ransomware incident
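Two of the backup practices above, immutability and regular restore testing, come down to a simple discipline: record what the backup set looked like when it was written, and later prove both that nothing in it has changed and that it can actually be restored. The following is an added example, not code from the advisory or from HealthTech. It builds a hash manifest for a backup directory, detects a file that was altered afterwards (which is what a backup encrypted in place by ransomware looks like), and runs a restore drill. The file names and contents are constructed; the manifest file name is an assumption.

```python
"""Backup manifest, tamper check and restore drill.

Added illustration only: the backup set is a temporary directory holding
constructed files, and the manifest format is an assumption.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"   # assumed name, kept alongside the backup


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Record the hash of every file in the backup set. The manifest belongs
    with the offline/immutable copy so that any later change is detectable."""
    manifest = {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(backup_dir: Path) -> list:
    """Return the files that are missing or whose contents no longer match the
    manifest; an empty list means the set is intact."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file() or sha256_file(p) != expected:
            problems.append(rel)
    return problems


def restore_drill(backup_dir: Path, restore_dir: Path) -> bool:
    """Exercise the restore path: copy the set out and check every restored
    file against the manifest, so the drill proves the backup is usable."""
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    return verify_manifest(restore_dir) == []


def run_demo() -> dict:
    """Constructed scenario: a clean backup passes, a restore drill passes,
    then one record is overwritten and the check names it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "ehr").mkdir(parents=True)
        (backup / "ehr" / "records.db").write_bytes(b"constructed patient-record data")
        (backup / "imaging.tar").write_bytes(b"constructed imaging archive")
        write_manifest(backup)
        clean = verify_manifest(backup)
        drill_ok = restore_drill(backup, Path(tmp) / "restore")
        # Simulated damage: the record file is overwritten after the manifest was taken.
        (backup / "ehr" / "records.db").write_bytes(b"\x00garbled")
        tampered = verify_manifest(backup)
    return {"clean": clean, "drill_ok": drill_ok, "tampered": tampered}


if __name__ == "__main__":
    print(run_demo())
```

The manifest only helps if an attacker who reaches the backup cannot also rewrite it, which is why the advisory pairs "immutable" with "offline": keep the manifest (or at least its own hash) on a copy the production network cannot write to, and schedule the restore drill rather than waiting for an incident to discover that a backup is unusable.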
Healthcare organizations facing a ransomware threat should report the incident to the FBI, CISA or the U.S. Secret Service.