Healthcare and Public Health Sector

Cybersecurity threats to healthcare organizations and patient safety are real. Health information technology provides critical life-saving functions and consists of connected, networked systems that leverages wireless technologies, which in turn leave such systems more vulnerable to cyber-attacks. Recent highly publicized ransomware attacks on hospitals, for example, necessitated diverting patients to other hospitals and led to an inability to access patient records to continue care delivery. Such cyber-attacks can also expose sensitive patient information and lead to substantial financial costs to regain control of hospital systems and patient data. From small, independent practitioners to large, integrated health systems, cyber-attacks on healthcare records, IT systems, and medical devices have infected even the most protected systems. 

Given the increasingly sophisticated and widespread nature of cyber-attacks, the healthcare industry must make cybersecurity a priority and make the appropriate investments needed to protect its patients.

Like combatting a deadly virus, cybersecurity requires mobilization and coordination of resources across a myriad of public and private stakeholders, including hospitals, IT vendors, medical device manufacturers, and governments (state, local, tribal, territorial, and federal) to mitigate the risks and minimize the impacts of a cyber-attack.  Most importantly, cybersecurity is a shared responsibility, a team effort.  It is not solely an IT issue; it is an enterprise issue with impacts to mission, business, and programs.  For the health industry, it is fundamentally about patient safety and uninterrupted care delivery. Cyber Safety is Patient Safety!

Few issues are more important than ensuring the health sector's safety, security, and integrity relied upon by millions of American citizens. As the Sector Risk  Management Agency (SMRA), the Department of Health and Human Services (HHS) has a lead role in improving the safety, resilience, and security of the sector.  Specifically, the HHS Cybersecurity Program through the Office of Information Security has invested in major initiatives and partnerships to serve the needs of the sector, the HHS 405(d) - Aligning Healthcare Industry Security Approaches Program and the Health Sector Cybersecurity Coordination Center (HC3).  Below is more information about these programs and resources that the HPH sector can turn to related to ransomware. Also, visit Health Sector Coordinating Council for a list of the Cybersecurity Working Group's best practices and recommendations. 

HHS 405(d) – Aligning Healthcare Industry Security Approaches

In response to the Cybersecurity Act of 2015, Section 405(d), HHS in partnership with industry established the 405(d) Aligning Healthcare Security Approaches Program. Designed to be the leading collaboration center of the Office of the Chief Information Officer/Office of Information Security, the 405(d) program is focused on providing the HPH sector with useful and impactful resources, products, and tools that help raise awareness and provide vetted cybersecurity practices, which drive behavioral change and move towards consistency in mitigating the most relevant cybersecurity threats to the sector.

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), the primary publication of the Cybersecurity Act of 2015, Section 405(d) Task Group, aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. The HICP examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores (5) current threats, to include Ransomware, and presents (10) practices to mitigate those threats. The publication includes a main document, two technical volumes, and resources and templates.

Additional 405(d) Resources

In the past year the 405(d) Program has grown its reach and continues to pursue its mission of Aligning Health Care Industry Security Approaches.  The 405(d) program is now able to assist with many of your cybersecurity needs.  Whether it’s instituting a cybersecurity program structure using HICP, or educating your staff on cybersecurity, we are here for you.  Visit us at 405d.hhs.gov and follow us on Social Media @ Ask405d across LinkedIn, Twitter, Facebook, and Instagram. Also please feel free to email us at Cisa405d@hhs.gov

Health Sector Cybersecurity Coordination Center (HC3) 

The HC3 is part of the Department of Health and Human Services’ Cybersecurity Program. HC3’s mission is to support the defense of the healthcare and public health sector’s information technology infrastructure. This group advances the agency’s efforts to coordinate and share information within the sector by cultivating cybersecurity resilience, regardless of organizations’ technical capacity. HC3 develops education and mitigation resources while fostering HPH sector collaboration and partnerships.

Additional HC3 Resources: www.hhs.gov/hc3. To get the latest alerts from HC3 or be invited to the HC3 webinars, please contact HC3@hhs.gov.

Supporting Ransomware Awareness Products

• Black Basta Threat Profile
  • A HHS Report on Threat Profile: Black Basta
• LockBit 3.0 Analyst Note
  • A HHS Report on LockBit 3.0 Ransomware
• MedusaLocker Ransomware Analyst Note
  • A HHS Report on MedusaLocker Ransomware
• Royal and BlackCat Ransomware TLP Clear
  • A HHS Report on Royal and BlackCat Ransomware
• Responding to Ransomware
  • A Guide to Healthcare Organizations
• Ransomware Threat Flyer
  • A HHS poster about ransomware attacks in healthcare.
• Spotlight Webinar - Ransomware
  • A spotlight webinar series on ransomware and the healthcare industry.
• Ransomware Cyber Awareness
  • A five-threat series focusing on information ransomware attacks through the HHS Cybersecurity Program.
• Qbot/Qakbot Malware Report
  • A HHS report on Qbot/Qakbot Malware.
• Ryuk Variant Report
  • A HHS report on the Ryuk Variant.
• Conti Ransomware Analyst Note
  • A HHS analyst note on Conti ransomware due to it's attack on Ireland's national health system - the Health Service Executive (HSE). 
• Conti Ransomware Healthcare Networks
  • The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year. The data from this document is provided to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber actors.
• CLOP Analyst Note
  • A HHS analyst note on the CLOP ransomware variant associated with the FIN11 threat actor group. 
• TrickBot, Ryuk, and the HPH Sector
  • A HHS report on TrickBot, Ryuk, and the HPH Sector. 
• TrueFighter, and RDP Access
  • A HHS report on True Fighter and RDP Access. 
• NetWalker Ransomware
  • A HHS report on Netwalker Ransomware. 
• COVID-19 Threats Update
  • An update by HHS on the COVID-19 Cyber Threats. 
• The Dark Web and Cyber Crime
  • A HHS report on the Dark Web and Cyber Crime.
• Ransomware Activity Targeting the Healthcare and Public Health Sector
  • This joint cybersecurity advisory coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory [Alert (AA20-302A)] describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.
• Cybersecurity Perspectives: Healthcare and Public Health (HPH) Response to COVID-19
  • In light of ransomware threats to the Healthcare and Public Health (HPH) sector, this CISA Insights document provides HPH entities with recommendations, observations, and findings derived from an analysis of HPH entities enrolled in CISA’s free vulnerability scanning service from March to November 2020.
• Domain-Based Message Authentication, Reporting, and Conformance(DMARC)
  • The DMARC product was created to call attention to an email authentication policy that protects against bad actors using fake email addresses disguised to look like legitimate emails from trusted sources. DMARC makes it easier for email senders and receivers to determine whether or not an email legitimately originated from the Identified sender. Further, DMARC provides the user with instructions for handling the email if it is fraudulent.
• Multi-Factor Authentication
  • Multi-factor authentication is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login. MFA increases security because even if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space, computing device, network, or database. This CISA fact sheet highlights why healthcare and public health organizations should be interested in MFA.