Echoing recent healthcare industry stakeholder groups, the Department of Health and Human Services is urging provider organizations to review and bolster defenses to guard against possible fallout from the Russian invasion of Ukraine. As a general rule, business continuity plans should cover between four to six weeks of continuity in the wake of an attack.
HHS is concerned that U.S. hospitals and health systems may be directly targeted by Russian-sponsored cyber actors, or become incidental victims of Russian-deployed malware or ransomware. The overt concern is that a cyberattack could disrupt hospital services.
As previously reported, the American Hospital Association and HHS Cybersecurity Coordination Center, as well as healthcare entities, have seen an increase in nefarious cyber activity like phishing attacks in the wake of the invasion.
In particular, AHA National Advisor for Cybersecurity John Riggi is concerned with the ongoing use of "vulnerability chaining" from Russian-state hackers. These attacks link multiple vulnerabilities together into a single attack to exploit networks and data, highlighting the need to use properly configured multi-factor authentication to detect and block unknown devices.
Healthcare entities should also prioritize vulnerability patching to prevent unauthorized remote access and coded execution. Riggi added that “reports of the Russian military deploying destructive malware in Ukraine continue to add urgency to acting on all alerts related to cyber threats posed by the Russian government."
Noting the complicated root cause of the Ukrainian conflict, HHS dives deeper into Russian-based threats and potential attack methods that providers should review to bolster monitoring, reviewing, and defense mechanisms.
In particular, the Conti group has expressly stated its support of the Russian attacks, especially organizations where IT outages could impact lives. The healthcare sector has been a prime target of the ransomware actors for the last two years, as such, HHS warned covered entities should review indicators of compromise.
The alert also contains attack details for NotPetya, Ryuk, and FIN12, both of which have highly targeted U.S. hospitals and healthcare entities using ransomware. Ryuk has exploited more than 235 hospitals and inpatient facilities since 2018.
One out of five FIN12 victims are in the healthcare sector, HHS explained. The group was behind multiple, major attacks on the U.S. healthcare system, “focused purely on ransomware, moving faster than its peers and hitting big targets and high-revenue victims.”
The HHS threat analysis also includes threat tactics and indicators of compromise for the more recent wiper variants spotted in the wild being used by Russian-based hacking groups.
Covered entities are being urged to ensure they’re prepared for a potential fallout, by reviewing reporting processes and minimizing personnel gaps in IT and OT security and practicing incident response, resilience, and business continuity plans to ensure care operations can continue in the event of an attack even if systems are disrupted or forced offline.
HHS also recommended geo-fencing for all inbound and outbound traffic related to Ukraine and surrounding regions. The insights include a host of free resources, including those outlining the threat of Russian-based cyberattacks.