October 14, 2021

Federal Agencies to Healthcare Organizations: Implement Ransomware Prevention and Response Immediately


The FBI, Department of Health and Human Services (HHS), and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning on Wednesday, October 28, 2020, about the imminent threat of ransomware activity targeting U.S. hospitals and healthcare providers (HPH). These federal authorities have "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers" and advised HPH institutions to be on "high-alert" for ransomware attacks this weekend. They believe the attackers have already infiltrated many HPH systems, but have not yet activated the encryption activity.

In light of this impending cyber threat, hospitals and healthcare providers should take proactive measures to secure their networks and protect patient care by immediately implementing the measures outlined in this advisory.

Continuity of care preparations

The Office of Civil Rights (OCR) considers "all mitigation efforts taken by the entity during any particular breach investigation" in assessing (retroactively) an organization's response to an incident. Proper implementation of a contingency plan will allow an organization to continue to operate critical services during an emergency and recover sensitive data, such as ePHI. 

  • Establish and practice out-of-band, non-VoIP communications.
  • Make sure staff members have copies of the plans—and review their roles/responsibilities—for emergency response, business continuity, and disaster recovery.
  • Consider limiting use of personal email. 
  • Ensure proper staffing for continuity. 
  • Be prepared to re-route patients if patient care is disrupted due to IT outage.
  • Ensure sufficient staffing to maintain continuity of operations with disrupted IT networks.
  • Report all potentially related cyber incidents to the FBI 24/7 CyberWatch Command Center at 855-292-3937.
  • Know how to contact federal authorities when phones are down, or email has been wiped.

Technical preparations

An organization's incident response procedures can greatly limit the damage caused by a ransomware attack. Successful ransomware deployment often depends on exploitation of technical vulnerabilities such as outdated software, unsecured ports, and poor access management/provisioning. Even without a detailed plan in place, critical precautions can be taken now to mitigate potential harm from an attack.

  • Rehearse IT lockdown protocol and process, including practicing backups. 
  • Make sure IT staff and security incident response team members have copies of the plans—and review their roles/responsibilities.
  • Implement effective access controls to stop or impede an attacker's movements and access to sensitive data (e.g., by segmenting networks to limit unauthorized access and communications).
  • Ensure off-line backup of medical records, including electronic records, and have a 3-2-1 backup strategy: have hard copy or remote backup, or both.
  • Expedite patching response plan (IRP) within 24 hours.
  • Prepare to maintain continuity of operations if attacked. 
  • Power down IT where not used. 
  • Consider limiting/powering down non-essential internet facing IT services.
  • Limit personal email services.

In September, CISA issued a comprehensive Ransomware Guide. Part II of the Guide outlines important steps to take immediately if your organization is under attack.

End user awareness and training

Users of information systems are often the weakest links in an organization's security posture; they are the targets the attackers seek out to gain access to the network.

  • Reinforce this high alert message with all staff who have e-mail, EMR, or other network access.
  • Reinforce that all staff are responsible for immediately reporting suspicious/unusual activity.
  • If any incoming e-mail or other message—even ones that appear to be internal to the organization—are unusual in any way, the recipient should not click on links or open attachments.
  • Call the sender to verify.

In the joint advisory, HPH Sector organizations are encouraged to review and establish patching plans, security policies, user agreements, and business continuity plans to ensure they address these current threats posed by malicious cyber actors. Now, more than ever, HPH Sector organizations should review and update their security incident response plan and business continuity and recovery plan with particular focus on the risks presented and preparedness gaps revealed by these imminent ransomware threats to the HPH sector.

The Buchanan cybersecurity and data protection team is available to work with you and cybersecurity experts to address this ransomware threat and other cybersecurity threats. Even if you believe that your system is not currently impacted, an independent review of your information security program and incident response plan, together with testing, is prudent. In the face of these threats, a healthcare organization may be expected to take proactive measures to thwart this kind of attack.
