A new advisory coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) warns of the potential for ransomware attacks against hospitals and medical systems. 

“CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers,” the advisory states. “CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”

According to the Department of Health and Human Services, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015). HHS also notes that the HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. 

Veteran FBI cybersecurity expert and current Senior Incident Response Advisor at CRITICALSTART, Allyn Lynd notes that Ransomware attacks, “have only accelerated under the lockdowns being used to combat COVID-19. The cost of the ransom has risen, and according to some reports the average ransom demand is now about $1.4 million, with some ransoms reaching into the tens of millions.”

He emphasizes that the cost of ransomware attacks on the healthcare sector extend beyond dollars, pointing to the reported death of a patient in Duesseldorf, Germany last year. The critically ill patient had to be routed to a distant hospital when the local facility was closed due to IT system failure.

“Hospitals and health care providers must have plans in place to identify these attacks before they reach the level of concrete ransom demands,” Mr. Lynd stresses.

The recent advisory offers recommendations and best practices for protecting practices. Among the recommendations, the advisory states:

CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following: 

• Regularly back up data, air gap, and password protect backup copies offline. 
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.