CISA: HPH Cyber Threat Insights, Ransomware Reduction Campaign

January 25, 2021 - The Department of Homeland Security Cybersecurity and Infrastructure Security Agency recently unveiled a campaign designed to tackle ransomware risks and threats across the US. Earlier, CISA shared insights on healthcare and public health sector threats amid the COVID-19 response.

The Reduce the Risk of Ransomware Campaign is focused on creating a sustained, coordinated effort to encourage all public and private sector entities to implement best practices, tools, and resources to mitigate the risks and threats tied to ransomware.

Across all sectors, but particularly in the healthcare and education sectors, ransomware has increasingly disrupted services, caused data loss and theft, and impacted the bottom line. Its hackers have increasingly modified their attack methods to increase the odds of a higher payout -- to great success.

In the past year, CISA has consistently shared threat information and guidance to support a range of entities in combating the threat. To Acting CISA Director Brandon Wales, the campaign furthers the agency’s commitment to supporting sectors in protecting their networks from ransomware.

“This includes working collaboratively with our public and private sector partners to understand, develop and share timely information about the varied and disruptive ransomware threats,” Wales said in a statement.

READ MORE: Key 2021 Insights: Proactive Security Needed for Ransomware, Phishing

“Anyone can be the victim of ransomware, and so everyone should take steps to protect their systems,” he added.

The campaign will have a particular focus on supporting COVID-19 response organizations and educational institutions, which have received the brunt of these attacks. CISA is hoping to raise awareness on the importance of tackling the ransomware issue, as part of an entity’s broader cybersecurity and data protection best practices.

CISA plans to leverage its social media platforms for the next several months to “iterate key behaviors or actions with resource links that can help technical and non-technical partners combat ransomware attacks.”

As part of the campaign announcement, CISA launched a one-stop ransomware resource page broken down into four categories: alerts, guides and services, fact sheets, and training and webinars.

Many of the resources were developed in collaboration with the Multi-State Information Sharing and Analysis Center, the FBI, and others.

READ MORE: 560 Healthcare Providers Fell Victim to Ransomware Attacks in 2020

CISA also recently shared insights on threats to the healthcare and public health sector in response to COVID-19. The agency performed data analysis on observations and findings from health and public health entities enrolled on CISA’s free vulnerability scanning services from March to November 2020.

During that time, 47 percent of those entities had risky ports and services exposed on internet-facing assets. The concern is that hackers are leveraging internet-facing ports and services, like the remote desktop protocol (RDP) to gain access to enterprise networks and later deliver ransomware.

As CISA previously warned, the findings revealed that threat actors are also chaining critical vulnerabilities on perimeter devices with newer flaws to compromise networks. In the most recent attacks, these hackers are exploiting unpatched virtual private networks (VPNs) and perimeter device flaws.

Lastly, 56 percent of entities were continuing to use unsupported legacy,or end-of-life software and operating systems. These vulnerable, unsupported technologies leave systems wide-open to attacks.

“Disruptive ransomware and other malicious cyberattacks significantly reduce HPH entities’ ability to provide patient care and can contribute to patient mortality,” CISA wrote. “Threat actors aim to disrupt HPH entities who have a low tolerance for down-time and may be experiencing resource and staffing constraints due to the COVID-19 pandemic.”

READ MORE: Biggest Healthcare Security Threats, Ransomware Trends into 2021

CISA is encouraging organizations to review these insights and take action using recommended mitigation strategies. These best practice steps include restricting internet-facing services to limit the exposure on the network.

Administrators should disable or securely configure risky services using multi-factor authentication and encryption wherever possible on risky services, such as RDP, SMB, Telnet, and DICOM. 

Notably, research shows millions of patient records have been exposed via picture archiving and communication system (PACS)is a medical imaging and the vulnerable DICOM protocol.

CISA also recommended organizations employ diligent mission-critical patch management policies, ensuing that actively exploited flaws are patched first. Administrators should also review vulnerability backlogs and patch all legacy flaws, which are actively used in chaining attacks.

“Triage then apply patches and software updates on systems supporting hospital operations and patient care,” CISA recommended. “Implement compensating controls or adjust security architecture to mitigate risk when patching is not possible.”

“Isolate and segment legacy systems to prevent lateral movement,” they added. “Upgrade or replace unsupported legacy software and operating systems, [and] maintain accurate hardware and software inventory.”

Previously released guidance from the Office for Civil Rights can also provide insights for public health entities and health information exchanges to ensure compliance amid the COVID-19 response.