UPDATE: HHS released an additional update on May 15 with new details regarding the ransomware attack.
Last week, multiple countries around the world reported falling victim to the WannaCry ransomware attack. Numerous hospitals and healthcare information systems, including the National Health Service (NHS), were impacted.
NHS had to cancel certain services, patient records were unavailable and phones reportedly did not work.
However, an “accidental hero” stopped the ransomware attack from continuing to spread by registering a domain name that had been hidden in the malware, according to multiple reports. The researcher, who identified himself as MalwareTech, found and inadvertently activated a “kill switch” in the malicious software.
Even so, numerous US agencies are warning healthcare organizations to continue exercising caution in their online activities, especially when it comes to opening emails.
“HHS is aware of a significant cyber security issue in the UK and other international locations affecting hospitals and healthcare information systems,” HHS-ASPR-OEM Critical Infrastructure Protection Lead Laura Wolf explained in an email. “We are also aware that there is evidence of this attack occurring inside the United States.”
“We are working with our partners across government and in the private sector to develop a better understanding of the threat and to provide additional information on measures to protect your systems.”
HHS stressed that organizations should be careful when opening any emails or email attachments, as this can be a key way for ransomware to spread.
HHS suggested the following steps to protect against ransomware attacks through email:
- Only open up emails from people you know and that you are expecting. The attacker can impersonate the sender, or the computer belonging to someone you know may be infected without his or her knowledge.
- Don’t click on links in emails if you weren’t expecting them – the attacker could camouflage a malicious link to make it look like it is for your bank, for example.
- Keep your computer and antivirus up to date – this adds another layer of defense that could stop the malware.
The HHS Office of the Chief Information Officer implemented an enterprise block across all OpDivs and StaffDivs, and is working to keep all patching up to date. Furthermore, the agency is working with the Department of Homeland Security to scan HHS’ CIDR IP addresses through the DHS NCATS program to identify RDP and SMB services.
HHS added that it was coordinating with NHS and UK-CERT, and had notified the VA and DHA.
“HHS through its law enforcement and intelligence resources with the Office of Inspector General and Office of Security and Strategic Information, have ongoing communications and are sharing and exchanging information with other key partners including the US Department of Homeland Security and the Federal Bureau of Investigation,” HHS stated.
US-CERT also announced on Friday, May 12 that it had “received multiple reports of WannaCry ransomware infections in several countries around the world.”
The agency reiterated that organizations should not pay a requested ransom because paying the money will not guarantee that systems will be restored.
“Ransomware spreads easily when it encounters unpatched or outdated software,” US-CERT explained. “The WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1). For information on how to mitigate this vulnerability, users and administrators are encouraged to review the US-CERT article on Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010.”
Organizations were also urged to report any incidents of ransomware attacks to the Internet Crime Complaint Center (IC3).
HITRUST also urged healthcare organizations to be cautious in the wake of the reported ransomware attacks.
“Given the reported impacts to care delivery and the rate this has spread to other systems and other countries, we consider this a serious incident,” HITRUST stated in an email announcement. “While we have not seen, or had a member report, a similar incident within the HITRUST CTX in North America, we will be tracking the incident and reporting as more information becomes available.”
UPDATE: On May 15, HHS sent an email update to the Healthcare and Public Health Sector (HPH), warning organizations of a reported “exploitative social engineering activity.”
A partner told HHS that an individual called a hospital and claimed to be from Microsoft. The individual offered support if the hospital would give server access.
“It is likely that malicious actors will try and take advantage of the current situation in similar ways,” the email warned. “Additionally, we received anecdotal notices of medical device ransomware infection.”
HHS emphasized the necessity of healthcare cybersecurity best practices, reminding organizations to visit the US-CERT National Cyber Awareness System web page, the NCCIC portal for those who have access, and the FBI FLASH page.
Furthermore, entities can take note of the ASPR TRACIE guidelines.
“ASPR TRACIE also has the best and promising healthcare cybersecurity practices available in our Technical Resources domain,” HHS explained. “Issue 2 of The Exchange (released in 2016) highlights lessons learned from a recent attack on a U.S. healthcare system and features articles that demonstrate how collaboration at all levels is helping healthcare facilities implement practical, tangible steps to prevent, respond to, and recover from cyberattacks.”
Organizations can also request an unauthenticated scan of their public IP addresses from DHS.
“The US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides integrated threat intelligence and provides an objective third-party perspective on the current cybersecurity posture of the stakeholder’s unclassified operational/business networks,” the agency stated. “NCATS focuses on increasing the general health and wellness of the cyber perimeter by broadly assessing for all known external vulnerabilities and configuration errors on a persistent basis, enabling proactive mitigation prior to exploitation by malicious third parties to reduce risk.”
HHS added that “attributable data is not shared or disseminated outside of DHS or beyond the stakeholder; non-attributable data is used to enhance situational awareness.”