Recent attacks encouraged new guidelines from the National Institute for Standards and Technology (NIST).
In its May 12th Executive Order, the White House stated, “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” This Executive Order followed the May 7th Colonial Pipeline ransomware attack, which underscored the vulnerabilities of the government and energy industry participants.
The healthcare industry is likewise plagued by a myriad of cybersecurity-related attacks, including ransomware. First, let’s consider a recent criminal indictment, whereby Vikas Singla, a former employee of Gwinnett Medical Center (Lawrenceville, GA) who ran a network security company that offered services for the healthcare industry, was charged with the following:
The hackers went so far as to voice their displeasure with the hospital (GMC) for denying it had been hacked, stating, “does GMC have control of this system. The answer is no. The last time we checked, we own their Ascom system and their data.” This arrogance is similar to that of many cybercriminals, including those that prompted CISA, DOJ, FBI, and HHS to publish Joint Cybersecurity Advisory - Ransomware Activity Targeting the Healthcare and Public Health Sector (Updated October 29, 2020), in light of six ransomware attacks against hospitals across the United States. The primary tactics utilized to infect systems with ransomware for financial gain were Ryuk and Conti. The primary activities “include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware.”
In light of the heightened awareness and the increased proclivity of attacks, the National Institute for Standards and Technology (NIST) published Tips & Tactics Ransomware, which includes quick steps persons can immediately take to reduce the threat of a ransomware attack:
Every person has an obligation to do his or her part to protect corporate IT systems. With remote working scenarios, many companies and individuals failed to ensure appropriate technical, administrative, and physical safeguards. In sum, and as a reminder, failing to take relevant precautions can lead to government enforcement actions, class action lawsuits, and potential criminal cases.