Healthcare institutions are just as vulnerable as any other type of organization when it comes to cyber threats from nation states. Whether the criminal motive is profit, business disruption, or sowing instability, healthcare is a target.
Yesterday the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned of continuing cyberthreats from Russia’s Foreign Intelligence Service, or SVR, which is believed to be responsible for the SolarWinds software attack we learned about late last year. The largest and most threatening cyber intrusion against the U.S. in history continues to shadow large organizations and may get worse. Read more about SolarWinds here.
Between March and June of last year, hackers attached malicious code to software sold by a Texas company called SolarWinds. When SolarWinds distributed a routine software update to thousands of its customers worldwide, the malicious code went with it, and into thousands of organizations’ systems. The hackers roamed around networks spying for nine months before being detected. Companies like Microsoft, Intel and Cisco were hit. Federal agencies on the list include the Treasury, Justice and Energy departments, the Pentagon and the National Institutes of Health. Even CISA was hacked — CISA is the office at the Department of Homeland Security whose job it is to protect federal computer networks from cyberattacks.
The American Hospital Association has published a white paper, Strategic Threat Intelligence: Preparing for the Next “SolarWinds” Event. The white paper’s purpose is “to identify what other ‘SolarWinds’ like issues might be lurking in enterprise networks.” The white paper is a good read, geared to all audiences, technical and non-technical alike, and designed to help decision makers take the right defensive steps.
Russian Threat Actors Aim Widely
On April 15, 2021, the Biden administration announced sanctions against Russia for the alleged interference in the 2020 election, the SolarWinds cyberattack against U.S. government and corporate networks, illegal annexation and occupation of Crimea, and human rights abuses. National intelligence officials in the U.S. are confident that SVR is responsible for the hacks, although Russia denies it.
The Russian Foreign Intelligence Service primarily targets government networks, think tank and policy analysis organizations, and information technology companies. This last sector is the one that carries the biggest threat to healthcare because the IT companies have so many healthcare customers, and spyware or malicious code travels over the internet connecting suppliers and customers. And during the pandemic, healthcare has been particularly vulnerable for other reasons. Academic and research institutions developing COVID vaccines were hacked and data stolen; hackers used fear and uncertainty around the pandemic to cause email recipients in healthcare to click on malicious links.
Prepare to Defend Your Cybersecurity
Read the full Joint Cybersecurity Advisory for a complete list of tactics, techniques, and defensive measures. Not surprisingly, the recommendations track much of the HIPAA Security Rule requirements. Much of the advice is not new, but it’s worth repeating.
A few of the Advisory’s recommended defenses are here:
- Require multi-factor authentication for all users, from both on-premises and remote locations.
- Enforce the use of strong passwords and prevent the use of easily guessed or commonly used passwords through technical means, especially for administrative accounts.
- Maintain a regular schedule of security awareness training for all employees.
- Audit log files to identify attempts to access privileged certificates and creation of fake identity providers.
- Deploy software to identify suspicious behavior on systems, including the execution of encoded PowerShell.
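
One way to act on the last recommendation, shown as an added example that is not code from the Advisory or from this post: a Python check over process-creation records that flags PowerShell started with an encoded command and decodes the Base64 (UTF-16LE) payload for review. It matches `-EncodedCommand`, any prefix of it such as `-e` or `-enc`, and the `-ec` alias; the event tuples and function names are assumptions constructed for illustration.

```python
import base64
import binascii
import re

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
# A flag followed by a Base64-looking argument, e.g. "-enc RwBlAH...".
FLAG_RE = re.compile(r"(?:^|\s)[-/](\w+)\s+([A-Za-z0-9+/]{8,}={0,2})(?=\s|$)")

def sample_payload(text):
    """Encode text the way PowerShell expects: Base64 over UTF-16LE."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

# Constructed (image, command line) records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoProfile -enc " + sample_payload("Get-Date")),
    (r"C:\Program Files\PowerShell\7\pwsh.exe",
     r"pwsh.exe -ExecutionPolicy Unrestricted -File C:\scripts\backup.ps1"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe /e " + sample_payload("Get-Process")),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -EncodedCommand QUJDREVGRw=="),  # odd byte count, not UTF-16LE
]

def is_encoded_flag(flag):
    """True for -EncodedCommand, any prefix of it (-e, -enc, ...) or the alias -ec."""
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)

def find_encoded_powershell(events):
    findings = []
    for image, cmdline in events:
        if not image.lower().endswith(POWERSHELL_IMAGES):
            continue
        for flag, blob in FLAG_RE.findall(cmdline):
            if not is_encoded_flag(flag):
                continue
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                decoded = None  # flag present but payload unreadable: still report it
            findings.append({"flag": flag, "decoded": decoded, "cmdline": cmdline})
    return findings

if __name__ == "__main__":
    for finding in find_encoded_powershell(SAMPLE_EVENTS):
        print(finding["flag"], "->", finding["decoded"])
```

In practice the records would come from process-creation logging with command lines enabled, such as Windows Security Event ID 4688 or Sysmon Event ID 1.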
A Path to the Best Defense is HIPAA Compliance
Complete HIPAA compliance is a blueprint for cybersecurity defense – you don’t need a degree in information technology or compliance.
Every recommendation in the FBI/CISA Advisory is mirrored in a full HIPAA Risk Analysis that follows the HIPAA Privacy and Security Rules. If you follow the steps laid out in The HIPAA E-Tool® you can lower your risk to a manageable level, stay ahead of the hackers, and answer an audit from the regulators.