OCR: Take Action to Avoid Becoming a Cyber Extortion Victim
Agency Offers List of Steps to Take to Mitigate the Risk
Federal regulators are warning healthcare entities and business associates to take action to prevent becoming the next victim of cyber extortion, such as a ransomware attack.
"Incidents of cyber extortion have risen steadily over the past couple of years and, by many estimates, will continue to be a major source of disruption for many organizations," says the Department of Health and Human Services' Office for Civil Rights in a Tuesday cyber alert to HIPAA covered entities and business associates.
Among the steps that OCR says organizations should consider taking to reduce the chances of being a victim of cyber extortion are:
- Implementing a robust risk analysis and risk management program;
- Implementing inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis;
- Training employees to better identify suspicious emails and other messaging technologies that could introduce malicious software into the organization;
- Deploying proactive anti-malware solutions to identify and prevent malicious software intrusions;
- Patching systems to fix known vulnerabilities that could be exploited by attackers or malicious software;
- Hardening internal network defenses and limiting internal network access to deny or slow the lateral movement of an attacker and/or propagation of malware;
- Implementing and testing robust contingency and disaster recovery plans to ensure the organization is capable and ready to recover from a cyber-attack;
- Encrypting and backing up sensitive data;
- Implementing robust audit logs and reviewing such logs regularly for suspicious activity;
- Remaining vigilant for new and emerging cyber threats and vulnerabilities by participating in cyber information sharing organizations and receiving alerts from organizations such as the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT).
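The items on backing up data and on testing contingency plans are where extortion victims most often find the gap: a backup exists, but nobody has proved it restores. The following is an added illustration, not code from OCR or from this article, of what a scripted restore test can look like using only the Python standard library: it archives a constructed sample data set, writes a SHA-256 manifest beside the archive, then restores the archive into scratch space and checks every file against the manifest, so a deleted, encrypted or silently corrupted backup is caught on a schedule rather than during an incident. The sample records, paths and the `demo()` scenario are all constructed for the example; the block covers the backup-integrity and restore-test half of the item, not the encryption half, which needs a library outside the standard library.

```python
"""Added example: backup manifest plus a scripted restore test (not OCR's or the
article's code). Standard library only; the data set and scenario are constructed."""
import hashlib
import json
import shutil
import tarfile
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, backup_dir: Path):
    """Archive source_dir into backup_dir/backup.tar and write a SHA-256 manifest
    of every file beside it. Returns (archive_path, manifest_path).
    In production the archive and manifest belong on offline or immutable storage;
    a manifest kept next to the live data is encrypted by the same ransomware."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*")) if p.is_file()
    }
    archive = backup_dir / "backup.tar"
    with tarfile.open(archive, "w") as tar:
        tar.add(str(source_dir), arcname=".")
    manifest_path = backup_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, sort_keys=True, indent=1))
    return archive, manifest_path


def restore_test(archive: Path, manifest_path: Path) -> dict:
    """Restore the archive into scratch space and verify each manifest entry.
    Returns {'ok': bool, 'missing': [...], 'corrupt': [...]}."""
    expected = json.loads(manifest_path.read_text())
    missing, corrupt = [], []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            # The 'data' filter refuses members that would land outside the
            # destination (path traversal from a tampered archive). It exists on
            # Python 3.12+ and the security backports, so pass it only if present.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        for rel, digest in expected.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                missing.append(rel)
            elif sha256_file(restored) != digest:
                corrupt.append(rel)
    return {"ok": not missing and not corrupt,
            "missing": sorted(missing), "corrupt": sorted(corrupt)}


def demo():
    """Constructed scenario: two sample records are backed up, the live copy is
    wiped (the delete-and-demand-payment case in the OCR alert), and the backup is
    then silently corrupted. Returns the restore-test results before and after."""
    with tempfile.TemporaryDirectory() as root:
        live = Path(root) / "live" / "records"
        live.mkdir(parents=True)
        (live / "patient-001.txt").write_text("constructed sample record\n")
        (live / "patient-002.txt").write_text("another constructed record\n")
        archive, manifest = make_backup(Path(root) / "live", Path(root) / "backup")

        shutil.rmtree(Path(root) / "live")      # attacker deletes the live data
        good = restore_test(archive, manifest)   # the backup still restores cleanly

        # Flip one byte of file content inside the tar. Tar checksums cover only
        # headers, so extraction still succeeds; only the manifest check notices.
        data = bytearray(archive.read_bytes())
        data[data.find(b"constructed sample record")] ^= 0xFF
        archive.write_bytes(data)
        bad = restore_test(archive, manifest)
        return good, bad


if __name__ == "__main__":
    before, after = demo()
    print("restore before tampering:", before)
    print("restore after tampering: ", after)
```

Run on a schedule against a copy of the real backup set, the `restore_test` result is the evidence that the contingency plan works rather than merely exists; a non-empty `missing` or `corrupt` list is an incident in its own right, found before an extortionist finds it.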
OCR notes that because cyberattackers are creating new versions of malicious software and searching for new vulnerabilities to exploit, organizations must continue to be vigilant in their efforts to combat cyber extortion.
Extortion in the News
OCR's monthly cyber newsletter for January focusing on extortion attacks comes on the heels of a Jan. 18 ransomware attack on electronic health records vendor Allscripts that disrupted patient care delivery at about 1,500 healthcare practice clients.
While the OCR alert notes that ransomware "is a form of cyber extortion whereby the attackers deploy malware targeting an organization's data that renders the data inaccessible, typically by encryption," the agency also warns of other extortion attacks that don't necessarily involve criminals encrypting victims' data.
That includes distributed-denial-of-service attacks. "These types of attacks typically direct such a high volume of network traffic to targeted computers that the affected computers cannot respond and may appear down or otherwise inaccessible to legitimate users," OCR notes.
"In this type of attack, an attacker may initiate a DoS or DDoS attack against an organization and demand payment to halt the attack, or the attacker could threaten an attack and demand payment to not initiate the attack."
But as Children's Hospital of Boston learned a few years ago, not all DDoS attacks on healthcare sector entities necessarily involve demands for money.
The hospital, and another Boston-area healthcare provider, were the targets of DDoS attacks in April 2014 by hacktivists who allegedly sought retaliation for the facilities' involvement in a controversial child custody case that had drawn national attention. The attacks disrupted the hospital's website and some online services, including patient appointment scheduling for several days.
In addition, OCR also reminds covered entities and business associates that other cyber extortion attempts can occur "when an attacker gains access to an organization's computer system, steals sensitive data from the organization, and then threatens to publish that data."
In this type of attack, "the attacker already has the organization's data and can sell that data to other malicious persons even after the ransom is paid," OCR says. "A variation of this type of attack occurs when an attacker steals sensitive data from an organization and then deletes that data from the organization's computers. The attackers then contact the organization informing them that its data has been deleted, but will be returned in exchange for payment."
In fact, multiple healthcare entities have been victims of those types of data-theft extortion demands, including a series of attacks by a hacker - or perhaps a group of hackers - known as TheDarkOverlord. The extortionists have been tormenting so-called soft-target entities in the healthcare sector, as well as schools and various businesses, since at least 2016.
OCR warns that paying a ransom to extortionists is no guarantee that an organization will get its data back.
"In fact, there have been instances where one attacker has stolen and deleted an organization's data while leaving a demand for payment only to have a second attacker gain access to the same computer system and overwrite the payment demand of the first attacker," OCR notes.
"In this circumstance, the second attacker didn't even have the data, so the organization has no chance of retrieving data from the second attacker."
Susan Lucci, chief privacy officer at the security consulting firm Just Associates, says employee education is essential in the fight against extortion attacks. In addition, "implementing and testing contingency plans with emphasis on 'testing,' is key," she says. "Having a nicely documented contingency plan might serve you well in the case of an audit or investigation, but ensuring that it works as planned is the real test of avoiding the cyber-extortion issue."
A poor risk analysis can make organizations particularly vulnerable to attack, she stresses.
"We know that security risk analysis and risk management programs are not as thorough as they should be," she says. "So to effectively reduce the risk of cyber extortion, perhaps this is a good time to go back and update the security risk analyses and spend some time on threats and controls to best protect the organization."
Keith Fricke, principal consultant at tw-Security, says organizations can reduce the chances of being a cyberattack target by keeping up on security patches, maintaining layered security defenses and vigilantly educating users about phishing and social engineering. But the threats continue to evolve.
"Organizations that are targets of intent still benefit from doing all these same things; unfortunately criminals are relentless in gaining unauthorized access to organizations they are intent on breaching," he says.
Get to Know Law Enforcement
Fricke also suggests that organizations get familiar with law enforcement agencies prior to an attack.
"For extortion involving the threat by criminals to post stolen data to public forums unless money is paid, organizations should have a good working relationship with local law enforcement, including the FBI," he says. "One way to do that is by participating in their local InfraGard chapter, which is a federally based organization bringing together the FBI with members of the public and private sector that are part of the national infrastructure."
He also suggests that healthcare organizations review their cyber insurance policies, checking the extent to which they cover extortion.
Fricke warns that all healthcare entities need to realize they are potential targets for cyberattack.
"Many smaller to mid-size organizations likely feel that they will not be the victim of an extortion attack in cases where information is stolen and demands made to pay money to prevent release of that information," he notes.
"The mindset is likely one of 'we are too small' and criminals go after the larger organizations," he says. "But criminals may pursue smaller organizations, assuming they are less secure than larger ones. Some pay the ransom ... because they are not prepared to recover from data backups."