HHS Releases Cybersecurity Collection and Guidance on Ransomware Attacks
The U.S. Department of Health and Human Services (HHS) has released guidance on preventing and responding to ransomware attacks and a collection of resources on cybersecurity. The cybersecurity collection, released by the HHS Technical Resources, Assistance Center, and Information Exchange (TRACIE), is available here. The ransomware guidance is available here.
Ransomware is the fastest growing malware threat, with more than 4,000 ransomware attacks occurring daily since January 2016. In a ransomware attack, a cybercriminal gains access to data, encrypts it, and holds it hostage until payment is made. Ransomware can be spread via spam email, “drive-by downloads” in which malicious software is transferred to a victim’s computer without the knowledge or any action by the victim, or by malvertising in which advertisements with malicious code are embedded in legitimate websites.
The HHS guidance includes best practices for health care providers to prevent, contain, and respond to ransomware attacks. Recommended preventive measures include:
- Implement an employee awareness and training program. Because end users are targets, employees and individuals need to be made aware of the threat of ransomware and how it is delivered.
- Enable strong spam filters to prevent phishing emails from reaching the end users, and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Configure firewalls to block access to known malicious IP addresses.
- Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
- Set anti-virus and anti-malware programs to conduct regular scans automatically.
- Manage the use of privileged accounts based on the principle of least privilege: no user should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.
- Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares.
- Disable macro scripts from Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email, instead of full Office Suite applications.
- Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
- Consider disabling Remote Desktop protocol (RDP) if it is not being used.
- Use application whitelisting, which allows systems to execute only programs known and permitted by security policy.
- Execute operating system environments or specific programs in a virtualized environment.
- Categorize data based on organizational value, and implement physical and logical separation of networks and data for different organizational units.
In addition, HHS recommends implementing regular, secure back-ups and conducting annual vulnerability assessments and penetration testing of information systems.
The guidance includes steps to take in the event of a ransomware attack and law enforcement authorities to contact. HHS advises against paying a ransom to recover access to data. In deciding whether to pay a ransom, HHS suggests that ransomware victims consider the following factors:
- Paying a ransom does not guarantee an organization will regain access to their data; in fact, some victims were never provided with decryption keys after paying.
- Some victims who paid a ransom were targeted again by cyber actors.
- After paying the originally demanded sum, some victims were asked to pay more to get the decryption key.
- Paying could inadvertently encourage more ransomware attacks.
Ransomware is a particularly debilitating type of cybercrime. It can immediately disrupt your ability to deliver care to your patients and residents and disable critical operations. However, the risk of an attack can be reduced through employee education, proper cyber-hygiene, comprehensive back-up procedures, and business continuity planning.
Contact: Karen Lipson, firstname.lastname@example.org, 518-867-8383 ext. 124