Cyber Attacks Flashcards

1
Q

First Line of Defense

A

1) Role-based Cybersecurity Training: Provide robust, customized security training for all employees based on their job function to ensure continuity of security expectations.
2) Phishing Simulation Training: Prepare employees to identify and proactively respond to phishing attacks in the workplace environment.
3) Asset Management Programs: Ensure that all data, devices, and systems are categorized and inventoried according to their importance to the organization’s objectives.
4) Cybersecurity Policies: Create and communicate your organization’s security policies to all employees to set expectations for protecting patient data.
5) Insider Threat Training: Incorporate insider threat training into your on-boarding policies for new employees.
6) Physical Security: Put physical controls into the office environment to prevent access to or the use of company computers by unauthorized individuals.

2
Q

Behind-the-scenes defenses are equally important to prevent cyberattacks from occurring or spreading through your organization. Organizations of every size should adopt at least a few of the following practices to protect themselves:

A
  • Email System Configurations: Enact controls to enhance the security posture of your e-mail system, such as configuring your email system to tag messages as “EXTERNAL” that are sent from outside of your organization.
  • Multi-Factor Authentication: Use at least two of the following to verify a user’s identity: something you know, something you have, and something you are.
  • Data Protection Policies: Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use.
  • Network segmentation: Partition networks into security zones which can be based on sensitivity of assets within the network or standard perimeter segmentations.
  • Intrusion Prevention: Utilize an intrusion prevention system to inspect network traffic and detect and prevent potential attacks against your network perimeter, data center, and partner connections.
  • Vulnerability Management: Proactively discover vulnerabilities so the organization can classify, evaluate, prioritize, remediate, and mitigate its technical vulnerability footprint from the perspective of an attacker.
  • Incident Response Plans: Maintain cyber threat detection and response capabilities by establishing an Incident Response program and a Security Operations Center to manage the plan.
3
Q

Why is healthcare targeted?

A
  1. Protected Health Information (PHI) and Personally Identifiable Information (PII) are worth a lot of money to attackers.
  2. Ransomware attackers take advantage of the time sensitive nature of healthcare and rely on health organizations paying ransoms to continue delivering patient care.
  3. The healthcare industry also encompasses outdated technology that is vulnerable to attackers.
  4. Healthcare staff include a wide range of professions and not everyone is educated on cyber hygiene and safety.
  5. Healthcare has a broad attack surface because of many connected devices that reside inside a small, medium, or large health organization.
4
Q

Prepare - Before the attack

GENERAL USERS AND MEDICAL PRACTITIONERS

A

1) Practice pen and paper operations to maintain hard copies of patient data
2) Understand your organization’s incident response plan
3) Identify your IT/Security point of contact in case of a cyberattack

5
Q

React- During the Attack

GENERAL USERS AND MEDICAL PRACTITIONERS

A

1) Implement your organization’s protocol for incident handling
2) Consider removing the ability to print and copy/paste from Electronic Medical Records (EMR) applications or web mail accessed from home

6
Q

Recover - After the attack

GENERAL USERS AND MEDICAL PRACTITIONERS

A

1) Take care not to reinfect clean systems during recovery

2) Document lessons learned and adjust policies and response plans accordingly

7
Q

Prepare - Before the Attack

CYBER/IT PROFESSIONALS

A

• Maintain offline, encrypted backups of data with 3-2-1 backup strategy
• Create, maintain, and exercise a cyber incident response plan to include a communication strategy during incidents
• Conduct regular vulnerability scanning
• Regularly patch and ensure devices are securely configured.
• Apply the principle of least privilege to all systems and devices
• Implement security protocols and filters at the email gateway to prevent successful phishing attempts
• Authenticate in-bound email to prevent email spoofing

8
Q

React- During the Attack

CYBER/IT PROFESSIONALS

A

1) Implement steps learned in your cybersecurity awareness and training program
2) Request assistance from CISA, HHS, MS-ISAC, and local, state, or federal law enforcement partners
3) Take a system image and memory capture of a sample of affected devices and collect relevant logs for evidence
4) Consult federal law enforcement about possible decrypts available and follow trusted guidance for the particular ransomware variant

9
Q

Recover - After the Attack

CYBER/IT PROFESSIONALS

A
  • Restore data from offline, encrypted backups based on prioritization of critical services
  • Issue password resets for all affected systems and users
  • Follow additional technical guidance from CISA and MS-ISAC
  • Monitor network traffic and run antivirus scans to identify any remaining infection
  • Address any associated vulnerability and gaps in security or visibility
  • Clean, rebuild, and re-connect systems based on prioritization of critical services
10
Q

Prepare- Before the Attack

EMERGENCY MANAGERS

A
  • Perform risk management for third party vendors and managed service providers (verify)
  • Implement a cybersecurity user awareness and training program
  • Make sure you understand which personnel will support the leader during each phase of the investigation
11
Q

React- During the Attack

EMERGENCY MANAGERS

A
  • Determine which devices were affected and immediately isolate them
  • Power down affected systems for investigation and recovery
  • Triage affected systems for investigation and recovery
  • Contain any associated systems that may be useful for further or continued unauthorized access
12
Q

Recover - After the Attack

EMERGENCY MANAGERS

A

• Confer with team and stakeholders to document what happened based on initial analysis
• Consider sharing lessons learned and indicators of compromise with CISA or your sector ISAC/ISAO for further sharing and to benefit others within the community

13
Q

Medical Device Attack Mitigation Practices to Consider

A

Establish and maintain communication with medical device manufacturer’s product security teams (9.L.A)
Patch devices after patches have been validated, distributed by the medical device manufacturer, and properly tested (7.S.A, 9.M.B)
Assess current security controls on networked medical devices (9.M.B, 9.M.E, 9.S.A)
Assess inventory traits such as IT components, which may include the Media Access Control (MAC) address, Internet Protocol (IP) address, network segments, operating systems, applications, and other elements relevant to managing information security risks (9.M.D)
Implement pre-procurement security requirements for vendors (9.L.C)
Engage information security as a stakeholder in clinical procurements (9.L.C)
Use a template for contract language with medical device manufacturers and others (9.L.C)
Implement access controls for clinical and vendor support staff, including remote access and monitoring of vendor access

14
Q

Staying Resilient to Medical Device Attacks
Know your organization’s protocols in case of a potential shutdown or attack against medical devices. Help patients and staff by understanding the processes and procedures which can help mitigate the impacts. That means asking:

A
  • Who is responsible for working with manufacturers to confirm security settings and software updates are maintained properly on each device?
  • What additional security controls and monitoring should be put in place to protect each device?
  • How will our staff and patients be notified if medical devices are compromised?
  • What is our plan if medical devices are compromised and how will patients notify us if they suspect a compromise?
15
Q

Insider, Accidental or Intentional Data Loss Mitigation Practices to Consider

A

1) Train staff and IT users on data access and financial control procedures to mitigate social engineering or procedural errors (1.S.B, 1.M.D)
2) Implement and use workforce access auditing of health record systems and sensitive data (3.M.B)
3) Implement and use privileged access management tools to report access to critical technology infrastructure and systems (3.M.C)
4) Implement and use data loss prevention tools to detect and block leakage of PHI and PII via e-mail and web uploads (4.M.E, 4.L.A)

16
Q

WHEN TO ASK ABOUT INSIDER, ACCIDENTAL OR INTENTIONAL DATA LOSS

A

Conduct regular security training sessions to further employees’ education and awareness. Train and test your staff to make sure they understand the security risks and the consequences of falling victim to insider attack. When employees leave your organization, there should be established procedures, ideally automated, so that they no longer have access to accounts, files, or the facility. By doing so, you can lower the probability of such attacks happening in your organization.

Always consult your IT security professionals when exposed to a situation of stolen data or employee misconduct. Every situation will vary, and a cyber threat is not limited to hacking, so your IT security professionals will be able to guide you.

17
Q

AUDIT AND MONITORING FOR INSIDER, ACCIDENTAL OR INTENTIONAL DATA LOSS

A

Regular audits and monitoring on your network and systems can be the difference between stopping a problem or being surprised by one. What are some of the activities you should be looking for on your network and why?

Look for things like too many login attempts or access from a different location. The same applies to access patterns in your patient record systems; don’t forget to watch those too. If an insider’s credentials are compromised or the insider is abusing their access, you should have a way to monitor and catch these anomalies before they become a problem.

18
Q

Staying Resilient to Loss or Theft of Equipment or Data

A

Heading out on a business trip or a personal holiday? You need to follow the same, and maybe greater, security procedures as you do in the office. Make sure you know your organization’s policy on removing equipment from the workplace by asking:
• Can I travel with my equipment?
• Can I take my equipment offsite to work remotely?
• Are USB or other portable storage devices allowed?
• Is the information on the computer or storage device encrypted?
• Is there a secure VPN that I can use, along with secure, password-protected Wi-Fi, to log into the network and work?

19
Q

WHEN TO ASK ABOUT LOSS OR THEFT OF EQUIPMENT OR DATA

A

As soon as you realize that your device or equipment has been stolen or misplaced, your supervisor and IT security professional should be notified immediately so appropriate measures can be taken to safeguard the data saved on your device or equipment.

Your IT security support staff or similar point of contact should be notified when a work device or equipment has been misplaced, lost, or stolen. The data saved on them are now compromised and susceptible to unauthorized access, dissemination, and use. This is a serious cyber breach and should be handled by trained IT security professionals.

20
Q

Loss or Theft of Equipment or Data Mitigation Practices to Consider

A

Encrypt sensitive data, especially when you store it and transmit it (4.S.B, 4.M.C)
Establish data backup processes with regular testing (4.M.D)
Acquire and use data loss prevention tools (4.M.E, 4.L.A)
Promptly report loss/theft to designated company individuals to terminate access to the device and/or network (3.S.A)
Maintain a complete, accurate, and current asset inventory to mitigate threats, especially the loss and theft of mobile devices such as laptops and USB/thumb drives (5.S.A)
Encrypt data at rest on mobile devices to be inaccessible to anyone who finds the device (4.M.C)
Process and identify clear accountabilities to clean sensitive data from every device before it is retired, refurbished, or resold (5.S.C, 5.M.D)

21
Q

Staying Resilient to Ransomware Attacks

A

Most ransomware attacks arrive in phishing campaign emails asking you to either open an attachment or click on an embedded link. Be sure you know how to identify these phishing e-mails! Stay alert when any email asks you to enter your credentials. As a proactive measure, check to see whether the computer and network to which you are connected have the proper intrusion prevention system or software in place.

That means asking:
• Do I have a business-grade firewall?
• Do I have my firewall configured to only allow certain ports to be open?
• Is there training I should be aware of to understand my organization’s security policies?
• Do I have an incident response plan? Do I have an emergency response plan?
• Do I have visibility to detect unusual behavior?

22
Q

WHEN TO ASK ABOUT RANSOMWARE

A

Provide user awareness and compliance training during the onboarding process or when purchasing a new laptop or desktop equipment. If you discover that your computer has been infected, immediately disconnect from the network and notify your IT security team.

Do not power off or shut down the computer or server, in case a volatile Random Access Memory (RAM) image needs to be collected for forensics and incident response investigations.

Due to the severity and time sensitivity of ransomware attacks, it is in

23
Q

Ransomware Attack Mitigation Practices to Consider

A

1) Ensure that users understand authorized patching procedures (7.S.A)
2) Patch software according to authorized procedures (7.S.A)
3) Use strong, unique usernames and passwords with multi-factor authentication (MFA) (1.S.A, 3.S.A, 3.M.C); limit users who can log in from remote desktops (3.S.A, 3.M.B)
4) Limit the rate of allowed authentication attempts to thwart brute-force attacks (3.M.C)
5) Deploy anti-malware detection and remediation tools (2.S.A, 2.M.A, 3.L.D)
6) Separate critical or vulnerable systems from threats (6.S.A, 6.M.B, 6.L.A)
7) Maintain a complete and updated inventory of assets (5.S.A, 5.M.A)
8) Implement a proven and tested data backup and restoration process (4.M.D)
9) Implement a backup strategy and secure the backups, so they are not accessible on the network they are backing up (4.M.D)
10) Implement proven and tested incident response procedures (8.S.A, 8.M.B)
11) Establish cyber threat information sharing with other healthcare organizations (8.S.B, 8.M.C)
12) Develop a ransomware recovery playbook and test it regularly (8.M.B)
13) Once ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures (HHS Ransomware Fact Sheet)

24
Q

Staying Resilient to Phishing Attacks

A

On average, a person will receive a large number of emails per day. Knowing which are safe to open can get tricky if you are not asking yourself the following questions:

  • Do I know the sender?
  • Are there any spelling or grammatical errors or any other indicators that the tone or style of the email is off?
  • Beware of emails from familiar senders whose accounts may be compromised; is the email expected, and does it make sense coming from the sender?
  • Before clicking on a link, did I hover over it to identify the website address?
  • Are you suspicious of the email? If in doubt, do NOT open any attachments.
  • What are my organization’s processes for reporting suspicious emails? If in doubt, call your HelpDesk/IT Support or administrators.
25
Q

WHEN TO ASK ABOUT E-MAILS

A

Familiarize yourself with your organization’s policies for reporting a suspicious email regularly so you are prepared when you need it. Whenever you receive an email that sounds too good to be true or that you were not expecting, verify it before opening it!
Check with colleagues to find out whether they received the same phishy email. You can always seek the guidance of your IT security support team or similar point of contact. Talk to them to find out whether your account is protected with the proper security filters to ward off unwanted junk mail.

26
Q

E-mail Phishing Attack Mitigation Practices to Consider

A

Be suspicious of emails from unknown senders, emails that request sensitive information such as Protected Health Information (PHI) or personal information, or emails that include a call to action that stresses urgency or importance (1.S.B)
Train staff to recognize suspicious e-mails and to know where to forward them (1.S.B)
Never open email attachments from unknown senders (1.S.B)
Tag external emails to make them recognizable to staff (1.S.A)
Implement incident response plays to manage successful phishing attacks (8.M.A)
Implement advanced technologies for detecting and testing e-mail for malicious content or links (1.L.A)
Implement multi-factor authentication (MFA) (1.S.A, 3.M.D)
Implement proven and tested response procedures when employees click on phishing e-mails (1.S.C)
Establish cyber threat information sharing with other healthcare organizations (8.S.B, 8.M.C)