State and Federal Agencies Warn of Imminent Cyberattacks
State and federal agencies warned health care providers last week of an imminent threat of cyberattacks targeting the sector. The federal Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) issued a joint advisory describing the threat of ransomware attacks known as Ryuk and Conti and the steps providers can take to mitigate the threat. At the same time, the New York State Department of Health (DOH) issued an advisory referencing three ransomware attacks occurring over the last two weeks that have impacted a health system, a separate hospital, a local health department, and its county-operated adult care facility (ACF). Phishing email has been identified as the source of attack in at least one of these incidents and is suspected in the others.
A related Dear Administrator Letter (DAL) and Frequently Asked Questions (FAQs) from DOH describe a new notification protocol to be followed to inform DOH of cybersecurity incidents. The letter includes a poster that provides contact information to be used for notifying the appropriate DOH Regional Office of a cybersecurity incident. According to the FAQs, a reportable cybersecurity incident is "any event that affects patient care, or represents a serious threat to patient safety, including intrusions whose intent appears to be breach or theft of protected health records." These include, but are not limited to:
- Successful intrusions into a health care provider’s information technology (IT) system (including those that are contracted out by the health care provider), network infrastructure, and/or medical equipment/devices.
- Ransomware attacks that disable all or part of IT operations, including administrative systems such as payroll, billing, or appointment scheduling.
- Cybersecurity incidents that have the potential to spread through established connections to other health care networks or government systems. Examples include file transfer systems or data reporting interfaces.
Providers that are uncertain whether a cybersecurity incident is covered by this definition are instructed to contact the DOH Regional Office.
The FAQs direct provider staff to follow their organization's internal policies and procedures related to alerting their central IT/information security staff or IT vendor of potential cybersecurity incidents. The incident should be validated before reporting to the DOH Regional Office. Once a cybersecurity incident is validated as credible and covered by the definition above, provider staff should report the incident to the applicable Regional Office within 24 hours. The DOH Regional Office will provide instructions to the provider regarding any follow-up activities.
More information about the Ryuk ransomware attack is available here.
Contact: Karen Lipson, klipson@leadingageny.org, 518-867-8838