Shields up: U.S. health care system warned of Russian cyberthreat
Federal watchdogs warn dangerous new malware could target critical U.S. infrastructure industries as the threat of a retaliatory Russian cyberattack looms, emphasizing the need for practices’ cybersecurity refreshers.
On April 13, a Cybersecurity Advisory released jointly by the Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency and the FBI warned of evidence that “advanced persistent threat actors” have new malicious cyber tools that could gain full system access to industrial controls and data acquisition devices inside the U.S. While the agencies declined naming the source of the threat, private sector partners said the “exceptionally rare and dangerous” tools appear consistent with Russian actors.
The public alert is not the first cybersecurity warning magnified by the eight-week-long Russia-Ukraine war. For weeks, the Biden administration released intelligence and warnings that Russian actors may try cyberattacks on U.S. soil—like those attempted in Ukraine itself—in retaliation for ratcheting sanctions. In preparation for such an attack, the CISA launched its “Shields Up” campaign to help organizations mitigate and respond to cyber incidents.
“I think we are dealing with a very dangerous, very sophisticated, very well-resourced cyber actor,” noted Jen Easterly, CISA director, on CBS “60 Minutes” on April 17. “And that’s why we’ve been telling everybody consistently, shields up. What does that mean? It means assume there will be disruptive cyber activity and make sure you are prepared for it.”
Cyberthreats to the U.S. health sector
While recent advisories specifically flag critical infrastructure, such as the energy sector, health care was among the first U.S. industries alerted to a possible Russian cyber conflict. Days after the Russian invasion, the Department of Health and Human Services (HHS) cybersecurity division, known as HC3, issued its own albeit nonspecific alert to health care organizations.
That HC3 advisory emphasized no specific threat was detected but highlighted two malware variants of concern. Referred to as “data wipers,” these malware variants erase infected computer hard drives or act as ransomware and have been “observed in significant use against Ukraine” in the leadup to Russia’s invasion. Such is the case; the HC3 followed up in late-March with recommendations to health care organizations, including:
- Have Business Continuity Plans in place and ensure those plans consider cascading impacts due to failures in other sectors, e.g., connectivity, electricity, water, etc.
- Understand your threat surface, i.e., what are all the areas your IT network may be vulnerable to unauthorized users or attackers who could exploit vulnerabilities to confidential data.
- Change your system default passwords and use multi-factorial authentication (MFA).
- Share incident and threat information to collectively protect the health care community.
Only weeks later in early April, the software-giant Microsoft announced it disrupted a Russian-based hacking group from targeting organizations in the U.S. and European Union. While the threat was against media organizations and foreign policy-related institutions, the developments add urgency and validity to ongoing administration concerns.
In response to those warnings, Sens. Jacky Rosen, D-Nev., and Bill Cassidy, M.D., R-La., introduced the Healthcare Cybersecurity Act that directs CISA to collaborate with HHS to analyze and bolster cybersecurity in the health care sector, as well as authorize training for health care entities on how to mitigate cybersecurity risks. The bill has been sent for markup by the Senate Homeland Security and Governmental Affairs Committee.
“Health centers save lives and hold a lot of sensitive, personal information. This makes them a prime target for cyber-attacks,” Sen. Cassidy noted in a news release. “This bill protects patients’ data and public health by strengthening our resilience to cyber warfare.”
5 tips to improve your optometric practice’s cybersecurity
Strengthening optometry practices’ resilience to cyberthreats can seem like a daunting task, but there are several steps that practices can take to mitigate their risk now. AOAExcel® Endorsed Business Partner Lockton Affinity, providing cyber liability insurance options specifically designed for AOA members, suggests five ways that practices can protect their systems:
- Incorporate an MFA process. Two-factor authentication or MFA requires users to acknowledge their login credentials via a phone call, text message or app notification after correctly entering their password.
- Implement password protocols. To better protect your systems, consider applying stronger password protocols that include 12+ characters; a combination of letters, capitalization, numbers and symbols; require different passwords for each account or service; incorporate rolling updates to prompt users to change passwords either monthly or quarterly; and update passwords when a personnel change occurs.
- Allow regular software patches and updates. Don’t postpone regular software maintenance updates and patching as this process helps fix bugs and other vulnerabilities. Conduct an inventory of devices, operating system versions and applications; monitor and audit patches; and check with your IT company to make sure updates won’t impact any of your systems.
- Conduct employee training. Regularly remind employees that they are also responsible for the practice’s cybersecurity, and to be mindful of email phishing attempts, suspicious links, password sharing or other malicious schemes.
- Consider working with cybersecurity professionals. In addition to working with a cybersecurity firm to conduct a comprehensive risk assessment of your practice’s network or systems, doctors may find peace of mind through cyber liability insurance. Through AOA membership, doctors have access to cyber liability insurance administered by Lockton Affinity. This policy helps cover the costs associated with notifying all affected parties, ongoing credit monitoring, outside investigations and more.
Interested in learning more about cybersecurity and optometry practices? Read “Health care in the crosshair,” in the September/October 2019 issue of AOA Focus.
Access AOAExcel® business solutions to help practice with confidence
The annual public health observance is happening just before a new phase of the AOA’s Eye Deserve More campaign kicks off this spring, but you don’t have to wait to participate.
It takes a village: Optometry’s Meeting® courses emphasize doctors’ roles on interdisciplinary care teams
Register now for Optometry’s Meeting®, June 15-18, to get your pick of 150 expert-led courses for doctors of optometry, optometry students and paraoptometrics at the profession’s premier event.