National Guard Helps in Ransomware Recovery, While Other Healthcare Entities Turn Off Email
The University of Vermont Medical Center is recovering from a ransomware attack with help from the National Guard.
Are the latest cyber threats facing the healthcare sector leading to drastic measures?
On Wednesday, Vermont Governor Phil Scott called up the state’s National Guard to help the University of Vermont Health Network recover from an Oct. 25 ransomware attack that is continuing to disrupt patient services at the organization’s six hospitals and other care facilities.
Meanwhile, several healthcare entities in Massachusetts acknowledge that they temporarily “shut off” their email systems to bolster security while fending off phishing and other potential attacks.
Those moves come in the wake of the FBI and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issuing an Oct. 28 alert warning hospitals about a fresh wave of Ryuk ransomware attacks that have recently targeted healthcare facilities around the country (see U.S. Hospitals Warned of Fresh Wave of Ransomware Attacks).
“The adversarial intent of these attacks on healthcare organizations is changing, and must be taken seriously,” says Caleb Barlow, CEO of security consultancy CynergisTek.
Some of the latest attacks on the sector don’t appear to be motivated primarily by extracting extortion payments from victims, but rather by disrupting healthcare delivery in the U.S. and potentially harming patients.
“This isn’t the best move by cybercriminals to make money – drawing the ire of security agencies,” he notes.
The Oct. 25 attack on the UVM Health Network is among the latest cyber incidents under investigation by federal law authorities.
“FBI Albany can confirm we are investigating a potential cyberattack at UVM Health Network, along with our federal, state, and local partners,” an FBI spokeswoman tells Information Security Media Group. “This is an active investigation, and we decline to comment further at this time,” she says.
In a statement Friday, UVM said it was working with the Vermont Army National Guard “to clear thousands of end-user computers and devices.”
Recovery work was still ongoing, and a variety of patient services were still on hold as of Friday.
“While there has been significant and steady progress toward recovery, we know the impact of this cyberattack has been felt by some patients more than others,” UVM said. “We are working vigorously to restore systems that have negatively affected our ability to provide some cancer treatments. …The process is expected to take some time.”
National Guard Deployed
The National Guard has deployed 10 soldiers to help with the UVM recovery, Major Scott Detweiler, acting deputy public affairs officer of the Vermont National Guard, tells ISMG.
“Our cyber team participated in training exercise Operation Cyber Shield 2020 in September, where they worked with over 800 National Guard soldiers and airmen as well as industry network owners and law enforcement partners to ensure they are ready to meet the demands of defending the state’s critical infrastructure from cyber incidents,” he says.
“They are highly trained by both industry and Department of Defense cyber experts and fully ready to support the state with their cyber capability.”
Still, this is the first time the governor of Vermont has requested the Vermont National Guard to support the state with cyber capabilities, Detweiler says.
Backup Help
While it may appear to be a dramatic move, calling up the National Guard to assist with cyber incidents is not unusual, Wayne Hall, a spokesman at the National Guard’s headquarters in Virginia, tells ISMG.
“It’s not really talked about much, but it’s not uncommon,” he says. Hall did not have statistics available on the number of times the National Guard has been called up to assist in cyber incident response.
The National Guard provides such support to the states at the direction of the state governors, he adds.
Guardsmen who assist in these situations are often security experts who work for security vendors or in other cybersecurity roles at private sector organizations, he says. National Guard personnel called in at the request of a state governor are paid by the state for the work.
Still, a backup plan that hinges on calling in the National Guard for help after a cyberattack is probably not advisable, says former FBI special agent Vincent D’Agostino, co-founder of security vendor BlueVoyant.
“I will say, if victims believe that when a breach happens, they will be able to call the National Guard to swoop in and fix their network, I would urge them to reconsider. The sheer volume of breaches coupled with liability considerations would make this not realistic.”
Meanwhile, among the Massachusetts entities taking extra steps to address escalating email threats after last week’s FBI and DHS warning is Signature Healthcare in Brockton, Mass., which took down its external email communication for four days starting on Oct. 29, CIO Nick Szymanski tells ISMG.
While phishing concerns have been an issue for years, “we needed to take action to match these threats” highlighted by the recent FBI and DHS alert, he says.
As external email capabilities were slowly brought back up on Monday, Signature Healthcare is taking extra precautions, including monitoring network traffic and analyzing email, he says.
Holyoke Medical Center in Holyoke, Mass. took similar steps following the recent alert from the federal agencies.
“We temporarily turned off our email system as our team reviewed and ensured that our security was good,” a spokeswoman for the Holyoke, Mass.-based health system tells ISMG, declining to provide further details.
Meanwhile, UMass Memorial Medical Center in Worcester, Mass. did not turn off its email system, but rather intensified a number of controls following the federal warnings last week, the healthcare provider’s CISO Bruce Forman tells ISMG.
That includes “tightening down access to file shares,” sandboxing URLs, having external emails land in users’ “junk” folders instead of the inbox, and increasing scanning and antivirus protection.
“We all know that phishing is one of the biggest threats, but now there’s an increased level of threat,” Forman says.
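As an added illustration, not code from the article or from UMass Memorial, the “external email lands in the junk folder” control described above can be implemented in Exchange Online as a mail flow (transport) rule. The admin account, the tenant and the trusted-partner domains below are placeholders, and the rule assumes the tenant’s anti-spam policy delivers mail with SCL 5 or higher to the Junk Email folder (the default action).

```powershell
# Added example: route all inbound mail from outside the organization to users'
# Junk Email folder and tag its subject, as a temporary control during a
# heightened phishing threat. Requires the ExchangeOnlineManagement module.
# The admin UPN and partner domains are placeholders, not real values.

Connect-ExchangeOnline -UserPrincipalName 'admin@example-hospital.org'

# Sender domains that must keep reaching the inbox (e.g. a lab or HIE partner).
# Placeholder list; populate it from your own trusted-partner inventory.
$trustedPartnerDomains = @('lab-partner.example', 'hie.example')

New-TransportRule -Name 'Heightened threat: external mail to Junk' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSenderDomainIs $trustedPartnerDomains `
    -PrependSubject '[EXTERNAL] ' `
    -SetSCL 6 `
    -Comments 'Temporary control after FBI/CISA Ryuk alert; review daily.'

# Verify the rule is enabled, and confirm the anti-spam policy actually moves
# spam-scored mail to Junk; otherwise SetSCL 6 has no visible effect for users.
Get-TransportRule -Identity 'Heightened threat: external mail to Junk' |
    Format-List Name, State, FromScope, SetSCL
Get-HostedContentFilterPolicy |
    Format-List Name, SpamAction, HighConfidenceSpamAction

# Roll back when the threat level drops.
# Disable-TransportRule -Identity 'Heightened threat: external mail to Junk' -Confirm:$false
```

The exception list is what keeps clinical partner mail flowing, and it is only as trustworthy as the sender authentication (SPF, DKIM, DMARC) enforced for those domains: a message spoofing an excepted partner domain would skip the rule too, so pair the exception with DMARC enforcement or a connector-based check rather than relying on the domain string alone.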
Difficult Balancing Act
Some experts note that completely shutting down email, even temporarily, could prove an extreme way to prevent an organization from falling victim to phishing attacks, so such measures should be taken with great caution.
“Turning off email systems completely at this time is a drastic move and something I would not recommend,” says Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center.
“The disruption to the business would be severe and the ability to stay up-to-date on the latest threats and countermeasures would be very difficult without access to email,” he adds.
Drex DeFord, executive healthcare strategist at vendor CI Security and a former CIO at several healthcare entities and in the U.S. Air Force, offers a similar assessment of email system security precautions.
“The ‘cutoff’ steps are not to be taken lightly – it will likely degrade the ability to accomplish the healthcare delivery mission,” he says.
However, “turning off email, and cutting off access to the internet are two scenarios that should be part of every healthcare organization’s incident response plan and exercise,” DeFord says.
“Having a clear set of criteria to determine when and how those actions should occur, and who has the authority to make those decisions quickly can be critical to preventing or limiting a cyberattack.”
The decision to shut down email temporarily while enhancing security protections, such as the measures some of the Massachusetts entities have taken, is less troubling, says BlueVoyant’s D’Agostino.
“If email was turned off while they implemented spear phish filtering, that is no big deal,” he says. However, “turning off an email system entirely is a drastic step that can usually be avoided.”
CEOs, CIOs, CISOs and other IT leaders across the country “should take the opportunity now, as they watch this situation unfold, to also reconsider who on the staff truly needs external email access, and unrestricted web browser access,” DeFord says.
“Limiting access can be a tough decision mostly because it’s never been done. But limiting access does reduce the ‘attack surface’ available to the bad guys,” he says.
“So, in the spirit of ‘never waste a good crisis,’ now may be the time to review and restrict access for some employees,” he says.