The Interlock ransomware threat actor is aggressively targeting Healthcare and Public Health (HPH) Sector organizations. The uptick in Interlock ransomware incidents is impacting the breadth of the sector and does not appear to be targeting specific types of HPH organizations or geographic regions. Sector partners are encouraged to be vigilant and continue to implement strong cyber hygiene practices to defend against threats to our nation’s healthcare system.
This bulletin provides actionable guidance for HPH organizations to strengthen defenses against ransomware attacks.
Key Recommendations:
Owners and operators of HPH infrastructure should possess a well-developed cybersecurity program encompassing a comprehensive vulnerability management strategy, an asset inventory, vulnerability scanning, and penetration testing. The Department of Health and Human Services (HHS) has published a set of voluntary Healthcare and Public Health Cybersecurity Performance Goals (CPGs) to help healthcare organizations prioritize the implementation of high-impact cybersecurity practices. These goals can be used to establish cybersecurity controls and to assist in the prevention of, response to, and recovery from ransomware attacks:
- Implement Multi-Factor Authentication (MFA) to enhance the security of data and applications. MFA requires users to provide a combination of two or more credentials to confirm their identity during the login process. MFA significantly bolsters security; even if one credential is compromised, unauthorized individuals will be unlikely to fulfill the second authentication requirement, thus preventing access to sensitive physical locations, computing devices, networks, or databases. For more information, refer to HPH CPG Essential Goals ID-3, 3.M.A, Essential Goals ID-3, 3.M.C, and Essential Goals ID-3, 3.M.D.
- Safeguard critical assets by implementing micro-segmented networks secured by firewalls and intrusion detection systems. This approach enhances asset protection by partitioning the network into smaller, isolated segments, enabling organizations to isolate critical assets, reduce the risk of lateral movement during an attack, enforce granular access controls based on the principle of least privilege, and detect suspicious activity. For more information on implementation, refer to HPH CPG Enhanced Goals ID-17, 6.M.B.
- Deploy intrusion detection systems (IDS) to identify suspicious activities and alert the system administrator before any substantial damage occurs. A network-based IDS with sensors on the micro-segments can effectively monitor network traffic and identify known threats as well as suspicious or malicious activities. For more information, see HPH CPG Essential Goals ID-1, 7.M.A and Enhanced Goals ID-16, 2.L.C.
- Restrict remote user access to encrypted, secure Virtual Private Network (VPN) connections. Utilizing a VPN allows the organization to conceal its private network information and prevent hackers from intercepting sensitive data. Additionally, VPNs can be configured to provide multifactor authentication, track user activities, and limit access. For more information, refer to HPH CPG Essential Goals ID-9, 3.M.D.
- Enhance monitoring and auditing procedures at the network, user, and host (instrument) layers. If not already in place, consider implementing a Security Information and Event Management (SIEM) system to facilitate monitoring and response capabilities. For more information, refer to HPH CPG Enhanced Goals ID-19, 8.M.A, and Enhanced Goals ID-19, 8.M.B.
- Review and evaluate your continuity and disaster recovery strategies, which should include procedures for database backup and recovery. For more information, refer to HPH CPG Enhanced Goals ID-19, 8.M.B, Enhanced Goals ID-14, 7.L.A, and Enhanced Goals ID-14, 7.L.C.
- Regularly update and patch operating systems, applications, and firmware on all devices to mitigate known vulnerabilities. This reduces the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks that are directly accessible from the Internet. For additional information, refer to HPH CPG Enhanced Goals 11 Asset Inventory.
- Conduct regular employee training to recognize phishing emails and social engineering tactics. Establish clear procedures for reporting suspicious activities or potential cyber incidents. For additional information, refer to Essential CPG 4.
- Regularly back up critical data and ensure backups are stored offline and tested for integrity. Encrypt backup data to prevent exposure if backups are targeted, and maintain a well-documented and tested backup recovery process. For additional information, refer to Essential Goal 7 and Enhanced Goal 13.
- Establish email security to reduce risk from common email-based threats, such as email spoofing, phishing, malicious attachments, and fraud. The HPH CPGs include several measures to enhance email security, recognizing that email is a primary vector for cyberattacks.
Resources
1. HHS Cyber Gateway
Overview: The HHS Cyber Gateway is a one-stop shop for resources including best practice guidance, education, threat specific intelligence, and more to ensure you are staying up to date on the most pertinent cybersecurity resources available to support the HPH sector.
2. HPH Cybersecurity Performance Goals
Overview: The HPH CPGs are a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can prioritize to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.
3. 405(d) Program HPH Cybersecurity Resources
Overview: The 405(d) Program provides organizations across the nation with useful and impactful HPH-focused resources, products, and tools that educate, raise awareness, provide vetted cybersecurity best practices, and strengthen the sector’s cybersecurity posture against cyber threats.
4. #StopRansomware Cybersecurity Advisory (CSA) Series
Overview: An ongoing effort by CISA and the FBI to publish technical information on ransomware variants, threat actors, best practices, and ways to prevent, protect against, and respond to ransomware attacks. In addition, the #StopRansomware Guidance includes general resources for addressing ransomware threats, such as prevention, response, and recovery strategies.
5. CISA’s Mitigation Guide
Overview: While not specific to the ransomware threat, this guidance can be used to combat pervasive cyber threats affecting the HPH Sector.
6. CISA’s HPH Web Page
Overview: Provides an overview of no-cost resources designed to assist healthcare organizations in enhancing their cybersecurity measures.
7. Cyber Hygiene Resources
Overview: HPH Sector organizations are encouraged to use these resources to address their distinct cybersecurity needs.
8. Ransomware – Internet Crime Complaint Center (IC3)
Overview: The IC3 has published these tips and incident response steps to aid in handling and understanding ransomware attacks.