On February 27, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) jointly released an update to the advisory #StopRansomware: ALPHV Blackcat. This update includes new indicators of compromise (IOCs) and details on tactics, techniques, and procedures (TTPs) associated with the ALPHV Blackcat ransomware-as-a-service (RaaS) operation. ALPHV Blackcat affiliates have been actively targeting the healthcare sector.
To ensure swift action, the Centers for Medicare & Medicaid Services (CMS) sent an email on February 29 advising healthcare providers to disseminate the advisory within their organizations. Specifically, they recommend sharing it with IT departments and encouraging network-wide distribution to heighten awareness and preparedness.
In response to the escalating threat of ransomware attacks, CISA issued urgent recommendations. These actions are crucial for safeguarding your organization against potential breaches. Take the following steps today to strengthen your defenses:
- Routinely take inventory of assets and data to identify authorized and unauthorized devices and software.
- Prioritize remediation of known exploited vulnerabilities.
- Enable and enforce multifactor authentication with strong passwords.
- Close unused ports and remove applications not deemed necessary for day-to-day operations.
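The first and last of these steps (inventory authorized devices and software; close unused ports and remove unnecessary applications) both reduce to comparing what is actually running against an approved baseline. The script below is an added example, not part of the CISA advisory or this alert: it takes a constructed asset baseline (authorized hosts, approved software per role, approved listening ports per role) and a constructed inventory snapshot of the kind an endpoint agent or discovery scan would produce, and reports devices not in the inventory, software outside the approved set, listening ports the role does not need, and inventoried hosts that were not observed. All hostnames, software names and ports are sample values made up for the example.

```python
"""Compare an observed asset/software/port snapshot against an approved baseline.

Added example for the CISA recommendations; not code from CISA or Med-Net.
Every host, software name and port below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Baseline:
    hosts: dict              # authorized host -> role, e.g. "workstation"
    approved_software: dict  # role -> list of approved software names
    approved_ports: dict     # role -> list of approved listening TCP ports


@dataclass
class Finding:
    host: str
    kind: str    # unauthorized_host | unauthorized_software | unexpected_port | missing_host
    detail: str


def compare_inventory(baseline, observed):
    """Return one Finding per deviation from the baseline.

    observed: {host: {"software": [...], "ports": [...]}} as collected by an
    endpoint agent or network discovery scan (constructed here).
    """
    findings = []
    for host, snapshot in sorted(observed.items()):
        role = baseline.hosts.get(host)
        if role is None:
            # Device talking on the network that nobody authorized: top of the list.
            findings.append(Finding(host, "unauthorized_host", "not in asset inventory"))
            continue
        allowed_sw = set(baseline.approved_software.get(role, ()))
        for sw in sorted(set(snapshot.get("software", [])) - allowed_sw):
            # e.g. a remote-access tool that was never approved for a workstation
            findings.append(Finding(host, "unauthorized_software", sw))
        allowed_ports = set(baseline.approved_ports.get(role, ()))
        for port in sorted(set(snapshot.get("ports", [])) - allowed_ports):
            findings.append(Finding(host, "unexpected_port", f"tcp/{port}"))
    # Inventoried hosts that did not show up: offline, renamed, or decommissioned
    # without the inventory being updated. Either way the inventory is stale.
    for host in sorted(set(baseline.hosts) - set(observed)):
        findings.append(Finding(host, "missing_host", "in inventory but not observed"))
    return findings


def count_by_kind(findings):
    """Summary counts, handy for a recurring audit report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed baseline: two workstations and one EHR server.
BASELINE = Baseline(
    hosts={"ws-101": "workstation", "ws-102": "workstation", "ehr-01": "ehr-server"},
    approved_software={
        "workstation": ["edr-agent", "office-suite", "browser"],
        "ehr-server": ["edr-agent", "ehr-app", "db"],
    },
    approved_ports={"workstation": [], "ehr-server": [443, 5432]},
)

# Constructed snapshot: one clean workstation, one with an unapproved
# remote-helper tool listening on a port, a server with a stray port,
# and a device that is not in the inventory at all.
OBSERVED = {
    "ws-101": {"software": ["edr-agent", "office-suite", "browser"], "ports": []},
    "ws-102": {"software": ["edr-agent", "browser", "remote-helper-tool"], "ports": [3389]},
    "ehr-01": {"software": ["edr-agent", "ehr-app", "db"], "ports": [443, 5432, 21]},
    "ws-999": {"software": ["browser"], "ports": []},
}

if __name__ == "__main__":
    results = compare_inventory(BASELINE, OBSERVED)
    for f in results:
        print(f"{f.host:8} {f.kind:22} {f.detail}")
    print(count_by_kind(results))
```

Run against a real inventory, the baseline would come from the organization's asset register and the snapshot from its endpoint or vulnerability-management tooling; the comparison logic stays the same. Findings of kind `unauthorized_software` and `unexpected_port` are the ones that map directly onto the "remove applications not deemed necessary" and "close unused ports" steps.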
You can access the advisory here.
Compliance Perspective
Issue
The healthcare sector is one of the most heavily targeted victims of ransomware because of the sensitivity of the data it holds and the critical, time-sensitive nature of online patient records. Recent attacks on healthcare institutions underscore the severity of the threat. ALPHV operates as a Ransomware-as-a-Service group, making its ransomware available to criminal affiliates under a software-as-a-service (SaaS) style model. In 2023, ALPHV ranked second among the most active big game ransomware groups. ALPHV Blackcat affiliates employ advanced social engineering techniques and conduct open-source research on targeted companies. They pose as IT or helpdesk staff, using phone calls or SMS messages to obtain employee credentials and gain initial access to the network. After gaining access to a victim network, they deploy remote access software in preparation for data exfiltration.
Discussion Points
- Review policies and procedures related to cybersecurity. Ensure that they address how to avoid falling prey to intrusion attempts by unauthorized individuals, and how to guard against and detect malicious software. Make sure the facility has a well-defined incident response plan in place.
- Train appropriate staff on how to avoid phishing schemes, malware exposures, unauthorized release of protected health information (PHI), and how to detect malicious software and report such detections. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
- Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for cybersecurity are being followed. Also audit to make sure computers and other devices are regularly scanned and updated.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*