Skip to Content

The Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning in late October that cybercriminals were increasing their attacks on the health sector, even as hospitals struggle to keep up with the increasing number of COVID-19 cases.

Now is the time to review incident response plans

In light of this warning, hospitals and health care institutions should review their incident response plans and consider convening a meeting of the incident response team to discuss this warning and to review the response measures to a ransomware attack.

Additionally, hospitals and health care institutions should review their cyber liability coverage carefully and understand the process for reporting cyberattacks to their insurance carrier.

Moreover, these organizations should be familiar with the resources provided under the policy that can respond quickly in the event of a cyberattack. This would include having a detailed plan and understanding the risks of paying any ransom demand.

Adams and Reese recently published an alert, “With Cyber Incidents on the Rise, Treasury Department Issues Two Advisories to Help Guide Businesses in Response to Ransomware Attacks,” which contains important guidance in consideration of any decision to pay an attacker’s ransom demands.

Finally, hospitals and healthcare institutions should engage with experienced professionals to plan a response before an attack occurs in order to test response plans in a simulated environment to identify gaps and prepare for a real event.


“CISA, FBI, and HHS have credible information of an increased an imminent cybercrime threat to U.S. hospitals and healthcare providers,” the October joint statement from the FBI, HHS, and CISA says.

These attacks often lead to ransomware attacks, data theft, and the disruption of healthcare services.

“CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”

According to the statement, Trickbot malware with a Ryuk ransomware payload locks up hospital computers until a ransom exceeding $1 million is paid.

Look out for infected links and documents mimicking internal communications

The malware is launched when employees click on an infected link. These links often appear in documents mimicking internal communications, including Google Doc and PDF attachments.

Since early 2019, the FBI has observed a new Trickbot module named Anchor, which includes anchor_dns, a tool for sending and receiving data from victim machines using Domain Name System tunneling. The function allows the ransomware to evade typical network defense productions and blend malicious communications with legitimate data traffic.

To counter this vicious virus, the federal agencies urge the health sector to take the following immediate actions:

  • Instruct everyone on their email system not to click on any link, no matter how innocent it seems, whether links appear in emails, text messages, or on videoconference platforms
  • Ensure all systems are up-to-date and have current patches installed
  • Scan backups for latent malware
  • Change network security settings to filter out active links in emails and strip attachments from emails
  • Disconnect critical systems from the organization’s network

Here’s what organizations can do to stay safe in the long run

Implementing data security best practices over the long term is also vital to successfully battling malware and ransomware attacks. Examples of best practices include:

  • Implementing a rapid-response plan and training staff to deal with ransomware when it does appear
  • Using micro-segmentation and zero-trust concepts to prevent malware from spreading within the organization
  • Implementing multi-factor authentication
  • Implementing a continuity of operations plan, including off-site storage and remote storage of backup data
  • Developing an IT lockdown plan, which is trained and rehearsed

Ransomware has consequences, but should ransom be paid?

Ransomware attacks on hospitals can have life-and-death consequences. The same type of ransomware now targeting U.S. hospitals recently targeted a German hospital, causing its servers to crash and one woman to die after she was unable to receive life-saving care.

Despite the potentially dire consequences, the CISA, FBI, and HHS do not recommend paying the ransom, as it does not ensure data is encrypted or that the systems or data is no longer compromised.

The CISA strongly recommends responding by using the Ransomware Response Checklist located in the CISA and MS-ISAC’s Joint Ransomware Guide. Among the recommended items to consider as part of any ransomware checklist are:

  • Maintaining regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
  • Retaining backup hardware to rebuild systems in the event rebuilding the primary system is not preferred
  • Making applicable source code or executables available in addition to system images (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.
  • Implementing a cybersecurity user awareness and training program that includes guidance on how to identify and report suspicious activity (e.g., phishing) or incidents. Conduct organization-wide phishing tests to gauge user awareness and reinforce the importance of identifying potentially malicious emails.
  • Implementing filters at the email gateway to filter out emails with known malicious indicators, such as known malicious subject lines, and block suspicious Internet Protocol (IP) addresses at the firewall.

Adams and Reese’s Privacy, Cybersecurity and Data Management team will continue to monitor developments in this arena.