US healthcare organizations warned of cyber threats related to Russian invasion of Ukraine

The American Hospital Association believes there are three areas of concerns for the U.S. healthcare sector, in light of the Russian invasion on Ukraine: hospitals and health systems may be directly targeted, or become incidental victims of Russian-backed threat actors, and could see operational disruptions brought on by a cyberattack.

These concerns are wrought from Russia’s previous attack methods of using cyberweapons as military action against Ukraine. For example, the 2017 NotPetya incident impacted at least 10 U.S. healthcare organizations, despite a Ukraine entity being the primary target.

As such, AHA warned that “hospitals and health systems may become incidental victims of, or collateral damage to, Russian-deployed malware or destructive ransomware that inadvertently penetrates U.S. healthcare entities.”

AHA and the Department of Health and Human Services Cybersecurity Coordination Center are urging healthcare delivery organizations to be on alert and take action on key security mitigations to prevent potential operational disruptions.

The U.S. government and NATO issued economic and military actions in response to the invasion, which raises concerns that Russia could retaliate with disruptive cyberattacks for political and military gain. The Cybersecurity and Infrastructure Security Agency previously issued an alert to the private sector of the increased cyberthreat to critical infrastructure.

AHA has been closely monitoring the potential for increased cyber risk to the U.S. health system stemming from these ongoing military actions, as Russia has previously employed cyberattacks against Ukraine to disrupt operations. 

John Riggi, AHA national adviser for cybersecurity and risk, has been closely coordinating with CISA, FBI, HHS on potential threats to the healthcare sector. The collaboration has resulted in key recommendations hospitals and health systems should immediately take to proactively protect its environment from potential Russian-backed threats.

“Our other cyber adversaries — mainly China, Iran, North Korea and Russia based ransomware gangs — may see this as an opportunity to increase their cyber espionage and attack activity,” Riggi warned.

Healthcare organizations advised to be on heightened alert

AHA and CISA previously issued a number of alerts and bulletins for risk mitigation strategies, which healthcare organizations should review to better understand the ongoing threat and potential worst-case scenarios. Some of those previous recommendations include network monitoring to identify unusual activity or traffic, with a close look at the active directory.

All workforce members should be urged to be on heightened alert around the potential to receive malware-laden phishing emails.

Healthcare security leaders should apply “geo-fencing for inbound and outbound traffic originating from, and related to, Ukraine and its surrounding region,” in an attempt to mitigate direct cyber risks. But AHA warned it would “have limited impact in reducing indirect risk, in which malware transits through other nations, proxies and third parties.”

If not previously implemented, entities should work to identify internal and third-party mission-critical clinical and operational services and tech, in addition to implementing business continuity plans and well-practiced downtime procedures for four to six weeks to ensure operations can be maintained if disrupted by a cyberattack.

With the heightened alert, it’s the ideal opportunity to recheck network and data backups for redundancy, resiliency, and overall security to ensure multiple copies exist, are kept offline, segmented, and kept offline with at least one immutable copy.

Healthcare entities are encouraged to reach out directly to AHA with any questions. HC3 also issued an alert on the potential for cyber adversaries to target entities with foreign influence operations, such as misinformation, disinformation, and malinformation.” These attacks are meant to shape public opinion, undermine trust, amplify division, and sow discord.

The healthcare sector should review the CISA alert, while identifying potential vulnerabilities that could be exploited through misinformation campaigns. HC3 warns that “foreign actors engage in these actions to bias the development of policy and undermine the security of the U.S. and our allies, disrupt markets, and foment unrest.”