Cybersecurity Advisory: Russia May Use Cyberattacks as Retaliation

On Feb. 23, the American Hospital Association (AHA) published a cybersecurity advisory warning that Russia may use cyberattacks as a form of retaliation due to the economic and military sanctions placed on the country by the U.S. government and NATO allies.

The advisory states that “The AHA is closely monitoring the potential for increased cyber risks to the U.S. health system stemming from the ongoing military operations in the Russia/Ukraine region. The Russian military has previously used cyberattacks against Ukraine to disrupt the electrical grid, communications capabilities and financial institutions. For example, it was reported last week that cyber denial-of-service attacks, attributed to the Russian military, were launched against Ukraine’s Ministry of Defense, as well as its financial institutions.”

That said, “In light of previous attacks and potential threats, the Cybersecurity and Infrastructure Security Agency last week issued a related-and-rare cyber ‘Shields Up’ warning to the U.S. private sector, including healthcare, based upon the increased cyberthreat posed by the Russian government.”

John Riggi, AHA’s national advisor for cybersecurity and risk, and a former senior executive in the FBI’s cyber division, will remain in close coordination with the FBI, CISA and the Department of Health and Human Services regarding related threats which may pose a risk to U.S. healthcare.

The advisory says that there are three concerns for the healthcare field:

• Hospitals and health systems being targeted by Russian-sponsored cyber actors
• Hospitals and health systems becoming collateral damage to Russian-deployed malware or destructive ransomware
• A cyberattack that could disrupt hospital’s mission-critical service providers

As to what can be done, the advisory includes the following measures:

• “Share this Cyber Security Advisory with your organization’s IT and cyber infrastructure teams.
• Hospitals and health systems should review the above-identified alerts and bulletins for guidance on risk mitigation procedures, including increased network monitoring for unusual network traffic or activity, especially around active directory. Additionally, it is important to heighten staffs’ awareness of increased risk of receiving malware-laden phishing emails.
• Geo-fencing for all inbound and outbound traffic originating from, and related to, Ukraine and its surrounding region may help mitigate direct cyber risks presented by this threat; however, it will have limited impact in reducing indirect risk, in which malware transits through other nations, proxies and third parties.
• AHA also recommends that organizations identify all internal and third-party mission-critical clinical and operational services and technology; in doing so they should put into place four-to-six week business continuity plans and well-practiced downtime procedures in the event those services or technologies are disrupted by a cyberattack.
• It is essential at this time to check the redundancy, resiliency and security of your organization’s network and data backups, and ensure that multiple copies exist: off-line, network segmented, on premises and in the cloud, with at least one immutable copy.
• It is also critical that a cross-function, leadership-level cyber incident response plan be fully documented, updated and practiced. This should include emergency communications plans and systems.”