HHS Update #4: International Cyber Threat to Healthcare Organizations (Revised)
IN THIS ISSUE
- If you are the victim of ransomware or have cyber threat indicators to share (**Revised with web addresses**)
- HHS Office of Civil Rights Guidance on HIPAA specific to WannaCry
- CISA Protections for private sector information sharing
- Where can I find the most up-to-date information from the U.S. government?
- Why connect with your local fusion center?
- FDA's Public Workshop - Cybersecurity of Medical Devices
- How to request an unauthenticated scan of your public IP addresses from DHS
- Please contact your FBI Field Office Cyber Task Force (www.fbi.gov/contact-us/field/field-offices) immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
- Please report cyber incidents to the US-CERT (www.us-cert.gov/ncas) and FBI's Internet Crime Complaint Center (www.ic3.gov).
- For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC_RM@hhs.gov
- As outlined in its guidance available on its website, OCR presumes a breach in the case of a ransomware attack. The entity must determine whether such a breach is a reportable breach no later than 60 days after the entity knew or should have known of the breach. A request by law enforcement to hold reports tolls the 60-day reporting deadline. For a copy of the ransomware guidance, please see: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf?language=es.
- The ransomware guidance also includes important information about ransomware and how compliance with the HIPAA Security Rule helps entities prepare for ransomware attacks, including with regard to contingency planning. For more guidance on the Rule’s requirements, please see https://www.hhs.gov/hipaa/
- OCR has shared its FAQ on sharing of cyber threat indicators under CISA with federal partners, and it is available on the OCR website. Please see https://www.hhs.gov/hipaa/for-professionals/faq/2072/covered-entity-disclose-protected-health-information-purposes-cybersecurity-information-sharing/index.html.
- Reporting information to law enforcement, DHS, or other HHS divisions does not constitute inadvertent or intentional reporting to OCR. All reporting of breaches to OCR should be made as required by the HIPAA Breach Notification Rule. Important Note: If the data was not encrypted by the entity to at least NIST specifications when the ransomware attack was deployed, then OCR presumes a breach occurred as a result of the ransomware attack. As such, the entity would need to prove, through forensic or other evidence, that the ePHI was encrypted when the attack occurred and that the ransomware containerized (or encrypted again) already-encrypted ePHI. Please see https://www.hhs.gov/hipaa/
- For overall Cyber Situational Awareness visit the US-CERT National Cyber Awareness System webpage at: https://www.us-cert.gov/
- NCCIC portal for those who have access: hsin.dhs.gov
- Indicators Associated With WannaCry Ransomware:
  - US-CERT - Alert - TA17-132A - https://www.us-cert.gov/
  - ICS-CERT - Alert - 17-135-01 - https://ics-cert.us-cert.
- ASPR TRACIE: Healthcare Cybersecurity Best Practices: https://asprtracie.
- Fact Sheet on the FDA's Role in Medical Device Security: https://www.fda.
10903 New Hampshire Avenue, Bldg. 31, Room 1503, Silver Spring, MD 20993
- NCATS focuses on increasing the general health and wellness of the cyber perimeter by continuously assessing for all known external vulnerabilities and configuration errors. This persistent assessment enables proactive mitigation before malicious third parties can exploit those weaknesses, reducing risk.
- Attributable data is not shared or disseminated outside of DHS or beyond the stakeholder; non-attributable data is used to enhance situational awareness.