In response to the recent US strike on Iran's nuclear facilities, the New York State Department of Health (“NYS DOH”) has issued a Cybersecurity Advisory (“Advisory”) warning health providers, including hospitals, treatment centers, and healthcare workers, that are likely to be an increase in cyberattacks and increased cybersecurity threat activity. This recommendation follows similar announcements and warnings from the US Department of Homeland Security (“DHS”), the NYS Intelligence Center (NYSIC), and Health-ISAC (Centre for Information Sharing and Analytics).
This advisory encourages healthcare providers and organizations to enhance physical and information technology (IT) security controls to protect against known attack technologies such as:
Distributed Denial of Service (DDOS), a harmful attempt to block access to a server or network by flooding traffic. Ransomware is a type of malware software that blocks access to a computer or file and requests money to unlock it. Or when the weakness of a website, also known as digital vandalism, changes the threatening actors infiltrate the website and change what it looks like and what it says.
The advisory also proposes removing operational technology (OT) connections to the public internet, changing default passwords, using strong, unique passwords, protecting remote access to the network, and segmenting the network. The provider also recalls that NYS Cybersecurity regulations require hospitals to report cybersecurity incidents to NYS DOH within 72 hours of a cybersecurity incident.
According to DHS's Cybersecurity & Infrastructure Security Agency (CISA), healthcare providers primarily retain protected health information (PHI), Personally Identifiable Information (PII), clinical and protection information, and insurance information, and insurance information, and protection information, and protection information, and protection information, and protection information, and protection information, and clinical information. Phi is permanent and personal and is especially valuable for identity theft, scary mail and fraud.
At the same time, hospitals and healthcare facilities operate in environments where system outages can damage life-saving patient care. Reliance on electronic health records (EHRs), cloud vendors and telehealth platforms broadens the threat of attacks that could allow attack-facing threat actors to penetrate such systems. This makes healthcare organizations more likely to pay ransoms to quickly restore access, making them particularly attractive to threatening actor groups. Given these risks, cybersecurity is a matter of patient safety. Therefore, proactive preparation is essential. Failure to prepare or respond quickly to an attack can lead to regulatory enforcement measures, class actions, reputational damage, and loss of patient trust and revenue.
External lawyers who have experienced cybersecurity, privacy, healthcare and government investigations can help reduce risk while maintaining privilege.
Crowell & Moring has considerable experience working with businesses to address these risks, actively and through reactive investigations in the event of potential cyber events. For more information, please contact the following teams:
