The Russia-Ukraine conflict is increasing the risk of ransomware attacks and other cyber threats for U.S. companies, and those in the health care industry may be targeted. In a recent analyst note, the Department of Health & Human Services (“HHS”) describes the cyber capabilities of Russia, one of the world’s major cyberpowers, and analyzes the two malware variants most likely to impact the U.S. health care and public health sector: HermeticWiper and WhisperGate, both of which have been used against Ukraine during the conflict. Although HHS is not currently aware of any specific threat to the U.S. health care and public health sector, organizations in the sector should remain vigilant and proactively take measures to mitigate the risk of a cyberattack.
In a recent blog post, Lisa Pino, Director for the Office for Civil Rights, outlines several ways health care organizations can prepare for cyberattacks in 2022. As the blog post notes, 2021 saw multiple cyberattacks on hospitals and health care systems, which led to the cancellation of procedures such as surgeries and radiology exams. The blog post calls on covered entities and business associates to improve their cyber posture in 2022, and one area of focus should be the enterprise-wide risk analysis. Risk analyses should be comprehensive in scope and cover all electronic protected health information across the organization. Other best practices noted in the blog post include maintaining offline, encrypted backups of data and regularly testing backups; conducting regular vulnerability scans; regularly patching and updating software and operating systems; and training employees on phishing and other common IT attacks.