HAP's Latest News

Hospital Community Closely Monitoring New Health Care Cybersecurity Threat

October 29, 2020

Hospitals across the country and within Pennsylvania are closely monitoring a new credible cybersecurity threat issued by the Cybersecurity and Infrastructure Security Agency (CISA). The threat is through ransomware known as “TrickBot” and “Ryuk” and could impact hospitals and health care providers. The American Hospital Association (AHA) is in close communication with federal agencies and is serving as a source of information and support to the hospital community.

TrickBot is a type of modular banking Trojan that uses third party branding familiar to the recipient, such as invoices from accounting and financial firms. The emails typically include an attachment, such as a Microsoft Word or Excel document. The opened attachment will prompt the user to enable macros, which executes a VBScript to run a PowerShell script to download the malware. TrickBot runs checks to ensure it is not in a sandbox environment and then attempts to disable antivirus programs, such as Microsoft’s Windows Defender. Once executed, TrickBot redeploys itself in the “%AppData%” folder and creates a scheduled task that provides persistence.

Ryuk is a type of ransomware used in targeted attacks, where the threat actors make sure that essential files are encrypted so they can ask for large ransom amounts. A typical Ryuk ransom demand can amount to a few hundred thousand dollars. 

Pennsylvania hospitals’ primary concern is the health and safety of patients and health care workers, including the security of their health information. HAP’s emergency management (EM) experts recommend that all hospitals, health systems, and health care providers refer to CISA’s ransomware guide for best practices to prevent cybersecurity breaches, and make sure to communicate with the executive, emergency management, information technology, and communications teams to ensure preparedness for a potential breach. If a hospital or health care facility suspects or experiences a breach due to TrickBot, Ryuk, or otherwise, it should report it to the appropriate federal agency.

The HAP EM team regularly works with the Pennsylvania hospital community to assess cybersecurity risk and make recommendations about ways to improve the information technology security of facilities.

HAP will continue to monitor this situation and work with the AHA and members to provide resources and updates about this threat, as well as best practices to enhance health care security.

For more information, contact Scott Mickalonis, HAP’s vice president, emergency management, or Rachel Moore, HAP’s director, media relations.