Long-Term Care Toolkit Annex I: Cybersecurity
Guidance
Purpose: Minimize business disruption from ransomware and extortion, resident harm, and data breaches through timely detection and training. Top five threats: email phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against connected medical devices.
Health Industry Cybersecurity Practices (HICP) Quick Start Guide (PDF) identifies ten best practices to mitigate the current threats: email protection systems; endpoint protection systems; access management; data protection and loss prevention; asset management; network management; vulnerability management; incident response; medical device security; and cybersecurity policies.
Internal contacts:
- IT services.
- Administration/public affairs.
External contacts (see Appendix N for the following):
- Local emergency manager:
- Minnesota Duty Officer: 651-649-5451 duty.officers@state.mn.us
*See Excel spreadsheets for all internal/external contacts*
Be proactive: hand hygiene for cybersecurity includes:
- Installing antivirus and anti-malware software and scanning for viruses.
- Using firewalls to stop unauthorized users from getting information.
- Updating apps, web browsers, and operating systems on all devices regularly.
- Keeping hard drives clean by reformatting and wiping them.
- Changing passwords and using multifactor authentication.
Email phishing attacks
Email phishing is an attempt to trick you, a colleague, or someone else in the workplace into giving out information using email. An inbound phishing email includes an active link or file (often a picture or graphic). The email appears to come from a legitimate source, such as a friend, coworker, manager, company, or even the user’s own email address. Clicking to open the link or file takes the user to a website that may solicit sensitive information or proactively infect the computer. Accessing the link or file may result in malicious software being downloaded or access being provided to information stored on your computer or other computers within your network.
Ransomware attacks
The HHS Ransomware Factsheet (PDF) defines ransomware as follows:
“Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) to receive a decryption key.”
Loss or theft of equipment or data
Every day, mobile devices such as laptops, tablets, smartphones, and USB/thumb drives are lost or stolen, and they end up in the hands of hackers. Theft of equipment and data is an ever-present and ongoing threat for all organizations. Although the value of the device represents one loss, far greater are the consequences of losing a device that contains sensitive data. In cases where the lost device was not appropriately safeguarded or password protected, the loss may result in unauthorized or illegal access, dissemination, and use of sensitive data.
Insider, accidental or intentional data loss
Insider threats exist within every organization where employees, contractors, or other users access the organization’s technology infrastructure, network, or databases. There are two types of insider threats: accidental and intentional. An accidental insider threat is an unintentional loss caused by honest mistakes, like being tricked, procedural errors, or a degree of negligence. For example, being the victim of an e-mail phishing attack is an accidental insider threat.
Attacks against connected medical devices
The Food and Drug Administration (FDA) defines a medical device as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part or accessory which is recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them; intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.”
MN Executive Order 22-20
On October 13, 2022, the following message went out from MDH. Facilities/agencies need to decide for themselves what they need to do. The Executive Order was attached to the email (Executive Order 22-20 FAQ: responding to directives and reporting cyber-attacks).
New cybersecurity requirements for State of Minnesota critical infrastructure providers
On August 30, Governor Tim Walz signed Executive Order 22-20, directing state agencies to implement cybersecurity measures to protect critical infrastructure in Minnesota. Your business is part of the 16 critical infrastructure types.
MDH leadership, in partnership with Minnesota IT Services (MNIT), is following this order by continuing to monitor and help reduce cybersecurity risks to protect the life and safety of Minnesotans. All service providers rely on systems that are potentially vulnerable to cybersecurity threats and will be required to take actions to protect their system security, with more details in the future from MDH.
What needs to be done?
- Register your system owners and identified staff with MN Fusion Center at MNFC. See below.
- Report cyber-attacks using the guidance in Executive Order 22-20 FAQ: responding to directives and reporting cyber-attacks.
- Look for additional information in the future from MDH on materials to conduct a cybersecurity self-assessment. You may also choose to have an assessment completed by an outside entity.
- After completing the cybersecurity assessment, your system will:
  - Certify completion with MDH.
  - Continue work in addressing potential security gaps.
  - Annually certify that an updated assessment has been completed.
- Register system owner and staff with the Minnesota Fusion Center (MNFC). Personnel responsible for system ownership, system operations, and cybersecurity are expected to register at Minnesota Fusion Center: Law Enforcement and Partner Members; there is no limit to how many may register. Register under ‘Partners Membership’, complete the biographic information, then select the Critical Infrastructure applicable Key Resources Sector. Public drinking water entities should choose “Water.” Most others will select “Health Care and Public Health.” IT and cyber security personnel should select ‘Information Technology’ and a sector. Registration questions can be directed to mn.fc@state.mn.us.
- See CISA: Free Cybersecurity Services and Tools for additional guidance.
Procedures
- If telephone service is lost due to outside causes, the telephone company must be notified immediately.
- Unplug the fax machine and plug in the emergency phone.
- If the emergency phone does not work, the maintenance director, or other designated person, shall be directed to go to the nearest operating telephone available to report the loss, and as much information concerning the outage as possible.
- If the telephone service is anticipated to be out for an indefinite period, the shift charge nurse shall contact the local radio station to inform them of the phone outage so that weather and other major announcements can be relayed to the facility during the telephone outage.
- A designated person and vehicle must always be ready to depart in an emergency to report any disaster requiring emergency services from the police, fire department, or ambulance.