The company recommends that all enterprises review VPN infrastructure for updates while employees work remotely, and that it is “critical” that they be aware of the current status of related security patches. To do this, it suggests the following:

• Apply all available security updates for VPN and firewall configurations.


• Monitor and pay special attention to remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.


• Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.


• Turn on AMSI for Office VBA if you have Office 365.

It also recommends that providers build on their security protocols against human-operated ransomware by hardening internet-facing assets; ensure they have the latest security updates; secure remote desktop gateways with solutions like Azure Multi-Factor Authentication; practice the principle of least privilege, and maintain credential hygiene; and utilize the Windows Defender Firewall and hospital network firewalls to prevent RPC and SMB communication among endpoints, among other tactics.

“We continue to work with our customers, partners, and the research community to track human-operated ransomware and other trends attackers are using to take advantage of this global crisis,” it said.

Back to HCB News

Health IT Homepage