Healthcare cybersecurity is a growing concern. The last few years have seen hacking and IT security incidents steadily rise and many healthcare organizations have struggled to defend their network perimeter and keep cybercriminals at bay.

2015 was a record year for healthcare industry data breaches. More patient and health plan member records were exposed or stolen in 2015 than in the previous 6 years combined, and by some distance. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyberattack. 2016 saw more healthcare data breaches reported than any other year, and 2017 looks set to be another record breaker.

Healthcare providers now have to secure more connected medical devices than ever before and there has been a proliferation of IoT devices in the healthcare industry. The attack surface is growing and cybercriminals are developing more sophisticated tools and techniques to attack healthcare organizations, gain access to data and hold data and networks to ransom.

The healthcare industry has been slow to respond and has lagged behind other industries when it comes to cybersecurity. However, cybersecurity budgets have increased, new technology has been purchased, and healthcare organizations are getting better at blocking attacks and keeping their networks secure.

The articles in this healthcare cybersecurity section are intended to help HIPAA covered entities decide on the best technologies to protect their networks from attack and develop effective policies, procedures and security awareness training programs to prevent costly data breaches.

Our healthcare cybersecurity section contains articles and new reports relating to:

New vulnerabilities that could be exploited to gain access to healthcare networks

Security warnings about new attack vectors currently being used by cybercriminals to gain access to healthcare networks and data

Details of new malware and ransomware that threaten the confidentiality, integrity, and availability of protected health information

Healthcare cybersecurity best practices

New guidelines for HIPAA covered entities on data and device security

Updates from the Healthcare Industry Cybersecurity Task Force

Details of cybersecurity frameworks that can be adopted by healthcare organizations to improve security posture

Advice related to the HIPAA Security Rule and the safeguards that must be applied to secure medical devices, networks and healthcare data

The latest healthcare cybersecurity surveys, reports and white papers

Five Eyes Intelligence Alliance Warns of Increase in Cyberattacks Targeting Managed Service Providers
May13

Five Eyes Intelligence Alliance Warns of Increase in Cyberattacks Targeting Managed Service Providers

The Five Eyes intelligence alliance, which consists of cybersecurity agencies from the United States, United Kingdom, Australia, New Zealand, and Canada, has issued a joint alert warning about the increasing number of cyberattacks targeting managed service providers (MSPs). MSPs are attractive targets for cybercriminals and nation-state threat actors. Many businesses rely on MSPs to provide information and communication technology (ICT) and IT infrastructure services, as it is often easier and more cost-effective than developing the capabilities to handle those functions internally. In order to provide those services, MSPs require trusted connectivity and privileged access to the networks of their clients. Cyber threat actors target vulnerable MSPs and use them as the initial access vector to gain access to the networks of all businesses and organizations that they support. It is far easier to conduct a cyberattack on a vulnerable MSP and gain access to the networks of dozens of businesses than to target those businesses directly. When MSP systems are compromised, it may take...

Read More
Bill Introduced that Seeks to Improve Medical Device Cybersecurity
May11

Bill Introduced that Seeks to Improve Medical Device Cybersecurity

A new bill has been introduced that seeks to address the cybersecurity of medical devices that will require manufacturers of medical devices to meet certain minimum standards for cybersecurity for the entire lifecycle of the products. The medical device cybersecurity provisions of the bill – H.R. 7667 Food and Drug Amendments of 2022 – call for device manufacturers to “have a plan to appropriately monitor, identify, and address in a reasonable time postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and procedures,” and to “design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure.” The processes and procedures should include making “updates and patches available to the cyber device and related systems throughout the lifecycle of the cyber device.” Those patches and updates are required on a reasonably justified regular cycle to address known vulnerabilities, and, as soon as possible out of cycle, to address critical vulnerabilities that could cause uncontrolled...

Read More
HC3 Highlights Trends in Ransomware Attacks on the HPH Sector
May10

HC3 Highlights Trends in Ransomware Attacks on the HPH Sector

The tactics, techniques, and procedures (TTPs) used by ransomware and other cyber threat actors are constantly evolving to evade detection and allow the groups to conduct more successful attacks. The TTPs employed in the first quarter of 2022 by ransomware gangs have been analyzed and shared by the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3). In Q1, 2022, the majority of ransomware attacks on the Healthcare and Public Health Sector (HPH) were conducted by five ransomware-as-a-service groups. LockBit 2.0 and Conti each accounted for 31% of attacks, followed by SunCrypt (16%), ALPHV/BlackCat (11%), and Hive (11%). The financially motivated threat groups FIN7 and FIN12 have also shifted their activities and have moved to ransomware operations, with FIN7 working with ALPHV and FIN12 extensively involved in attacks on the HPH sector. FIN12’s involvement has decreased the timescale for conducting attacks from 5 days to 2 days. Ransomware gangs often work with initial access brokers (IABs) that specialize in gaining access to...

Read More
NIST Publishes Updated Cybersecurity Supply Chain Risk Management Guidance
May06

NIST Publishes Updated Cybersecurity Supply Chain Risk Management Guidance

On Thursday, the National Institute of Standards and Technology (NIST) published updated cybersecurity supply chain risk management (C-SCRM) guidance to help organizations develop an effective program for identifying, assessing, and responding to cybersecurity risks throughout the supply chain. Cyber threat actors are increasingly targeting the supply chain. A successful attack on a single supplier can allow the threat actor to compromise the networks of all companies that use the product or service, as was the case with the REvil ransomware attack on Kaseya in 2021. The threat actors exploited a vulnerability in Kaseya VSA software and the attack affected up to 1,500 businesses. The publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), is the result of a multiyear process that included the release of two draft versions of the guidance. The updated guidance can be used to identify, assess, and respond to cybersecurity risks throughout the supply chain at all levels of an organization. While...

Read More
Average Ransom Payment Dropped by 34% in Q1, 2022
May05

Average Ransom Payment Dropped by 34% in Q1, 2022

The average ransom payment in ransomware attacks fell by 34% in Q1, 2022, from an all-time high in Q4, 2021, according to ransomware incident response firm Coveware. The average ransom payment in Q1, 2022 was $211,259 and the median ransom payment was $73,906. The fall in total ransom payments has been attributed to several factors. Coveware suggests ransomware gangs have been targeting smaller organizations and issuing lower ransom demands, due to the increased scrutiny by law enforcement when attacks are conducted on large enterprises. The median company size has been falling since Q4, 2020, and is now companies with around 160 employees. This appears to be the sweet spot, where the companies have sufficient revenues to allow sizable ransoms to be paid, but not so large that attacks will result in considerable scrutiny by law enforcement. Another reason why total ransom payments have fallen is fewer victims of ransomware attacks have been paying the ransom. The number of victims of ransomware attacks that pay the ransom has been steadily declining, from 85% of victims in Q1 2019...

Read More
FBI Issues Warning About BEC Scams as Losses Increase to $43 Billion
May05

FBI Issues Warning About BEC Scams as Losses Increase to $43 Billion

The Federal Bureau of Investigation (FBI) has issued a public service announcement warning about the threat of Business Email Compromise/Email Account Compromise (BEC/EAC) scams. The number of attacks reported to the FBI Internet Crime Complaint Center (IC3) and the amount of money lost to these scams continues to grow each year, with losses to BEC/EAC scams increasing 65% between July 2019 and December 2021. BEC/EAC scams are the leading cause of losses to cybercrime. Between June 2016 and December 2021, IC3 received 241,206 complaints about domestic and international BEC/EAC attacks with reported losses of more than $43.3 billion. The IC3 2021 Internet Crime Report shows victims reported losses of $2.4 billion in 2021 across 19,954 complaints – around one-third of all losses to cybercrime in 2021. The actual losses to these scams are undoubtedly far higher, as many victims do not report the scams to the FBI, especially if the losses are relatively small. BEC/EAC scams involve compromising email accounts and using them to send emails to businesses and individuals who perform...

Read More
HHS Information Security Program Rated ‘Not Effective’
May04

HHS Information Security Program Rated ‘Not Effective’

An audit of the Department of Health and Human Services conducted for the HHS’ Office of Inspector General (OIG) to assess compliance with the Federal Information Security Modernization Act of 2014 (FISMA) in the fiscal year 2021 has seen the agency’s information security program rated ‘not effective’, as was the case in fiscal years 2018, 2019, and 2020. The audit was conducted at five of the 12 operating divisions of the HHS, although OIG did not state which five divisions were audited. In order to receive an effective rating, the HHS is required to reach the ‘Managed and Measurable’ maturity level for the Identify, Protect, Detect, Respond, and Recover function areas, as required by DHS guidance and the FY 2021 Inspector General FISMA Reporting Metrics. OIG said in the report that the HHS has continued to make changes to strengthen the maturity of its enterprise-wide cybersecurity program and is making progress to sustain cybersecurity across all FISMA domains. The HHS security program strengthened the maturity of controls for several individual FISMA metrics,...

Read More
Operational Continuity-Cyber Incident Checklist Published by HSCC
May03

Operational Continuity-Cyber Incident Checklist Published by HSCC

The Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) has published an Operational Continuity-Cyber Incident (OCCI) checklist which serves as a flexible template for responding to and recovering from serious cyberattacks that cause extended system outages, such as ransomware attacks. Ransomware attacks on healthcare organizations increased significantly during the pandemic and continue to be conducted at elevated levels. Ransomware threat actors steal sensitive data that has a high value on the black market, threaten to publish that data to pressure visitors into paying, and the extended system outages due to the attacks can cause considerable financial losses, increasing the probability of the ransom being paid. Warnings have recently been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) about ransomware groups that are actively targeting critical infrastructure, including healthcare organizations. In addition to cybercriminal groups, hospitals are a target for nation-state threat...

Read More
WEDI Makes Healthcare-Specific Recommendations for Improving the NIST Cybersecurity Framework
Apr29

WEDI Makes Healthcare-Specific Recommendations for Improving the NIST Cybersecurity Framework

The Workgroup for Electronic Data Interchange (WEDI) has responded to the request for information from the National Institute of Standards and Technology (NIST) and has made several recommendations for improving the NIST cybersecurity framework and supply chain risk management guidance to help healthcare organizations deal with some of the most pressing threats facing the sector. Ransomware is one of the main threats facing the healthcare industry, and that is unlikely to change in the short to medium term.  To help healthcare organizations deal with the threat, WEDI has suggested NIST increase its focus on ransomware and address the issue of ransomware directly in the cybersecurity framework. NIST published a new ransomware resource in February 2022, which contains valuable information on protecting against, detecting, responding to, and recovering from ransomware attacks. WEDI feels the inclusion of ransomware within the cybersecurity framework will expand the reach and impact of the resource. WEDI has also recommended the inclusion of specific case studies of healthcare...

Read More
15 Most Exploited Vulnerabilities in 2021
Apr29

15 Most Exploited Vulnerabilities in 2021

The Five Eyes security agencies, an alliance of intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States, have issued a joint advisory about the 15 vulnerabilities in software and operating systems that were most commonly targeted by nation-state hackers and cybercriminal organizations in 2021. Throughout 2021, malicious cyber actors targeted newly disclosed critical software vulnerabilities in attacks against a wide range of industry sectors, including public and private sector organizations. 11 of the most routinely targeted vulnerabilities were publicly disclosed in 2021, although older vulnerabilities continue to be exploited. The 15 most exploited vulnerabilities include 9 that allow remote code execution, 2 elevation of privilege flaws, and security bypass, path traversal, arbitrary file reading, and arbitrary code execution flaws. Top of the list was the maximum severity Log4Shell vulnerability in the Apache Log4j open source logging framework. The vulnerability – CVE-2021-44228 – can be remotely exploited by a threat actor...

Read More
Five Eyes Agencies Warn Critical Infrastructure Orgs About Threat of Russian State-Sponsored and Criminal Cyberattacks
Apr27

Five Eyes Agencies Warn Critical Infrastructure Orgs About Threat of Russian State-Sponsored and Criminal Cyberattacks

The five eyes cybersecurity agencies have recently issued a joint security alert warning about the threat of cyberattacks on critical infrastructure by Russian nation-state threat actors and pro-Russia cybercriminal groups. Intelligence gathered by the agencies indicates the Russian government has been exploring opportunities for conducting cyberattacks against targets in the West in retaliation for the sanctions imposed on Russia and the support being provided to Ukraine. The agencies warn that Russian state-sponsored hacking groups have been conducting Distributed Denial of Service (DDoS) attacks in Ukraine and are known to have used destructive malware in Ukraine on government and critical infrastructure organizations. These hacking groups are highly skilled, can gain access to IT networks, maintain persistence, exfiltrate sensitive data, and can cause major disruption to critical systems, including industrial control systems. The alert names several Russian government and military organizations that have engaged in these malicious activities, including the Russian Federal...

Read More
2021 Saw Record Numbers of DDoS Attacks on the Healthcare Industry
Apr22

2021 Saw Record Numbers of DDoS Attacks on the Healthcare Industry

A new report from Comcast Business indicates 2021 was another record-breaking year for Distributed Denial of Service (DDoS) attacks. 9.84 million DDoS attacks were reported in 2021, which is a 14% increase from 2019, although slightly lower than the previous year when 10.1 million attacks were reported. The slight decline in attacks was due to several factors. 2020 was a particularly bad year as it was a full lockdown year where employees were working remotely and students were learning from home, which provided attackers with a unique landscape against which to launch an unprecedented number of DDoS attacks, and the high prices of cryptocurrencies in 2021 meant many threat actors diverted their botnets from conducting DDoS attacks to mining cryptocurrencies. DDoS attackers spared no one in 2021; however, 73% of attacks were conducted on just four sectors – healthcare, government, finance, and education. Attackers followed seasonal trends and activities throughout the year, with education being attacked to coincide with the school year, and COVID-19 and vaccine availability drove...

Read More
FBI Issues Warning About BlackCat Ransomware Operation
Apr21

FBI Issues Warning About BlackCat Ransomware Operation

The Federal Bureau of Investigation (FBI) has issued a TLP: WHITE flash alert about the BlackCat ransomware-as-a-service (RaaS) operation. BlackCat, also known as ALPHAV, was launched in November 2021. It was launched shortly after the shutdown of the BlackMatter ransomware operation, which was a rebrand of DarkSide.  Darkside was behind the ransomware attack on the Colonial Pipeline. A member of the operation has claimed they are a former affiliate of BlackMatter/DarkSide that branched out on their own. However, it is more likely that BlackCat is simply a rebrand of BlackMatter/DarkSide. The FBI said many of the developers and money launderers involved with the BlackCat operation have been linked to DarkSide/BlackMatter, which indicates they have extensive networks and considerable experience with running RaaS operations. The BlackCat RaaS operation has not been active for long, but the group has already claimed at least 60 victims worldwide. BlackCat typically targets large organizations and demands ransom payments of several million dollars in Bitcoin or Monero, although the...

Read More
HHS Issues Warning to HPH Sector about Hive Ransomware
Apr20

HHS Issues Warning to HPH Sector about Hive Ransomware

The HHS’ Office of Information Security Health Sector Cybersecurity Coordination Center (HC3) has issued a TLP: White alert about the Hive ransomware group – A particularly aggressive cybercriminal operation that has extensively targeted the healthcare sector in the United States. HC3 has shared an analysis of the tactics, techniques, and procedures (TTPs) known to be used by the group in their attacks and has shared cybersecurity principles and mitigations that can be adopted to improve resilience against Hive ransomware attacks. The Hive ransomware group has been conducting attacks since at least June 2021. The group is known for using double extortion tactics, where sensitive data is exfiltrated prior to file encryption and threats are issued to publish the data if the ransom is not paid. The group is also known to contact victims by phone to pressure them into paying the ransom. Hive is a ransomware-a-service (RaaS) operation where affiliates are recruited to conduct attacks on the gang’s behalf in exchange for a cut of the profits that are generated, which allows the core...

Read More
Microsoft Sinkholes Notorious ZLoader Botnet
Apr15

Microsoft Sinkholes Notorious ZLoader Botnet

The notorious ZLoader cybercrime botnet, which was used to deliver Ryuk ransomware in attacks on healthcare providers, has been disabled by Microsoft’s Digital Crimes Unit (DCU). Microsoft recently obtained a court order from the United States District Court for the Northern District of Georgia authorizing the seizure of 65 hard-coded domains used by the ZLoader botnet for command-and-control communications. Those domains have now been sinkholed, preventing the operator of the botnet from communicating with devices infected with ZLoader malware. ZLoader malware included a domain generation algorithm (DGA) which is triggered if communication with the hard-coded domains is not possible, which serves as a failsafe against any takedown efforts. The court order also allowed Microsoft to seize 319 DGA-registered domains. Microsoft is working to block the registration of any future DGA domains. ZLoader is part of a family of malware variants that descended from the ZeuS banking Trojan. Initially, ZeuS was used for credential and financial theft, with the aim of transferring money out of...

Read More
JekyllBot:5 Vulnerabilities Allow Hackers to Take Control of Aethon TUG Hospital Robots
Apr14

JekyllBot:5 Vulnerabilities Allow Hackers to Take Control of Aethon TUG Hospital Robots

Five zero-day vulnerabilities have been identified in Aethon TUG autonomous mobile robots, which are used in hospitals worldwide for transporting goods, medicines, and other medical supplies. Hospital robots are attractive targets for hackers. If access to the robots is gained, a variety of malicious actions could be performed. Attackers could trigger a denial-of-service condition to disrupt hospital operations for extortion, and since sensitive patient data is fed into the devices, exploitation of the vulnerabilities could provide hackers with access to patient data. The robots are given privileged access to restricted areas within healthcare facilities, which would not normally be accessible to unauthorized individuals. The robots can open doors and access elevators, and could be used to block access, shut down elevators, or bump into staff and patients. Since the robots have integrated cameras, they could be hijacked and used for surveillance. The robots could also potentially be hijacked and used to deliver malware or could serve as a launchpad for more extensive cyberattacks...

Read More
Warning Issued About Phishing Campaigns Involving Legitimate Email Marketing Platforms
Apr12

Warning Issued About Phishing Campaigns Involving Legitimate Email Marketing Platforms

A recent data breach at the email marketing platform vendor Mailchimp has prompted a warning from the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) about the risk of phishing attacks using the platform. The breach came to light when the cryptocurrency hardware wallet provider, Trezor, investigated a phishing campaign targeting its customers that used the email addresses registered to Trezor accounts, which uncovered a data breach at Mailchimp. Mailchimp’s investigation confirmed that threat actors had successfully compromised internal accounts of its customer support and account administration teams, and while those accounts have now been secured, the attackers were able to gain access to the accounts of 300 Mailchimp users and were able to extract audience data from 102 of those accounts. API keys were also obtained by the attackers that allow them to create email campaigns for use in phishing attacks without having to access customer portals. Since accounts used by Mailchimp customers to send marketing campaigns such as...

Read More
Increase in Class Action Lawsuits Following Healthcare Data Incidents
Apr12

Increase in Class Action Lawsuits Following Healthcare Data Incidents

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which provides insights based on 1,270 data security incidents managed by the firm in 2021. 23% of those incidents involved data security incidents at healthcare organizations, which was the most targeted sector. Ransomware Attacks Increased in 2021 Ransomware attacks have continued to occur at elevated levels, with them accounting for 37% of all data security incidents handled by the firm in 2021, compared to 27% in 2020 and there are no signs that attacks will decrease in 2022. Attacks on healthcare organizations increased considerably year over year. 35% of healthcare security incidents handled by BakerHostetler in 2021 involved ransomware, up from 20% in 2022. Ransom demands and payments decreased in 2021. In healthcare, the average initial ransom demand was $8,329,520 (median $1,043,480) and the average ransom paid was $875,784 (median $500,846) which is around two-thirds of the amount paid in 2020. Restoration of files took an average of 6.1 days following payment of the...

Read More
FDA Releases Updated Guidance on Medical Device Cybersecurity
Apr11

FDA Releases Updated Guidance on Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) has issued new draft guidance for medical device manufacturers to help them incorporate cybersecurity protections into their products at the premarket stage, and to ensure security risks are managed for the full life cycle of the products. The FDA first released final guidance on premarket expectations for medical devices in 2014, then updated and released draft guidance in 2018. The latest update was deemed necessary due to the changing threat landscape, the increasing use of wireless, Internet- and network-connected devices, portable media, and the frequent electronic exchange of medical device-related health information. Further, the healthcare industry is being increasingly targeted by cyber threat actors, and the severity and clinical impact of healthcare cyberattacks have increased. Cyberattacks on healthcare providers have the potential to delay test results, diagnoses, and treatment, which could lead to patient harm. The FDA felt that an updated approach was necessary to ensure cybersecurity risks were managed and reduced to a low...

Read More
NCCoE Releases Final Guidance on Effective Enterprise Patch Management
Apr07

NCCoE Releases Final Guidance on Effective Enterprise Patch Management

The National Cybersecurity Center of Excellence (NCCoE) has released the final versions of two Special Publications that provide guidance on enterprise patch management practices to prevent the exploitation of vulnerabilities in IT systems. Cybercriminals and nation-state threat actors target unpatched vulnerabilities in software, operating systems, and firmware to gain access to business networks to steal sensitive data and disrupt operations. It is vital for all organizations to ensure patches and software/firmware updates are implemented promptly to prevent exploitation. “Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions,” explained NCCoE. “It helps prevent compromises, data breaches, operational disruptions, and other adverse events.” While the importance of prompt patching is well understood by IT, security, and technology management, the importance and value of patching is typically less well understood by organizations’...

Read More
OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals
Apr07

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals

The Department of Health and Human Services’ Office for Civil Rights has released a Request for information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires the HHS consider the security practices that have been implemented by HIPAA-regulated entities when considering financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits. The aim of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to implement cybersecurity best practices. The reward for organisations that have followed industry-standard security best practices for the 12 months prior to a data breach occurring is lower financial penalties for data breaches and less scrutiny by the HHS . Another outstanding requirement that dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments...

Read More
The Protecting and Transforming Cyber Health Care (PATCH) Act Introduced to Improve Medical Device Cybersecurity
Apr05

The Protecting and Transforming Cyber Health Care (PATCH) Act Introduced to Improve Medical Device Cybersecurity

A bipartisan pair of senators have introduced the Protecting and Transforming Cyber Health Care (PATCH) Act which aims to improve the security of medical devices. Vulnerabilities are often identified in medical devices that could potentially be exploited by threat actors to change the functionality of the devices, render them inoperable, or to allows the devices to be used as a springboard for more extensive attacks on healthcare networks. Over the course of the pandemic, cyberattacks on healthcare organizations have increased, and medical devices and the networks to which they connect have been affected by ransomware attacks. These attacks have affected hospitals, patients, and the medical device industry. U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) introduced the PATCH Act to ensure that the U.S. healthcare system’s cyber infrastructure remains safe and secure. The PATCH Act will update the Federal Food, Drug, and Cosmetic Act to require all premarket submissions for medical devices to include details of the cybersecurity protections that have been...

Read More
Differences Between Small and Large Healthcare Organizations on Security
Apr04

Differences Between Small and Large Healthcare Organizations on Security

A recent survey of healthcare providers by Software Advice provides insights into healthcare data breaches, their root causes, and the different security practices at small and large healthcare providers. The survey was conducted on 130 small practices with 5 or fewer licensed providers and 129 large practices with six or more providers to understand the security issues they face and the measures each group has taken to protect against cyberattacks and data breaches. Across both groups of healthcare providers, more than half store more than 90% of patient data digitally, such as patient records, medical histories, and billing records. While digital records are more efficient, there is a risk that hackers will be able to gain access to patient information. Hackers tend to target larger practices rather than small practices, based on the number of reported data breaches. 48% of large healthcare providers said they had experienced a data breach in the past, and 16% said they had suffered a breach in the past 12 months. One in four small practices had experienced a breach in the past...

Read More
Warnings Issued About Vulnerabilities in the Spring Application Building Platform and UPS Devices
Apr01

Warnings Issued About Vulnerabilities in the Spring Application Building Platform and UPS Devices

Two remote code execution vulnerabilities have been identified in the Spring platform – a popular application framework that software developers use for rapidly building Java applications. Proof-of-concept exploits for both vulnerabilities are in the public domain and at least one of the vulnerabilities is being actively exploited. The first vulnerability – CVE-2022-22963 – affects Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions and is remotely exploitable in the default configuration while running a Spring Boot application that depends on Spring Cloud Function, such as when depending on packages such as spring-cloud-function-web and spring-cloud-starter-function-web. According to VMWare, which owns Spring, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression, which will allow remote code execution and access to local resources. The vulnerability was initially assigned a CVSS severity score of 5.4, but was later upgraded to critical. Proof-of-concept exploits for the vulnerability...

Read More
Bipartisan Bill Proposed to Strengthen Healthcare and Public Health Sector Cybersecurity
Mar28

Bipartisan Bill Proposed to Strengthen Healthcare and Public Health Sector Cybersecurity

A new bill has been proposed by a bipartisan pair of senators that aims to improve the cybersecurity of the healthcare and public health (HPH) sector, in light of the recent warning from the White House about the increased threat of Russian cyber threats. Last week, President Biden and the White House issued a warning about the increased risk of Russian cyberattacks on critical infrastructure, including potential attacks on the HPH sector in response to the sanctions recently imposed by the United States on Russia due to the invasion of Ukraine. The warning was “based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks,” said President Biden. In response to the warning, on Thursday, March 24, 2022, U.S. Senators Jacky Rosen (D-NV) and Bill Cassidy, MD (R-LA) proposed the Healthcare Cybersecurity Act (S.3904). One of the main aims of the act is to improve collaboration between the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services. If passed, CISA would be required...

Read More
FBI: At Least 148 Healthcare Organizations Suffered Ransomware Attacks in 2021
Mar24

FBI: At Least 148 Healthcare Organizations Suffered Ransomware Attacks in 2021

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) has released its 2021 Internet Crime Report, which reveals there were at least 649 ransomware attacks on critical infrastructure organizations from June 2021 to December 2021. 14 of the 16 critical infrastructure sectors reported at least one ransomware attack, although the healthcare and public health sector was the worst affected, accounting for 148 of those attacks, followed by financial services with 89 attacks, and the information technology sector with 74. The Conti ransomware gang was the most active in 2021 with 87 reported attacks on critical infrastructure organizations, followed LockBit ransomware (58), and the now-disbanded REvil/Sodinokibi ransomware operation (51). The Conti gang favored targets in critical manufacturing, commercial facilities, and the food and agriculture sectors, LockBit most frequently attacked healthcare and public health, government facilities, and financial services, and REvil targeted healthcare and public health, financial services, and the information technology...

Read More
President Biden Urges Private Sector to Take Immediate Action to Harden Cybersecurity Defenses
Mar23

President Biden Urges Private Sector to Take Immediate Action to Harden Cybersecurity Defenses

Present Biden has issued a warning about the increased threat of cyberattacks by Russian state-sponsored hackers as a result of the economic sanctions imposed on the country in response to the invasion of Ukraine. President Biden said the warning is based on “evolving intelligence that the Russian Government is exploring options for potential cyberattacks.” A few days before President Biden’s warning, the FBI issued an alert warning that hacking groups linked to Russia could target U.S organizations in response to the recently imposed sanctions. Deputy national security adviser Anne Neuberger explained in a White House briefing on Monday that threat actors associated with Russian IP addresses had conducted “preparatory activity” for cyberattacks, such as scanning websites and other Internet-facing systems at 5 US energy firms for exploitable vulnerabilities. Scans have also been conducted on at least 18 other US companies in sectors such as defense and financial services. The FBI said the Russian IP addresses used for scanning have previously been used for destructive cyber...

Read More
OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks
Mar18

OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks

Healthcare hacking incidents have been steadily rising for a number of years. There was a 45% increase in hacking/IT incidents between 2019 and 2020, and in 2021, 66% of breaches of unsecured electronic protected health information were due to hacking and other IT incidents. A large percentage of those breaches could have been prevented if HIPAA-regulated entities were fully compliant with the HIPAA Security Rule. The Department of Health and Human Services’ Office for Civil Rights explained in its March 2022 cybersecurity newsletter that compliance with the HIPAA Security Rule will prevent or substantially mitigate most cyberattacks. Most cyberattacks on the healthcare industry are financially motivated and are conducted to steal electronic protected health information or encrypt patient data to prevent legitimate access. The initial access to healthcare networks is gained via tried and tested methods such as phishing attacks and the exploitation of known vulnerabilities and weak authentication protocols, rather than exploiting previously unknown vulnerabilities. Prevention of...

Read More
Russian State-Sponsored Actors are Exploiting MFA and the PrintNightmare Vulnerability
Mar17

Russian State-Sponsored Actors are Exploiting MFA and the PrintNightmare Vulnerability

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint cybersecurity advisory warning that Russian state-sponsored actors are exploiting default multi-factor authentication protocols and the PrintNightmare vulnerability to gain access to networks to steal sensitive data. These tactics have been used by Russian state-sponsored cyber actors from as early as May 2021, when a non-governmental organization (NGO) was attacked using these tactics. The threat actors were able to gain access to the network by exploiting default multi-factor authentication protocols (Cisco’s Duo MFA) on an account. The threat actors then exploited the PrintNightmare vulnerability to execute code with system privileges and were able to move laterally to the NGO’s cloud and email accounts and exfiltrated documents. PrintNightmare is a critical remote code execution vulnerability (CVE-2021-34527) in the print spooler service of Microsoft Windows. The attackers were able to enroll a new device in the NGO’s Duo MFA using compromised...

Read More
Healthcare Scores Poorly for Practicing the Cyber Incident Response
Mar15

Healthcare Scores Poorly for Practicing the Cyber Incident Response

2021 was another record-breaking year for healthcare industry data breaches with over 50 million records breached and over 900 data breaches were recorded by databreaches.net. Given the extent to which the healthcare industry is targeted by cyber actors, the risk of a data breach occurring is high. A SecureLink/Ponemon Institute study in 2021 found 44% of healthcare and pharmaceutical companies experienced a data breach in the past 12 months. While steps can be taken to improve defenses to prevent cyberattacks from succeeding, healthcare organizations need to be prepared for the worse and should have an incident response plan in place that can be immediately initiated in the event of a cyberattack. With proper planning, when a cyberattack occurs, healthcare organizations will be well prepared and will be able to recover in the shortest possible time frame. Regular exercises should be conducted to ensure everyone is aware of their responsibilities and that the plan works. All too often, victims of cyberattacks discover their incident response plan is inefficient or ineffective due...

Read More
Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021
Mar11

Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021

Protenus has released its 2022 Breach Barometer Report which confirms 2021 was a particularly bad year for healthcare industry data breaches, with more than 50 million healthcare records exposed or compromised in 2021. The report includes healthcare data breaches reported to regulators, as well as data breaches that have been reported in the media, incidents that have not been disclosed by the breached entity, and data breaches involving healthcare data at non-HIPAA-regulated entities. The data for the report was provided by databreaches.net. Protenus has been releasing annual Breach Barometer reports since 2016, and the number of healthcare data breaches has increased every year, with the number of breached records increasing every year since 2017. In 2021, it has been confirmed that at least 50,406,838 individuals were affected by healthcare data breaches, a 24% increase from the previous year. 905 incidents are included in the report, which is a 19% increase from 2020. The largest healthcare data breach of the year occurred affected Florida Healthy Kids Corporation, a...

Read More
Warning Issued About Access:7 Vulnerabilities Affecting IoT and Medical Devices
Mar09

Warning Issued About Access:7 Vulnerabilities Affecting IoT and Medical Devices

7 vulnerabilities dubbed Access:7 have been identified in the web-based technologies PTC Axeda and Axeda Desktop Server, which are used to allow one or more people to securely view and operate the same remote desktop via the Internet. If exploited, an attacker could gain full system access, remotely execute code, trigger a denial-of-service condition, read and change configurations, and obtain file system read access and log information access. Three of the vulnerabilities are rated critical and have a CVSS severity score of 9.8 out of 10. PTC Axeda and Axeda Desktop Server are remote asset connectivity software solutions that are used as part of a cloud-based IoT platform. The software is extensively used in medical and Internet-of-Things (IoT) devices to manage and remotely access connected devices, including multiple medical imaging and laboratory devices. At present, none of the vulnerabilities are believed to have been exploited in the wild. The vulnerabilities affect all versions of the software. They are: CVE-2022-25246 – Hard-coded credentials – CVSS Severity Score 9.8/10...

Read More
HC3 Report Reveals Cyberattack Trends and Provides Insights to Improve Healthcare Cybersecurity
Mar08

HC3 Report Reveals Cyberattack Trends and Provides Insights to Improve Healthcare Cybersecurity

The HHS’ Health Sector Cybersecurity Coordination Center has released a new report – Health Sector Cybersecurity: 2021 – Retrospective and 2022 Look Ahead – that provides a retrospective look at healthcare cybersecurity over the past 3 decades, detailing some of the major cyberattacks to hit the healthcare industry starting with the first-ever ransomware attack in 1989. That incident saw Biologist Joseph Popp distribute 20,000 floppy disks at the World Health Organization AIDS conference in Stockholm. When used, the disks installed malicious code which tracked reboots. After 90 reboots, a ransom note was displayed that claimed the software lease had expired and a payment of $189 was required to regain access to the system. The report shows how adversaries stepped up their attacks on the healthcare industry from 2014 through 2017. In 2014, Boston Children’s Hospital suffered a major distributed Denial of Service (DDoS) attack, there was a massive cyberattack on Anthem Inc. in 2015 that resulted in the unauthorized accessing of the records of 80 million health plan...

Read More
HSCC Releases Model Contract Template for HDOs and Medical Device Manufacturers
Mar07

HSCC Releases Model Contract Template for HDOs and Medical Device Manufacturers

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published a new Model Contract Language template for healthcare delivery organizations (HDOs) to use when procuring new devices from medical device manufacturers (MDMs) to ensure each party is aware of its responsibilities for cybersecurity and device management. “Medical device cybersecurity responsibility and accountability between MDMs and HDOs is complicated by many conflicting factors, including uneven MDM capabilities and investment in cybersecurity controls built into device design and production; varying expectations for cybersecurity among HDOs; and high cybersecurity management costs in the HDO operational environment through the device lifecycle,” explained HSCC. “These factors have introduced and sustained ambiguities in cybersecurity accountability between MDMs and HDOs that historically have been reconciled at best inconsistently in the purchase contract negotiation process, leading to downstream disputes and potential patient safety implications.” The Model Contract Language is intended to be a...

Read More
Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk
Mar07

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised. Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering. The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a...

Read More
Security Issues Identified in 75% of Infusion Pumps
Mar04

Security Issues Identified in 75% of Infusion Pumps

This week, researchers at Palo Alto’s Unit 42 team published a report that shows security gaps and vulnerabilities often exist in smart infusion pumps. These bedside devices automate the delivery of medications and fluids to patients and are connected to networks to allow them to be remotely managed by hospitals. The researchers used crowdsourced scans from more than 200,000 infusion pumps at hospitals and other healthcare organizations and searched for vulnerabilities and security gaps that could potentially be exploited. The devices were assessed against more than 40 known vulnerabilities and over 70 other IoT vulnerabilities. 75% of the 200,000 infusion pumps were discovered to have security gaps that placed them at an increased risk of being compromised by hackers. Worryingly, 52% of the analyzed devices were found to be vulnerable to two serious infusion pump vulnerabilities dating back to 2019, one of which is a critical flaw with a CVSS severity score of 9.8 out of 10 (Wind River VxWorks CVE-2019-12255), and the other is a high severity flaw with a CVSS score of 7.1 (Wind...

Read More
Paying a Ransom Doesn’t Put an End to the Extortion
Mar02

Paying a Ransom Doesn’t Put an End to the Extortion

The healthcare industry has been extensively targeted by ransomware gangs and victims often see paying the ransom as the best option to ensure a quick recovery, but the payment does not always put an end to the extortion. Many victims have paid the ransom to obtain the decryption keys or to prevent the publication of stolen data, only for the ransomware actors to continue with the extortion. The advice of the Federal Bureau of Investigation (FBI) is never to pay a ransom following a ransomware attack, as doing allows the threat actors to put more resources into their attacks, it encourages other threat groups to get involved in ransomware, and because there is no guarantee that paying a ransom will allow the recovery of data or prevent the misuse of stolen data. A recent survey conducted by the cybersecurity firm Venafi has helped to quantify the extent to which further extortion occurs. The survey has provided some important statistics about what happens when victims pay or do not pay the ransom demands. The survey was conducted on 1,506 IT security officers from the United...

Read More
HHS Warns of Potential Threats to the Healthcare Sector
Mar02

HHS Warns of Potential Threats to the Healthcare Sector

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the U.S. health sector about potential cyber threats that could spillover from the conflict in Ukraine and affect U.S. healthcare organizations. HC3 said the HHS is unaware of any specific threats to the Health and Public Health (HPH) Sector; however, it is clear that allies on both sides of the conflict have cyber capabilities and there are fears that there could be cyberattacks on the HPH sector as a consequence of the conflict. HC3 has warned that threats could come from three areas: Threat actors linked to the Russian government, threat actors linked to the Belarussian government, and cybercriminal groups operating out of Russia and its neighboring states. There is also potential for other cybercriminal groups to either get involved in the conflict or take advantage of the conflict to conduct unrelated cyberattacks. “Russia has for several decades been one of the most capable cyber powers in the world. Going back to the Moonlight Maze attacks against the US...

Read More
OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture
Mar01

OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture

In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry. 2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached. The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled. Pino also drew attention to the critical vulnerability...

Read More
NIST Requests Comments on How to Improve its Cybersecurity Framework
Feb28

NIST Requests Comments on How to Improve its Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is seeking feedback on the usefulness of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and suggestions on any improvements that can be made. The NIST Cybersecurity Framework was released in 2014 to help public and private sector organizations implement cybersecurity standards and best practices to improve their cybersecurity posture, better defend against cyber threats, and quickly identify and respond to cyberattacks in progress to limit the harm that can be caused. The NIST Cybersecurity Framework is considered the gold standard for cyber threat management; however, that does not mean improvements could not be made. The last update to the Cybersecurity Framework occurred in April 2018 and the past four years have seen considerable changes to the cybersecurity threat landscape. New threats have emerged, the tactics, techniques, and procedures used by cyber threat actors have changed, there are new technologies and security capabilities, and more resources are available to...

Read More
NCCoE Releases Final Version of NIST Securing Telehealth Remote Patient Monitoring Ecosystem Guidance
Feb23

NCCoE Releases Final Version of NIST Securing Telehealth Remote Patient Monitoring Ecosystem Guidance

The National Cybersecurity Center of Excellence (NCCoE) has published the final version of NIST guidance on Securing Telehealth Remote Patient Monitoring Ecosystem (SP 1800-30). Healthcare delivery organizations have been increasingly adopting telehealth and remote patient monitoring (RPM) systems to improve the care they provide to patients while reducing costs. Patient monitoring systems have traditionally only been used in healthcare facilities but there are advantages to using these solutions in patients’ homes. Many patients prefer to receive care at home, the cost of receiving that care is reduced, and healthcare delivery organizations benefit from freeing up bed space and being able to treat more patients. While there are advantages to be gained from the provision of virtual care and the remote monitoring of patients in their homes, telehealth and RPM systems can introduce vulnerabilities that could put sensitive patient data at risk and if RPM systems are not adequately protected, they could be vulnerable to cyberattacks that could disrupt patient monitoring services....

Read More
CISA Publishes List of Free Cybersecurity Tools to Advance Security Capabilities
Feb23

CISA Publishes List of Free Cybersecurity Tools to Advance Security Capabilities

Expanding security capabilities is possible with a tight budget by using free cybersecurity tools and services. Many tools and services have been developed by government agencies, the cybersecurity community, and the public and private sector that can be used to improve defenses against damaging cyberattacks, detect potential intrusions rapidly, and help organizations respond to and remediate security breaches. Finding appropriate free cybersecurity tools and services can be a time-consuming process. To help critical infrastructure organizations reduce cybersecurity risk, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has compiled a list of services provided by CISA and other government agencies, open source tools, and tools and services developed and maintained by the cybersecurity community that can be adopted to improve protection, detection, response and the remediation of cyber threats. The list of free cybersecurity tools and services is divided into four categories, based on the four goals detailed in previously published guidance: CISA Insights:...

Read More
HHS Raises Awareness of Threats to Electronic Health Record Systems
Feb21

HHS Raises Awareness of Threats to Electronic Health Record Systems

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center has issued a threat brief warning about the risks associated with electronic health record systems, which are often targeted by cyber threat actors. Cyberattacks on EHRs can be extremely profitable for cyber threat actors. EHRs usually contain all the information required for multiple types of fraud, including names, addresses, dates of birth, Social Security numbers, other government and state ID numbers, health data, and health insurance information. No other records provide such a wide range of information. The information contained in the systems has a high value on the black market and can be easily sold to cybercriminals who specialize in identity theft, tax, and insurance fraud. Malware, and especially ransomware, pose a significant threat to EHRs. Ransomware can be used to encrypt EHR data to prevent access, which causes disruption to medical services and creates patient safety issues, which increases the likelihood of the ransom being paid. Phishing attacks to gain access to...

Read More
2021 Saw Sharp Increase in Ransomware Data Leaks and Ransom Demands
Feb18

2021 Saw Sharp Increase in Ransomware Data Leaks and Ransom Demands

CrowdStrike has released its annual threat report which shows there was a major increase in data leaks following ransomware attacks in 2021, rising 82% from 2020. CrowdStrike observed 2,686 ransomware attacks in 2021 compared to 1,474 in 2020. There were more than 50 ransomware attacks a week in 2021. Ransomware gangs also increased their ransom demands in 2021, which were 36% higher than in 2020. In 2021, the average ransom demand was $6.1 million. The healthcare industry was extensively targeted by ransomware gangs in 2021, even though several threat actors claimed they would not conduct attacks on healthcare organizations. CrowdStrike tracked 154 ransomware attacks on healthcare organizations in 2021, up from 94 in 2020, with healthcare ranking 6th out of all industry sectors for data leaks, down from 4th position in 2020. CrowdStrike said the threat landscape became much more crowded in 2021, with several new adversaries emerging including threat actors that have previously not been extensively involved in cyberattacks such as Turkey and Colombia. CrowdStrike identified 21 new...

Read More
HIMSS Cybersecurity Survey Suggests the Human Factor is the Largest Vulnerability in Healthcare
Feb17

HIMSS Cybersecurity Survey Suggests the Human Factor is the Largest Vulnerability in Healthcare

The Healthcare Information and Management Systems Society (HIMSS) has published the findings of its 2021 Healthcare Cybersecurity Survey which revealed 67% of respondents have experienced at least one significant security incident in the past 12 months, with the most significant security breaches the result of phishing attacks. The 2021 HIMSS Healthcare Cybersecurity Survey was conducted on 167 healthcare cybersecurity professionals, who had at least some responsibility for day-to-day cybersecurity operations or oversight. The surveyed IT professionals were asked about the most significant security breaches they had experienced in the previous 12 months, and in 45% of cases it was a phishing attack, and 57% of respondents said the most significant breach involved phishing. Phishing attacks are most commonly conducted via email, with email-based phishing attacks accounting for 71% of the most significant security incidents; however, 27% said there was a significant voice phishing incident (vishing), 21% said they had a significant SMS phishing incident (smishing), and 16% said there...

Read More
CISA, FBI, NSA Warn of Increased Threat of Ransomware Attacks on Critical Infrastructure
Feb14

CISA, FBI, NSA Warn of Increased Threat of Ransomware Attacks on Critical Infrastructure

A joint security advisory has been issued by cybersecurity agencies in the United States, United Kingdom, and Australia, warning about the increased globalized threat of ransomware attacks and the elevated risk of targeted attacks on critical infrastructure entities. The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed high-impact ransomware attacks against 14 of the 16 critical infrastructure sectors in 2021, including government facilities, financial services, transportation systems, water and wastewater systems, energy, and healthcare and public health. The UK’s National Cyber Security Centre (NCSC-UK) says ransomware is now the biggest cyber threat faced by the country, with education the most targeted sector. There has also been an increase in attacks on businesses, charities, law firms, local government public services, and the healthcare sector. The Australian Cyber Security Centre (ACSC) says ransomware gangs are targeting critical infrastructure sectors including...

Read More
Immediate Patching Required to Fix Critical SAP Vulnerabilities
Feb10

Immediate Patching Required to Fix Critical SAP Vulnerabilities

The German business software provider SAP has released patches to fix a set of critical vulnerabilities that affect SAP applications that use the SAP Internet Communications Manager (ICM). The vulnerabilities were identified by researchers at Onapsis Research Labs, who dubbed the flaws ICMAD (Internet Communications Manager Advanced Desync). All three of the flaws could be exploited to achieve remote code execution, which would allow remote attackers to fully compromise vulnerable SAP applications. The vulnerabilities affect the following SAP applications: SAP NetWeaver AS ABAP ABAP Platform SAP NetWeaver AS Java SAP Content Server 7.53 SAP Web Dispatcher The flaws could be exploited to steal victim sessions and credentials in plaintext, change the behavior of applications, obtain PHI and sensitive business data, and cause denial-of-service. The vulnerability CVE-2022-22536 is the most serious of the three and has been assigned the maximum CVSS severity score of 10/10. Onapsis said the flaw can be easily exploited by an unauthenticated attacker on SAP applications in the default...

Read More
Latest Phishing Kits Allow Multi-Factor Authentication Bypass
Feb09

Latest Phishing Kits Allow Multi-Factor Authentication Bypass

Phishing attacks allow threat actors to obtain credentials, but multi-factor authentication (MFA) makes it harder for phishing attacks to succeed. With MFA enabled, in addition to a username and password, another method of authentication is required before account access is granted. Microsoft has previously said multi-factor authentication blocks 99.9% of automated account compromise attacks; however, MFA does not guarantee protection. A new breed of phishing kit is being increasingly used to bypass MFA. Researchers at Proofpoint explained in a recent blog post that phishing kits are now being used that leverage transparent reverse proxy (TRP), which allows browser man-in-the-middle (MitM) attacks. The phishing kits allow the attackers to compromise browser sessions and steal credentials and session cookies in real-time, allowing a full account takeover without alerting the victim. There are multiple phishing kits that can often be purchased for a low cost that allow MFA to be bypassed; some are simple with no-frills functionality, while others are more sophisticated and...

Read More
HC3: Lessons Learned from the Ransomware Attack on Ireland’s Health Service Executive
Feb08

HC3: Lessons Learned from the Ransomware Attack on Ireland’s Health Service Executive

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has released a report providing insights into the May 2021 Conti ransomware attack on the Health Service Executive (HSE) in Ireland, and advice for healthcare and public health organizations to help them prepare, respond, and recover from ransomware attacks. The report provides information on the vulnerabilities and weaknesses that were exploited by the Conti ransomware gang, and how the HSE’s lack of preparedness for ransomware attacks hampered its efforts to detect, respond and remediate the attack and contributed to the long and expensive recovery process. The Conti ransomware gang, believed to be a reincarnation of the notorious Ryuk ransomware operation, first gained access to the HSE network on May 7, 2021, and the networks of six voluntary hospitals and one statutory hospital were compromised between May 8, 2021, and May 12, 2021. One of the affected hospitals detected the attack on May 10, and the HSE was alerted to the cyberattack on May 12. Between May 12 and May 13, the attacker accessed files and...

Read More
FBI Shares Technical Details of Lockbit 2.0 Ransomware
Feb08

FBI Shares Technical Details of Lockbit 2.0 Ransomware

The Federal Bureau of Investigation (FBI) has released indicators of compromise (IoCs) and details of the tactics, techniques, and procedures (TTPs) associated with Lockbit 2.0 ransomware. Lockbit is a ransomware-as-a-service (RaaS) operation that has been active since September 2019. In the summer of 2021, a new version of the ransomware – Lockbit 2.0 – was released that had more advanced features, including the ability to automatically encrypt files across Windows domains via Active Directory group policies, and a Linux based malware was also developed that could exploit vulnerabilities in VMware ESXi virtual machines. The affiliates working for the ransomware operation use a  range of TTPs in their attacks, which makes prevention, detection, and mitigation a challenge for security teams. Initial access is gained by exploiting unpatched vulnerabilities, using zero-day exploits, and purchasing access to business networks from initial access brokers (IABs). Shortly after the relaunch of the RaaS, the threat actor started advertising on hacking forums trying to recruit...

Read More
Unpatched Vulnerabilities are the Most Common Attack Vector Exploited by Ransomware Actors
Feb04

Unpatched Vulnerabilities are the Most Common Attack Vector Exploited by Ransomware Actors

Ransomware gangs are increasingly targeting unpatched vulnerabilities in software and operating systems to gain access to business networks, and they are weaponizing zero-day vulnerabilities at record speed. Unpatched vulnerabilities are now the primary attack vector in ransomware attacks, according to Ivanti’s Ransomware End of Year Spotlight report. Ivanti partnered with Certifying Numbering Authority (CNA) Cyber Security Works and the next-gen SOAR and threat intelligence solution provider Cyware for its report, which identified 32 new ransomware variants in 2021 – An increase of 26% from the previous year. There are know 157 known ransomware families that are being used in cyberattacks on businesses. Ivanti says 65 new vulnerabilities were identified in 2021 that are known to have been exploited by ransomware gangs – an increase of 29% year-over-year – bringing the total number of vulnerabilities tied to ransomware attacks to 288. 37% of the new vulnerabilities were trending on the dark web and have been exploited in multiple attacks, and 56% of the 223 older...

Read More
HC3:  BlackMatter Ransomware Threat Level Reduced
Feb03

HC3: BlackMatter Ransomware Threat Level Reduced

In September 2021, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued an advisory to the health sector about an elevated threat of BlackMatter ransomware attacks. A few days ago, a second advisory was issued stating the threat level has been reduced to Blue/Guarded. HC3 said the ransomware-as-a-service (RaaS) operation appears to have been shut down and there have been no further victims listed on the BlackMatter RaaS data leak site since October 31, 2021. The BlackMatter ransomware operation is believed by many security experts to be a rebranding of the DarkSide ransomware gang, which conducted the ransomware attack on Colonial Pipeline in May 2021 that disrupted fuel delivery to the Eastern Seaboard. The DarkSide operation was shut down shortly after the Colonial Pipeline attack, and BlackMatter ransomware attacks started in July 2021. Approximately half of the attacks conducted by the BlackMatter ransomware gang were on entities based in the United States, including at least four healthcare organizations – A...

Read More
Technologies Supporting Telehealth Have Placed Healthcare Data at Risk
Feb02

Technologies Supporting Telehealth Have Placed Healthcare Data at Risk

A new report from Kaspersky shows the massive increase in telehealth has placed healthcare data at risk. Vulnerabilities have been found in the technologies that support telemedicine, many of which have not yet been addressed. Massive Increase in the Use of Telehealth The COVID-19 pandemic has led to an increase in virtual visits, with healthcare providers increasing access to telehealth care to help curb infections and cut costs. Virtual visits are conducted via the telephone, video-conferencing apps, and other platforms, and a host of new technologies and products such as wearable devices for measuring vital signs, implanted sensors, and cloud services are also being used to support telehealth. Data from McKinsey shows telemedicine usage has increased by 38% since before the emergence of SARS-Cov-2 and COVID-19, and the CDC reports that between June 26, 2020, and November 6, 2020, around 30% of all consultations with doctors were taking place virtually.  Kaspersky says that its own data indicate 91% of healthcare providers around the world have implemented the technology to give...

Read More
Settlement Reached in Excellus Class Action Data Breach Lawsuit
Jan26

Settlement Reached in Excellus Class Action Data Breach Lawsuit

Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement to resolve a class action lawsuit that was filed in relation to a cyberattack discovered in 2015. The attack involved the personally identifiable information (PII) and protected health information (PHI) of more than 10 million members, subscribers, insureds, patients, and customers. The cyberattack was detected on August 5, 2015, by a cybersecurity firm that was hired to assess Excellus’s information technology system. The subsequent investigation by Excellus and cybersecurity firm Mandiant determined hackers had first gained access to its systems on or before December 23, 2013. Evidence was found that indicated the hackers were active within its network until Aug. 18, 2014, after which no traces of activity were found; however, malware had been installed which gave the attackers access to its network until May 11, 2015. On that date, something happened that prevented the hackers from accessing its network. It took Excellus 17 months from the...

Read More
New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach
Jan25

New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents. The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers,...

Read More
More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability
Jan24

More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability

A recent study by the healthcare IoT security platform provider Cynerio has revealed 53% of connected medical devices and other healthcare IoT devices have at least one unaddressed critical vulnerability that could potentially be exploited to gain access to networks and sensitive data or affect the availability of the devices. The researchers also found a third of bedside healthcare IoT devices have at least one unpatched critical vulnerability that could affect service availability, data confidentiality, or place patient safety in jeopardy. The researchers analyzed the connected device footprints at more than 300 hospitals to identify risks and vulnerabilities in their Internet of Medical Things (IoMT) and IoT devices. IV pumps are the most commonly used healthcare IoT device, making up around 38% of a hospital’s IoT footprint. It is these devices that were found to be the most vulnerable to attack, with 73% having a vulnerability that could threaten patient safety, service availability, or result in data theft. 50% of VOIP systems contained vulnerabilities, with ultrasound...

Read More
Healthcare Cybersecurity Risks in 2022
Jan24

Healthcare Cybersecurity Risks in 2022

The healthcare industry continues to face a considerable range of threats, with ransomware attacks and data breaches still highly prevalent. Throughout 2021, healthcare data breaches were being reported at a rate of almost 2 per day, and while there was a reduction in the number of ransomware attacks compared to 2020, ransomware remains a major threat with several ransomware gangs actively targeting the healthcare sector. In its Q4, 2021 Healthcare Cybersecurity Bulletin, released on Friday, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned of some of the ongoing cyberattack trends that are expected to continue in Q1, 2022. Ransomware Law enforcement agencies in the United States and Europe have increased their efforts to bring the operators of ransomware operations and their affiliates to justice, with those efforts resulting in the arrests of key members of several ransomware groups. This year, in a rare act of cooperation between the United States and Russia, 14 suspected members of the notorious REvil ransomware gang...

Read More
CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks
Jan21

CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all organizations in the United States to take immediate steps to prepare for attempted cyberattacks involving a new wiper malware that has been used in targeted attacks on government agencies, non-profits, and information technology organizations in Ukraine. The malware – dubbed Whispergate – masquerades as ransomware and generates a ransom note when executed; however, the malware lacks the capabilities to allow files to be recovered. Whispergate consists of a Master Boot Record (MBR) wiper, a file corruption, and a Discord-based downloader. The MBR is the section of the hard drive that identifies how and where an operating system is located. Wiping the MBR will brick an infected device by making the hard drive inaccessible. The Microsoft Threat Intelligence Center (MSTIC) has recently performed an analysis of the new malware. The first stage of the malware, typically called stage1.exe, wipes the MBR and prevents the operating system from loading. The malware is executed when an infected...

Read More
December 2021 Healthcare Data Breach Report
Jan18

December 2021 Healthcare Data Breach Report

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, which is a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding last year’s total by 70 – An 10.9% increase from 2020. Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed – a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021 – The second-highest total since OCR started publishing summaries of healthcare data breaches in 2009. Largest Healthcare Data Breaches in December 2021 Name of Covered Entity State Covered Entity Type Individuals Affected Breach Cause Oregon Anesthesiology Group, P.C. OR Healthcare Provider 750,500 Ransomware Texas ENT Specialists TX Healthcare Provider 535,489 Ransomware Monongalia Health System, Inc....

Read More
Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack
Jan14

Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack

Maryland Chief Information Security Officer (CISO) Chip Stewart has issued a statement confirming the disruption to services at the Maryland Department of Health (MDH) was the result of a ransomware attack. A security breach was detected in the early hours of December 4, 2021, and prompt action was taken to isolate the affected server and contain the attack. Stewart said the Department of Information Technology successfully isolated and contained the affected systems within a matter of hours, limiting the severity of the attack. “It is in part because of this swift response that we have not identified, to this point in our ongoing investigation, evidence of the unauthorized access to or acquisition of State data,” said Stewart in a statement issued on January 12, 2022. According to Stewart, there was an attempted distributed-denial-of-service (DDoS) attack shortly after the ransomware attack; however, that attack was not successful. Evidence gathered during the investigation of the ransomware and DDoS attacks indicates they were conducted by different threat actors. Stewart said he...

Read More
What is a HIPAA Violation?
Jan14

What is a HIPAA Violation?

Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs? What is a HIPAA Violation? The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs. There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule. A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164. The combined text of all HIPAA regulations published by the Department of Health and Human Services...

Read More
New HIPAA Regulations in 2022
Jan14

New HIPAA Regulations in 2022

It has been several years since new HIPAA regulations have been signed into law, but HIPAA changes in 2022 are expected. The last update to the HIPAA Rules was the HIPAA Omnibus Rule in 2013, which introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR issued a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposed a slew of changes to the HIPAA Privacy Rule, and a Final Rule is expected to be issued in 2022; however, no date has yet been provided on when the 2022 HIPAA changes will take effect and become enforceable. Over the past few years, new HIPAA regulations under consideration include changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS is considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided. There have been calls from many...

Read More
Critical Infrastructure Entities Warned About Cyberattacks by State-sponsored Russian APT Actors
Jan13

Critical Infrastructure Entities Warned About Cyberattacks by State-sponsored Russian APT Actors

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued a joint advisory warning about the threat of Russian cyberattacks on critical infrastructure, including the healthcare, energy, government, and telecommunications sectors. “CISA, the FBI, and NSA encourage the cybersecurity community – especially critical infrastructure network defenders – to adopt a heightened state of awareness and to conduct proactive threat hunting,” explained the agencies in the advisory. The agencies have shared details of the tactics, techniques, and procedures (TTPs) commonly used by Russian state-sponsored advanced persistent threat (APT) actors to gain persistent access to networks for espionage and destructive cyberattacks. Russian APT actors use a variety of methods to breach perimeter defenses including spear phishing, brute force attacks against accounts and networks with weak security, and the exploitation of unpatched vulnerabilities, and have previously targeted vulnerable...

Read More
HIPAA Social Media Rules
Jan12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook and Instagram were launched, so there are no specific HIPAA social media rules. However, as with all healthcare-related communications, the HIPAA Privacy Rule still applies whenever covered entities or business associates – or employees of either – use social media networks. There are many benefits to be gained from using social media. Social media networks allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media networks. However, there is also considerable potential for HIPAA rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media Healthcare organizations must implement a HIPAA social media policy to reduce the risk of...

Read More
2020-2021 HIPAA Violation Cases and Penalties
Jan04

2020-2021 HIPAA Violation Cases and Penalties

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules. While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for...

Read More
Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity
Dec31

Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity

The Healthcare Supply Chain Association (HSCA) has issued guidance for healthcare delivery organizations, medical device manufacturers, and service suppliers on securing medical devices to make them more resilient to cyberattacks. The use of medical devices in healthcare has grown at an incredible rate and they are now relied upon to provide vital clinical functions that cannot be compromised without diminishing patient care. Medical devices are, however, often vulnerable to cyber threats and could be attacked to cause harm to patients, be taken out of service to pressure healthcare providers into meeting attackers’ extortion demands, or could be accessed remotely to obtain sensitive patient data. Medical devices are often connected to the Internet and can easily be attacked, so it is essential for proactive steps to be taken to improve security. The HSCA represents healthcare group purchasing organizations (GPOs) and advocates for fair procurement practices and education to improve the efficiency of purchases of healthcare goods and services and, as such, has a unique line of...

Read More
November 2021 Healthcare Data Breach Report
Dec21

November 2021 Healthcare Data Breach Report

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches. The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month. Largest Healthcare Data Breaches Reported in November 2021 In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The...

Read More
New Data Reveals Extent of Ransomware Attacks on the Healthcare Sector
Dec20

New Data Reveals Extent of Ransomware Attacks on the Healthcare Sector

The CyberPeace Institute has released new data on cyberattacks on the healthcare industry. According to the latest figures, 295 cyberattacks are known to have been conducted on the healthcare sector in the past 18 months between June 2, 2020, and December 3, 2021. The attacks have been occurring at a rate of 3.8 per week and have occurred in 35 countries. Those attacks include 263 incidents that have either been confirmed as ransomware attacks (165) or are suspected of involving ransomware (98), with those attacks occurring in 33 countries at a rate of 3.4 incidents a week. Over the past 18 months, at least 39 different ransomware groups have conducted ransomware attacks on the healthcare sector. Those attacks have mostly been on patient care services (179), followed by pharma (35), medical manufacturing & development (26), and other medical organizations (23). The CyberPeace Institute studied darknet publications, correspondence with ransomware gangs, and interviews and identified 12 ransomware groups that had stated they would not conduct attacks on the healthcare sector...

Read More
Third Version of Log4j Released to Fix High Severity DoS Vulnerability
Dec20

Third Version of Log4j Released to Fix High Severity DoS Vulnerability

The original vulnerability identified in Log4j (CVE-2021-44228) that sent shockwaves around the world due to its seriousness, ease of exploitation, and the extent to which it impacts software and cloud services, is not the only vulnerability in the Java-based logging utility. After releasing version 2.15.0 to fix the flaw, it was determined that version 2.15.0 was still vulnerable in certain non-default configurations due to an incomplete patch. The new vulnerability is tracked as CVE-2021-45046 and was fixed in version 2.16.0 of Log4j. Initially, the vulnerability was assigned a CVSS score of 3.7 (low severity); however, the severity score has since been increased to critical (CVSS 9.0), as while this flaw was initially reported as a denial-of-service bug, it was later determined that it could be exploited to allow data exfiltration and remote code execution. According to Apache, “When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious...

Read More
Learnings from a Major Healthcare Ransomware Attack
Dec13

Learnings from a Major Healthcare Ransomware Attack

One of the most serious healthcare ransomware attacks occurred in Ireland earlier this year. The Health Service Executive (HSE), the Republic of Ireland’s national health system, suffered a major attack that resulted in Conti ransomware being deployed and forced its National Healthcare Network to be taken offline. That meant healthcare professionals across the country were prevented from accessing all HSE IT systems, including clinical care systems, patient records, laboratory systems, payroll, and other clinical and non-clinical systems which caused major disruption to healthcare services across the country. Following the attack, the HSE Board commissioned PricewaterhouseCoopers (PWC) to conduct an independent post-incident review into the attack to establish the facts related to technical and operational preparedness and the circumstances that allowed the attackers to gain access to its systems, exfiltrate sensitive data, encrypt files, and extort the HSE. Cybersecurity Failures that are Common in the Healthcare Industry PWC’s recently published report highlights a number of...

Read More
Max-Severity Apache Log4j Zero-day Vulnerability Extensively Exploited in the Wild
Dec13

Max-Severity Apache Log4j Zero-day Vulnerability Extensively Exploited in the Wild

A maximum-severity vulnerability has been identified in Apache Log4j, an open-source Java-based logging library used by many thousands of organizations in their enterprise applications and by many cloud services. The vulnerability, dubbed Log4Shell and tracked as CVE-2021-44228, is serious as they come, with some security researchers claiming the flaw is the most serious to be discovered in the past decade due to its ease of exploitation and the sheer number of enterprise applications and cloud services that are affected. The vulnerability can be exploited without authentication to achieve remote code execution and take full control of vulnerable systems. The vulnerability affects Apache Log4j between versions 2.0 to 2.14.1, and has been fixed in version 2.15.0. The advice is to ensure the upgrade is performed immediately as a proof-of-concept exploit for the flaw is in the public domain, extensive scans are being performed for vulnerable systems, and there have been many cases of the flaw being exploited in the wild. Some reports suggest the improper input validation bug has been...

Read More
High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products
Dec10

High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products

A high severity vulnerability has been identified in certain Hillrom Welch Allyn Cardio products that allows accounts to be accessed without a password. The vulnerability is an authentication bypass issue that exists when the Hillrom cardiology products have been configured to use single sign-on (SSO). The vulnerability allows the manual entry of all active directory (AD) accounts provisioned within the application, and access will be granted without having to provide the associated password. That means a remote attacker could access the application under the provided AD account and gain all privileges associated with the account. The vulnerability is tracked as CVE-2021-43935 and has been assigned a CVSS v3 base score of 8.1 out of 10. According to Hillrom, the vulnerability affects the following Hillrom Welch Allyn cardiology products: Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0.0 through 6.3.1 Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1 Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0 Welch Allyn Vision Express:...

Read More
SonicWall Recommends Immediate Firmware Upgrade to Fix Critical Flaws in SMA 100 Series Appliances
Dec09

SonicWall Recommends Immediate Firmware Upgrade to Fix Critical Flaws in SMA 100 Series Appliances

SonicWall has released new firmware for its Secure Mobile Access (SMA) 100 series remote access appliances that fixes 8 vulnerabilities including 2 critical and 4 high-severity flaws. Vulnerabilities in SonicWall appliances are attractive to threat actors and have been targeted in the past in ransomware attacks. While there are currently no known cases of the latest batch of vulnerabilities being exploited in the wild, there is a high risk of these vulnerabilities being exploited if the firmware is not updated promptly. SMA 100 series appliances include the SonicWall SMA 200, 210, 400, 410, and 500v secure access gateway products, all of which are affected. The most serious vulnerabilities are buffer overflow issues which could be exploited remotely by an unauthenticated attacker to execute code on vulnerable appliances. These are CVE-2021-20038, an unauthenticated stack-based buffer overflow vulnerability (CVSS score of 9.8), and CVE-2021-20045, which covers multiple unauthenticated file explorer heap-based and stack-based buffer overflow issues (CVSS score 9.4). A further...

Read More
Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access
Dec06

Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric approach to enabling secure and easy access to patient data to meet the interoperability, patient access, and data sharing requirements of the 21st Century Cures Act. New federal regulations tied to the 21st Century Cures Act call for healthcare organizations to provide patients with easy access to their healthcare data and ensure patients can easily share their electronic health information (EHI) data wherever, whenever, and with whomever they want. The failure of a healthcare organization to implement systems to support patient access and interoperability could be considered information blocking and would be subject to fines and penalties. The new federal requirements are for healthcare providers and insurers to allow data sharing through Application Programming Interfaces (APIs) that operate on the Fast Healthcare Interoperability and Resources (FHIR) standard. Healthcare providers and insurers are required to...

Read More
Biomanufacturing Sector Warned of High Risk of Tardigrade Malware Attacks
Dec06

Biomanufacturing Sector Warned of High Risk of Tardigrade Malware Attacks

A highly sophisticated malware capable of aggressively spreading within networks is being used in targeted attacks on the biomanufacturing sector. The malware has been named Tardigrade by security researchers and initial research suggests it may be a variant of SmokeLoader – A commonly used malware loader and backdoor, although SmokeLoader and Tardigrade malware are quite distinct. The sophisticated nature of the malware coupled with the targeted attacks on vaccine manufacturers and their partners strongly suggest the malware was developed and is being used by an Advanced Persisted Threat (APT) actor. The malware was first detected being used in attacks on the biomanufacturing sector in the spring of 2021 when an infection was discovered at a large U.S. biomanufacturing facility. The malware was identified again in an attack on a biomanufacturing firm in October 2021 and it is believed to have been used in attacks on several firms in the sector. In contrast to SmokeLoader, which requires instructions to be sent to the malware from its command-and-control infrastructure, Tardigrade...

Read More
APT Actors Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells
Dec03

APT Actors Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells

An APT actor that was targeting a vulnerability in the enterprise password management and single sign-on solution Zoho ManageEngine ADSelfService Plus has started exploiting another critical vulnerability in a different Zoho product, the IT helpdesk and asset management solution Zoho ManageEngine ServiceDesk Plus. The APT group had been exploiting a critical vulnerability in ManageEngine ADSelfService Plus tracked as CVE-2021-40539, which affects Zoho ManageEngine ADSelfService Plus version 6113 and prior, and is a REST API authentication bypass that can be exploited to allow remote code execution. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on December 2, 2021, about a different vulnerability being exploited by the APT actor. The vulnerability, CVE-2021-44077, affects all versions of Zoho ManageEngine ServiceDesk Plus (on-premises) prior to version 11306. The vulnerability is related to RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. Successful exploitation of the...

Read More
HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats
Dec03

HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats

The Department of Health and Human Services has launched a new website that offers advice and resources to help the healthcare and public health sector mitigate cybersecurity threats. The website was created as part of the HHS 405(d) Aligning Health Care Industry Security Approaches Program, which was established in response to the Cybersecurity Act of 2015. The Cybersecurity Act of 2015 called for the HHS to establish the program and a Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures and processes that healthcare organizations can use. More than 150 individuals from industry and the federal government have collaborated under the program and provided insights into how best to mitigate cyberthreats. The new website supports the motto, Cyber Safety is Patient Safety, and provides videos and other educational material to raise awareness of pertinent threats along with vetted cybersecurity resources to drive behavioral change and...

Read More
CISA Publishes Mobile Device Cybersecurity Checklist for Organizations
Nov30

CISA Publishes Mobile Device Cybersecurity Checklist for Organizations

The Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance for enterprises to help them secure mobile devices and safely access enterprise resources using mobile devices. The Enterprise Mobility Management (EMM) system checklist has been created to help businesses implement best practices to mitigate vulnerabilities and block threats that could compromise mobile devices and the enterprise networks to which they connect. The steps outlined in the checklist are easy for enterprises to implement and can greatly improve mobile device security and allow mobile devices to be safely used to access business networks. CISA recommends a security-focused approach to mobile device management. When selecting mobile devices that meet enterprise requirements, an assessment should be performed to identify potential supply chain risks. The Mobile Device Management (MDM) system should be configured to update automatically to ensure it is always running the latest version of the software and patches are applied automatically to fix known vulnerabilities. A policy should be...

Read More
Increased Risk of Cyber and Ransomware Attacks Over Thanksgiving Weekend
Nov23

Increased Risk of Cyber and Ransomware Attacks Over Thanksgiving Weekend

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned organizations in the United States about the increased risk of cyberattacks over Thanksgiving weekend. Cyber threat actors are often at their most active during holidays and weekends, as there are likely to be fewer IT and security employees available to detect attempts to breach networks. Recent attacks have demonstrated holiday weekends are prime time for cyber threat actors, with Las Vegas Cancer Center one of the most recent victims of such an attack on the Labor Day weekend. The warning applies to all organizations and businesses, but especially critical infrastructure firms. Cyber actors around the world may choose Thanksgiving weekend to conduct attacks to disrupt critical infrastructure and conduct ransomware attacks. CISA and the FBI are urging all entities to take steps to ensure risk is effectively mitigated ahead of the holiday weekend to help prevent them from becoming the next victim of a costly cyberattack. Steps that should be taken immediately...

Read More
HC3 Warns Healthcare Sector About Risk of Zero-day Attacks
Nov23

HC3 Warns Healthcare Sector About Risk of Zero-day Attacks

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief warning the healthcare and public health sector about an increase in financially motivated zero-day attacks, outlining mitigation tactics that should be adopted to reduce risk to a low and acceptable level. A zero-day attack leverages a vulnerability for which a patch has yet to be released. The vulnerabilities are referred to as zero-day, as the developer has had no time to release a patch to correct the flaw. Zero-day attacks are those where a threat actor has exploited a zero-day vulnerability using a weaponized exploit for the flaw. Zero-day vulnerabilities are exploited in attacks on all industry sectors and are not only a problem for the healthcare industry.  For instance, in 2010, exploits were developed for four zero-day vulnerabilities in the “Stuxnet” attack on the Iranian nuclear program, which caused Iranian centrifuges to self-destruct to disrupt Iran’s nuclear program. More recently in 2017, a zero-day vulnerability was exploited to deliver the Dridex banking Trojan. While it...

Read More
Vulnerabilities Identified in Philips IntelliBridge, Patient Information Center and Efficia Patient Monitors
Nov19

Vulnerabilities Identified in Philips IntelliBridge, Patient Information Center and Efficia Patient Monitors

Five vulnerabilities have been identified that affect the IntelliBridge EC 40 and EC 80 Hub, Philips Patient Information Center iX, and Efficia CM series patient monitors. IntelliBride EC 40 and EC 80 Hub Two vulnerabilities have been identified that affect C.00.04 and prior versions of the IntelliBridge EC 40 and EC 80 Hub. Successful exploitation of the vulnerabilities could allow an unauthorized individual to execute software, change system configurations, and update/view files that may include unidentifiable patient data. The first vulnerability is due to the use of hard-coded credentials – CVE-2021-32993 – in the software for its own inbound authentication, outbound communication to external components, or the encryption of internal data. The second vulnerability is an authentication bypass issue – CVE-2021-33017. While the standard access path of the product requires authentication, an alternative path has been identified that does not require authentication. Both vulnerabilities have been assigned a CVSS v3 severity score of 8.1 out of 10. Philips has not yet issued an...

Read More
Iranian APT Actors Actively Exploiting Microsoft Exchange and Fortinet Vulnerabilities
Nov18

Iranian APT Actors Actively Exploiting Microsoft Exchange and Fortinet Vulnerabilities

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) warning of ongoing attacks by an Iranian Advanced Persistent Threat (APT) actor on critical infrastructure sectors including the healthcare and public health sector. Cyber actors known to be associated with the Iranian government have been exploiting vulnerabilities in the Fortinet FortiOS operating system since at least March 2021, and have been leveraging a Microsoft Exchange ProxyShell vulnerability since October 2021 to gain access to targets’ networks. The attacks appear to be focused on exploiting the vulnerabilities rather than any specific sector. Once the vulnerabilities have been exploited to gain a foothold in networks, the threat actor can perform a range of follow-on operations, which have included data exfiltration and data encryption. The threat actors are exploiting three vulnerabilities in Fortinet Devices –...

Read More
82% Of Healthcare Organizations Have Experienced an IoT Cyberattack in the Past 18 Months
Nov18

82% Of Healthcare Organizations Have Experienced an IoT Cyberattack in the Past 18 Months

A new study conducted by Medigate and CrowdStrike has highlighted the extent to which healthcare Internet of Things (IoT) devices are being targeted by threat actors and warns about the worrying state of IoT security in the healthcare industry. The number of IoT devices being used in healthcare has increased significantly in recent years as connected health drives a revolution in care delivery. Healthcare providers are increasingly reliant on IoT devices to perform a range of essential functions, and while the devices offer huge clinical benefits, full consideration should be given to cybersecurity. Cyber threat actors have disproportionately targeted healthcare organizations for many years due to the high value of healthcare data, the ease at which it can be monetized, and the relatively poor cybersecurity defenses in healthcare compared to other industry sectors. The rapid adoption of IoT devices has resulted in a major increase in the attack surface which gives cyber actors even more opportunities to conduct attacks. Further, IoT devices often have weaker cybersecurity controls...

Read More
Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft
Nov16

Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft

A recent survey conducted by the unified asset visibility and security platform provider Armis has explored the state of cybersecurity in healthcare and the security risks that are now faced by healthcare organizations. The survey was conducted by Censuswide on 400 IT professionals at healthcare organizations across the United States, and 2,000 U.S. patients to obtain their views on cybersecurity and data breaches in healthcare. The survey confirmed cyber risk is increasing, with 85% of respondents saying cyber risk has increased over the past 12 months. Ransomware gangs have targeted the healthcare industry over the past 12 months, and many of those attacks have succeeded. 58% of the surveyed IT professionals said their organization had experienced a ransomware attack in the past 12 months. Ransomware attacks were viewed as a cause of concern by 13% of IT security pros, indicating most are confident that they will be able to recover data in the event of an attack. However, data breaches that result in the loss of patient data were a major worry, with 52% of IT pros rating data...

Read More
Medical Devices Affected by 13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities
Nov15

Medical Devices Affected by 13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities

13 vulnerabilities have been identified in the Siemens Nucleus RTOS TCP/IP stack that could potentially be exploited remotely by threat actors to achieve arbitrary code execution, conduct a denial-of-service attack, and obtain sensitive information. The vulnerabilities, dubbed NUCLEUS:13, affect the TCP/IP stack and related FTP and TFTP services of the networking component (Nucleus NET) of the Nucleus Real-Time Operating System (RTOS), which is used in many safety-critical devices. In healthcare, Nucleus is used in medical devices such as anesthesia machines and patient monitors. One critical vulnerability has been identified that allows remote code execution which has a CVSS v3 severity score of 9.8 out of 10. Ten of the vulnerabilities are rated high severity flaws, with CVSS scores ranging from 7.1 to 8.8. There are also two medium-severity flaws with CVSS scores of 6.5 and 5.3. The vulnerabilities were identified by security researchers at Forescout Research Labs, with assistance provided by researchers at Medigate. The vulnerabilities affect the following Nucleus RTOS...

Read More
DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information
Nov11

DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information

The United States Department of Justice (DoJ) has unsealed indictments charging two individuals for their roles in multiple REvil/Sodinokibi ransomware attacks on organizations in the United States. Ukrainian national, Yaroslav Vasinskyi, 22, has been indicted on multiple charges related to the ransomware attacks, including the supply chain attack that saw Kaseya’s Virtual System/Server Administrator (VSA) platform compromised. That attack involved ransomware being deployed on the systems of around 40 managed service providers and 1,500 downstream businesses. Russian national, Yevgeniy Igoryevich Polyanin, 28, has been indicted for his role in multiple ransomware attacks, including attacks on government entities in Texas. The DoJ says it seized $6.1 million in ransom payments that were paid to cryptocurrency wallets linked to Polyanin. The DoJ has indicted several individuals believed to have been involved in cyberattacks in the United States; however, those individuals can only face trial if they are located, arrested, and extradited to the United States. Many ransomware threat...

Read More
HC3: Cobalt Strike Penetration Testing Framework Increasingly Used in Cyberattacks on Healthcare Organizations
Nov10

HC3: Cobalt Strike Penetration Testing Framework Increasingly Used in Cyberattacks on Healthcare Organizations

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief for the healthcare industry warning about the use of the Cobalt Strike penetration testing tool by cyber threat actors. Cobalt Strike is a powerful red team tool used by penetration testers when conducting risk and vulnerability assessments, but it can also be abused and is increasingly being used by cyber threat actors in attacks on the healthcare and public health sector. Cobalt Strike can be used for reconnaissance to gain valuable information about the target infrastructure to allow threat actors to determine the best use of their time when attacking healthcare networks. The system profiler function can be used to discover client-side applications used by a target and provides version information. The system profiler starts a local web server, fingerprints visitors, identifies internal IP addresses behind a proxy, and obtains reconnaissance data from the weblog, applications, and provides information on targets. Cobalt Strike includes a spear phish tool that can be used to create and send...

Read More
3 Medium Severity Vulnerabilities Identified in Philips MRI Solutions
Nov10

3 Medium Severity Vulnerabilities Identified in Philips MRI Solutions

Three medium severity vulnerabilities have been identified in Philips MRI products which, if exploited, could allow an unauthorized individual to run software, modify the device configuration, view and updates files, and export data, including protected health information, to an untrusted environment. Aguilar found insufficient access controls which fail to restrict access by unauthorized individuals (CVE-2021-3083), the software assigns an owner who is outside the intended control sphere (CVE-2021-3085), and sensitive data is exposed to individuals who should not be provided with access (CVE-2021-3084). Each of the vulnerabilities has been assigned a CVSS V3 base score of 6.2 out of 10. The vulnerabilities were identified by Secureworks Adversary Group consultant, Michael Aguilar, and affect Philips MRI 1.5T: Version 5.x.x, and MRI 3T: Version 5.x.x. Aguilar reported the flaws to Philips and a patch has been scheduled for release by October 2022. In the meantime, Philips recommends implementing mitigating measures to prevent the vulnerabilities from being exploited. The...

Read More
The HIPAA Password Requirements and the Best Way to Comply With Them
Nov09

The HIPAA Password Requirements and the Best Way to Comply With Them

It is important that Covered Entities and Business Associates understand the HIPAA password requirements and the best way to comply with them because if a data breach is found to be attributable to a lack of compliance, the penalties could be significant. However, understanding the HIPAA password requirements is not straightforward. HIPAA is intentionally technology-neutral; so whereas Security Standard §164.312(d) stipulates Covered Entities must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”, there is no indication what procedures should be implemented or even that user verification should be password-based. Guidance published by the Department of Health and Human Services suggests there are three ways in which users can verify their identity: With something only known to the user, such as a password or PIN, With something the user possesses, such as a smart card or key, or With something unique to the user, such as a fingerprint or facial image. In addition to the above, a required...

Read More
Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw
Nov08

Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw

An advanced persistent threat (APT) actor has been conducting an espionage campaign that has seen the systems of at least 9 organizations compromised. The campaign targeted organizations in a range of critical sectors, including healthcare, energy, defense, technology, and education. The campaign was identified by security researchers at Palo Alto Networks and while the identity of the hacking group has yet to be confirmed, the researchers believe the attacks were most likely conducted by the Chinese state-sponsored hacking group APT27, aka Iron Tiger, Emissary Panda, TG-3390, and LuckyMouse based on the use of hacking tools and techniques that match previous APT27 activity. The campaign exploited a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, an enterprise password management and single sign-on solution developed by Zoho. Successful exploitation of the flaw allows remote attackers to execute arbitrary code and take full control of vulnerable systems. On September 17, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a...

Read More
Is G Suite HIPAA Compliant?
Nov03

Is G Suite HIPAA Compliant?

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules? Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider. Making G Suite HIPAA Compliant (by default it isn’t) As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules. Obtain a BAA from Google One important requirement of HIPAA is to obtain a signed, HIPAA-compliant...

Read More
FBI: Ransomware Gangs Exploiting Corporate Financial Events to Facilitate Extortion
Nov03

FBI: Ransomware Gangs Exploiting Corporate Financial Events to Facilitate Extortion

Ransomware gangs often use double extortion tactics to encourage victims to pay the ransom. In addition to file encryption, sensitive data are stolen and a threat is issued to sell or publish the data if the ransom is not paid. The Federal Bureau of Investigation (FBI) has recently issued a private industry notification warning of a new extortion tactic, where ransomware gangs target companies and organizations that are involved in significant time-sensitive financial events, steal sensitive financial data, then threaten to publish that information if payment is not made. Ransomware gangs conduct extensive research on their victims before launching an attack, which includes gathering publicly available data and nonpublic material. The attacks are then timed to coincide with the release of quarterly earnings reports, SEC filings, initial public offerings, and merger and acquisition activity, with the release of information having the potential to significantly affect the victim’s stock value. “During the initial reconnaissance phase, cyber criminals identify non-publicly...

Read More
42% of Healthcare Organizations Have Not Developed an Incident Response Plan
Nov02

42% of Healthcare Organizations Have Not Developed an Incident Response Plan

Hacks, ransomware attacks, and other IT security incidents account for the majority of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights, but data breaches involving physical records are also commonplace. According to the Verizon Data Breach Investigations Report, disclosed physical records accounted for 43% of all breaches in 2021, which highlights the need for data security measures to be implemented covering all forms of data. The healthcare industry is extensively targeted by cybercriminals and cyberattacks increased during the pandemic. There was a 73% increase in healthcare cyberattacks in 2020, with those breaches resulting in the exposure of 12 billion pieces of protected health information, according to the 2021 Data Protection Report recently published by Shred-It. The report is based on an in-depth survey of C-level executives, small- and medium-sized business owners, and consumers across North America and identifies several areas where organizations could improve their defenses against external and internal threats....

Read More
OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance
Nov02

OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance

The Department of Health and Human Services’ Office for Civil Rights has advised HIPAA-covered entities to assess the protections they have implemented to secure their legacy IT systems and devices. A legacy system is any system that has one or more components that have been supplanted by newer technology and reached end-of-life. When software and devices reach end-of-life, support comes to an end, and patches are no longer issued to correct known vulnerabilities. That makes legacy systems and devices vulnerable to cyberattacks. Healthcare organizations should be aware of the date when support will no longer be provided, and a plan should be developed to replace outdated software and devices; however, there are often valid reasons for continuing to use outdated systems and devices. Legacy systems may work well and be well-tailored to an organization’s business model, so there may be a reluctance to upgrade to new systems that are supported. Upgrading to a newer system may require time, funds, and human resources that are not available, or it may not be possible to replace a legacy...

Read More
Microsoft Warns of Ongoing Attacks by SolarWinds Hackers on Service Providers and Downstream Businesses
Nov01

Microsoft Warns of Ongoing Attacks by SolarWinds Hackers on Service Providers and Downstream Businesses

The advanced persistent threat (APT) actor Nobelium (aka APT29; Cozy Bear) that was behind the 2020 SolarWinds supply chain attack is targeting cloud service providers (CSPs), managed service providers (MSPs), and other IT service providers, according to a recent alert from Microsoft. Rather than conducting attacks on many companies and organizations, Nobelium is favoring a compromise-one-to-compromise-many approach. This is possible because service providers are often given administrative access to customers’ networks to allow them to provide IT services. Nobelium is attempting to leverage that privileged access to conduct attacks on downstream businesses and has been conducting attacks since at least May 2021. Nobelium uses several techniques to compromise the networks of service providers, including phishing and spear phishing attacks, token theft, malware, supply chain attacks, API abuse, and password spraying attacks on accounts using commonly used passwords and passwords that have previously been stolen in data breaches. Once access to service providers’ networks has been...

Read More
Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI
Oct27

Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI

A new study has revealed widespread security failures at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are putting sensitive data at risk. The study, conducted by the data security and insider threat detection platform provider Varonis, involved an analysis of around 3 billion files at 58 healthcare organizations, including healthcare providers, pharmaceutical companies, and biotechnology firms. The aim of the study was to determine whether security controls had been implemented to secure sensitive data and to help organizations better understand their cybersecurity vulnerabilities in the face of increasing threats. The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be limited to employees who need to view PHI for work purposes. When access is granted, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI should be accessible. Each user must be provided with a unique username that allows access to...

Read More
International Law Enforcement Operation Takes Down REvil Ransomware Gang’s Infrastructure
Oct27

International Law Enforcement Operation Takes Down REvil Ransomware Gang’s Infrastructure

In July 2021, the notorious REvil (Sodinokibi) ransomware gang appeared to have ceased operations, with both its Tor payment site and data leak blog suddenly going offline. The DarkSide ransomware operation also went quiet, leading many security experts to believe that the operators of the ransomware-as-a-service (RaaS) operations were laying low or that there had been a law enforcement takedown of their infrastructure. Some of the servers used by the REvil gang were brought back online temporarily but were shut down again in mid-October. This temporary resurrection was thought to be an affiliate attempting to continue the operation. The apparent shutdown of the REvil operation followed two major attacks on the food production company JBS and the software management company Kaseya, with the later attack affecting around 50 managed service providers and up to 1,500 downstream businesses. Associates of the REvil gang had developed the DarkSide ransomware variant, which was used in the attack on Colonial Pipeline and caused its fuel pipeline to the Eastern seaboard of the United...

Read More
Cybersecurity Awareness Month: Put Cybersecurity First
Oct25

Cybersecurity Awareness Month: Put Cybersecurity First

The theme of the fourth week of Cybersecurity Awareness Month is “Cybersecurity First”, with the focus on getting the message across to businesses about the need for cybersecurity measures to address vulnerabilities in products, processes, and people. Cybersecurity Advice for Companies One study suggests 64% of companies worldwide have experienced some form of cyberattack and the rate at which attacks are occurring is increasing. It is essential for companies to ensure that cybersecurity measures are incorporated when developing apps, products, or new services and for cybersecurity to be considered at the design stage. Safeguards need to be baked into products from the start. Cybersecurity should not be an afterthought. Businesses need to have a thorough understanding of their IT environment and what assets need to be protected. An inventory should be created for all assets and the location of all sensitive data should be known. A plan then needs to be developed to protect those assets, which should include overlapping layers of protection using technologies such as firewalls, spam...

Read More
44% of Healthcare Organizations Don’t Have Full Visibility into 3rd Party Access and Permissions
Oct25

44% of Healthcare Organizations Don’t Have Full Visibility into 3rd Party Access and Permissions

A recent study conducted by the Ponemon Institute on behalf of cybersecurity firm SecureLink has explored the state of third-party security and critical access management at healthcare organizations. As with other industry sectors, remote access to internal systems is provided to third parties to allow them to perform essential business functions. Whenever a third party is provided with access, there is a risk that access rights will be abused. Credentials could also potentially be obtained by cyber threat actors and used for malicious purposes. While healthcare organizations are aware that providing access to third parties involves a degree of risk, in healthcare the level of risk is often underestimated. The healthcare industry is extensively targeted by cyber actors and the industry experiences four times the number of data breaches as other industry sectors and the threat is growing. A recent Bitglass study suggests a 55% increase in healthcare data breaches in the United States during the pandemic. SecureLink’s study, the results of which were published in the report, A Matter...

Read More
Healthcare CISOs Need Federal Assistance to Deal with Increase in Cyber Threats
Oct22

Healthcare CISOs Need Federal Assistance to Deal with Increase in Cyber Threats

A recent survey conducted on Chief Information Security Officer (CISO) members of the College of Healthcare Information Management Executives (CHIME) and Association for Executives in Healthcare Information Security (AEHIS) has highlighted the impact cybersecurity incidents have had on the healthcare industry and the need for federal assistance to deal with the threats. The healthcare industry has long been targeted by cybercriminals, but attacks have increased during the pandemic. 67% of respondents said their organization had experienced a security incident in the past 12 months with almost half saying they were the victim of a phishing attack. Phishing and business email compromise attacks, malware ransomware, hacking, and insider threats were the most common security exploits used in cyberattacks on the industry. Cyberattacks can cause patient safety issues. One recent study indicates mortality rates increase following a ransomware attack, as do medical complications and the length of hospital stays. The survey confirmed the impact on patient safety, with 15% of respondents...

Read More
September 2021 Healthcare Data Breach Report
Oct20

September 2021 Healthcare Data Breach Report

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months. While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months. Largest Healthcare Data Breaches Reported in September 2021 16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records. The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was...

Read More
Alert Issued About Ongoing BlackMatter Ransomware Attacks
Oct19

Alert Issued About Ongoing BlackMatter Ransomware Attacks

A joint alert has been issued by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) about ongoing BlackMatter ransomware attacks. The group has been conducting attacks in the United States since July 2021, which have included attacks on critical infrastructure entities and two organizations in the U.S. Food and Agriculture Sector. Evidence has been obtained that links the gang to the DarkSide ransomware gang that conducted attacks between September 2020 and May 2021, including the attack on Colonial Pipeline, with BlackMatter ransomware potentially a rebrand of the DarkSide operation. Investigations into the attacks have allowed the agencies to obtain important information about the tactics, techniques, and procedures (TTPs) of the group, and an analysis has been performed on a sample of the ransomware in a sandbox environment. The group is known to use previously compromised credentials to gain access to victims’ networks, then leverages the Lightweight Directory Access Protocol (LDAP) and...

Read More
How to Secure Patient Information (PHI)
Oct13

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer? How Can You Secure Patient Information? HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace that technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Read More
Cybersecurity Awareness Month: Fight the Phish!
Oct12

Cybersecurity Awareness Month: Fight the Phish!

According to the Verizon Data Breach Investigations Report, phishing accounted for around 80% of all reported phishing attacks in 2019 and since the pandemic began in 2020 phishing attacks and associated scams have been thriving. In 2020, 74% of US organizations experienced a successful phishing attack. Phishing attacks typically use emails or malicious websites – or both – to obtain sensitive information such as login credentials or to infect devices with malware and viruses. Phishing attacks involve a lure to get the recipient to take a certain action, such as clicking on a hyperlink in an email or opening a malicious email attachment. Email addresses, sender names, phone numbers, and website URLs are often spoofed to trick people into believing they are interacting with a familiar and trusted source. The 2021 Cost of Phishing Study conducted by the Ponemon Institute/Proofpoint suggests the cost of phishing attacks has quadrupled over the past 6 years, with large U.S. firms now losing an average of $14.83 million a year to phishing attacks. An average-sized U.S. company employing...

Read More
FIN12 Ransomware Gang Actively Targeting the Healthcare Sector
Oct12

FIN12 Ransomware Gang Actively Targeting the Healthcare Sector

Ransomware is currently the biggest cyber threat faced by the healthcare industry. Attacks often cripple healthcare IT systems for weeks or months and prevent medical records from being accessed. One study by the Ponemon Institute/Censinet shows attacks result in treatment delays, an increase in complications, poorer patient outcomes, and an increase in mortality rates. Several ransomware gangs have publicly stated they will not attack the healthcare industry, but that is certainly not true of FIN12. According to a recently published analysis of the ransomware actor by Mandiant, around 20% of the attacks conducted by the group have been on the healthcare industry. FIN12 is a prolific ransomware actor that focuses on big game targets. Almost all the victims of FIN12 have annual revenues over $300 million, with an average of almost $6 billion. FIN12 has been active since at least 2018 and has largely targeted North America where 85% of its attacks have occurred, although the gang has recently expanded geographically and now also conducts attacks in Europe and the Asia Pacific region....

Read More
Ransom Disclosure Act Requires Disclosure of Payments to Ransomware Gangs Within 48 Hours
Oct11

Ransom Disclosure Act Requires Disclosure of Payments to Ransomware Gangs Within 48 Hours

A new bill has been introduced that, if passed, will require victims of ransomware attacks to disclose any payments made to the attackers to the Department of Homeland Security (DHS) within 48 hours of the ransom being paid. The Ransom Disclosure Act was introduced by Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) and aims to provide the DHS with the data it needs to investigate ransomware attacks and improve understanding of how cybercriminal enterprises operate, thus allowing the DHS to gain a much better picture of the ransomware threat facing the United States. Between 2019 and 2020 ransomware attacks increased by 62% worldwide, and by 158% in the United States. The Federal Bureau of Investigation (FBI) received 2,500 complaints about ransomware attacks in 2020, up 20% from the previous year and there were more than $29 million in reported losses to ransomware attacks in 2020. Not all ransomware attacks are reported. Many victims choose to quietly pay the attackers for the keys to decrypt their data and prevent the public disclosure of any data stolen in the...

Read More
Medtronic Recalls MiniMed Remote Controllers Due to Serious Cybersecurity Vulnerability
Oct07

Medtronic Recalls MiniMed Remote Controllers Due to Serious Cybersecurity Vulnerability

The Food and Drug Administration (FDA) has issued a warning to users of Medtronic wireless insulin pumps about a serious security vulnerability affecting certain remote controllers. MiniMed insulin pumps deliver insulin for the management of diabetes and the pumps are supplied with an optional remote controller device that communicates wirelessly with the insulin pump. A security researcher has identified a cybersecurity vulnerability in older models of remote controllers that use previous-generation technology that could potentially be exploited to cause harm to users of the pumps. The cybersecurity vulnerability could be exploited by an unauthorized person to record and replay the wireless communication between the remote and the MiniMed insulin pump. Using specialist equipment, an unauthorized individual in the vicinity of the insulin pump user could send radio frequency signals to the insulin pump to instruct it to over-deliver insulin to a patient or stop insulin delivery. Over-delivering insulin could result in dangerously low blood sugar levels and stopping insulin delivery...

Read More
Expert Insights Recognizes TitanHQ with 4 Best of Awards for SpamTitan, WebTitan & ArcTitan
Oct07

Expert Insights Recognizes TitanHQ with 4 Best of Awards for SpamTitan, WebTitan & ArcTitan

The online B2B publication Expert Insights has recognized TitanHQ’s cybersecurity solutions in its Fall 2021 Best of Cybersecurity Awards. The Irish cybersecurity firm collected 4 awards for its email security, web security, and email archiving solutions, which were each rated best-in-class by the editorial team. Expert Insights is used by over 80,000 individuals each month to identify cybersecurity and cloud-based security solutions that meet their business needs, saving countless hours in the search for the right solutions. Expert Insights conducts research into cybersecurity and cloud-based security solutions and publishes buyers’ guides, blog posts, and industry analyses. Each year, the best cybersecurity solutions are selected based on independent technical analyses, customer feedback, and reviews by the US- and UK-based editorial teams. For the second successive year, TitanHQ has had a clean sweep and collected Best Of Awards for each of its three security solutions. SpamTitan received Best of Awards in two categories, being selected as the top product in the Best Email...

Read More
Insider Threat Self-Assessment Tool Released by CISA
Oct06

Insider Threat Self-Assessment Tool Released by CISA

Public and private sector organizations have a new tool to help them assess their level of vulnerability to insider threats. The new Insider Threat Risk Mitigation Self-Assessment Tool has been created by the Cybersecurity and Infrastructure Security Agency (CISA) to help users further their understanding of insider threats and develop prevention and mitigation programs. In healthcare, security efforts often focus on the network perimeter and implementing measures to block external threats, but insider threats can be just as damaging, if not more so. Insiders can steal sensitive information for financial gain, can take information to provide to their next employer, or can abuse their privileged access to cause significant harm. Insider breaches can have major consequences for businesses, with may include reputation damage, loss of revenue, theft of intellectual property, reduced market share, and even physical harm. CISA says insider threats can include current and former employers, contractors, or other individuals with inside knowledge about a business. The threat posed by...

Read More
Survey Reveals 24% of Healthcare Employees Have Had No Security Awareness Training
Oct05

Survey Reveals 24% of Healthcare Employees Have Had No Security Awareness Training

Entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) are required to provide security awareness training to the workforce, but a new report suggests training is lacking at many HIPAA-regulated entities. The security awareness training and phishing simulation platform provider KnowBe4 commissioned Osterman Research to conduct a survey on 1,000 U.S. employees to determine their level of knowledge about security threats and how much training they have been given. The findings of the survey were published in the KnowBe4 2021 State of Privacy and Security Awareness Report. The survey revealed employees are generally confident about password best practices but lacked confidence in other areas of cybersecurity such as identifying social engineering attacks. Only a minority understood threats such as phishing, even though phishing is one of the most common ways that hackers gain access to business networks and corporate data. Worryingly, less than half of respondents believed clicking a link in an email or opening an attachment could result in their mobile...

Read More
Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death
Oct04

Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death

A medical malpractice lawsuit has been filed against an Alabama hospital alleging vital information that could have prevented the death of a baby was not available due to a ransomware attack and that the mother was not informed that patient care had been affected by the incident. Springhill Medical Center in Mobile, AL suffered a ransomware attack in 2019 which caused widespread encryption of files and a major IT system outage. Computer systems were taken offline for 8 days, during which time care continued to be provided to patients with staff operating under the hospital’s emergency protocol during the downtime. With no access to computer systems patient information was recorded on paper charts. Following the attack, Springhill Medical Center issued a statement about the incident and said it had no impact on patient care, “We’d like to assure our patients and the community that patient safety is always our top priority and we would never allow our staff to operate in an unsafe environment.” During the system downtime, Teiranni Kidd arrived at the hospital to have her baby...

Read More
National Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart
Oct04

National Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart

October is National Cybersecurity Awareness Month. Throughout October, the importance of cybersecurity is highlighted and resources are made available to raise awareness of cyber threats and encourage individuals and organizations to adopt cybersecurity best practices and better protect accounts and sensitive data. Cybersecurity Awareness Month was launched by the National Cyber Security Alliance and the United States Department of Homeland Security in 2004 to raise awareness of the importance of cybersecurity. Each year has a different theme, although the overall aim is the same – To empower individuals and the organizations they work for to improve cybersecurity and make it harder for hackers and scammers to succeed. The month is focused on improving education about cybersecurity best practices, raising awareness of the digital threats to privacy, encouraging organizations and individuals to put stronger safeguards in place to protect sensitive data, and highlighting the importance of security awareness training. This year has the overall theme – “Do Your Part,...

Read More
NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security
Sep30

NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued new guidance on selecting and improving the security of Virtual Private Networks (VPN) solutions. VPN solutions allow remote workers to securely connect to business networks. Data traffic is routed through an encrypted virtual tunnel to prevent the interception of sensitive data and to block external attacks. VPNs are an attractive target for hackers, and vulnerabilities in VPN solutions have been targeted by several Advanced Persistent Threat (APT) groups. APT actors have been observed exploiting vulnerabilities in VPN solutions to remotely gain access to business networks, harvest credentials, remotely execute code on the VPN devices, hijack encrypted traffic sessions, and obtain sensitive data from the devices. Several common vulnerabilities and exposures (CVEs) have been weaponized to gain access to the vulnerable devices, including Pulse Connect Secure SSL VPN (CVE-2019-11510), Fortinet FortiOS SSL VPN (CVE-2018-13379), and Palo Alto Networks PAN-OS (CVE_2020-2050)....

Read More
Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack
Sep27

Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack

While there have been no reported cases of American patients dying as a direct result of a ransomware attack, a new study suggests patient mortality does increase following a ransomware attack on a healthcare provider. According to a recent survey conducted by the Ponemon Institute, more than one fifth (22%) of healthcare organizations said patient mortality increased after a ransomware attack. Ransomware attacks on healthcare providers often result in IT systems being taken offline, phone and voicemail systems can be disrupted, emergency patients are often redirected to other facilities, and routine appointments are commonly postponed. The recovery process can take several weeks, during which time services continue to be disrupted. While some ransomware gangs have a policy of not attacking healthcare organizations, many ransomware operations target healthcare. For instance, the Vice Society ransomware operation has conducted around 20% of its attacks on the healthcare sector and attacks on healthcare organizations have been increasing. During the past 2 years, 43% of respondents...

Read More
CISA and FBI Warn About Escalating Conti Ransomware Attacks
Sep23

CISA and FBI Warn About Escalating Conti Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about escalating Conti ransomware attacks. CISA and the FBI have observed Conti ransomware being used in more than 400 cyberattacks in the United States and globally. Like many ransomware gangs, prior to deploying Conti ransomware the gang exfiltrates data from victims’ networks. A ransom demand is issued along with a threat to publish the stolen data if the ransom is not paid. The developers of Conti ransomware run a ransomware-as-a-service operation, where affiliates are recruited to conduct attacks. Under this model, affiliates usually receive a percentage of any ransoms they generate. Conti appears to operate slightly differently, where affiliates are paid a wage to conduct attacks. A variety of methods are used to gain access to victims’ networks. Spear phishing emails are common, where malicious attachments such as Word documents with embedded scripts are used as malware droppers. Typically, a malware variant such as TrickBot or IcedID is downloaded...

Read More
Health and Public Health Sector Warn of Elevated Risk of BlackMatter Ransomware Attacks
Sep13

Health and Public Health Sector Warn of Elevated Risk of BlackMatter Ransomware Attacks

The health and public health sector is facing an elevated risk of ransomware attacks by affiliates of the BlackMatter ransomware-as-a-service (RaaS) operation, according to the Health Sector Cybersecurity Coordination Center (HC3) of the Department of Health and Human Services. The BlackMatter threat group emerged in July 2021 shortly after the DarkSide ransomware gang shut down its operation and the Sodinokibli/REvil took its infrastructure offline. The Russian speaking threat group is believed to originate in Eastern Europe and has conducted many attacks over the past couple of months in Brazil, Chile, India, Thailand, and the United States. The group also started leaking data stolen in attacks on its data leak site on August 11, 2021. The threat group has mostly conducted ransomware attacks on companies in the real estate, food and beverage, architecture, IT, financial services, and education sectors, and while the ransomware gang has publicly stated it would not attack hospitals, critical infrastructure companies, nonprofits, government, and defense contractors, there is...

Read More
NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders
Sep08

NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has recently released the final version of the NIST Cybersecurity Practice Guide SP 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders. Public safety and first responder (PSFR) personnel require on-demand access to public safety data in order to provide proper support and emergency care. In order to access the necessary data, PSFR personnel are heavily reliant on mobile platforms. Through these platforms, PSFR personnel can access the personal and protected health information of patients and sensitive law enforcement information; however, in order to keep sensitive information secure and to prevent unauthorized access, strong authentication mechanisms are required. Those authentication mechanisms are needed to keep data secure and to protect privacy, but they have potential to hinder PSFR personnel and get in the way of them providing emergency services. While authentication may only take a matter of seconds, any...

Read More
CISA Updates List of Cybersecurity Bad Practices to Eradicate
Sep06

CISA Updates List of Cybersecurity Bad Practices to Eradicate

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its list of cybersecurity bad practices that must be eradicated. Cyber threat actors often conduct highly sophisticated attacks to gain access to internal networks and sensitive data, but oftentimes sophisticated tactics, techniques and procedures are not required. The Bad Practices Catalog was created in July 2021 to raise awareness of some of the most egregious errors that are made in cybersecurity that leave the door wide open to hackers. There have been many lists published on cybersecurity best practices to follow, and while it is vital that those practices are followed, it is critical that these bad practices are eradicated, especially at organizations that support critical infrastructure or national critical functions (NCFs). These bad practices significantly increase risk to the critical infrastructure relied upon for national security, economic stability, and life, health, and safety of the public. When the Bad Practices Catalog was first published, two entries were added. First on the list is the...

Read More
FBI & CISA Warn of Increased Risk of Ransomware Attacks over Labor Day Weekend
Sep02

FBI & CISA Warn of Increased Risk of Ransomware Attacks over Labor Day Weekend

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning to all public and private sector organizations about the increased risk of ransomware attacks at times when offices are normally closed, such as long holiday weekends. While many employees will be having a long weekend due to Labor Day, this is a time when threat actors are usually highly active. The low staff numbers during holidays and weekends make it less likely that their attacks will be detected and blocked. The CISA and the FBI explained in the warning that they have observed an increase in “highly impactful ransomware attacks occurring on holidays and weekends,” and provided multiple examples of threat actors conducting attacks over holiday weekends in the United States in 2021. Most recently, the Sodinokibi/REvil ransomware actors conducted an attack on the Kaseya remote monitoring and management tool over the Fourth of July 2021 holiday weekend. The attack affected hundreds of organizations including many managed service providers and their...

Read More
Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals
Sep01

Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals

A new analysis of breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights has revealed outpatient facilities and specialty clinics have been targeted by cyber threat actors more frequently than hospital systems in the first 6 months of 2021. Researchers at Critical Insight explained in their 2021 Healthcare Data Breach Report that cybercriminals have changed their targets within the healthcare ecosystem and are now focusing on outpatient facilities and business associates more often than hospitals and health insurers. While large health systems are naturally attractive targets for cybercriminals, smaller healthcare organizations tend to have weaker security defenses and can be attacked more easily and are low hanging fruit for hackers. The potential profits from the attacks may be lower, but so too is the effort to gain access to their networks and sensitive data. “It is no secret as to why hackers are showing interest. Electronic protected health information (ePHI) is worth more than a credit card number or social security number. Scammers...

Read More
Researchers Identify Easily Exploitable Vulnerabilities in Drug Infusion Pumps
Aug31

Researchers Identify Easily Exploitable Vulnerabilities in Drug Infusion Pumps

Researchers at McAfee Advanced Threat Research (ATR), in conjunction with the medical device cybersecurity firm Culinda, have identified 5 previously unreported vulnerabilities in two widely used models of B. Braun drug infusion pumps. The devices are used globally in hospitals to treat adult and pediatric patients and automate the delivery of medications and nutrients to patients. They are especially useful for ensuring controlled delivery of critical medication doses. The flaws in the B. Braun infusion pumps could be exploited by an unauthenticated attacker to change the configuration of the infusion pumps while they are in standby mode, which could result in an unexpected dose of medication being delivered the next time the device is used, potentially causing harm to a patient. McAfee alerted B.Braun to the vulnerabilities in the B. Braun Infusomat Space Large Volume Pump and the B. Braun SpaceStation on January 11, 2021, and recommended safeguards that should be implemented to prevent the flaws being exploited. In May 2021, B.Braun published information for customers and...

Read More
July 2021 Healthcare Data Breach Report
Aug23

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day. The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records. Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month! Largest Healthcare Data Breaches in July 2021 Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the...

Read More
CISA Publishes Guidance on Protecting Sensitive Data and Responding to Double-Extortion Ransomware Attacks
Aug20

CISA Publishes Guidance on Protecting Sensitive Data and Responding to Double-Extortion Ransomware Attacks

Ransomware attacks dramatically increased in 2020 and cyberattacks using the file-encrypting malware are showing no sign of abating. Attacks have continued to increase this year to the point where there were almost half the number of attempted ransomware attacks in Q2, 2021 as there were all of 2019. Most threat actors conducting ransomware attacks are now using double extortion tactics, where ransoms must be paid to obtain the keys to decrypt files but also to prevent the publication of data stolen in the attacks. The theft of data prior to file encryption has not only helped ransomware gangs demand huge ransom payments, but the threat of leaking data has greatly increased to probability of the ransom being paid. Many victims end up paying the ransom to prevent data leakage, even though they have valid backups that will allow them to restore the encrypted data for free. To help public and private sector organizations deal with the threat of these double-extortion ransomware attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance, which...

Read More
Mid-Year Threat Report Shows Massive Increase in Ransomware Attacks
Aug19

Mid-Year Threat Report Shows Massive Increase in Ransomware Attacks

Last month, SonicWall published a mid-year update of its Cyber Threat Report which confirmed there has been a major increase in cyberattacks since 2020. In the first 6 months of 2021, cryptojacking attacks increased by 23%, encrypted threats rose by 26%, IoT attacks rose by 59%, and there was a 151% increase in ransomware attacks compared to the corresponding period last year. Ransomware attacks have been steadily increasing since Q1, 2020, but the rate of increase jumped considerably between Q1 and Q2, 2021, rising to a Q2 total of 188.9 million attempted attacks: an increase of 63.1% from the previous quarter. In June alone there were 78.4 million attempted ransomware attacks, which is more than the total number of attacks in the second quarter of 2020 and almost half of the total number of attempted ransomware attacks in all of 2019. In total, there were 304.7 million attempted ransomware attacks in the first half of 2021. “Even if we don’t record a single ransomware attempt in the entire second half (which is irrationally optimistic), 2021 will already go down as the worst year...

Read More
Scripps Health Ransomware Attack Cost Increases to Almost $113 Million
Aug18

Scripps Health Ransomware Attack Cost Increases to Almost $113 Million

Ransomware attacks on hospitals can cause huge financial losses, as the Ryuk ransomware attack on Universal Health Services showed. UHS is one of the largest healthcare providers in the United States, and operates 26 acute care hospitals, 330 behavioral health facilities, and 41 outpatient facilities. UHS said in March 2021 that the September 2020 ransomware attack resulted in $67 million in pre-tax losses due the cost of remediation, loss of acute care services, and other expenses incurred due to the attack. While the losses suffered by UHS were significant, the ransomware attack on Scripps Health has proven to be far more expensive. Scripps Health is a California-based nonprofit operator of 5 hospitals and 19 outpatient facilities in the state. In the May 2021 ransomware attack, Scripps Health lost access to information systems at two of its hospitals, staff couldn’t access the electronic medical record system, and its offsite backup servers were also affected. Without access to critical IT systems, Scripps Health was forced to re-route stroke and heart attack patients from four...

Read More
CISA Issues Warning About Blackberry’s QNX Vulnerability Affecting Critical Infrastructure
Aug18

CISA Issues Warning About Blackberry’s QNX Vulnerability Affecting Critical Infrastructure

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert warning about a vulnerability affecting Blackberry’s QNX Real Time Operating System (RTOS), which is extensively used by critical infrastructure organizations and affects multiple consumer, medical, and industrial networks. The vulnerability is one of 25 that are collectively known as BadAlloc, which affect multiple IoT and OT systems. The flaws are memory allocation integer overflow or wraparound issues in memory allocation functions used in real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. On August 17, 2021, Blackberry announced that its QNX products were affected by one of the BadAlloc vulnerabilities – CVE-2021-22156. The flaw could be exploited by a remote attacker to cause a denial-of-service condition, or even achieve remote code execution, with the latter potentially allowing an attacker to take control of highly sensitive systems. The flaw affects the calloc() function in the C runtime library of...

Read More
Study Reveals Extent of Cybersecurity Vulnerabilities at Major Pharmaceutical Firms
Aug16

Study Reveals Extent of Cybersecurity Vulnerabilities at Major Pharmaceutical Firms

Reposify, a provider of an external attack surface management platform, has published the findings of a study of security vulnerabilities at pharmaceutical firms which shows the vast majority of pharma firms have unresolved vulnerabilities that are putting sensitive data and internal systems at risk of compromise. The study was conducted to assess the prevalence of exposures of services, sensitive platforms, unpatched CVEs and other security issues. Data analyzed for the Pharmaceutical Industry: 2021: The State of the External Attack Surface Report were collected over a two-week period in March 2021 and covered 18 of the leading pharmaceutical companies worldwide and more than 900 of their subsidiaries. Pharmaceutical companies hold vast amounts of sensitive personal data and extremely valuable drug and vaccine research data. That has made them an attractive target for cybercriminals. During the COVID-19 pandemic, nation state hackers targeted pharma and biotech firms to gain access to sensitive COVID-19 research and vaccine development data. According to the 2020 Cost of a Data...

Read More
New ‘DeepBlueMagic’ Ransomware Discovered by Heimdal Security Researchers
Aug13

New ‘DeepBlueMagic’ Ransomware Discovered by Heimdal Security Researchers

A new ransomware variant has been detected by researchers at Heimdal Security that is being used by a threat group that calls itself DeepBlueMagic. The ransomware differs considerably from all other previously identified ransomware strains. Heimdal Security researchers discovered the new ransomware variant on Wednesday, August 11, 2021, which had been used in an attack on a device running Windows Server 2012 R2. The analysis of the attack revealed DeepBlueMagic ransomware works completely differently to any other ransomware encountered in the past. The researchers determined DeepBlueMagic ransomware disables security solutions installed on devices to prevent detection, then proceeds to encrypt entire hard drives using a third-party disk encryption tool rather than files. All drives on the targeted server are encrypted with the exception of the system drive (“C:\” partition). The ransomware uses BestCrypt Volume Encryption software from Jetico. In the attack, the D:\ drive was turned into a RAW partition rather than NTFS, which rendered it inaccessible. Following an attack, any...

Read More
NIST Updates Guidance on Developing Cyber Resilient Systems
Aug12

NIST Updates Guidance on Developing Cyber Resilient Systems

The National Institute of Standards and Technology (NIST) has released a major update to its guidance on developing cyber-resilient systems. A draft version of the updated guidance – NIST Special Publication 800-160, Volume 2, Revision 1: Developing Cyber-Resilient Systems: A Systems Security Engineering Approach – has been released which includes updates to reflect the changing tactics, techniques, and procedures (TTPs) of cyber threat actors, who are now conducting more destructive attacks, including the use of ransomware. Organizations used to be able to focus their resources on perimeter defenses and penetration resistance; however, these measures are no longer as effective as they once were at preventing attacks. A modern approach is now required which requires more resilience to be built into IT systems, which requires measures to be taken to limit the ability of an attacker to damage infrastructure and move laterally within networks. “The document provides suggestions on how to limit the damage that adversaries can inflict by impeding their lateral movement, increasing their...

Read More
Hospitals More Vulnerable to Botnets, Spam, and Malware than Fortune 1000 Firms
Aug11

Hospitals More Vulnerable to Botnets, Spam, and Malware than Fortune 1000 Firms

A recent study published in the Journal of the American Medical Informatics Association (JAMIA) sought to identify the relationship between cybersecurity risk ratings and healthcare data breaches. The study was conducted using data obtained from the Department of Health and Human Services between 2014-2019 and hospital cybersecurity ratings obtained from BitSight. The data sample included 3,528 hospital-year observations and Fortune 1000 firms were used as the benchmark against which hospital cybersecurity ratings were compared. For many years, healthcare has lagged other industries when it comes to managing and reducing cybersecurity risk. The researchers found that in aggregate, hospitals had significantly lower cybersecurity ratings than the Fortune 1000 firms; however, the situation has been improving and, based on BitSight risk ratings, the healthcare industry has now caught up with Fortune 1000 firms. By 2019, the difference between the cybersecurity risk ratings of hospitals and Fortune 1000 firms was no longer statistically significant. While the gap has virtually been...

Read More
NCSC Password Recommendations
Aug10

NCSC Password Recommendations

The UK’s NCSC password recommendations have been updated and a new strategy is being promoted that meets password strength requirements but improves usability.  There are multiple schools of thought when it comes to the creation of passwords, but all are based on the premise that passwords need to be sufficiently complex to ensure they cannot be easily guessed, not only by humans, but also the algorithms used by hackers in brute force attacks. Each year lists of the worst passwords are published that are compiled from credentials exposed in data breaches. These worst password lists clearly demonstrate that some people are very poor at choosing passwords. Passwords such as “password,” “12345678,” and “qwertyuiop” all feature highly in the lists. Due to the risk of end users creating these weak passwords, many organizations now have minimum requirements for password complexity, but that does not always mean end users will set strong passwords. The Problem with Password Complexity Requirements The minimum requirements for password complexity are typically to have at least one lower-...

Read More
73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months
Aug05

73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months

Ransomware attacks have increased significantly during the past year, but phishing attacks continue to cause problems for businesses, according to a recent survey conducted by Arlington Research on behalf of security firm Egress. Almost three quarters (73%) of surveyed businesses said they had experienced a phishing related data breach in the past 12 months. The survey for the 2021 Insider Data Breach Report was conducted on 500 IT leaders and 3,000 employees in the United States and United Kingdom. The survey revealed 74% of organizations had experienced a data breach as a result of employees breaking the rules, something that has not been helped by the pandemic when many employees have been working remotely. More than half (53%) of IT leaders said remote work had increased risk, with 53% reporting an increase in phishing incidents in the past year. The increased risk from remote working is of concern, especially as many organizations plan to continue to support remote working or adopt a hybrid working model in the future. 50% of IT leaders believe remote/hybrid working will make...

Read More
Healthcare Industry has Highest Number of Reported Data Breaches in 2021
Aug05

Healthcare Industry has Highest Number of Reported Data Breaches in 2021

Data breaches declined by 24% globally in the first 6 months of 2021, although breaches in the United States increased by 1.5% in that period according to the 2021 Mid-Year Data Breach QuickView Report from Risk-Based Security. Risk Based Security identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Across those breaches, 18.8 billion records were exposed, which represents a 32% decline from the first 6 months of 2020 when 27.8 billion records were exposed. 85% of the exposed records in the first half of 2021 occurred in just one breach at the Forex trading service FBS Markets. The report confirms the healthcare industry continues to be targeted by cyber threat actors, with the industry having reported more data breaches than any other industry sector this year. Healthcare has been the most targeted industry or has been close to the top since at least 2017 and it does not appear that trend will be reversed any time soon. 238 healthcare data breaches were reported in the first 6 months of 2021, with finance & insurance the next most attacked...

Read More
NSA & CISA Issue Guidance on Hardening Security and Managing Kubernetes Environments
Aug04

NSA & CISA Issue Guidance on Hardening Security and Managing Kubernetes Environments

Kubernetes is a popular open-source cloud solution for deploying and managing containerized apps.  Recently there have been several security breaches where hackers have gained access to poorly secured Kubernetes environments to steal sensitive data, deploy cryptocurrency miners, and conduct denial-of-service attacks. This month, security researchers discovered Kubernetes clusters were being targeted by cyber actors who were exploiting misconfigured permissions for the web-facing dashboard of Argo Workflows instances. In these attacks, the computing power of Kubernetes environments were harnessed for mining cryptocurrencies. In another attack, a vulnerability in the Kubernetes API Server was being exploited to steal sensitive data. In light of these attacks, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a 52-page technical report that includes detailed guidance on how to correctly set up and manage Kubernetes environments to make it harder for the environments to be compromised by hackers. The report includes details...

Read More
Multiple Critical Vulnerabilities Identified in Pneumatics System Used in 2,300 U.S. Hospitals
Aug03

Multiple Critical Vulnerabilities Identified in Pneumatics System Used in 2,300 U.S. Hospitals

Nine critical vulnerabilities have been identified in the Nexus Control Panel of Swisslog Healthcare Translogic Pneumatic Tube System (PTS) stations, which are used in more than 80% of major hospitals in the United States. Pneumatic tube systems are used to rapidly send test samples and medications around hospitals and the vulnerable PTS stations are present in 3,000 hospitals worldwide, including 2,300 in the United States. The vulnerabilities, collectively named ‘PwnedPiper’, were discovered by researchers at Armis Security. In total, 9 critical flaws were identified in the Nexus Control Panel and the firmware of all current models of Translogic PTS stations are affected. The vulnerabilities identified by the researchers are common in Internet of Things (IoT) devices but are far more serious in pneumatic tube systems, which are part of hospitals’ critical infrastructure. The Armis researchers pointed out that these systems are prevalent in hospitals, yet they have never been thoroughly analyzed or researched. The flaws could be exploited by a threat actor to cause denial of...

Read More
CISA Publishes List of the Most Commonly Exploited Vulnerabilities
Jul29

CISA Publishes List of the Most Commonly Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) have issued a joint cybersecurity advisory about the most common vulnerabilities exploited by cyber actors in 2020, many of which are still being widely exploited in 2021. The advisory lists the top 30 exploited Common Vulnerabilities and Exposures (CVEs), how each vulnerability is exploited, recommended mitigations, indicators of compromise, and tools and methods that can be used to check whether the vulnerabilities have already been exploited. Recently disclosed vulnerabilities are exploited by cyber threat actors, but most of the commonly exploited vulnerabilities are not new and were disclosed in the past two years. In 2020, the pandemic forced many businesses to switch from an office-based to a remote workforce, so it is not surprising that 4 of the most commonly exploited vulnerabilities in 2020 concern remote working solutions such as VPNs and cloud-based technologies....

Read More
The Average Cost of a Healthcare Data Breach is Now $9.42 Million
Jul29

The Average Cost of a Healthcare Data Breach is Now $9.42 Million

IBM Security has published its 2021 Cost of a Data Breach Report, which shows data breach costs have risen once again and are now at the highest level since IBM started publishing the reports 17 years ago. There was a 10% year-over-year increase in data breach costs, with the average cost rising to $4.24 million per incident. Healthcare data breaches are the costliest, with the average cost increasing by $2 million to $9.42 million per incident. Ransomware attacks cost an average of $4.62 million per incident. The large year-over-year increase in data breach costs has been attributed to the drastic operational shifts due to the pandemic. With employees forced to work remotely during the pandemic, organizations had to rapidly adapt their technology. The pandemic forced 60% of organizations to move further into the cloud. Such a rapid change resulted in vulnerabilities being introduced and security often lagged behind the rapid IT changes. Remote working also hindered organizations’ ability to quickly respond to security incidents and data breaches. According to IBM, data breaches...

Read More
Report: The State of Privacy and Security in Healthcare
Jul28

Report: The State of Privacy and Security in Healthcare

2020 was a particularly bad year for the healthcare industry with record numbers of data breaches reported. Ransomware was a major threat, with Emsisoft identifying 560 ransomware attacks on healthcare providers in 2020. Those attacks cost the healthcare industry dearly. $20.8 billion was lost in downtime in 2020, according to Comparitech, which is more than twice the ransomware downtime cost to the healthcare industry in 2019. With the healthcare industry facing such high numbers of cyberattacks, the risk of a security breach is considerable, yet many healthcare organizations are still not fully conforming with the NIST Cybersecurity Framework (NIST CSF) and the HIPAA Security Rule, according to the 2021 Annual State of Healthcare Privacy and Security Report published today by healthcare cybersecurity consulting firm CynergisTek. To compile the report – The State of Healthcare Privacy and Security – Maturity Paradox: New World, New Threats, New Focus – CynergisTek used annual risk assessments at 100 healthcare organizations and measured progress alongside overall NIST CSF...

Read More
The Average Ransomware Payment Fell by 38% in Q2, 2021
Jul27

The Average Ransomware Payment Fell by 38% in Q2, 2021

The average ransom payment made by victims of ransomware attacks fell by 38% between Q1 and Q2, 2021, according to the latest report from ransomware incident response company Coveware. In Q2, the average ransom payment was $136,576 and the median payment decreased by 40% to $47,008. One of the key factors driving down ransom payments is a lower prevalence of attacks by two key ransomware operations, Ryuk and Clop, both of which are known for their large ransom demands. Rather than the majority of attacks being conducted by a few groups, there is now a growing number of disparate ransomware-as-a-service brands that typically demand lower ransom payments. In Q2, Sodinokibi (REvil) was the most active RaaS operation conducting 16.5% of attacks, followed by Conti V2 (14.4%), Avaddon (5.4%), Mespinoza (4.9%), and Hello Kitty (4.5%). Ryuk only accounted for 3.7% of attacks and Clop 3.3%. The Sodinokibi gang has now gone silent following the attack on Kaseya and appears to have been shut down; however, the group has shut down operations in the past only to restart with a new ransomware...

Read More
June 2021 Healthcare Data Breach Report
Jul21

June 2021 Healthcare Data Breach Report

For the third consecutive month, the number of reported healthcare data breaches of 500 or more records increased. June saw an 11% increase in reported breaches from the previous month with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – the highest monthly total since September 2020 and well above the average of 56 breaches per month over the past year. While the number of reported breaches increased, there was a substantial fall in the number of breached healthcare records, which decreased 80.24% from the previous month to 1,290,991 breached records. That equates to more than 43,000 breached records a day in June. More than 40 million healthcare records have been exposed or impermissibly disclosed over the past 12 months across 674 reported breaches. On average, between July 2020 and June 2021, an average of 3,343,448 healthcare records were breached each month. Largest Healthcare Data Breaches in June 2021 There were 19 healthcare data breaches of 10,000 or more records reported in June. Ransomware continues to pose problems for healthcare...

Read More
Is Google Drive HIPAA Compliant?
Jul21

Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant? Is Google Drive HIPAA Compliant? The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules. G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users. G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied. The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business...

Read More
U.S. Government Launches New One-Stop Ransomware Website
Jul19

U.S. Government Launches New One-Stop Ransomware Website

The Department of Justice and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have announced the launch of a new web resource that will serve as a one-stop-shop providing information to help public and private sector organizations deal with the growing ransomware threat. The new resource – StopRansomware.gov – is an interagency resource that provides guidance on ransomware protection, detection, and response in a single location. The new resource provides general information about ransomware, including what ransomware is and how it is used by cybercriminals to extort money from public and private sector organizations. Detailed information is provided on how organizations can improve their security posture and defend against attacks, including ransomware best practices, bad practices to avoid, cyber hygiene tips, FAQs, and training material. The website includes a newsroom with the latest ransomware-related advice, along with alerts from CISA, the FBI, Department of Treasury, and other federal agencies about the ever-evolving tactics, techniques, and procedures used...

Read More
Imminent Risk of Ransomware Attacks Exploiting Flaw in SonicWall SRA/SMA 100 Series VPN Appliances
Jul15

Imminent Risk of Ransomware Attacks Exploiting Flaw in SonicWall SRA/SMA 100 Series VPN Appliances

SonicWall has issued an urgent security notice warning users of its Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running end-of-life firmware about an imminent ransomware campaign using stolen credentials. The campaign exploits a known vulnerability in 8.x firmware on the devices. SonicWall patched the vulnerability in later versions of the firmware. All users of these devices that are still running the vulnerable firmware version have been advised to update to version 9.x or 10.x of the firmware immediately. SonicWall became aware of threat actors targeting the vulnerability in SMA 100 series and SRA products through collaboration with trusted third parties. “The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk,” explained SonicWall. Customers using end-of-life SMA or SRA devices running the vulnerable 8.x firmware should apply the update immediately or disconnect their appliances and reset passwords. EOL devices are: SRA 4600/1600 (EOL...

Read More
CISA Publishes Guidance for MSPs and SMBs on Hardening Security Defenses
Jul15

CISA Publishes Guidance for MSPs and SMBs on Hardening Security Defenses

Managed Service Providers (MSPs) are attractive targets for cybercriminals. They typically have privileged access to their clients’ networks, so a cyberattack on a single MSP can see the attacker gain access to the systems of many, if not all, of their clients. The recent Kaseya supply chain attack showed just how serious such an attack can be. An REvil ransomware affiliate gained access to Kaseya systems, through which it was possible to access the systems and encrypt data of around 60 of its customers, many of which are MSPs. Through those MSP customers, ransomware was deployed on up to 1,500 downstream businesses. Small- and mid-sized businesses often do not have staff to manage their own IT systems or may lack the skills or hardware to store sensitive data and support sensitive processes. Many turn to MSPs to provide that expertise. It is often more cost effective for SMBs to scale and support their network environments using MSPs rather than manage their resources themselves. Outsourcing IT or security functions to an MSP introduces risks, which need to be mitigated by SMBs....

Read More
REvil Ransomware Websites Disappear Fueling Speculation of Law Enforcement Takedown
Jul14

REvil Ransomware Websites Disappear Fueling Speculation of Law Enforcement Takedown

The notorious REvil ransomware gang’s Internet and dark web sites have suddenly gone offline, days after President Biden called Vladimir Putin demanding action be taken against ransomware gangs and other cybercriminals conducting attacks from within Russia on U.S. companies. At around 1 a.m. on Tuesday, the websites used by the gang for leaking data of ransomware victims, their ransom negotiation chat server, and command and control infrastructure went offline and have remained offline since. For one of the gang’s sites, the server IP address is no longer resolvable via DNS queries. REvil has grown into one of the most prolific ransomware-as-a-service operations. The gang was behind many ransomware attacks in the United States and worldwide, including the recent attack on JBS Foods and the supply chain attack on Kaseya, which saw ransomware used in attacks on around 60 managed service providers and up to 1,500 of their clients on July 2. A ransom demand of $70 million was issued to supply the keys to decrypt all victims’ devices, with the demand falling to $50 million shortly...

Read More
Kaseya Security Update Addresses Flaws Exploited in KSA Ransomware Attack
Jul12

Kaseya Security Update Addresses Flaws Exploited in KSA Ransomware Attack

Kaseya has announced a security update has been released for the Kaseya KSA remote management and monitoring software solution to fix the zero-day vulnerabilities recently exploited by the REvil ransomware gang in attacks on its customers and their clients. The vulnerabilities exploited in the attack were part of a batch of seven flaws that were reported to Kaseya in April 2021 by the Dutch Institute for Vulnerability Disclosure (DIVD). Kaseya had developed patches to correct four of the seven vulnerabilities in its Virtual System Administrator solution and released these as part of its April and May security updates; however, before patches could be released for the remaining three vulnerabilities, one or more of them were exploited by an REvil ransomware affiliate. The attack affected approximately 60 customers who had deployed the Kaseya VSA on-premises, many of which were managed service providers (MSPs). The REvil ransomware gang gained access to their servers, encrypted them, and pushed their ransomware out to approximately 1,500 business clients of those companies. Following...

Read More
Multiple Critical Vulnerabilities Affect Philips Vue PACS Products
Jul07

Multiple Critical Vulnerabilities Affect Philips Vue PACS Products

Multiple vulnerabilities have been identified in Philips Vue PACS products, including 5 critical flaws with a 9.8 severity rating and 4 high severity flaws. Some of the vulnerabilities can be exploited remotely and there is a low attack complexity. Successful exploitation of the flaws would allow an unauthorized to gain system access, eavesdrop, view and modify data, execute arbitrary code, install unauthorized software, or compromise system integrity and gain access to sensitive data or negatively affect the availability of the system. The vulnerabilities were recently reported to CISA by Philips and affect the following Philips Vue PACS products: Vue PACS: Versions 12.2.x.x and prior Vue MyVue: Versions 12.2.x.x and prior Vue Speech: Versions 12.2.x.x and prior Vue Motion: Versions 12.2.1.5 and prior Critical Vulnerabilities CVE-2020-1938 – Improper validation of input to ensure safe and correct data processing, potentially allowing remote code execution – (CVSS v3 9.8/10) CVE-2018-12326 – Buffer overflow issue in Redis third-party software allowing code execution and...

Read More
Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies
Jul05

Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies

A Kaseya KSA supply chain attack has affected dozens of its managed service provider (MSP) clients and saw REvil ransomware pushed out to MSPs and their customers. Kaseya is an American software company that develops software for managing networks, systems, and information technology infrastructure. The software is used to provide services to more than 40,000 organizations worldwide. The REvil ransomware gang gained access to Kaseya’s systems, compromised the Kaseya’s VSA remote monitoring and management tool, and used the software update feature to install ransomware. The Kaseya VSA tool is used by MSPs to monitor and manage their infrastructure. It is not clear when the ransomware gang gained access to Kaseya’s systems, but ransomware was pushed out to customers when the software updated on Friday July 2. The attack was timed to coincide with the July 4th holiday weekend in the United States, when staffing levels were much lower and there was less chance of the attack being detected and blocked before the ransomware payload was deployed. Fast Response Limited Extent of the Attack...

Read More
HHS: Take Action Now to Secure Vulnerable PACS Servers
Jul05

HHS: Take Action Now to Secure Vulnerable PACS Servers

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a TLP:White Alert warning about vulnerabilities in the Picture Archiving Communication Systems (PACS) used by hospitals, clinics, small healthcare practices, and research institutions for sharing patient data and medical images. The HC3 Sector Alert warns that PACS vulnerabilities are exposing sensitive patient data and placing systems at risk of compromise. Vulnerable Internet-exposed PACS servers can easily be identified and compromised by hackers, threatening not just the PACS servers but also any systems to which those servers connect. PACS was initially developed to help with the transition from analog to digital storage of medical images. PACS servers receive medical images from medical imaging systems such as magnetic resonance imaging (MRI), computed tomography (CT), radiography, and ultrasound and store the images digitally using the Digital Imaging and Communications in Medicine (DICOM) format. DICOM is now three decades old and was discovered to have vulnerabilities that could easily be exploited....

Read More
CISA Releases Ransomware Readiness Assessment Audit Tool
Jul05

CISA Releases Ransomware Readiness Assessment Audit Tool

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new tool that can be used by organizations to assess how well they are equipped to defend and recover from a ransomware attack. The threat from ransomware has gown significantly over the past year. The Verizon Data Breach Investigations Report shows 10% of cyberattacks now involve the use of ransomware, with SonicWall reporting a 62% global increase in ransomware attacks since 2019 and a 158% spike in attacks in North America during the same period. BlackFog predicts loses due to ransomware attacks will increase to $6 trillion in 2021, up from $3 trillion in 2015. The Ransomware Readiness Assessment (RRA) audit module has been added to CISA’s Cyber Security Evaluation Tool (CSET). CSET is a desktop software tool that guides network defenders through a step-by-step process of assessing their cybersecurity practices for both their information technology (IT) and operational technology (OT) networks. CSET can be used to perform a comprehensive evaluation of an organization’s cybersecurity posture using...

Read More