Healthcare cybersecurity is a growing concern. The last few years have seen hacking and IT security incidents steadily rise and many healthcare organizations have struggled to defend their network perimeter and keep cybercriminals at bay.

2015 was a record year for healthcare industry data breaches. More patient and health plan member records were exposed or stolen in 2015 than in the previous 6 years combined, and by some distance. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyberattack. 2016 saw more healthcare data breaches reported than any other year, and 2017 looks set to be another record breaker.

Healthcare providers now have to secure more connected medical devices than ever before and there has been a proliferation of IoT devices in the healthcare industry. The attack surface is growing and cybercriminals are developing more sophisticated tools and techniques to attack healthcare organizations, gain access to data and hold data and networks to ransom.

The healthcare industry has been slow to respond and has lagged behind other industries when it comes to cybersecurity. However, cybersecurity budgets have increased, new technology has been purchased, and healthcare organizations are getting better at blocking attacks and keeping their networks secure.

The articles in this healthcare cybersecurity section are intended to help HIPAA covered entities decide on the best technologies to protect their networks from attack and develop effective policies, procedures and security awareness training programs to prevent costly data breaches.

Our healthcare cybersecurity section contains articles and new reports relating to:

New vulnerabilities that could be exploited to gain access to healthcare networks

Security warnings about new attack vectors currently being used by cybercriminals to gain access to healthcare networks and data

Details of new malware and ransomware that threaten the confidentiality, integrity, and availability of protected health information

Healthcare cybersecurity best practices

New guidelines for HIPAA covered entities on data and device security

Updates from the Healthcare Industry Cybersecurity Task Force

Details of cybersecurity frameworks that can be adopted by healthcare organizations to improve security posture

Advice related to the HIPAA Security Rule and the safeguards that must be applied to secure medical devices, networks and healthcare data

The latest healthcare cybersecurity surveys, reports and white papers

Proofpoint Q3 2019 Threat Report Shows Increase in RAT and Banking Trojan Activity
Nov13

Proofpoint Q3 2019 Threat Report Shows Increase in RAT and Banking Trojan Activity

The Proofpoint Q3 2019 Threat Report has been released. The report provides insights into the main threats in Q3, 2019 and reveals the changing tactics, techniques, and procedures used by cybercriminals. The data for the report comes from an analysis of more than 5 billion email messages, hundreds of millions of social media posts, and over 250 million captured malware samples. The report reveals scammers now favor embedded hyperlinks over attachments for spreading malware. 88% of malicious emails that were used to install malware used malicious URLs. This tactic is preferred as it makes it easier to bypass email security defenses. Proofpoint notes that ransomware still poses a significant threat, but it was noticeably absent from most email campaigns. Proofpoint suggests that the fall in the value of cryptocurrencies is making it harder for threat actors to monetize their ransomware campaigns. Greater rewards can be gained through other types of malware, such as remote access Trojans (RATs) and banking Trojans. RATs and banking Trojans were the main malware threats in Q3, 2019,...

Read More
Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach
Nov12

Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach

U.S. Senator, Mark. R. Warner (D-VA) has written to the Director of the HHS’ Office for Civil Rights, Roger Severino, expressing concern over the HHS response to the mass exposure of medical images by U.S. healthcare organizations. Sen. Warner is the Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus. This is the latest in a series of communications in which he has voiced concerns about cybersecurity failures that have compromised the personal and private information of Americans. In February, Sen. Warner demanded answers from HHS agencies, NIST, and healthcare associations about healthcare cybersecurity following the continued increase in healthcare data breaches. His recent letter to OCR was in response to a September 17, 2019 report about the exposure of millions of Americans’ medical images that were stored in unsecured picture archiving and communications systems (PACS). The report detailed the findings of an investigation by ProPublica, German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm,...

Read More
Microsoft Issues Fresh Warning to Patch BlueKeep Vulnerability
Nov12

Microsoft Issues Fresh Warning to Patch BlueKeep Vulnerability

Prompt patching, or rather the lack of it, has prompted a fresh round of warnings to patch the BlueKeep vulnerability (CVE-2019-0708) that was exploited in a mass attack that started on October 23. The attack was first detected on November 2, with the delay due to the failure of the attacker to take full advantage of the vulnerability. The campaign appears to have been conducted by a low-level threat actor who exploited the vulnerability to deliver cryptocurrency mining malware. Microsoft has issued yet another warning that worse is yet to come. The first mass exploitation attempt certainly made the headlines, but it does not appear to have had much of an impact on the speed of patching. A scan conducted by the SANS Institute shows there has been little change in the rate of patching following the attacks. The number of unpatched devices has been steadily declining since Microsoft issued the patch in May, but hundreds of thousands of devices are still vulnerable to attack. The attack was on a large scale, albeit with limited success. The exploit that was used failed to work...

Read More
Vulnerabilities Identified in Medtronic Valleylab Energy Platform and Electrosurgery Products
Nov08

Vulnerabilities Identified in Medtronic Valleylab Energy Platform and Electrosurgery Products

6 vulnerabilities have been identified in the Medtronic Valleylab energy platform and electrosurgery products, including one critical flaw that could allow an attacker to gain access to the Valleylab Energy platform and view/overwrite files and remotely execute arbitrary code. The vulnerabilities were identified by Medtronic which reported the flaws to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency under its responsible vulnerability disclosure policy. Four vulnerabilities have been identified in the following Medtronic Valleylab products Valleylab Exchange Client, Version 3.4 and below Valleylab FT10 Energy Platform (VLFT10GEN) software Version 4.0.0 and below Valleylab FX8 Energy Platform (VLFX8GEN) software Version 1.1.0 and below The critical vulnerability is an improper input validation flaw in the rssh utility, which facilitates file uploads. Exploitation of the vulnerability would allow an attacker to gain administrative access to files, allowing those files to be viewed, altered, or deleted. The flaw could also allow remote execution of...

Read More
Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2019
Nov07

Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2019

A recent survey has highlighted the cost of healthcare industry data breaches, the extent to which the healthcare industry is under attack, and how often those attacks succeed. The survey was conducted by Black Book Market Research on 2,876 security professionals at 733 provider organizations between Q4, 2018 and Q3, 2019. Respondents were asked their views on cybersecurity to identify vulnerabilities and security gaps and determine why so many of these cyberattacks are succeeding. 96% of surveyed IT professionals believed that cybercriminals are outpacing medical enterprises, which is no surprise given that 93% of healthcare organizations reported having experienced a data breach since Q3, 2016. According to the report, 57% of organizations had experienced more than five data breaches during that time period. More than half of the data breaches reported by healthcare organizations were the result of hacks and other attacks by external threat actors. The healthcare industry is being attacked because providers and insurers hold huge quantities of sensitive and valuable information...

Read More
Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center
Nov06

Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center

The University of Rochester Medical Center (URMC) has paid a $3 million HIPAA penalty for the failure to encrypt mobile devices and other HIPAA violations. URMC is one of the largest health systems in New York State with more than 26,000 employees at the Medical Center and various other components of the health system, including Strong Memorial Hospital and the School of Dentistry. The Department of Health and Human Services’ Office for Civil Rights (OCR) launched an investigation following receipt of two breach reports from UMRC – The loss of an unencrypted flash drive and the theft of an unencrypted laptop computer in 2013 and 2017. This was not the first time OCR had investigated URMC. An investigation was launched in 2010 following a similar breach involving a lost flash drive. In that instance, OCR provided technical compliance assistance to URMC. The latest investigation uncovered multiple violations of HIPAA Rules, including areas of noncompliance that should have been addressed after receiving technical assistance from OCR in 2010. Under HIPAA, data encryption is not...

Read More
Average Ransomware Payment Increased 13% to $41,198 in Q3, 2019
Nov05

Average Ransomware Payment Increased 13% to $41,198 in Q3, 2019

Ransomware is still one of the biggest cybersecurity threats faced by healthcare organizations. Not only have the attacks increased, ransom demands have increased. A new analysis by ransomware remediation and incident response firm Coveware has revealed the average ransom payment has increased by 13% to $41,198 in Q3, 2019, which is six times as much as in December 2018. Many companies have to pay considerably more. The attackers using Ryuk ransomware tend to demand payments of hundreds of thousands of dollars. Ryuk ransom payments between Q2 and Q3, 2019 ranged from $267,742 to $377,026. Ransom demands issued to large enterprises are often over $1 million. While no industry is immune to ransomware attacks, they tend to be concentrated on certain industries where there is a higher than average chance of the ransom being paid. The most targeted industry sectors are professional services (18.3%), the public sector (13.3%), healthcare (12.8%), software services (11.7%), and the retailers (8.3%). There has also been an increase in attacks on managed service providers. These attacks...

Read More
BlueKeep Vulnerability Being Actively Exploited in Real World Attacks
Nov05

BlueKeep Vulnerability Being Actively Exploited in Real World Attacks

In May 2019, Microsoft made an announcement about a critical remote code execution vulnerability in Windows Remote Desktop Services named BlueKeep – CVE-2019-0708. The cybersecurity community predicted that a weaponized exploit would be developed and be used in large-scale attacks. That prediction has now come true. Over the weekend, the first mass attacks using a BlueKeep exploit were discovered. Soon after Microsoft announced the vulnerability, several security researchers developed proof-of-concept exploits for BlueKeep. One such exploit allowed a researcher to remotely take control of a vulnerable computer in just 22 seconds. The researchers held off publishing their PoC’s due to the seriousness of the threat and the number of devices that were vulnerable to attack. Initially, millions of internet-connected devices were at risk, including around a million Internet of Things (IoT) devices. The BlueKeep vulnerability can be exploited remotely by sending a specially crafted RDP request. No user interaction is required to exploit the vulnerability. The flaw is also wormable, which...

Read More
Common Office 365 Mistakes Made by Healthcare Organizations
Nov01

Common Office 365 Mistakes Made by Healthcare Organizations

An Office 365 phishing campaign has been running over the past few weeks that uses voicemail messages as a lure to get users to disclose their Office 365 credentials. Further information on the campaign is detailed below along with some of the most common Office 365 mistakes that increase the risk of a costly data breach and HIPAA penalty. Office 365 Voicemail Phishing Scam The Office 365 voicemail phishing scam was detected by researchers at McAfee. The campaign has been running for several weeks and targets middle management and executives at high profile companies. A wide range of industries have been attacked, including healthcare, although the majority of attacks have been on companies in the service, IT services, and retail sectors. The emails appear to have been sent by Microsoft and alert users to a new voicemail message. The emails include the caller’s telephone number, the date of the call, the duration of the voicemail message, and a reference number. The emails appear to be automated messages and tell the recipient that immediate attention is required to access the...

Read More
HHS Releases Updated HIPAA Security Risk Assessment Tool
Oct31

HHS Releases Updated HIPAA Security Risk Assessment Tool

The HHS has updated its HIPAA Security Risk Assessment Tool and has added several new user-requested features to improve usability. The HIPAA Security Risk Assessment Tool was developed by the HHS Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS’ Office for Civil Rights to help healthcare organizations with this important provision of the HIPAA Security Rule. The risk assessment is a foundational element of compliance with the Health Insurance Portability Act Security Rule. By conducting a risk assessment, healthcare organizations can identify areas where PHI may be at risk. Any risks can then be assessed, prioritized, and reduced to a reasonable and acceptable level. The failure to conduct a comprehensive, organization-wide risk assessment is the most commonly cited HIPAA violation in OCR enforcement actions. This is perfectly understandable. If a risk assessment does not cover all systems that store or touch ePHI, vulnerabilities are likely to be missed and the confidentiality, integrity, and availability of ePHI will remain...

Read More
Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate
Oct28

Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate

Healthcare data breaches lead to a reduction in the quality of care provided to patients, according to a study recently published in Health Services Research. Researchers analyzed data from Medicare Compare which details quality measures at hospitals. Data from 2012-2016 was analyzed and compared with data from the HHS’ Office for Civil Rights on data breaches of more than 500 records over the same period. The researchers analyzed data on 3,025 Medicare-certified hospitals, 311 of which had experienced a data breach. According to the study, the time it took from a patient arriving at the hospital to an electrocardiogram being performed increased by up to 2.7 minutes at hospitals that had experienced a data breach. A ransomware attack that prevents clinicians from accessing patient data will limit their ability to provide essential medical services to patients, so a delay in conducting tests and obtaining the results is to be expected. However, the delays were found to continue for months and years after an cyberattack was experienced. The study showed that 3-4 years after a breach...

Read More
57% Rely on Multi-Factor Authentication to Improve Security but MFA is Not Infallible
Oct25

57% Rely on Multi-Factor Authentication to Improve Security but MFA is Not Infallible

A recent study conducted by the password manager provider LastPass has revealed only 57% of businesses use multi-factor authentication, even though it is one of the best ways of ensuring stolen credentials cannot be used to gain access to email accounts and corporate networks. Multi-factor authentication requires a second factor to authenticate users in addition to a password. In the event of credentials being stolen, via a phishing attack for example, they could not be used to access an account unless the attacker also has an additional authentication factor – A one-time code sent to a mobile phone or a token, for example. The study, which was conducted on 47,000 businesses, showed use of multi-factor authentication has increased by 12% since last year. According to the report, 95% of companies that have implemented multi-factor authentication use a software-based system such as a mobile app. 4% use a hardware-based multi-factor authentication solution, and 1% use biometrics such as a fingerprint scan. Software-based solutions are usually the most cost-effective to implement which...

Read More
FBI Issues Warning About E-Skimming Threats and Tips for Reducing Risk
Oct25

FBI Issues Warning About E-Skimming Threats and Tips for Reducing Risk

The Federal Bureau of Investigation has issued a warning about e-skimming threats, following an increase in attacks on small and medium sized businesses and government agencies. E-skimming is the introduction of malicious code on websites that process online payments. The code captures debit and credit card information when it is entered into payment portals and the information is silently transmitted to an attacker-controlled domain in real-time. Attacks can be performed on any company that has an online payment system, most commonly on companies in the retail, travel, and entertainment industries and utility companies. Attacks are also conducted on third-party vendors, such as those that provide web analytics and online advertisements. Recently, an e-skimming attack was reported by a healthcare organization – Mission Health in Western North Carolina. Code had been loaded onto its e-commerce websites which allowed the attackers to obtain the credit card information of individuals when they purchased health products. The malicious code was active on the websites for three...

Read More
Vulnerability Identified in Philips IntelliSpace Perinatal Information Management System
Oct25

Vulnerability Identified in Philips IntelliSpace Perinatal Information Management System

A vulnerability has been identified in the Philips IntelliSpace Perinatal obstetrics information management system. The vulnerability – CVE-2019-13546 – could be exploited remotely by an authorized remote desktop session host application user or by an individual with physical access to a locked application screen. The vulnerability affects IntelliSpace Perinatal Versions K and earlier and requires a low level of skill to exploit. The flaw has been assigned a CVSS v3 base score of 6.1 out of 10 (medium severity). Exploitation of the vulnerability would allow an attacker to break out of the containment of the application and access resources from the Windows operating system as the limited-access Windows user. If an attacker used exploits for vulnerabilities in Windows once access to the operating system had been achieved, the attacker could potentially elevate operating system privileges to administrator level. Once access to the operating system has been achieved, an attacker could execute software and view, update or delete files, directories, and alter the system...

Read More
39% of Cybersecurity Professionals Say Their Company is Under Prepared for a Data Breach
Oct24

39% of Cybersecurity Professionals Say Their Company is Under Prepared for a Data Breach

A survey of cybersecurity and IT executives in the United States has revealed 39% of companies are under prepared to handle a data breach. The survey was commissioned by the cybersecurity consulting firm Avertium for the firm’s 2019 Cybersecurity and Threat Preparedness report. The survey was conducted on 223 respondents in the United States at companies with 50 or more employees. When asked about the main problems they experienced in relation to cybersecurity, the two biggest issues were the increasing complexity of cybersecurity tech stacks, which was rated as a major pain point by 76% of respondents. Added to that is the increasing sophistication of cyberattacks, which was a pain point for 75% of cybersecurity professionals. 66% of respondents said third-party or partner vulnerabilities were a major problem area, and 65% said their jobs have been made much more difficult due to vulnerabilities introduced by their company’s digital transformation. The cost and complexity of regulatory compliance was also rated as a pain point by 65% of respondents. The types of cyberattack that...

Read More
76% of SMBs Have Experienced a Data Breach in the Past Year
Oct23

76% of SMBs Have Experienced a Data Breach in the Past Year

A recent survey conducted by the Ponemon Institute on behalf of Keeper Security has revealed 76% of small and medium sized businesses in the United States have experienced a data breach in the past 12 months. The survey was conducted on 2,391 IT and IT security professionals in the United States, United Kingdom, and Western Europe for Keeper Security’s 2109 Global State of Cybersecurity report. The survey revealed SMBs in the United States are more extensively targeted than in other countries. Globally, 66% of SMBs have experienced a data breach in the past year. The frequency of attacks has also increased. Since 2016, the number of cyberattacks on SMBs has risen by 20%. 69% of respondents said cyberattacks have become much more targeted. The main methods used by cybercriminals to attack SMBs are phishing and social engineering, which were behind 57% of SMB cyberattacks in the past 12 months. 30% of attacks involved other forms of credential theft, and 33% of breaches were due to compromised or stolen devices. 70% of surveyed SMBs said they had experienced incidents in past 12...

Read More
TitanHQ Announces Record Growth in MSP Market and New ‘Margin Maker for MSPs’ Initiative
Oct22

TitanHQ Announces Record Growth in MSP Market and New ‘Margin Maker for MSPs’ Initiative

Cloud security vendor and HIPAA Journal sponsor, TitanHQ, has enjoyed impressive growth in Q3, 2019, registering the busiest quarter for MSP business in the company’s 20+ year history. From humble beginnings, the company has grown into the leading provider of cloud-based email and web security solutions for managed service providers that service the SMB market. Initially, the firm sold anti-spam appliances to local businesses in Galway, Ireland. Today, the company is a global provider of cloud-based network security solutions for SMBs and MSPs. The company’s cloud-based network security solutions – SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving – are used by more than 8,200 businesses around the world and the firm has over 2,200 MSP partners. TitanHQ’s success in the MSP, OEM, and service provider markets can be attributed to several factors. Many other companies have only considered MSPs after products have been developed, with additional functionality added to appeal to the MSP market. With TitanHQ, MSPs have always been at the core of the...

Read More
September 2019 Healthcare Data Breach Report
Oct21

September 2019 Healthcare Data Breach Report

September saw 36 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 26.53% decrease in breaches from the previous month. 1,957,168 healthcare records were compromised in those breaches, an increase of 168.11% from August. The large number of breached records is largely down to four reported incidents, each of which involved hundreds of thousands of healthcare records. Three of those incidents have been confirmed as ransomware attacks. Largest Healthcare Data Breaches in September 2019 The largest breach of the month was due to a ransomware attack on Jacksonville, FL-based North Florida OB-GYN, part of Women’s Care of Florida. 528,188 healthcare records were potentially compromised as a result of the attack. Sarrell Dental also experienced a ransomware attack in which the records of 391,472 patients of its Alabama clinics were encrypted. 320,000 records of patients of Premier Family Medical in Utah were also potentially compromised in a ransomware attack. The University of Puerto Rico...

Read More
Microsoft and NCCoE Start Working on Guidelines for Implementing an Effective Enterprise Patch Management Strategy
Oct18

Microsoft and NCCoE Start Working on Guidelines for Implementing an Effective Enterprise Patch Management Strategy

A new project has been launched by Microsoft and the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) to develop guidance on developing and implementing an effective patch management strategy. Following the (Not)Petya wiper attacks in 2017, Microsoft embarked on a voyage of discovery into why companies had failed to exercise basic cybersecurity hygiene and had not patched their systems, even though patches had been released months previously and could have protected against the attacks. Over the past 12 months, feedback has been sought from the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), and the Center for Internet Security on the risk of exploitation and patch management strategies. Microsoft has also sat down with customers to find out more about the challenges they face applying patches and to discover exactly why patching is often delayed and why in some cases patches are not applied. These meetings revealed many companies were unsure about what they should be doing in...

Read More
Adoption of Standards Improves Cybersecurity of Internet of Medical Things (IoMT) Devices
Oct17

Adoption of Standards Improves Cybersecurity of Internet of Medical Things (IoMT) Devices

Internet of Medical Things (IoMT) technology is helping to increase efficiency, improve the quality of healthcare, and lower healthcare costs; however, IoMT introduces risks. The failure to reduce those risks to a low and acceptable level leaves IoMT devices vulnerable to cyberattacks. Those attacks can be expensive to resolve, which drives up the cost of healthcare and can result in patients coming to harm. Not only must the devices be secured, cybersecurity must also be managed throughout the entire lifespan of the devices. Software and firmware must be kept up to date, patches must be applied promptly to fix vulnerabilities, and the devices need to be returned when they reach end of life and support comes to an end. Without a thorough understanding of the risks, securing IoMT devices can be a major challenge. The U.S. Department of Veteran Affairs (VA) has taken steps to improve the safety and security of IoMT devices and has been seeking solutions for securing large-scale IoMT device deployments to better protect the 9 million people under its care. The VA, in conjunction with...

Read More
Report Reveals the Most Common Cyber Threats Faced by Healthcare Organizations
Oct16

Report Reveals the Most Common Cyber Threats Faced by Healthcare Organizations

A new report from Proofpoint offers insights into the cyber threats faced by healthcare organizations and the most common attacks that lead to healthcare data breaches. Proofpoint’s 2019 Healthcare Threat Report highlights the ever-changing threat landscape and how the tactics used by cybercriminals are in a constant state of flux. The study – conducted between Q2, 2018 and Q1, 2019 – shows how the malware variants used in attacks often change. Ransomware was a popular form of malware in Q2, 2018 and was used in many attacks on healthcare organizations, but ransomware incidents then dwindled rapidly as cybercriminals switched their attention to banking Trojans. For the remaining three quarters of the study period, banking Trojans were the malware variant of choice, although ransomware is now proving popular once again. Proofpoint’s research shows banking Trojans were the biggest malware threat to healthcare organizations for the period of the study, accounting for 41% of malicious payloads delivered via email between Q2 2018 and Q1 2019. In Q1, 2019, the biggest threat...

Read More
MITA Publishes New Medical Device Security Standard
Oct14

MITA Publishes New Medical Device Security Standard

The Medical Imaging & Technology Alliance (MITA) has released a new medical device security standard which provides healthcare delivery organizations (HDOs) with important information about risk management and medical device security controls to harden the devices against unauthorized access and cyberattacks. The new voluntary standard – Manufacturer Disclosure Statement for Medical Device Security (MDS2) (NEMA/MITA HN 1-2019) – was developed in conjunction with a diverse range of industry stakeholders and aligns with the 2018 U.S. Food and Drug Administration (FDA) Medical Device Cybersecurity Playbook, issued in October 2018. The guidance explains that cybersecurity of medical devices is a shared responsibility. HDOs must collaborate with medical device manufacturers to ensure best practices are adopted. Device manufacturers, HDOs, government entities, and cybersecurity researchers need to work together to ensure threats to medical devices are managed and reduced to reasonable and appropriate levels. The new standard is intended to help streamline communications between...

Read More
HHS Proposes New Stark Law Safe Harbor Covering Cybersecurity Donations
Oct11

HHS Proposes New Stark Law Safe Harbor Covering Cybersecurity Donations

The U.S. Department of Health and Human Services (HHS) has proposed changes to physician self-referral and federal anti-kickback regulations which will see the creation of a new safe harbor covering hospital donations of cybersecurity software and associated services to physicians. The proposed law change is detailed in two new rules issued by the HHS’ Office of Inspector General (OIG) and the Centers for Medicaid and Medicare Services (CMS) which aim to modernize and clarify regulations that interpret the Federal Anti-Kickback Statute and Physician Self-Referral law known as Stark Law. The proposed rules are part of the HHS’s Regulatory Sprint to Coordinated Care which promotes value-based care by eliminating federal regulatory barriers that are impeding efforts to improve the coordination of care between providers. “The digitization of the healthcare delivery system and related rules designed to increase interoperability and data sharing in the delivery of healthcare create numerous targets for cyberattacks,” explained OIG. “The healthcare industry and the...

Read More
McCombs School of Business Offers Nation’s First Healthcare-Specific Professional Cybersecurity Certification Program
Oct11

McCombs School of Business Offers Nation’s First Healthcare-Specific Professional Cybersecurity Certification Program

The University of Texas at Austin McCombs School of Business has launched a unique healthcare-specific professional cybersecurity certificate program. The professional leadership and educational program is the first healthcare oriented cybersecurity certification program to be offered in the United States. The Leadership in Healthcare Privacy and Security Risk Management program aligns with the NICE Cybersecurity Workforce Framework and will equip individuals with the knowledge and leadership skills they will need to effectively manage cyber risks faced by the healthcare industry. Figures from the (ISC)² Global Information Security Workforce Study indicate the cybersecurity workforce gap is growing and there will be 1.8 million unfilled cybersecurity positions in 2022. The new certification program will help to address that shortfall in trained cybersecurity personnel, which is hampering many healthcare organizations’ efforts to address privacy and security risks. The new course was developed in collaboration with the cybersecurity industry, healthcare privacy and security experts,...

Read More
Pulse Connect, GlobalProtect, Fortigate VPN Vulnerabilities Being Actively Exploited by APT Actors
Oct09

Pulse Connect, GlobalProtect, Fortigate VPN Vulnerabilities Being Actively Exploited by APT Actors

Vulnerabilities in popular VPN products from Pulse Secure, FortiGuard, and Palo Alto are being actively exploited by advanced persistent threat (APT) actors to gain access to VPNs and internal networks. The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity agencies issued security advisories about multiple vulnerabilities in VPN products over the summer of 2019; however, many organizations have been slow to take action. Weaponized exploits for the vulnerabilities have now been developed and are being used by APT actors and exploit code is freely available online on GitHub and the Metasploit framework. On October 1, 2019, the UK’s National Cyber Security Centre issued a warning about the vulnerabilities following several attacks on government agencies, the military, businesses, and the education and healthcare sectors. The National Security Agency (NSA) also issued a security advisory about the vulnerabilities along with mitigations on October 7. The vulnerabilities are present in outdated versions of the Pulse Secure VPN (CVE-2019-11508 and...

Read More
An Internal Security Operations Center Cuts Data Breach Costs by More Than Half
Oct08

An Internal Security Operations Center Cuts Data Breach Costs by More Than Half

A recent survey conducted by B2B International on behalf of Kaspersky Lab has revealed the average cost of an enterprise-level data breach has risen to $1.41 million from $1.23 million in 2018. The increased risk of a data breach and the increasing remediation costs has prompted enterprises to invest more heavily in cybersecurity. When the Kaspersky Global Corporate IT Security Risks Survey was last conducted in 2018, average IT security budgets were $8.9 million. In 2019, budgets had increased to an average of $18.9 million. The biggest costs from a data breach were found to be damage to the company’s credit rating and increased insurance costs, followed by the cost of hiring external security consultants, loss of business, brand repair, additional wages for internal staff, compensation, and financial penalties and regulatory fines. While there are several things enterprises can do to cut data breach costs, the appointment of a dedicated Data Protection Officer (DPO) and deploying an internal Security Operations Center (SOC) are the two most important for reducing...

Read More
Cybercriminals Switching from Business Email Compromise to Vendor Email Compromise Attacks
Oct04

Cybercriminals Switching from Business Email Compromise to Vendor Email Compromise Attacks

The number of ransomware attacks in the United States has increased sharply in 2019, but business email compromise (BEC) attacks have similarly increased. Symantec found an average of 6,029 businesses were targeted by BEC emails in the past 12 months and figures from the FBI indicate attacked entities lost $1,297,803,489 to the scams in 2018. BEC attacks involve gaining access to business email accounts and using them for further attacks on the organization. Some BEC attacks are concerned with obtaining sensitive data such as W-2 forms for use in tax fraud, although mostly the attackers attempt to use the accounts to arrange fraudulent wire transfers. Access is gained to the CEO or other executives’ email accounts and messages are sent to the payroll department to reroute payments or to request wire transfers to attacker-controlled accounts. This week, Agari has published details of new research that reveals a new BEC attack trend: Vendor email compromise attacks.  As with other types of BEC attacks, they involve highly realistic emails requesting payment of invoices, but the...

Read More
FBI Issues Updated Ransomware Guidance: Extent of U.S. Ransomware Epidemic Revealed
Oct04

FBI Issues Updated Ransomware Guidance: Extent of U.S. Ransomware Epidemic Revealed

A recent report from New Zealand-based cybersecurity firm Emsisoft has revealed the extent to which ransomware is being used in cyberattacks in the United States. The first 9 months of 2019 have seen 621 ransomware attacks on government entities, healthcare organizations, and educational institutions. Ransomware attacks can have devastating consequences. This week, a healthcare provider announced that it will be permanently closing its doors as a result of a ransomware attack due to extensive damage to its systems and the permanent loss of patient data. This is the second healthcare provider known to have been forced out of business due to a ransomware attack this year. Even when recovery is possible – by paying the ransom or restoring files from backups – the attacks cause major disruption and result in substantial losses. A ransomware attack on DCH health system forced its three hospitals to temporarily close to all but critical patients while systems were restored. Attacks on municipalities have resulted in essential services grinding to a halt, police departments have lost...

Read More
URGENT/11 Cybersecurity Vulnerabilities in Medical Devices Prompt FDA Warning
Oct02

URGENT/11 Cybersecurity Vulnerabilities in Medical Devices Prompt FDA Warning

Security researchers at Armis have identified 11 vulnerabilities in the Interpeak IPnet TCP/IP Stack, a third-party software component used in hospital networks and certain medical devices. The vulnerabilities were reported to the DHS Cybersecurity and Infrastructure Security Agency (CISA) prompting an ICS Medical Advisory and a Food and Drug Administration (FDA) Safety Communication warning patients, healthcare providers, facility staff and manufacturers about the flaws. The FDA alert – named URGENT/11 – explains that the vulnerabilities could be remotely exploited by a threat actor allowing full control to be taken of a vulnerable medical device. An attacker could change the functions of the device, access sensitive information, cause logical flaws or denial of service attack that could stop the device from working. While there have been no reports of the flaws being exploited in the wild, the FDA warns that the software required to exploit the flaws is publicly available. Interpeak IPnet TCP/IP Stack supports network communications between computers, and while it is no longer...

Read More
Sen. Rand Paul Introduces National Patient Identifier Repeal Act
Sep27

Sen. Rand Paul Introduces National Patient Identifier Repeal Act

Sen. Rand Paul, M.D., (R-Kentucky) has introduced a new bill that attempts to have the national patient identifier provision of HIPAA permanently removed due to privacy concerns over the implementation of such a system. Today, HIPAA is best known for its healthcare data privacy and security regulations, but the national patient identifier system was proposed in the original HIPAA legislation of 1996 as a measure to facilitate data sharing and help reduce wastage in healthcare. The provision called for the HHS to “adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system.” However, in 1998, former Congressman Ron Paul (R-Texas), Sen. Rand Paul’s father, introduced a proposal which called for a ban on funding the development and implementation of such a system. The ban was introduced into the Congressional budget for 1999 and has been written into all Congressional budgets ever since. This year there was hope that the ban would finally be removed following a June amendment to...

Read More
Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS
Sep27

Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS

Sen. Mark Warner (D-Virginia) has written to TridentUSA Health Services demanding answers about a breach of sensitive medical images at one of its affiliates, MobileXUSA. Sen. Warner is the co-founder of the Senate Cybersecurity Caucus, which was set up as bipartisan educational resource to help the Senate engage more effectively on cybersecurity policy issues. As part of the SCC’s efforts to improve cybersecurity in healthcare, in June Sen. Warner asked NIST to develop a secure file sharing framework and wrote to healthcare stakeholder groups in February requesting they share best practices and the methods they used to reduce cybersecurity risk and improve healthcare data security. The latest letter was sent a few days after ProPublica published a report of an investigation into unsecured Picture Archiving and Communications Systems (PACS). PACS are used by hospitals and other healthcare organizations for viewing, storing, processing, and transmitting medical images such as MRIs, CT scans, and X-Rays. The report revealed more than 303 medical images of approximately 5 million...

Read More
Businesses Slow to Modify and Block Access Rights When Employees Change Roles or Leave the Company
Sep26

Businesses Slow to Modify and Block Access Rights When Employees Change Roles or Leave the Company

A recent survey of IT professionals, conducted by IT firm Ivanti has revealed access rights to digital resources are not always terminated promptly when employees change roles or leave the company. The latter is especially concerning as there is a high risk of data theft and sabotage of company systems by former employees. There have been many reported cases of former employees taking sensitive data to new employers and conducting malicious acts in cases of termination. The survey was conducted online in the summer of 2019 on 400 individuals, 70% of whom were IT professionals. Questions were asked about setting up permissions for new employees, modifying access rights when roles change, and terminating access rights to company resources when employees are terminated, contracts end, or employees find alternative employment. The respondents came from a broad range of industries including healthcare. 27% of respondents said they were required to comply with the Health Insurance Portability and Accountability Act (HIPAA), 25% were required to comply with the EU’s General Data...

Read More
August 2019 Healthcare Data Breach Report
Sep23

August 2019 Healthcare Data Breach Report

In August, healthcare data breaches continued to be reported at a rate of more than 1.5 per day, which is around twice the monthly average in 2018 (29.5 breaches per month). This is the second successive month when breaches have been reported at such an elevated level. While the number of breaches has not changed much since last month (49 compared to 50), there has been a substantial reduction in the number of exposed records.   August saw 729,975 healthcare records breached compared to 25,375,729 records in July, 3,452,442 records in June, and 1,988,376 records in May. The exceptionally high breach total for July was mostly due to the massive data breach at American Medical Collection Agency (See below for an update on the AMCA breach total). Causes of August 2019 Healthcare Data Breaches Hacking and other IT incidents dominated the breach reports in August. 32 breaches were attributed to hacking/IT incidents, which is almost double the number of breaches from all other causes. Hacking/IT incidents breached 602,663 healthcare records – 82.56% of all records breached in...

Read More
400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS
Sep18

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks has revealed millions of medical images contained in image storage systems are freely accessible online and require no authentication to view or download the images. Those images, which include X-rays, MRI, and CT scans, are stored in picture archiving and communications systems (PACS) connected to the Internet. Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers. Those servers were found to contain approximately 733 million medical images of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images. PACS use the digital imaging and communications in medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases, all that is required...

Read More
Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE
Sep18

Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE

The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices. Mobile devices allow employees to access resources essential for their work duties, no matter where those individuals are located. As such, the devices allow organizations to improve efficiency and productivity, but the devices bring unique threats to an organization. The devices typically have an always-on Internet connection and the devices often lack the robust security controls that are applied to devices such as desktop computers. Malicious or risky apps can be downloaded to mobile devices by users without the knowledge or authorization of the IT department. App downloads could introduce malware and app permissions could allow unauthorized access to sensitive data. Organizations therefore need to have total visibility into all mobile devices used by employees for work activities and they must ensure that mobile device security risks are effectively mitigated....

Read More
NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem
Sep17

NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) has issued draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem. The guidelines – NIST Cybersecurity Practice Guide, SP 1800-24 – have been written for health healthcare delivery organizations (HDOs) to help them secure their PACS and reduce the probability of a data breach and data loss, protect patient privacy, and ensure the integrity of medical images while minimizing disruption to hospital systems. PACS is used by virtually all HDOs for storing, viewing, and sharing digital medical images. The systems make it easy for healthcare professionals to access and share medical images to speed up diagnosis. The system can often be accessed via desktops, laptops, and mobile devices and a PACS may also link to electronic health records, other hospital systems, regulatory registries, and government, academic, and commercial archives. With many users and devices and interactions with multiple systems, HDOs can face challenges securing their PACS ecosystem, especially without...

Read More
Vulnerabilities Identified in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors
Sep17

Vulnerabilities Identified in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors

Two vulnerabilities have been identified in Philips IntelliVue WLAN firmware which affect certain IntelliVue MP monitors. The flaws could be exploited by hackers to install malicious firmware which could impact data flow and lead to an inoperable condition alert at the device and Central Station. Philips was alerted to the flaws by security researcher Shawn Loveric of Finite State, Inc. and proactively issued a security advisory to allow users of the affected products to take steps to mitigate risk. The flaws require a high level of skill to exploit in addition to access to a vulnerable device’s local area network. Current mitigating controls will also limit the potential for an attack. As such, Philips does not believe either vulnerability would impact clinical. Philips does not believe the flaws are being actively exploited. The first flaw, tracked as CVE-2019-13530, concerns the use of a hard-coded password which could allow an attacker to remotely login via FTP and upload malicious firmware. The second flaw, tracked as CVE-2019-13534, allows the download of code or an...

Read More
Multi-Factor Authentication Blocks 99.9% of Automated Cyberattacks
Sep13

Multi-Factor Authentication Blocks 99.9% of Automated Cyberattacks

The healthcare industry experiences more than its fair share of phishing attacks. Each week, several phishing attacks are reported by healthcare organizations that have resulted in the exposure or theft of protected health information. In the majority of cases, those attacks could be prevented by following basic cybersecurity best practices. Cyberattacks are becoming more sophisticated, but the majority of attacks are not. They involve the use of default and commonly used passwords in brute force attacks or basic phishing emails. Brute force attacks can be thwarted by creating and enforcing strong password policies. It should not be possible for users to use dictionary words as passwords or commonly used weak passwords such as 12345678. Accounts are also commonly breached due to password re-use. Figures from Microsoft suggest 73% of users duplicate passwords on work and personal accounts. If a personal account is breached, the password can be used to access the user’s work account. Many phishing emails succeed in bypassing anti-spam defenses. A recent report from Avanan suggests as...

Read More
HSCC Publishes Guidance on Healthcare Information Sharing Organizations
Sep12

HSCC Publishes Guidance on Healthcare Information Sharing Organizations

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published guidance on cybersecurity information sharing organizations in the healthcare sector. HSCC is a public-private partnership of more than 200 companies and organizations, including health IT companies, medical device manufacturers, laboratories, pharmaceutical companies, health plans, payers and government agencies. Its role is to provide collaborative solutions to help mitigate cybersecurity threats affecting the healthcare industry. The Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) is the fourth cybersecurity resource published by HSCC as mandated by the Health Care Industry Cybersecurity Task Force, which requires HSCC to help improve information sharing of industry threats, risks, and mitigations. Other resources previously published by HSCC cover healthcare industry cybersecurity best practices, developing a medical device joint security plan, and the development of a health industry cybersecurity workforce. “Many health organizations are beginning to...

Read More
Insurance Companies are Fueling the Ransomware Epidemic by Paying Ransoms
Sep11

Insurance Companies are Fueling the Ransomware Epidemic by Paying Ransoms

A recent ProPublica investigation has highlighted a growing problem that is fueling the current ransomware epidemic. Insurance companies are opting to pay ransom demands as it is the most cost-effective way of settling claims, even though paying ransoms encourages further attacks. A ransom demand may be high, but it is far cheaper to pay the ransom than cover the cost of rebuilding systems from scratch and restoring data from backups. Paying the ransom demand is a win-win for the insurer and breached entity. The insurer saves money and since most insurance policies only require payment of a small deductible, the breached entity does too. They are also likely to regain access to their files and systems far more quickly, which saves time and money by reducing downtime. The hackers responsible for the attack are also happy, as their demand is met. This has been clearly demonstrated in recent attacks where the breached entity has refused to pay up. The ransomware attack on the city of Atlanta saw the attackers issued a demand of $51,000 for the keys to decrypt files. The city refused...

Read More
82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices
Sep03

82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto. For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study. The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have potential to compromise end user safety, result in the loss of intellectual property, operational downtime and damage to the organization’s reputation. The failure to effectively secure the devices could also potentially result in a regulatory fine. When asked about the consequences of a cyberattack on IoT devices, the biggest...

Read More
Vulnerability Discovered in Philips HDI 4000 Ultrasound Systems
Sep03

Vulnerability Discovered in Philips HDI 4000 Ultrasound Systems

A vulnerability has been discovered in Philips HDI 4000 Ultrasound systems which could be exploited to gain access to ultrasound images. In addition to stealing data, an attacker could doctor ultrasound images to prevent diagnosis of a potentially life-threatening health condition. Philips HDI 4000 Ultrasound systems are based on legacy operating systems such as Windows 2000 which are no longer supported. Any vulnerability in the operating system could be exploited to gain access to the system and patient data. One such vulnerability – CVE-2019-10988 – was detected by security researchers at Check Point, who reported the problem to Philips. US-CERT has recently issued an advisory about the vulnerability. Philips HDI 4000 Ultrasound systems reached end of life in December 2013 and are no longer sold, updated, or supported by Philips, yet many healthcare organizations continue to use the systems even through they are vulnerable to attack. US-CERT warns that multiple exploits are already in the public domain and could be used to gain access to the systems. Since the devices are...

Read More
Code Execution Vulnerability Identified in Change Healthcare Cardiology Devices
Sep02

Code Execution Vulnerability Identified in Change Healthcare Cardiology Devices

A vulnerability has been identified in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. The vulnerability could be exploited by a locally authenticated user to insert files that could allow the attacker to execute arbitrary code on a vulnerable device. The vulnerability – CVE-2019-18630 – was identified by Alfonso Powers and Bradley Shubin of Asante Information Security who reported the vulnerability to Change Healthcare. Change Healthcare notified the National Cybersecurity & Communications Integration Center (NCCIC) and a security advisory has now been issued by US-CERT. The vulnerability has been assigned a CVSS v3 base score of 7.8 out of 10 and is the result of incorrect default permissions in the default installation. While the vulnerability only requires a low level of skill to exploit, an attacker would first need local system access which will limit the potential for the flaw to be exploited. Change Healthcare has issued an advisory for users of the following cardiology devices: Horizon Cardiology 11.x and earlier Horizon Cardiology...

Read More
OCR Offers Advice on Managing Malicious Insider Threats
Aug30

OCR Offers Advice on Managing Malicious Insider Threats

Healthcare organizations can implement robust defenses to prevent hackers from gaining access to sensitive data, but not all threats come from outside the organization. It is also important to implement policies, procedures, and technical solutions to detect and prevent attacks from within. Healthcare employees require access to protected health information (PHI) to perform their work duties. While those individuals may be deemed trustworthy, providing access to PHI exposes the organization to risk. Workers can go rogue and access patient information without authorization and could easily abuse their access rights and steal patient data for financial gain. There will always be the occasional bad apple, but the 2019 Verizon Data Breach Investigations Report suggests the problem is far more prevalent. According to the report, 59% of all security incidents and data breaches analyzed for the report were caused by insiders. Many of those breaches were due to mistakes made by healthcare employees, but a significant percentage were caused by malicious insiders who stole patient...

Read More
Ransomware Attack Impacts More Than 400 U.S. Dental Practices
Aug30

Ransomware Attack Impacts More Than 400 U.S. Dental Practices

A ransomware attack on a medical record backup service has prevented hundreds of dental practices in the United States from accessing their patients’ records. The attack occurred on August 26, 2019 and affected the DDS Safe backup solution developed by Wisconsin-based software company, Digital Dental Record (DDS). The DDS system was accessed via an attack on its cloud management provider, West Allis, WI-based PerCSoft. Ironically, the DDS website states DDS Safe helps to protect dental practices against ransomware attacks. The attack did not affect all dental practices using the DDS Safe solution. Initial reports suggest between 400 and 500 of the 900 dental practices using the solution have been affected by the REvil/Sodinokibi ransomware attack. PerCSoft, assisted by a third-party software company, has obtained a decryptor and is in the process of recovering the encrypted files. According to a statement from DDS, recovery of files is estimated to take between 30 minutes to 4 hours per client. Some dental practices have reported file loss as a result of the attack and others have...

Read More
OMB Audit Confirms HHS Information Security Program is “Not Effective”
Aug27

OMB Audit Confirms HHS Information Security Program is “Not Effective”

The Office of Management and Budget (OMB) has submitted its annual report to Congress on the state of cybersecurity in federal agencies, as required by the Federal Information Security Modernization Act of 2014 (FISMA). For the report, OMB assessed 4 of the 12 operating divisions of the Department of Health and Human Services (HHS) to assess compliance with FISMA and determined the HHS security program was ‘not effective.’ The agency had not achieved a Managed and Measurable level of maturity for the Identify, Protect, Detect, Respond and Recover functional areas. The HHS was determined to be managing risk in the ‘Detect’ functional area but was at risk in the other four functional areas. The HHS has been working on improving its security posture and progress has been made, but there is still a long way to go. OMB found major weaknesses in multiple areas, including identity and access management, risk management, contingency planning, and incident response. OMB notes that since the HHS is operating in a federated environment, there are many challenges in achieving a ‘Managed and...

Read More
July 2019 Healthcare Data Breach Report
Aug26

July 2019 Healthcare Data Breach Report

May 2019 was the worst ever month for healthcare data breaches with 46 reported breaches of more than 500 records. More breaches were reported in May than any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record of 44 breaches was broken in July. July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018. July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July. There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year. Causes of July 2019 Healthcare Data Breaches   The main reason for the increase in...

Read More
Why Are Hackers Targeting the Healthcare Industry?
Aug22

Why Are Hackers Targeting the Healthcare Industry?

The healthcare industry is under attack. More data breaches are being reported than ever before, but what is the motivation behind these attacks? Why are hackers targeting the healthcare industry? A new report from FireEye provides some answers. For the report, FireEye researchers studied recent healthcare cyberattacks and identified the tactics being used, the actions of the hackers post-compromise, and what the ultimate goals of the attacks were. The researchers were able to classify attacks into two groups: Those concerned with theft of data and disruptive/destructive threats. Many attacks are focused on obtaining patient data although research data can also be extremely valuable. Cyberattacks concerned with obtaining research information have a low, but noteworthy impact risk to healthcare organizations. These attacks are most commonly associated with nation-state threat actors. Cybercriminal gangs and nation-state sponsored hacking groups are investing time and resources into targeting specific healthcare organizations that store treasure troves of data. That could be a...

Read More
Study Raises Awareness of Threat of Lateral Phishing Attacks
Aug21

Study Raises Awareness of Threat of Lateral Phishing Attacks

A recent study by the University of San Diego, University of California Berkeley, and Barracuda Networks has shed light on a growing threat to healthcare organizations – Lateral phishing. In a standard phishing attack, an email is sent containing an embedded hyperlink to a malicious website where login credentials are harvested. The emails contain a lure to attract a click. That lure is often tailored to the organization being attacked. These phishing emails are relatively easy to identify and block because they are sent from outside the organization. Lateral phishing is the second stage in the attack. When an email account is compromised, it is then used to send phishing emails to other employees within the organization. Phishing emails are also sent to companies and individuals with a relationship with the owner of the compromised account. This tactic is very effective. Employees are trained to be suspicious of emails from unknown senders. When an email is received from a person in the organization that usually corresponds with the employee via email, there is a much higher...

Read More
32% of Healthcare Employees Have Received No Cybersecurity Training
Aug21

32% of Healthcare Employees Have Received No Cybersecurity Training

There have been at least 200 breaches of more than 500 records reported since January and 2019 looks set to be another record-breaking year for healthcare data breaches. The continued increase in data breaches prompted Kaspersky Lab to conduct a survey to find out more about the state of cybersecurity in healthcare. Kaspersky Lab has now published the second part of its report from the survey of 1,758 healthcare professionals in the United States and Canada. The study provides valuable insights into why so many cyberattacks are succeeding. Almost a third of surveyed healthcare employees (32%) said they have never received cybersecurity training in the workplace. Security awareness training for employees is essential. Without training, employees are likely to be unaware of some of the cyber threats that they will encounter on a daily basis. Employees must be trained how to identify phishing emails and told of the correct response when a threat is discovered. The failure to provide training is a violation of HIPAA. Even when training is provided, it is often insufficient. 11% of...

Read More
NIST Releases New Guidance on Securing IoT Devices
Aug07

NIST Releases New Guidance on Securing IoT Devices

The National Institute of Standards and Technology (NIST) has released a new guide for manufacturers of Internet of Things (IoT) devices to help them incorporate appropriate cybersecurity controls to ensure the devices are protected against threats when users connect them to the Internet. The guide is the second in a series of publications on the security of IoT devices. The first document outlined the risks posed by IoT devices. The latest guide – Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers – is intended to help manufacturers incorporate core cybersecurity features into their IoT devices to reduce the prevalence and severity of IoT device compromises.   The draft document defines a core baseline of cybersecurity features which should be incorporated into all IoT devices, along with additional features that should be considered to provide a level of protection over and above the baseline that is appropriate for most customers. The manufacturers of IoT devices have a responsibility to ensure that their devices...

Read More
GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies
Aug07

GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies

The Government Accountability Office (GAO) conducted a study of 23 federal agencies and found widespread cybersecurity risk management failures. Federal agencies are targeted by cybercriminals, so it is essential for safeguards to be implemented to protect against those threats. Federal law requires government agencies to adopt a risk-based approach to cybersecurity to identify, prioritize, and manage cybersecurity risks. The GAO was asked to conduct its review to determine whether federal agencies had established the key elements of a cybersecurity risk management program, what challenges were faced when developing those programs, and what steps had been taken by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) to address their responsibilities with respect to addressing cybersecurity challenges faced by federal agencies. The study revealed all but one (22) federal agency had appointed a cybersecurity risk executive, but other important elements of the risk management program had not been incorporated at many of the agencies assessed for the...

Read More
VA OIG Report Highlights Risk of Medical Device Workarounds
Aug06

VA OIG Report Highlights Risk of Medical Device Workarounds

A recent inspection of a California VA medical center by the Department of Veteran Affairs Office of Inspector General (VA OIG) has revealed security vulnerabilities related to medical device workarounds and multiple areas of non-adherence with Veterans Health Administration (VHA) and VA policies. Tibor Rubin VA Medical Center in Long Beach, California was inspected by the VA OIG after VHA and VA privacy and security policy violations were identified during an unrelated investigation. The auditors identified inappropriate staff workarounds for transferring and integrating information from patient medical devices into the medical center’s EHR system. The auditors also found two potential breaches of patient information while performing the inspection. The medical center did not have an interface between VHA medical devices and its EHR system, which forced staff to use inappropriate workarounds. Biomedical engineering and IT assistance had not fully resolved software interface issues between VHA medical devices and the EHR, and facility staff were using unapproved communication modes...

Read More
Judge Approves $74 Million Premera Blue Cross Data Breach Settlement
Aug05

Judge Approves $74 Million Premera Blue Cross Data Breach Settlement

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records. US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the defense’s case against Premera and the likely cost of continued litigation. The settlement will see $32 million made available to victims of the breach to cover claims for damages of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years. Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that...

Read More
First Half of 2019 Sees 31.6 Million Healthcare Records Breached
Aug02

First Half of 2019 Sees 31.6 Million Healthcare Records Breached

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May. According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records). One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been...

Read More
DHS Issues Best Practices to Safeguard Against Ransomware Attacks
Aug01

DHS Issues Best Practices to Safeguard Against Ransomware Attacks

Ransomware appeared to have gone out of fashion in 2018, but that is certainly not the case in 2019. Q1, 2019 saw a 195% increase in ransomware attacks and a further 184% increase in Q2. Judging by the number of ransomware attacks reported in the past few weeks, the Q3 figures are likely to be even worse. States, cities, and local governments have been extensively targeted as has the healthcare industry. Many victims have been forced to pay sizable ransoms to regain access to critical data. Others have been forced to permanently close their doors. In response to the growing number of attacks, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have issued a joint statement in which recommendations are given to help improve resilience to ransomware attacks. The statement was issued primarily to state, local, territorial and tribal governments, although the...

Read More
Sonicwall 2019 Mid-Year Cyber Threat Report Shows Rise in Ransomware, Cryptojacking and IoT Attacks
Aug01

Sonicwall 2019 Mid-Year Cyber Threat Report Shows Rise in Ransomware, Cryptojacking and IoT Attacks

The Sonicwall 2019 Mid-Year Cyber Threat Report provides insights into the main threats faced by businesses and is based on data from over 200 countries and more than 1 million security sensors around the globe. The report shows there has been a 20% drop in malware attacks in the first half of 2019. While malware attacks have dropped overall, Sonicwall’s report shows an escalation in the use of open source malware kits. The first half of 2019 saw 74,360 never-before-seen malware variants. Ransomware attacks are now being reported at a higher rate and this is reflected in the report. Sonicwall’s figures show there has been a 15% increase in ransomware attacks and an escalation in the use of ransomware-as-a-service. Malware and ransomware can be installed using a variety of methods, although email continues to be the attack vector of choice for many threat actors. Email-based malware attacks most commonly use Office files and PDF files that contain code that downloads a malicious payload. Between February and March 2019, 51% of never-before-seen attacks came from PDF attachments and...

Read More
Critical VxWorks Vulnerabilities Impact 2 Billion Devices
Jul31

Critical VxWorks Vulnerabilities Impact 2 Billion Devices

Security researchers at Armin have identified 11 vulnerabilities in the VxWorks real-time operating system that is used in around 2 billion IoT devices, medical devices, and control systems. Six of the vulnerabilities have been rated critical and can be exploited remotely with no user interaction required. A successful exploit would allow a hacker to take full control of an affected device. The vulnerabilities are collectively known as “Urgent/11” VxWorks was first created more than 30 years ago and was developed to serve as an ultra-reliable operating system capable of processing data quickly. Today, VxWorks is the most popular real-time operating system in use and can be found in patient monitors, MRI machines, elevator control systems, industrial controllers, data acquisition systems, modems, routers, firewalls, VOIP phones, and printers. Armin researchers alerted Wind River about the flaws and patches have now been issued to address the vulnerabilities. Wind River said all currently supported versions of VxWorks are affected by at least one of the vulnerabilities. The...

Read More
Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI
Jul29

Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI

On June 7, 2019, Louisville, KY-based Park DuValle Community Health Center suffered a ransomware attack. Hackers succeeded in gaining access to its network and installed ransomware which rendered its medical record system and appointment scheduling platform inaccessible. The not-for-profit health center provides medical services to the uninsured and low-income patients in the western Louisville area. For seven weeks, employees at the health center have been recording patient information on pen and paper and have had to rely on patients’ accounts of past treatments and medications. With its systems out of action, no patient data could be viewed, and appointments could not be scheduled. The clinic had to operate on a walk-in basis. The medical record system contained the records of around 20,000 current and former patients who had previously received treatment at one of its medical centers in Louisville, Russell, Newburg, or Taylorsville. This is not the first ransomware attack suffered by the health center this year.  A prior attack occurred on April 2, 2019, which similarly took...

Read More
HIPAA Compliance and Cloud Computing Platforms
Jul28

HIPAA Compliance and Cloud Computing Platforms

Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure. Even when a cloud computing platform provider has HIPAA certification, or claims their service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis – See 45 CFR §§ 164.308(a)(1)(ii)(A) – has been performed. A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service – 45 CFR §§ 164.308(a)(1)(ii)(B). Any risks identified must be managed and reduced to a reasonable and appropriate level. It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered entity fully understands the cloud computing environment and the service being offered by the platform...

Read More
NIST Releases Draft Mobile Device Security Guidance for Corporately-Owned Personally-Enabled Devices
Jul26

NIST Releases Draft Mobile Device Security Guidance for Corporately-Owned Personally-Enabled Devices

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has issued draft mobile device security guidance to help organizations improve the security of corporately-owned personally-enabled (COPE) mobile devices and reduce the risk the devices pose to network security. Mobile devices are now essential in modern business. They provide easy access to resources and data and allow employees to work more efficiently. Mobile devices are increasingly being used to perform everyday enterprise tasks, which means they are used to access, view, and transmit sensitive data. The devices introduce new threats to the enterprise that do not exist for traditional IT devices such as desktop computers and mobile devices are subject to different types of attacks. A different approach is therefore required to ensure mobile devices are secured and risks are effectively managed. Mobile devices are typically always on and always connected to the Internet and they are often used to access corporate networks remotely via untrusted networks. Malicious...

Read More
$301 Million Lost to BEC Attacks Each Month
Jul25

$301 Million Lost to BEC Attacks Each Month

Figures released by the Treasury Department show a steady rise in business email compromise (BEC) attacks over the past two years. More than twice the number of successful BEC attacks were reported in 2018 than 2016 and losses to these scams are skyrocketing. Business email compromise – BEC – is the name given to a type of an email impersonation attack. It typically involves the impersonation of the CEO or another figure of authority in the organization. Those individuals are usually targeted with spear phishing emails and are directed to phishing websites or tricked into downloading malware that steals their email credentials. The compromised email account is then used to send specially crafted messages to individuals in the organization who have the authority to make wire transfer payments, reroute payments, or change payroll information. BEC scams are becoming increasingly sophisticated and cybercriminal gangs are investing heavily in their operations due to the huge potential returns. The Treasury Department Financial Crimes Enforcement Network report revealed an average of...

Read More
How to Choose the Right Healthcare Cloud Provider
Jul24

How to Choose the Right Healthcare Cloud Provider

Healthcare organizations often turn to a HIPAA compliant cloud vendor or Managed Service Provider to help them ensure electronic patient records are secured and they are in compliance with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA contains an extensive set of rules for healthcare organizations which were introduced in 1996 to improve privacy and security of patient information, eliminate waste in healthcare, and combat fraud. This legislative act introduced new and legally binding requirements for healthcare providers to secure their systems, improve privacy and security protections, and keep health data private and confidential at all times. The Act and its subsequent updates have served to strengthen privacy protections, give patients new rights, and ensure that all healthcare organizations achieve a minimum standard of data security. It may seem that HIPAA is at odds with cloud computing, but there is nothing in HIPAA legislation that prohibits use of the cloud for sharing or storing patient data. HIPAA covered entities can use cloud platforms and...

Read More
2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs
Jul24

2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs

The Ponemon Institute/IBM Security has published its 2019 Cost of a Data Breach Report – A comprehensive analysis of data breaches reported in 2018. The report shows data breach costs have continue to rise and the costliest breaches are experienced by healthcare organizations, as has been the case for the past 9 years. Average Data Breach Costs $3.92 Million Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150; up from $148 last year. Globally, the healthcare industry has the highest breach costs with an average mitigation cost of $6.45 million. Healthcare data breaches typically cost 65% more than data breaches experienced in other industry sectors. Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million. Healthcare Data Breaches Cost...

Read More
June 2019 Healthcare Data Breach Report
Jul24

June 2019 Healthcare Data Breach Report

For the past two months, healthcare data breaches have been reported at a rate of 1.5 per day – Well above the typical rate of one per day. In June, data breaches returned to more normal levels with 30 breaches of more than 500 healthcare records reported in June – 31.8% fewer than May 2019.   While the number of reported data breaches fell,  June saw a 73.6% increase in the number of health records exposed in data breaches. 3,452,442 healthcare records were exposed in the 30 healthcare data breaches reported in June. Largest Healthcare Data Breaches in June 2019 The increase in exposed records is due to a major breach at the dental health plan provider Dominion Dental Services (Dominion National Insurance Company). Dominion discovered an unauthorized individual had access to its systems and patient data for 9 years. During that time, the protected health information of 2,964,778 individuals may have been stolen. That makes it the largest healthcare data breach to be reported to the Office for Civil Rights so far in 2019 – At least for a month until entities affected by...

Read More
AMCA Victim Count Swells to Almost 25 Million Records
Jul23

AMCA Victim Count Swells to Almost 25 Million Records

The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is now nearing 25 million and 18 healthcare providers are now known to have been affected. The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers. AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it has been impacted by the breach, closely followed by LabCorp and...

Read More
Study Reveals Increase in Ransomware Attacks and 3x Hike in Ransom Demands
Jul18

Study Reveals Increase in Ransomware Attacks and 3x Hike in Ransom Demands

Ransomware attacks have continued to increase in Q2, 2019, according to a new report from ransomware recovery service provider Coveware. When businesses experience a ransomware attack, Coveware helps firms recover their data, either through free remediation options or by negotiating with the attackers. Coveware studied anonymized data on ransomware attacks experienced by its clients and found that ransomware payments have increased by 184% during the second quarter of 2019. The average ransom payment in Q1 was $12,762. In Quarter 2, the average payment was $36,295. In Q2, 2019, the most common method of attack was via RDP ports, which were the attack vector in 59.1% of ransomware attacks. Coveware notes that there has been a sharp quarter-over-quarter increase in email-based attacks, which accounted for 34.1% of incidents in Q2. Software vulnerabilities were exploited in 6.8% of attacks. The software vulnerabilities were exploited by the Sodinokibi ransomware threat actors, who used vulnerabilities in managed service provider (MSP) backend integrations (Webroot/Kaseya) to gain...

Read More
Direct-to-Consumer DNA Testing Company Exposed Personal Information Online
Jul12

Direct-to-Consumer DNA Testing Company Exposed Personal Information Online

San Francisco, CA-based Vitagene, a health tech company that provides direct-to-consumer DNA-testing services, has inadvertently exposed the personal and genealogy information of thousands of customers to unauthorized access over the Internet. The Vitagene DNA testing service is part of a DNA-based personalized health and wellness platform. Individuals undergo genetic testing to determine their likelihood of developing certain diseases. Vitagene then develops a personalized health and wellness action plan tailored to the individual. During beta testing, patient records were uploaded to Amazon Web Services cloud servers, but security controls had not been configured correctly. The files could be viewed by anyone without the need for any authentication. Vitagene became aware of the problem in late June and by July 1, external access to customer files was blocked. A spokesperson for Vitagene confirmed that the breach had impacted a small number of its customers who had used its DNA-testing service between 2015 and 2017. The exposed records contained information such as names,...

Read More
Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance
Jul10

Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance

Compliancy Group is offering healthcare professionals an opportunity to take part in a webinar covering the main threats facing the healthcare industry. Threats such as ransomware, malware, and phishing will be discussed by compliance experts in relation to HIPAA and the privacy and security of patient data. Cybersecurity has become more important than ever in healthcare. The industry is seen as a weak target by hackers, large volumes of data are stored, and patient information carries a high value on the black market. April 2019 saw the highest number of healthcare data breaches in a single month and more healthcare data breaches were reported in 2018 than in any other year to date. The increased frequency of attacks on organizations of all sizes highlights just how important cybersecurity has become. Cyberattacks are not only negatively affecting businesses in the healthcare sector, but also place the privacy of patient’s health information at risk. While it was once sufficient to implement standard security tools, the sophisticated nature of attacks today mean new solutions are...

Read More
Vulnerability Identified in GE Aestiva and Aespire Anesthesia Machines
Jul10

Vulnerability Identified in GE Aestiva and Aespire Anesthesia Machines

An improper authentication vulnerability has been identified in GE Aestiva and Aespire Anesthesia devices which are used in hospitals throughout the United States. The vulnerability – CVE-2019-10966 – could allow a remote attacker to modify the parameters of a vulnerable device and silence alarms. Possible alterations include making changes to gas composition parameters to correct flow sensor readings for gas density and altering the time on the device. The flaw is due to the exposure of certain terminal server implementations which extend GE Healthcare anesthesia device serial ports to TCP/IP networks. The vulnerability could be exploited if serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration. The vulnerability has been assigned a CVSS v3 base score of 5.3 out of 10 and affects GE Aestiva and Aespire versions 7100 and 7900. GE Healthcare has confirmed this is not a vulnerability in GE Healthcare device themselves. While the flaw could be exploited, GE Healthcare has determined via a formal risk investigation that “there is no...

Read More
Consumers Concerned About Medical Device Security
Jul09

Consumers Concerned About Medical Device Security

The importance consumers place on the privacy and security of their health information has been explored in a recent nCipher Security survey. The survey was conducted on 1,300 U.S. consumers and explored attitudes toward online privacy, the sharing of sensitive information, and data breaches. The survey revealed consumers are more concerned about their financial information being hacked than their health information. 42% of respondents said their biggest cybersecurity concern was their financial information being stolen, compared to 14% whose main concern was the theft of their health data. Concern about financial losses is understandable. Theft of financial information can have immediate and potentially very serious consequences. Theft of health data may not be viewed to be as important by comparison, but consumers are still concerned about the consequences of a breach of their personal information. Over one third of consumers said they were worried that hackers would tamper with their data and 44% were concerned about identity theft after a data breach. 22% of consumers said they...

Read More
Critical Vulnerability Identified in Burrow-Wheeler Aligner Genomics Mapping Software
Jul08

Critical Vulnerability Identified in Burrow-Wheeler Aligner Genomics Mapping Software

Researchers at Sandia National Laboratories have discovered a vulnerability in open source software used by genomic researchers. If exploited, an attacker could gain access to and alter sensitive genetic information. DNA screening is a two-step process. First, a patient’s DNA is sequenced and their genome is mapped. Then, the patient’s genetic information is compared with a standardized human genome. Any differences between the two are assessed to determine whether genetic differences are due to diseases. A software tool is used to make the comparison. Sandia researchers discovered a stack-based buffer overflow vulnerability – CVE-2019-10269 – in the Burrow-Wheeler Aligner (BWA) program used by many researchers to perform DNA-based medical diagnostics. The vulnerability is present at the point where BWA imports the standardized human genome from government servers. Patient information is transmitted via an insecure channel and could be intercepted in a man-in-the-middle attack. An attacker could intercept the standardized human genome, combine it with malware, and then...

Read More
U.S. Cyber Command Warns of Active Exploitation of 2017 Outlook Vulnerability
Jul05

U.S. Cyber Command Warns of Active Exploitation of 2017 Outlook Vulnerability

A two-year-old vulnerability in Microsoft Outlook is being exploited by hackers in targeted attacks on U.S. government networks. U.S. Cyber Command has issued a warning about vulnerability CVE-2017-1174, which is being actively exploited to install remote access Trojans and other forms of malware.  U.S. Cyber Command strongly recommends patching the vulnerability immediately to prevent exploitation. The flaw is a sandbox escape vulnerability which can be exploited if the attacker has the user’s outlook credentials, which could be obtained via a phishing attack or other means. The attacker could then change the user’s home page to a page with embedded code that downloads and executes malware when Outlook is opened. U.S. Cyber Command made no mention of the threat actors believed to be behind the attacks, although security researchers at Palo Alto Networks, FireEye, Chronicale, and others have linked the attacks to the Iran-backed cyberespionage group APT33. APT33 has been exploiting this vulnerability for at least a year, but instead of using phishing, the group conducts brute force...

Read More
Smaller Healthcare Providers Struggling to Implement Healthcare Cybersecurity Best Practices
Jul03

Smaller Healthcare Providers Struggling to Implement Healthcare Cybersecurity Best Practices

A recent study of cybersecurity best practices adopted by large and small healthcare providers has revealed there is a growing gulf between the two. Larger providers are more likely to have mature, sophisticated cybersecurity defenses, while smaller providers are struggling to follow cybersecurity best practices. For the study, KLAS and CHIME analyzed responses to the 2018 Healthcare’s Most Wanted survey given by around 600 healthcare providers and assessed each to determine whether they were adhering to healthcare cybersecurity best practices. One of the requirements of the Cybersecurity Act of 2015 was for the Department of Health and Human Services (HHS) to form a task group to develop guidance for healthcare providers to help them manage and mitigate threats to patient data. The 405(d) Task Group released the document – Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) – which details 10 cybersecurity principles relevant to healthcare providers of all sizes. These principles must be addressed to ensure cybersecurity risks are...

Read More
Medtronic Recalls Insulin Pumps Due to Cybersecurity Risk
Jun28

Medtronic Recalls Insulin Pumps Due to Cybersecurity Risk

The United States Computer Emergency Readiness Team (US-CERT) and the Food and Drug Administration (FDA) have issued alerts about cybersecurity flaws in certain Medtronic insulin pumps. The affected insulin pumps connect with other devices such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices using wireless RF. Vulnerabilities have been identified in certain MiniMed 508 and MiniMed Paradigm insulin pumps which could allow an attacker with adjacent access to an affected product to intercept, modify, or interfere with the RF communications to or from the product. Consequently, it would be possible to read data sent to and from the device, alter the settings of the insulin pump, and take control of insulin delivery. An attack could therefore result in hypoglycemia, diabetic ketoacidosis, or death. The flaw – CVE-2019-10964 – is due to the communications protocol not properly implementing authentication or authorization and has been assigned a CVSS v3 base score of 7.1 out of 10. The flaw was uncovered by security researchers Nathanael Paul,...

Read More
DHS Warns of Increasing Risk of Wiper Malware Attacks by Iranian Threat Actors
Jun25

DHS Warns of Increasing Risk of Wiper Malware Attacks by Iranian Threat Actors

The Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning following a rise in cyberattacks by ‘Iranian regime actors.’ The warning from Christopher C. Krebs came as tensions are building between the United States and Iran. Iran has been accused of planting magnetic mines to damage commercial shipping vessels and a U.S. surveillance drone was shot as it flew over the Strait of Hormuz. Iran claims the drone was flying in its territory. The U.S. responded with a planned air strike, although it was called off by President Trump due to the likely loss of life. However, a strike did take place in cyberspace. The U.S. Cyber Command has reportedly launched an attack on an Iranian spying group, Islamic Revolutionary Guard Corps, that is believed to have been involved in the mine laying operation. According to a recent report in the Washington Post, the cyberattacks disabled the command and control system that was used to launch missiles and rockets. Iranian threat actors have also been highly active. There have been...

Read More
Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches
Jun24

Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches

Cybercriminals are managing to find and exploit vulnerabilities to gain access to healthcare networks and patient data with increasing regularity. The past two months have been the worst and second worst ever months for healthcare data breaches in terms of the number of breaches reported. Phishing attacks on healthcare organizations have increased and email is now the most common location of breached protected health information. However, a recent analysis of the data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in the past 12 months has revealed servers to be the biggest risk. Servers were found to be involved in more than half of all healthcare data breaches. Clearwater Cyberintelligence Institute (CCI) analyzed the 90 healthcare data breaches reported to OCR in the past 12 months. Those breaches resulted in the exposure, impermissible disclosure, or theft of the records of more than 9 million individuals. The CCI analysis revealed 54% of all reported breaches of 500 or more healthcare records were in some way related to servers....

Read More
May 2019 Healthcare Data Breach Report
Jun20

May 2019 Healthcare Data Breach Report

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information. On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day. From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year. It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm. May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of...

Read More
High and Critical Severity Vulnerabilities Identified in Certain BD Alaris Gateway Workstations
Jun18

High and Critical Severity Vulnerabilities Identified in Certain BD Alaris Gateway Workstations

Two vulnerabilities have been identified in certain Becton Dickinson (BD) infusion pumps. One of the vulnerabilities is rated critical and has been given the maximum CVSS v3 score of 10 out of 10. BD has a history of proactively searching for vulnerabilities, addressing cybersecurity issues, and communicating details of the vulnerabilities in a timely fashion. BD voluntarily disclosed the two vulnerabilities in recent security bulletins and shared details of the flaws with information Sharing and Analysis Organizations (ISAOs). In this instance, the vulnerabilities were discovered by Elad Luz of CyberMDX and reported to BD. The Department of Homeland Security’s Industrial Control System Computer Emergency Response Team (ICS-CERT) has also issued a security advisory about the flaws. Both flaws affect BD Alaris™ Gateway Workstations, but not any gateway workstations that are sold or used in the United States. The affected devices are used in around 50 countries, mostly in Europe in Germany, Spain, the Netherlands, and the United Kingdom. The vulnerability affects fewer than 3,000...

Read More
HHS One of Three Departments in Most Critical Need of IT Modernization
Jun13

HHS One of Three Departments in Most Critical Need of IT Modernization

The Government Accountability Office (GAO) has published the findings of an audit of all federal government systems that run on legacy systems. The aim of the audit was to determine the extent to which legacy software and systems are in use, and which departments are in most critical need of modernization. In total, 65 federal agency systems were assessed at 24 different agencies to produce a list of the top ten systems in need of modernization. GAO then assessed the agencies’ plans to update their systems and measured those plans against IT modernization best practices. The Department of Health and Human Services (HHS) is one of the top three departments in need of modernization, behind the Department of Education (DoE) and the Department of Defense (DoD). Only three departments were deemed to have both high system criticality and a high security risk: HHS, DoE, and the Department of Homeland Security. The level of modernization required by HHS is considerable. One legacy system is 50 years old yet is still being extensively used to support clinical and patient administrative...

Read More
Ransomware and Data Destruction Attacks Dominate Healthcare Threat Landscape
Jun11

Ransomware and Data Destruction Attacks Dominate Healthcare Threat Landscape

A recent report from Carbon Black has revealed 66% of healthcare organizations have experienced a ransomware attack in the past year and 45% experienced an attack in which data destruction was the main motivation behind the attack. The figures come from Carbon Black’s latest report: Healthcare Cyber Heists in 2019. Carbon Black sought input from 20 industry leading CISOs and questioned them about the cyberattacks they had experienced in the past year, the tactics used in the attacks, and how the threat landscape is evolving. Last year was a record-breaking year for healthcare data breaches and attacks are continuing at an unprecedented level. April 2019 was the worst ever month for healthcare data breaches with 46 major breaches (500+ records) reported to the HHS’ Office for Civil Rights. “The potential, real-world effect cyberattacks can have on healthcare organizations and patients is substantial,” explained Rick McElroy, Carbon Black’s Head of Security Strategy and co-author of the report. “Cyber attackers have the ability to access, steal and sell patient information on the...

Read More
Fresh BlueKeep Warning Issued by Microsoft: Public Exploits Exist and Attacks Imminent
Jun05

Fresh BlueKeep Warning Issued by Microsoft: Public Exploits Exist and Attacks Imminent

Microsoft has issued a fresh warning about the recently discovered BlueKeep vulnerability in Remote Desktop Services (CVE-2019-0708) following the online publication of proof-of-concept exploits for the flaw. Microsoft released fixes for the flaw on May 14, 2019. As was the case with the vulnerability that was exploited in the WannaCry ransomware attacks in 2017, patches were also released for unsupported Windows versions. The vulnerability is critical and could be exploited remotely via Remote Desktop Protocol (RDP) without any user interaction required. As one security researcher has shown, finding devices that have not been patched is far from difficult. Robert Graham of Errata Security performed a scan of the internet and found almost 1 million devices that have still not had the patch applied or protected using Microsoft’s recommended mitigations. Graham is not the only person to have performed scans for vulnerable devices. There has been a major increase in scans in recent days. It appears that cybercriminals are preparing for attacks. The fresh warning is an unusual step for...

Read More
40% of Healthcare Delivery Organizations Attacked with WannaCry Ransomware in the Past 6 Months
May31

40% of Healthcare Delivery Organizations Attacked with WannaCry Ransomware in the Past 6 Months

Healthcare organizations have been slow to correct the flaw in Remote Desktop Services that was patched by Microsoft on May 14, 2019, but a new report from cybersecurity firm Armis has revealed many healthcare organizations have still not patched the Windows Server Message Block (SMB) flaw that was exploited in the WannaCry ransomware and NotPetya wiper attacks in May and June 2017. The WannaCry attacks served as a clear reminder of the importance of prompt patching. Microsoft released patches for the vulnerability on March 2017. On May 12, 2017, the WannaCry ransomware attacks started. In the space of just a few days, more than 200,000 devices were infected in 150 countries. The hackers behind the attack used the NSA exploits EternalBlue and DoublePulsar to spread the malware across entire networks. The National Health Service (NHS) in the UK was hit particularly badly due to the extensive use of legacy systems and the failure to apply patches promptly. Around one third of NHS Trusts in the UK were affected, 19,000 appointments had to be cancelled at a cost of around £20 million,...

Read More
Almost 1 Million Windows Devices Still Vulnerable to Microsoft BlueKeep RDS Flaw
May30

Almost 1 Million Windows Devices Still Vulnerable to Microsoft BlueKeep RDS Flaw

More than two weeks after Microsoft issued a patch for a critical, wormable flaw in Remote Desktop Services, nearly 1 million devices have yet to have the patch applied and remain vulnerable. Those devices have also not had the recommended mitigations implemented to reduce the potential for exploitation of the flaw. The vulnerability – CVE-2019-0708 – can be exploited remotely with no user interaction required and could allow a threat actor to execute arbitrary code on a vulnerable device, view, change, or delete data, install programs, create admin accounts, and take full control of the device. It would also be possible to then move laterally and compromise other devices on the network. Microsoft has warned that the vulnerability could be exploited via RDP and could potentially be used in another WannaCry-style attack. Microsoft released patches for the vulnerability on May 14 and, due to the seriousness of the flaw, the decision was taken to also release patches for unsupported Windows versions. The flaw affects Windows XP, Windows 7, Windows 2003, Windows Server 2008, and...

Read More
Siemens Healthineers Products Vulnerable to Microsoft BlueKeep Wormable Flaw
May29

Siemens Healthineers Products Vulnerable to Microsoft BlueKeep Wormable Flaw

Six security advisories have been issued covering Siemens Healthineers products. The flaws have been assigned a CVSS v3 score of 9.8 and concern the recently announced Microsoft BlueKeep RDS flaw – CVE-2019-0708. CVE-2019-0708 is a remotely exploitable flaw that requires no user interaction to exploit. An attacker could exploit the flaw and gain full control of a vulnerable device by sending specially crafted requests to Remote Desktop Services on a vulnerable device via RDP. The flaw is wormable and can be exploited to spread malware to all vulnerable devices on a network in a similar fashion to the WannaCry attacks of 2017. The severity of the vulnerability prompted Microsoft to issue patches for all vulnerable operating systems, including unsupported Windows versions which are still used in many healthcare and industrial facilities. The flaw affects Windows 2003, Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2. If the patch cannot be applied, RDP should be disabled, port 3389 should be blocked at the firewall, and Network Level Authentication (NLA) should...

Read More
Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering
May28

Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000. MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules. Between May 7 and May 26 2015, hackers gained access to a server containing data related to its NMC service.  Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen. A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in...

Read More
HHS Confirms When HIPAA Fines Can be Issued to Business Associates
May27

HHS Confirms When HIPAA Fines Can be Issued to Business Associates

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules. On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate. Business associates of HIPAA Covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list.   You can download the HHS Fact Sheet on direct liability of business associates on this link. Penalties for HIPAA Violations by Business Associates The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the...

Read More
Medical Informatics Engineering Settles HIPAA Breach Case for $100,000
May24

Medical Informatics Engineering Settles HIPAA Breach Case for $100,000

Medical Informatics Engineering, Inc (MIE) has settled its HIPAA violation case with the HHS’ Office for Civil Rights for $100,000. MIE, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The hackers had access to the server for 19 days between May 7 and May 26, 2015. 239 of its healthcare clients were impacted by the breach. OCR was notified about the breach on July 23, 2015 and launched an investigation to determine whether it was the result of non-compliance with HIPAA Rules. OCR discovered MIE had failed to conduct an accurate and through risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI prior to the breach – A violation of the HIPAA Security Rule 45 C.F.R. § 164.308(a)(l)(ii)(A). As a result of that failure, there was an impermissible disclosure of 3.5 million...

Read More
April 2019 Healthcare Data Breach Report
May20

April 2019 Healthcare Data Breach Report

April was the worst ever month for healthcare data breaches. More data breaches were reported than any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years. While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – A 23.9% reduction from March.  While the breaches were smaller in March, the increase in breaches is of great concern, especially the rise in the number of healthcare phishing attacks. Largest Healthcare Data Breaches in April 2019 Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – A ransomware attack that exposed the records of 206,695 patients. The ransomware was deployed 7 months after the attacker had first gained...

Read More
Vulnerabilities Identified in Siemens Sinamics Perfect Harmony Drives and Scalance Access Points
May17

Vulnerabilities Identified in Siemens Sinamics Perfect Harmony Drives and Scalance Access Points

Siemens has discovered several high-severity vulnerabilities and one critical vulnerability in the Scalance W1750D direct access point. The vulnerabilities can be exploited remotely and require a low level of skill to exploit. If exploited, an attacker could gain access to the W1750D device and execute arbitrary code within its underlying operating system, gain access to sensitive information, perform administrative actions on the device, and expose session cookies for an administrative session. The vulnerabilities are present in all versions prior to 8.4.0.1 CVE-2018-7084 is a critical command injection vulnerability in the web interface that could allow arbitrary system commands to be performed within the underlying operating system. If exploited, files could be copied, the configuration could be read, the device could be rebooted, and files could be written or deleted.  The vulnerability has been assigned a CVSSv3 base score of 9.8 out of 10. CVE-2019-7083 is a high-severity information exposure vulnerability that could allow an attacker to access core dumps of previously...

Read More
New Study Uncovers Serious Holes in Healthcare Cybersecurity
May16

New Study Uncovers Serious Holes in Healthcare Cybersecurity

The sorry state of healthcare cybersecurity has been highlighted by a recent Forescout study. The study revealed the healthcare industry is overly reliant on legacy software, vulnerable protocols are extensively used, and medical devices are not properly secured. 75 global healthcare deployments were analyzed for the study, which included more than 1.5 million devices operating on 10,000 virtual local area networks (VLANs). The majority of those devices were running on legacy systems. While just 1% of devices used unsupported operating systems such as Windows XP, 71% had operating systems that are rapidly approaching end-of-life such as Windows 7, Windows 2008, and Windows Mobile. In January 2020, all three of those operating systems will be at end-of-life and will no longer be supported by Microsoft. The analysis revealed 85% of Windows devices had SMB running. It was a flaw in SMB that was behind the WannaCry ransomware attacks of 2017. Remote Desktop Protocol (RDP) is also commonly used. 35% of devices did not have RDP disabled. The use of File Transfer Protocol (FTP) was also...

Read More
Microsoft Patches Critical Flaw That Could be Exploited in WannaCry-Style Malware Attacks
May15

Microsoft Patches Critical Flaw That Could be Exploited in WannaCry-Style Malware Attacks

On Tuesday May 14, 2019, Microsoft released a patch to fix a ‘wormable’ flaw in Windows, similar to the vulnerability that was exploited in the WannaCry ransomware attacks in May 2017. The flaw is a remote code execution vulnerability in Remote Desktop Services – formerly Terminal Services – that can be exploited via RDP. The flaw (CVE-2019-0708) can be exploited by sending specially crafted requests via RDP to a vulnerable system. No authentication is required and the flaw can be exploited without any user interaction. If exploited, malware could propagate from one compromised computer to all other vulnerable computers on a network. If ransomware exploited the vulnerability, healthcare organizations could experience widespread file encryption and major disruption to operations. Microsoft has not received any reports to suggest the flaw is being actively exploited at present, but it is almost certain that exploits will be developed for the vulnerability and that those exploits will be incorporated into malware. The vulnerability is not present in Windows 8 and Windows 10, only...

Read More
DHS Issues Security Best Practices to Mitigate Risks Associated with Office 365 Migrations
May14

DHS Issues Security Best Practices to Mitigate Risks Associated with Office 365 Migrations

Body: The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a new analysis report highlighting some of the common risks and vulnerabilities associated with transitioning from on-premise mail services to cloud-based services such as Microsoft Office 365. The report details best practices to adopt to manage risks and prevent user and mailbox compromises. Many healthcare organizations have realized the benefits of transitioning to cloud-based email services yet lack the in-house expertise to manage their migrations. Many have used third-party service providers to migrate their email services to Office 365. CISA notes that use of third parties to manage Office 365 migrations has led to an increase in security incidents. Over the past 6 months, CISA has had several engagements with customers who have used third-party service providers to manage their migrations and discovered a range of different Office 365 configurations that lowered organization’s security posture and left them vulnerable to phishing and other cyberattacks. CISA notes that the majority of those...

Read More
Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records
May10

Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records

Two Chinese nationals who were allegedly behind the 2015 hacking of Anthem Inc., have been charged by the U.S. Department of Justice. 32-year-old Fujie Wang and an unnamed man have been charged in a 4-count indictment in relation to the Anthem cyberattack and theft of 78.8 million health insurance records, along with cyberattacks on three other U.S. businesses between 2014 and 2015. “The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Brian A. Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII.” The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer. According to the indictment, the international hacking scheme saw Wang and...

Read More
Key Findings of the 2019 Verizon Data Breach Investigations Report
May08

Key Findings of the 2019 Verizon Data Breach Investigations Report

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe. The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape.  The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources. The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below: C-Suite executives are 12 time more likely to be targeted in social engineering attacks than other employees Cyber-espionage related data breaches increased from 13% of breaches in 2017 to 25% in 2018 Nation-state attacks increased from 12% of attacks in 2017 to 23% in 2018 Financially motivated...

Read More
Ransomware Attacks Increased by 195% in Q1, 2019 but Trojans Remain the Biggest Threat
May03

Ransomware Attacks Increased by 195% in Q1, 2019 but Trojans Remain the Biggest Threat

Malwarebytes has released a new report detailing the current tactics and techniques being used by cybercriminals to gain access to business networks and sensitive data. Malwarebytes’ Cybercrime Tactics and Techniques Q1 2019 was compiled using data collected by its intelligence, and data science teams and telemetry from its consumer and business products between January 1 and March 31, 2019. The report reveals there has been a 235% increase in cyberattacks on corporate targets in the past 12 months. There has also been a marked decline in cryptomining and other threats on consumers, which fell by 40% in 2018. It is clear from the report that cybercriminals are concentrating their efforts on attacking businesses and SMBs are most at risk as they typically lack the resources to significantly improve their cybersecurity defenses. The report shows that Trojans are currently the biggest malware threat. Attacks involving Trojans are up 650% from the same time last year and attacks increased by 200% in Q1, 2019. The biggest threat is Emotet, which Malwarebytes describes as the “most...

Read More
OIG Gives HHS Information Security Program Rating of “Not Effective”
May02

OIG Gives HHS Information Security Program Rating of “Not Effective”

The U.S Department of Health and Human Services’ Office of Inspector General (OIG) has released a report of its annual review of the HHS to assess compliance with the Federal Information Security Management Act of 2014 (FISMA). An audit of the HHS information security program was conducted by Ernst & Young LLP in 2018 on behalf of OIG. The audit uncovered several security weaknesses in the HHS information security program, including some areas where security had deteriorated compared to the 2017 review. As a result of those weaknesses, the HHS information security program was determined to be “not effective”. OIG notes in its report that the HHS has made efforts to strengthen security across the entire agency, but overall, those efforts were insufficient to raise the level of maturity of its information security program to the ‘managed and measurable’ level in the five cybersecurity framework areas: Identify, protect, detect, respond, and recover. In order to attain the managed and measurable level, it is critical for the HHS to implement a continuous diagnostics and mitigation...

Read More
Vulnerability Identified in Philips Tasy EMR
May01

Vulnerability Identified in Philips Tasy EMR

A vulnerability has been identified in the Philips Tasy EMR information system. If exploited, an attacker could send unexpected information to the system, execute arbitrary code, alter information flow, and gain access to patient information. The flaw was identified by security researcher Rafael Honorato who reported the vulnerability to Philips, which reported the flaw to the National Cybersecurity and Communications Integration Center. An advisory about the vulnerability was issued by ICS-CERT on April 30, 2019. The vulnerability – CVE-2019-6562 – is present in Tasy EMR versions 3.02.174 and earlier, and mostly affects healthcare providers in Brazil and Mexico. The vulnerability has not been exploited in wild and no public exploits have been identified. The cross-site scripting vulnerability is caused by improper neutralization of user-controllable input during web page generation. The vulnerability requires a low level of skill to exploit by an individual on the customer site or connecting via a VPN. Despite the potential for information exposure, the vulnerability...

Read More
Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI
Apr26

Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI

The DICOM image format, which has been in use for around for 30 years, contains a design ‘flaw’ that could be exploited by hackers to embed malware in image files. Were that to happen, the malware would become permanently fused with protected health information. The DICOM file format was developed to allow medical images to be easily stored and shared. It eliminated the need for physical films and solved hardware compatibility issues. DICOM is now the standard format used for MRI and CT images and is supported by most medical imaging systems. The file format can be read by a range of devices that are used to view patient image files and diagnostic information. DICOM images contain a section at the start of the files called a Preamble. This section is used to facilitate access to the metadata within the images and ensure compatibility with image viewers which do not support the DICOM image format. By altering the Preamble section of the file, image viewers treat DICOM images as a file type that they support, such as a jpeg, allowing the file to be opened. This design feature is part...

Read More
Critical Vulnerability Identified in Fujifilm Computed Radiography Cassette Readers
Apr24

Critical Vulnerability Identified in Fujifilm Computed Radiography Cassette Readers

Two vulnerabilities have been identified in Fujifilm computed radiography cassette readers. If exploited, an attacker could gain access to the operating system, execute arbitrary code, render the devices inoperable, alter functionality, and cause image loss. The vulnerabilities are present in the following Fujifilm computed radiography cassette readers: CR-IR 357 FCR Capsula X CR-IR 357 FCR Carbon X CR-IR 357 FCR XC-2 The most serious vulnerability – CVE-2019-10950 – is due to improper access controls on telnet services. A remote attacker with a relatively low level of skill could exploit the vulnerability to gain access to the operating system and remotely execute code and affect the functionality of the device. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10. The second vulnerability – CVE-2019-10948 – is due to uncontrolled resource consumption. An overflow of TCP packets could be caused in a denial of service (DoS) attack. If exploited, a DoS attack could render the device in operable and would require a reboot to restore functionality. The...

Read More
Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules
Apr16

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

A recent study conducted by the consultancy firm CynergisTek has revealed many healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules. For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules. The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year. Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%). Out of the...

Read More
HHS Slow to Implement GAO Health IT and Cybersecurity Recommendations
Apr15

HHS Slow to Implement GAO Health IT and Cybersecurity Recommendations

The U.S. Department of Health and Human Services has been slow to implement cybersecurity recommendations made by the Government Accountability Office. In total, 392 recommendations have yet to be addressed, including 42 which GAO rated as high priority. Over the past four years, GAO has made hundreds of recommendations, but the HHS has only addressed 75% of them, 2% less than other government agencies. The poor implementation rate was outlined in a March 28, 2019 letter from the GAO to HHS secretary Alex Azar. GAO explained that healthcare is part of the nation’s critical infrastructure and relies heavily on computerized systems and electronic data to function. Those systems are regularly targeted by a diverse range of threat actors, so it is essential they are secured and protected from unauthorized access. GAO drew attention to four high priority recommendations covering health IT and cybersecurity that are still outstanding. “The four open priority recommendations within this area outline steps to ensure HHS can effectively monitor the effect of electronic health...

Read More
Data Security Incident Response Analysis Published by BakerHostetler
Apr11

Data Security Incident Response Analysis Published by BakerHostetler

BakerHostetler has released its fifth annual Data Security Incident Response Report, which contains an analysis of the 750+ data breaches the company helped manage in 2018. BakerHostetler suggests there has been a collision of data security, privacy, and compliance, and companies have been forced to change the way they respond to security breaches. In addition to federal and state regulations covering data breaches and notifications, companies in the United States must also comply with global privacy laws such as the EU’s General Data Protection Regulation (GDPR).  All of these different regulations make the breach response a complex process. The definitions of personal information and breach response and reporting requirements differ for GDPR, HIPAA, and across the 50 states. The failure to comply with any of the above-mentioned regulations can lead to severe financial penalties. It is therefore of major importance to be prepared for breaches and be able to respond as soon as a breach is discovered. This has led many companies to create committees to help manage data breaches,...

Read More
Study Reveals How Well Consumers Feel Health Data is Protected
Apr11

Study Reveals How Well Consumers Feel Health Data is Protected

The results of a study on healthcare cybersecurity from the perspective of consumers has recently been published by cybersecurity firm Morphisec. More than 1,000 consumers were surveyed to obtain their opinions on healthcare cybersecurity, the healthcare threat landscape, how their personal health information is being targeted, and how well they feel their health information is protected. The transition from paper records to electronic health records has improved efficiency and allows health information to be shared more easily, but vulnerabilities have been introduced that can be exploited by hackers. Morphisec notes that cyberattacks on the healthcare industry occur at more than double the rate of attacks on other industry sectors. The volume of attacks and frequency that they are reported in the media undoubtedly affects how secure consumers believe their health records are. Since 2009, more than 190 million healthcare records have been exposed or stolen, which is equivalent to 59% of the population of the United States, yet when consumers were asked if their providers have...

Read More
Hardin Memorial Health Cyberattack Results in EHR Downtime
Apr09

Hardin Memorial Health Cyberattack Results in EHR Downtime

Hardin Memorial Health in Kentucky has experienced a cyberattack which caused disruption to its IT systems and EHR downtime. The cyberattack started on the evening of Friday April 5. A statement issued by a spokesperson for the health system confirmed that IT systems were disrupted as a result of a security breach. Details of the cyberattack have not yet been released so it is unclear whether this was a hacking incident, malware or ransomware attack. The health system has been working round the clock to restore affected systems and servers. Hardin Memorial Health’s IT team has already brought most IT systems back online and has restored access to its EHR system in some units. Despite the lack of access to its EHR system, business continued as usual and the hospital did not have to cancel appointments. All 50 of its locations remained open. “At no time during this event has the quality and safety of patient care been affected,” said HMH Vice President and Chief Marketing and Development Officer, Tracee Troutt. Upon discovery of the security breach, emergency procedures were...

Read More
Malware Alters CT Scans and Creates and Removes Tumors
Apr05

Malware Alters CT Scans and Creates and Removes Tumors

There is growing concern about hackers gaining access to medical devices and conducting attacks to cause harm to patients. Now malware has been created that can add fake tumors to CT scans. The malware is not being used in real-world attacks. It has been created by researchers at the Ben Gurion University Cybersecurity Center in Israel to demonstrate just how easy it is to exploit vulnerabilities in medical imaging equipment. In addition to adding tumors to medical images the malware could be used to remove real tumors. The former could be conducted for political reasons such as preventing a candidate from running for office, the latter would prevent individuals from receiving treatment for a life-threatening illness. The technique could also be used for insurance fraud, sabotaging of medical trials, and cyber terrorism. Prior to a patient being prescribed radiation therapy or chemotherapy additional tests would be performed and the incorrect diagnosis would be identified, but patients would still be caused considerable emotional distress. The removal of tumors to make the patient...

Read More
Cross-sector and Bi-partisan Collaboration Critical for Improving Healthcare Organizations
Apr04

Cross-sector and Bi-partisan Collaboration Critical for Improving Healthcare Organizations

On February 21, 2019, Sen. Mark Warner (D-Va) wrote to several healthcare organizations and federal agencies requesting feedback on how the U.S. government and the healthcare industry can improve cybersecurity. Sen. Warner is concerned about the number of successful healthcare cyberattacks in recent years, the huge numbers of Americans who are impacted by the attacks, and the cost to the healthcare industry of remediating the attacks. In his letter, Sen. Warner referenced a study conducted by Accenture in 2015 that suggested cyberattacks would cost the healthcare industry more than $305 billion over the next 5 years. Sen. Warner asked healthcare industry stakeholders several well-crafted questions inviting them to share their thoughts on steps that are currently being taken to improve cybersecurity, address vulnerabilities, and respond to attacks. He also sought suggestions on potential strategies for the U.S. government to adopt to improve cybersecurity at a national level. Many of those contacted have responded to the request, including AdvaMed, the American Hospital Association...

Read More
OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits
Apr04

OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits

The HHS’ Office for Civil Rights has raised awareness of the risk of advanced persistent threats and zero-day exploits in its spring cybersecurity newsletter. Healthcare organizations are attractive targets for hackers due to quantity of sensitive data they store. Individual’s protected health information is highly valuable as it can be used for many different purposes, including identity theft, tax fraud, and gaining access to medical services. Sensitive information about medical conditions can also be used to blackmail individuals. Healthcare organizations also store research data, genetic data, and data from experimental treatments, all of which are of great value cybercriminals. The information can be used by foreign governments to drive innovation. There are many techniques that hackers use to break through defenses and silently gain access to networks, two of the most serious threats being advanced persistent threats and zero-day exploits. An advanced persistent threat (APT) is a term used to refer to repeated cyberattacks that attempt to exploit vulnerabilities to gain...

Read More
Webinar: April 4, 2019: Email Security, DMARC, and Sandboxing
Apr04

Webinar: April 4, 2019: Email Security, DMARC, and Sandboxing

The healthcare industry is particularly vulnerable to phishing attacks and successful attacks commonly result in significant data breaches. It is now something of a rarity for a week to pass without a healthcare phishing attack being reported. While healthcare organizations are providing security awareness training to staff and are using email security solutions, those defenses are not always effective. To improve understanding of why advanced attacks are managing to evade detection by traditional email security solutions, email security solution provider TitanHQ is hosting a webinar. During the webinar TitanHQ will explain about the threat from phishing and how organizations can protect themselves and their customers/patients. The webinar will also explain how two new features of TitanHQ’s SpamTitan email security solution – DMARC authentication and sandboxing – can protect against advanced email threats, zero-day attacks, malware, phishing, and spoofing. Webinar Details: Date : Thursday, April 4th, 2019 Time: 12pm EST Duration: 30 minutes Sign up to the Webinar here....

Read More
Study Reveals Health Information the Least Likely Data Type to be Encrypted
Apr03

Study Reveals Health Information the Least Likely Data Type to be Encrypted

Health information is the least likely data type to be encrypted, according to the Global Encryption Trends Study conducted by the Ponemon Institute on behalf of cryptographic solution provider nCipher. The study was conducted on 5,856 people across several industry sectors in 14 countries, including the United States. The aim of the study was to investigate data encryption trends, the types of data most likely to be encrypted, how extensively encryption has been adopted to improve security, and the challenges faced by companies when encrypting data. The study shows the use of encryption has steadily increased over the past four years. 45% of surveyed organizations said they have an overall encryption plan or strategy that is applied across the whole organization. 42% said they have a limited encryption plan or strategy, with encryption only used on certain applications and data types. 13% of respondents said they do not use encryption at all on any type of data. The use of encryption varies considerably from country to country. Germany leads the world with the highest prevalence...

Read More
Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices
Mar27

Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices

Earlier this month, the eHealth Initiative Foundation and Manatt Health issued a brief that calls for the introduction of a values framework to better protect health information collected, stored, and used by organizations that are not required by law to comply with Health Insurance Portability and Accountability Act (HIPAA) Rules. Health information is increasingly being collected by a wide range of apps and consumer devices. In many cases, the types of data collected by these apps and devices are the same as those collected and used by healthcare organizations. While healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of health information and uses and disclosures of that information are restricted, the same rules do not cover the data if the information is collected by other entities. It doesn’t matter what type of organization stores or uses the data. If that information is exposed it can cause considerable harm, yet this is currently something of a gray area that current regulations do not cover properly. At...

Read More
Healthcare Industry Ranks 8th for Cybersecurity but Poor DNS Health and Endpoint Security of Concern
Mar26

Healthcare Industry Ranks 8th for Cybersecurity but Poor DNS Health and Endpoint Security of Concern

Through compliance with HIPAA, healthcare organizations have achieved a baseline standard of security, but there is still plenty of room for improvement and healthcare cybersecurity is at best mediocre. Security Scorecard has ranked the healthcare industry 8th out of the 18 industry sectors for cybersecurity. The findings have been detailed in its 2019 Healthcare Cybersecurity Report. The worst aspects of security for the healthcare industry were DNS health and endpoint security, where the industry ranked 13th and 12th respectively. Without proper DNS security measures in place, attacks could take place in which DNS records are changed. Such an attack would allow cybercriminals to route web traffic to fraudulent websites where credentials could be harvested. The US Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) issued a warning about this attack method in January 2019. Endpoint security is another big concern. In healthcare, employees use a wide range of different types of devices to gain access to healthcare networks, which introduces risks and...

Read More
Concerns Raised with FDA over Medical Device Security Guidance
Mar22

Concerns Raised with FDA over Medical Device Security Guidance

The U.S. Food and Drug Administration (FDA) is reviewing feedback on the guidance for medical device manufacturers issued in October 2018. Comments have been submitted on the guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, by more than 40 groups and healthcare companies before the commenting period closed on March 18. Feedback will be taken on board and the guidance will be updated accordingly. The final version of the guidance is expected to be released later this year. The requirement for medical device manufacturers to submit a ‘Cybersecurity Bill of Materials’ to the FDA as part of the premarket review has been broadly praised. The CBOM needs to include a list of software and hardware components which have vulnerabilities or are susceptible to vulnerabilities. The CBOM will help healthcare organizations assess and manage risk. However, concerns have been raised by several groups about having to include all hardware components, as it may not even be possible for device manufacturers to provide that information. If hardware...

Read More
Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs
Mar22

Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs

Two vulnerabilities have been identified in the Conexus telemetry protocol used by Medtronic MyCarelink monitors, CareLink monitors, CareLink 2090 programmers, and 17 implanted cardiac devices. Both vulnerabilities require a low level of skill to exploit, although adjacent access to a vulnerable device would be required to exploit either vulnerability. The most serious vulnerability, rated critical, is a lack of authentication and authorization controls in the Conexus telemetry protocol which would allow an attacker with adjacent short-range access to a vulnerable device to inject, replay, modify, and/or intercept data within the telemetry communication when the product’s radio is turned on. An attacker could potentially change memory in a vulnerable implanted cardiac device which could affect the functionality of the device. The vulnerability is being tracked as CVE-2019-6538 and has been assigned a CVSS v3 base score of 9.3. A second, medium severity vulnerability concerns the transmission of sensitive information in cleartext. Since the Conexus telemetry protocol does not use...

Read More
UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million
Mar22

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit. UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach. The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had...

Read More
Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices
Mar15

Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices

U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) have introduced The Internet of Things Improvement Act, which requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has been introduced in the House by Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX). Ericcson has predicted there will be 18 billion IoT devices in use by 2022 and IDC predicts IoT spending will reach $1.2 trillion the same year. As the number of IoT devices in use grows, so does concern about the security risk posed by the devices. Sen. Warner wants to make sure that a baseline for security is achieved before any IoT device is allowed to connect to a government network and wants to use the purchasing power of the U.S. government to help establish minimum standards of security for IoT devices. Currently IoT devices are coming to market with scant cybersecurity protections. When cybersecurity measures are integrated into IoT devices, it is...

Read More
Study Confirms Healthcare Employees Are Susceptible to Phishing Attacks
Mar14

Study Confirms Healthcare Employees Are Susceptible to Phishing Attacks

The healthcare industry is being targeted by cybercriminals and phishing is one of the most common ways that they gain access to healthcare networks and sensitive data. The number of successful phishing attacks on healthcare institutions is a serious concern. At HIMSS19, OCR highlighted email as being the main location of breached ePHI and the high risk of data breaches from phishing attacks. Could the high number of successful phishing attacks be mostly down to the industry being targeted more than other industry sectors, or are healthcare employees more susceptible to phishing attacks? A recently published study has provided some answers. Dr. William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School and his team conducted a study to determine the susceptibility of healthcare employees to phishing attacks. For the study, Gordon and his team analysed data from 6 healthcare institutions in the United States that used custom-developed tools or vendor solutions to send simulated phishing emails to their employees. The researchers analyzed data from simulated...

Read More
OIG Audits Reveal Multiple Vulnerabilities at HHS Operating Divisions
Mar14

OIG Audits Reveal Multiple Vulnerabilities at HHS Operating Divisions

Audits conducted by the HHS’ Office of Inspector General (OIG) have uncovered multiple security vulnerabilities at HHS Operating Divisions (OPDIVs). Between 2016 and 2017, OIG conducted a series of audits at eight HHS OPDIVs to determine whether implemented security controls were effective at preventing cyberattacks. OIG also tested the ability of HHS OPDIVs to detect cyberattacks and the level of skill attackers would likely need to compromise OPDIV systems or gain access to sensitive data. In addition to the audits of security controls, policies, and procedures, OIG arranged for Defense Point Security (DPS) to conduct penetration tests on behalf of OIG to assess the effectiveness of security protections. The penetration tests were conducted in accordance with government auditing standards and agreed-upon Rules of Engagement between OIG and the OPDIVs. The audits and penetration tests revealed security vulnerabilities at all eight HHS OPDIVs in configuration management, access control, data input controls, and software patching. The root causes of the problems were reported to...

Read More
Serious Security Risks Found in Healthcare Laptops
Mar14

Serious Security Risks Found in Healthcare Laptops

A recent analysis of healthcare security risks by the Clearwater CyberIntelligence Institute (CCI) has shown laptop computers pose a major threat to hospitals, health systems, and their business associates. Laptops are portable and can easily be lost or stolen which places data at risk. The devices can be accessed remotely and used to access healthcare networks, and many organizations fail to monitor how the devices are used by employees. CCI ranked laptop computers 6th among sources of risk for healthcare organizations. CCI research showed 70% of high and critical risk scenarios for laptop vulnerabilities were in three areas: Endpoint data loss (29.9%), excessive user permissions (22.4%), and dormant accounts (17.8%). The most serious risk is endpoint data loss, which was rated critical or high due to the number of vulnerabilities in this area. Within this category, 98.9% of laptops had vulnerabilities related to the failure to lock down external ports such as USB, CD, DVD, and Firewire. Consequently, it is easy for data to be copied onto portable storage devices by users. 63.3%...

Read More
Security Risks of Medical Devices Explored by Check Point
Mar12

Security Risks of Medical Devices Explored by Check Point

Researchers at Check Point have demonstrated just how easy it can be to gain access to IoT medical devices and warn that the security risks of medical devices cannot be ignored. There have been major technological advances in recent years that has resulted in an explosion of new medical devices, but the IT environments that the devices are incorporated into often lack appropriate security controls. One of the main problems is many medical devices run on legacy systems and operating systems such as Windows XP, Windows 2000, and Windows 7. Those operating systems are no longer patched and contain vulnerabilities that could easily be exploited to gain access to patient data or the network to which the devices connect. Even when patches are available, applying them can be difficult and involves considerable downtime. Consequently, devices often remain unpatched and vulnerable to attack. Many healthcare providers also use medical devices from a wide range of manufacturers. Even identifying vulnerabilities and ensuring patches are applied can be a major challenge. Check Point...

Read More
25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months
Mar11

25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months

The Verizon Mobile Security Index 2019 report indicates 25% of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months. All businesses face similar risks from mobile devices, but healthcare organizations appear to be addressing risks better than most other industry sectors. Out of the eight industry sectors surveyed, healthcare experienced the second lowest number of mobile security incidents behind manufacturing/transportation. Healthcare mobile security breaches have fallen considerably since 2017 when 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months. While the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon suggests that may not necessarily be the case. Healthcare organizations may simply be struggling to identify security incidents involving mobile devices. 85% of surveyed healthcare organizations were confident that their security defenses were effective and 83% said they believed they would be able to...

Read More
Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents
Mar07

Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents

The latest Beazley Breach Insights Report confirms healthcare is the most targeted industry sector, accounting for 41% of all breaches reported to Beazley Breach Response (BBR) Services. Across all industry sectors, hacking and malware attacks were the most common cause of breaches and accounted for 47% of all incidents, followed by accidental disclosures of sensitive data (20%), insider breaches (8%), portable device loss/theft (6%), and the loss of physical records (5%). Hacking/malware incidents have increased significantly since 2017, which BBR notes is largely due to a 133% increase in business email compromise (BEC) attacks. Accidental disclosure incidents fell across all industries and insider breaches remained at a similar level to 2017. While hacking/malware incidents were the main cause of breaches in all other industry sectors, in healthcare they were on a par with accidental disclosures of protected health information, each accounting for 31% of reported breaches. Insider data breaches were significantly higher than other industry sectors and accounted for 17% of all...

Read More
HIPAA Compliance at Odds with Healthcare Cybersecurity
Mar06

HIPAA Compliance at Odds with Healthcare Cybersecurity

The College of Healthcare Information Management Executives (CHIME) has told Congress that complying with HIPAA Rules is not enough to prevent data breaches and HIPAA compliance can, in some cases, result in a lessening of healthcare cybersecurity defenses. Russell P. Branzell, President and CEO of CHIME and Shafiq Rab, CHCIO Chair of the CHIME Board of Trustees recently responded to a request for information (RFI) by Congress on ways to address rising healthcare costs. In a March 1, 2019 letter to Lamar Alexander, Chairman of the Committee on Health, Education, Labor, and Pensions (HELP), they explained that the use of technology in healthcare helps to reduce costs and can, if harnessed correctly, improve efficiency as well as outcomes. “Significant advancements in healthcare technology have been made possible through policy, however, often overly stringent prescriptive mandates have added to healthcare costs, impeded innovation and increased burdens on clinicians.” The use of technology and data sharing are essential for improving the level of care that can be provided to...

Read More
Moody’s: Hospitals at High Risk of Suffering Devastating Cyberattack
Mar06

Moody’s: Hospitals at High Risk of Suffering Devastating Cyberattack

A new Moody’s Investors Service Report has revealed four industry sectors – hospitals, banks, market infrastructure providers, and securities firms – face significant financial risks from cyberattacks. Those four sectors were determined to have high risk exposure to cyberattacks. All four sectors are heavily reliant on technology for day to day operations, distribution of content, or customer engagement. Increasing digitalization and interconnectedness within each sector and across different sectors is increasing cyber risk. For the report, Moody’s assessed vulnerability to a cyberattack and the impact such an attack could have on critical businesses processes, disclosure of data, and reputation damage. Cybersecurity measures that had been deployed to protect against attacks were not considered for the report, unless mitigants had been applied uniformly across each sector – Supply chain diversity for instance. In total, 35 broad industry sectors were assessed and were given a rating of low-risk, medium-risk, or high-risk. The health insurance, pharmaceutical, and...

Read More
IRS Issues Warning About Tax-Related Phishing Scams
Mar05

IRS Issues Warning About Tax-Related Phishing Scams

The IRS has launched its 2019 ‘Dirty Dozen’ campaign warning taxpayers about the most common tax-related phishing scams that lead to tax fraud and identity theft. Each year the IRS provides taxpayers, businesses, and tax professionals with information on the 12 most common phishing and tax scams to raise awareness of the most prevalent threats. During tax season, cybercriminals are highly active and seek tax information to commit identity theft and submit fraudulent tax returns. Each year, many consumers are fooled into disclosing their personal information and scores of organizations fall victim to these scams and disclose the tax information of employees to scammers. The scams are conducted over the phone, via text messages, on social media platforms, websites, and via email. On March 4, 2019, the IRS launched this year’s Dirty Dozen campaign with a warning about the most serious threat during tax season – phishing. On each of the following 11 weekdays, the IRS will highlight a different scam. Tax-related phishing scams are often cleverly disguised. Emails are sent that appear to...

Read More
New HIPAA Regulations in 2019
Mar04

New HIPAA Regulations in 2019

While there were expected to be some 2018 HIPAA updates, the wheels of change move slowly. OCR has been considering HIPAA updates in 2018 although it is likely to take until the middle of 2019 before any proposed HIPAA updates in 2018 are signed into law. Further, the Trump Administration’s policy of two regulations out for every new one introduced means any new HIPAA regulations in 2019 are likely to be limited. First, there will need to be some easing of existing HIPAA requirements. HIPAA updates in 2018 that were under consideration were changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS was considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of  substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided. Other potential changes to HIPAA regulations in 2018 included the removal of aspects of HIPAA that impede the ability of doctors and hospitals to coordinate to deliver...

Read More
Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity
Feb28

Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity

Senator Mark Warner (D-Va) has written letters to leaders of the Department of Health and Human Services (HHS), the Food and Drug Administration (FDA), the Centers for Medicare and Medicaid Services (CMS), the National Institute of Standards and Technology (NIST), and 12 healthcare associations requesting answers to a list of healthcare cybersecurity questions. Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, is deeply concerned about the state of cybersecurity in healthcare and is calling for a collaborative effort “to develop a short- and long-term strategy [for] reducing cybersecurity vulnerabilities in the health care sector” and “develop a national strategy that improves the safety, resilience, and security of our healthcare industry.” The healthcare industry is being targeted by cybercriminals and those attacks are succeeding far too frequently. 2014 was the sixth successive year to see an annual increase in healthcare data breaches. In 2015, another record was broken. The most healthcare records ever breached. 113 million...

Read More
Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices
Feb27

Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices

Several healthcare associations have requested a safe harbor for healthcare organizations that would prevent OCR and state attorneys general from issuing financial penalties for breaches of protected health information if the breached entity has met certain standards for safeguarding protected health information (PHI). The suggestions were made in response to the Department of Health and Human Services’ request for information (RFI) on potential changes to HIPAA to reduce the burden on healthcare organizations and improve data sharing for the coordination of patient care. The HHS received more than 1,300 comments on possible changes prior to the February 12, 2019 deadline. The safe harbor was suggested by the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), the Association for Executives in Healthcare Information Security (AEHIS), the American Medical Association (AMA), and the American Hospital Association (AHA). Healthcare organizations can adopt cybersecurity frameworks, create layered...

Read More
New Cybersecurity Requirements for Ohio Health Insurers
Feb27

New Cybersecurity Requirements for Ohio Health Insurers

From March 20, 2019, insurance companies in Ohio will be subject to a new law (Senate Bill 273) that requires them to develop and implement a written information security program to safeguard business and personal information. The information security program must include a comprehensive internal risk assessment to identify risk and threats to systems and data. Following the risk assessment, safeguards must be implemented to protect all nonpublic information that would cause a material adverse impact to business operations or could cause harm to customers if the information were to be exposed or accessed by unauthorized individuals. Nonpublic information includes financial information, health information, and identifiers such as Social Security numbers, driver’s license numbers, state ID cards, biometric information, account numbers, credit/debit card numbers, security/access codes that permit access to a financial account, and any information (except age or gender) that is created by or derived from a healthcare provider or consumer that could be used to identify an individual in...

Read More
NHS to Phase Out Pagers by End of 2021
Feb26

NHS to Phase Out Pagers by End of 2021

The National Health Service (NHS) has commissioned a report on the costs of pagers and the extent of their use in NHS Trusts in the UK. The study revealed around 130,000 pagers are used in NHS Trusts – Approximately 10% of the world’s pagers – and the annual cost is around £6.6 million ($8.73 million). Advantages and Disadvantages of Pagers in Healthcare Pagers have served the healthcare industry well for several decades and they are still useful devices. Pagers are easy to use, they are small, easy to carry, and batteries can last months between charges. The pager system uses its own transmitters and frequencies and the signals can pass through structures. Consequently, coverage is excellent, and communication is fast and reliable. Pagers have one function and they perform that task very well. However, there are many drawbacks to pagers in healthcare. Most of the pagers used by NHS Trusts do not support two-way communication. When a message is received, a doctor must find a phone and call a number to receive the message. When an immediate response is not possible, messages are...

Read More
January 2019 Healthcare Data Breach Report
Feb25

January 2019 Healthcare Data Breach Report

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day in January. There were 33 healthcare data breaches reported in January 2019. January was the second successive month where there was a fall in the number of individuals impacted by healthcare data breaches. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen or impermissibly disclosed. Largest Healthcare Data Breaches in January 2019   Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Centerstone Insurance and Financial Services (BenefitMall) Business Associate 111589 Hacking/IT Incident 2 Las Colinas Orthopedic Surgery & Sports Medicine, PA Healthcare Provider 76000 Theft 3 Valley Hope Association Healthcare Provider 70799 Hacking/IT Incident 4 Roper St. Francis Healthcare Healthcare Provider 35253 Hacking/IT Incident 5 Managed Health Services Health Plan 31300 Hacking/IT Incident 6 EyeSouth Partners Business Associate 24113 Hacking/IT Incident 7 Dr....

Read More
NIST NCCoE Releases Mobile Device Security Guide
Feb22

NIST NCCoE Releases Mobile Device Security Guide

The National Cybersecurity Center of Excellence (NCCoE) has released final guidance on mobile device security to help organizations secure mobile devices and prevent data breaches. Mobile devices offer convenience and allow data to be accessed from any location. Not only do they allow healthcare organizations to make cost savings, they are vital for remote workers who need access to patients’ health information. Mobile devices allow onsite and offsite workers to communicate information quickly and they can help to improve patient care and outcomes. However, mobile devices introduce security risks. Stolen devices can be used to gain access to corporate email accounts, contacts, calendars, and other sensitive information stored on the devices or accessible through them. There have been many cases where mobile healthcare devices have been lost or stolen causing the exposure of patients’ protected health information. Mobile device security failures have resulted in several financial penalties for HIPAA covered entities, including a $4,348,000 civil monetary penalty for University of...

Read More
Maryland Considers Tougher Penalties for Ransomware Attacks
Feb20

Maryland Considers Tougher Penalties for Ransomware Attacks

Following a spate of ransomware attacks on businesses and hospitals in Maryland, a new bill (Senate Bill 151) has been introduced which seeks to increase the penalties for ransomware attacks. It is hoped that tougher penalties for ransomware attacks would discourage individuals from conducting attacks in the state. The bill defines ransomware as a computer or data contaminant, encryption, or lock that is introduced without authorization on a computer, computer network, or computer system that restricts access to the computer, data, network, or system and is accompanied by a demand for payment to remove the contaminant, encryption or lock. Currently in Maryland, a ransomware attack is classed as a misdemeanor if the attacker causes losses of less than $10,000 and a felony if the attack results in losses of $10,000 or more. The bill seeks to reclassify a ransomware attack as a felony if it results in aggregate losses of more than $1,000. Aggregate losses include “the value of any money, property, or service lost, stolen, or rendered unrecoverable by the crime,” along with reasonable...

Read More
Free Decryptor for GandCrab Ransomware v5.1 Released
Feb20

Free Decryptor for GandCrab Ransomware v5.1 Released

A free decryptor for GandCrab ransomware has been released that allows victims to recover files encrypted by versions 5.0.4 to 5.1 of the ransomware. Previous decryptors have only worked on version 1, 4, and some of the early version 5 variants. The new GandCrab ransomware decryptor was developed by the Romanian police with assistance provided by Bitdefender, Europol, and law enforcement agencies in Austria, Belgium, Cyprus, France, Germany, Italy, the Netherlands, UK, Canada and the United States. GandCrab ransomware was first used in attacks in January 2018. The first version of the ransomware was somewhat crude and a free decryptor was rapidly developed and released in February. Latter variants were more advanced and more adept at evading detection; however, in October, a second GandCrab ransomware decryptor was released that worked on version 4 of the ransomware. According to Europol, those decryptors have been downloaded more than 400,000 times and have allowed around 10,000 users to decrypt their files free of charge. To date, GandCrab ransomware has been used in more than...

Read More
Data Access and Sharing Risks Identified at National Institutes of Health
Feb15

Data Access and Sharing Risks Identified at National Institutes of Health

The Department of Health and Human Services’ Office of Inspector General (OIG) has published a report of the findings of an audit of the National institutes of Health (NIH). The NIH is the primary government biomedical and public health research agency in the United States and one of the foremost medical research centers in the world. The audit was conducted to determine whether adequate controls had been implemented for permitting and monitoring access to sensitive NIH data. OIG reviewed internal controls, policies, procedures, and supporting documentation, and conducted interviews with internal staff. While controls had been implemented at NIH to restrict access to sensitive data, OIG identified several areas where improvements could be made to bolster security and several recommendations were made. OIG recommended NIH should develop a security framework, conduct risk assessments, implement additional security controls to safeguard sensitive data, and should start working with an organization that has expertise and knowledge of misuse of scientific data. NIH did not concur with...

Read More
Healthcare Email Fraud Attacks Have Increased 473% in 2 Years
Feb14

Healthcare Email Fraud Attacks Have Increased 473% in 2 Years

A recent report from Proofpoint has revealed healthcare email fraud attacks have increased 473% in the past two years. Email fraud, also known as business email compromise (BEC), is one of the biggest cyber threats faced by businesses. Successful attacks can result in losses of hundreds of thousands or even millions of dollars. Figures from the FBI suggest that globally, $12.5 billion has been lost to these email fraud attacks since 2013. These email attacks are highly targeted and typically involve the spoofing of email addresses to make emails appear to have been sent internally or from a trusted individual. They often involve the use of a genuine email account within an organization that has previously been compromised in a phishing or spear phishing attack. The attacks are usually conducted to obtain sensitive data such as employee tax information or patient information, to obtain credentials to be used in further attacks, and for wire fraud. Wire fraud is the most common form of email fraud in healthcare. For the report, Proofpoint analyzed more than 160 billion emails sent by...

Read More
2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records
Feb13

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018. The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches. According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018. In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased...

Read More
HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns
Feb12

HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns

Each year, HIMSS conducts a survey to gather information about security experiences and cybersecurity practices at healthcare organizations. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps. 166 health information security professionals were surveyed for the 2019 HIMSS Cybersecurity Survey, which was conducted from November to December 2018. This year’s survey revealed security incidents are a universal phenomenon in healthcare. Almost three quarters (74%) of healthcare organizations experienced a significant security breach in the past 12 months. 22% said they had not experienced a significant security incident in the past year. The figures are in line with the 2018 HIMSS Cybersecurity Survey, when 21% of respondents said they had not experienced a significant security incident. In 2018, 82% of hospital systems reported a significant security incident, as did almost two thirds of non-acute and vendor organizations. The most common actors implicated in security incidents were online scam artists (28%)...

Read More
Vulnerabilities Identified in IDenticard PremiSys Access Control System
Feb04

Vulnerabilities Identified in IDenticard PremiSys Access Control System

ICS-CERT has issued an alert about three high severity vulnerabilities in the IDenticard PremiSys access control system. All versions of PremiSys software prior to version 4.1 are affected by the vulnerabilities. Successful exploitation of the vulnerabilities could result in full access being gained to the system with administrative privileges, theft of sensitive information contained in backups, and access being gained to credentials. The vulnerabilities could be exploited remotely and require a low level of skill to exploit. Details of the vulnerabilities have been publicly disclosed. The highest severity vulnerability CVE-2019-3906 concerns hard-coded credentials which allow full admin access to the PremiSys WCF Service endpoint. If successfully exploited, and attacker could obtain full access to the system with administrative privileges. The vulnerability has been assigned a CVSS v3 base score of 8.8. User credentials and other sensitive information stored in the system are encrypted; however, a weak method of encryption has been used which could potentially be cracked...

Read More
New Cybersecurity Framework for Medical Devices Issued by HSCC
Jan30

New Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle. The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector. More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing...

Read More
Patches Released to Mitigate KRACK Vulnerabilities Affecting Stryker Medical Beds
Jan30

Patches Released to Mitigate KRACK Vulnerabilities Affecting Stryker Medical Beds

Stryker has identified nine vulnerabilities that affect some of its Medical Beds. The vulnerabilities could potentially be exploited in a man-in-the-middle attack by an attacker within radio range of vulnerable product to replay, decrypt, or spoof frames. The vulnerabilities are present in the four-way handshake used by WPA and WPA2 wireless security protocols which allow nonce reuse in Key Reinstallation (KRACK) attacks. Similar vulnerabilities have been identified in a wide range of wireless devices. The nine vulnerabilities are summarized below: CVE-2017-13077: Reinstallation of pairwise key in the four-way handshake. CVE-2017-13078: Reinstallation of group key in the four-way handshake. CVE-2017-13079: Reinstallation of Integrity Group Temporal Key in the four-way handshake. CVE-2017-13080: Reinstallation of group key in the group key handshake. CVE-2017-13081: Reinstallation of Integrity Group Temporal Key in the group key handshake. CVE-2017-13082: Reinstallation of Pairwise Transient Key Temporal Key in the fast BSS transmission handshake. CVE-2017-13086: Reinstallation of...

Read More
Vulnerability Identified in BD FACSLyric Flow Cytometry Solution
Jan30

Vulnerability Identified in BD FACSLyric Flow Cytometry Solution

Becton, Dickinson and Company (BD) has identified an improper access control vulnerability in its BD FACSLyric flow cytometry solution. If the flaw is exploited, an attacker could gain access to administrative level privileges on a vulnerable workstation and execute commands. The vulnerability requires a low level of skill to exploit. BD extensively tests its software for potential vulnerabilities and promptly corrects flaws. BD is currently taking steps to mitigate the vulnerability for all users of vulnerable FACSLyric flow cytometry solutions. The flaw (CVE-2019-6517) is due to improper enforcement of user access control for privileged accounts. It has been given a CVSS v3 base score of 6.8 – Medium severity. BD self-reported the vulnerability to the National Cybersecurity & Communications Integration Center (NCCIC). The vulnerability is present in the following cytometry solutions: BD FACSLyric Research Use Only, Windows 10 Professional Operating System, U.S. and Malaysian Releases (Nov 2017 and Nov 2018) The U.S. release of BD FACSLyric IVD Windows 10 Professional...

Read More
GDPR Incorporated into the HITRUST CSF
Jan29

GDPR Incorporated into the HITRUST CSF

HITRUST has combined the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST CSF) and is working toward the creation of a single framework and assessment covering all regulatory requirements. Many countries have introduced new data privacy and security regulations that require companies to implement new policies, procedures, and technologies to keep consumers’ and customers’ data private and confidential. Organizations that wish to conduct business globally must ensure they comply with these country-specific regulations and should conduct assessments to make sure they are fully compliant. The penalties for violations of these regulations can be considerable. GDPR violations can attract a fine up to 4% of global annual turnover, or €20 million, whichever is greater. Meeting complex compliance requirements and assessing compliance efforts can be a major challenge, although HITRUST’s “one framework, one assessment” model makes the process as simple as possible. “As countries around the world continue to adopt and advance...

Read More
Multiple Flaws Identified in LabKey Server Community Edition
Jan29

Multiple Flaws Identified in LabKey Server Community Edition

Security researchers at Tenable Research have discovered multiple flaws in LabKey Server Community Edition 18.2-60106.64 which could be exploited to steal user credentials, access medical data, and run arbitrary code through the Labkey browser. LabKey Server is an open source collaboration tool that allows scientists to integrate, analyze, and share biomedical research data. While the platform serves as a secure data repository, vulnerabilities have been identified that allow security controls to be bypassed. CVE-2019-3911 – Reflected XSS Multiple flaws have been identified in all versions of LabKey Server Community Edition prior to v 18.3.0 related to the validation and sanitization of query functions, in particular, the query.sort parameter. The parameter is reflected in output to the user and is interpreted by the browser, which opens to door for a cross site scripting attack. If the flaws are exploited, an attacker could run arbitrary code within the context of the browser. Attacks are possible with and without authentication. CVE-2019-3912 – Open Redirects Open redirects via...

Read More
Analysis of 2018 Healthcare Data Breaches
Jan28

Analysis of 2018 Healthcare Data Breaches

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR). 2018 Was a Record-Breaking Year for Healthcare Data Breaches Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States. The number of reported healthcare data breaches has been steadily increasing each year. Except for 2015, the number of reported healthcare data breaches has increased every year. In 2018, 365 healthcare data breaches of 500 or more records were reported, up almost 2% from the...

Read More
DHS Issues Emergency Warning About DNS Hijacking Attacks
Jan24

DHS Issues Emergency Warning About DNS Hijacking Attacks

The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) has issued an emergency warning about DNS hijacking attacks. All government agencies have been instructed to audit their DNS settings in the next 10 days. CISA reports that hackers have been targeting government agencies and modifying their Domain Name System records. DNS records are used to determine the IP address of a website from the domain name entered into the browser. By modifying the DNS records, web traffic and email traffic can be re-routed. This method of attack allows sensitive data to be stolen without compromising a network and users are unlikely to be aware that their communications have been intercepted. Re-routed emails are likely to go unnoticed and web traffic could be re-routed to identical copies of legitimate sites.  Since those sites have TLS/SSL certificates, no warning would be triggered by browsers. DNS attacks allow hackers to gather information about the websites visited by users and the information could be used in phishing campaigns. The attacks appear to be...

Read More
New Report Reveals Spiraling Cost of Cyberattacks
Jan23

New Report Reveals Spiraling Cost of Cyberattacks

A new report from Radware has provided insights into the threat landscape in 2018 and the spiraling cost of cyberattacks. The report shows there has been a 52% increase in the cost of cyberattacks on businesses in since 2017. For the report, Radware surveyed 790 managers, network engineers, security engineers, CIOs, CISOs, and other professionals in organizations around the globe. Respondents to the survey were asked about the issues they have faced preparing for and mitigating cyberattacks and the estimated cost of those attacks. The 2018 Threat Landscape 93% of surveyed firms said they had experienced a cyberattack in the past 12 months. The biggest threat globally was ransomware and other extortion-based attacks, which accounted for 51% of all attacks. In 2017, 60% of cyberattacks involved ransoms. The reduction has been attributed to cybercriminals switching from ransomware to cryptocurrency mining malware. Political attacks and hacktivism accounted for 31% of attacks, down from 34% in 2017. The motive behind 31% of attacks was unknown, which demonstrates that attackers are now...

Read More
Vulnerabilities Identified in Dräger Infinity Delta Patient Monitors
Jan23

Vulnerabilities Identified in Dräger Infinity Delta Patient Monitors

The U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Team (US-CERT) has issued an advisory about three vulnerabilities affecting Dräger Infinity Delta patient monitoring devices. The flaws affect all versions of Infinity Delta, Delta XL, Kappa, and infinity Explorer C700 patient monitoring devices. The flaws could lead to the disclosure of sensitive information stored in device logs, be leveraged to conduct Denial of Service (DoS) attacks, or could potentially allow an attacker to gain full control of the operating system of a vulnerable device. The flaws were discovered by Marc Ruef and Rocco Gagliardi of scip AG. The vulnerabilities are detailed below, in order of severity: CVE-2018-19014 (CWE-532) – Exposure of Information in Log Files Log files are not appropriately secured and are accessible over an unauthenticated network. An attacker could gain access to device log files and view sensitive information relating to the internals of the monitor, location of the device, and its wired network configuration. The flaw has been assigned a CVSS v3 base...

Read More
December 2018 Healthcare Data Breach Report
Jan22

December 2018 Healthcare Data Breach Report

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January. In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: A considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach was experienced in March 2018, confirmed on June 29, yet reporting to OCR was delayed until December 11. Largest Healthcare Data Breaches in December 2018 Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure 2 JAND Inc. d/b/a Warby Parker Healthcare Provider 177,890...

Read More
State AG Proposes Tougher Data Breach Notification Laws in North Carolina
Jan21

State AG Proposes Tougher Data Breach Notification Laws in North Carolina

Following an increase in data breaches affecting North Carolina residents in 2017, state Attorney General Josh Stein and state representative Jason Saine introduced a bill to update data breach notification laws in North Carolina and increase protections for state residents. The bill, Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed changes to state laws that would have made North Carolina breach notification laws some of the toughest in the country. The January 2018 version of the bill proposed an expansion of the definition of a breach, changes to the definition of personal information, and a maximum of 15 days from the discovery of a breach to issue notifications to breach victims. Attorney General Stein and Rep. Saine unveiled a revised version of the bill on January 17, 2019. While some of the proposed updates have been scaled back, new requirements have also been introduced to increase protections for state residents. The updated bill coincides with the release of the state’s annual security breach report for 2018. The report shows...

Read More