Healthcare Cybersecurity

Cyberattacks Have Increased but Ransomware Attacks Have Declined in 2024

IT professionals and security executives believe cyberattacks have increased since 2023 according to a recent survey by Keeper Security.  The cybersecurity firm surveyed 800 IT leaders globally, and 92% said they thought cyberattacks have increased in the past year with 95% saying that cyberattacks have become so sophisticated that they feel unprepared to deal with emerging threat vectors such as AI-based attacks (35%), deepfakes (30%), leveraged 5G networks (29%), unauthorized cloud control (25%), and fileless attacks (23%). It is not only external threat actors that are conducting attacks, as 40% of respondents said they have experienced a cyberattack caused by an insider. The main types of attacks that have increased in frequency are phishing (51%), malware (49%), ransomware (44%), and password attacks (31%). A majority of IT professionals said phishing and smishing attacks have become much harder to detect, which many attribute to the use of generative AI by cybercriminals.

There was a surge in ransomware attacks in 2023; however, attacks have fallen in 2024 according to the Israeli cybersecurity firm Cyberint. In 2023, there was a 55.5% increase in victims of ransomware attacks, with 5,070 organizations reporting attacks in 2023 and 1,309 reported attacks in Q4 alone. However, in Q1, 2024, only 1,048 have been reported, down 22% from Q4, 2023.

Cyberint offers several possible explanations for the decline. There has been increased law enforcement activity, including two operations targeting two of the most active groups, LockBit and ALPHV, that disrupted their operations. In the case of LockBit, the disruption was particularly short, with the group claiming to have rebuilt its infrastructure within a week of the takedown. In Q1, 2024, 210 attacks were attributed to LockBit showing that the disruption was only temporary. In December 2023, a law enforcement operation seized some of the infrastructure of the ALPHV group, and while the group remained active, only 51 attacks were confirmed in Q1, 2024, down from 109 attacks in Q4, 2024. The group also recovered quickly and, in response, removed restrictions for affiliates, and actively encouraged attacks on healthcare targets. The ALPHV group has now shut down following the attack on Change Healthcare, although ALPHV is expected to rebrand and return.

Cyberint also suggests that the decreasing number of victims paying ransoms has made ransomware attacks less profitable, leading some affiliates to pursue other sources of income. Data from the ransomware remediation firm Coveware shows ransom payments fell to a record low in Q4, 2023, with only 29% of victims choosing to pay the ransom. Ransom payments have also fallen to an average payment in Q4, 2023 of $568,705, a 33% decrease from the previous quarter.

While some groups appear to have shut down their operations, several new groups have emerged. In Q1, 2024, Cyberint tracked the emergence of 10 new ransomware groups. While these groups have not been conducting attacks on the scale of ALPHV, there is the potential for them to scale up their operations. One of those groups, RansomHub, is attempting to extort Change Healthcare, and claims it has the data stolen in its ALPHV ransomware attack.

While the reduction in ransomware attacks is good news, it is too early to tell whether the decline will continue or if it is just a blip. What is more certain is that, in the short term at least, ransomware is likely to continue to be one of the biggest cyber threats faced by organizations.

The post Cyberattacks Have Increased but Ransomware Attacks Have Declined in 2024 appeared first on HIPAA Journal.

Companies with Strong Cybersecurity Programs Deliver Higher Returns for Shareholders

Investing in cybersecurity can help organizations prevent data breaches and avoid regulatory fines, but there are other benefits. A recently released report from Diligent Institute and Bitsight shows organizations that have a strong cybersecurity program tend to have better financial performance and deliver higher returns for their shareholders.

For the report, Diligent Institute and Bitsight analyzed data from 4,149 mid to large-sized organizations in multiple sectors across Australia, Canada, France, Germany, Japan, the United Kingdom, and the United States. Cybersecurity oversight at the committee level was assessed to determine the impact on cybersecurity risk ratings and each company’s cyber oversight structure was correlated with their security performance data, with each company given a security performance classification of basic, intermediate, or advanced.

The study revealed companies with advanced security ratings created almost 4 times the amount of value for their shareholders as companies with basic security ratings. Over three and five years, companies with an advanced security rating had a Total Shareholders’ Return (TSR) of 372% and 91% higher respectively, compared to companies with a basic security rating. Over three and five years, the average TSR for companies with an advanced security rating was 71% and 67%, compared to a 37% and 14% TSR for companies with a basic security rating.

The report showed that healthcare and other highly-regulated sectors appreciate the importance of cybersecurity and understand that cybersecurity is not simply an IT problem, rather it is an enterprise risk that can have an impact on the company’s short-term performance and long-term health. Healthcare outperformed other sectors in terms of cybersecurity performance and had the highest average security rating of all industries represented in the study.

In addition to the correlation between cybersecurity performance and shareholder return, the researchers found a correlation between board structure and security ratings, with companies that had specialized risk or audit committees performing better than those that did not. Companies with specialized risk or audit committees had an average security rating of 710, compared to an average rating of 650 for companies that had neither of these committees.

Integrating a cybersecurity expert into a board committee tasked with cybersecurity risk oversight makes a significant difference to an organization’s security performance; however, simply having a cybersecurity expert on the board does not mean a company will have a better security rating. Companies with cybersecurity experts on the board had an average security score of 580, compared to an average rating of 700 for companies that had cybersecurity experts on either audit committees or specialized risk committees. The researchers note that it is rare for boards to include cybersecurity experts, with only 5% of the assessed companies having cybersecurity experts on their boards. “Companies seeking to hire cybersecurity expertise for the board should first ensure that the board is appropriately organized so that expertise can be properly incorporated into the oversight mechanisms,” suggested the researchers.

The post Companies with Strong Cybersecurity Programs Deliver Higher Returns for Shareholders appeared first on HIPAA Journal.

Social Engineering Campaign Targets Hospital IT Helpdesks

Warnings have been issued by the American Hospital Association (AHA) and the Health Sector Cybersecurity Coordination Center (HC3) about a social engineering campaign that targets IT helpdesk at U.S. hospitals. According to the AHA, the campaign uses the stolen identities of revenue cycle employees or employees in other sensitive financial roles. The threat actor contacts the IT helpdesk and uses stolen personally identifiable information to answer security questions posed by IT helpdesk staff. Once the threat actor has navigated the questions, they request a password reset and ask to enroll a new device, often with a local area code, to receive multi-factor authentication (MFA) codes.

Once the new device has been enrolled, the threat actor logs into the user’s account and successfully passes the MFA check, the MFA code is sent to the newly registered device. The AHA warns that these attacks can also bypass phishing-resistant MFA. The main purpose of the campaign appears to be to divert legitimate payments. Once access has been gained to an employee’s email account, payment instructions are changed with payment processors, resulting in fraudulent payments to U.S. bank accounts. Access may also be used to install malware on the network.

HC3 is aware of this social engineering campaign and said IT helpdesks are told that the user has broken their phone so they cannot receive any MFA codes. The helpdesk is provided with the last four digits of the target employee’s social security number (SSN), corporate ID number, and demographic details to pass security checks. HC3 suggests the information is likely to have been obtained from publicly available sources such as professional networking sites and/or past data breaches. The tactics in the campaign mirror those used by a threat group known as Scattered Spider (UNC3944). Scattered Spider claimed responsibility for a similar campaign targeting the hospitality and entertainment industry, which led to BlackCat ransomware being used to encrypt files on the network. Ransomware is not believed to have been used in the campaign targeting the healthcare sector and it is unclear which threat group is behind the campaign.

The AHA was first made aware of the campaign in January 2024 and issued a warning to hospitals. The warning has now been reissued due to an uptick in incidents. “The risk posed by this innovative and sophisticated scheme can be mitigated by ensuring strict IT help desk security protocols, which at a minimum require a call back to the number on record for the employee requesting password resets and enrollment of new devices,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Organizations may also want to contact the supervisor on record of the employee making such a request. In addition, a video call with the requesting employee might be initiated and a screenshot of the employee presenting a valid government-issued ID be captured and preserved.” One large health system has changed its policies and procedures following a successful attack and now requires employees to visit the IT helpdesk in person in order to change their password or register a new device.

You can view the HC3 alert and recommended mitigations here.

The post Social Engineering Campaign Targets Hospital IT Helpdesks appeared first on HIPAA Journal.

HHS Shares Credential Harvesting Mitigations

The Health Sector Cybersecurity Coordination Center (HC3) has issued a healthcare and public health (HPH) sector alert about credential harvesting, one of the most common tactics used by hackers in cyberattacks on the HPH sector.

While there are more secure ways of authenticating individuals and controlling access to accounts and resources, credentials such as usernames, passwords, and personal information are commonly used. Credentials provide access to online accounts, email systems, patient data, and network resources. If credentials are obtained, hackers will gain the user’s privileges and a foothold in the network.

Credential harvesting leads to data breaches, but oftentimes credential harvesting is the first stage in a much more extensive attack. The access may allow a hacker to compromise further accounts and escalate privileges, exploit vulnerabilities in internal systems, deploy malware, move laterally within the network, disrupt administrative functions, and cause system downtime, which can impair healthcare professionals’ ability to provide patient care.

Credential harvesting is most commonly associated with phishing, but credentials can be obtained using a variety of methods, the most common of which are:

  • Phishing: The use of deceptive messages to trick users into disclosing their login credentials, often on attacker-controlled websites
  • Keylogging: Malware that records keystrokes as they are entered by users, including usernames and passwords.
  • Brute Force Attacks: Automated attempts using numerous combinations of usernames and commonly used passwords until the correct combination is identified.
  • Person-in-the-Middle (PITM) Attacks: The interception of communications between two parties, capturing login credentials exchanged during the authentication process.
  • Credential Stuffing: The use of credentials obtained in one data breach to access accounts on other platforms/systems where the same username/password combinations have been used.

Since there are a variety of ways that credentials can be harvested, there is no single mitigation that can protect against this tactic. Healthcare organizations need to be proactive and implement several mitigations to reduce risk. Multi-factor authentication (MFA) is one of the most important security measures as it adds an extra layer of authentication. If credentials are compromised, without the additional authentication, account access will not be granted. Phishing-resistant MFA provides the highest level of protection.

Many credential harvesting attacks use email to make initial contact with users. Email filtering solutions such as spam filters will block the majority of these messages and prevent them from reaching end users; however, even the most advanced email security solutions will not block all malicious messages. Employee training and awareness are therefore important. Members of the workforce (from the CEO down) should be educated about phishing and other credential harvesting methods and be taught cybersecurity best practices.

Monitoring and detection solutions should be used to identify suspicious login attempts and suspicious user behavior, endpoint security solutions can protect against malware such as keyloggers, systems should be kept up to date to prevent the exploitation of vulnerabilities, and organizations should ensure they have comprehensive incident response plans to minimize the harm caused should an attack prove successful.

This is the second sector alert to be issued by HC3 this month on tactics used by malicious actors in attacks on the HPH sector. The earlier alert covers email bombing, which is used for denial of service attacks.

The post HHS Shares Credential Harvesting Mitigations appeared first on HIPAA Journal.

Legislation Introduced to Provide Advance Payments to Providers Affected by Cyberattacks

This week, Senator Mark R. Warner (D-VA) introduced new legislation that will allow for advance and accelerated payments to healthcare providers in the event of a cyberattack. The new legislation was introduced in response to the recent ransomware attack on Change Healthcare, which caused an outage that lasted for more than 4 weeks. The outage prevented physicians and hospitals from processing claims, billing patients, and checking insurance coverage for care, and the reimbursement delays have left many healthcare providers struggling to pay workers and buy supplies, with some placed at risk of becoming financially insolvent.

Given the increase in cyberattacks on the healthcare sector in recent years, a major attack that caused massive nationwide disruption to healthcare was an inevitability, and there will likely be other highly damaging healthcare cyberattacks in the future. The Health Care Cybersecurity Improvements Act of 2024 will help to ensure that in the event of another attack, healthcare providers will not face such challenging financial problems.

Sen. Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, has been sounding the alarm about healthcare cybersecurity for some time. In 2022, he published a white paper that framed cybersecurity as a patient safety issue. The Change Healthcare ransomware attack demonstrated how a cyberattack can prevent patients from receiving timely care and essential medications. “The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”

The Health Care Cybersecurity Improvements Act of 2024 will allow for advance and accelerated payments to healthcare providers in the event of a cyber incident; however, they would only qualify if they and their vendors meet minimum cybersecurity standards. In the press release announcing the new legislation, Sen. Warner did not mention what those minimum cybersecurity standards are, as that will be left to the HHS Secretary to determine.

Currently, in certain situations, Medicare Part A providers (such as acute care hospitals, skilled nursing facilities, and other inpatient care facilities) and Part B suppliers (including physicians, nonphysician practitioners, durable medical equipment suppliers, and others who furnish outpatient services) can experience cash flow difficulties due to specific circumstances that are beyond their control, as happened following the Change Healthcare ransomware attack. The Centers for Medicare and Medicaid Services (CMS) has provided temporary financial relief to Medicare Part A providers and Part B suppliers through Accelerated and Advance Payment (AAP) programs, which provide advance payments from the federal government, which are later recovered by withholding payments for later claims.

The Health Care Cybersecurity Improvements Act of 2024 will modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program. If the legislation is passed, the HHS Secretary will determine if the need for payment results from a cyber incident, and if it does, the healthcare provider requiring the payment must meet minimum cybersecurity standards, which will be determined by the Secretary. For instance, a healthcare provider may be required to implement the essential cybersecurity performance goals recently announced by the HHS. If the provider has implemented those minimum cybersecurity measures and the provider’s intermediary was the target of the incident, the intermediary must also meet minimum cybersecurity standards in order for the provider to receive the payments.

If passed, the act would take effect two years from the date of enactment, which will give healthcare organizations sufficient time to ensure they comply with the cybersecurity requirements set by the HHS Secretary.

The post Legislation Introduced to Provide Advance Payments to Providers Affected by Cyberattacks appeared first on HIPAA Journal.

Senator Cassidy Demands Answers About HHS Cyberattack and $7.5M Theft

Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, has demanded answers from the Department of Health and Human Services (HHS) about a 2023 cyberattack that resulted in the theft of millions of dollars of grant funds and the failure of the HHS to notify Congress about the incident.

In January this year, Bloomberg published a report about a hacking incident at the HHS. According to the report, hackers had access to an HHS system that processed civilian grant payments between March 2023 and November 2023 and stole $7.5 million. The money should have been transferred to five accounts to provide support for at-risk populations, including children, pregnant women, and patients in rural communities.

Hackers are thought to have used spear phishing emails to target HHS staff, who were tricked into disclosing credentials that allowed access to the grantees’ accounts. The HHS provided a statement at the time confirming the incident had been reported to the HHS’ Office of Inspector General; however, in January, an HHS OIG spokesperson could neither confirm nor deny that an investigation had been launched into the incident.

In his letter to HHS Secretary Xavier Becerra, Sen. Cassidy said the HHS did not notify Congress about the incident and has so far failed to publicly acknowledge the breach, even though federal law requires government agencies to disclose major cyberattacks. Sen. Cassidy said any disruption to grant funding can place healthcare facilities under significant financial strain and the delay in receiving grant awards could delay life-saving care to patients. Cyberattacks on healthcare organizations are increasing and the HHS has issued regular guidance to HIPAA-regulated entities on the steps that should be taken to improve cybersecurity and has recently announced voluntary cybersecurity performance goals for the HPH sector. Senator Cassidy said, “This attack raises serious questions about HHS’ ability to safeguard its own systems and protect taxpayer funds and sensitive data.”

Senator Cassidy also criticized the HHS for the lack of transparency about the breach and its incident response.  “HHS’ lack of transparency and communication regarding this breach, including communication to Congress as required by law, undermines the public trust and suggests that the Federal government is not prepared to protect patients against cybersecurity attacks,” wrote Sen. Cassidy. “Americans entrust HHS to safeguard taxpayer dollars from cyberattacks. An unauthorized breach of this nature requires transparency from HHS about the facts at issue, and leadership from HHS to take the necessary steps to ensure that it does not happen again.”

Sen. Cassidy has demanded answers about when the HHS identified the breach of its Payment Management Services (PMS) system, when the system was accessed by hackers, how many grantees were affected, how much was stolen, when the HHS notified the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) about the breach, whether the attack delayed any payments of grant awards, and what steps the HHS has taken to try to recover the stolen funds. Questions were also asked about the safeguards that were in place prior to the attack, its internal incident response plan, the steps that have been taken to identify and address any vulnerabilities in HHS systems, and how the HHS can justify failing to notify Congress. Sen. Cassidy has requested answers on a question-by-question basis by April 5, 2024.

A spokesperson for the HHS confirmed that the HHS has been in regular contact with Congress about the incident and is working to ensure that the affected grantees will have access to the funds that they were awarded. “The event in December was a targeted fraud campaign against the Payment Management System, not a cyberattack,” said the HHS spokesperson. “HHS promptly reported the incident to the HHS Office of Inspector General. As federal stewards of the taxpayer dollar, we take this issue with the utmost importance.”

The post Senator Cassidy Demands Answers About HHS Cyberattack and $7.5M Theft appeared first on HIPAA Journal.

Five Eyes Agencies Urge Critical Infrastructure to Take Volt Typhoon Threat Seriously

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and other U.S. and international partners have issued a joint fact sheet warning critical infrastructure entities to take the threat of attacks by Chinese state-sponsored actors seriously. The warning follows on from a February 2024 cybersecurity alert about an advanced persistent threat group known as Volt Typhoon, which was discovered to have embedded itself in the networks of many critical infrastructure entities, including transportation, energy, communications, and water and wastewater systems. The intrusions are believed to be strategic, with the threat actors maintaining persistent access to potentially disrupt or destroy critical services in the event of increased geopolitical tension or military conflicts.

Volt Typhoon uses living-of-the-land techniques rather than malware to maintain access to compromised networks and conduct its activities to evade detection. The extent of the compromises has yet to be determined but they could be extensive. Many critical infrastructure entities have had systems compromised and efforts are ongoing to ensure the threat actors are removed from those systems.

The fact sheet provides leaders of critical infrastructure entities with guidance to help them prioritize the protection of critical infrastructure and functions. The issuing agencies urge leaders to recognize cyber risk as a core business risk, which is essential for good governance and national security. Leaders should empower cybersecurity teams to make informed resourcing decisions to better detect and defend against Volt Typhoon intrusions and malicious cyber activities, such as implementing cybersecurity performance goals. Cybersecurity teams should also be empowered to effectively apply detection and hardening best practices, the staff should receive continuous cybersecurity training and skill development, and organizations should develop and test comprehensive information security plans and drive a cybersecurity culture in their organization.

Leaders have also been advised to secure their supply chains by establishing strong vendor risk management processes, exercising due diligence, selecting vendors that adhere to secure-by-design principles, ensuring vendors have patching plans, and limiting usage of any product that breaks the principle of least privilege.

The post Five Eyes Agencies Urge Critical Infrastructure to Take Volt Typhoon Threat Seriously appeared first on HIPAA Journal.

HPH Sector Warned About Email Bombing Attacks

Healthcare organizations have been warned about the threat of email bombing attacks, which are a type of denial-of-service (DoS) attack that targets email systems. As with other types of DoS attacks, the aim is to render systems unavailable. These attacks, also known as mail bomb or letter bomb attacks, usually involve a botnet – a network of malware-infected computers under the control of an attacker.

Once a target is selected, an email server is flooded with hundreds or thousands of email messages that overload the email system. These attacks are an inconvenience for the victim; however, these attacks can hide other malicious activities. For example, security warnings may be hidden within all the emails making it easier for those warnings to be missed. Those warning emails may be about account sign-in attempts, updates to account information such as changes to contact information, information about financial transactions, or online order confirmations. These attacks can also be used as a smokescreen to draw the attention of security teams while other systems are attacked. When email servers are targeted in email bombing attacks, network performance is often downgraded which can potentially lead to direct business downtime.

There are various types of email bombing attacks, one of the most common of which is registration bombs. These attacks use automated bots to crawl the web to find newsletter sign-up forms on legitimate websites. The targeted user is then signed up to hundreds or thousands of newsletters all at once, resulting in the user getting a steady flow of unwanted emails. An alternative form of this attack involves link listing, where email addresses are added to multiple subscription services that do not require verification. These attacks can result in emails being received for months or even years after the initial attack. In addition, victims’ email addresses are often added to various smalling, phishing, and malware lists.

Attachment attacks involve sending multiple emails with large attachments, which are designed to slow down mail delivery and overload server storage space, rendering email servers unresponsive. A zip bomb attack, aka a decompression bomb or zip of death attack, involves a large, compressed archive being sent to an email address, which consumes available server resources when decompressed, thus impacting server performance. Email bombing attacks may be conducted by a single actor or a group of actors, and threat actors offer these types of services on the dark web. One well-known seller of these services charges $15 for every 5,000 messages, with costs reducing based on the volume of messages required. E.g. $30 for 20,000 messages.

In a recent HC3 Sector Alert, the HHS Health Sector Cybersecurity Coordination Center (HC3) provided an example of a damaging attack in 2016 where an unknown group of assailants subjected thousands of  .gov email inboxes to an email bombing attack that used subscription requests for legitimate companies. The attack rendered the email system unavailable for several days. “Organizations and individuals are encouraged to implement protections, security policies, and address user behavior in order to prevent future attacks,” said HC3. “Given the potential implications of such an attack on the HPH sector, especially concerning unresponsive email addresses, downgraded network performance, and potential downtime of servers, this type of attack remains relevant to all users.”

HC3 offered advice on how to defend against these attacks and mitigations for organizations that experience an email bombing attack. To defend against attacks, user behavior, and technical processes are suggested, such as covering these types of attacks in security awareness training and advising employees not to sign up for non-work-related services with their work email addresses. Online exposure can also be limited by using contact forms that do not expose email addresses. Employees should be told how they can recognize an attack in progress, and if one occurs, told never to engage as doing so can easily result in escalation. In the event of an attack, employees should immediately contact their IT or cybersecurity team.

Businesses can protect against these attacks using reCAPTCHA, which determines if a human is using the platform. reCAPTCHA prevents bots from hijacking sign-up processes that could facilitate email bombing attacks. In the event of an attack, email administrators should contact their email provider, who may be able to offer assistance in deleting the spam/junk emails from the email system.

The post HPH Sector Warned About Email Bombing Attacks appeared first on HIPAA Journal.

63% of Known Exploited Vulnerabilities Can be Found in Hospital Networks

A typical U.S. hospital has between 10 and 15 medical devices per bed, which means a 1,000-bed hospital could have around 15,000 medical devices. Those devices include imaging devices, clinical IoT devices, and surgery devices, and they significantly increase the attack surface. A vulnerability in any of those devices could be exploited by a threat actor to gain access to the internal network and sensitive data, especially vulnerabilities in internet-facing devices.

Research conducted by the cyber-physical systems (CPS) protection company Claroty – published in Claroty’s State of CPS Security Report: Healthcare 2023 Report – has revealed hospitals are not keeping their medical devices up to date. The researchers found that 63% of the vulnerabilities in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog can be found on healthcare networks, 23% of medical devices have at least one known exploited vulnerability, and 14% of medical devices are running an unsupported or end-of-life operating system.

The study found 22% of hospitals have connected devices that bridge guest networks and internal networks and 4% of the medical devices used in surgeries can be accessed from guest networks at hospitals. Guest networks provide visitors and patients with Wi-Fi access and they are generally the least well-secured and the most exposed place for medical devices to be connected. The researchers looked at medical devices that are remotely accessible and found many of the remotely accessible devices have a high consequence of failure, such as devices that defibrillators, robotic surgery systems, and defibrillator gateways. 66% of imaging devices, 54% of surgical devices, and 40% of patient devices were found to be remotely accessible.

The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood that a software vulnerability will be exploited in the wild. The researchers examined devices with high EPSS scores and 11% of patient devices – such as infusion pumps – and 10% of surgical devices had vulnerabilities with high EPSS scores. 85% of devices with unsupported operating systems had vulnerabilities with high EPSS scores.

Keeping medical devices up to date is challenging. Medical devices are in constant use, and updating software or firmware and applying patches means those devices are made temporarily unavailable. Hospitals must also contend with 360 medical device manufacturer (MDM) patch certification programs to ensure compliance requirements and verify that products provide reasonable protection against risk. While the majority (93%) of critical vulnerabilities in CISA’s KEV Catalog can be fixed with an operating system update or vendor patch, it often takes months for MDMs to certify a patch before it can be applied to an individual device. During that time, devices are vulnerable to attack. Another problem with defending medical devices is hospitals often do not have a complete and up-to-date inventory of all medical devices connected to the network, and defenders cannot adequately protect devices that they are blind to.

Claroty recommendations are for hospitals to develop cybersecurity policies and strategies that stress the need for resilient medical devices and systems that can withstand intrusions. They should limit remote access to endpoints, secure remote access through proper provisioning of credentials, ensure that multifactor authentication is enabled, restrict third-party connections from vendors and contractors, and conduct regular and continuous vulnerability scanning of assets that are exposed to the internet. Hospitals must also ensure they have complete visibility into the medical devices connected to their networks and the inventories should list whether assets are internet-facing. Defenders can then prioritize patching those assets as they are the ones that are most likely to be targeted by threat actors.

The post 63% of Known Exploited Vulnerabilities Can be Found in Hospital Networks appeared first on HIPAA Journal.