Healthcare Cybersecurity

Cybersecurity Awareness Month: Fight the Phish!

According to the Verizon Data Breach Investigations Report, phishing accounted for around 80% of all reported phishing attacks in 2019, and since the pandemic began in 2020, phishing attacks and associated scams have been thriving. In 2020, 74% of US organizations experienced a successful phishing attack.

Phishing attacks typically use emails or malicious websites – or both – to obtain sensitive information such as login credentials or to infect devices with malware and viruses. Phishing attacks involve a lure to get the recipient to take a certain action, such as clicking on a hyperlink in an email or opening a malicious email attachment. Email addresses, sender names, phone numbers, and website URLs are often spoofed to trick people into believing they are interacting with a familiar and trusted source.

The 2021 Cost of Phishing Study conducted by the Ponemon Institute/Proofpoint suggests the cost of phishing attacks has quadrupled over the past 6 years, with large U.S. firms now losing an average of $14.83 million a year to phishing attacks. An average-sized U.S. company employing 9,567 people loses around 63,343 hours every year to phishing attacks, with the cost equating to around $1,500 per employee.

Phishing is the starting point of the costliest cyberattacks. In 2020, more than $1.8 billion was fraudulently obtained in Business Email Compromise (BEC) attacks, with the average cost of a BEC attack now $5.97 million. Phishing is often the starting point of ransomware attacks, which can have mitigation costs of the order of tens of millions of dollars. On average, an attack costs $996,000 to resolve.

Phishing may be the most common way for cybercriminals to gain access to email accounts, networks, and sensitive data, but these attacks can easily be prevented with the right technology and user training.

Organizations need to implement email security gateways/spam filtering solutions for all email accounts. This technical measure alone will prevent the majority of phishing emails from arriving in inboxes. Antivirus software and firewalls should be used to protect all endpoints, including computers, phones, tablets, and Internet of Things devices. These solutions should be regularly updated, ideally automatically.

Multi-factor authentication should be used on all accounts that require passwords to log in. In the event of a password being obtained in a phishing attack, multi-factor authentication will prevent the password alone from providing access to the user’s account. Microsoft explained in a 2019 blog post that multi-factor authentication blocks more than 99.9% of account compromise attacks.

Employees are the last line of defense in an organization, so it is vital for security awareness training to be provided. Employees need to be taught cybersecurity best practices to eradicate risky behaviors and must learn how to identify and avoid phishing attacks.

Employees should be made aware of the red flags in phishing emails, such as calls to action to open attachments or click links, unusual wording and formatting, spelling and grammatical errors, threats of negative consequences if rapid action is not taken, and too-good-to-be-true offers. If any red flags are identified, it is vital to verify the source of the email or text message and to make contact with the sender through a known channel to confirm a request is authentic. Employees should be conditioned to stop and think before taking any action requested in an email or text message and never to respond, open attachments, or click links in messages if there is any doubt about the sender or request.
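The same red flags can be turned into triage logic for a mail-security or help-desk workflow. The following is an added example, not code from HIPAA Journal or any vendor named on this page: it scores a parsed message on four of the flags above (a display name that impersonates the organization while the real address is external, link text that shows one destination while the link goes to another, urgency or threat wording, and attachment types commonly used to carry malware). The organization domain, phrase list, extension list and sample messages are all constructed for the example.

```python
"""Heuristic phishing red-flag scorer over parsed e-mail messages (added example)."""
import re
from urllib.parse import urlparse

# Constructed, illustrative values; tune them for your own environment.
OWN_DOMAINS = {"example-hospital.org"}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".iso", ".docm", ".xlsm", ".html"}
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "will be suspended", "final notice",
    "verify your account", "urgent action", "you have won",
)

FROM_RE = re.compile(r'^\s*"?(.*?)"?\s*<([^>]+)>\s*$')           # Display <addr>
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r'https?://[^\s<"]+', re.I)


def split_from(header: str):
    """Simplified From: parse -> (display name, address); not a full RFC 5322 parser."""
    m = FROM_RE.match(header)
    return (m.group(1), m.group(2).strip()) if m else ("", header.strip())


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def red_flags(msg: dict) -> list:
    """Return [(flag, detail), ...] for one message.

    msg keys: "from" (header value), "subject", "body" (may contain HTML),
    "attachments" (list of file names). Each check mirrors one red flag from
    the text; none of them alone proves the message is phishing.
    """
    flags = []
    display, addr = split_from(msg.get("from", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display name claims the organization, real sender is somewhere else.
    if sender_domain not in OWN_DOMAINS and any(d in display.lower() for d in OWN_DOMAINS):
        flags.append(("spoofed-display-name", f"{display!r} sent from {sender_domain}"))

    # 2. Visible link text names one host, the href points at another.
    for href, text in ANCHOR_RE.findall(msg.get("body", "")):
        shown = URL_LIKE_RE.search(text)
        if shown and host_of(shown.group(0)) != host_of(href):
            flags.append(("link-mismatch", f"shows {host_of(shown.group(0))}, goes to {host_of(href)}"))

    # 3. Pressure to act now, with tags stripped so HTML mail is searched too.
    text = (msg.get("subject", "") + " " + re.sub(r"<[^>]+>", " ", msg.get("body", ""))).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append(("urgency", ", ".join(hits)))

    # 4. Attachment types that commonly deliver malware.
    for name in msg.get("attachments", []):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(("risky-attachment", name))
    return flags


def triage(msg: dict) -> str:
    """Map the flag count onto a playbook verdict."""
    n = len(red_flags(msg))
    return "block" if n >= 2 else "review" if n == 1 else "deliver"


# Constructed sample messages.
SUSPECT = {
    "from": "helpdesk@example-hospital.org <alerts@mail-verify.example>",
    "subject": "Final notice: password expires today",
    "body": ('Your account will be suspended unless you verify your account '
             '<a href="http://login.mail-verify.example/reset">'
             'https://portal.example-hospital.org/reset</a>'),
    "attachments": ["Password_Policy.docm"],
}
BENIGN = {
    "from": "Jane Doe <jane.doe@example-hospital.org>",
    "subject": "Agenda for Thursday",
    "body": "Attached is the agenda. See you Thursday.",
    "attachments": ["agenda.pdf"],
}

if __name__ == "__main__":
    for m in (SUSPECT, BENIGN):
        print(m["subject"], "->", triage(m), red_flags(m))
```

Heuristics like these belong in front of a human or a sandbox, not as the sole gate: a message with no flags is not proven safe, and spelling mistakes or unusual formatting, also on the list above, are deliberately left to the reader because they produce too many false positives to encode this simply.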

According to Verizon, “There is some cause for hope in regard to phishing, as click rates from the combined results of multiple security awareness vendors are going down.” In 2012, phishing email click rates were around 25% but by 2019 they had fallen to around 3% as a result of improved awareness of phishing and more extensive end user training.

Given the scale of the threat from phishing, once-a-year security awareness training sessions are no longer sufficient. While annual training may meet the minimum requirement for compliance with HIPAA, it is not sufficient to reduce the risk of a successful attack to a low and acceptable level. Security awareness training for the workforce needs to be an ongoing process, with regular training provided throughout the year accompanied by phishing simulation exercises where the phishing identification skills of employees are put to the test. Through training and phishing simulation exercises, susceptibility to phishing attacks can be greatly reduced.

CISA has produced a tip sheet for Cybersecurity Awareness Month to help individuals fight the phish.

The post Cybersecurity Awareness Month: Fight the Phish! appeared first on HIPAA Journal.

FIN12 Ransomware Gang Actively Targeting the Healthcare Sector

Ransomware is currently the biggest cyber threat faced by the healthcare industry. Attacks often cripple healthcare IT systems for weeks or months and prevent medical records from being accessed. One study by the Ponemon Institute/Censinet shows attacks result in treatment delays, an increase in complications, poorer patient outcomes, and an increase in mortality rates.

Several ransomware gangs have publicly stated they will not attack the healthcare industry, but that is certainly not true of FIN12. According to a recently published analysis of the ransomware actor by Mandiant, around 20% of the attacks conducted by the group have been on the healthcare industry.

FIN12 is a prolific ransomware actor that focuses on big game targets. Almost all the victims of FIN12 have annual revenues over $300 million, with an average of almost $6 billion. FIN12 has been active since at least 2018 and has largely targeted North America where 85% of its attacks have occurred, although the gang has recently expanded geographically and now also conducts attacks in Europe and the Asia Pacific region. The most frequently targeted industries are healthcare, education, financial, manufacturing, and technology.

Mandiant says FIN12 is the most prolific ransomware actor it tracks that focuses on high value targets. Around 20% of all ransomware incidents the company responds to are conducted by FIN12, which makes it the most frequently encountered ransomware deployment actor.

The reason why FIN12 targets the healthcare industry when many ransomware-as-a-service operations do not attack the healthcare sector is not entirely clear. Mandiant suggests the need for healthcare providers to regain access to patient data quickly is likely the key factor. Healthcare providers are more likely to pay the ransom and more likely to pay the ransom quickly, whereas negotiations with victims in other sectors may drag on for weeks.

Mandiant believes FIN12 is a specialist ransomware deployment actor that uses initial access brokers (IABs). IABs provide the access and credentials FIN12 requires to conduct its attacks. IABs typically receive a cut of any ransom payments that are generated, although some ransomware operations pay a flat rate for access. Mandiant has seen evidence that FIN12 pays a percentage of the ransom to the IAB, usually around 30%-35%.

One of the IABs extensively used by FIN12 is TrickBot, a botnet operation that sells persistent access to victims’ networks. The group has also partnered with the BazarLoader operation, and more recently has branched out and appears to have purchased credentials to log in to Citrix environments. FIN12 most commonly deploys Ryuk ransomware, a ransomware variant that is capable of spreading throughout a network and infecting and encrypting data on multiple systems.

In contrast to many ransomware actors which spend weeks inside a victim’s network before deploying ransomware, FIN12’s attacks are rapid and have an average time-to-ransom (TTR) of less than 4 days. The gang appears to be prioritizing speed in its attacks as the TTR has been decreasing. Some of the recent attacks have had a TTR of just 2.5 days. “These efficiency gains are enabled by their specialization in a single phase of the attack lifecycle, which allows threat actors to develop expertise more quickly,” says Mandiant.

Mandiant says the gang stands out from other ransomware actors because it only rarely engages in multifaceted extortion. It is now very common for data to be exfiltrated prior to the use of ransomware and for ransomware gangs to threaten to publish the stolen data if victims do not pay. Mandiant suggests FIN12’s decision not to engage in data theft is likely due to the effect it would have on the TTR: in the attacks where FIN12 did exfiltrate data, the TTR was around 12.5 days.

While victims may be more likely to pay the ransom due to the threat of public shaming and data exposure, there is also a much higher risk of detection prior to file encryption. “FIN12’s apparent success without the need to incorporate additional extortion methods likely suggests the notion that they do not believe spending additional time to steal data is worth the risk of having their plans to deploy ransomware thwarted,” suggests Mandiant.


Ransom Disclosure Act Requires Disclosure of Payments to Ransomware Gangs Within 48 Hours

A new bill has been introduced that requires victims of ransomware attacks to disclose any payments made to the attackers to the Department of Homeland Security (DHS) within 48 hours of the ransom being paid.

The Ransom Disclosure Act was introduced by Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) and aims to provide the DHS with the data it needs to investigate ransomware attacks and improve understanding of how cybercriminal enterprises operate, thus allowing the DHS to gain a much better picture of the ransomware threat facing the United States.

Between 2019 and 2020 ransomware attacks increased by 62% worldwide, and by 158% in the United States. The Federal Bureau of Investigation (FBI) received 2,500 complaints about ransomware attacks in 2020, up 20% from the previous year and there were more than $29 million in reported losses to ransomware attacks in 2020. Not all ransomware attacks are reported. Many victims choose to quietly pay the attackers for the keys to decrypt their data and prevent the public disclosure of any data stolen in the attack.

Chainalysis believes almost $350 million in cryptocurrency was paid to ransomware gangs globally in 2020, which is a year-over-year increase of 311%. Attacks have continued to increase in 2021. According to Check Point’s mid-year security report, in the first half of 2021, there were 93% more ransomware attacks than the corresponding period last year.

As the ransomware attack on Colonial Pipeline demonstrated, the gangs behind these attacks pose a significant national security threat. That attack resulted in the closure of a major fuel pipeline for around a week. The attack on JBS Foods threatened food production, and the huge number of attacks on the healthcare industry has affected the ability of healthcare providers to provide care to patients. This year, CISA said ransomware attacks delay care and affect patient outcomes, and there has already been a death in the United States which is alleged to have been due to a ransomware attack.

Ransomware attacks are continuing to increase because they are profitable and give ransomware gangs and their affiliates a good return on investment. There is also little risk of being caught and brought to justice. Unfortunately, investigations of ransomware gangs can be hampered by a lack of data, hence the introduction of the Ransom Disclosure Act.

“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” said Senator Warren. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises – and help us go after them.”

While the FBI encourages the reporting of ransomware attacks to assist with its investigations, reporting attacks is not mandatory. “Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions,” said Congresswoman Ross. “I’m proud to introduce this legislation with Senator Warren which will implement important reporting requirements, including the amount of ransom demanded and paid, and the type of currency used. The U.S. cannot continue to fight ransomware attacks with one hand tied behind our back.”

The Ransom Disclosure Act will require:

  • Ransomware victims (except individuals) to disclose any ransom payments within 48 hours of the date of payment, including the amount, the currency used, and any information that has been gathered on the entity demanding the ransom.
  • The DHS to publish information disclosed during the previous year about the ransoms paid, excluding identifying information about the entities who paid.
  • The DHS to set up a website for individuals to voluntarily report ransom payments.
  • The Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated the attacks, and to make recommendations for protecting information systems and strengthening cybersecurity.


Medtronic Recalls MiniMed Remote Controllers Due to Serious Cybersecurity Vulnerability

The Food and Drug Administration (FDA) has issued a warning to users of Medtronic wireless insulin pumps about a serious security vulnerability affecting certain remote controllers.

MiniMed insulin pumps deliver insulin for the management of diabetes and the pumps are supplied with an optional remote controller device that communicates wirelessly with the insulin pump. A security researcher has identified a cybersecurity vulnerability in older models of remote controllers that use previous-generation technology that could potentially be exploited to cause harm to users of the pumps.

The cybersecurity vulnerability could be exploited by an unauthorized person to record and replay the wireless communication between the remote and the MiniMed insulin pump. Using specialist equipment, an unauthorized individual in the vicinity of the insulin pump user could send radio frequency signals to the insulin pump to instruct it to over-deliver insulin to a patient or stop insulin delivery. Over-delivering insulin could result in dangerously low blood sugar levels and stopping insulin delivery could result in diabetic ketoacidosis and even death.
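Record-and-replay works whenever a command channel has no notion of freshness: a valid frame stays valid forever, so it can be resent later. The following is an added teaching example, not Medtronic’s protocol or code (the frame layout, field names and pairing key are all constructed), contrasting a naive receiver with one that binds a monotonically increasing sequence number to each command under a keyed MAC. The sequence check only runs after the MAC verifies, so an unauthenticated frame can neither be accepted nor used to advance the receiver’s counter.

```python
"""Replay acceptance vs. counter-plus-MAC rejection on a toy command channel (added example)."""
import hashlib
import hmac
import struct

PAIRING_KEY = b"constructed-pairing-key-not-a-real-device-key"  # shared by remote and pump
TAG_LEN = 32  # HMAC-SHA256 digest length


class NaivePump:
    """Accepts any well-formed frame: a captured frame is just as valid the second time."""

    def __init__(self):
        self.delivered = 0.0

    def receive(self, frame: bytes) -> bool:
        (units,) = struct.unpack(">f", frame)
        self.delivered += units
        return True


def naive_frame(units: float) -> bytes:
    return struct.pack(">f", units)


class ProtectedPump:
    """Verifies HMAC(seq || units) and requires seq to increase strictly."""

    def __init__(self, key: bytes):
        self.key = key
        self.delivered = 0.0
        self.last_seq = 0  # highest sequence number already acted on

    def receive(self, frame: bytes) -> str:
        if len(frame) != 8 + TAG_LEN:
            return "malformed"
        body, tag = frame[:8], frame[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"          # forged or tampered: never touches the counter
        seq, units = struct.unpack(">If", body)
        if seq <= self.last_seq:
            return "replay"           # authentic, but already seen
        self.last_seq = seq
        self.delivered += units
        return "ok"


class Controller:
    """Remote side: increments its counter and signs each command."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def bolus(self, units: float) -> bytes:
        self.seq += 1
        body = struct.pack(">If", self.seq, units)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


def replay_against_naive() -> float:
    """One captured 1.0-unit frame, delivered twice: the pump cannot tell."""
    pump = NaivePump()
    frame = naive_frame(1.0)
    pump.receive(frame)
    pump.receive(frame)  # identical bytes resent later
    return pump.delivered


def replay_against_protected() -> list:
    """Same scenario plus a tampered frame; only the first delivery is accepted."""
    remote, pump = Controller(PAIRING_KEY), ProtectedPump(PAIRING_KEY)
    frame = remote.bolus(1.0)
    results = [pump.receive(frame), pump.receive(frame)]
    tampered = frame[:4] + struct.pack(">f", 5.0) + frame[8:]  # units changed, tag stale
    results.append(pump.receive(tampered))
    return results


if __name__ == "__main__":
    print("naive pump delivered:", replay_against_naive())        # 2.0
    print("protected pump results:", replay_against_protected())  # ['ok', 'replay', 'bad-mac']
```

A counter and MAC address replay and tampering, not the rest of the problem: the key still has to be provisioned and kept secret, the counter has to survive a reboot, and none of this can be retrofitted to hardware that cannot be updated, which is why the page’s remedy for these older controllers is removal rather than a patch.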

Medtronic MiniMed 508 insulin pumps and the MiniMed Paradigm family of insulin pumps were already the subject of a product recall. Cybersecurity vulnerabilities had previously been identified in the pumps that could not be adequately mitigated through updates or patches.

The latest security issue has seen Medtronic expand the product recall to include all MiniMed Remote Controllers (models MMT-500 and MMT-503), which are used with the Medtronic MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps.

Medtronic has not been manufacturing or distributing the affected remote controllers since July 2018, but the devices are still used by certain patients, healthcare providers, and caregivers.

This is a Class 1 product recall – the most serious category – as the issues with the remote controllers could result in serious injury or death. The FDA says there have been no reported cases of the vulnerabilities in the devices being exploited to cause harm to patients.

The FDA says users should immediately stop using the affected remote controller, turn off the easy bolus feature, turn off the radio frequency function, delete all remote controller IDs programmed into the pump, disconnect the remote controller from the insulin pump, and return the remote controller to Medtronic.


Insider Threat Self-Assessment Tool Released by CISA

Public and private sector organizations have a new tool to help them assess their level of vulnerability to insider threats. The new Insider Threat Risk Mitigation Self-Assessment Tool has been created by the Cybersecurity and Infrastructure Security Agency (CISA) to help users further their understanding of insider threats and develop prevention and mitigation programs.

In healthcare, security efforts often focus on the network perimeter and implementing measures to block external threats, but insider threats can be just as damaging, if not more so. Insiders can steal sensitive information for financial gain, can take information to provide to their next employer, or can abuse their privileged access to cause significant harm.

Insider breaches can have major consequences for businesses, which may include reputation damage, loss of revenue, theft of intellectual property, reduced market share, and even physical harm. CISA says insider threats can include current and former employees, contractors, or other individuals with inside knowledge about a business. The threat posed by insiders can be considerable due to the knowledge those individuals have about a business and the fact they are trusted and have privileged access to systems and sensitive data.

Large organizations are likely to have conducted risk assessments and put measures in place to mitigate insider threats. Small- and medium-sized businesses tend to have limited resources and may not have assessed their risk level and are most likely to benefit from using the new tool.

The tool consists of a series of questions that will establish the level of vulnerability to insider threats and will provide feedback to users to help them develop appropriate mitigations to guard against insider threats and reduce risk to a low and acceptable level.

“CISA urges all our partners, especially small and medium businesses who may have limited resources, to use this new tool to develop a plan to guard against insider threats. Taking some small steps today can make a big difference in preventing or mitigating the consequences of an insider threat in the future,” said CISA Executive Assistant Director for Infrastructure Security David Mussington.


Survey Reveals 24% of Healthcare Employees Have Had No Security Awareness Training

Entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) are required to provide security awareness training to the workforce, but a new report suggests training is lacking at many HIPAA-regulated entities.

The security awareness training and phishing simulation platform provider KnowBe4 commissioned Osterman Research to conduct a survey on 1,000 U.S. employees to determine their level of knowledge about security threats and how much training they have been given. The findings of the survey were published in the KnowBe4 2021 State of Privacy and Security Awareness Report.

The survey revealed employees are generally confident about password best practices but lacked confidence in other areas of cybersecurity such as identifying social engineering attacks. Only a minority understood threats such as phishing, even though phishing is one of the most common ways that hackers gain access to business networks and corporate data.

Worryingly, less than half of respondents believed clicking a link in an email or opening an attachment could result in their mobile device being infected with malware, and 45% of respondents believe they do not need to implement additional cybersecurity safeguards because they do not work in the IT department.

Changing that thinking is one of the goals of National Cybersecurity Awareness Month, which this year has the theme “Do Your Part. #BeCyberSmart.” The aim of this initiative is to empower individuals and organizations to own their role in protecting their part of cyberspace, and that means all individuals, not only those in the IT department.

Security awareness training courses should explain cybersecurity best practices and teach employees how to practice good cyber hygiene in order to eliminate risky behaviors. It is also vital to teach employees how to identify and avoid phishing emails, and the procedures to follow if suspicious emails are received. Through training it is possible to reduce susceptibility to phishing emails and malware attacks and develop a security culture in an organization; however, that will only be achieved by providing continuous training to employees.

The healthcare industry ranked second highest behind government for continuous security awareness training in 2020. 59% of healthcare respondents said their employer continued to provide security awareness training throughout 2020; however, the survey revealed 24% of healthcare respondents said their employer had not provided any security awareness training.

Out of all industry sectors, healthcare employees were the least aware of social engineering threats such as phishing and business email compromise (BEC), with only 16% of healthcare employees saying they understood those threats very well.

If adequate training is not provided, employees cannot be expected to recognize and avoid threats and HIPAA-regulated entities will face a much higher risk of suffering costly data breaches. In the event of an audit or data breach investigation, if training is found to be lacking OCR may impose substantial financial penalties. The failure to provide any security awareness training is a clear violation of the HIPAA Security Rule and was one of the violations cited in OCR’s enforcement action against West Georgia Ambulance in 2019.

Regular security awareness training will ensure employees have the skills they need to identify and avoid cyber threats. KnowBe4 says when employees are provided with training once a month they are 34% more likely to believe clicking a link in an email is a risky behavior than employees that only receive training once or twice a year.

The survey also showed there is considerable confusion about the need for HIPAA compliance. 61% of respondents in healthcare knew that their organization was required to comply with HIPAA, but 19% said they were unsure. 20% said they knew or believed their organization was not a HIPAA-regulated entity. There was also uncertainty about the need to comply with other privacy and security regulations, with around half of respondents unsure if their organization had to comply with the California Privacy Rights Act, Family Educational Rights and Privacy Act (FERPA) and the EU’s General Data Protection Regulation (GDPR).

“That’s a problem. As with cybersecurity, employees are the last line in addressing privacy issues, and so they must know that privacy protections must be applied to the customer data they handle,” said KnowBe4 in the report. “The fact that such a large proportion of employees is simply not sure whether their employer is subject to various privacy regulations does not bode well for organizations’ ability to adequately process information that is subject to privacy regulation.”


Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death

A medical malpractice lawsuit has been filed against an Alabama Hospital alleging vital information that could have prevented the death of a baby was not available due to a ransomware attack.

Springhill Medical Center in Mobile, AL suffered a ransomware attack in 2019 which caused widespread encryption of files and a major IT system outage. Computer systems were taken offline for 8 days, during which time care continued to be provided to patients with staff operating under the hospital’s emergency protocol during the downtime. With no access to computer systems patient information was recorded on paper charts.

Following the attack, Springhill Medical Center issued a statement about the incident and said it had no impact on patient care, “We’d like to assure our patients and the community that patient safety is always our top priority and we would never allow our staff to operate in an unsafe environment.”

During the system downtime, Teiranni Kidd arrived at the hospital to have her baby delivered. Her baby was born on July 17, 2019, but tragically the umbilical cord had become wrapped around the baby’s neck, resulting in severe brain damage. Following the birth, Kidd’s daughter Nicko was transferred to a neonatal intensive care unit. Due to the brain damage, Nicko required frequent oxygen supplementation, had to be fed through a gastrointestinal tube, and needed around-the-clock medical care. Nicko died 9 months later, on April 16, 2020.

In January 2020, a lawsuit was filed in the Circuit Court of Mobile County, AL on behalf of Teiranni Kidd, as mother and next friend of Nicko Silar. The lawsuit alleges the hospital failed to inform the plaintiff about the cyberattack and outage, and had the hospital done so, she would have chosen a different hospital for labor and delivery.

The lawsuit alleges physicians and nurses at Springhill Medical Center failed to conduct multiple tests prior to the birth which would have revealed the umbilical cord had wrapped around the baby’s neck and that those tests were not conducted due to the distraction caused by the ransomware attack.

The lawsuit alleges a wireless tracker used to locate medical staff was out of order, patient health records were inaccessible, and electronic systems that provided fetal tracing information were also not working. The lawsuit alleges patient information was not available at the nurses’ station and the only fetal monitoring information was a paper record at the patient’s bedside in the labor and delivery room.

“As a result, the number of healthcare providers who would normally monitor [the plaintiff’s] labor and delivery were substantially reduced and important safety-critical layers of redundancy were eliminated,” according to the lawsuit, which claims medical malpractice and wrongful death.

“Defendant Springhill Memorial Hospital planned, orchestrated, and implemented a scheme by hospital management and ownership in which they conspiratorially hid, suppressed, and failed to disclose critical patient safety-related information, and further created a false, misleading, and deceptive narrative concerning the July 2019 cyberattack by deliberately failing to disclose critical factual information,” according to the lawsuit.

The lawsuit alleges that as a proximate consequence of the non-disclosure of the attack and outage, the baby suffered “personal injuries and general damages, including permanent injury from which she died.” The hospital has denied any wrongdoing.

Following a ransomware attack, hospitals continue to provide medical services to patients in their care and follow their emergency protocols and switch to recording patient information on paper charts and conducting normally automated processes manually. It is common for emergency patients to be redirected to alternative facilities as a precaution while systems are restored and access to medical records is regained.

This is the first case where a ransomware attack is alleged to have resulted in a patient death, although it is not the only attack where patient safety has been put at risk. Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a report on healthcare ransomware attacks during the pandemic and confirmed the impact they have had on patient care and outcomes. “Although there are no deaths directly attributed to hospital cyberattacks, statistical analysis of an affected hospital’s relative performance indicates reduced capacity and worsened health outcomes, which can be measured in the time of the COVID-19 pandemic in excess deaths,” explained CISA in the report.

Also, a recent survey on IT and IT security professionals at healthcare delivery organizations in the United States conducted by the Ponemon Institute on behalf of cybersecurity risk management firm Censinet revealed respondents believed ransomware attacks resulted in an increase in the length of patient stays in hospital, delays in testing, and an increase in medical complications. 22% of respondents believed there was an increase in patient mortality after a ransomware attack.


Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart

October is Cybersecurity Awareness Month, a full month in which the importance of cybersecurity is highlighted and resources are made available to help organizations improve their security posture through the adoption of cybersecurity best practices and improved security awareness of the workforce.

Cybersecurity Awareness Month was launched by the National Cyber Security Alliance and the United States Department of Homeland Security in 2004 to raise awareness of the importance of cybersecurity. Each year has a different theme, although the overall aim is the same: to empower individuals and the organizations they work for to improve cybersecurity and make it harder for hackers and scammers to succeed.

The month is focused on improving education about cybersecurity best practices, raising awareness of the digital threats to privacy, encouraging organizations and individuals to put stronger safeguards in place to protect sensitive data, and highlighting the importance of security awareness training.

This year has the overall theme – “Do Your Part, #BeCyberSmart” – and is focused on communicating the importance of everyone playing a role in cybersecurity and protecting systems and sensitive data from hackers and scammers. Throughout the month, the National Cyber Security Alliance and its partners will be running programs to raise awareness of specific aspects of cybersecurity, with each week of the month having a different theme.

  • Week of October 4 (Week 1): Be Cyber Smart.
  • Week of October 11 (Week 2): Phight the Phish!
  • Week of October 18 (Week 3): Explore. Experience. Share.
  • Week of October 25 (Week 4): Cybersecurity First

Cybersecurity Awareness month kicks off with the theme of “Be Cyber Smart” in week 1, where cybersecurity best practices are highlighted to protect the vast amounts of personal and business data that are stored on Internet-connected platforms.

“This evergreen theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity,” said the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Best practices being highlighted in week 1 are those that businesses and individuals should be implementing. They include always creating strong passwords, implementing multi-factor authentication on accounts, keeping software updated and patching promptly, and creating backups to ensure data can be recovered in the event of a ransomware attack or other destructive cyberattack.

“Since its inception, Cybersecurity Awareness Month has elevated the central role that cybersecurity plays in our national security and economy. This Cybersecurity Awareness Month, we recommit to doing our part to secure and protect our internet-connected devices, technology, and networks from cyber threats at work, home, school, and anywhere else we connect online,” said President Biden in a White House statement announcing the start of Cybersecurity Awareness Month. “I encourage all Americans to responsibly protect their sensitive data and improve their cybersecurity awareness by embracing this year’s theme: ‘Do Your Part. Be Cyber Smart.’”

Each week this month, HIPAA Journal will share information and resources based on the theme of the week that can be used to raise awareness of cybersecurity in your organization and improve your resilience to cyberattacks and privacy threats.

  • Be Cyber Smart – Your Role in Cybersecurity
  • Cybersecurity Basics – How to Secure Your Online Life
  • CISA – Cybersecurity Awareness Tip Sheets


NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued new guidance on selecting and improving the security of Virtual Private Networks (VPN) solutions.

VPN solutions allow remote workers to securely connect to business networks. Data traffic is routed through an encrypted virtual tunnel to prevent the interception of sensitive data and to block external attacks. VPNs are an attractive target for hackers, and vulnerabilities in VPN solutions have been targeted by several Advanced Persistent Threat (APT) groups. APT actors have been observed exploiting vulnerabilities in VPN solutions to remotely gain access to business networks, harvest credentials, remotely execute code on the VPN devices, hijack encrypted traffic sessions, and obtain sensitive data from the devices.

Several common vulnerabilities and exposures (CVEs) have been weaponized to gain access to the vulnerable devices, including Pulse Connect Secure SSL VPN (CVE-2019-11510), Fortinet FortiOS SSL VPN (CVE-2018-13379), and Palo Alto Networks PAN-OS (CVE-2020-2050). In some cases, threat actors have been observed exploiting vulnerabilities in VPN solutions within 24 hours of patches being made available.

Earlier this year, the NSA and CISA issued a warning that APT groups linked to the Russian Foreign Intelligence Service (SVR) had successfully exploited vulnerabilities in Fortinet and Pulse Secure VPN solutions to gain a foothold in the networks of U.S. companies and government agencies. Chinese nation state threat actors are believed to have exploited a Pulse Connect Secure vulnerability to gain access to the networks of the U.S. Defense Industrial Base Sector. Ransomware gangs have similarly been targeting vulnerabilities in VPNs to gain an initial foothold in networks to conduct double-extortion ransomware attacks.

The guidance document is intended to help organizations select secure VPN solutions from reputable vendors that comply with industry security standards and have a proven track record of remediating known vulnerabilities quickly. The guidance recommends only using VPN products that have been tested, validated, and included in the National Information Assurance Partnership (NIAP) Product Compliant List. The guidance recommends against using Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs, which use non-standard features to tunnel traffic via TLS, as this creates additional risk exposure.

The guidance document also details best practices for hardening security and reducing the attack surface, such as configuring strong cryptography and authentication, only activating features that are strictly necessary, protecting and monitoring access to and from the VPN, implementing multi-factor authentication, and ensuring patches and updates are implemented promptly.
