Healthcare Cybersecurity

Researchers Describe Possible Synthetic DNA Supply Chain Attack

A team of researchers at Ben-Gurion University in Israel has described a possible bioterrorist attack scenario in which the supply chain of synthetic DNA could be compromised. DNA synthesis providers could be tricked into producing harmful DNA sequences, bypassing current security controls, and delivering those sequences to healthcare customers.

Synthetic DNA is currently produced for research purposes and is available in many ready-to-use forms. Clients of DNA synthesis providers specify the DNA sequences they require and the DNA synthesis company generates the requested sequences to order and ships them to their customers.

There are safety controls in place to prevent DNA being synthesized that could be harmful, but the Ben-Gurion University researchers point out that those safety checks are insufficient. Hackers could potentially exploit security weaknesses and inject rogue genetic information into the synthesis process, unbeknownst to the customers or DNA synthesis providers. For example, rogue genetic material could be inserted that encodes a harmful protein or toxin.

The researchers describe an attack scenario where a bioterrorist could conduct an attack that sees harmful biological material ordered, produced, and delivered to customers, without the attacker ever having to come into contact with lab components or biological materials. The researchers say the hypothetical attack method they describe is an “end-to-end cyberbiological attack” that can be performed remotely using a computer with a carefully crafted spear phishing email that delivers a malicious browser plug-in.

An attacker could craft a spear phishing email targeting an individual and use social engineering techniques to get them to install a malicious browser plug-in on their computer. When a genuine order is placed for a specific DNA sequence, the attacker would perform a man-in-the-middle attack and change the requested DNA sequence sent to the DNA synthesis provider, without the knowledge of the person submitting the order.

Checks would be performed by the DNA synthesis company to screen out potentially dangerous sequences. Provided those checks are passed, DNA synthesis would begin, and the product would then be shipped to the customer. The sequence would be checked by the customer, but the same malicious plug-in could return the requested sequence. The DNA sequence with the rogue DNA would then be used in the belief it is the sequence requested.

Source: Ben-Gurion University

The research paper describing the threat and the potential attack method – Cyberbiosecurity: Remote DNA Injection Threat in Synthetic Biology – was recently published in Nature Biotechnology. The image above shows the attack process with the malicious steps detailed in red.

The Department of Health and Human Services has produced HHS Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA and requires DNA synthesis providers to screen double stranded DNA. The screening process should highlight any harmful sequences and would ensure that those sequences were not released to customers; however, the researchers point out that there is currently no single, comprehensive database of all pathogenic sequences and it is potentially possible to bypass these checks.

“Currently, the software stack used to develop synthetic genes is loosely secured, allowing the injection of rogue genetic information into biological systems by a cybercriminal with an electronic foothold within an organization’s premises,” explained the researchers. The researchers also demonstrated that through the use of obfuscation, 16 out of 50 DNA samples were not detected by screening systems.

A bioterrorist attack of this nature would be complex, which limits the potential for such an attack to occur, but given the potentially devastating consequences, more rigorous security controls need to be implemented. The current safety mechanisms have been put in place to prevent the deliberate or accidental synthesis of harmful DNA, but the researchers explain that those safety mechanisms have not been adapted to reflect recent developments in synthetic biology and cyberwarfare.

“Biosecurity researchers agree that an improved DNA screening methodology is required to prevent bioterrorists and careless enthusiasts from generating dangerous substances in their labs,” explained the researchers in the report.

The post Researchers Describe Possible Synthetic DNA Supply Chain Attack appeared first on HIPAA Journal.

FBI Issues Warning About Increasing Ragnar Locker Ransomware Activity

Threat actors using Ragnar Locker ransomware have stepped up their attacks and have been targeting businesses and organizations in many sectors, according to a recent private industry alert from the Federal Bureau of Investigation (FBI).

Ragnar Locker ransomware was first identified by security researchers in April 2019, with the first known attack targeting a large corporation that was issued with an $11 ransom demand for the keys to decrypt files and ensure the secure deletion of the 10 terabytes of sensitive data stolen in the attack.

While not named in the FBI alert, the attack appears to have been on the multinational energy company, Energias de Portugal. The gang was also behind the ransomware attacks on the Italian drinks giant Campari and the Japanese gaming firm Capcom.

Since that attack, the number of Ragnar Locker victims has been steadily growing. Attacks have been successfully conducted on cloud service providers, and companies in communication, construction, travel, enterprise software, and other industries.

As with other human-operated ransomware attacks, the threat actors behind Ragnar Locker ransomware conduct targeted attacks to gain a foothold in victims’ networks, then have a reconnaissance phase where they identify network resources, sensitive data, and backup files. Sensitive data is exfiltrated, then the final stage of the attack involves the deployment of ransomware on all connected devices.

The Ragnar Locker gang uses a variety of obfuscation techniques to evade security solutions, with those techniques changing frequently. Ragnar Locker ransomware attacks are easily distinguished, as the encrypted files are given a unique extension – .RGNR_<ID>, with the ID created using a hash of the computer’s NETBIOS name. The attackers also identify themselves in the ransom note dropped on victim devices.

The initial attack vector is commonly Remote Desktop Protocol using stolen credentials or brute-force attempts to guess weak passwords. The gang uses VMProtect, UPX, and custom packing algorithms and encrypts files from Windows XP virtual machines that have been deployed on victims’ networks. The attackers terminate security processes, including programs commonly used by managed service providers to monitor their clients’ networks, and encrypt files on all connected drives. Shadow Volume copies are deleted to make it harder for victims to recover files without paying the ransom.

Many ransomware variants search for files of interest and encrypt files with specific extensions; however, Ragnar Locker will encrypt all files in folders that have not been previously marked to be skipped. The untouched folders include Windows, ProgramData, and web browser directories.
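The unique extension described above gives incident responders a cheap triage signal: the ID segment is constant per host, so grouping matches by ID shows how many hosts have been encrypted, and a sudden run of renamed files in user or share directories is the mass-encryption phase. The following is an added example, not code from the FBI alert or HIPAA Journal; the exact length of the hash-derived ID is not stated on the page, so the "8 or more hexadecimal characters" pattern and the sample file listing are constructed assumptions.

```python
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Ragnar Locker renames encrypted files to <name>.RGNR_<ID>, the ID being derived
# from a hash of the host's NETBIOS name. The ID length is an ASSUMPTION here
# (8+ hex characters); adjust to what is observed in a real incident.
RGNR_RE = re.compile(r"\.RGNR_([0-9A-F]{8,})$", re.IGNORECASE)


def find_encrypted(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, ID) for every path carrying the Ragnar Locker extension."""
    hits = []
    for p in paths:
        m = RGNR_RE.search(p)
        if m:
            hits.append((p, m.group(1).upper()))
    return hits


def hosts_affected(paths: Iterable[str]) -> Counter:
    """Count encrypted files per ID. One ID corresponds to one host, so the number
    of distinct keys is a lower bound on the number of encrypted machines."""
    return Counter(host_id for _, host_id in find_encrypted(paths))


def is_mass_encryption(paths: Iterable[str], threshold: int = 5) -> bool:
    """True when any single host has at least `threshold` renamed files, which is
    the pattern of the final encryption stage rather than a stray sample file."""
    counts = hosts_affected(paths)
    return any(n >= threshold for n in counts.values())


# Constructed sample listing (not real victim data): two hosts, one of them with
# three encrypted documents, plus untouched system and user files.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.RGNR_A1B2C3D4",
    r"C:\Users\alice\Documents\notes.docx.RGNR_A1B2C3D4",
    r"D:\Shares\finance\q3.pdf.RGNR_A1B2C3D4",
    r"C:\Windows\System32\kernel32.dll",       # Windows folder is skipped by the malware
    r"C:\ProgramData\app\config.json",         # ProgramData is skipped as well
    r"C:\Users\bob\report.docx",
    r"\\fileserver\hr\payroll.xlsx.RGNR_FFEE0011",
]

if __name__ == "__main__":
    for path, host_id in find_encrypted(SAMPLE_LISTING):
        print(f"{host_id}  {path}")
    print("hosts affected:", dict(hosts_affected(SAMPLE_LISTING)))
    print("mass encryption:", is_mass_encryption(SAMPLE_LISTING, threshold=3))
```

In practice the listing would come from a file-server audit log or an EDR file-event feed; feeding those events through `hosts_affected` every few minutes turns the extension into a per-host alert rather than a single indicator to search for after the fact.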

The attackers steal data and use the threat of publication to apply pressure on companies to pay the ransom. It may be possible to restore encrypted files from backups, but the threat of the release of sensitive data may be sufficient to ensure the ransom is paid. The gang recently took out Facebook ads using a compromised account to pressure Campari into paying the ransom.

To prevent Ragnar Locker ransomware attacks it is necessary to block the initial attack vector. RDP should be disabled if possible, strong passwords should be set, multi-factor authentication implemented, and all computers and systems should be kept up to date with patches applied promptly. Antivirus software should be installed and set to update automatically, and remote connections should only be possible through a VPN, and never via unsecured, public Wi-Fi networks.

To ensure that files can be recovered in the event of a successful attack, backups should be regularly performed, and copies of backups stored on a non-networked device. The FBI also points out that it should not be possible to modify or delete backups from the system where the data resides.

Free Google Services Abused in Phishing Campaigns

Several phishing campaigns have been identified that are using free Google services to bypass email security gateways and ensure malicious messages are delivered to inboxes.

Phishing emails often include hyperlinks that direct users to websites hosting phishing forms that harvest credentials. Email security gateways use a variety of methods to detect these malicious hyperlinks, including blacklists of known malicious websites, scoring of domains, and visiting the links to analyze the content on the destination website. If the links are determined to be suspicious or malicious, the emails are quarantined or rejected. However, by using links to legitimate Google services, phishers are managing to bypass these security measures and ensure their messages are delivered.

The use of Google services by phishers is nothing new; however, security researchers at Armorblox have identified an uptick in this activity that has coincided with increased adoption of remote working. The researchers identified 5 campaigns abusing free Google services such as Google Forms, Google Drive, Google Sites, and Google Docs. It is not just Google services that are being abused, as campaigns have been detected that abuse other free cloud services such as Microsoft OneDrive, Dropbox, Webflow, SendGrid, and Amazon Simple Email Service.

One of the campaigns impersonated American Express, with the initial message requesting account validation as the user was found to have missed information when validating their card. The emails direct the user to a phishing page created using Google Forms. The form includes the official American Express logo and a short questionnaire requesting information that can be used by the attackers to gain access to their credit card account – login information, phone number, card number and security code, and security questions and answers.

Since the link in the email directs the user to Google Forms – a legitimate Google domain and service – it is unlikely that an email security gateway would identify the URL as malicious. “Google’s domain is inherently trustworthy and Google forms are used for several legitimate reasons, no email security filter would realistically block this link on day zero,” explained the Armorblox researchers.

Another campaign used Google Forms in a classic phishing lure. The emails appear to have been sent by a childless widow who has been diagnosed with terminal cancer. She is looking to donate her fortune to good causes, with the recipient of the message told that the widow would like them to make donations to good causes on her behalf. The hyperlink directs the user to an untitled Google Form. Should anyone proceed and submit an answer to the untitled question, they will be shortlisted for further extortion attempts.

A campaign was detected that used a fake email login page hosted on Google’s Firebase mobile platform, which is used to create apps and host files and images. The emails in this campaign impersonate the security team and claim important emails have not been delivered because the email storage quota has been exceeded. The campaign targets email login credentials. The link to Firebase would be unlikely to be identified as malicious since it is a legitimate cloud storage repository.

Google Docs has also been abused in a campaign in which the payroll team is impersonated, with the Google Docs document containing a link to a phishing page where sensitive information is harvested. Since the initial link is to a legitimate and commonly used Google service, it is unlikely to be blocked by email security solutions. While some email solutions would be able to identify the malicious link in the Google-hosted document, various redirects are used to obfuscate the malicious link.

A campaign was also identified that impersonated the user’s IT department security team and Microsoft Teams, using a fake Microsoft login page hosted on Google Sites. Google Sites is a legitimate service that allows individuals to easily create webpages, but in this case has been used to create a webpage hosting a phishing form, complete with the genuine Microsoft logo.

Campaigns abusing trust in Google Docs have also been identified by researchers at Area 1 Security. The messages in that campaign impersonated the HR department and claimed the recipient had been terminated, with the Google Docs document providing details of the termination and severance pay. The document contains a malicious macro that, if allowed to run, will download the Bazar Backdoor and Buer loader malware. IRONSCALES also recently reported that around half of all sophisticated phishing campaigns were successfully bypassing the leading email security gateways.

The campaigns range from highly targeted attacks on specific groups of individuals, such as HR and payroll departments, to untargeted large-scale ‘spray and pray’ campaigns to obtain as many credentials as possible, using more general lures.

These campaigns highlight the need for advanced security solutions that are capable of identifying and blocking phishing emails that abuse legitimate cloud services and the need for ongoing security awareness training for employees to help them identify phishing emails that evade detection by their organization’s cybersecurity defenses.

HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations

On Friday last week, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) published final rules that aim to improve the coordination of care and reduce regulatory barriers. Both final rules contain safe harbor provisions that allow hospitals and healthcare delivery systems to donate cybersecurity technology to physician practices.

The CMS released the final version of the 627-page Modernizing and Clarifying the Physician Self-Referral Regulations, commonly called Stark Law, and the OIG finalized revisions to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements.

Physician practices often have limited resources, which makes it difficult for them to implement solutions to address cybersecurity risks. Without the necessary protections, sensitive healthcare data could be accessed by unauthorized individuals, stolen, deleted, or encrypted by threat actors. Threat actors could also conduct attacks on small physician practices and use them to gain access to the healthcare systems to which they connect.

When the rules were first proposed, commenters emphasized the need for a safe harbor to allow non-abusive, beneficial arrangements between physicians and other healthcare providers, such as donations of cybersecurity solutions to help safeguard the healthcare ecosystem. The CMS first proposed the changes in October 2019 as part of the Regulatory Sprint to Coordinated Care.

The CMS final rule clarifies the Stark Law exception concerning donations of electronic health record technology to physicians, expanding the EHR exception to include cybersecurity software and services. A standalone exception has also been introduced for broader cybersecurity donations, including donations of cybersecurity hardware.

“These finalized exceptions provide new flexibility for certain arrangements, such as donations of cybersecurity technology that safeguard the integrity of the healthcare ecosystem, regardless of whether the parties operate in a fee-for-service or value-based payment system,” said the CMS.

The changes recognize the risk of cyberattacks on the healthcare sector, create a safe harbor for donations of cybersecurity technology, services, and related hardware, and will help to ensure that cybersecurity software and hardware are available to healthcare providers of all sizes.

The safe harbor applies to, but is not limited to, “software that provides malware prevention, software security measures to protect endpoints that allow for network access control, business continuity software, data protection and encryption and email traffic filtering.” The exception also covers the “hardware that is necessary and used predominantly to implement, maintain or re-establish cybersecurity” and a broad range of cybersecurity services such as updating and maintaining software and cybersecurity training services. There is no distinction in the rule between locally installed and cloud-based cybersecurity solutions.

Under the cybersecurity exception, recipients are not required to contribute to the cost of the donated cybersecurity technology or services. Under the EHR exception, the cost contribution requirement for donations of EHR items or services is retained.

“It is our position that allowing entities to donate cybersecurity technology and related services to physicians will lead to strengthening of the entire health care ecosystem,” said the HHS.

The final rules are due to be published in the federal register on December 2, 2020 and are expected to take effect on January 19, 2021.

October 2020 Healthcare Data Breach Report

October saw well above average numbers of data breaches reported to the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated numbers of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud.

Healthcare data breaches Sept 2019 to Oct 2020

The protected health information of more than 2.5 million individuals was exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months.

Healthcare records breaches in the past 12 months

Largest Healthcare Data Breaches Reported in October 2020

| Name of Covered Entity | Covered Entity Type | Type of Breach | Individuals Affected | Breach Cause |
|---|---|---|---|---|
| Luxottica of America Inc. | Business Associate | Hacking/IT Incident | 829,454 | Ransomware Attack |
| AdventHealth Orlando | Healthcare Provider | Hacking/IT Incident | 315,811 | Blackbaud Ransomware |
| Presbyterian Healthcare Services | Healthcare Provider | Hacking/IT Incident | 193,223 | Phishing Attack |
| Sisters of Charity of St. Augustine Health System | Healthcare Provider | Hacking/IT Incident | 118,874 | Blackbaud Ransomware |
| Timberline Billing Service, LLC | Business Associate | Hacking/IT Incident | 116,131 | Ransomware Attack |
| Greenwich Hospital | Healthcare Provider | Hacking/IT Incident | 95,000 | Blackbaud Ransomware |
| OSF HealthCare System | Healthcare Provider | Hacking/IT Incident | 94,171 | Blackbaud Ransomware |
| Geisinger | Healthcare Provider | Hacking/IT Incident | 86,412 | Blackbaud Ransomware |
| CCPOA Benefit Trust Fund | Health Plan | Hacking/IT Incident | 80,000 | Ransomware Attack |
| Ascend Clinical, LLC | Healthcare Provider | Hacking/IT Incident | 77,443 | Phishing and Ransomware Attack |
| Centerstone of Tennessee, Inc. | Healthcare Provider | Hacking/IT Incident | 50,965 | Phishing Attack |
| Georgia Department of Human Services | Healthcare Clearing House | Hacking/IT Incident | 45,732 | Phishing Attack |
| Connecticut Department of Social Services | Health Plan | Hacking/IT Incident | 37,000 | Phishing Attack |
| State of North Dakota | Healthcare Provider | Hacking/IT Incident | 35,416 | Phishing Attack |
| AdventHealth Shawnee Mission | Healthcare Provider | Hacking/IT Incident | 28,766 | Blackbaud Ransomware |

Causes of October 2020 Healthcare Data Breaches

As the above table shows, the healthcare industry in the United States has faced a barrage of ransomware attacks. Two-thirds of the largest 15 data breaches reported in October involved ransomware. CISA, the FBI, and the HHS issued a joint alert in October after credible evidence emerged indicating the Ryuk ransomware gang was targeting the healthcare industry, although that is not the only ransomware gang conducting attacks on the healthcare sector.

Phishing attacks continue to plague the healthcare industry. Phishing emails are often used to deliver Trojans such as Emotet and TrickBot, along with the Bazar Backdoor, which act as ransomware downloaders.

Phishing and ransomware attacks are classed as hacking/IT incidents on the HHS breach portal. In total there were 46 hacking/IT incidents reported to the HHS’ Office for Civil Rights in October – 73% of all reported breaches in October – and 2,450,645 records were breached in those incidents – 97.39% of all records breached in the month. The mean breach size was 53,275 records and the median breach size was 13,069 records.

There were 12 unauthorized access/disclosure incidents reported in October involving 54,862 healthcare records. The mean breach size was 4,572 records and the median breach size was 1,731 records. There were 4 reported cases of theft of paperwork or electronic devices containing PHI. The mean breach size was 4,290 records and the median breach size was 1,293 records. One incident was reported that involved the improper disposal of computer equipment that contained the ePHI of 4,290 individuals.

causes of October 2020 Healthcare Data Breaches

The graph below shows where the breached records were located. The high number of network server incidents shows the extent to which malware and ransomware was used in attacks. Almost a third of the attacks involved ePHI stored in email accounts, most of which were phishing attacks. Several breaches involved ePHI stored in more than one location.

Location of PHI in October 2020 Healthcare Data Breaches

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in October with 54 breaches reported, followed by health plans with 3 breaches and one breach at a healthcare clearinghouse. While there were only 5 data breaches reported by business associates of covered entities, business associates were involved in 23 data breaches in October, with 18 of the incidents being reported by the affected covered entity.

October 2020 Healthcare Data Breaches by Covered Entity Type

Healthcare Data Breaches by State

October’s 63 data breaches were spread across 27 states. Connecticut was the worst affected state with 7 breaches, followed by California and Texas with 5 each, Florida, Ohio, Pennsylvania, and Virginia with 4 apiece, Iowa and Washington with 3, and Arkansas, Michigan, New Mexico, New York, Tennessee, and Wisconsin with 2. A single breach was reported in each of Georgia, Hawaii, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Missouri, North Dakota, New Jersey, and South Carolina.

HIPAA Enforcement Activity in October 2020

2020 has seen more financial penalties imposed on covered entities and business associates than any other year since the HIPAA Enforcement Rule gave OCR the authority to issue financial penalties for noncompliance. Up to October 30, 2020, OCR has announced 15 settlements to resolve HIPAA violation cases, including 4 financial penalties in October.

The health insurer Aetna paid a $1,000,000 penalty to resolve multiple HIPAA violations that contributed to the exposure of HIV medication information in a mailing. OCR investigators found issues with the technical and nontechnical evaluation in response to environmental or operational changes affecting the security of PHI, an identity check failure, a minimum necessary information failure, insufficient administrative, technical, and physical safeguards, and an impermissible disclosure of the PHI of 18,849 individuals.

The City of New Haven, CT paid a $202,400 penalty to resolve its HIPAA case with OCR that stemmed from a failure to promptly restrict access to systems containing ePHI following the termination of an employee. That failure resulted in an impermissible disclosure of the ePHI of 498 individuals. OCR also determined there had been a risk analysis failure and a failure to issue unique IDs to allow system activity to be tracked.

Two of the penalties were issued as part of OCR’s HIPAA Right of Access enforcement initiative, with the fines imposed for the failure to provide patients with timely access to their medical records at a reasonable cost. Dignity Health, dba St. Joseph’s Hospital and Medical Center, settled its case with OCR and paid a $160,000 penalty and NY Spine settled for $100,000.

State attorneys general also play a role in the enforcement of HIPAA compliance. October saw Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC settle a multi-state action related to a breach of the ePHI of 6.1 million individuals in 2014. The investigators determined there had been a failure to implement and maintain reasonable security practices. The case was settled for $5 million.

Microsoft Warns of Ongoing Sophisticated Phishing Campaign Targeting Office 365 Users

Office 365 users have been warned about an ongoing phishing campaign which harvests user credentials. The campaign uses sophisticated techniques to bypass email security gateways and social engineering tactics to fool company employees into visiting websites where credentials are harvested.

A variety of lures are used in the phishing emails which target remote workers, such as fake password update requests, information on teleconferencing, SharePoint notifications, and helpdesk tickets. The lures are plausible and the websites to which Office 365 users are directed are realistic and convincing, complete with replicated logos and color schemes.

The threat actors have used a range of techniques to bypass secure email gateways to ensure the messages are delivered to inboxes. These include redirector URLs that can detect sandbox environments and will direct real users to the phishing websites and security solutions to benign websites, to prevent analysis. The emails also incorporate heavy obfuscation in the HTML code.

Microsoft notes that the redirector sites have a unique subdomain that includes a username and the targeted organization’s domain name to add realism to the campaign. The phishing URLs have an extra dot after the top-level domain, after which is the Base64 encoded email address of the recipient. The phishing URLs are often added to compromised websites, rather than used on attacker owned domains. Since many different subdomains are used, it is possible to send large volumes of phishing emails and evade security solutions.
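The three URL traits Microsoft describes (a trailing dot after the top-level domain, a Base64-encoded recipient address after it, and the targeted organization's name embedded in a subdomain label) are all checkable in a mail-flow rule or SOC enrichment script before a user ever clicks. The code below is an added example written for this article, not Microsoft's detection logic or HIPAA Journal's code; the placement of the Base64 blob as the first path segment, the assumption that the registrable domain is the last two labels, and the sample recipient and hostnames are all constructed assumptions.

```python
import base64
import binascii
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_base64_email(segment: str) -> Optional[str]:
    """Decode a path segment as Base64 (standard or URL-safe alphabet, padding
    optional, since attackers often strip the '=') and return the text only if it
    looks like an e-mail address; otherwise None."""
    if not segment:
        return None
    padded = segment + "=" * (-len(segment) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def inspect_url(url: str, org_domain: str) -> Dict[str, object]:
    """Score one URL against the traits described in the article. `org_domain` is
    the defended organization's own domain (e.g. the recipient's mail domain)."""
    parts = urlsplit(url)
    # Take the host from netloc directly so a trailing dot is preserved.
    host = parts.netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()
    labels = host.rstrip(".").split(".")
    org_label = org_domain.lower().split(".")[0]
    segments = [s for s in parts.path.split("/") if s]

    trailing_dot = host.endswith(".")
    # ASSUMPTION: the Base64 recipient is the first path segment after the host.
    recipient = decode_base64_email(segments[0]) if segments else None
    # ASSUMPTION: registrable domain = last two labels; everything before is subdomain.
    org_in_subdomain = any(org_label in lab for lab in labels[:-2])

    return {
        "url": url,
        "trailing_dot_host": trailing_dot,
        "decoded_recipient": recipient,
        "org_in_subdomain": org_in_subdomain,
        # Both traits together are a strong signal; either alone is only a hint.
        "suspicious": trailing_dot and recipient is not None,
    }


# Constructed sample data (fabricated recipient and hostnames, not real IoCs).
SAMPLE_RECIPIENT = "j.doe@contoso.example"
SAMPLE_PHISH_URL = (
    "https://j.doe.contoso.compromised-site.example./"
    + base64.b64encode(SAMPLE_RECIPIENT.encode()).decode()
)
SAMPLE_BENIGN_URL = "https://www.contoso.example/login"

if __name__ == "__main__":
    for u in (SAMPLE_PHISH_URL, SAMPLE_BENIGN_URL):
        print(inspect_url(u, "contoso.example"))
```

A decoded recipient that matches the message's actual To: address is the most useful field for analysts: it confirms the link was personalized for that user, which distinguishes this campaign from bulk credential phishing and justifies checking whether the same user received other messages from the same sender.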

Office 365 credentials are highly sought after. Email accounts can be accessed and used for further phishing attacks, business email compromise scams, and the accounts often contain a wealth of sensitive data, including protected health information. Once an attacker has access to the Office 365 environment, they can access sensitive stored documents, and conduct further attacks on the organization.

Microsoft explained that Microsoft 365 Defender for Office 365 can detect phishing emails in this campaign and resolve attacks, but a recent study by IRONSCALES has shown that many email security gateways fail to block these sophisticated phishing threats.

The Israel-based security firm recently published data from a test of the leading secure email gateways and found they failed to block around half of advanced phishing attempts, including spear phishing and social engineering attacks. The company used its Emulator to test the effectiveness of five of the top secure email gateways, including Microsoft’s Advanced Threat Protection (ATP), and simulated real-world phishing scenarios to see how each performed.

For the tests, IRONSCALES conducted 162 emulations (16,200 emails) against the top 5 secure email gateways and found 47% of the emails were delivered to inboxes – 7,614 emails. The penetration rate – the percentage of emails that bypassed the secure email gateways – ranged from 35% to 55% across the 5 tested security solutions.

The leading secure email gateways were effective at blocking emails containing malicious attachments, with only 4% being delivered to inboxes, and just 3% of emails containing links to malicious files were delivered. However, they were far less effective at blocking social engineering and email impersonation attacks, which accounted for 30% of all successfully delivered emails. Domain name impersonations accounted for 25% of the delivered emails. These emails linked to a domain name that had the right records set in the DNS. Emails containing links to URLs containing fake login pages were delivered 16% of the time.

The tests highlighted the need for AI-driven security solutions that have natural language understanding and the importance of providing security awareness training to the workforce, as many of these advanced phishing threats will reach end user inboxes.

ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector

The HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) has issued an update on ransomware activity targeting the healthcare and public health sectors, stating, “At this time, we consider the threat to be credible, ongoing, and persistent.”

In late October, a joint alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the HHS warning of an imminent increase in ransomware activity targeting the healthcare sector. Within a week of the alert being issued, six healthcare providers reported ransomware attacks in a single day. More than a dozen healthcare organizations have reported being attacked in the past two months, with over 62 attacks reported by healthcare organizations so far in 2020.

Human-operated ransomware attacks have previously seen attackers gain access to networks many weeks and even months prior to the deployment of ransomware. ASPR notes that in many recent ransomware attacks, the time from the initial compromise to the deployment of ransomware has been very short, just a matter of days or even hours.

A long period between compromise and deployment gives victim organizations time to identify the compromise and take steps to eradicate the hackers from the network in time to prevent file encryption. The short duration makes this far more difficult.

“CISA, FBI, and HHS urge health delivery organizations and other HPH sector entities to work towards enduring and operationally sustainable protections against ransomware threats both now and in the future.”

A variety of techniques are now being used to deploy ransomware, including other malware variants such as TrickBot and BazarLoader, which are commonly delivered via phishing emails, as well as manual deployment after networks have been compromised by exploiting vulnerabilities.

Healthcare organizations should take steps to combat the ransomware threat by addressing the vulnerabilities that are exploited to gain access to healthcare networks. This includes conducting vulnerability scans to identify vulnerabilities before they are exploited and ensuring those vulnerabilities are addressed. Anti-spam and anti-phishing solutions should be implemented to block the email attack vector, and healthcare organizations should adopt a 3-2-1 backup approach to ensure files can be recovered in the event of an attack. The 3-2-1 approach involves 3 copies of backups, on two different media, with one copy stored securely off-site. The recent ransomware attack on Alamance Skin Center highlights the importance of this backup strategy. Patient information was permanently lost as a result of the attack when the ransom was not paid.

“Organizations should balance their operational needs with the current threat level and develop processes and postures for normal operating status and higher threat periods,” explained ASPR. “The threat from ransomware is ongoing and entities should develop effective deterrent procedures while maintaining effective care delivery.”

Indicators of Compromise (IoCs), suggested mitigations, and ransomware best practices are detailed in the October 28, 2020 CISA/FBI/HHS alert.

The post ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector appeared first on HIPAA Journal.

Vendor Access and HIPAA Compliance: Are you Secured?

It can be hard to remember a time before the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. Those were the days when paper files were still stored in cabinets and sensitive information was generally delivered by hand or, for the really sophisticated, sent via fax machine.

Fast forward almost 25 years and the healthcare industry looks completely different, although some organizations do still use fax machines. Records are now stored on computers and transmitted over the internet, which has brought obvious gains in efficiency, but with them comes risk. We have seen an increase in serious data breaches at healthcare entities exposing highly sensitive protected health information, and many of them trace back to third-party and vendor access, breaches that are known to be more costly in fines and reputational damage.

A hacker who obtains that access can quickly reach hundreds of patient files and cause widespread damage: exposure of private information, deletion of crucial health records, large-scale identity theft and, increasingly, ransomware.

Gone are the days when healthcare companies only had to deal with issues related to patient care; they now find themselves grappling with complicated cybersecurity issues far outside the medical space.

Considering the risks of HIPAA noncompliance, healthcare companies generally benefit from engaging third-party vendors that specialize in HIPAA regulatory compliance. To fully protect patients, those vendors should have clear policies that restrict access, remain transparent and auditable, and maintain up-to-date data security measures.

How to Restrict Vendor Access

Who has access to the patients’ information, how are they accessing the information, and how much access do they have (or should they have)? These are crucial questions for any technology vendor.

First, each member of a vendor's IT team should have only the level of access required to do the job, bounded by time (an approved window), scope (the specific systems and data involved) and job function. Each vendor representative should log in with a unique username and password tied to their own identity and complete multi-factor authentication; shared vendor accounts make it impossible to attribute actions to a person. On top of that, automatic logoff after a short period of inactivity prevents an unattended session from being used under another person's credentials.

Why Auditable Reports are Necessary

An automatic audit system lets healthcare companies screen for unauthorized access and trace the source of a data breach. An effective audit system records every support connection and delivers a complete history of every login, including the time, the source location, the individual involved, the systems reached and the scope of access granted to patient records and other sensitive information. Denied attempts should be recorded as well, since they are often the first sign of misuse.

These reports are not only necessary for internal security purposes, but are integral for proving HIPAA compliance in relation to allowing vendors on your network.
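The two requirements above, least-privilege vendor access and a complete connection history, can be enforced at a single choke point. The following is an added example written for this page, not SecureLink's product code; the Gateway, Grant and AuditRecord types, the error names, the 15-minute idle timeout and the vendor identity jdoe@vendor.example are all assumptions made for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Grant is a time-boxed, scope-limited access grant for one named vendor
// representative. The fields, names and policy here are this example's own.
type Grant struct {
	User      string          // one identity per person; no shared vendor logins
	Systems   map[string]bool // hosts or applications the person may reach
	NotBefore time.Time       // approved maintenance window
	NotAfter  time.Time
}

// AuditRecord is one entry of the connection history: who, when, from where,
// which system, and the outcome. Denials are logged too; an investigator
// tracing a breach looks for them first.
type AuditRecord struct {
	When     time.Time
	User     string
	SourceIP string
	System   string
	Outcome  string
}

type Gateway struct {
	Grants      map[string]Grant
	IdleTimeout time.Duration
	Audit       []AuditRecord
	lastSeen    map[string]time.Time // active sessions, by user
}

func NewGateway(idle time.Duration) *Gateway {
	return &Gateway{Grants: map[string]Grant{}, IdleTimeout: idle, lastSeen: map[string]time.Time{}}
}

var (
	ErrNoGrant = errors.New("no grant for user")
	ErrWindow  = errors.New("outside approved window")
	ErrScope   = errors.New("system not in scope")
	ErrAuth    = errors.New("new session requires login with MFA")
	ErrIdle    = errors.New("session idle too long; log in again with MFA")
)

// Authorize decides whether user may touch system at time now and appends the
// decision to the audit trail. freshLogin means the request carries a
// just-completed username, password and MFA login; an existing session stays
// valid only while activity continues within IdleTimeout.
func (g *Gateway) Authorize(now time.Time, user, sourceIP, system string, freshLogin bool) error {
	err := g.check(now, user, system, freshLogin)
	outcome := "allow"
	if err != nil {
		outcome = "deny: " + err.Error()
	} else {
		g.lastSeen[user] = now
	}
	g.Audit = append(g.Audit, AuditRecord{now, user, sourceIP, system, outcome})
	return err
}

func (g *Gateway) check(now time.Time, user, system string, freshLogin bool) error {
	gr, ok := g.Grants[user]
	if !ok {
		return ErrNoGrant
	}
	if now.Before(gr.NotBefore) || now.After(gr.NotAfter) {
		return ErrWindow
	}
	if !gr.Systems[system] {
		return ErrScope
	}
	last, active := g.lastSeen[user]
	if active && now.Sub(last) > g.IdleTimeout {
		delete(g.lastSeen, user) // automatic logoff
		if !freshLogin {
			return ErrIdle
		}
	} else if !active && !freshLogin {
		return ErrAuth
	}
	return nil
}

func main() {
	t0 := time.Date(2020, 11, 16, 9, 0, 0, 0, time.UTC)
	g := NewGateway(15 * time.Minute)
	u := "jdoe@vendor.example"
	g.Grants[u] = Grant{User: u, Systems: map[string]bool{"pacs-01": true},
		NotBefore: t0, NotAfter: t0.Add(2 * time.Hour)}
	// MFA login; continued activity; out-of-scope system; idle > 15 min; window closed
	g.Authorize(t0, u, "203.0.113.7", "pacs-01", true)
	g.Authorize(t0.Add(5*time.Minute), u, "203.0.113.7", "pacs-01", false)
	g.Authorize(t0.Add(6*time.Minute), u, "203.0.113.7", "ehr-db", false)
	g.Authorize(t0.Add(40*time.Minute), u, "203.0.113.7", "pacs-01", false)
	g.Authorize(t0.Add(3*time.Hour), u, "203.0.113.7", "pacs-01", true)
	for _, r := range g.Audit {
		fmt.Println(r.When.Format("15:04"), r.SourceIP, r.System, r.Outcome)
	}
}
```

Every request is written to the audit trail whether it was allowed or denied, so a later query over Audit for one user or one source address yields exactly the time, place, person and scope history the article asks for. The idle check here only fires on the next request; a production gateway would also tear down the network session on a timer.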

The Importance of Data Integrity and Security

Data is most exposed at the points of access and in transit. Keeping encryption settings current and enforced protects data from corruption and from exposure while it is transmitted. To protect the data's integrity and confidentiality, recommendations include customer control over configurable encryption and use of the Advanced Encryption Standard (AES) with 128-, 192- or 256-bit keys. Triple DES (3DES), the legacy successor to the original Data Encryption Standard, is deprecated by NIST and should be accepted only where a legacy system cannot yet be upgraded, never as the default.
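As an added example that is not part of the original article, here is how a vendor platform can expose the AES key sizes above as a customer-selected profile while refusing Triple DES outright. It uses AES in GCM mode, an authenticated mode the article does not name but which provides the integrity guarantee it asks for; the profile names, the error value and the sample record are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Customer-selectable profiles mapped to AES key lengths in bytes. Anything
// else, including "3des", is refused by policy rather than silently
// downgraded. The profile names are this example's own.
var Profiles = map[string]int{"aes-128": 16, "aes-192": 24, "aes-256": 32}

var ErrProfile = errors.New("encryption profile not allowed (3DES is deprecated; use AES)")

// NewKey draws a random key of the length the chosen profile requires.
func NewKey(profile string) ([]byte, error) {
	n, ok := Profiles[profile]
	if !ok {
		return nil, ErrProfile
	}
	key := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys only
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag. A fresh random nonce per message is
// mandatory for GCM; aad binds unencrypted context (e.g. a record ID) to the tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag before returning plaintext; any change to the
// ciphertext, nonce or aad makes it fail, which is the integrity guarantee.
func Open(key, msg, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], aad)
}

// DetectsTampering flips one bit of the sealed message and reports whether
// Open rejects it, i.e. whether corruption in transit would be caught.
func DetectsTampering(key, msg, aad []byte) bool {
	bad := append([]byte(nil), msg...)
	bad[len(bad)/2] ^= 0x01
	_, err := Open(key, bad, aad)
	return err != nil
}

func main() {
	key, err := NewKey("aes-256")
	if err != nil {
		panic(err)
	}
	aad := []byte("patient-record:12345") // constructed sample context
	msg, _ := Seal(key, []byte("MRN 12345 lab result"), aad)
	pt, err := Open(key, msg, aad)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	fmt.Println("tampering detected:", DetectsTampering(key, msg, aad))
	_, err = NewKey("3des")
	fmt.Println("3des profile:", err)
}
```

Open fails closed: a single flipped bit anywhere in the nonce, ciphertext or tag, or a mismatch in the associated data, rejects the whole message rather than returning corrupted plaintext. Never reuse a nonce under the same key with GCM; a random 96-bit nonce as used here is acceptable only while the number of messages per key stays far below 2^32.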

Be Sure, Be Secure

Ultimately, the healthcare business bears the burden if patient information is compromised. A third-party IT security vendor should therefore have the knowledge and experience to meet the highest standards for HIPAA compliance. If you are worried that your vendors do not have your compliance in mind, it is of the utmost importance to vet them before onboarding, to check in on them afterwards, and to keep an audited inventory of every vendor that has access to your systems.

Remote access to a healthcare facility’s networks and systems is an often overlooked area that can represent significant potential exposure for HIPAA breaches. Know your vendors, why they’re connecting, and ensure compliance.

Author: Ellen Neveux, SecureLink

SecureLink provides a remote-access platform that reduces the risks associated with providing remote access to internal networks to vendors and clients.

The post Vendor Access and HIPAA Compliance: Are you Secured? appeared first on HIPAA Journal.

Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development

Advanced Persistent Threat (APT) groups in Russia and North Korea are targeting companies involved in research into COVID-19 and vaccine development, according to Microsoft. Six large pharmaceutical firms and a clinical research company are known to have been targeted by three APT groups who are attempting to gain access to research and vaccine data.

According to Microsoft, the attacks have targeted "pharmaceutical companies in Canada, France, India, South Korea and the United States," and three APT groups are known to be conducting them: the Russian group Strontium (aka Fancy Bear/APT28) and two groups linked to North Korea, the Lazarus Group (aka Zinc) and Cerium. Additionally, in the summer of 2020, several government agencies warned of attacks on COVID-19 research organizations by another Russian APT group, Cozy Bear (aka APT29).

The targeted organizations have contracts with or investments from governments to advance research into COVID-19 and vaccine development. Most of the targeted companies have developed vaccines which are currently in advanced clinical trials. One of the targeted companies has developed a COVID-19 test and the clinical research firm is involved in conducting COVID-19 vaccine trials. While the attacked companies were not named by Microsoft, cyberattacks have been reported by the Indian pharma firms Dr. Reddy’s and Lupin, and the U.S. biotech firm Moderna is known to have been attacked.

Microsoft reports that some of the attacks have been successful, although Microsoft did not say whether that means systems have been breached or if intellectual property and vaccine and research data were obtained.

Strontium has favored password spraying and brute-force login attempts against employee accounts, while the Lazarus Group has sent spear phishing emails to key employees to harvest their passwords. One Lazarus tactic involves posing as recruiters and sending fake job descriptions. Cerium, believed to be a new North Korean hacking group, has also used phishing emails to obtain employee credentials; its campaign impersonated the World Health Organization (WHO). Both approaches leave traces: credential guessing shows up as clusters of failed logins in authentication logs, and credentials harvested by phishing typically surface as a successful login from an unfamiliar location shortly after the lure is delivered.
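Credential guessing of the kind attributed to Strontium is visible in authentication logs before any data is taken. The following detection logic is an added example, not Microsoft's or any vendor's code; the log format (timestamp, user, source address, result) and the entries in sampleLog are constructed for the example, and the thresholds are illustrative:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample authentication log in a simple "timestamp user source
// result" form. The format and the entries are this example's own, not a
// real product's log.
const sampleLog = `2020-11-13T08:00:01Z alice 198.51.100.9 FAIL
2020-11-13T08:00:02Z alice 198.51.100.9 FAIL
2020-11-13T08:00:03Z alice 198.51.100.9 FAIL
2020-11-13T08:00:04Z alice 198.51.100.9 FAIL
2020-11-13T08:00:05Z alice 198.51.100.9 FAIL
2020-11-13T08:00:06Z alice 198.51.100.9 FAIL
2020-11-13T08:10:00Z alice 192.0.2.44 OK
2020-11-13T09:00:00Z bob 203.0.113.5 FAIL
2020-11-13T09:00:30Z carol 203.0.113.5 FAIL
2020-11-13T09:01:00Z dave 203.0.113.5 FAIL
2020-11-13T09:01:30Z erin 203.0.113.5 FAIL
2020-11-13T09:02:00Z erin 203.0.113.5 OK`

type Event struct{ Ts, User, Src, Result string }

// Parse turns the log text into events, skipping blank or malformed lines.
func Parse(raw string) []Event {
	var out []Event
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		out = append(out, Event{f[0], f[1], f[2], f[3]})
	}
	return out
}

// Findings flags three patterns:
//   brute-force: one source fails against one account >= failThreshold times
//   spray:       one source fails against >= sprayUsers distinct accounts
//   foothold:    a source succeeds for an account it had already failed against
func Findings(events []Event, failThreshold, sprayUsers int) []string {
	type pair struct{ src, user string }
	fails := map[pair]int{}
	usersPerSrc := map[string]map[string]bool{}
	var out []string
	for _, e := range events {
		p := pair{e.Src, e.User}
		switch e.Result {
		case "FAIL":
			fails[p]++
			if usersPerSrc[e.Src] == nil {
				usersPerSrc[e.Src] = map[string]bool{}
			}
			usersPerSrc[e.Src][e.User] = true
		case "OK":
			if fails[p] > 0 {
				out = append(out, fmt.Sprintf("foothold: %s -> %s succeeded after %d earlier failure(s)", e.Src, e.User, fails[p]))
			}
		}
	}
	for p, n := range fails {
		if n >= failThreshold {
			out = append(out, fmt.Sprintf("brute-force: %s -> %s (%d failures)", p.src, p.user, n))
		}
	}
	for src, users := range usersPerSrc {
		if len(users) >= sprayUsers {
			out = append(out, fmt.Sprintf("spray: %s -> %d accounts", src, len(users)))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, f := range Findings(Parse(sampleLog), 5, 3) {
		fmt.Println(f)
	}
}
```

The brute-force and spray rules are threshold-based and should be tuned to the environment's normal failure rate; the foothold rule (a success for an account that the same source had already failed against) is the one worth paging on, because it means the guessing worked.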

The motivation behind the attacks is clear: research and vaccine data would give a foreign government a huge strategic advantage, and that data is potentially worth billions of dollars. These attacks appear to be concerned solely with data theft. So far they do not appear to have been intended to hamper research or vaccine development, but many cybercriminal groups are conducting destructive attacks on the same sector.

Healthcare organizations have faced a barrage of financially motivated attacks by cybercriminal organizations using ransomware in recent months. CISA, the FBI and HHS recently issued a joint advisory following an increase in targeted Ryuk ransomware attacks on healthcare organizations in the United States. Ryuk and other ransomware gangs have also attacked healthcare organizations in France, Germany, Thailand, Spain and the Czech Republic. The ransomware attack on a hospital in Germany was linked to what was reported as the first patient death attributable to a ransomware attack, and several attacks in the United States have caused major disruption, forcing hospitals to cancel elective procedures and divert patients to alternative facilities.

Several industry groups, including the Health Sector Coordinating Council and Health-ISAC, are offering assistance to organizations in the healthcare sector, providing indicators of compromise (IoCs) and detailed information on recent attacks to help organizations improve their defenses and better protect their networks and data.

Microsoft has been taking an active role in attack prevention and recently participated in the Paris Peace Forum, a multi-stakeholder event working on combating these attacks, in particular on stopping attacks on critical infrastructure from succeeding. Ahead of the forum, more than 65 healthcare organizations joined the Paris Call for Trust and Security in Cyberspace, the largest multi-stakeholder coalition to date addressing cybersecurity issues, including those faced by the healthcare industry.

“Microsoft is calling on the world’s leaders to affirm that international law protects healthcare facilities and to take action to enforce the law,” said Tom Burt, Microsoft Vice President for Customer Security & Trust, in a Friday blog post. “We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated.”

The post Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development appeared first on HIPAA Journal.