Healthcare Cybersecurity

CISA Sounds Alarm About Zeppelin Ransomware Targeting Healthcare Organizations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about the Zeppelin ransomware-as-a-service (RaaS) operation, which has extensively targeted organizations in the healthcare and medical industries.

Zeppelin ransomware, a variant of Vega malware, has been used in attacks on critical infrastructure organizations since 2019. The threat actors have been observed using a variety of vectors to gain initial access to victims’ networks, especially the exploitation of Remote Desktop Protocol (RDP), vulnerabilities in SonicWall appliances, vulnerabilities in Internet-facing applications, and phishing emails. The phishing-based attacks use a combination of malicious links and attachments containing malicious macros.

The threat actors typically spend around 1-2 weeks inside victims’ networks before deploying the ransomware payload. During this time, they map or enumerate victims’ networks, identify data of interest, including backups and cloud storage services, and exfiltrate sensitive data. A ransom demand is then issued, usually in Bitcoin, with the demand ranging from several thousand dollars to more than a million.

The FBI has observed several attacks where the malware has been executed multiple times, which means victims have multiple IDs and file extensions and require several different decryption keys to recover their files, which adds to the complexity of recovery from an attack.

CISA and the FBI have shared Indicators of Compromise (IoCs) and Yara rules to help network defenders identify attacks in progress and block attacks before file encryption. Mitigations have also been shared to reduce the risk of compromise, which include:

  • Developing and managing password policies for all accounts in accordance with the latest standards published by the National Institute for Standards and Technology (NIST)
  • Developing a robust backup plan for all data – Create multiple backups of data and servers, store those backups in separate, segmented, and secure locations, encrypt backups, and test backups to make sure file recovery is possible
  • Implementing multifactor authentication for all services, especially webmail, VPNs, and accounts used to access critical systems.
  • Ensuring all software and firmware are kept up to date
  • Installing antivirus software on all hosts and regularly updating the software
  • Conducting regular audits of all user accounts with admin privileges
  • Applying the principle of least privilege
  • Implementing time-based controls for admin-level accounts and higher
  • Disabling all unused ports
  • Disabling hyperlinks in received emails and adding a banner to all emails from external sources
  • Disabling command-line and scripting activities and permissions to prevent lateral movement.

In the event of a successful attack, the FBI encourages victims to share information with the FBI, regardless of whether the ransom is paid. Specifically, the FBI requests boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

The post CISA Sounds Alarm About Zeppelin Ransomware Targeting Healthcare Organizations appeared first on HIPAA Journal.

1H 2022 Healthcare Data Breach Report

Ransomware attacks are rife, hacking incidents are being reported at high levels, and there have been several very large healthcare data breaches reported so far in 2022; however, our analysis of healthcare data breaches reported in 1H 2022, shows that while data breaches are certainly being reported in high numbers, there has been a fall in the number of reported breaches compared to 1H 2021.

Between January 1, 2022, and June 30, 2022, 347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – the same number of data breaches reported in 2H, 2021. In 1H, 2021, 368 healthcare data breaches were reported to OCR, 21 fewer breaches than the corresponding period this year. That represents a 5.71% reduction in reported breaches.

Reported healthcare data breaches - 1H 2022

The number of healthcare records breached has continued to fall. In 1H, 2021, 27.6 million healthcare records were breached. In 2H, 2021, the number of breached records fell to 22.2 million, and the fall continued in 1H, 2022, when 20.2 million records were breached. That is a 9.1% fall from 2H, 2021, and a 26.8% reduction from 1H, 2021.

breached healthcare records - 1H 2022

While it is certainly good news that data breaches and the number of breached records are falling, the data should be treated with caution, as there have been some major data breaches reported that are not yet reflected in this breach report – Data breaches at business associates where only a handful of affected entities have reported the data breaches so far.

One notable breach is a ransomware attack on the HIPAA business associate, Professional Finance Company. That one breach alone affected 657 HIPAA-covered entities, and only a few of those entities have reported the breach so far. Another major business associate breach, at Avamere Health Services, affected 96 senior living and healthcare facilities. The end-of-year breach report could tell a different story.

Largest Healthcare Data Breaches in 1H 2022

1H 2022 Healthcare Data Breaches of 500 or More Records
500-1,000 Records 1,001-9,999 Records 10,000- 99,000 Records 100,000-249,999 Records 250,000-499,999 Records 500,000 – 999,999 Records 1,000,000+ Records
61 132 117 20 7 6 4

 

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Business Associate Data Breach Cause of Data Breach
Shields Health Care Group, Inc. MA Business Associate 2,000,000 Hacking/IT Incident Yes Unspecified cyberattack
North Broward Hospital District (Broward Health) FL Healthcare Provider 1,351,431 Hacking/IT Incident No Cyberattack through the office of 3rd party medical provider
Texas Tech University Health Sciences Center TX Healthcare Provider 1,290,104 Hacking/IT Incident Yes Ransomware attack on EHR provider (Eye Care Leaders)
Baptist Medical Center TX Healthcare Provider 1,243,031 Hacking/IT Incident No Unspecified cyberattack
Partnership HealthPlan of California CA Health Plan 854,913 Hacking/IT Incident No Ransomware attack
MCG Health, LLC WA Business Associate 793,283 Hacking/IT Incident Yes Unspecified hacking and data theft incident
Yuma Regional Medical Center AZ Healthcare Provider 737,448 Hacking/IT Incident No Ransomware attack
Morley Companies, Inc. MI Business Associate 521,046 Hacking/IT Incident Yes Unspecified hacking and data theft incident
Adaptive Health Integrations ND Healthcare Provider 510,574 Hacking/IT Incident No Unspecified hacking incident
Christie Business Holdings Company, P.C. IL Healthcare Provider 502,869 Hacking/IT Incident No Unauthorized access to email accounts
Monongalia Health System, Inc. WV Healthcare Provider 492,861 Hacking/IT Incident No Unspecified hacking incident
ARcare AR Healthcare Provider 345,353 Hacking/IT Incident No Malware infection
Super Care, Inc. dba SuperCare Health CA Healthcare Provider 318,379 Hacking/IT Incident No Unspecified hacking incident
Cytometry Specialists, Inc. (CSI Laboratories) GA Healthcare Provider 312,000 Hacking/IT Incident No Ransomware attack
South Denver Cardiology Associates, PC CO Healthcare Provider 287,652 Hacking/IT Incident No Unspecified hacking incident
Stokes Regional Eye Centers SC Healthcare Provider 266,170 Hacking/IT Incident Yes Ransomware attack on EHR provider (Eye Care Leaders)
Refuah Health Center NY Healthcare Provider 260,740 Hacking/IT Incident No Ransomware attack

Causes of 1H 2022 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in 1H 2022, accounting for 277 data breaches or 79.83% of all breaches reported in 1H. That represents a 7.36% increase from 2H, 2021, and a 6.44% increase from 1H, 2021. Across the hacking incidents in 1H, 2022, the protected health information of 19,654,129 individuals was exposed or compromised – 97.22% of all records breached in 1H, 2022.

That represents a 6.51% reduction in breached records from 2H, 2021, and a 26.56% reduction in breached records from 1H, 2021, showing that while hacking incidents are being conducted in very high numbers compared to previous years, the severity of those incidents has reduced.

The average hacking/IT incident breach size was 70,954 records in 1H, 2022 and the median breach size was 10,324 records. In 2H, 2022, the average breach size was 81,487 records with a median breach size of 5,989 records, and in 1H, 2021, the average breach size was 96,658 records and the median breach size was 6,635 records.

In 1H, 2022, there were 52 unauthorized access/disclosure breaches reported – 14.99% of all breaches in 1H, 2022. These incidents resulted in the impermissible disclosure of 278,034 healthcare records, 72.33% fewer records than in 2H, 2021, and 61.37% fewer records than in 1H, 2021. In 1H, 2022, the average breach size was 5,347 records and the median breach size was 1,421 records. In 1H, 2021, the average breach size was 14,778 records and the median was 1,946 records. In 1H, 2021, the average breach size was 9,725 records, and the median breach size was 1,848 records.

The number of loss, theft, and improper disposal incidents has remained fairly constant over the past 18 months, although the number of records exposed in these incidents increased in 1H, 2022 to 279,266 records, up 217.33% from 2H, 2021, and 422.53% from 1H, 2021.

Location of Breached Protected Health Information

Protected health information is stored in many different locations. Medical records are housed in electronic medical record systems, but a great deal of PHI is included in documents, spreadsheets, billing systems, email accounts, and many other locations. The chart below shows the locations where PHI was stored. In several security breaches, PHI was breached in several locations.

The data shows that by far the most common location of breached data is network servers, which is unsurprising given the high number of hacking incidents and ransomware attacks. Most data breaches do not involve electronic medical record systems; however, there have been breaches at electronic medical record providers this year, hence the increase in data breaches involving EHRs. The chart below also shows the extent to which email accounts are compromised. These incidents include phishing attacks and brute force attacks to guess weak passwords. HIPAA-regulated entities can reduce the risk of email data breaches by implementing multifactor authentication and having robust password policies and enforcing those policies. A password manager is recommended to make it easier for healthcare employees to set unique, complex passwords. It is also important not to neglect security awareness training for the workforce – a requirement for compliance with the HIPAA Security Rule.

Location of breached PHI

Where are the Data Breaches Occurring?

Healthcare providers are consistently the worst affected type of HIPAA-covered entity; however, the number of data breaches occurring at business associates has increased. Data breaches at business associates often affect multiple HIPAA-covered entities. These data breaches are shown on the OCR breach portal; however, they are not clearly reflected as, oftentimes, a breach at a business associate is self-reported by each HIPAA-covered entity. Simply tallying up the reported breaches by the reporting entity does not reflect the extent to which business associate data breaches are occurring.

This has always been reflected in the HIPAA Journal data breach reports, and since June 2021, the reporting of data breaches by covered entity type was adjusted further to make business associate data breaches clearer by showing graphs of where the breach occurred, rather than the entity reporting the data breach. The HIPAA Journal data analysis shows the rising number of healthcare data breaches at business associates.

1H 2022 Data Breaches by State

As a general rule of thumb, U.S. states with the highest populations tend to be the worst affected by data breaches, so California, Texas, Florida, New York, and Pennsylvania tend to experience more breaches than sparsely populated states such as Alaska, Vermont, and Wyoming; however, data breaches are being reported all across the United States.

The data from 1H 2022, shows data breaches occurred in 43 states, D.C. and Puerto Rico, with healthcare data safest in Alaska, Iowa, Louisiana, Maine, New Mexico, South Dakota, & Wyoming, where no data breaches were reported in the first half of the year.

State Number of Breaches
New York 29
California 23
New Jersey & Texas 18
Florida & Ohio 17
Michigan & Pennsylvania 15
Georgia 14
Virginia 13
Illinois & Washington 12
Massachusetts & North Carolina 10
Colorado, Missouri, & Tennessee 9
Alabama, Arizona, & Kansas 8
Maryland 7
Connecticut & South Carolina 6
Oklahoma, Utah, & West Virginia 5
Indiana, Minnesota, Nebraska, & New Hampshire 4
Wisconsin 3
Arkansas, Delaware, Mississippi, Montana, Nevada, & the District of Columbia 2
Hawaii, Idaho, Kentucky, North Dakota, Oregon, Rhode Island, Vermont, and Puerto Rico 1

HIPAA Enforcement Activity in 1H 2022

HIPAA Journal tracks HIPAA enforcement activity by OCR and state attorneys general in the monthly and annual healthcare data breach reports. In 2016, OCR started taking a harder line on HIPAA-regulated entities that were discovered to have violated the HIPAA Rules and increased the number of financial penalties imposed, with peak enforcement occurring in 2019 when 19 financial penalties were imposed.

2022 has started slowly in terms of HIPAA enforcement actions, with just 4 financial penalties imposed by OCR in 1H, 2022. However, that should not be seen as OCR going easy on HIPAA violators. In July 2022, OCR announced 12 financial penalties to resolve HIPAA violations, bringing the annual total up to 16. HIPAA Journal records show only one enforcement action taken by state attorneys general so far in 2022.

Limitations of this Report

The nature of breach reporting makes generating accurate data breach reports challenging. HIPAA-regulated entities are required to report data breaches to OCR within 60 days of a data breach occurring; however, the number of individuals affected may not be known at that point. As such, data breaches are often reported with an interim figure, which may be adjusted up or down when the investigation is completed. Many HIPAA-regulated entities report data breaches using a placeholder of 500 records, and then submit an amendment, so the final totals may not be reflected in this report. Data for this report was compiled on August 10, 2022.

While data breaches should be reported within 60 days of discovery, there has been a trend in recent years for data breaches to be reported within 60 days of the date when the investigation has confirmed how many individuals have been affected, even though the HIPAA Breach Notification Rule states that the date of discovery is the date the breach is discovered, not the date when investigations have been completed. Data breaches may have occurred and been discovered several months ago, but have not yet been reported. These will naturally not be reflected in this report.

This report is based on data breaches at HIPAA-regulated entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. If an entity is not subject to HIPAA, they are not included in this report, even if they operate in the healthcare industry.

The post 1H 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

HC3 Warns About Risks of IoT in Healthcare and Makes Security Recommendations

The Health Sector Cybersecurity Coordination Center (HC3) has published a security advisory warning the healthcare and public health sector about the risks associated with Internet of Things (IoT) devices along with recommendations for improving the security of IoT devices.

The Internet of Things (IoT) refers to physical devices that have the capability to exchange data or connect to other devices over the Internet. Currently, there are around 7 billion devices that are connected through IoT, and IoT device use is expected to increase to 20 billion devices worldwide by 2025. These devices use sensors to collect data and communicate over the Internet and include a wide range of “smart” appliances such as TVs and washing machines, doorbell cameras, Amazon Echo devices, voice controllers, and wearable devices. IoT devices are used in industrial settings and many medical devices use IoT. While there have been major advances in IoT technology in recent years to make the technology cheaper and more accessible, the main architectural layers have largely remained unchanged and there is growing concern that the devices could provide an easy entry point into healthcare networks.

Risk of Cyberattacks Exploiting Weak IoT Security

There is growing concern over the security of IoT and the risk of cyberattacks exploiting IoT vulnerabilities. These attacks could take the form of distributed Denial of Service (DDoS) attacks, which flood IoT networks with traffic to prevent communications. IoT devices are being targeted by threat actors to add them to botnets for conducting large-scale DDoS attacks on web applications.

Man-in-the-middle attacks can occur, where bad actors eavesdrop on legitimate communications and steal sensitive data or tamper with communications.  Just as with software solutions, vulnerabilities can exist that can be exploited by bad actors to gain unauthorized access to the devices. In healthcare, IoT medical devices could be accessed, the functions of the devices changed to cause harm to patients, or sensitive patient information could be stolen.

While it is a standard security best practice to change default passwords on all devices, IoT devices are often left with factory settings, including default passwords. This makes the devices vulnerable to brute force attacks, which can give threat actors access to the networks to which the devices connect.

If IoT devices are not physically secured, they could be tampered with or have malware installed. The firmware on the devices can be hijacked by forcing the devices to perform updates to download doctored firmware, malicious drivers, or malware.

How to Minimize Risk from IoT Devices in Healthcare

The high rate of adoption of IoT devices in healthcare has widened the attack surface considerably, giving bad actors a much broader range of devices to attack to gain access to healthcare networks. If healthcare organizations have a flat network, where IoT devices, standard IT devices, and operational technology (OT) are all on the same network, gaining access to an IoT device could allow a threat actor to move laterally and access all devices on the network. This is a major security risk, especially considering the relative lack of security on IoT devices.

One of the most important steps to take to improve security is to implement network segmentation to reduce the attack surface. With network segmentation, the network is divided into subnetworks or zones. This can reduce congestion and limit failures, but also limits lateral movement. If an IoT device is compromised, it cannot be used to access other parts of the network.

HC3 makes several other recommendations for reducing the risk from IoT devices.

  • Change default settings – Default settings on routers should be changed along with the privacy and security settings on all IoT devices.
  • Set strong passwords – Default passwords should be changed, and a unique, strong password should be used for all devices to reduce the risk of brute force attacks.
  • Avoid Universal Plug and Play (UPnP) – UPnP can leave office equipment vulnerable to cyberattacks.
  • Update all software and firmware – All software and firmware should be kept up to date. The latest releases have fixes for vulnerabilities and active exploits.
  • Adopt zero trust – Adopt the principle of zero trust, which means nothing is inherently trusted, even if it is within the network. Limit access to resources to the small number of individuals who require access to perform their work duties.

The post HC3 Warns About Risks of IoT in Healthcare and Makes Security Recommendations appeared first on HIPAA Journal.

Most Common Malware Strains in 2021

The U.S. Cybersecurity and Infrastructure Security Agency has published a list of the top malware strains identified in 2021. Malware is used by threat actors to compromise devices, giving them a backdoor into devices and networks for performing a range of nefarious activities. Malware can also be destructive and be used to sabotage systems, such as wipers that delete all data in systems. The rise in the value of cryptocurrencies has seen an increase in the use of cryptocurrency miners, which hijack the resources of systems for mining cryptocurrencies. Malware such as worms are able to not just compromise one device, but also self-propagate and infect all other vulnerable devices on a network.

In recent years there has been a major increase in the use of ransomware. Ransomware encrypts files on targeted systems to prevent data access, and a ransom demand is issued for the keys to unlock the encryption. Most ransomware variants also support data exfiltration, and files are stolen prior to encryption. The ransom must then be paid not just to decrypt files, but also to prevent the publication or sale of the stolen data. While ransomware is a type of malware, it is common for threat actors to use malware such as Remote Access Trojans (RATs) to gain initial access to networks, and for the access to be sold to ransomware gangs.

Malware is installed using a variety of attack vectors. Malware is commonly delivered via email, through the exploitation of vulnerabilities in Remote Desktop Protocol, and by exploiting known vulnerabilities in software. Initial access to accounts may be gained using brute force tactics to guess weak credentials. With such a variety of attack vectors, there is no single cybersecurity measure that can be used to block all malware infections. It should also be noted that while antivirus software can detect malware based on malware signatures in the definition lists of the software, it cannot block malware unless there is such a signature in the definition list. Many different variants of malware are released, and small tweaks can be all that are required to evade antivirus solutions.

In 2021, remote access Trojans, banking Trojans, information stealers, and malware were the most common types of malware used in attacks. The top malware strains in 2021 were:

  1. Agent Tesla – Information stealer
  2. AZORult – Information stealer
  3. Formbook – Information stealer
  4. Ursnif – Banking Trojan and information stealer
  5. LokiBot – Trojan information stealer
  6. MOUSEISLAND – Ransomware dropper
  7. NanoCore – Information stealer
  8. Qakbot – Banking Trojan, commonly used for reconnaissance and data exfiltration, and delivering additional malware payloads
  9. Remcos – Remote management and pen testing tool used to create a backdoor in victims’’ systems
  10. TrickBot – Banking Trojan cum botnet cum malware dropper
  11. GootLoader – Malware loader

These malware strains have been used in attacks for several years and have evolved to make them more evasive and provide them with new capabilities. Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot have all been used for more than 5 years, while Qakbot and Ursnif have been in use for more than a decade.

In addition to providing access to victims’ systems to the malware gangs, Qakbot and TrickBot are malware droppers and have been extensively used to give access to systems to ransomware gangs such as Conti. The Conti gang is known to have conducted at least 450 ransomware attacks in the first half of 2021. Throughout 2021, the malware strains Formbook, Agent Tesla, and Remcos have been extensively distributed in phishing emails, taking advantage of the pandemic and using COVID-19-themed lures.

Mitigations

CISA has provided a list of recommended mitigations for blocking malware threats and reducing the impact of successful attacks, the most important of which are to update software and patch promptly, enforce multifactor authentication, secure and monitor RDP and other potentially risky services, and provide end user security awareness training.

The post Most Common Malware Strains in 2021 appeared first on HIPAA Journal.

55% of Healthcare Organizations Suffered a Third-Party Data Breach in the Past Year

Cyberattacks on businesses have been increasing year over year across all industry sectors, and there has been an increase in cyberattacks involving third parties. From the point of view of a cyber threat actor, it makes more sense to attack a vendor such as a managed service provider, as if the attack is successful, the threat actor will be able to gain access to the networks of the company’s clients. Already in 2022, there have been several major cyberattacks on vendors used by healthcare organizations, one of which impacted 650 of the company’s HIPAA-covered entity clients.

SecureLink, a provider of access management solutions for businesses, has recently explored how businesses are managing the risk associated with providing vendors with privileged access to their systems and has identified areas where the risks are not being effectively managed, even though efforts are being made to improve cybersecurity.

For SecureLink’s latest report, The State of Cybersecurity and Third-Party Remote Access Risk, the company surveyed 600 U.S. companies across a range of industry sectors, including healthcare, to learn more about their cybersecurity practices and how they are managing third-party risk.

55% of healthcare organizations that responded to the survey said they had experienced a third-party data breach in the last 12 months, which was the second highest percentage of all industry sectors, beaten only by the financial sector where 58% of companies had experienced a third-party data breach. Both of these industry sectors rely heavily on third parties, and those third parties have access to sensitive data that is of high value to cybercriminals.

65% of healthcare organizations said they did not feel that their IT systems are making third-party security and access a top priority, and across all industry sectors, 50% of companies said managing third-party security is overwhelming and a drain on internal resources.

Organizations had a budget of $365 million for IT in 2021, of which $78.5 million of which is spent on cybersecurity – Around 21.5% of the IT budget, yet despite the investment in cybersecurity, 54% of organizations experienced a data breach in the past 12 months. 52% of respondents said there had been an increase in cyberattacks compared to the previous year, and the number of third-party attacks increased from 44% to 49%.

The survey confirmed that organizations are starting to understand how to keep their systems and data safe; however, the number of cyberattacks is increasing and so is the sophistication of those attacks. The result is little headway has been made, with many organizations struggling to innovate their cybersecurity as fast as other aspects of their operations.

The SecureLink survey indicates organizations are failing to treat third-party vendors relative to the security risk they pose. For example, in 2022, only 49% of organizations had a comprehensive inventory of all third parties that had access to their systems. This is an improvement from the 42% in 2021, but only slightly. There has been a greater percentage increase in organizations that have identified all third parties with access to their most sensitive data, rising from 35% in 2021 to 45% in 2021, but the figure is still worryingly low.

“While there is a statistically significant increase in terms of identifying third parties, that number is hovering under 50% while the reliance on third parties and a remote workforce is trending upwards. And while there is an increase in those measures, organizations are still finding managing third-party access to be overwhelming. All those numbers add up to a major risk point,” said SecureLink.

One of the main problems that organizations face is the complexity of their third-party relationships, which was stated as a problem by 48% of respondents. Added to that is monitoring is often a manual process, which is not a great use of internal resources that are already stretched. The survey revealed only 36% of organizations have automated the process of monitoring third parties. With a lack of monitoring and automation, it is not surprising that 47% of respondents said they are not highly effective at detecting third-party threats.

“The biggest challenge businesses face is having the manpower to manage third-party identities and cyber risk. With more streamlined systems and automated workflows, access is more manageable and less burdensome on employees,” said SecureLink. “Automation and efficiency are key factors in a successful cybersecurity strategy. Using security technology to streamline operations creates efficiency, which in turn, will be more effective in mitigating threats and pulling in/retaining talent to manage cybersecurity.”

The post 55% of Healthcare Organizations Suffered a Third-Party Data Breach in the Past Year appeared first on HIPAA Journal.

Ransom Payment Data Suggests More Victims are Choosing Not to Pay

The average payment in ransomware attacks increased in Q2, 2022; however, there was a fall in the median payment for the second successive quarter, indicating more victims of ransomware attacks are choosing not to pay up. The data comes from the latest quarterly report from the ransomware remediation firm, Coveware. The average ransom payment in Q2, 2022 was $228,125, which is an 8% increase from the previous quarter. The median ransom payment was $36,360, which is a 51% decrease from Q1, 2022.

According to Coveware, the recent fall in payments indicates the changing profile of attacked companies, with ransomware gangs now tending to focus on attacking mid-market companies. Attacks on large enterprises are costly due to their large budgets for cybersecurity but the potential returns are greater. While ransomware attacks on mid-market firms mean the ransom demands must be smaller, the risks associated with attacks are also lower. Mid-market firms appear to be the sweet spot. The profits are sufficiently high to make the attacks worthwhile, and the ransomware gangs are less likely to face geopolitical pressure and action by law enforcement. Coveware also notes that a trend has been identified where large enterprises are refusing to even engage with ransomware gangs if their initial ransom demand is too large.

When ransomware gangs started exfiltrating data prior to encrypting files the percentage of victims paying ransoms increased, as many victims chose to pay even if they had backups to prevent the sale or public disclosure of the stolen data. In Q2, 2022, 86% of ransomware attacks involved data theft and a threat to release the stolen data publicly. While the payment of the ransom is needed to prevent the publication of stolen data, Coveware notes that it has seen growing evidence that ransomware gangs are not making good on their promise to delete the data, which means the ransom payment was unnecessary.

If a ransomware attack involves data theft, Coveware says payment of the ransom does not mitigate the risk of harm, nor any liability the victim has to protect impacted parties. While some victims might view payment of the ransom as a way to protect against future class action lawsuits, “Paying a ransom is not going to thwart a meritless lawsuit, and there has been no case law to suggest that the risk of a suit happening, or the resulting settlements or damages are mitigated by paying a ransom,” said Coveware. Coveware also suggests that paying the ransom does not limit brand damage, nor does it show that a company has done everything to protect customers or clients. “A far better narrative is to be candid, honest, and contrite. Your impacted constituents will understand that this happens, and will appreciate the transparency.”

Q2, 2022 saw a change in the ransomware landscape following the shutdown of the Conti ransomware operation, which instead is working with smaller ransomware operations. Ransomware attacks are now spread out much more broadly across several smaller operations, with BlackCat having a market share of 16.9%, followed by LockBit 2.0 with 13.2%, Hive with 6.3%, and Quantum, Conti V2, Phobos, Black Basta, and AvosLocker, which each have a market share of around 5%. There appears to be a trend where RaaS affiliates are choosing to spread their attacks across multiple ransomware brands.

As was the case in Q1, 2022, the most popular attack vector is still email phishing, although RDP compromise remains popular. The exploitation of software vulnerabilities and other attack vectors are still used, and Coveware suggests that affiliates are not limiting themselves to one attack vector.

In Q2, 2022, professional services was the most attacked sector, accounting for 21.9% of attacks, followed by the public sector (14.4%), healthcare (10%), and software services (9.4%). There was a slight increase in the number of attacks on healthcare organizations, which is largely due to the Hive ransomware gang expanding its operations. The Hive ransomware gang has no qualms about conducting attacks on the healthcare sector.

The post Ransom Payment Data Suggests More Victims are Choosing Not to Pay appeared first on HIPAA Journal.

Ransomware Attacks Drop by 23% Globally but Increase by 328% in Healthcare

SonicWall has released a mid-year update to its 2022 Cyber Threat Report, which highlights the global cyberattack trends in 1H 2022. The data for the report was collected from more than 1.1 million global sensors in 215 countries and shows a global fall in ransomware attacks, with notable increases in malware attacks for the first time in 3 years.

Ransomware

SonicWall reports a 23% fall in ransomware attacks globally in 1H 2022, which fell to 236.1 million attempted attacks, continuing the downward trend that has been observed for the previous four quarters. June 2022 saw the lowest number of ransomware hits in the past 23 months. While ransomware attacks are down overall, that is not the case for the healthcare industry, which saw a 328% increase in attacks in 1H 2022.

While the reduction in attacks is certainly good news, it should be noted that the year-to-date figures for ransomware attacks are still higher than they were in all of 2017, 2018, and 2019. In the United States, SonicWall recorded an average of 707 ransomware attempts per customer in the first half of 2022. SonicWall attributes the decrease in attacks to the combination of geopolitical forces, volatile cryptocurrency prices, and an increased government and law-enforcement focus on ransomware gangs.

Malware

Ransomware attacks had increased for two straight years, but malware attacks have been at very low levels, with 2021 seeing malware attacks hit a 7-year low. 1H 2022 has seen a sharp increase in malware attacks, with 11% more attacks than 1H 2021, reaching 2.8 billion in 1H 2022 with an average of 8,240 attempts per customer. There was a marked rise in never-before-seen malware variants in 2022, which increased by 45% from 1H 2021. Cryptojacking has increased by 30% compared to 1H 2021, even with the sharp fall in the value of cryptocurrencies. Cryptjacking attacks in healthcare fell by 87%.

The biggest increase in malware was seen in IoT malware, which increased by 77% increase from 1H 2021 with 57 million detections, which was the highest rate of detection since the attacks started to be tracked by SonicWall. The number of hits in 1H 2022 was only slightly lower than the total hits recorded in all of 2021. IoT attacks in the United States increased by 228% in June and IoT malware attacks in healthcare increased by 123%.

Malicious Files

SonicWall reported in its mid-year 2021 update that there had been a 54% fall in the number of malicious Office files and a 13% drop in malicious PDF files, but the fall in number was short-lived, with this year seeing an increase in malicious file detections. In the first half of 2022, detections of malicious Office files increased by 18%, and malicious PDF file detections increased by 9%. PDF files now account for 18% of malicious file types, with Office files accounting for 10%, with more than 84% of malicious Office files being Excel files. Excel Macro 4.0 (XLM) files are the most common, accounting for 64% of malicious Excel files. Executable files are still the most common malicious file types, accounting for more than one-third of malicious files.

Encrypted Attacks

SonicWall observed a 132% increase in encrypted attacks in 1H 2022, continuing the trend of the past two years. May 2022 was the second highest month for malware over HTTPS ever recorded. Encrypted threats were most prevalent in the United States, and accounted for 41% of the global volume, with a 284% increase over the corresponding period last year. Encrypted attacks in healthcare fell by 6%.

Intrusion Attempts

Intrusion attempts rose by 18% globally in 1H 2022, but the number of malicious intrusions fell by 19%. However, in North America, there was an increase in intrusion attempts but the attacks appear to have peaked in June. Intrusion attempts increased by 39% in healthcare, 46% in government, and 200% in retail. Even with these increases, the 1H 2022 figures are lower than they were in 2021.

The post Ransomware Attacks Drop by 23% Globally but Increase by 328% in Healthcare appeared first on HIPAA Journal.

IBM: Average Cost of a Healthcare Data Breach Reaches Record High of $10.1 Million

The average cost of a healthcare data breach has reached double digits for the first time ever, according to the 2022 Cost of a Data Breach Report from IBM Security. The average cost of a healthcare data breach jumped almost $1 million to a record high of $10.1 million, which is 9.4% more than in 2021 and 41.6% more than in 2020. Across all industry sectors, the average cost of a data breach was up 2.6% year over year at $4.35 million, which is the highest average cost in the 17 years that IBM has been producing its annual cost of a data breach reports and 12.7% higher than in 2020.

The report is based on a study of 550 organizations in 17 countries and regions and 17 different industry sectors that suffered data breaches between March 2021 and March 2022. For the report, IBM Security conducted more than 3,600 interviews with individuals in those organizations. 83% of organizations represented in the report have experienced more than one data breach, and 60% of organizations said the data breach resulted in them having to increase the price of their products and services.

Summary of 2022 Data Breach Costs

  • Global average cost of a data breach – $4.35 million (+2.6%)
  • Global average cost per record – $164 (+1.9%)
  • Average cost of a U.S. data breach – $9.44 million (+4.3%)
  • Average cost of a healthcare data breach – $10.1 million (+9.4%)
  • Average cost of a ransomware attack – $4.54 million (-1.7%)
  • Average cost where phishing was the initial attack vector $4.91 million
  • Average cost of a $1 million record data breach – $49 million
  • Average cost of 50-60 million record data breach – $387 million

For the first time in at least six years, the biggest component of the data breach costs was detection and escalation, which cost $1.44 million in 2022, up from $1.24 million in 2021. Next was lost business, which cost an average of $1.42 million in 2022, down from $1.59 million in 2022. Post-breach response increased slightly from $1.14 million in 2021 to $1.18 million in 2022, and there was a small increase in notification costs, which rose from $0.27 million in 2021 to $0.31 million in 2022.

On average, 52% of the breach costs are incurred in the first year, 29% in the second year, and 19% after two years. In highly regulated industries such as healthcare, a much larger percentage of the costs are incurred later, with 45% of costs in the first year, 31% in year 2, and 24% later than year 2, which was attributed to regulatory and legal costs.

The report explored the different initial attack vectors and found that the most common entry route was the use of stolen credentials, which accounted for 19% of all data breaches, with these data breaches costing an average of $4.5 million. Phishing attacks accounted for 16% of all data breaches, and phishing was the costliest attack vector, with an average data breach cost of $4.91 million, closely followed by business email compromise attacks, which accounted for 6% of all data breaches and cost an average of $4.89 million. Cloud misconfigurations accounted for 15% of data breaches and cost an average of $4.14 million, and vulnerabilities in third-party software accounted for 13% of data breaches and cost an average of $.55 million per breach.

The average time to identify a data breach was 207 days in 2022, down from 212 days in 2021. The average time to contain a data breach was 277 days, down from 287 days in 2021. A shorter data breach lifecycle (time to identify and contain a breach) equates to a lower breach cost. Data breaches with a lifecycle of fewer than 200 days cost 26.5% ($1.12 million) less on average than data breaches with a lifecycle of over 200 days.

One of the most important steps to take to improve security is to adopt zero trust strategies, but only 59% of organizations had adopted zero trust, and almost 80% of critical infrastructure organizations had yet to implement zero-trust strategies. The average breach cost for critical infrastructure organizations without zero trust was $5.4 million, which was $1.17 million more than those that had implemented zero trust strategies.

Cost of Data Breaches by Breach Cause

The average cost of a ransomware attack fell slightly by 1.7% to $4.54 million, not including the cost of the ransom itself. Ransomware attacks increased significantly in 2022 and accounted for 11% of all data breaches, up from 7.8% of data breaches in 2021. Ransomware attacks took 49 days longer to identify and contain than the global average, taking an average of 237 days to identify the intrusion and 89 days to contain the attack. Paying the ransom only saw a $610,000 reduction in data breach costs, on average, not including the amount of the ransom. Since ransom amounts are often high, the report indicates that paying the ransom does not necessarily lower the breach cost. In fact, paying may well increase the cost of the breach.

Around one-fifth of data breaches were the result of supply chain compromises. The average cost of a supply chain compromise was $4.46 million, which was 2.5% higher than the overall average cost of a data breach. It took an average of 235 days to identify the breach and 68 days to contain the breach – 26 days more than the average data breach

45% of data breaches occurred in the cloud, with data breaches in the public cloud costing considerably more than data breaches with a hybrid cloud model. 43% of organizations that experienced a data breach in the cloud were in the early stages of their migration to the cloud and had not started applying security practices to secure their cloud environments. Organizations in the early stages of cloud adoption had data breach costs of an average of $4.53 million, whereas those at a mature stage had average breach costs of $3.87 million.

Data Breach Cost Savings

IMB identified several steps that organizations can take to reduce the financial cost and reputational consequences of a data breach. The main cost-saving elements were:

  • Fully deployed security AI and automation – $3.05 million
  • Incident response team with regularly tested IR plan – $2.66 million
  • Adoption of zero trust – $1.5 million
  • Mature cloud security practices – $720,000
  • Being fully staffed vs insufficiently staffed $550,000
  • Use of extended detection and response (XDR) technologies – 29-day reduction in response time

The post IBM: Average Cost of a Healthcare Data Breach Reaches Record High of $10.1 Million appeared first on HIPAA Journal.

Cloud Security Alliance Releases Third Party Vendor Risk Management Guidance for Healthcare Organizations

Cyber actors are increasingly targeting business associates of HIPAA-covered entities as they provide an easy way to gain access to the networks of multiple healthcare organizations. To help healthcare delivery organizations (HDOs) deal with the threat, the Cloud Security Alliance (CSA) has published new guidance on third-party vendor risk management in healthcare. The guidance was drafted by the Health Information Management Working Group and includes examples and use cases and provides information on some of the risk management program tools that can be used by HDOs for risk management.

Third-party vendors provide invaluable services to HDOs, including services that cannot be effectively managed in-house; however, the use of vendors introduces cybersecurity, reputational, compliance, privacy, operational, strategic, and financial risks that need to be managed and mitigated. The guidance is intended to help HDOs identify, assess, and mitigate the risks associated with the use of third-party vendors to prevent and limit the severity of security incidents and data breaches.

Cyberattacks on vendors serving the healthcare industry have increased in recent years. Rather than attacking an HDO directly, a cyber actor can attack a vendor to gain access to sensitive data or to abuse the privileged access the vendor has to a HDO’s network. For example, a successful intrusion at a managed service provider allows a threat actor to gain access to the networks of all of the company’s clients by abusing the MSP’s privileged access to client systems. This is advantageous for a hacker as it means it is not necessary to hack into the networks of each MSP client individually.

When third-party vendors are used, the attack surface is increased significantly, and managing and reducing risk can be a challenge. While third-party vendors are used in all industry sectors, third-party vendor security risks are most prevalent in the healthcare sector. The CSA suggests that this is due to the lack of automation, extensive use of digital applications and medical devices, and the lack of fully deployed critical vendor management controls. Since healthcare organizations tend to use a large number of vendors, conducting comprehensive and accurate risk assessments for all vendors and implementing critical vendor management controls can be a very time-consuming and costly process.

“Healthcare Delivery Organizations entrust the protection of their sensitive data, reputation, finances, and more to third-party vendors. Given the importance of this critical, sensitive data, combined with regulatory and compliance requirements, it is crucial to identify, assess, and reduce third-party cyber risks,” said Dr. James Angle, the paper’s lead author and co-chair of the Health Information Management Working Group. “This paper offers a summary of third-party vendor risks in healthcare as well as suggested identification, detection, response, and mitigation strategies.”

If an HDO chooses to use a third-party vendor, it is essential that effective monitoring controls are implemented, but it is clear from the number of third-party or vendor-related data breaches that many healthcare organizations struggle to identify, protect, detect, respond to, and recover from these incidents, which suggests the current approaches for assessing and managing vendor risks are failing. These failures can have a major financial impact, not just in terms of the breach mitigation costs, but HDOs also face the risk of regulatory fines from the HHS’ Office for Civil Rights and state Attorneys General and there is also significant potential for long-lasting reputation damage.

The CSA makes several suggestions in the paper, including adopting the NIST Cybersecurity Framework for monitoring, measuring, and tracking third-party risk. The NIST Framework is mostly concerned with cybersecurity, but the same principles can also be applied for measuring other types of risk. The core functions of the framework are identify, protect, detect, respond, and recover. Using the framework, HDOs can identify risks, understand what data is provided to each, prioritize vendors based on the level of risk, implement safeguards to protect critical services, ensure monitoring controls are implemented to detect security incidents, and a plan is developed for responding to and mitigating any security breach.

“The increased use of third-party vendors for applications and data processing services in healthcare is likely to continue, especially as HDOs find it necessary to focus limited resources on core organizational objectives and contract out support services, making an effective third-party risk management program essential,” said Michael Roza, a contributor to the paper.

The post Cloud Security Alliance Releases Third Party Vendor Risk Management Guidance for Healthcare Organizations appeared first on HIPAA Journal.