Healthcare Cybersecurity

August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average.

The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size was 58,572 records and the median breach size was 3,736 records.

Largest Healthcare Data Breaches Reported in August 2020

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI | Incident |
|---|---|---|---|---|---|
| Northern Light Health | Business Associate | 657,392 | Hacking/IT Incident | Network Server, Other | Blackbaud ransomware attack |
| Saint Luke’s Foundation | Healthcare Provider | 360,212 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Assured Imaging | Healthcare Provider | 244,813 | Hacking/IT Incident | Network Server | Ransomware attack |
| MultiCare Health System | Healthcare Provider | 179,189 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Imperium Health LLC | Business Associate | 139,114 | Hacking/IT Incident | Email | Phishing attack |
| University of Florida Health | Healthcare Provider | 135,959 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Utah Pathology Services, Inc. | Healthcare Provider | 112,124 | Hacking/IT Incident | Email | Phishing attack |
| Dynasplint Systems, Inc. | Healthcare Provider | 102,800 | Hacking/IT Incident | Network Server | Ransomware attack |
| Main Line Health | Healthcare Provider | 60,595 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Northwestern Memorial HealthCare | Healthcare Provider | 55,983 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Richard J. Caron Foundation | Healthcare Provider | 22,718 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| UT Southwestern Medical Center | Healthcare Provider | 15,958 | Unauthorized Access/Disclosure | Other | Unconfirmed |
| City of Lafayette Fire Department | Healthcare Provider | 15,000 | Hacking/IT Incident | Network Server | Ransomware attack |
| Hamilton Health Center, Inc. | Healthcare Provider | 10,393 | Unauthorized Access/Disclosure | Email | Misdirected Email |

Causes of August 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, with the 24 reported incidents making up 64.9% of the month’s data breaches. 2,127,070 records were compromised in those breaches, which is 98.15% of all records breached in August. The average breach size was 88,628 records and the median breach size was 11,550 records.

There were 8 unauthorized access/disclosure incidents involving 32,205 records. The average breach size was 4,026 records and the median breach size was 992 records. There were 5 loss (2) and theft (3) incidents reported. The average breach size was 1,581 records and the median breach size was 1,768 records.

While phishing attacks usually dominate the healthcare data breach reports, in August, attacks on network servers were more common. The increase in network server attacks is largely due to ransomware attacks, notably, an attack on Blackbaud, a business associate of many healthcare organizations in the United States. Blackbaud offers a range of services to healthcare providers, including patient engagement and digital data storage related to donors and philanthropy.

Between February 7, 2020 and May 20, 2020, hackers had access to Blackbaud’s systems and obtained backups of several of its clients’ databases before deploying ransomware. Blackbaud paid the ransom to ensure data stolen in the attack were destroyed.

Only a small percentage of its clients were affected by the attack, but so far at least 52 healthcare organizations have confirmed that their donor data were compromised in the attack. We have data for 17 of those attacks and so far, more than 3 million individuals are known to have been affected. That number is likely to grow significantly over the next few weeks now that the deadline for reporting the breach is approaching.

There were also two major phishing incidents reported in August. Imperium Health suffered an attack in which the records of 139,114 individuals were potentially compromised, and Utah Pathology Services suffered an attack involving the records of 112,124 individuals.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 24 data breaches reported in August. Three breaches were reported by health plans and five breaches were reported by business associates; however, a further 9 breaches had some business associate involvement.

States Affected by August 2020 Data Breaches

Data breaches were reported by entities in 24 states in August. Pennsylvania was the worst affected state with 6 breaches of 500 or more healthcare records, followed by Kentucky with 4, Texas with 3, and Arizona, Ohio, and Washington with 2. One breach was reported in each of Arkansas, California, Colorado, Connecticut, Florida, Iowa, Idaho, Illinois, Indiana, Maryland, Maine, Michigan, Missouri, New York, Oklahoma, South Carolina, Utah, and Wisconsin.

HIPAA Enforcement Activity in August 2020

There were no HIPAA enforcement actions announced in August by either the HHS Office for Civil Rights or state attorneys general.

The post August 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Hospital Ransomware Attack Results in Patient Death

Ransomware attacks on hospitals pose a risk to patient safety. File encryption results in essential systems crashing, communication systems are often taken out of action, and clinicians can be prevented from accessing patients’ medical records.

Highly disruptive attacks may force hospitals to redirect patients to alternate facilities, which recently happened in a ransomware attack on the University Clinic in Düsseldorf, Germany. One patient who required emergency medical treatment for a life-threatening condition had to be rerouted to an alternate facility in Wuppertal, approximately 20 miles away. The redirection resulted in a one-hour delay in receiving treatment and the patient later died. The death could have been prevented had treatment been provided sooner.

The attack occurred on September 10, 2020 and completely crippled the clinic’s systems. Investigators determined that the attackers exploited a vulnerability in “widely used commercial add-on software” to gain access to the network. As the encryption process ran, hospital systems started to crash and medical records could not be accessed.

The medical clinic was forced to de-register from emergency care, postponed appointments and outpatient care, and all patients were advised not to visit the medical clinic until the attack was remediated. A week later, normal function at the hospital has still not resumed, although the hospital is now starting to restart essential systems.

According to a recent Associated Press report, 30 servers at the hospital were affected. A ransom demand was found on one of the encrypted servers. The hospital alerted law enforcement which made contact with the attackers using the information in the ransom note.

It would appear that the attackers did not intend to attack the hospital, as the ransom note was addressed to Heinrich Heine University in Düsseldorf, with which the medical clinic is affiliated. When law enforcement officials made contact, they told the attackers that the hospital had been affected and that patient safety was at risk.

The attackers supplied the keys to decrypt files and made no further attempts to extort money. No further contact has been possible with the attackers. Law enforcement is continuing to investigate and it is possible that charges of manslaughter could be brought against the attackers.

Until now there have been no confirmed cases of ransomware attacks on healthcare facilities resulting in the death of a patient, but when attacks cripple hospital systems and patients are prevented from receiving treatment for life-threatening conditions, such tragic events are sadly inevitable.

Several ransomware gangs have publicly stated that they will not conduct attacks on medical facilities, and if hospital systems are affected, keys to decrypt files will be provided free of charge. However, even if keys are provided to decrypt files, recovery from an attack is not a quick process. Other ransomware operations have made no such concessions and continue to attack healthcare facilities.

CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability

CISA has published information on a critical vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) now that a public exploit for the flaw has been released, which could be used to attack vulnerable domain controllers.

MS-NRPC is a core component of Active Directory that provides authentication for users and accounts. “The Netlogon Remote Protocol (MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel,” explained Microsoft.

The vulnerability, tracked as CVE-2020-1472, is an elevation of privilege vulnerability that can be exploited when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. MS-NRPC reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which would allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and gain domain administrator privileges.
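The weakness described above is a property of CFB8 with a fixed IV rather than of AES itself. The Go program below, added here as an illustration and not code from Microsoft, CISA or the published exploit, implements AES-CFB8 on top of Go's standard library and shows that with an all-zero IV an all-zero 8-byte input (the length of a Netlogon credential) encrypts to all zeros for about 1 key in 256, exactly when the first byte of AES_k(0) is zero, while a per-session random IV removes the property, which is why the protocol had to change rather than just the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// cfb8 runs AES in CFB8 mode: each byte is XORed with the first byte of
// AES_k(shift register), then the register shifts left one byte and the
// ciphertext byte is appended. decrypt selects which byte feeds back.
func cfb8(key, iv, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes", block.BlockSize())
	}
	shift := append([]byte(nil), iv...)
	ks := make([]byte, len(iv))
	out := make([]byte, len(in))
	for i, b := range in {
		block.Encrypt(ks, shift)
		out[i] = b ^ ks[0]
		copy(shift, shift[1:])
		if decrypt {
			shift[len(shift)-1] = b
		} else {
			shift[len(shift)-1] = out[i]
		}
	}
	return out, nil
}

// allZero reports whether every byte of b is zero.
func allZero(b []byte) bool { return len(bytes.Trim(b, "\x00")) == 0 }

// zeroIVCollapses reports whether eight zero plaintext bytes encrypt to
// eight zero ciphertext bytes under key when the IV is all zeros. If the
// first keystream byte is zero, the first ciphertext byte is zero, the
// shift register stays all-zero, and every later byte repeats the result.
func zeroIVCollapses(key []byte) (bool, error) {
	ct, err := cfb8(key, make([]byte, 16), make([]byte, 8), false)
	if err != nil {
		return false, err
	}
	return allZero(ct), nil
}

// firstKeystreamByteIsZero tests that condition directly: AES_k(0^16)[0] == 0,
// which holds for about 1 key in 256.
func firstKeystreamByteIsZero(key []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	ks := make([]byte, 16)
	block.Encrypt(ks, make([]byte, 16))
	return ks[0] == 0, nil
}

// countCollapsingKeys samples n random keys and counts the collapse with the
// fixed zero IV versus a fresh random IV for each key: with a random IV the
// all-zero outcome needs eight independent zero bytes, probability 2^-64.
func countCollapsingKeys(n int) (zeroIV, randomIV int, err error) {
	key, iv, zero := make([]byte, 16), make([]byte, 16), make([]byte, 16)
	for i := 0; i < n; i++ {
		if _, err = rand.Read(key); err != nil {
			return
		}
		if _, err = rand.Read(iv); err != nil {
			return
		}
		var ct []byte
		if ct, err = cfb8(key, zero, zero[:8], false); err != nil {
			return
		}
		if allZero(ct) {
			zeroIV++
		}
		if ct, err = cfb8(key, iv, zero[:8], false); err != nil {
			return
		}
		if allZero(ct) {
			randomIV++
		}
	}
	return
}

func main() {
	z, r, err := countCollapsingKeys(25600)
	if err != nil {
		panic(err)
	}
	fmt.Printf("zero IV: %d of 25600 random keys turn an all-zero input into an all-zero credential (about 100 expected)\n", z)
	fmt.Printf("random IV: %d of 25600\n", r)
}
```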

Microsoft is addressing the vulnerability in a phased two-part rollout. Microsoft released a patch for the vulnerability on August 2020 Patch Tuesday which changes Netlogon client behavior to use secure RPC with Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DC). The second “enforcement phase” is planned for Q1 2021, on or after February 9, 2021, and will be deployed automatically.

Microsoft explained the “changes to the Netlogon protocol have been made to protect Windows devices by default, log events for non-compliant device discovery, and add the ability to enable protection for all domain-joined devices with explicit exceptions.”

The patch enforces secure RPC usage for machine accounts on Windows-based devices, trust accounts, and all Windows and non-Windows DCs. A new group policy is included to allow non-compliant device accounts.

“Mitigation consists of installing the update on all DCs and RODCs, monitoring for new events, and addressing non-compliant devices that are using vulnerable Netlogon secure channel connections,” explained Microsoft. “Machine accounts on non-compliant devices can be allowed to use vulnerable Netlogon secure channel connections; however, they should be updated to support secure RPC for Netlogon and the account enforced as soon as possible to remove the risk of attack.”

After deploying the patch, monitoring should take place to identify warning events, and action is required on each of those events. All warning events must be resolved before the February 2021 enforcement phase begins.

Deployment guidelines for the August 2020 patch are detailed here.

The February patch will transition into the enforcement phase and will put DCs into enforcement mode regardless of the enforcement mode registry key, forcing all Windows and non-Windows devices to use secure RPC with Netlogon secure channel unless the account has been explicitly allowed by adding an exception for the non-compliant device. The update will also remove logging, as all vulnerable connections will be denied.

If the August 2020 patch has not yet been applied, systems will be vulnerable to attack. CISA warns that the flaw is an attractive target for attackers and immediate patching is strongly recommended. Should the vulnerability be exploited, and the Active Directory infrastructure compromised, significant damage can be caused, and the attack will be costly to mitigate.

Vulnerabilities Identified in Philips Clinical Collaboration Platform

5 low- to medium-severity vulnerabilities have been identified in the Philips Clinical Collaboration Platform (Vue PACS). If successfully exploited, the vulnerabilities could allow an attacker to convince an authorized user to execute unauthorized actions, or could result in the disclosure of information that could be used in further attacks.

Philips has not received any reports to indicate exploits for the vulnerabilities have been developed or used in real world attacks, and there have been no reports of incidents from clinical use associated with the vulnerabilities.

The vulnerabilities affect versions 12.2.1 and prior and range in severity from low (CVSS v3 base score 3.4) to medium (CVSS v3 base score 6.8).

  • CVE-2020-16200 – Resource exposed to the wrong control sphere – Allows unauthorized access to the resource (CVSS 6.8)
  • CVE-2020-16247 – Algorithm downgrade – A failure to control the allocation and maintenance of a limited resource, potentially leading to exhaustion of available resources. (CVSS 6.5)
  • CVE-2020-16198 – Protection mechanism failure – Failure or insufficient checks to verify the identity given by an attacker to ensure the claim is correct. (CVSS 5.0)
  • CVE-2020-14525 – Improper neutralization of script in attributes in a web page – Does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a webpage that is served to other users. (CVSS 3.5)
  • CVE-2020-14506 – When input or data is provided, there are insufficient checks to ensure the input has the properties to allow data to be processed safely and correctly. (CVSS 3.4)

Philips released a patch for the Clinical Collaboration Platform (Version 12.2.1.5) in June 2020 for web portals which fixed two of the low-severity flaws (CVE-2020-14506 and CVE-2020-14525).

Philips released a new version of the Vue PACS Clinical Collaboration Platform (Version 12.2.5) in May 2020, which corrected four of the flaws (CVE-2020-14506, CVE-2020-14525, CVE-2020-16247, and CVE-2020-16198).

The remaining vulnerability, CVE-2020-16200, could not be patched and requires manual intervention to prevent exploitation. Affected customers are encouraged to contact Philips Customer Support to receive assistance correcting the vulnerability.

Philips also recommends the following mitigations:

  • Implement physical security measures to limit or control access to critical systems.
  • Restrict system access to authorized personnel only and follow a least privilege approach.
  • Apply defense-in-depth strategies.
  • Disable unnecessary accounts and services.

The vulnerabilities were identified by Northridge Hospital Medical Center, which reported the vulnerabilities to Philips. Philips released a security advisory and notified relevant authorities about the flaws under its Coordinated Vulnerability Disclosure Policy.

CISA/FBI Warn of Targeted Attacks by Iranian Hacking Groups

A hacking group with links to the Iranian government has been observed exploiting several vulnerabilities in attacks on U.S. organizations and government agencies, according to a recent joint cybersecurity advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The alert closely follows a similar cybersecurity advisory warning about hackers linked to the Chinese government conducting attacks exploiting some of the same vulnerabilities.

The Iranian hacking group, known as UNC757 and Pioneer Kitten, has been exploiting vulnerabilities in F5 networking solutions, Citrix NetScaler, and Pulse Secure VPNs to gain access to networks. The hacking group has also been observed using open source tools such as Nmap to identify vulnerabilities, such as open ports within vulnerable networks.

Exploited Vulnerabilities

Two vulnerabilities in Pulse Secure products are being exploited. The first, CVE-2019-11510, affects Pulse Secure Connect enterprise VPN servers and is a file reading vulnerability. The second is an authentication command injection vulnerability, CVE-2019-11539, in Pulse Secure Pulse Connect Secure software.

The remote code execution vulnerability CVE-2019-19781, which affects Citrix Gateway and Citrix SD-WAN WANOP appliances, is also being exploited along with the CVE-2020-5902 remote code execution vulnerability in F5’s BIG-IP network products.

Once access to networks has been gained, the hackers obtain admin credentials and install web shells such as ChunkyTuna, Tiny, and China Chopper for further entrenchment. They rely heavily on open source and operating system tooling to conduct operations, such as Lightweight Directory Access Protocol (LDAP) directory browser, ngrok, and fast reverse proxy (FRP). Plink and TightVNC are often used for lateral movement.

The hackers have been observed using several methods to evade detection, such as hiding tasks and services, software packing, compile after delivery, and masquerading files as legitimate Dynamic Link Library files. The hackers have also been observed cleaning files on compromised NetScaler devices every 30 minutes to minimize their footprint.

CISA suspects the hackers are stealing data due to the use of tools such as 7-Zip and the ChunkyTuna web shell, although no evidence has been found confirming that to be the case. The hackers are also known to have viewed sensitive documents on compromised networks and have been selling access to compromised organizations on a hacking forum.

While Pioneer Kitten has links to the Iranian government and supports the government’s interests, the hackers also conduct attacks for financial gain and are suspected of having the capabilities to deploy ransomware on victims’ networks.

Pioneer Kitten has attacked government agencies and organizations in several different sectors including healthcare, information technology, finance, insurance, and media organizations in the United States.

Detecting and Preventing Attacks

Many of the attacks involve the exploitation of vulnerabilities for which patches have been released, but not yet applied. The best defense against attacks is to apply patches promptly.

In addition to patching the F5, Citrix, and Pulse Secure vulnerabilities, it is important to investigate whether the vulnerabilities have already been exploited.

The hacking group makes significant use of ngrok to expose a local port to the Internet. This activity may appear as TCP port 443 connections to external cloud-based infrastructure, and FRPC is used over port 7557.

CISA has included other Indicators of Compromise (IoCs) in the cybersecurity advisory along with several mitigations that should be implemented to further reduce the risk of attack.

CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning that hackers affiliated with China’s Ministry of State Security (MSS) are conducting targeted cyberattacks on U.S. government agencies and private sector companies.

The attacks have been ongoing for more than a year and often target vulnerabilities in popular networking devices such as Citrix and Pulse Secure VPN appliances, F5 Big-IP load balancers, and Microsoft Exchange email servers. The hacking groups use publicly available information and open source exploit tools in the attacks such as China Chopper, Mimikatz, and Cobalt Strike. The hacking groups, which have varying levels of skill, attempt to gain access to federal computer networks and sensitive corporate data and several attacks have been successful.

The software vulnerabilities exploited by the hackers are all well-known and patches have been released to correct the flaws, but there are many potential targets that have yet to apply the patches and are vulnerable to attack.

Some of the most exploited vulnerabilities include:

CVE-2020-5902 – A vulnerability in the F5 Big-IP Traffic Management Interface which, if exploited, allows threat actors to execute arbitrary system commands, disable services, execute java code, and create/delete files.

CVE-2019-19781 – A vulnerability in Citrix VPN appliances which can be exploited to achieve directory traversal.

CVE-2019-11510 – A vulnerability in Pulse Secure VPN appliances which can be exploited to gain access to internal networks.

CVE-2020-0688 – A vulnerability in MS Exchange which can be exploited to gain access to Exchange servers and execute arbitrary code.

There is no single action that can be taken to block these threats, but many of the successful attacks have exploited known vulnerabilities. Scans are often conducted within hours or days of a vulnerability being made public. Since many public and private sector organizations do not apply patches promptly, it gives hackers the opportunity to gain access to networks. Applying patches promptly is therefore one of the best forms of defense.

“Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks,” explained CISA in its security advisory. “If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.”

Scans are being conducted using tools such as the Shodan search engine to identify potential targets that may be susceptible to attacks. The hackers also leverage the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD) to obtain detailed information about vulnerabilities that can be exploited.

“Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits,” explained CISA. “These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.”

Other tactics often used by these threat actors include spear phishing and brute force attempts to guess weak passwords. It is therefore essential to enforce the use of strong passwords, provide phishing awareness training to the workforce, and implement software solutions capable of detecting/blocking phishing attacks.

8 Vulnerabilities Identified in Philips Patient Monitoring Devices

8 low- to moderate-severity vulnerabilities have been identified in Philips patient monitoring devices. Exploitation of the vulnerabilities could result in information disclosure, interrupted monitoring, denial of service, and an escape from the restricted environment with limited privileges.

The vulnerabilities affect the following Philips patient monitoring devices:

  • Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
  • PerformanceBridge Focal Point Version A.01
  • IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior
  • IntelliVue X3 and X2 Versions N and prior

Vulnerabilities

CVE-2020-16212 – CVSS 6.8/10 – Moderate Severity. A resource is exposed to the wrong control sphere, which could allow an unauthorized individual to gain access to the resource and escape the restricted environment with limited privileges. Physical access to a vulnerable device is required to exploit the flaw.

CVE-2020-16216 – CVSS 6.5/10 – Moderate Severity. The product does not validate or incorrectly validates input or data to ensure it has the necessary properties to allow it to be handled safely. Exploitation could trigger a denial of service condition through a system restart.

CVE-2020-16224 – CVSS 6.5/10 – Moderate Severity. When the software parses a formatted message or structure, it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. This could trigger a restart of the surveillance station resulting in interrupted monitoring.

CVE-2020-16228 – CVSS 6.0/10 – Moderate Severity. The software incorrectly checks the revocation status of a certificate, potentially allowing a compromised certificate to be used.

CVE-2020-16222 – CVSS 5.0/10 – Moderate Severity. When individuals claim to have a particular identity, there is insufficient authentication to prove the identity of that individual, potentially allowing unauthorized access to data.

CVE-2020-16214 – CVSS 4.2/10 – Moderate Severity. User-provided information is saved into a CSV file, but since special elements are not correctly neutralized, they could be interpreted as a command when the CSV file is opened using spreadsheet software.

CVE-2020-16218 – CVSS 3.5/10 – Low Severity. The product incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Exploitation could give an attacker read-only access to patient data.

CVE-2020-16220 – CVSS 3.5/10 – Low Severity. Product does not validate or incorrectly validates input to ensure it complies with the syntax, which could be exploited to cause the service to crash.
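CVE-2020-16214 above is CSV injection: text stored in an export is evaluated when the file is opened in a spreadsheet. The Go example below, added here and not Philips' code, writes a vulnerable export beside a hardened one that neutralizes cells starting with formula trigger characters while leaving negative readings intact, and scans an existing export for cells that would be evaluated. The column names, bed identifiers and rows are constructed, not real patient data.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"strconv"
	"strings"
)

// formulaTriggers are the leading characters that common spreadsheet
// applications treat as the start of a formula when a CSV cell is opened
// (the OWASP CSV-injection guidance lists these).
const formulaTriggers = "=+-@\t\r"

// isNumeric reports whether s is a plain number. Negative readings such as
// "-0.4" begin with a trigger character but are data, not formulas, so they
// are exempt from neutralization.
func isNumeric(s string) bool {
	_, err := strconv.ParseFloat(strings.TrimSpace(s), 64)
	return err == nil
}

// startsWithTrigger reports whether a non-numeric cell begins with a
// character a spreadsheet would evaluate.
func startsWithTrigger(cell string) bool {
	return cell != "" && !isNumeric(cell) && strings.ContainsRune(formulaTriggers, rune(cell[0]))
}

// neutralizeCell prefixes a risky cell with a single quote, which spreadsheets
// treat as a "display as text" marker. Separators, quotes and newlines inside
// the cell are handled by encoding/csv, which quotes the field.
func neutralizeCell(cell string) string {
	if startsWithTrigger(cell) {
		return "'" + cell
	}
	return cell
}

// writeRecords serialises rows to CSV. With neutralize=false it reproduces
// the vulnerable behaviour (user text written verbatim); with true every
// cell passes through neutralizeCell first.
func writeRecords(rows [][]string, neutralize bool) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	for _, row := range rows {
		out := make([]string, len(row))
		for i, c := range row {
			if neutralize {
				c = neutralizeCell(c)
			}
			out[i] = c
		}
		if err := w.Write(out); err != nil {
			return "", err
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

// findUnneutralized parses an existing export and returns "row:col"
// positions of cells that would be evaluated, which is the check to run
// over exports from a device that cannot yet be patched.
func findUnneutralized(csvText string) ([]string, error) {
	records, err := csv.NewReader(strings.NewReader(csvText)).ReadAll()
	if err != nil {
		return nil, err
	}
	var hits []string
	for r, rec := range records {
		for c, cell := range rec {
			if startsWithTrigger(cell) {
				hits = append(hits, fmt.Sprintf("%d:%d", r, c))
			}
		}
	}
	return hits, nil
}

// sampleRows is a constructed monitor export (not real patient data) in
// which a free-text note was entered as a spreadsheet formula.
var sampleRows = [][]string{
	{"bed", "patient_note", "temp_delta_c"},
	{"ICU-04", "stable overnight", "-0.4"},
	{"ICU-05", "=2*21", "0.1"},
	{"ICU-06", "@SUM(1;2)", "-1.5"},
}

func main() {
	vulnerable, _ := writeRecords(sampleRows, false)
	hardened, _ := writeRecords(sampleRows, true)
	fmt.Print("vulnerable export:\n", vulnerable, "\nhardened export:\n", hardened)
	hits, _ := findUnneutralized(vulnerable)
	fmt.Println("cells a spreadsheet would evaluate in the vulnerable export:", hits)
}
```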

The vulnerabilities were identified by security researchers at ERNW Research GmbH and ERNW Enno Rey Netzwerke GmbH, who reported the flaws to Philips. Philips reported the flaws to CISA and other government agencies under the company’s coordinated vulnerability disclosure policy.

There have been no reported cases of any of the vulnerabilities being exploited in the wild. Updates will be issued starting in 2020; however, in the meantime Philips recommends the following mitigations to make it harder for the vulnerabilities to be exploited:

  • Physically or logically isolate the devices from the hospital local area network (LAN).
  • Implement access control lists that restrict access in and out of the patient monitoring network to only necessary ports and IP addresses.
  • Limit exposure by ensuring the SCEP service is not running unless it is actively being used to enroll new devices.
  • Enter a unique password of 8-12 unpredictable and randomized digits when enrolling new devices using SCEP.
  • Physically secure the devices to prevent unauthorized login attempts and ensure servers are located in locked data centers.
  • Control access to patient monitors at nurses’ stations.
  • Block remote access to PIC iX servers if not required, and if remote access is necessary, only grant remote access on a must-have basis.
  • Apply the principle of least privilege and only allow access to bedside monitors to trusted users.

Users should contact their local or regional Philips service support teams for further information on updating the affected patient monitoring devices and applying mitigating measures.

Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats

September 2020 is the second annual National Insider Threat Awareness Month (NITAM). Throughout the month, resources are being made available to emphasize the importance of detecting, deterring, and reporting insider threats.

NITAM is a collaborative effort between several U.S. government agencies including the National Counterintelligence and Security Center (NCSC), Office of the Under Secretary of Defense Intelligence and Security (USD(I&S)), National Insider Threat Task Force (NITTF), Department of Homeland Security (DHS), and the Defense Counterintelligence and Security Agency (DCSA). NITAM was devised last year to raise awareness of the risks posed by insiders and to encourage organizations to take action to manage those risks.

Security teams often concentrate on protecting their networks, data, and resources from hackers and other external threat actors, but it is also important to protect against insider threats. An insider is an individual within an organization who has been granted access to hardware, software, data, or knowledge about an organization. Insiders include current and former employees, contractors, interns, and other individuals who have been given access to data or systems. Those trusted insiders could accidentally or deliberately take actions which are disruptive to the business. Those actions could cause damage to company facilities, systems, or equipment, result in financial harm, or expose or disclose intellectual property and sensitive data.

To combat insider threats, organizations need to establish an insider threat mitigation program to detect, deter, and respond to threats from malicious and unintentional insiders. The program should protect critical assets against unauthorized access and malicious acts, and the workforce should be trained how to identify insider threats and conditioned to report any suspicious behavior or activities. The program should also involve the collection and analysis of information to help identify and mitigate insider threats quickly.

The SARS-CoV-2 pandemic has created a new set of challenges. The changes made by organizations in response to the pandemic, such as the expansion of remote working to include the entire workforce, have increased the risk of espionage, unauthorized disclosures, fraud, and data theft. It is more important than ever for organizations to have an effective insider threat mitigation program.

The main focus of NITAM 2020 is improving resilience to insider threats. This can be achieved by improving awareness through education of the workforce, by using the resources made available in September to learn how to detect and mitigate the actions of insider threats, and by improving protection against those threats.

The DHS Cybersecurity and Infrastructure Security Agency (CISA) is helping to raise awareness of insider threats and has published resources that can be used by healthcare organizations to improve organizational resilience and mitigate risks posed by insider threats. Games, videos, graphics, posters, and case studies to promote NITAM are available here.

CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity

The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued guidance for network defenders and incident response teams on identifying malicious activity and mitigating cyberattacks. The guidance details best practices for detecting malicious activity and step by step instructions for investigating potential security incidents and securing compromised systems.

The purpose of the guidance is “to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.” The guidance will help incident response teams collect the data necessary to investigate suspicious activity within the network, such as host-based artifacts, conduct a host analysis review and analysis of network activity, and take the right actions to mitigate a cyberattack.

The guidance document was created in collaboration with cybersecurity authorities in the United States, United Kingdom, Australia, New Zealand and Canada and includes technical help for security teams to help them identify malicious attacks in progress and mitigate attacks while reducing the potential for negative consequences.

When incident response teams identify malicious activity, the focus is often on terminating the threat actor's access to the network. While it is important to cut off any access a threat actor has to a device, network, or system, it must be done in the correct order, and in a way that does not alert the attacker that their presence has been detected.

“Although well intentioned to limit the damage of the compromise, some of those actions have the adverse effect of modifying volatile data that could give a sense of what has been done and tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware),” said CISA.

When responding to a suspected intrusion, the first step is to collect, and remove for further analysis, the relevant artifacts, logs, and data that will allow the incident to be thoroughly investigated. If these are not obtained before any mitigations are implemented, the data can easily be lost, which will hamper the investigation. Volatile data such as running processes, open network connections, and memory contents is the most fragile, since a reboot or a hasty shutdown destroys it. Once the artifacts have been secured, mitigating steps can be taken, with care not to alert the threat actor that their presence in the network has been discovered, since an attacker who realizes the intrusion has been detected may change tactics or cause further damage.

When suspicious activity is detected, CISA recommends considering incident response support from a third-party cybersecurity company. Such firms bring the subject matter expertise needed to ensure the attacker is fully eradicated from the network and to avoid residual weaknesses that could be exploited in a follow-up attack after the incident has been remediated and closed.
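As an added example of the collection step described above (this is not CISA's code; the guidance lists what to preserve, not a script to do it), the following Python script snapshots volatile host state in order of volatility into an evidence directory and records a SHA-256 manifest, so the artifacts exist before any containment step touches the host. It assumes a Linux host with `ps`, `ss`, `who`, `uname` and `date` on PATH, and that the output directory sits on removable media or a network share rather than the suspect host's own disk; the collector list, file names and manifest layout are the example's own choices.

```python
"""Snapshot volatile host artifacts before any containment step.

Added example, not CISA's script.  Assumes a Linux host with the standard
`ps`, `ss`, `who`, `uname` and `date` tools on PATH, and that `outdir` is on
removable media or a network share rather than the suspect host's own disk.
"""
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Most volatile first: memory-resident state is captured before anything that
# would survive a reboot. The command list is this example's own choice.
COLLECTORS = [
    ("system_time", ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
    ("network_connections", ["ss", "-tunap"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("logged_in_users", ["who", "-a"]),
    ("kernel", ["uname", "-a"]),
]


def run_command(argv):
    """Run one collector and return its combined stdout/stderr as bytes."""
    proc = subprocess.run(argv, capture_output=True, timeout=60)
    return proc.stdout + proc.stderr


def collect(outdir, collectors=COLLECTORS, run=run_command):
    """Write each collector's output to outdir and return a manifest carrying
    SHA-256 hashes, so the evidence can later be shown to be unaltered.
    A failing collector is recorded and skipped; collection keeps going."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(), "items": []}
    for name, argv in collectors:
        try:
            data, error = run(argv), None
        except (OSError, subprocess.SubprocessError) as exc:
            data, error = b"", repr(exc)
        path = outdir / f"{name}.txt"
        path.write_bytes(data)
        manifest["items"].append({
            "name": name, "command": argv, "file": path.name, "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(), "error": error,
        })
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(outdir):
    """Recompute the hashes and return the names of files that no longer match."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    return [item["name"] for item in manifest["items"]
            if hashlib.sha256((outdir / item["file"]).read_bytes()).hexdigest() != item["sha256"]]


if __name__ == "__main__":
    import sys
    print(json.dumps(collect(sys.argv[1] if len(sys.argv) > 1 else "evidence"), indent=2))
```

Run it as root with the evidence path as the argument (for example `sudo python3 collect_volatile.py /mnt/evidence/host01`) before any process is killed or any host is isolated; `verify()` can be run later against the same directory to confirm nothing has been altered since collection.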

Responding to a security breach requires a variety of technical approaches to uncover malicious activity. CISA recommends searching for known indicators of compromise (IoCs), using confirmed IoCs from a wide range of sources. Frequency analysis is useful for identifying anomalous activity: network defenders calculate normal traffic patterns in both network and host systems from large datasets and then use those baselines to identify activity that is inconsistent with them. The variables typically considered include timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming convention, and other attributes.

Pattern analysis is useful for detecting automated activity by malicious scripts and malware, which tends to repeat at regular intervals, and routine repeating actions by human threat actors. An analyst review should also be conducted: drawing on the security team's knowledge of how the systems are administered, analysts look for errors in the collected artifacts and for anomalous activity that could indicate threat actor activity.
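As an added example illustrating both the frequency analysis and the pattern analysis described above (this is not CISA's code; the guidance includes no tooling), the following Python script builds a baseline from a day of constructed connection-log data, flags records whose destination, port, hour of day, protocol or transfer size is rare or unseen relative to that baseline, and then looks for host-to-destination pairs contacted at machine-regular intervals, the beaconing pattern a timer-driven implant produces. The CSV log format, the IP addresses and the thresholds are assumptions of the example, and the traffic is generated in the script rather than captured.

```python
"""Frequency and pattern analysis over a constructed connection log.

Added example, not code from CISA or the guidance.  Assumed log format (CSV):
timestamp,src,dst,dport,proto,bytes
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def parse(lines):
    """Parse CSV connection-log lines into (ts, src, dst, dport, proto, nbytes) tuples."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split(",")
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((ts, src, dst, int(dport), proto, int(nbytes)))
    return records


def build_baseline(records):
    """Frequency analysis, step 1: count how often each attribute value occurs in
    known-good traffic, plus the mean and spread of transfer sizes."""
    base = {"dport": Counter(), "dst": Counter(), "hour": Counter(), "proto": Counter()}
    for ts, _src, dst, dport, proto, _nbytes in records:
        base["dport"][dport] += 1
        base["dst"][dst] += 1
        base["hour"][ts.hour] += 1
        base["proto"][proto] += 1
    sizes = [r[5] for r in records]
    base["n"], base["bytes_mean"], base["bytes_sd"] = len(records), mean(sizes), pstdev(sizes)
    return base


def frequency_anomalies(records, base, rare=0.01, z=3.0):
    """Frequency analysis, step 2: flag records whose port, destination, hour of day
    or protocol was seen in less than `rare` of the baseline, or whose size lies
    more than `z` standard deviations from the baseline mean."""
    findings = []
    for ts, src, dst, dport, proto, nbytes in records:
        reasons = []
        for attr, value in (("dport", dport), ("dst", dst), ("hour", ts.hour), ("proto", proto)):
            share = base[attr][value] / base["n"]
            if share < rare:
                reasons.append(f"{attr}={value} in {share:.1%} of baseline")
        if base["bytes_sd"] and abs(nbytes - base["bytes_mean"]) / base["bytes_sd"] > z:
            reasons.append(f"bytes={nbytes} more than {z} sd from baseline mean")
        if reasons:
            findings.append((ts.isoformat(), src, dst, dport, reasons))
    return findings


def beacon_candidates(records, min_events=8, max_cv=0.1):
    """Pattern analysis: (src, dst, dport) triples contacted at near-constant intervals.
    The coefficient of variation of the inter-arrival gaps is close to zero for a
    timer-driven implant and much larger for a person clicking around."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, _proto, _nbytes in records:
        by_key[(src, dst, dport)].append(ts)
    hits = []
    for key, times in by_key.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append((key, len(times), round(avg, 1), round(cv, 3)))
    return hits


JITTER = [0, 11, 3, 25, 7, 19, 1, 14]  # minutes; keeps the human gaps irregular (12 to 52 min)


def constructed_day(day):
    """Constructed sample traffic (not real telemetry): ten workstations fetching the
    intranet server over 443 during office hours at irregular intervals."""
    start = datetime(2020, 9, day, 8, 0, tzinfo=timezone.utc)
    lines = []
    for h in range(10, 20):
        for k in range(20):
            ts = start + timedelta(minutes=30 * k + JITTER[(h + k) % 8])
            size = 4000 + (h * 13 + k * 37) % 900
            lines.append(f"{ts.isoformat()},10.0.0.{h},172.16.1.10,443,tcp,{size}")
    return lines


def constructed_incident_day():
    """Day two: the same office traffic plus three planted anomalies."""
    lines = constructed_day(2)
    night = datetime(2020, 9, 2, 2, 0, tzinfo=timezone.utc)
    for j in range(30):  # implant beaconing to an unknown host every ~60 s at 02:00
        ts = night + timedelta(seconds=60 * j + j % 3)
        lines.append(f"{ts.isoformat()},10.0.0.14,203.0.113.9,443,tcp,512")
    # one connection to a port the intranet server never serves
    lines.append("2020-09-02T10:15:00+00:00,10.0.0.12,172.16.1.10,4444,tcp,4500")
    # one transfer far larger than any normal fetch
    lines.append("2020-09-02T14:00:00+00:00,10.0.0.15,172.16.1.10,443,tcp,250000")
    return lines


if __name__ == "__main__":
    base = build_baseline(parse(constructed_day(1)))
    today = parse(constructed_incident_day())
    for finding in frequency_anomalies(today, base):
        print("frequency:", finding)
    for hit in beacon_candidates(today):
        print("beacon:", hit)
```

Against the constructed data the frequency pass flags the thirty night-time connections to the unknown host, the single connection to port 4444 and the oversized transfer, and nothing from the normal office traffic; the pattern pass reports only the beaconing pair, because the human-driven fetches vary too much in timing. On real data the baseline should come from a period believed to be clean, and the `rare` and `z` thresholds tuned to the environment's own noise level.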

The guidance details some of the common mistakes that are made when responding to incidents and lists technical measures and best practices for investigation and remediation processes.

Source: CISA

CISA also makes general recommendations on defense techniques and programs that make it much harder for a threat actor to gain access to a network or system and remain there undetected. These measures may not stop a threat actor from compromising a system, but they slow an attack down, giving incident response teams the time they need to identify and respond to it.

You can view the CISA guidance here: Technical Approaches to Uncovering and Remediating Malicious Activity (AA20-245A)

The post CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity appeared first on HIPAA Journal.