Healthcare Cybersecurity

2019 Novel Coronavirus and COVID-19 Themed Attacks Dominate Threat Landscape

Cybercriminals are now almost exclusively conducting 2019 Novel Coronavirus and COVID-19 themed campaigns, according to a new report published by Proofpoint. 80% of all threats identified by the firm are coronavirus or COVID-19 related.

The recent analysis was performed on more than half a million email messages, 300,000 malicious URLs, and over 200,000 malicious email attachments. Proofpoint researchers identified more than 140 phishing and malware distribution campaigns and report that the number of active campaigns continues to rise. The coronavirus theme spans virtually every possible threat, with COVID-19 campaigns being conducted by everyone from small players to the most prolific APT groups. The email campaigns are diverse and change frequently, and Proofpoint researchers believe the diverse nature of the attacks will continue and that attacks will likely increase.

A report from Check Point tells a similar story. In mid-February, Check Point was seeing a few hundred coronavirus-themed malware attacks a day, but by late March the average number of attacks had increased to 2,600 a day, with 5,000 attacks taking place on March 28, 2020. These attacks involved emails with “Corona” or “COVID” in the email subject line or the name of an email attachment, or which linked to a domain or URL containing those words.

In the past two weeks alone, Check Point Research reports there have been more than 30,000 domain names purchased related to the coronavirus or COVID-19. While only 0.4% of those domains have been confirmed as malicious, 9% were suspicious, and many more could be used by cybercriminals in the near future for phishing, malware distribution, or fraud. The researchers note that there have been more than 51,000 coronavirus-related domains registered since mid-January.

An analysis of online threats by Cloudflare revealed there has been a 6-fold increase in online threats over the past month, with hacking and phishing attacks up 37% month-over-month. Barracuda Networks reports there has been a 600% increase in phishing attacks since the end of February and notes a rise in impersonation scams and business email compromise scams.

The FBI has already issued warnings about coronavirus and COVID-19-themed phishing scams and a further alert was issued on April 1, 2020 warning of the threat of attacks on software and computer systems being used to support at-home workers. The increase in the number of at-home workers during the 2019 Novel Coronavirus pandemic has seen many turn to teleconferencing and telework solutions to maintain contact with employers, colleagues and customers.

Cybercriminals are searching for exploitable vulnerabilities in virtual private network (VPN), telework, and teleconferencing solutions and the FBI anticipates increased exploits of vulnerabilities over the coming weeks. These attacks are being conducted to steal sensitive data and spread malware and ransomware.

1,200 complaints about COVID-19-related scams have been received and reviewed by staff at the FBI’s Internet Crime Complaint Center (IC3) as of March 30, 2020, and attacks have been reported on first responders and medical facilities tackling the COVID-19 crisis. The FBI has warned that these attacks will continue, and it is likely these threat actors will also start targeting individuals working from home.

“Carefully consider the applications you or your organization uses for telework applications, including video conferencing software and voice over Internet Protocol (VOIP) conference call systems,” warned the FBI in its April 1 alert. “Malicious cyber actors are looking for ways to exploit telework software vulnerabilities in order to obtain sensitive information, eavesdrop on conference calls or virtual meetings, or conduct other malicious activities.”

Echoing the findings of Barracuda Networks, the FBI has warned about BEC scams following several complaints from businesses that cybercriminals are conducting BEC attacks requesting payments be made early due to COVID-19. These scams see new account details provided for payments and changes to regular communication methods. Attempts are also being made to change direct deposit information for employees to divert payroll.

Many businesses have been forced into buying new portable devices to allow their employees to work from home, including purchasing devices from overseas or secondhand devices. The FBI warns that these devices carry a risk of having malware pre-installed, which could easily be transferred to business networks when employees connect remotely.

The post 2019 Novel Coronavirus and COVID-19 Themed Attacks Dominate Threat Landscape appeared first on HIPAA Journal.

OCR Investigators Impersonated to Obtain PHI

While the majority of social engineering and phishing attacks take place via email, social engineering tactics are also used to convince people to part with sensitive information via other communication channels, including the telephone. One such campaign is now being conducted over the telephone to convince healthcare employees to divulge protected health information (PHI).

Healthcare workers at several hospitals have reported instances of individuals impersonating HHS’ Office for Civil Rights investigators and requesting the PHI of patients. The attacks prompted OCR to issue a warning to healthcare providers over the weekend.

An individual is placing calls to healthcare providers and posing as an OCR investigator in an attempt to get healthcare workers to provide PHI. The caller provides no information that can be used to verify the legitimacy of the call, and no OCR complaint transaction number is provided.

OCR has recommended healthcare providers and their business associates raise awareness of the scam with the workforce and to provide information on the correct course of action to take if such a call is received.

Healthcare employees should take steps to verify the identity of any caller requesting PHI. If a call is received from someone claiming to be an OCR investigator, healthcare employees should ask for their email address and ask for the request to be confirmed in writing via email from the OCR investigator’s hhs.gov email account. All OCR staff have an email address ending in @hhs.gov.

If an email is received, checks should be performed to confirm that the message has been sent from an official @hhs.gov email account and that the email address has not been spoofed.
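The checks described above can be applied to the copy of the message the receiving mail server delivered: the visible From: domain, and whether the server's own Authentication-Results header recorded SPF, DKIM and DMARC as passing for a domain aligned with that From: address. The following is an added example, not code from OCR, HHS or HIPAA Journal; the two messages and the sender addresses in them are constructed placeholders.

```python
"""Check whether a message claiming to come from an expected domain passes the
sender-authentication results recorded by the receiving mail server.

Added example, not OCR's or HIPAA Journal's code. The two messages below are
constructed for illustration; the addresses in them are placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr


def _domain(addr: str) -> str:
    """Return the lowercase domain part of an e-mail address, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def check_sender(raw_message: str, expected_domain: str) -> dict:
    """Return the checks a recipient can perform on its own copy of a message.

    Authentication-Results (RFC 8601) is added by the receiving server; the
    sender cannot forge it for a message that arrives through that server.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(msg.get("From", ""))
    return_path_domain = _domain(msg.get("Return-Path", ""))
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    m = re.search(r"header\.d=([\w.-]+)", auth)
    dkim_domain = m.group(1).lower() if m else ""
    return {
        "from_domain": from_domain,
        "from_matches_expected": from_domain == expected_domain.lower(),
        "return_path_aligned": return_path_domain == from_domain,
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "dmarc": results.get("dmarc", "none"),
        "dkim_aligned": dkim_domain == from_domain,
    }


def looks_legitimate(checks: dict) -> bool:
    """Accept only when From: is the expected domain and the receiving server
    recorded a DMARC pass backed by a DKIM signature for that same domain."""
    return (checks["from_matches_expected"] and checks["dmarc"] == "pass"
            and checks["dkim"] == "pass" and checks["dkim_aligned"])


# Constructed sample: a message that really came through the expected domain.
GENUINE = """\
Return-Path: <investigator@hhs.gov>
Authentication-Results: mx.example-hospital.org; spf=pass smtp.mailfrom=hhs.gov; dkim=pass header.d=hhs.gov; dmarc=pass header.from=hhs.gov
From: "OCR Investigator (placeholder)" <investigator@hhs.gov>
To: privacy-officer@example-hospital.org
Subject: Written confirmation of records request

Confirming the request made by telephone today.
"""

# Constructed sample: the From: line is spoofed; the server's DMARC check failed
# and the DKIM signature belongs to an unrelated relay.
SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example-hospital.org; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=pass header.d=mail-relay.example.net; dmarc=fail header.from=hhs.gov
From: "OCR Investigator" <investigator@hhs.gov>
To: privacy-officer@example-hospital.org
Subject: Urgent: send patient records

Please reply with the requested records.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        checks = check_sender(raw, "hhs.gov")
        print(label, looks_legitimate(checks), checks)
```

The spoofed message passes the naive test (its From: address does end in @hhs.gov), which is why the decision rests on the DMARC result and DKIM alignment rather than on the displayed address.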

OCR has requested any questions or concerns be directed to OCR via email – OCRMail@hhs.gov – and for any suspected cases of impersonation of OCR staff to be reported to the Federal Bureau of Investigation.

The post OCR Investigators Impersonated to Obtain PHI appeared first on HIPAA Journal.

Zoom Security Problems Raise Concern About Suitability for Medical Use

Teleconferencing platforms such as Zoom have proven popular with businesses and consumers for maintaining contact while working from home during the COVID-19 crisis, but a slew of Zoom security problems have been identified in the past few days that have raised concerns about the suitability of the platform for medical use.

Zoom Security Problems Uncovered by Researchers

Several Zoom security problems and privacy issues have been discovered in the past few days. The macOS installer was discovered to use malware-like methods to install the Zoom client without final confirmation being provided by users. This method could potentially be hijacked and could serve as a backdoor for malware delivery.

Two zero-day vulnerabilities were identified in the macOS client version of Zoom’s teleconferencing platform, which would allow a local user to escalate privileges and gain root privileges, even without an administrator password, and gain access to the webcam and microphone and intercept and record Zoom meetings.

A feature of the platform that is intended to make it easier for business users to find other individuals within the company was discovered to be leaking users’ email addresses, profile photos, and statuses. The Company Directory feature adds other people to a user’s contact list if their email address is on the same domain. Several consumers reported that strangers had been added to their contact lists when they signed up with a personal email address.

There have also been many reported cases of Zoom-bombing, which is where uninvited individuals join meetings using brute force tactics to guess meeting IDs. The FBI recently published a warning following a rise in hijacking attacks. There have been cases of people hacking Zoom meetings, abusing participants, and using the screen sharing feature to display pornography.

There have also been revelations that Zoom has been sharing background data on users with Facebook via the Facebook SDK, even when users do not have Facebook accounts.

Zoom Platform Does Not Offer End-to-End Encryption

A report published in The Intercept revealed the end-to-end encryption that Zoom claims to implement does not extend to video meetings. When The Intercept contacted Zoom for comment, a spokesperson for the company explained that “Currently, it is not possible to enable E2E encryption for Zoom video meetings.” Instead, “Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

The method of encrypting data is similar to that used to secure communications between a web browser and an HTTPS website. This “transport encryption” protects data in transit from one client to the other and means that communications between meeting participants is encrypted, but Zoom has access to unencrypted audio and video content.

Zoom explained to The Intercept that while unencrypted users’ data can be accessed, “Zoom has layered safeguards in place to protect our users’ privacy, which includes preventing anyone, including Zoom employees, from directly accessing any data that users share during meetings, including—but not limited to—the video, audio and chat content of those meetings. Importantly, Zoom does not mine user data or sell user data of any kind to anyone.”
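The difference between the transport encryption the article describes and true end-to-end encryption comes down to who holds the content key. The script below models that difference with a sender, a relay service and a recipient; it is an added example, not Zoom's code or protocol, and its cipher is a demonstration stream cipher built from HMAC-SHA256 in counter mode (no authentication tag) so that it runs on the Python standard library in place of the AES/TLS a real service uses.

```python
"""Transport encryption versus end-to-end encryption through a relay.

Added example, not Zoom's code or protocol. The cipher is a demonstration
construction (HMAC-SHA256 keystream, no MAC) standing in for TLS/AES; it is
for illustrating key ownership only, not for protecting real traffic.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demo keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


class Relay:
    """The service in the middle. Records whatever it is able to see."""

    def __init__(self):
        self.observed = []

    def forward_transport(self, key_in: bytes, key_out: bytes, ciphertext: bytes) -> bytes:
        # Transport encryption: each hop is encrypted with a key the relay
        # holds, so the relay decrypts, has the media in the clear, and
        # re-encrypts it for the next hop.
        plaintext = decrypt(key_in, ciphertext)
        self.observed.append(plaintext)
        return encrypt(key_out, plaintext)

    def forward_e2e(self, ciphertext: bytes) -> bytes:
        # End-to-end: the relay holds no content key and passes the
        # ciphertext through unchanged; all it can record is unreadable bytes.
        self.observed.append(ciphertext)
        return ciphertext


def run_transport_mode(message: bytes):
    """Return (what B received, what the relay observed) under transport-only encryption."""
    k_a_relay, k_relay_b = secrets.token_bytes(32), secrets.token_bytes(32)
    relay = Relay()
    hop1 = encrypt(k_a_relay, message)
    hop2 = relay.forward_transport(k_a_relay, k_relay_b, hop1)
    return decrypt(k_relay_b, hop2), relay.observed[0]


def run_e2e_mode(message: bytes):
    """Return (what B received, what the relay observed) under end-to-end encryption."""
    k_ab = secrets.token_bytes(32)  # negotiated between A and B only; the relay never sees it
    relay = Relay()
    delivered = relay.forward_e2e(encrypt(k_ab, message))
    return decrypt(k_ab, delivered), relay.observed[0]


if __name__ == "__main__":
    frame = b"patient consult audio frame (constructed sample)"
    for name, run in (("transport", run_transport_mode), ("end-to-end", run_e2e_mode)):
        received, seen = run(frame)
        print(f"{name}: delivered intact={received == frame}, relay saw plaintext={seen == frame}")
```

In both modes the recipient gets the frame intact; only in the transport-only mode does the relay's record contain the plaintext, which is the property the Intercept report is describing.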

Answers Sought About Recently Disclosed Zoom Security Problems

Sen. Richard Blumenthal (D-Conn) has written to Zoom CEO and founder Eric S. Yuan seeking answers about the company’s response to the massive increase in users, the growing list of Zoom security problems, and Zoom’s handling of personal user data.

In December 2019, there were around 10 million Zoom meeting participants every day. In March 2020, the number had expanded to an astonishing 200 million a day. The company has been working to continue to provide support for users to ensure there is an uninterrupted service, but the massive increase in consumers using a platform that was designed for business users has been a challenge.

“Zoom is increasingly being used by schools and healthcare providers that have shut down or limited their operations to stop the spread of Coronavirus, raising questions about how its services comply with federal and state privacy laws protecting students, patients, and consumers,” wrote Sen. Blumenthal in the letter.

Sen. Blumenthal also expressed concern about Zoom’s “troubling history of software design practices and security lapses,” referencing the slow response to the vulnerability in the Mac client, which was not fully addressed and took months before it was finally resolved, and then only due to the intervention of Apple.

Sen. Blumenthal seeks answers about the steps being taken to detect and stop Zoom-bombing, the level of encryption used to protect users’ privacy, and the data that is collected, used, and shared with third parties such as Facebook.

New York Attorney General Letitia James is also concerned about the recent Zoom security problems and the company’s response to the massive increase in users. In the letter, Attorney General James expressed concern that the existing security practices at Zoom may no longer be sufficient given the sudden surge in the number of users and the sensitivity of data that is now passing through the platform. She also wants to know whether a broader review of Zoom security practices has been undertaken considering the massive increase in popularity.

CEO Responds to Criticism of Zoom Security Problems

In an April 1, 2020 blog post, Zoom CEO Eric S. Yuan explained that the company is experiencing some growing pains as a result of the massive rise in popularity of the platform this year. In response to criticism of Zoom security problems, Yuan said, “we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”

The massive rise in popularity of the platform was not anticipated, nor was having a quarter of the world’s population in lockdown and working and socializing from home. “We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” said Yuan.

It should be noted that all software solutions have vulnerabilities and some of the recently disclosed Zoom vulnerabilities have been made public without giving Zoom much time to respond and fix the issues. Zoom has responded quickly and addressed some of the issues that have come to light in recent days, although several privacy and security issues remain.

Zoom has publicly committed to fix privacy and security issues and proactively assess the platform for other vulnerabilities. Over the next 90 days, Zoom will cease all regular development work and will shift all engineering resources to focus on the biggest trust, safety, and privacy issues. The bug bounty program is being enhanced and penetration tests are being conducted to assess the security of the platform.

Use of Zoom for Healthcare Communications

Enterprise-class communication solutions require enterprise-grade privacy and security protections. This is especially important in healthcare to ensure HIPAA compliance. Zoom offers an enterprise package for healthcare organizations – Zoom for Healthcare – which has been developed to incorporate the necessary safeguards to comply with the HIPAA Privacy and Security Rules; however, the latest security vulnerabilities and privacy issues cast doubt on the level of protection provided.

During the COVID-19 public health emergency, the HHS’ Office for Civil Rights has stated it will be exercising enforcement discretion and will not impose sanctions or penalties for the good faith provision of telehealth services and that applications that may not satisfy all requirements of HIPAA Rules can be used. While there is nothing to suggest OCR would make an exception for Zoom – it is not a public-facing platform – healthcare providers should exercise caution.

There are other teleconferencing solutions available for use by healthcare organizations for the provision of telehealth services, many of which do offer true end-to-end encryption and do not have the security issues that have been uncovered in Zoom. Many of those solutions are also available free of charge, and even the HIPAA-compliant secure messaging platform provider, TigerConnect, has made its platform available to healthcare organizations free of charge following the declaration of the COVID-19 public health emergency.

Since more secure videoconferencing and communications platforms are available, it is strongly advisable to use an alternative solution for telehealth and other healthcare communication during the COVID-19 crisis, and certainly until Zoom addresses its privacy and security issues and completes its platform review.

The post Zoom Security Problems Raise Concern About Suitability for Medical Use appeared first on HIPAA Journal.

Microsoft Helps Healthcare Organizations Protect Against Human-Operated Ransomware Attacks

The COVID-19 pandemic is forcing many employees to work from home and the infrastructure used to support those workers is being targeted by human-operated ransomware gangs. While several ransomware operators have stated they will not attack healthcare organizations during the COVID-19 public health emergency, not all cybercrime gangs are taking it easy on the healthcare sector and attacks are continuing.

Several cybercrime groups are using the COVID-19 pandemic to their advantage. Tactics, techniques and procedures (TTPs) have been changed in response to the pandemic and they are now using social engineering tactics that prey on fears about COVID-19 and the need for information to gain access to credentials to gain a foothold in healthcare networks.

Ransomware attacks on hospitals can cause massive disruption at the best of times. Ransomware attacks that occur while hospitals are trying to respond to the pandemic will severely hamper their efforts to treat COVID-19 patients. Microsoft has committed to help protect critical services during the COVID-19 crisis and has recently offered advice to healthcare organizations to help them defend against human-operated ransomware attacks.

Microsoft has been tracking the activity of ransomware gangs and information obtained from its extensive network of threat intelligence sources shows some human-operated ransomware gangs are exploiting vulnerabilities in the gateway devices and virtual private network (VPN) appliances that allow remote workers to login to their networks.

One of the most prolific human-operated ransomware gangs, REvil (Sodinokibi), has been exploiting vulnerabilities in gateways and VPN appliances for some time. Vulnerabilities are exploited to steal credentials, privileges are then escalated, and the attackers move laterally to compromise as many devices as possible before deploying ransomware and other malware payloads.

Microsoft says these attackers are highly skilled, have extensive knowledge of systems administration, and are aware of the common network security misconfigurations that can be exploited. The threat actors adapt their techniques based on the security weaknesses and vulnerable services they discover during reconnaissance of healthcare networks and often spend several weeks or months in networks before ransomware is deployed.

Microsoft reports that the REvil gang has been scanning the internet to identify vulnerable systems and is taking advantage of the increase in use of VPNs and gateways to support remote workers during the COVID-19 pandemic. The vulnerabilities that are being exploited are often fairly low on the list of priorities to fix and therefore remain unaddressed for relatively long periods.

During the course of its investigations and through its threat intelligence sources, Microsoft identified several hospitals that have vulnerable gateways and VPN appliances within their infrastructure. The vulnerabilities identified are exactly the same as those exploited by the REvil gang. Microsoft has notified those hospitals directly to advise them about the flaws and has strongly recommended they perform immediate updates to prevent exploitation of the vulnerabilities.

Microsoft explained that managing VPNs and virtual private server (VPS) infrastructure requires knowledge of the current status of related security patches. The company has recommended all organizations that have VPN and VPS infrastructure should conduct a thorough review and identify any updates that are available and apply those updates as soon as possible.

For several months, nation-state and cybercrime actors have been targeting unpatched VPN systems and are tailoring exploits to take advantage of remote workers, often leveraging the updater services used by VPN clients to deploy malware payloads.

Organizations unsure about how best to secure their VPNs and VPS infrastructure can obtain further information from the National Institute of Standards and Technology (NIST) and the DHS Cybersecurity and Infrastructure Security Agency (CISA), both of which have recently published guidance on how to secure VPN/VPS infrastructure.

The post Microsoft Helps Healthcare Organizations Protect Against Human-Operated Ransomware Attacks appeared first on HIPAA Journal.

Hackers Target WHO, HHS, and COVID-19 Research Firm

The World Health Organization (WHO) and its partners have been targeted by a sophisticated group of hackers who attempted to steal login credentials to gain access to its network by impersonating WHO’s internal email system. Spear phishing emails were sent to several WHO staffers that included links to a malicious website hosting a phishing kit.

The attack was detected on March 13 by cybersecurity expert, Alexander Urbelis, an attorney with New York-based Blackstone Law Group. The malicious website used to host the fake WHO login page had previously been used in other attacks on WHO employees.

It is unclear who was responsible for the campaign, but it is believed to be a South Korea-based threat group called DarkHotel. The aims of the attackers are not known, although Urbelis says the highly targeted nature of the attack suggests the attackers were looking for specific credentials. DarkHotel has previously conducted several attacks in East Asia for espionage purposes. It is possible that the hackers were trying to gain access to information about possible treatments, potential cures, or vaccines for COVID-19.

The story was first reported by Reuters, which contacted WHO CISO, Flavio Aggio for further information. Aggio said the campaign was not successful and no data was harvested by the attackers. Aggio confirmed that there has been a large increase in incidents targeting WHO in recent weeks. WHO has been impersonated in several phishing campaigns that attempt to steal credentials and spread malware. According to Aggio, attacks targeting and impersonating WHO have more than doubled during the coronavirus pandemic.

Phishers Abuse Open Redirect on HHS Website to Deliver Raccoon Information Stealer

Phishers have been discovered to be abusing an open redirect on the HHS.gov website to send individuals to a phishing webpage.

Open redirects are used on websites to redirect visitors to other webpages. Open redirects can be used by anyone and are often abused by cybercriminals in phishing campaigns. URLs start with the official website of the site hosting the open redirect, so individuals checking the link may be fooled into thinking they are navigating to a legitimate website. They will be initially, but the final destination is a phishing webpage.
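The pattern described above, with the vulnerable handler beside a hardened one and a link-inspection helper for the recipient's side, as an added example; this is not code from HHS.gov, the phishing kit, or HIPAA Journal, and the host names, the `/redirect` path and the `url` parameter are constructed placeholders.

```python
"""Open redirect: the vulnerable pattern, a hardened version, and a check a
reviewer can run on a suspicious link.

Added example, not code from HHS.gov or the campaign described above. Host
names, the /redirect path and the 'url' parameter name are placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlparse

OUR_HOST = "contracts.example-agency.gov"  # placeholder for the site's own host


def build_link(target: str) -> str:
    """Build a link of the shape a phisher would send: our trusted host up
    front, the real destination hidden in the query string."""
    return f"https://{OUR_HOST}/redirect?" + urlencode({"url": target})


def vulnerable_redirect_target(request_url: str) -> str:
    """Vulnerable: sends the visitor wherever the 'url' parameter says, so a
    link that starts with the agency's own domain can land on any page."""
    return parse_qs(urlparse(request_url).query).get("url", ["/"])[0]


def safe_redirect_target(request_url: str, allowed_hosts=frozenset({OUR_HOST})) -> str:
    """Hardened: follow the parameter only when it is a relative path on this
    site or an http(s) URL on an allow-listed host; otherwise go home."""
    target = parse_qs(urlparse(request_url).query).get("url", ["/"])[0]
    parsed = urlparse(target)
    if parsed.scheme:
        # Absolute URL: must be http(s) (not javascript: etc.) on a host we own.
        if parsed.scheme in ("http", "https") and parsed.netloc.lower() in allowed_hosts:
            return target
        return "/"
    if parsed.netloc:
        # Scheme-relative URL ("//other.example/..."): never follow.
        return "/"
    # Relative path: a single leading slash and no backslash, which some
    # browsers normalise to a forward slash.
    if target.startswith("/") and not target.startswith("//") and "\\" not in target:
        return target
    return "/"


def redirect_destination_host(link: str) -> str:
    """For a link in an e-mail, report the host the 'url' parameter would send
    the reader to, rather than the trusted-looking host at the front."""
    target = parse_qs(urlparse(link).query).get("url", [""])[0]
    return urlparse(target).netloc.lower()


if __name__ == "__main__":
    phish = build_link("https://symptom-checker.example-bad.net/login")  # constructed
    print("link as seen in mail :", phish)
    print("vulnerable handler   :", vulnerable_redirect_target(phish))
    print("hardened handler     :", safe_redirect_target(phish))
    print("real destination host:", redirect_destination_host(phish))
```

The hardened version still supports the legitimate use (sending a visitor to another page on the same site) while refusing absolute, scheme-relative and non-http destinations; the last helper is the check a mail reviewer applies to a link before trusting the domain at its start.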

The email used a COVID-19 lure and provided information about the coronavirus and included a link with the text “Find and research your medical symptoms.”

The open redirect was discovered by security analyst @SecSome on a subdomain of the Departmental Contracts Information System. It was used to link to a malicious attachment that included an LNK file that unpacks a VBS script that downloads the Raccoon information stealer. The Raccoon information stealer is capable of stealing credentials and sensitive data from around 60 different applications.

Maze Ransomware Gang Attacks UK COVID-19 Research Firm

The Maze ransomware gang has attacked the UK vaccine research firm Hammersmith Medicines Research (HMR) and succeeded in encrypting files and stealing sensitive data. HMR has previously developed a vaccine for Ebola and performs early clinical trials. The company is also reportedly working on a vaccine for the 2019 Novel Coronavirus.

The ransomware attack occurred on March 14, 2020, prior to the press release from the Maze ransomware gang stating they would not be attacking healthcare organizations during the COVID-19 crisis. HMR detected the attack quickly and managed to block the attack, avoid downtime, and restore data the same day without having to pay the ransom. As is typical of the gang, when the ransom is not paid, sensitive data is published online to pressure victims into paying the ransom.

The published information has since been taken down but included sensitive information about past patients and employees. According to HMR, the data related to around 2,300 patients and was between 8 and 20 years old. It included passport copies, national insurance numbers, driver’s license copies, and sensitive personal and medical information. HMR said it has no intention of paying the ransom and does not have the money available to do so. The Maze gang has since taken the data offline.

The post Hackers Target WHO, HHS, and COVID-19 Research Firm appeared first on HIPAA Journal.

Cybersecurity Best Practices for Protecting Remote Employees During the COVID-19 Crisis

The COVID-19 crisis has meant many individuals have had to self-quarantine or self-isolate, and organizations are under increasing pressure to let their employees work from home whenever possible. While these measures are necessary to keep people safe and avoid infection, having so many employees working remotely increases cyber risk. When people work from home and connect to work networks remotely using portable electronic devices, the attack surface grows considerably and new vulnerabilities are introduced that can be exploited by attackers. With attacks targeting remote workers increasing, it is important to ensure that cybersecurity best practices for protecting remote employees are adopted to reduce risk.

Phishing Campaigns Targeting Remote Workers

Cybercriminals are already exploiting the coronavirus pandemic and are using COVID-19 and coronavirus-themed lures in phishing and social engineering attacks to steal credentials and spread malware. The first major coronavirus-themed phishing and malware distribution campaigns were detected in early January and the volume of malicious messages has grown substantially in the following weeks. Phishing attacks are likely to continue to rise as cybercriminals try to steal remote access credentials, as are weaponized email attacks that spread malware.

Campaigns have also recently been detected targeting remote workers. One such campaign alerts remote employees to positive COVID-19 tests in their organization. The messages impersonate their employer and claim to contain details of emergency protocols that have been implemented, which remote workers are told they must open, read and print out. Opening the attachments and enabling content will see malware downloaded. Security researchers have also detected an increase in domains being used for drive-by malware attacks.

VPN Vulnerabilities Being Exploited

Last year, several critical vulnerabilities were identified in the Virtual Private Network (VPN) solutions that are used by remote workers to securely connect to their work networks. Pulse Connect Secure and Pulse Policy Secure gateways and FortiGuard solutions were discovered to have vulnerabilities, and while patches were released to correct the flaws, many organizations failed to apply the patches since the solutions were in use 24/7. APT groups took advantage and exploited the vulnerabilities to gain access to organizations’ networks. Now with so many workers using VPNs and working from home, attacks are increasing again.

Many organizations are now using teleconferencing solutions, VPN services, and other remote access tools for the first time, and have had to deploy the solutions rapidly. Web and email services that were only accessed internally have now had to be reconfigured to ensure external access is possible. For the first time those internal services have been exposed to the internet. The speed at which the changes have been made to accommodate telecommuting workers has meant organizations have not had time to test thoroughly and ensure security is buttoned down.

Cybersecurity Best Practices for Protecting Remote Employees

With attacks increasing it is important to adopt cybersecurity best practices for protecting remote employees against phishing attacks and malware infections.

Organizations must ensure that the latest versions of VPNs are used and patches are applied promptly. On March 13, the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued another warning about patching and updating VPNs for remote workers to make sure vulnerabilities are addressed. Organizations were also urged to implement multifactor authentication for all VPNs to further enhance security.

The COVID-19 crisis is likely to last for several months, during which time many updates will need to be performed on software and operating systems. Scanning devices and ensuring patches are applied becomes more complicated with remote workers. Because it is difficult to maintain a persistent and routable connection to users’ devices when working remotely, the cloud should be considered for managing cybersecurity rather than in-house corporate cybersecurity solutions.

Ensure multifactor authentication is implemented for all applications accessed remotely by employees. An increase in phishing attacks targeting remote workers means it is more likely that credentials will be compromised. Multifactor authentication will help to ensure stolen credentials cannot be used to access company resources.

It is essential for home workers to have effective security solutions on their devices. IT teams can ensure solutions are deployed on corporate-issued devices, but email security, web security, and anti-virus solutions must also be deployed on employee-owned devices that are allowed to connect to the network.

Implement a zero-trust architecture on the network for remote workers and apply the principle of least privilege. Make sure remote workers only have access to the resources they need to perform their work duties and restrict privileges as far as is possible. If credentials are compromised, this will limit the harm that can be caused.

IT departments are now seeing large numbers of new devices remotely connecting to their networks, some of which will not have connected to the network before. That makes it much harder to identify attackers and easier for them to hide their connections from the security team. Monitoring must therefore be stepped up to identify malicious and suspicious behavior to identify cyberattacks in progress.

You must ensure you have sufficient licenses for software and SaaS applications to cope with the increase in remote workers. Sufficient bandwidth must be made available to cope with the increase in remote traffic. Calculate how much bandwidth you will need, then double it.

It is important not to underestimate the importance of training. A large percentage of cyberattacks occur as a result of user error. Refresher training is important for all remote workers to remind them about the risks of phishing and spoofing. With phishing attacks on remote workers soaring, training and phishing simulations are more important than ever.

Some workers may be using laptops to connect to work networks for the first time. It is essential for them to be trained on how to use new applications and security solutions. Unfamiliarity increases the potential for errors.

Remote employees should also be reminded of basic IT security practices that must be adopted when working from home. Remote workers must also be reminded about the procedures for reporting threats and potential compromises, and what to do if they think they have fallen for a scam.
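Three of the practices above (multifactor authentication on every remote login, knowing which devices are connecting, and stepping up monitoring for suspicious behavior) can be checked against the remote-access gateway's authentication log. The script below is an added example, not code from CISA, NIST or HIPAA Journal; the log format, field names, device identifiers and addresses are constructed for illustration, and a real VPN concentrator's log lines will differ.

```python
"""Triage of remote-access authentication logs for three remote-work checks:
successful logins without MFA, logins from devices not on the enrolled
list, and repeated failures from one source.

Added example, not code from CISA, NIST or HIPAA Journal. The log format,
users, devices and addresses are constructed for illustration.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
    r"device=(?P<device>\S+) mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)

# Constructed sample: routine logins plus three events worth a second look.
SAMPLE_LOG = """\
2020-04-01T08:01:10Z vpn user=alice src=203.0.113.10 device=LT-ALICE-01 mfa=yes result=success
2020-04-01T08:03:42Z vpn user=bob src=198.51.100.7 device=LT-BOB-01 mfa=yes result=success
2020-04-01T08:05:00Z vpn user=carol src=203.0.113.55 device=LT-CAROL-01 mfa=no result=success
2020-04-01T09:10:00Z vpn user=alice src=192.0.2.99 device=UNKNOWN-7F3A mfa=yes result=success
2020-04-01T09:11:01Z vpn user=dave src=192.0.2.200 device=LT-DAVE-01 mfa=yes result=failure
2020-04-01T09:11:05Z vpn user=dave src=192.0.2.200 device=LT-DAVE-01 mfa=yes result=failure
2020-04-01T09:11:09Z vpn user=dave src=192.0.2.200 device=LT-DAVE-01 mfa=yes result=failure
2020-04-01T09:11:14Z vpn user=dave src=192.0.2.200 device=LT-DAVE-01 mfa=yes result=failure
2020-04-01T09:11:20Z vpn user=dave src=192.0.2.200 device=LT-DAVE-01 mfa=yes result=failure
2020-04-01T09:11:25Z vpn user=dave src=192.0.2.200 device=LT-DAVE-01 mfa=yes result=failure
"""

# Devices IT has issued or previously enrolled for each user (constructed).
KNOWN_DEVICES = {
    "alice": {"LT-ALICE-01"},
    "bob": {"LT-BOB-01"},
    "carol": {"LT-CAROL-01"},
    "dave": {"LT-DAVE-01"},
}


def parse_log(text: str) -> list:
    """Parse lines matching LOG_RE into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage(events: list, known_devices: dict, failure_threshold: int = 5) -> list:
    """Return (rule, user, detail) alerts for the three checks."""
    alerts = []
    failures = Counter()
    for ev in events:
        if ev["result"] == "success" and ev["mfa"] == "no":
            # A successful login that bypassed MFA: the control is not enforced.
            alerts.append(("no_mfa", ev["user"], ev["src"]))
        if ev["result"] == "success" and ev["device"] not in known_devices.get(ev["user"], set()):
            # A device the organisation has never enrolled for this user.
            alerts.append(("new_device", ev["user"], ev["device"]))
        if ev["result"] == "failure":
            failures[(ev["user"], ev["src"])] += 1
    for (user, src), n in failures.items():
        if n >= failure_threshold:
            # Repeated failures from one source against one account.
            alerts.append(("password_guessing", user, f"{n} failures from {src}"))
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_log(SAMPLE_LOG), KNOWN_DEVICES):
        print(*alert)
```

Each alert maps to one of the practices in the list: a `no_mfa` hit means MFA is not yet enforced for that path, a `new_device` hit is the unfamiliar endpoint the monitoring paragraph warns about, and `password_guessing` is the credential attack MFA is meant to blunt.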

The post Cybersecurity Best Practices for Protecting Remote Employees During the COVID-19 Crisis appeared first on HIPAA Journal.

February 2020 Healthcare Data Breach Report

There were 39 reported healthcare data breaches of 500 or more records in February and 1,531,855 records were breached, which represents a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. More records were breached in February than in the past three months combined. In February, the average breach size was 39,278 records and the median breach size was 3,335 records.

Largest Healthcare Data Breaches in February 2020

The largest healthcare data breach was reported by the health plan, Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office break-in.

The second largest breach was a ransomware attack on the accounting firm BST & Co. CPAs which saw client records encrypted, including those of the New York medical group, Community Care Physicians. Aside from the network server breach at SOLO Laboratories, the cause of which has not been determined, the remaining 7 breaches in the top 10 were all email security incidents.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI |
|---|---|---|---|---|
| Health Share of Oregon | Health Plan | 654,362 | Theft | Laptop |
| BST & Co. CPAs, LLP | Business Associate | 170,000 | Hacking/IT Incident | Network Server |
| Aveanna Healthcare | Healthcare Provider | 166,077 | Hacking/IT Incident | Email |
| Overlake Medical Center & Clinics | Healthcare Provider | 109,000 | Hacking/IT Incident | Email |
| Tennessee Orthopaedic Alliance | Healthcare Provider | 81,146 | Hacking/IT Incident | Email |
| Munson Healthcare | Healthcare Provider | 75,202 | Hacking/IT Incident | Email |
| NCH Healthcare System, Inc. | Healthcare Provider | 63,581 | Hacking/IT Incident | Email |
| SOLO Laboratories, Inc. | Business Associate | 60,000 | Hacking/IT Incident | Network Server |
| JDC Healthcare Management | Healthcare Provider | 45,748 | Hacking/IT Incident | Email |
| Ozark Orthopaedics, PA | Healthcare Provider | 15,240 | Hacking/IT Incident | Email |

Causes of February Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports, accounting for two-thirds (66.67%) of all breaches reported in February and 54.78% of breached records (839,226 records). The average breach size was 32,277 records and the median breach size was 4,126 records. 80.76% of those incidents involved hacked email accounts.

There were 6 unauthorized access/disclosure incidents, four of which involved paper/films, one was an email incident and one involved a portable electronic device. 15,826 records were impermissibly disclosed in those incidents. The average breach size was 3,126 records and the median breach size was 2,548 records.

While there were only three theft incidents reported, they accounted for 42.78% of breached records. The average breach size was 327,696 records and the median breach size was 530 records.

There were two incidents involving lost paperwork containing the PHI of 5,904 patients and two improper disposal incidents involving paper files containing the PHI of 15,507 patients.

Location of Breached Protected Health Information

As the bar chart below shows, the biggest problem area for healthcare organizations is protecting email accounts. All but one of the email incidents were hacking incidents that occurred as a result of employees responding to phishing emails. The high total demonstrates how important it is to implement a powerful email security solution and to provide regular training to employees to teach them how to recognize phishing emails.

Breaches by Covered Entity Type

26 data breaches were reported by HIPAA-covered entities in February. The average breach size was 23,589 records and the median breach size was 3,229 records. Data breaches were reported by 8 health plans, with an average breach size of 83,490 records and a median breach size of 2,468 records.

There were 5 data breaches reported by business associates and a further 5 breaches that were reported by the covered entity but had some business associate involvement. The average breach size was 50,124 records and the median breach size was 15,010 records.

Healthcare Data Breaches by State

The data breaches reported in February were spread across 24 states. Texas was the worst affected with 4 breaches. Three data breaches were reported in Arkansas, California, and Florida. There were two reported breaches in each of Georgia, Indiana, Michigan, North Carolina, Virginia, and Washington. One breach was reported in each of Arizona, Hawaii, Illinois, Iowa, Maine, Massachusetts, Minnesota, Missouri, New Mexico, New York, Oregon, Pennsylvania, Tennessee, and Wisconsin.

HIPAA Enforcement Activity in February 2020

There was one HIPAA enforcement action reported in February. The HHS’ Office for Civil Rights announced that Steven A. Porter, M.D. had agreed to pay a financial penalty of $100,000 to resolve a HIPAA violation case. The violations came to light during an investigation of a reported breach involving the practice’s medical records company, which Dr. Porter claimed was impermissibly using patient medical records by preventing access until payment of $50,000 was received.

OCR found that Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI. The practice had also not reduced risks to a reasonable and appropriate level, and policies and procedures to prevent, detect, contain, and correct security violations had not been implemented.

The post February 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic

There have been several reported cases of cyberattacks on healthcare organizations that are currently working round the clock to ensure patients with COVID-19 receive the medical care they need. These attacks cause major disruption at the best of times, but during the COVID-19 outbreak the attacks have the potential to cause even greater harm and place patient safety at risk.

Many phishing campaigns have been detected using COVID-19 as a lure, fear about the 2019 Novel coronavirus is being exploited to deliver malware, and more than 2,000 coronavirus and COVID-19-themed domains have been registered, many of which are expected to be used for malicious purposes.

One of the largest testing laboratories in the Czech Republic, Brno University Hospital, experienced a cyberattack forcing the shutdown of its computer systems. The attack also affected its Children’s Hospital and Maternity hospital and patients had to be re-routed to other medical facilities.

Cyberattacks have also been experienced in the United States, with the Champaign-Urbana Public Health District of Illinois suffering a ransomware attack that affected its website, a source of important information for people about the coronavirus pandemic. A DDoS attack was also conducted on the U.S. Department of Health and Human Services.

Some Threat Groups are Stopping Ransomware Attacks on Healthcare Organizations

While the cyberattacks are continuing, it would appear that at least some threat actors have taken the decision not to attack healthcare and medical organizations currently battling to treat patients and deal with the COVID-19 outbreak.

BleepingComputer reached out to several ransomware gangs that have previously conducted attacks on healthcare organizations to find out if they plan on continuing to conduct attacks during the COVID-19 outbreak.

The threat group behind DoppelPaymer ransomware confirmed they do not tend to conduct attacks on hospitals and nursing homes but said if an error is made and a healthcare organization does have files encrypted, they will be decrypted free of charge. That offer has not been extended to pharmaceutical companies. The Maze ransomware gang has similarly stated that all activity against medical organizations will be stopped until the “stabilization of the situation with the virus.”

Cybersecurity Firms Offer Free Ransomware Assistance During Coronavirus Pandemic

Several cybersecurity firms have announced they are offering free support to healthcare providers that experience ransomware attacks during the coronavirus pandemic, including Emsisoft and Awake Security.

Emsisoft helps ransomware victims recover their files when the decryptors provided by the attackers fail. Coveware is an incident response company that helps ransomware victims negotiate with hackers if the decision is taken to pay the ransom. The two firms will be partnering to help hospitals and other healthcare providers recover if they experience a ransomware attack. The services being provided free of charge include a technical analysis of a ransomware attack, the development of a decryption tool, if possible, and negotiation, transaction handling, and recovery assistance. Emsisoft will also develop a custom decryption tool to replace the one provided by the attackers, which will have a greater chance of success and will lower the probability of file loss.

Awake Security has announced that hospitals and other healthcare providers responding to the coronavirus pandemic will be provided with free access to its security platform for 60 days, with the possibility of an extension.

“As more IT and security workers have to operate remotely, we feel strongly that it is our moral duty to ensure the security of the infrastructure they protect,” said Rahul Kashyap, CEO, Awake Security. “We are glad to see many in the security industry step up to tackle this global crisis, and we hope others will join us in the #FightCOVID19 pledge.”

The platform monitors networks and detects threats from non-traditional computing devices, remote users logging in via VPNs, and the core and perimeter networks. The offer also includes free access to its Managed Detection and Response solution, which provides ongoing threat monitoring, proactive intelligence-driven threat hunting, and access to Awake Security support services.

Akamai is providing 60 days of free access to its Business Continuity Assistance Program, 1Password has removed its 30-day free trial limit for business accounts, SentinelOne is offering free endpoint protection and endpoint detection until May 16, 2020, and Cyber Risk Aware is providing free COVID-19 phishing tests for businesses to help them prepare the workforce for coronavirus-themed phishing attacks. To support COVID-19-related healthcare communications, TigerConnect has made its secure healthcare communications platform available free of charge in the United States.

The post Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic appeared first on HIPAA Journal.

Vulnerabilities Identified in Insulet Omnipod and Systech NDS-5000 Terminal Server

Advisories have been issued about recently discovered vulnerabilities in the Insulet Omnipod Insulin Management System and the Systech NDS-5000 Terminal Server.

Improper Access Control Identified in Insulet Omnipod Insulin Management System

ThirdwayV Inc. has discovered a high severity flaw in the Omnipod Insulin Management System which could allow an attacker with access to a vulnerable insulin pump to access the Pod and intercept and modify data, change insulin pump settings, and control insulin delivery.

The vulnerable insulin pumps communicate with an Insulet-manufactured Personal Diabetes Manager device using wireless RF. The researchers discovered that the RF communication protocol does not implement authentication or authorization properly.

The following versions are affected:

  • Omnipod Insulin Management System Product ID/Reorder number: 19191 and 40160
  • UDI/Model/NDC number: ZXP425 (10-Pack) and ZXR425 (10-Pack Canada)

The vulnerability is tracked as CVE-2020-10597 and has been assigned a CVSS v3 base score of 7.3 out of 10. There have been no reported cases of exploitation of the vulnerability.

Patients should not connect any third-party devices or use unauthorized software and should be attentive to pump notifications, alarms and alerts. Patients should monitor their blood glucose levels carefully and any unintended boluses should be cancelled at once. Insulet recommends updating to the latest model of the insulin pump, which has greater cybersecurity protections.

Patients using one of the vulnerable products have been advised to contact Insulet Customer Care or their healthcare provider for further information on the risk posed by the vulnerability.

Cross-Site Scripting Vulnerability Found in Systech NDS-5000 Terminal Server

An NDS-5000 Terminal Server cross-site scripting vulnerability has been identified that could allow an attacker to perform privileged operations on behalf of the users, access sensitive data, limit system availability, and potentially remotely execute arbitrary code. The vulnerability can be exploited remotely and requires only a low level of skill to exploit.

The vulnerability is tracked as CVE-2020-7006 and has been assigned a CVSS v3 base score of 6.8 out of 10 (medium severity). The vulnerability affects the NDS-5000 Terminal Server, NDS/5008 (8 Port, RJ45), firmware version 02D.30, and has been corrected in firmware version 02F.6.

Users of the affected product should contact Systech Technical Support for further information on updating the firmware to prevent exploitation.

The vulnerability was identified by Murat Aydemir, Critical Infrastructure Penetration Test Specialist at Biznet Bilisim A.S.

The post Vulnerabilities Identified in Insulet Omnipod and Systech NDS-5000 Terminal Server appeared first on HIPAA Journal.