Healthcare Cybersecurity

CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all organizations in the United States to take immediate steps to prepare for attempted cyberattacks involving a new wiper malware that has been used in targeted attacks on government agencies, non-profits, and information technology organizations in Ukraine.

The malware – dubbed Whispergate – masquerades as ransomware and generates a ransom note when executed; however, the malware lacks the capabilities to allow files to be recovered. Whispergate consists of a Master Boot Record (MBR) wiper, a file corruption, and a Discord-based downloader. The MBR is the section of the hard drive that identifies how and where an operating system is located. Wiping the MBR will brick an infected device by making the hard drive inaccessible.

The Microsoft Threat Intelligence Center (MSTIC) has recently performed an analysis of the new malware. The first stage of the malware, typically called stage1.exe, wipes the MBR and prevents the operating system from loading. The malware is executed when an infected device is powered down and generates the ransom note. The second stage of the malware, stage2.exe, is a file corruptor that runs in the memory and corrupts files based on hardcoded file extensions to prevent the files from being recovered.

The attacks have so far been conducted on targets in Ukraine, but there is a risk of much broader attacks. Wiper malware such as this has been used to attack organizations in Ukraine in the past and in much broader attacks worldwide. In 2017, the NotPetya wiper was used to attack organizations in Ukraine and was delivered in a supply chain attack via legitimate tax software. NotPetya attacks were also conducted globally causing major damage to IT systems and significant data loss. NotPetya is believed to have been used by a Russian hacking group known as Voodoo Bear/Sandworm.

The current theory of the Ukrainian government is the attacks are being conducted by an Advanced Persistent Threat (APT) group known to have strong links with Belarus. There is a legitimate concern that similar attacks may occur in the United States using Whispergate, especially on critical infrastructure organizations and companies with links to Ukraine.

CISA has issued an Insights bulletin providing information on steps that can be taken to protect against the malware threat and reduce the likelihood of a damaging cyber intrusion. The bulletin also includes guidance on how to quickly detect and respond to a potential intrusion, and how to maximize resilience to a destructive cyber threat.

The post CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks appeared first on HIPAA Journal.

December 2021 Healthcare Data Breach Report

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, which is a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding last year’s total by 70 – An 10.9% increase from 2020.

2021 healthcare data breaches

Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed – a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021 – The second-highest total since OCR started publishing summaries of healthcare data breaches in 2009.

2021 healthcare data breaches - records breached

Largest Healthcare Data Breaches in December 2021

Name of Covered Entity State Covered Entity Type Individuals Affected Breach Cause
Oregon Anesthesiology Group, P.C. OR Healthcare Provider 750,500 Ransomware
Texas ENT Specialists TX Healthcare Provider 535,489 Ransomware
Monongalia Health System, Inc. WV Healthcare Provider 398,164 Business Email Compromise/Phishing
BioPlus Specialty Pharmacy Services, LLC FL Healthcare Provider 350,000 Hacked network server
Florida Digestive Health Specialists, LLP FL Healthcare Provider 212,509 Business Email Compromise/Phishing
Daniel J. Edelman Holdings, Inc. IL Health Plan 184,500 Business associate hacking/IT incident
Southern Orthopaedic Associates d/b/a Orthopaedic Institute of Western Kentucky KY Healthcare Provider 106,910 Compromised email account
Fertility Centers of Illinois, PLLC IL Healthcare Provider 79,943 Hacked network server
Bansley and Kiener, LLP IL Business Associate 50,119 Ransomware
Oregon Eye Specialists OR Healthcare Provider 42,612 Compromised email accounts
MedQuest Pharmacy, Inc. UT Healthcare Provider 39,447 Hacked network server
Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E. NY Health Plan 20,579 Phishing
Loyola University Medical Center IL Healthcare Provider 16,934 Compromised email account
Bansley and Kiener, LLP IL Business Associate 15,814 Ransomware
HOYA Optical Labs of America, Inc. TX Business Associate 14,099 Hacked network server
Wind River Family and Community Health Care WY Healthcare Provider 12,938 Compromised email account
Ciox Health GA Business Associate 12,493 Compromised email account
A New Leaf, Inc. AZ Healthcare Provider 10,438 Ransomware

Causes of December 2021 Healthcare Data Breaches

18 data breaches of 10,000 or more records were reported in December, with the largest two breaches – two ransomware attacks – resulting in the exposure and potential theft of a total of 1,285,989 records. Ransomware continues to pose a major threat to healthcare organizations. There have been several successful law enforcement takedowns of ransomware gangs in recent months, the most recent of which saw authorities in Russia arrest 14 members of the notorious REvil ransomware operation, but there are still several ransomware gangs targeting the healthcare sector including Mespinoza, which the HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning about this month due to the high risk of attacks.

Phishing attacks continue to result in the exposure of large amounts of healthcare data. In December, email accounts were breached that contained the ePHI of 807,984 individuals. The phishing attack on Monongalia Health System gave unauthorized individuals access to email accounts containing 398,164 records.

8 of the largest breaches of the month involved compromised email accounts, two of which were business email compromise attacks where accounts were accessed through a phishing campaign and then used to send requests for changes to bank account information for upcoming payments.

Causes of December 2021 healthcare data breaches

Throughout 2021, hacking and other IT incidents have dominated the breach reports and December was no different. 82.14% of the breaches reported in December were hacking/IT incidents, and those breaches accounted for 91.84% of the records breached in December – 2,711,080 records. The average breach size was 58,937 records and the median breach size was 4,563 records. The largest hacking incident resulted in the exposure of the protected health information of 750,050 individuals.

The number of unauthorized access and disclosure incidents has been much lower in 2021 than in previous years. In December there were only 5 reported unauthorized access/disclosure incidents involving 234,476 records. The average breach size was 46,895 records and the median breach size was 4,109 records.

There were two reported cases of the loss of paper/films containing the PHI of 3,081 individuals and two cases of theft of paper/films containing the PHI of 2,129 individuals. There was also one breach involving the improper disposal of a portable electronic device containing the ePHI of 934 patients.

As the chart below shows, the most common location of breached PHI was network servers, followed by email accounts.

Location of breached PHUI in December 2021 healthcare data breaches

HIPAA Regulated Entities Reporting Data Breaches in December 2021

Healthcare providers suffered the most data breaches in December, with 36 breaches reported. There were 11 breaches reported by health plans, and 9 breaches reported by business associates. Six breaches were reported by healthcare providers (3) and health plans (3) that occurred at business associates. The adjusted figures are shown in the pie chart below.

December 2021 healthcare data breaches by HIPAA-regulated entity type

December 2021 Healthcare Data Breaches by U.S. State

Illinois was the worst affected state with 11 data breaches, four of which were reported by the accountancy firm Bansley and Kiener and related to the same incident – A ransomware attack that occurred in December 2020. the firm is now facing a lawsuit over the incident and the late notification to affected individuals – 12 months after the attack was discovered.

State Number of Breaches
Illinois 11
Indiana 5
Florida, Oklahoma, and Texas 4
Arizona 3
California, Georgia, Kansas, Michigan, New York, Oregon, Utah, and Virginia 2
Alabama, Colorado, Kentucky, Maryland, North Carolina, Rhode Island, Wisconsin, West Virginia, and Wyoming 1

HIPAA Enforcement Activity in December 2021

There were no further HIPAA penalties imposed by the HHS’ Office for Civil Rights in December. The year closed with a total of 14 financial penalties paid to OCR to resolve violations of the HIPAA Rules. 13 of the cases were settled with OCR, and one civil monetary penalty was imposed. 12 of the OCR enforcement actions were for violations of the HIPAA Right of Access.

The New Jersey Attorney General imposed a $425,000 financial penalty on Regional Cancer Care Associates, which covered three separate Hackensack healthcare providers – Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC – that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland.

The New Jersey Attorney General and the New Jersey Division of Consumer Affairs investigated a breach of the email accounts of several employees between April and June 2019 involving the protected health information of 105,000 individuals and a subsequent breach when the breach notification letters were sent to affected individuals’ next of kin in error.

The companies were alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, failing to protect against reasonably anticipated threats to the security/integrity of patient data, a failure to implement security measures to reduce risks and vulnerabilities to an acceptable level, the failure to conduct an accurate and comprehensive risk assessment, and the lack of a security awareness and training program for all members of its workforce. The case was settled with no admission of liability. There were 4 HIPAA enforcement actions by state attorneys general in 2021. New Jersey was involved in 3 of those enforcement actions.

The post December 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack

Maryland Chief Information Security Officer (CISO) Chip Stewart has issued a statement confirming the disruption to services at the Maryland Department of Health (MDH) was the result of a ransomware attack.

A security breach was detected in the early hours of December 4, 2021, and prompt action was taken to isolate the affected server and contain the attack. Stewart said the Department of Information Technology successfully isolated and contained the affected systems within a matter of hours, limiting the severity of the attack. “It is in part because of this swift response that we have not identified, to this point in our ongoing investigation, evidence of the unauthorized access to or acquisition of State data,” said Stewart in a statement issued on January 12, 2022.

According to Stewart, there was an attempted distributed-denial-of-service (DDoS) attack shortly after the ransomware attack; however, that attack was not successful. Evidence gathered during the investigation of the ransomware and DDoS attacks indicates they were conducted by different threat actors.

Stewart said he reported the incident to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), activated the state’s cybersecurity insurance policy through the State Treasurer’s Office, and engaged third-party forensic investigators to assist with the investigation and response and recovery efforts. “The companies and personnel provided by the insurance policy are widely regarded as the best in the industry,” said Stewart.

The response to the ransomware attack required systems to be taken offline, sites on the network were isolated from each other, and external access to resources over the Internet and by third parties was blocked. The containment approach limited the ability of state employees to use computers and access shared resources and more than a month after the ransomware attack some services continue to face disruption. While the response and recovery approach has resulted in ongoing disruption, Stewart said this approach was necessary to protect the state’s network and the citizens of the state of Maryland and was important to prevent reinfection.

Atif Chaudhry, MDH Deputy Secretary for Operations, said a major focus in the aftermath of the attack was to ensure business and service continuity, which involved implementing the FEMA Incident Command System (ICS). “Under this ICS system, we formed a Unified Command Structure to address the incident. This permits MDH and DoIT to jointly collaborate to manage and address all incident-related matters. DoIT provides the technical expertise and is taking the lead on network security and IT system recovery efforts,” said Chaudhry.

MDH faced a shortage of equipment in the aftermath of the attack, which meant employees have had to share computers at work. To address the problem, Chaudhry said MDH ordered an additional 2,400 laptop computers and a further 3,000 will be ordered this week.  Additional IT equipment such as wireless access points and printers have also been ordered to ensure employees have the equipment they need to do their jobs. Further, alternative processes have been implemented to ensure staff can serve the most urgent needs of the public, which include migration to Google Workspaces. Google Workspaces has provided employees a suite of online tools that are unaffected by the ransomware attack ensuring employees can collaborate and save and share critical files.

The attack has caused disruption to the state’s pandemic response. On Thursday, January 12, 2022, MDH said it had restored around 95% of state-level surveillance data and it is working to restore the complete COVID-19 dataset. Reports will be updated at the earliest opportunity.

The post Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack appeared first on HIPAA Journal.

Critical Infrastructure Entities Warned About Cyberattacks by State-sponsored Russian APT Actors

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued a joint advisory warning about the threat of Russian cyberattacks on critical infrastructure, including the healthcare, energy, government, and telecommunications sectors.

“CISA, the FBI, and NSA encourage the cybersecurity community – especially critical infrastructure network defenders – to adopt a heightened state of awareness and to conduct proactive threat hunting,” explained the agencies in the advisory.

The agencies have shared details of the tactics, techniques, and procedures (TTPs) commonly used by Russian state-sponsored advanced persistent threat (APT) actors to gain persistent access to networks for espionage and destructive cyberattacks.

Russian APT actors use a variety of methods to breach perimeter defenses including spear phishing, brute force attacks against accounts and networks with weak security, and the exploitation of unpatched vulnerabilities, and have previously targeted vulnerable Citrix, Pulse Secure, F5 Big-IP, and VMWare products, FortiGate VPNs, Microsoft Exchange, Cisco Router, and Oracle WebLogic Servers.

Russian APT actors have extensive cyber capabilities and are known to conduct highly sophisticated attacks and maintain a long-term presence in compromised networks and cloud environments, with initial access, often gained using legitimate credentials. Custom malware is often deployed on operational technology (OT) and industrial control systems (ICS) and the malware is used to exfiltrate sensitive data.

All critical infrastructure entities have been advised to closely monitor their networks and systems for signs of malicious activity and take steps to improve their cybersecurity defenses. Security professionals have been advised to create and maintain a cyber incident response plan and follow cybersecurity best practices for identity and access management.

Centralized log collection and monitoring will make it easier to investigate and detect threats in a timely manner. Security teams should search for network and host-based artifacts, review authentication logs for signs of multiple failed login attempts across different accounts, and investigate login failures using valid usernames. It is also recommended to implement security solutions capable of behavioral analysis to identify suspicious network and account activity.

It is important to implement network segmentation as this will help to limit lateral movement within compromised networks and subnetworks if the perimeter defenses are breached. Regular backups should be performed, and backups should be tested to make sure data recovery is possible. Backups should be stored offline and should not be accessible from the systems where the data resides.

If suspicious activity is detected, affected systems should be isolated from the network, backup data should be secured by taking it offline, and data and artifacts should be collected. In the event of a cyberattack, critical infrastructure entities should consider engaging a third-party cybersecurity firm to assist with response and recovery. Any attack should be reported to the FBI and CISA.

While Russian APT actors have previously concentrated their efforts on attacks on utilities, government, and defense, there is a significant threat of attacks on the healthcare and pharmaceutical sectors as a result of the COVID-19 pandemic. Russian state-sponsored APT actors continue to seek intellectual property related to COVID-19 research, vaccines, treatments, and testing, along with any clinical research data supporting those areas.

The agencies have also issued a reminder that the Department of State is running a Rewards for Justice Program, which provides a reward of up to $10 million for information about foreign actors who are engaging in malicious cyber activities, in particular cyberattacks against U.S. critical infrastructure organizations.

The post Critical Infrastructure Entities Warned About Cyberattacks by State-sponsored Russian APT Actors appeared first on HIPAA Journal.

Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity

The Healthcare Supply Chain Association (HSCA) has issued guidance for healthcare delivery organizations, medical device manufacturers, and service suppliers on securing medical devices to make them more resilient to cyberattacks.

The use of medical devices in healthcare has grown at an incredible rate and they are now relied upon to provide vital clinical functions that cannot be compromised without diminishing patient care. Medical devices are, however, often vulnerable to cyber threats and could be attacked to cause harm to patients, be taken out of service to pressure healthcare providers into meeting attackers’ extortion demands, or could be accessed remotely to obtain sensitive patient data. Medical devices are often connected to the Internet and can easily be attacked, so it is essential for proactive steps to be taken to improve security.

The HSCA represents healthcare group purchasing organizations (GPOs) and advocates for fair procurement practices and education to improve the efficiency of purchases of healthcare goods and services and, as such, has a unique line of sight over the entire healthcare supply chain. The HSCA guidance is for the entire supply chain and explains some of the key considerations for medical device manufacturers, HDOs, and service providers to improve cybersecurity and address weaknesses before they are exploited by threat actors.

Two of the most important steps to take are to participate in at least one Information Sharing and Analysis Organization (ISAO), such as the Health Information Sharing and Analysis Center (H-ISAC), and to adopt an IT security risk assessment methodology, such as the NIST Cybersecurity Framework (CSF).

An ISAO is a community that actively collaborates to identify and disseminate actionable threat intelligence about the latest cybersecurity threats that allows members to take proactive steps to reduce risk. The NIST CSF and other cybersecurity frameworks help organizations establish and improve their cybersecurity program, prioritize activities, understand their current security status, and identify security gaps that need to be addressed.

HCSA also recommends appointing an information technology and/or network security officer who has overall responsibility for the security of the organization who can communicate risks to decision makers and oversee the security efforts of the organization.

Cybersecurity training for the workforce is vital. All employees must be made aware of the threats they are likely to encounter and should be taught best practices to follow to reduce risk. Training should be provided annually, and phishing simulations conducted regularly to reinforce training. Any employee who fails a simulation should be provided with further training.

Good patch management practices are essential for addressing known vulnerabilities before they can be exploited, anti-virus software should be deployed on all endpoints and be kept up to date, firewalls should be implemented at the network perimeter and internally, least-privilege access should be applied to system resources, and networks should be segmented to prevent lateral movement in the event of a breach. Password policies should also be implemented that are consistent with the latest NIST guidance.

To prevent the interception of sensitive data, all data in transit should be encrypted, backup and data restoration procedures should be implemented and regularly tested to ensure recovery is possible in the event of a cyberattack, and the life expectancy of all devices and software solutions should be specified in all purchase agreements, including all supporting components. Plans should then be made to upgrade equipment and software prior to reaching end-of-life.

In addition to these standard cybersecurity best practices, HCSA has provided specific considerations for HDOs, device manufacturers, and service providers in the guidance – Medical Device and Service Cybersecurity: Key Considerations for Manufacturers & Healthcare Delivery Organizations – which is available for download from the HCSA website.

The post Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity appeared first on HIPAA Journal.

November 2021 Healthcare Data Breach Report

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches.

The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month.

Largest Healthcare Data Breaches Reported in November 2021

In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The average breach size in November was 34,862 records and the median breach size was 5,403 records.

The worst breach of the month saw the protected health information of 582,170 individuals exposed when hackers gained access to the network of Utah Imaging Associates. Planned Parenthood also suffered a major data breach, with hackers gaining access to its network and exfiltrating data before using ransomware to encrypt files.

Sound Generations, a non-profit that helps older adults and adults with disabilities obtain low-cost healthcare services, notified patients about two ransomware attacks that had occurred in 2021, which together resulted in the exposure and potential theft of the PHI of 103,576 individuals.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Cause of Breach
Utah Imaging Associates, Inc. Healthcare Provider 582,170 Hacking/IT Incident Network Server Unspecified hacking incident
Planned Parenthood Los Angeles Healthcare Provider 409,759 Hacking/IT Incident Network Server Ransomware attack
The Urology Center of Colorado Healthcare Provider 137,820 Hacking/IT Incident Network Server Unspecified hacking incident
Sound Generations Business Associate 103,576 Hacking/IT Incident Network Server Two ransomware attacks
Mowery Clinic LLC Healthcare Provider 96,000 Hacking/IT Incident Network Server Malware infection
Howard University College of Dentistry Healthcare Provider 80,915 Hacking/IT Incident Electronic Medical Record, Network Server Ransomware attack
Sentara Healthcare Healthcare Provider 72,121 Hacking/IT Incident Network Server Unspecified hacking incident at a business associate
Ophthalmology Associates Healthcare Provider 67,000 Hacking/IT Incident Electronic Medical Record, Network Server Unspecified hacking incident
Maxim Healthcare Group Healthcare Provider 65,267 Hacking/IT Incident Email Phishing attack
True Health New Mexico Health Plan 62,983 Hacking/IT Incident Network Server Unspecified hacking incident
TriValley Primary Care Healthcare Provider 57,468 Hacking/IT Incident Network Server Ransomware attack
Broward County Public Schools Health Plan 48,684 Hacking/IT Incident Network Server Ransomware attack
Consociate, Inc. Business Associate 48,583 Hacking/IT Incident Network Server  
Doctors Health Group, Inc. Healthcare Provider 47,660 Hacking/IT Incident Network Server Patient portal breach at business associate (QRS Healthcare Solutions)
Baywood Medical Associates, PLC dba Desert Pain Institute Healthcare Provider 45,262 Hacking/IT Incident Network Server Unspecified hacking incident
Medsurant Holdings, LLC Healthcare Provider 45,000 Hacking/IT Incident Network Server Ransomware attack
One Community Health Healthcare Provider 39,865 Hacking/IT Incident Network Server Unspecified hacking incident
Educators Mutual Insurance Association Business Associate 39,317 Hacking/IT Incident Network Server Malware infection
Victory Health Partners Healthcare Provider 30,000 Hacking/IT Incident Network Server Ransomware attack
Commission on Economic Opportunity Business Associate 29,454 Hacking/IT Incident Network Server Hacked public claimant portal

Causes of November 20021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in November, accounting for 50 of the reported breaches. Ransomware continues to be extensively used in attacks on healthcare providers and their business associates, with the attacks often seeing sensitive patient data stolen and posted on data leak sites. The theft of patient data in these attacks also makes lawsuits more likely. Planned Parenthood, for example, was hit with a class action lawsuit a few days after mailing notification letters to affected patients.

2,327,353 healthcare records were exposed or stolen across those hacking incidents, which is 98.18% of all records breached in November. The average breach size for those incidents was 42,316 records and the median breach size was 11,603 records.

There were 11 unauthorized access/disclosure breaches in November – half the number of unauthorized access/disclosure breaches reported in October. Across those breaches, 37,646 records were impermissibly accessed or disclosed. The average breach size was 3,422 records and the median breach size was 1,553 records. There were also two reported cases of theft of portable electronic devices containing the electronic protected health information of 5,601 individuals.

November Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 50 reported breaches, with four of those breaches occurring at business associates but were reported by the healthcare provider. 8 data breaches were reported by health plans, 3 of which occurred at business associates, and business associates self-reported 10 data breaches. The pie chart below shows the breakdown of breaches based on where the breach occurred.

Geographic Distribution of November Healthcare Data Breaches

Healthcare data breaches of 500 or more records were reported by HIPAA-regulated entities in 32 states and the District of Columbia.

State Number of Reported Data Breaches
California & New York 7
Maryland & Pennsylvania 4
Colorado, Kentucky, Ohio, & Utah 3
Illinois, Indiana, Michigan, Minnesota, New Mexico, Tennessee, Texas, Virginia, and the District of Columbia 2
Alabama, Arizona, Arkansas, Florida, Georgia, Idaho, Kansas, Massachusetts, Missouri, Nebraska, New Hampshire, New Jersey, North Carolina, Oregon, South Carolina, and Washington 1

HIPAA Enforcement Activity in November 2021

There was a flurry of HIPAA enforcement activity in November with financial penalties imposed by federal and state regulators. The HHS’ Office for Civil Rights announced a further 5 financial penalties to resolve alleged violations of the HIPAA Right of Access. In all cases, the healthcare providers had failed to provide patients with a copy of their requested PHI within a reasonable period of time after a request was received.

Covered Entity Penalty Penalty Type Alleged Violation
Rainrock Treatment Center LLC (dba Monte Nido Rainrock)

 

$160,000

 

Settlement HIPAA Right of Access
Advanced Spine & Pain Management $32,150

 

Settlement HIPAA Right of Access
Denver Retina Center $30,000

 

Settlement HIPAA Right of Access
Wake Health Medical Group

 

$10,000

 

Settlement HIPAA Right of Access
Dr. Robert Glaser

 

$100,000 Civil Monetary Penalty HIPAA Right of Access

The New Jersey Attorney General and the Division of Consumer Affairs announced in November that a settlement had been reached with two New jersey printing firms – Command Marketing Innovations, LLC and Strategic Content Imaging LLC – to resolve violations of HIPAA and the New Jersey Consumer Fraud Act. The violations were uncovered during an investigation into a data breach involving the PHI of 55,715 New Jersey residents.

The breach was due to a printing error that saw the last page of one individual’s benefit statement being attached to the benefit statement of another individual.  The Division of Consumer Affairs determined the companies failed to ensure confidentiality of PHI, did not implement sufficient PHI safeguards and failed to review security measures following changes to procedures. A financial penalty of $130,000 was imposed on the two firms, and $65,000 was suspended and will not be payable provided the companies address all the security failures identified during the investigation.

The post November 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

New Data Reveals Extent of Ransomware Attacks on the Healthcare Sector

The CyberPeace Institute has released new data on cyberattacks on the healthcare industry. According to the latest figures, 295 cyberattacks are known to have been conducted on the healthcare sector in the past 18 months between June 2, 2020, and December 3, 2021. The attacks have been occurring at a rate of 3.8 per week and have occurred in 35 countries.

Those attacks include 263 incidents that have either been confirmed as ransomware attacks (165) or are suspected of involving ransomware (98), with those attacks occurring in 33 countries at a rate of 3.4 incidents a week. Over the past 18 months, at least 39 different ransomware groups have conducted ransomware attacks on the healthcare sector. Those attacks have mostly been on patient care services (179), followed by pharma (35), medical manufacturing & development (26), and other medical organizations (23).

The CyberPeace Institute studied darknet publications, correspondence with ransomware gangs, and interviews and identified 12 ransomware groups that had stated they would not conduct attacks on the healthcare sector during the pandemic, yet still continued to attack healthcare organizations, with at least six of the 12 having conducted attacks on hospitals.

The definition of healthcare used by the gangs differs from what many people would assume to be healthcare. For instance, while all 12 of the ransomware gangs said they would not attack hospitals, many used vague terms to describe healthcare, such as medical organizations. While that may suggest all healthcare was off-limits, many of the gangs considered the pharmaceutical industry to be fair game, since pharma companies were said to be profiting from the pandemic.

Three ransomware operations admitted mistakes had been made and healthcare organizations had been attacked in error. They said publicly that when a mistake is made, the keys to decrypt files would be provided free of charge.  However, there were cases where there was some dispute about whether an organization was included in the gangs’ definitions of exempt organizations.

It should be noted that when an attack occurs and files are encrypted, the damage is already done. Even if the keys to decrypt data are provided free of charge, the attacked organizations still experience disruption to business operations and patient services. The process of restoring data from backups is not a quick process and attacked organizations still have to cover extensive mitigation costs. 19% of attacks have been confirmed as resulting in canceled appointments, 14% saw patients redirected, and 80% have involved the exposure or a leak of sensitive data.

The CyberPeace Institute said some threat actors have specifically targeted the healthcare sector. One example provided was a member of the Groove ransomware operation who was actively seeking initial access brokers who could provide access to healthcare networks. The Groove ransomware operation had the highest percentage of healthcare targets than other sectors based on its data leak site.

Data from Mandiant have revealed 20% of ransomware victims are in the healthcare sector, suggesting the industry is being extensively targeted. The FIN 12 threat actor is known to target the healthcare sector, and ransomware operations such as Conti, Pysa, and Hive have high percentages of healthcare organizations in their lists of victims (4%, 9%, and 12% respectively).

While there has been some targeting of the healthcare sector, many ransomware gangs use spray and pray tactics and indiscriminately conduct attacks that result in healthcare organizations being attacked along with all other industry sectors. These attacks often involve indiscriminate phishing campaigns, attacks on Remote Desktop Protocol, (RDP), or brute force attacks to guess weak passwords.

“Regardless of whether the targeting of healthcare organizations is by mistake, design, or indifference, ransomware operators are acting with impunity and are de facto defining what organizations constitute legitimate targets and what is off-limits,” concluded the CyberPeace Institute. “Their simplistic distinctions ignore the complexities and interconnectedness of the healthcare sector, in which attacking pharmaceuticals during a pandemic can have an equally devastating human impact as attacking hospitals.”

The post New Data Reveals Extent of Ransomware Attacks on the Healthcare Sector appeared first on HIPAA Journal.

Third Version of Log4j Released to Fix High Severity DoS Vulnerability

The original vulnerability identified in Log4j (CVE-2021-44228) that sent shockwaves around the world due to its seriousness, ease of exploitation, and the extent to which it impacts software and cloud services, is not the only vulnerability in the Java-based logging utility.

After releasing version 2.15.0 to fix the flaw, it was determined that version 2.15.0 was still vulnerable in certain non-default configurations due to an incomplete patch. The new vulnerability is tracked as CVE-2021-45046 and was fixed in version 2.16.0 of Log4j. Initially, the vulnerability was assigned a CVSS score of 3.7 (low severity); however, the severity score has since been increased to critical (CVSS 9.0), as while this flaw was initially reported as a denial-of-service bug, it was later determined that it could be exploited to allow data exfiltration and remote code execution.

According to Apache, “When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.”

Apache strongly recommended organizations upgrade again to version 2.16.0 to prevent exploitation of the new vulnerability; however, a further vulnerability has now been identified, which is tracked as CVE-2021-45105. CVE-2021-45105 is a high severity DoS bug (CVSS 7.5) and affects all versions of Log4j from 2.0-beta9 to 2.16.0.

According to the Apache Software Foundation (ASF), “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.”

CVE-2021-45105 has now been corrected in version 2.17.0, which is the third version of Log4j to be released in 10 days. Further information on the Log4j vulnerabilities and the latest updates can be found here.

The post Third Version of Log4j Released to Fix High Severity DoS Vulnerability appeared first on HIPAA Journal.

Learnings from a Major Healthcare Ransomware Attack

One of the most serious healthcare ransomware attacks occurred in Ireland earlier this year. The Health Service Executive (HSE), the Republic of Ireland’s national health system, suffered a major attack that resulted in Conti ransomware being deployed and forced its National Healthcare Network to be taken offline. That meant healthcare professionals across the country were prevented from accessing all HSE IT systems, including clinical care systems, patient records, laboratory systems, payroll, and other clinical and non-clinical systems which caused major disruption to healthcare services across the country.

Following the attack, the HSE Board commissioned PricewaterhouseCoopers (PWC) to conduct an independent post-incident review into the attack to establish the facts related to technical and operational preparedness and the circumstances that allowed the attackers to gain access to its systems, exfiltrate sensitive data, encrypt files, and extort the HSE.

Cybersecurity Failures that are Common in the Healthcare Industry

PWC’s recently published report highlights a number of security failures that allowed HSE systems to be infiltrated. While the report is specific to the HSE cyberattack, its findings are applicable to many healthcare organizations in the United States that have similar unaddressed vulnerabilities and a lack of preparedness for ransomware attacks. The recommendations made by PWC can be used to strengthen defenses to prevent similar attacks from occurring.

While the HSE ransomware attack affected a huge number of IT systems, it started with a phishing email. An employee was sent an email with a malicious Microsoft Excel spreadsheet as an attachment on March 16, 2021. When the attachment was opened, malware was installed on the device. The HSE workstation had antivirus software installed, which could have detected the malicious file and prevented the malware infection; however, the virus definition list had not been updated for over a year, which rendered the protection near to non-existent.

From that single infected device, the attacker was able to move laterally within the network, compromise several accounts with high-level privileges, gain access to large numbers of servers, and exfiltrate data ‘undetected’.  On May 14, 2021, 8 weeks after the initial compromise, Conti ransomware was extensively deployed and encrypted files. The HSE detected the encryption and shut down the National Health Network to contain the attack, which prevented healthcare professionals across the country from accessing applications and essential data.

During the 8 weeks that its systems were compromised, suspicious activity was detected on more than one occasion which should have triggered an investigation into a potential security breach, but those alerts were not acted upon. Had they been investigated the deployment of ransomware could have been prevented and potentially also the exfiltration of sensitive data.

Simple Techniques Used to Devastating Effect

According to PWC, the attacker was able to use well-known and simple attack techniques to move around the network, identify and exfiltrate sensitive data, and deploy Conti ransomware over large parts of the IT network with relative ease. The attack could have been far worse. The attacker could have targeted medical devices, destroyed data at scale, used auto-propagation mechanisms such as those used in the WannaCry ransomware attacks, and could also have targeted cloud systems.

The HSE made it clear that it would not be paying the ransom. On May 20, 2021, 6 days after the HSE shut down all HSE IT system access to contain the attack, the attackers released the keys to decrypt data. Had it not been for a strong response to the attack and the release of the decryption keys the implications could have been much more severe. Even with the keys to decrypt data it took until September 21, 2021, for the HSE to successfully decrypt all of its servers and restore around 99% of its applications. The HSE estimated the cost of the attack could rise to half a billion Euros.

Ireland’s Largest Employer Had No CISO

PWC said the attack was possible due to a low level of cybersecurity maturity, weak IT systems and controls, and staffing issues.  PWC said there was a lack of cybersecurity leadership, as there was no individual in the HSE responsible for providing leadership and direction of its cybersecurity efforts, which is very unusual for an organization with the size and complexity of the HSE. The HSE is Ireland’s largest employer and had over 130,000 staff members and more than 70,000 devices at the time of the attack, but the HSE only employed 1,519 staff in cybersecurity roles. PWC said employees with responsibility for cybersecurity did not have the necessary skills to perform the tasks expected of them and the HSE should have had a Chief Information Security Officer (CISO) with overall responsibility for cybersecurity.

Lack of Monitoring and Insufficient Cybersecurity Controls

The HSE did not have the capability to effectively monitor and respond to security alerts across its entire network, patching was sluggish and updates were not applied quickly across the IT systems connected to the National Health Network. The HSE was also reliant on a single anti-malware solution which was not being monitored or effectively maintained across its entire IT environment. The HSE also continued to use legacy systems with known security issues and remains heavily reliant on Windows 7.

“The HSE is operating on a frail IT estate that has lacked the investment over many years required to maintain a secure, resilient, modern IT infrastructure. It does not possess the required cybersecurity capabilities to protect the operation of the health services and the data they process, from the cyber attacks that all organizations face today,” concluded PWC. “It does not have sufficient subject matter expertise, resources, or appropriate security tooling to detect, prevent or respond to a cyber attack of this scale. There were several missed opportunities to detect malicious activity, prior to the detonation phase of the ransomware.”

Similar vulnerabilities in people, processes, and technology can be found in many health systems around the world, and the PWC recommendations can be applied beyond the HSE to improve cybersecurity and make it harder for attacks such as this to succeed.

The PWC report, recommendations, and learnings from the incident can be found here (PDF).

The post Learnings from a Major Healthcare Ransomware Attack appeared first on HIPAA Journal.