Healthcare Cybersecurity

Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000.

MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules.

Between May 7 and May 26, 2015, hackers gained access to a server containing data related to its NMC service. Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen.

A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in the lawsuit: Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The plaintiffs’ investigation into the breach revealed hackers had exploited several vulnerabilities, MIE had poor password policies in place, and security management protocols had not been followed.

Under the terms of the consent judgement, in addition to the financial penalty, MIE must implement and maintain an information security program and deploy a security information and event management (SIEM) solution to allow it to detect and respond quickly to cyberattacks.

Data loss prevention technology must be deployed to prevent the unauthorized exfiltration of data, controls must be implemented to prevent SQL injection attacks, and activity logs must be maintained and regularly reviewed.

Password policies must be implemented that require the use of strong, complex passwords, and multi-factor authentication and single sign-on must be used on all systems that store ePHI or are used to access it.

Additional controls need to be implemented covering the creation of accounts that have access to ePHI. MIE must refrain from using generic accounts that can be accessed via the Internet, and no generic accounts may have administrative privileges.

MIE is also required to comply with all the administrative and technical safeguards of the HIPAA Security Rule and states’ deceptive trade practices acts with respect to the collection, maintenance, and safeguarding of consumers’ protected health information. Reasonable security policies and procedures must be implemented and maintained to protect that information. MIE must also provide appropriate training to all employees regarding its information security policies and procedures at least annually.

In addition, MIE is required to engage a third-party professional to conduct an annual risk analysis to identify threats and vulnerabilities to ePHI each year for the next five years. A report of the findings of that risk analysis and the recommendations must be sent to the Indiana Attorney General within 180 days and annually thereafter.

The consent judgement has been agreed by all parties and resolves the alleged HIPAA violations and violations of state laws. The consent judgement now awaits court approval. The consent judgement can be found (as a PDF) on the website of the Florida Office of the Attorney General.

The post Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering appeared first on HIPAA Journal.

HHS Confirms When HIPAA Fines Can be Issued to Business Associates

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules.

On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate.

Business associates of HIPAA covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list.


You can download the HHS Fact Sheet on direct liability of business associates on this link.


Penalties for HIPAA Violations by Business Associates

The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the HHS determined that the language of the HITECH Act called for a maximum financial penalty of $1.5 million for violations of an identical provision in a single year. That maximum penalty amount was applied across the four penalty tiers, regardless of the level of culpability.

A re-examination of the text of the HITECH Act in 2019 saw the HHS interpret the penalty requirements differently. The $1.5 million maximum penalty was kept for the highest penalty tier, but each of the other penalty tiers had the maximum possible fine reduced to reflect the level of culpability.

Subject to further rulemaking, the HHS will be using the penalty structure detailed in the infographic below.



Medical Informatics Engineering Settles HIPAA Breach Case for $100,000

Medical Informatics Engineering, Inc (MIE) has settled its HIPAA violation case with the HHS’ Office for Civil Rights for $100,000.

MIE, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary.

Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The hackers had access to the server for 19 days between May 7 and May 26, 2015. 239 of its healthcare clients were impacted by the breach.

OCR was notified about the breach on July 23, 2015 and launched an investigation to determine whether it was the result of non-compliance with HIPAA Rules.

OCR discovered MIE had failed to conduct an accurate and thorough risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI prior to the breach – a violation of the HIPAA Security Rule, 45 C.F.R. § 164.308(a)(1)(ii)(A).

As a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI, in violation of 45 C.F.R. § 164.502(a).

MIE chose to settle the case with OCR with no admission of liability. In addition to paying a financial penalty, MIE has agreed to adopt a corrective action plan that requires a comprehensive, organization-wide risk analysis to be conducted and a risk management plan to be developed to address all identified risks and reduce them to a reasonable and acceptable level.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

While the settlement releases MIE from further actions by OCR over the above violations of HIPAA Rules, MIE is not out of the woods yet. In December 2018, a multi-state lawsuit was filed against MIE by 12 state attorneys general over the breach.

The lawsuit alleged there was a failure to implement adequate security controls, that known vulnerabilities had not been corrected, encryption had not been used, security awareness training had not been provided to staff, and there were post-breach failures at MIE. That lawsuit has yet to be resolved. It could well result in a further financial penalty for MIE.

This is OCR’s second financial penalty of 2019. Earlier this month, a $3,000,000 settlement was agreed with Touchstone Medical Imaging to resolve multiple HIPAA violations, several of which were related to the delayed response to a data breach.


April 2019 Healthcare Data Breach Report

April was the worst ever month for healthcare data breaches, with more data breaches reported than in any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years.

While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – a 23.9% reduction from March. While the breaches were smaller, the increase in the number of breaches is of great concern, especially the rise in the number of healthcare phishing attacks.

Largest Healthcare Data Breaches in April 2019

Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – a ransomware attack that exposed the records of 206,695 patients.

The ransomware was deployed 7 months after the attacker had first gained access to its systems. The initial access was gained via Remote Desktop Protocol (RDP) on a workstation.

The second largest data breach was reported by the healthcare provider Centrelake Medical Group. The breach resulted in the exposure of 197,661 patients’ PHI and was also a ransomware attack that prevented patient information from being accessed. While the delay between access to the servers being gained and the ransomware being deployed was not as long, it also appeared that the attacker had been exploring the network prior to deploying the malicious software. Access to the server was gained 6 weeks prior to the ransomware being deployed. Ransomware was also used in the attack on ActivYouth Orthopaedics.

Covered Entity                                                           | Entity Type         | Records Exposed | Breach Type                    | Location of Breached PHI
-------------------------------------------------------------------------|---------------------|-----------------|--------------------------------|------------------------------------------------------
Doctors Management Services, Inc.                                        | Business Associate  | 206,695         | Hacking/IT Incident            | Network Server
Centrelake Medical Group, Inc.                                           | Healthcare Provider | 197,661         | Hacking/IT Incident            | Network Server
Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute | Healthcare Provider | 35,000          | Unauthorized Access/Disclosure | Electronic Medical Record
EmCare, Inc.                                                             | Healthcare Provider | 31,236          | Hacking/IT Incident            | Email
Kim P. Kornegay, DMD                                                     | Healthcare Provider | 27,000          | Theft                          | Desktop Computer, Electronic Medical Record, Paper/Films
Pediatric Orthopedic Specialties, PA, dba ActivYouth Orthopaedics        | Healthcare Provider | 24,176          | Hacking/IT Incident            | Network Server
Health Recovery Services, Inc.                                           | Healthcare Provider | 20,485          | Unauthorized Access/Disclosure | Network Server
Baystate Health                                                          | Healthcare Provider | 11,658          | Hacking/IT Incident            | Email
Riverplace Counseling Center, Inc.                                       | Healthcare Provider | 11,639          | Hacking/IT Incident            | Network Server
Minnesota Department of Human Services                                   | Healthcare Provider | 10,263          | Hacking/IT Incident            | Email

Causes of April 2019 Healthcare Data Breaches

Hacking/IT incidents outnumbered unauthorized access/disclosure incidents by 2 to 1 in April. 28 of the reported breaches of 500 or more records were due to hacking/IT incidents. There were 14 unauthorized access/disclosure incidents, two cases of theft of PHI, one reported case of loss of paperwork, and one case of improper disposal of PHI.

While 2018 saw a decline in the number of ransomware attacks across all industry sectors, the number of ransomware attacks is increasing once again, and healthcare is the most attacked industry. Remote Desktop Protocol is often exploited to gain access to servers and workstations in order to deploy ransomware.

In May, a Forescout study revealed that the use of vulnerable protocols is common in the healthcare industry. Risk can be reduced by disabling these protocols and, if RDP must be used, by only using it over a VPN.

Phishing attacks also increased considerably in April, which highlights just how vulnerable healthcare organizations are to this type of attack. Advanced anti-phishing and anti-spam solutions can reduce the volume of malicious emails that reach inboxes and combined with regular security awareness training, risk can be reduced.

The use of multi-factor authentication is also important. In the event of credentials being compromised, MFA will prevent those credentials from being used to gain access to PHI. MFA is not infallible, but it can ensure risk is reduced to a reasonable and acceptable level. According to Verizon, most credential theft incidents would not have resulted in a data breach if MFA had been implemented.

Hacking/IT incidents resulted in the highest number of compromised records in April 2019 – 384,219 records or 55% of all compromised records in April. The mean breach size was 13,722 records and the median breach size was 4,008 records.

Unauthorized access/disclosure incidents resulted in the exposure of 264,016 records or 38% of the month’s total. While hacking incidents usually result in more records being compromised, these incidents were more severe and had a mean breach size of 18,858 records. The median breach size was 3,193 records.

31,810 records were exposed to loss or theft – 4.6% of the month’s total. The mean breach size was 10,603 records and the median breach size was 4,000 records.


Location of Breached Protected Health Information

Email was the most common location of breached PHI in April. Email was involved in 22 data breaches – 47.8% of all breaches in April 2019. While this category includes misdirected emails, the majority of email breaches were due to phishing attacks.

Network servers were involved in 11 breaches – 23.9% of the month’s breaches – which include malware and ransomware attacks.

Physical records such as paperwork, charts, and films were involved in 6 breaches – 13% of the month’s total.


April Breaches by Covered Entity Type

April was a relatively good month for business associates of covered entities with only two breaches reported and one further breach having some business associate involvement, although a business associate breach was the largest breach of the month.

6 health plans reported breaches in April and the remaining 38 breaches were reported by healthcare providers.


April 2019 Healthcare Data Breaches by State

Data breaches were reported by entities based in 21 states in April. California and Texas were the worst affected, with each state having 5 breaches. Florida, Minnesota, and Ohio each had four breaches, and there were 3 breaches reported by entities in Illinois.

Idaho, Massachusetts, New York, Oregon, Tennessee, and Washington each had 2 breaches and one breach was reported in each of Alabama, Delaware, Louisiana, North Carolina, New Jersey, Pennsylvania, South Dakota, Utah, and West Virginia.

HIPAA Enforcement Activity in April 2019

There were no financial penalties issued by the HHS’ Office for Civil Rights or state Attorneys General in April 2019. The first OCR financial penalty of 2019 was issued in May – a $3,000,000 penalty for Touchstone Medical Imaging for the delayed response to a data breach in which the records of 307,839 patients were exposed.

In addition to the delayed response, there was a failure to issue breach notifications in a reasonable time frame, a failure to notify the media about the breach, two business associate agreement (BAA) failures, insufficient access rights, and a risk analysis failure.


Vulnerabilities Identified in Siemens Sinamics Perfect Harmony Drives and Scalance Access Points

Siemens has discovered several high-severity vulnerabilities and one critical vulnerability in the Scalance W1750D direct access point. The vulnerabilities can be exploited remotely and require a low level of skill to exploit.

If exploited, an attacker could gain access to the W1750D device and execute arbitrary code within its underlying operating system, gain access to sensitive information, perform administrative actions on the device, and expose session cookies for an administrative session.

The vulnerabilities are present in all versions prior to 8.4.0.1.

CVE-2018-7084 is a critical command injection vulnerability in the web interface that could allow arbitrary system commands to be performed within the underlying operating system. If exploited, files could be copied, the configuration could be read, the device could be rebooted, and files could be written or deleted. The vulnerability has been assigned a CVSSv3 base score of 9.8 out of 10.

CVE-2019-7083 is a high-severity information exposure vulnerability that could allow an attacker to access core dumps of previously crashed processes via the web interface of the device. The vulnerability has been assigned a CVSSv3 base score of 7.5 out of 10.

CVE-2019-16417 is a high-severity information exposure vulnerability that could allow an attacker to access recently cached configuration commands by sending a specially crafted URL to the web interface. The vulnerability has been assigned a CVSSv3 base score of 7.5 out of 10.

CVE-2019-7082 is a high-severity command injection vulnerability that could allow an authenticated administrative user to execute arbitrary commands on the underlying operating system. The vulnerability has been assigned a CVSSv3 base score of 7.2 out of 10.

CVE-2019-7064 is a medium-severity cross-site scripting vulnerability that could allow an attacker to perform administrative actions on a vulnerable device or expose admin session cookies by tricking an administrator into clicking a malicious hyperlink. The vulnerability has been assigned a CVSSv3 base score of 6.4 out of 10.

Siemens has fixed all flaws in version 8.4.0.1 and advises users to upgrade the operating system as soon as possible to correct the flaws.

If the update cannot be applied, the following workarounds will reduce the risk of the vulnerabilities being exploited:

  • Restrict access to the web-based management interface to the internal or VPN network.
  • Do not browse other websites and do not click on external links while authenticated to the administrative web interface.
  • Apply appropriate strategies for mitigation.

Siemens Sinamics Perfect Harmony GH180 Fieldbus Network Vulnerability

A high-severity vulnerability has been identified in the Siemens Sinamics Perfect Harmony GH180 Fieldbus Network. The flaw is remotely exploitable, requires a low level of skill to exploit, and requires no privileges or user interaction.

The flaw is present in the following medium-voltage converters:

  • Siemens Sinamics Perfect Harmony GH180 with NXG I control and GH180 with NXG II control: MLFBs: 6SR2. . . -, 6SR3. . . -, 6SR4. . . -: The flaw affects all versions with option G21, G22, G23, G26, G28, G31, G32, G38, G43 or G46

The flaw concerns improper input validation and could be exploited to trigger a denial-of-service condition by sending specially crafted packets to the device, causing the device to restart, which would compromise the availability of the affected system. Network access to the device would be required to exploit the vulnerability.

The vulnerability – CVE-2019-6574 – has been assigned a CVSSv3 base score of 7.5 out of 10.

To correct the flaw, users should upgrade to NXGpro control. If the upgrade is not possible, the following workarounds have been suggested:

  • Disable the fieldbus parameter read/write functionality
  • Apply cell protection concept and implement defense in depth

Siemens Sinamics Perfect Harmony GH180 Drives NXG I and NXG II Vulnerability

A high-severity vulnerability has been identified in Siemens Sinamics Perfect Harmony GH180 Drives (NXG I and NXG II). The flaw is remotely exploitable, requires a low level of skill to exploit, and requires no privileges or user interaction.

If exploited, an individual with access to the Ethernet Modbus Interface could trigger a denial-of-service condition by exceeding the number of available connections and compromise the availability of the affected system.

The vulnerability is present in all versions of GH180 with NXG I control and GH180 with NXG II control (MLFBs: 6SR2. . . -, 6SR3. . . -, 6SR4. . . -).

The vulnerability – CVE-2019-6578 – has been assigned a CVSSv3 base score of 7.5 out of 10.

To correct the flaw, users should upgrade to NXGpro control. If the upgrade is not possible, the following workarounds have been suggested:

  • Install a protocol bridge that isolates the networks and eliminates direct connections to the Ethernet Modbus Interface.
  • Apply cell protection concept and implement defense in depth.


New Report Uncovers Serious Holes in Healthcare Cybersecurity

The sorry state of healthcare cybersecurity has been highlighted by a recent Forescout study. The study revealed the healthcare industry is overly reliant on legacy software, vulnerable protocols are extensively used, and medical devices are not properly secured.

75 global healthcare deployments were analyzed for the study, which comprised more than 1.5 million devices operating on 10,000 virtual local area networks (VLANs).

The majority of those devices were running on legacy systems. While just 1% of devices used unsupported operating systems such as Windows XP, 71% had operating systems that are rapidly approaching end-of-life such as Windows 7, Windows 2008, and Windows Mobile. In January 2020, all three of those operating systems will be at end-of-life and will no longer be supported by Microsoft.

The analysis revealed 85% of Windows devices had SMB running. It was a flaw in SMB that was behind the WannaCry ransomware attacks of 2017. Remote Desktop Protocol (RDP) is commonly used. 35% of devices did not have RDP disabled. The use of File Transfer Protocol (FTP) was also highly prevalent.

There has been a rapid deployment of a diverse range of connected medical devices such as infusion pumps, patient monitors, tracking and identification tools, and imaging systems. The number and variety of devices connecting to healthcare networks has greatly increased the attack surface. Those devices have introduced considerable security risks which, in many cases, have not been effectively mitigated.

The sheer number of devices and different operating systems is causing major headaches for IT security teams. The study revealed 40% of deployments used more than 20 different operating systems. 41% of VLAN platforms used a variety of mobile, network, and embedded infrastructure and 34% of healthcare deployments had more than 100 vendors connecting to the network. Many vendors are responsible for patching their systems and healthcare IT teams are unaware if those patches have been correctly applied.

While it is important to ensure that all devices are secured, first IT teams must identify all devices that connect to the network, which is a major challenge especially following mergers and acquisitions. There have been many cases of devices being used without the knowledge or oversight of the IT department.

The complexity of healthcare networks makes security difficult to manage and the variety of devices and operating systems makes patching a gargantuan task. It is often not possible to keep on top of patching and software updates. In some cases, medical devices cannot be patched to correct known vulnerabilities and legacy apps may not work on newer operating systems. It is not uncommon for vendor approval to be required before patches can be applied. Acute care providers cannot easily take critical care systems offline without jeopardizing patient care, which means vulnerabilities often cannot be addressed.

One of the solutions to improve security and decrease the attack surface is to segment networks and ensure vulnerable devices and systems are kept separate from other parts of the network and are not Internet-facing. Restrictions also need to be implemented to ensure that devices and systems can only be accessed by individuals who need access for their day to day work duties.

However, this best practice is not particularly evident in the data analyzed for the study. Only a small number of VLANs were being used for medical devices, which suggests many healthcare providers are not using network segmentation to a large extent.

Forescout researchers do concede that applying network segmentation best practices across the organization and managing and enforcing segmentation can be a challenge, but it is necessary to improve security. Forescout also recommends enabling agentless discovery of all devices, identifying and auto-classifying devices, and ensuring all devices are continuously monitored.

“It’s critical for healthcare organization security and risk management leaders to look at securing all devices across the extended enterprise. Solely focusing on securing medical devices rather than securing all device classes can cause significant gaps in your security posture,” wrote the researchers. “A holistic approach to security requires continuous visibility and control over the entire connected-device ecosystem—including understanding the role a device visibility and control platform can play in orchestrating actions among heterogeneous security and IT management tools.”


Microsoft Patches Critical Flaw That Could be Exploited in WannaCry-Style Malware Attacks

On Tuesday May 14, 2019, Microsoft released a patch to fix a ‘wormable’ flaw in Windows, similar to the vulnerability that was exploited in the WannaCry ransomware attacks in May 2017.

The flaw is a remote code execution vulnerability in Remote Desktop Services – formerly Terminal Services – that can be exploited via RDP.

The flaw (CVE-2019-0708) can be exploited by sending specially crafted requests over the RDP protocol to a vulnerable system. No authentication is required and the flaw can be exploited without any user interaction.

If exploited, malware could propagate from one compromised computer to all other vulnerable computers on a network. If ransomware exploited the vulnerability, healthcare organizations could experience widespread file encryption and major disruption to operations.

Microsoft has not received any reports to suggest the flaw is being actively exploited at present, but it is almost certain that exploits will be developed for the vulnerability and that those exploits will be incorporated into malware.

The vulnerability is not present in Windows 8 and Windows 10, only older Windows versions. However, it is of concern for the healthcare industry as many healthcare organizations are still using older, vulnerable operating systems.

Patches have been released for Windows 7, Windows Server 2008, and Windows Server 2008 R2. The flaw is so serious that Microsoft has taken the unusual step of issuing patches for Windows XP and Windows Server 2003, even though both operating systems are no longer supported.

A workaround is available for all organizations that use the above operating systems but are not able to apply the patch. In such cases, TCP port 3389 should be blocked and Network Level Authentication should be enabled to prevent the flaw from being exploited. Given the speed at which vulnerabilities are exploited once a patch has been released, it is imperative that the patch or workaround is implemented as a priority.
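Host-side audit and hardening for the workaround just described (patch status, Network Level Authentication, inbound TCP 3389), written as an added PowerShell example that is not code from HIPAA Journal or Microsoft. It assumes an elevated session on Windows 7 / Server 2008 / 2008 R2, and $PatchKb is a placeholder for the KB number of the update for your OS from Microsoft's CVE-2019-0708 advisory.

```powershell
<#
  Audit-and-harden script for the CVE-2019-0708 workaround: confirm the
  Microsoft update is installed, require Network Level Authentication (NLA)
  on the RDP listener, and block inbound TCP 3389 where RDP is not needed.
  Added example, not code from HIPAA Journal or Microsoft.
  Assumptions: runs elevated on Windows 7 / Server 2008 / 2008 R2
  (PowerShell 2.0 or later), so it uses netsh and WMI instead of the
  NetSecurity module (Windows 8 / Server 2012 and later only); $PatchKb is a
  placeholder to be replaced with the KB number from the Microsoft advisory.
#>
param(
    [string]$PatchKb = 'KBnnnnnnn',   # placeholder; see header comment
    [switch]$Enforce                  # without it the script only reports
)

# Constructed name for the firewall rule this script manages.
$RuleName = 'Block-RDP-3389-CVE-2019-0708'

function Test-PatchInstalled {
    param([string]$Kb)
    # Get-HotFix lists installed updates; absence means the update is missing
    # (or arrived inside a cumulative rollup with a different KB number).
    $hf = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Test-RdpNlaRequired {
    # UserAuthentication = 1 on the RDP-Tcp listener means NLA is required, so
    # a client must authenticate (CredSSP) before the pre-authentication code
    # path affected by CVE-2019-0708 is reached.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $val = (Get-ItemProperty -Path $key -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    return ($val -eq 1)
}

function Enable-RdpNla {
    # Apply the same setting through the Terminal Services WMI provider, which
    # updates the live listener; no reboot is required.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $ts.SetUserAuthenticationRequired(1) | Out-Null
}

function Test-Rdp3389Blocked {
    # True when an inbound block rule with our name exists for TCP 3389.
    $text = (netsh advfirewall firewall show rule name=$RuleName | Out-String)
    return ($text -match 'Action:\s+Block') -and ($text -match 'LocalPort:\s+3389')
}

function Add-Rdp3389BlockRule {
    # Windows Firewall inbound block on the RDP port. Only apply this on hosts
    # that do not need RDP, otherwise remote administration is cut as well.
    netsh advfirewall firewall add rule name=$RuleName dir=in action=block protocol=TCP localport=3389 | Out-Null
}

$patched = Test-PatchInstalled -Kb $PatchKb
$nla     = Test-RdpNlaRequired
$blocked = Test-Rdp3389Blocked

Write-Output "Update $PatchKb installed : $patched"
Write-Output "NLA required on RDP-Tcp  : $nla"
Write-Output "Inbound TCP 3389 blocked : $blocked"

if (-not $nla) {
    if ($Enforce) { Enable-RdpNla; Write-Output 'Enabled NLA on the RDP-Tcp listener.' }
    else          { Write-Output 'FINDING: NLA not required; rerun with -Enforce to turn it on.' }
}
if (-not $patched -and -not $blocked) {
    if ($Enforce) { Add-Rdp3389BlockRule; Write-Output "Added firewall rule $RuleName." }
    else          { Write-Output 'FINDING: unpatched and TCP 3389 reachable; install the update, or rerun with -Enforce to block the port.' }
}
```

Windows XP and Server 2003 lack the netsh advfirewall context and the TerminalServices WMI namespace, so on those systems the patch check is the only part of the script that applies.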

It was slow patching that allowed the 2017 WannaCry attacks to succeed. Those attacks clearly demonstrated that many organizations are slow to apply patches, even those that address critical and actively exploited vulnerabilities.

The WannaCry attacks occurred in May 2017 yet the patch to address the flaw – MS17-010 – was released by Microsoft in March. Had the patch been applied promptly, the attacks would not have been possible.

The UK’s National Health Service (NHS) was badly affected by WannaCry. Around one third of all NHS Trusts and 8% of GP practices were affected. The attacks cost the NHS an estimated £92 million and resulted in the cancellation of 19,000 appointments. The global cost of WannaCry has been estimated to be $4 billion.

Attacks exploiting CVE-2019-0708 have the potential to be much worse than WannaCry. It is unlikely that malware developed to exploit the vulnerability will contain a kill switch as easily activated as WannaCry’s.

In addition to the wormable vulnerability, Microsoft has issued updates to correct a further 21 critical flaws, including one that is being actively exploited and another that was disclosed publicly prior to a patch being released. Patches have also been released to address a new type of vulnerability in Intel processors. The Microarchitectural Data Sampling (MDS) flaws could allow a threat actor to deploy malware that can obtain sensitive data from applications, virtual machines, operating systems and trusted execution environments.


DHS Issues Security Best Practices to Mitigate Risks Associated with Office 365 Migrations


The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a new analysis report highlighting some of the common risks and vulnerabilities associated with transitioning from on-premises mail services to cloud-based services such as Microsoft Office 365. The report details best practices to adopt to manage risks and prevent user and mailbox compromises.

Many healthcare organizations have realized the benefits of transitioning to cloud-based email services yet lack the in-house expertise to manage their migrations. Many have used third-party service providers to migrate their email services to Office 365. CISA notes that use of third parties to manage Office 365 migrations has led to an increase in security incidents.

Over the past 6 months, CISA has had several engagements with customers who have used third-party service providers to manage their migrations and discovered a range of different Office 365 configurations that lowered organizations’ security posture and left them vulnerable to phishing and other cyberattacks.

CISA notes that the majority of those organizations didn’t have a dedicated IT security team that was focused on cloud security and, as a result, vulnerabilities went unnoticed. In some cases, the organization experienced mailbox compromises as a result of the risks and vulnerabilities introduced during Office 365 migrations.

According to the AR19-133A analysis report, some of the most common vulnerabilities that were identified which could easily lead to data breaches are:

The failure to implement multifactor authentication for Global Active Directory (AD) Global Administrators. Despite these accounts having the highest level of privileges at the tenant level, MFA is not enabled by default.

Disabled mailbox auditing – The failure to implement mailbox auditing means actions taken by mailbox owners, delegates, and administrators will not be logged. This will hamper investigations into mailbox activity and potential data breaches. Customers who implemented Office 365 prior to 2019 are required to explicitly enable mailbox auditing.

Enabled password syncing – With password synchronization enabled in Azure AD Connect, the password from on-premises AD overwrites the password in Azure AD. If an on-premises account was compromised before the migration, the attacker’s foothold is carried into the tenant when the sync occurs, allowing lateral movement from the on-premises network to the cloud.

Legacy protocols that do not support modern authentication – Office 365 uses Azure AD to authenticate users to Exchange Online; however, several legacy client protocols that Exchange Online still accepts (POP3, IMAP, and SMTP) rely on basic authentication and cannot carry modern authentication mechanisms such as MFA. An account reachable over those protocols is protected only by its password, which greatly increases the attack surface.

CISA suggests several best practices to adopt to ensure that migrating to Office 365 does not result in the lowering of an organization’s security posture:

  • Implement multi-factor authentication – It is the best mitigation technique to protect against credential theft via phishing attacks
  • Ensure audit logging is configured in the Security and Compliance Center
  • Ensure mailbox auditing is activated for each user
  • Ensure Azure AD is correctly configured prior to migrating users to Office 365
  • Ensure legacy email protocols are disabled or are limited to specific users
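What those five practices look like when checked against a tenant, as an added PowerShell review script that is not part of the CISA report or the HIPAA Journal post. It assumes the ExchangeOnlineManagement and MSOnline modules are installed and that the account used can read tenant configuration; the authentication policy name "Block Basic Auth" is an assumption. Each check prints a warning for the weak setting and shows, as a comment, the cmdlet that corrects it:

```powershell
# Added example (not from the CISA report or the HIPAA Journal post): review an
# Office 365 tenant for the AR19-133A findings and show the remediation next to
# each one. Assumes the ExchangeOnlineManagement and MSOnline modules and an
# account that can read tenant configuration. The Set-* lines are left as
# comments because they change tenant-wide settings; apply them deliberately.

Connect-ExchangeOnline        # Exchange Online: audit and client-protocol settings
Connect-MsolService           # Azure AD via the MSOnline module: roles, MFA state, sync state

# --- 1. MFA on Global Administrators ------------------------------------------
# MSOnline still exposes the Global Administrator role as "Company Administrator".
$gaRole = Get-MsolRole -RoleName "Company Administrator"
$admins = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
          Where-Object { $_.RoleMemberType -eq "User" }
foreach ($member in $admins) {
    $user = Get-MsolUser -UserPrincipalName $member.EmailAddress
    # StrongAuthenticationRequirements is empty unless per-user MFA is Enabled/Enforced.
    # Caveat: MFA enforced through Conditional Access or Security Defaults is not
    # visible here, so treat a hit as "verify", not as proof the account has no MFA.
    if (-not $user.StrongAuthenticationRequirements) {
        Write-Warning "Global Admin without per-user MFA: $($user.UserPrincipalName)"
    }
    # A synced admin (ImmutableId set) takes its password from on-premises AD, so an
    # on-premises compromise before migration carries straight into the tenant.
    if ($user.ImmutableId) {
        Write-Warning "Global Admin is directory-synced, prefer a cloud-only account: $($user.UserPrincipalName)"
    }
}
# Remediation: enforce MFA on every admin (per-user MFA or a Conditional Access
# policy) and use cloud-only accounts for tenant administration.

# --- 2. Password sync state ----------------------------------------------------
if ((Get-MsolCompanyInformation).PasswordSynchronizationEnabled) {
    Write-Warning "Password hash sync is enabled; on-premises passwords overwrite Azure AD passwords"
}
# Remediation: reset credentials of any on-premises account compromised before the
# migration, and keep administrator accounts out of the synced set.

# --- 3. Unified audit log (what the Security & Compliance Center searches) ----
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF"
    # Remediation: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# --- 4. Mailbox auditing: tenant default plus per-mailbox state ---------------
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled by default for the tenant"
    # Remediation: Set-OrganizationConfig -AuditDisabled $false
}
$unaudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
             Where-Object { -not $_.AuditEnabled }
$unaudited | ForEach-Object { Write-Warning "Mailbox auditing off: $($_.UserPrincipalName)" }
# Remediation: $unaudited | Set-Mailbox -AuditEnabled $true

# --- 5. Legacy protocols that cannot carry MFA --------------------------------
$legacy = Get-CASMailbox -ResultSize Unlimited |
          Where-Object { $_.PopEnabled -or $_.ImapEnabled }
$legacy | ForEach-Object { Write-Warning "POP3/IMAP enabled: $($_.PrimarySmtpAddress)" }
# Remediation, per mailbox:
#   $legacy | Set-CASMailbox -PopEnabled $false -ImapEnabled $false
# Remediation, tenant-wide: block Basic authentication (what POP3, IMAP and SMTP AUTH
# use) with an authentication policy. New-AuthenticationPolicy denies Basic auth for
# every protocol unless an -AllowBasicAuth* switch is given. Policy name is assumed.
#   New-AuthenticationPolicy -Name "Block Basic Auth"
#   Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"
#   Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# To limit legacy protocols to specific users instead of disabling them outright,
# create a second policy with the needed -AllowBasicAuthImap (or -Pop/-Smtp) switch
# and assign it with: Set-User -Identity <upn> -AuthenticationPolicy <policy name>
```

Two caveats when reading the output: the per-user MFA check only sees per-user MFA, so a tenant that enforces MFA through Conditional Access will show false positives and the Conditional Access policies should be reviewed instead; and the MSOnline module is deprecated in favour of Microsoft Graph PowerShell, where the same role membership and authentication-method data are available under different cmdlet names.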

The post DHS Issues Security Best Practices to Mitigate Risks Associated with Office 365 Migrations appeared first on HIPAA Journal.

Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records

Two Chinese nationals who were allegedly behind the 2015 hacking of Anthem Inc. have been charged by the U.S. Department of Justice.

32-year-old Fujie Wang and an unnamed man have been charged in a four-count indictment in relation to the Anthem cyberattack and the theft of 78.8 million health insurance records, along with cyberattacks on three other U.S. businesses between 2014 and 2015.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Brian A. Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII.”

The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

According to the indictment, the international hacking scheme saw Wang and other members of the hacking group conduct highly sophisticated cyberattacks on businesses starting in February 2014. Those attacks continued until at least January 2015.

The attacks started with spear phishing emails sent to employees of the targeted businesses. Those emails contained hyperlinks to a malicious website. When the links were clicked, they triggered the download of a file containing a malware downloader. When the file was executed, a backdoor was installed on the system that gave the hackers access to the business network through a server under their control. Wang has been accused of registering two domains that were used for the spear phishing attack and for communicating with the malware.

After gaining access to business networks, the hackers moved laterally searching for information of interest, in some cases waiting months before proceeding with the attack. In the case of the attack on Anthem, its systems were accessed on multiple occasions between October and November 2014. The aim was to find sensitive business information and the personally identifiable information of its plan members, according to the indictment.

Once sensitive data had been identified, it was combined into encrypted archive files and was exfiltrated through a variety of computers to destinations in China. The vast quantities of data were exfiltrated from Anthem on multiple occasions in January 2015. After data was exfiltrated, the hackers deleted the archive files in an attempt to avoid detection. The attacks on the other businesses were linked to Wang via the two domains used in the Anthem attack.

The FBI was able to launch an investigation promptly because the attacked companies reported the breaches to the FBI, and their continued cooperation with the investigation allowed the FBI to identify the individuals behind the cyberattacks.

The speed at which Anthem notified the FBI about the attack was a key factor in being able to determine who was responsible for the breach. FBI Special Agent in Charge Grant Mendenhall said “[This] should serve as an example to other organizations that might find themselves in a similar situation.”

Assistant Attorney General Benczkowski said “The Department of Justice and our law enforcement partners are committed to protecting PII, and will aggressively prosecute perpetrators of hacking schemes like this, wherever they occur.”

The post Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records appeared first on HIPAA Journal.