Healthcare Cybersecurity

Maryland Considers Tougher Penalties for Ransomware Attacks

Following a spate of ransomware attacks on businesses and hospitals in Maryland, a new bill (Senate Bill 151) has been introduced which seeks to increase the penalties for ransomware attacks. It is hoped that tougher penalties for ransomware attacks would discourage individuals from conducting attacks in the state.

The bill defines ransomware as a computer or data contaminant, encryption, or lock that is introduced without authorization on a computer, computer network, or computer system that restricts access to the computer, data, network, or system and is accompanied by a demand for payment to remove the contaminant, encryption or lock.

Currently in Maryland, a ransomware attack is classed as a misdemeanor if the attacker causes losses of less than $10,000 and a felony if the attack results in losses of $10,000 or more.

The bill seeks to reclassify a ransomware attack as a felony if it results in aggregate losses of more than $1,000. Aggregate losses include “the value of any money, property, or service lost, stolen, or rendered unrecoverable by the crime,” along with reasonable costs of verifying whether a system has been altered, acquired, damaged, deleted, disrupted, or destroyed.

The penalty for a ransomware attack that results in more than $1,000 in losses would increase to a maximum fine of $100,000 and up to 10 years imprisonment. If the attack results in aggregate losses of less than $1,000, the crime would be a misdemeanor and could result in a fine of up to $25,000 and up to 5 years imprisonment.

Even being in possession of ransomware (for non-research purposes) could result in a hefty fine and prison term, even if no attacks have been conducted. Possession with intent could result in a fine of up to $10,000 and up to 10 years imprisonment.

It would also be possible for a person who has suffered a specific and direct injury as a result of a ransomware attack to bring a civil action against the attacker and for damages to be awarded and the cost of legal action to be recovered.

Ransomware poses a threat to all businesses, but healthcare organizations are especially vulnerable. Ransomware attacks on hospitals not only cause financial losses but could also harm patients: loss of access to healthcare systems and encryption of patient data can disrupt medical services, which could lead to fatalities.

Research conducted at Vanderbilt University in 2017 suggests ransomware attacks on hospitals could potentially result in 2,000 deaths a year. The financial losses can also be considerable. The ransomware attack on Maryland-based Medstar Health in 2016 is believed to have caused more than $30 million in losses.

The post Maryland Considers Tougher Penalties for Ransomware Attacks appeared first on HIPAA Journal.

Free Decryptor for GandCrab Ransomware v5.1 Released

A free decryptor for GandCrab ransomware has been released that allows victims to recover files encrypted by versions 5.0.4 to 5.1 of the ransomware. Previous decryptors have only worked on versions 1, 4, and some of the early version 5 variants.

The new GandCrab ransomware decryptor was developed by the Romanian police with assistance provided by Bitdefender, Europol, and law enforcement agencies in Austria, Belgium, Cyprus, France, Germany, Italy, the Netherlands, UK, Canada and the United States.

GandCrab ransomware was first used in attacks in January 2018. The first version of the ransomware was somewhat crude and a free decryptor was rapidly developed and released in February. Later variants were more advanced and more adept at evading detection; however, in October, a second GandCrab ransomware decryptor was released that worked on version 4 of the ransomware.

According to Europol, those decryptors have been downloaded more than 400,000 times and have allowed around 10,000 users to decrypt their files free of charge.

To date, GandCrab ransomware has been used in more than 500,000 attacks, including several on U.S. healthcare providers. Ransom demands vary but are typically in the range of $300 to $6,000, depending on the extent of the attack and the number of devices that have been encrypted.

GandCrab was the biggest ransomware threat in 2018 and is now the most widely used ransomware variant. Part of its success is due to regular updates: when decryptors are developed, new versions are rapidly released. The threat actors behind the ransomware are also rather adept at marketing the ransomware and recruiting affiliates to run ransomware campaigns. GandCrab now dominates the ransomware-as-a-service market.

Multiple threat actors are using the ransomware and various methods are used to infect end users. Spam email campaigns are common, although recently the ransomware has been installed using stolen RDP credentials and through exploitation of vulnerabilities in software and operating systems. Managed service providers (MSPs) have also been targeted and privileged access to clients’ systems has been abused to download the ransomware onto clients’ workstations.

The latest free decryptor for GandCrab ransomware is certainly good news and will help healthcare providers recover files without having to pay the ransom demand. However, version 5.2 of the ransomware is expected to be released soon. The latest decryptor will not work on the new version.

“If you have a security solution, make sure it is up-to-date and has layered defenses against ransomware. The better it is at detection, the lower your chances of infection. Also make sure you are running the latest version of your OS and third-party software,” wrote Bitdefender. “If you don’t have a security solution, get one now. It helps a lot, and it’s way less expensive than a $600 ransom payment.”

The free decryptor for GandCrab ransomware works for versions 1, 4, and most version 5 variants, and can be downloaded from the No More Ransom website.


Data Access and Sharing Risks Identified at National Institutes of Health

The Department of Health and Human Services’ Office of Inspector General (OIG) has published a report of the findings of an audit of the National Institutes of Health (NIH). The NIH is the primary government biomedical and public health research agency in the United States and one of the foremost medical research centers in the world.

The audit was conducted to determine whether adequate controls had been implemented for permitting and monitoring access to sensitive NIH data. OIG reviewed internal controls, policies, procedures, and supporting documentation, and conducted interviews with internal staff.

While controls had been implemented at NIH to restrict access to sensitive data, OIG identified several areas where improvements could be made to bolster security and several recommendations were made.

OIG recommended NIH should develop a security framework, conduct risk assessments, implement additional security controls to safeguard sensitive data, and should start working with an organization that has expertise and knowledge of misuse of scientific data. NIH did not concur with any of those recommendations.

OIG also recommended that mechanisms should be implemented to ensure that its data security policies remain current and reflect the rapidly changing threat landscape and that security awareness training and security plans should be made a requirement.

NIH concurred with those recommendations but did not agree to implement controls to ensure that training and security plan requirements are fulfilled. NIH explained that it had already established a working group to address risks and vulnerabilities to the confidentiality of intellectual property and protect the integrity of the peer review process.

OIG maintained that its auditors’ findings were accurate and its recommendations valid, and provided NIH with detailed information on potential actions to address them. OIG recommended that, if NIH decides not to strengthen its controls, the decision be documented in line with Federal regulations and guidance.


Healthcare Email Fraud Attacks Have Increased 473% in 2 Years

A recent report from Proofpoint has revealed healthcare email fraud attacks have increased 473% in the past two years.

Email fraud, also known as business email compromise (BEC), is one of the biggest cyber threats faced by businesses. Successful attacks can result in losses of hundreds of thousands or even millions of dollars. Figures from the FBI suggest that globally, $12.5 billion has been lost to these email fraud attacks since 2013.

These email attacks are highly targeted and typically involve the spoofing of email addresses to make emails appear to have been sent internally or from a trusted individual. They often involve the use of a genuine email account within an organization that has previously been compromised in a phishing or spear phishing attack.

The attacks are usually conducted to obtain sensitive data such as employee tax information or patient information, to obtain credentials to be used in further attacks, and for wire fraud. Wire fraud is the most common form of email fraud in healthcare.

For the report, Proofpoint analyzed more than 160 billion emails sent by organizations in 150 countries between Q1, 2017 and Q4, 2018. 473% more healthcare email fraud attacks were conducted in Q4, 2018 than Q1, 2017.

Healthcare organizations were targeted in an average of 96 email fraud attacks every quarter. 53% of healthcare organizations were attacked more often and experienced between 200% and 600% more attacks. Within targeted healthcare organizations, an average of 65 staff members were attacked in Q4, 2018. None of the healthcare organizations studied experienced a decrease in email fraud attacks over the period of study.

On average, 15 healthcare staff members were spoofed in the attacks with 49% of organizations attacked using at least 5 identities. Over three quarters of healthcare organizations had more than 5 employees targeted in the attacks. The median number was 23. Most employees were targeted due to their role within the company.

95% of targeted healthcare organizations experienced attacks using their own trusted domain and 100% of attacked organizations had their domain spoofed in attacks on their business partners and patients. Proofpoint rated 45% of all emails sent from healthcare domains as suspicious in Q4, 2018, 65% of which were sent internally to employees, 42% to patients, and 15% to business partners.

Proofpoint analyzed email fraud attacks in multiple industry sectors. Healthcare was the only industry where there was a correlation between company size and the number of attacks, with larger organizations being targeted much more often than smaller healthcare organizations.

The most commonly used categories of subject line in the emails were ‘Payment’, ‘Request’, and ‘Urgent.’ Blank subject lines were also common. The emails were mostly sent during business hours, Monday to Friday. 70% of messages were sent between 7am and 1pm.

33% of emails were sent from free-to-use email accounts such as those offered by Gmail, AOL, Inbox, RR, and Comcast, with the display name changed.

In addition to spoofing a healthcare domain, lookalike domains are often used: those with misspellings, transposed letters, or additional characters added to the domain name. 67% of healthcare organizations experienced attacks using lookalike domains.

Protecting against email fraud attacks requires multi-layered defenses. Staff should receive training and be taught to look for the signs of a possible email fraud attack. Email fraud attack simulations can also help to reinforce training and identify weak links: individuals who require further training.

DMARC should be adopted to prevent impostors from spoofing domains, and healthcare organizations should consider buying and parking variants of their domain. DMARC only protects the exact domain it is published for (and only when the policy is set to quarantine or reject rather than none); it does nothing against lookalike domains. Domains similar to those used by healthcare organizations should therefore be monitored, as they may be registered by fraudsters, and email filters should be configured to reject messages sent from those risky domains.
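The two checks described above, as an added example that is not part of the Proofpoint report or the original article: a generator for the three lookalike categories the report names (one character misspelled, two adjacent characters transposed, one character inserted) that can be used to pre-register or watch variants and to flag inbound sender domains, plus a grader for a domain's DMARC record that distinguishes a monitor-only policy (p=none) from one that actually blocks spoofing. The protected domain and DMARC records are constructed placeholders.

```python
"""Lookalike-domain generation and DMARC policy grading.

Added example, not code from the Proofpoint report or HIPAA Journal. The
protected domain and the DMARC records below are constructed sample input.
"""
from __future__ import annotations

import string

CHARSET = string.ascii_lowercase + string.digits


def lookalike_variants(domain: str) -> set[str]:
    """Build single-edit lookalikes of the first label: one character
    substituted (misspelling), two adjacent characters transposed, or one
    character inserted. Multi-character tricks such as 'rn' for 'm' are not
    covered and need a wider generator."""
    label, dot, suffix = domain.lower().partition(".")
    out: set[str] = set()
    for i in range(len(label) - 1):            # transposed adjacent characters
        if label[i] != label[i + 1]:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):              # one character substituted
        for sub in CHARSET:
            if sub != ch:
                out.add(label[:i] + sub + label[i + 1:])
    for i in range(len(label) + 1):             # one character inserted
        for ins in CHARSET + "-":
            cand = label[:i] + ins + label[i:]
            if not cand.startswith("-") and not cand.endswith("-"):
                out.add(cand)
    out.discard(label)
    return {f"{v}{dot}{suffix}" for v in out}


def is_lookalike(sender_domain: str, protected_domain: str) -> bool:
    """True if a sender domain is a single-edit lookalike of the protected one."""
    return sender_domain.lower() in lookalike_variants(protected_domain)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into tag/value pairs."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, eq, value = part.partition("=")
        if eq:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_grade(record: str) -> str:
    """Grade how much spoofing protection a DMARC record actually gives.

    p=none only asks receivers for reports; impostor mail is still delivered.
    Only p=reject applied to 100% of mail stops exact-domain spoofing outright."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "missing"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "reject" and pct >= 100:
        return "enforcing"
    if policy in ("reject", "quarantine"):
        return "partial"        # quarantine, or reject on a sampled fraction
    return "monitor-only"


if __name__ == "__main__":
    protected = "mercyhealth.example"         # constructed placeholder domain
    for sender in ("mercyhealth.example", "mercyheatlh.example",
                   "mercyhea1th.example", "mercy-health.example"):
        print(sender, "LOOKALIKE" if is_lookalike(sender, protected) else "ok")
    print(dmarc_grade("v=DMARC1; p=none; rua=mailto:dmarc@mercyhealth.example"))
```

The variant set is the list to feed a registrar watch or a mail-filter blocklist; the grader is the check to run against your own domain's `_dmarc` TXT record, since a record that exists but says `p=none` gives receivers no reason to drop a spoofed message.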


2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018.

The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general.

The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches.

According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018.

In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased each quarter, from 1,175,804 records in Q1 to 6,281,470 healthcare records in Q4.

The largest data breach of the year was a hacking incident at a business associate of a North Carolina health system. Over the space of a week, the hackers gained access to the health records of 2.65 million individuals.

Healthcare hacking incidents have increased steadily since 2016 and were the biggest cause of breaches in 2018, accounting for 44.22% of all tracked data breaches. There were 222 hacking incidents in 2018 compared to 178 in 2017. Data was only available for 180 of those breaches, which combined, resulted in the theft/exposure of 11,335,514 patient records. The hacking-related breaches in 2017 resulted in the theft/exposure of 3,436,742 records. While it was not possible to categorize many of the hacking incidents due to a lack of data, phishing attacks and ransomware/malware incidents were both common.

Insiders were behind 28.09% of breaches, loss/theft incidents accounted for 14.34%, and the cause of 13.35% of breaches was unknown.

Insider breaches included human error and insider wrongdoing. These breaches accounted for a lower percentage of the total than in 2017 when 37% of breaches were attributed to insiders. Information was available for 106 insider-related breaches in 2018. 2,793,607 records were exposed in those breaches – 19% of exposed records for the year. While the total number of insider incidents fell from 176 to 139 year over year, there was a significant increase in the number of records exposed in insider breaches in 2018.

Insider errors resulted in the exposure of 785,281 records in 2017 and 2,056,138 records in 2018. Insider wrongdoing incidents resulted in the exposure of 893,978 records in 2017 and 386,469 records in 2018.

Without the proper tools in place, insider breaches can be difficult to detect. In one case, it took a healthcare provider 15 years to discover that an employee was snooping on patient records. Several incidents took over four years to discover.

Snooping by family members was the most common cause of insider breaches, accounting for 67.38% of the total. Snooping co-workers accounted for 15.81% of insider breaches. Protenus notes that there is a high chance of repeat insider offenses. 51% of cases involved repeat offenders.

Overall, it took an average of 255 days for a breach of any type to be discovered and an average of 73 days for breaches to be reported after they were discovered.

Healthcare providers were the worst affected group with 353 data breaches – 70% of all reporting entities. 62 breaches were reported by health plans (12%) and 39 (8%) were reported by other entities. It was a particularly bad year for business associates of HIPAA covered entities with 49 incidents (10%) reported by business associates. A further 102 incidents (20%) had some business associate involvement.

Protenus expects the trend of more than one breach per day to continue in 2019, as has been the case every year since 2016.


HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns

Each year, HIMSS conducts a survey to gather information about security experiences and cybersecurity practices at healthcare organizations. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps.

166 health information security professionals were surveyed for the 2019 HIMSS Cybersecurity Survey, which was conducted from November to December 2018.

This year’s survey revealed security incidents are widespread in healthcare. Almost three quarters (74%) of healthcare organizations experienced a significant security incident in the past 12 months; 22% said they had not experienced a significant security incident in the past year. The figures are in line with the 2018 HIMSS Cybersecurity Survey, when 21% of respondents said they had not experienced a significant security incident.

In 2018, 82% of hospital systems reported a significant security incident, as did almost two thirds of non-acute and vendor organizations.

The most common actors implicated in security incidents were online scam artists (28%) and negligent insiders (20%). Online scam artists used tactics such as phishing, spear phishing, whaling, and business email compromise to gain access to healthcare networks and data. Online scam artists often impersonate senior leaders in an organization and make requests for sensitive data and fraudulent wire transfers.

Threat actors use a variety of methods to gain access to healthcare networks and patient data, although a high percentage of security breaches in the past 12 months involved email. 59% of respondents said email was a main source of compromise. Human error was rated as a main source of compromise by 25% of respondents and was the second main cause of security incidents.

HIMSS said it is not surprising that so many healthcare organizations have experienced phishing attacks. Phishing attacks are easy to conduct, they are inexpensive, can be highly targeted, and they have a high success rate. Email accounts contain a trove of sensitive information such as financial data, the personal and health information of patients, technical data, and business information.

Even though email is one of the most common attack vectors, many healthcare organizations are not doing enough to reduce the risk of attacks. The HIMSS Cybersecurity Survey revealed 18% of healthcare organizations are not conducting phishing simulations on their employees to reinforce security awareness training and identify weak links.

While email security can be improved, there is concern that by making it harder for email attacks to succeed, healthcare organizations will encourage threat actors to look for alternative methods of compromise. It is therefore important for security leaders to diligently monitor other potential areas of compromise.

The most common ways that human error leads to the exposure of patient data are posting patient data on public-facing websites, accidental data leaks, and simple errors.

HIMSS explained that it is imperative to educate key stakeholders on IT best practices and to ensure those practices are adopted. Significant security incidents caused by insider negligence were commonly the result of lapses in security practices and protocols.

HIMSS suggests that additional security awareness training should be provided to all employees, not just those involved in security operations and management. Individuals in security teams should also be given additional training on current and emerging threats along with regular training to ensure they know how to handle and mitigate security threats.

Email attacks and the continued use of legacy (unsupported) systems such as out-of-support Windows Server releases and Windows XP raise grave concerns about the security of the healthcare ecosystem.

69% of respondents said they continue to use at least some legacy systems. 48% are still using unsupported Windows Server releases and 35% are still using Windows XP, despite the security risks that those legacy systems introduce.

While it is encouraging to see that 96% of organizations conduct risk assessments, only 37% of respondents said they conduct comprehensive risk assessments. Only 58% assess risks related to their organization’s website, 50% assess third party risks, and just 47% assess risks associated with medical devices.

HIMSS suggests cybersecurity professionals should be empowered to drive change throughout the organization. “Rather than being “hermetically sealed off” from the rest of the organization they serve, cybersecurity professionals should be both a visible and integral part of the strategic planning and operational infrastructure of their organizations,” a feeling that was shared by 59% of respondents.

It is good to see that in response to the growing threat of attacks, healthcare organizations are allocating more of their IT budgets to cybersecurity. 72% of respondents said their budget for cybersecurity had increased by 5% or more or had remained the same.



Vulnerabilities Identified in IDenticard PremiSys Access Control System

ICS-CERT has issued an alert about three high severity vulnerabilities in the IDenticard PremiSys access control system. All versions of PremiSys software prior to version 4.1 are affected by the vulnerabilities.

Successful exploitation of the vulnerabilities could result in full access being gained to the system with administrative privileges, theft of sensitive information contained in backups, and access being gained to credentials. The vulnerabilities could be exploited remotely and require a low level of skill to exploit. Details of the vulnerabilities have been publicly disclosed.

The highest severity vulnerability, CVE-2019-3906, concerns hard-coded credentials that give full administrative access to the PremiSys WCF Service endpoint. An attacker who knows the credentials obtains full access to the system with administrative privileges. The vulnerability has been assigned a CVSS v3 base score of 8.8.

User credentials and other sensitive information stored in the system are encrypted; however, a weak encryption method is used, which could potentially be broken, resulting in the exposure and theft of information. The vulnerability (CVE-2019-3907) has been assigned a CVSS v3 base score of 7.5.

Backup files are stored by the system as encrypted zip files; however, the password required to unlock the backups is hard-coded and cannot be changed, so anyone who obtains a backup file can open it and view or steal its contents. The vulnerability (CVE-2019-3908) has been assigned a CVSS v3 base score of 7.5.

Tenable’s Jimi Sebree discovered and reported the vulnerabilities.

IDenticard has corrected the hard-coded credentials vulnerability (CVE-2019-3906). Users should update to version 4.1 of the software to correct the flaw. IDenticard is currently working on a fix for the other two flaws. A software update correcting those flaws is expected to be released in February 2019.

As an interim mitigation, NCCIC recommends restricting and monitoring access to port 9003/TCP, placing the system behind a firewall, and ensuring the access control system is not accessible from the Internet. If remote access is necessary, it should use secure methods such as an up-to-date VPN.
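The monitoring half of that interim mitigation, as an added example that is not part of the advisory or IDenticard's own tooling: a small detector that reads firewall log lines and flags every TCP/9003 connection whose source is not the expected management subnet, with a separate verdict for non-RFC1918 sources, which should never appear at all. The log format, the management subnet (10.20.30.0/24), the PremiSys host address and the sample lines are all constructed assumptions; adapt the regular expression to the firewall or flow-export format actually in use.

```python
"""Flag connections to the PremiSys WCF service port (9003/TCP) from sources
that are not the expected management hosts.

Added example, not from the ICS-CERT advisory or IDenticard. The log format,
the management subnet and the sample lines are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re

PREMISYS_PORT = 9003
# Assumed: only the access-control management subnet may reach the service.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.30.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)

# Constructed sample lines in a key=value firewall log style.
SAMPLE_LOG = """\
2019-02-05T09:12:01Z fw01 src=10.20.30.15:51022 dst=10.20.40.8:9003 proto=TCP action=allow
2019-02-05T09:12:07Z fw01 src=10.20.30.15:51023 dst=10.20.40.8:443 proto=TCP action=allow
2019-02-05T09:13:44Z fw01 src=10.20.77.9:60231 dst=10.20.40.8:9003 proto=TCP action=allow
2019-02-05T09:15:02Z fw01 src=198.51.100.23:44710 dst=10.20.40.8:9003 proto=TCP action=allow
2019-02-05T09:15:30Z fw01 src=10.20.30.16:41234 dst=10.20.40.8:9003 proto=UDP action=deny
"""


def classify(line: str) -> str | None:
    """Return a verdict for one log line, or None if it is not TCP/9003 traffic."""
    m = LOG_RE.search(line)
    if not m or m["proto"].upper() != "TCP" or int(m["dport"]) != PREMISYS_PORT:
        return None
    src = ipaddress.ip_address(m["src"])
    if not any(src in net for net in RFC1918):
        # The advisory says the system must not be reachable from the Internet,
        # so a non-private source reaching 9003/TCP is the loudest signal.
        return "external-source"
    if not any(src in net for net in MANAGEMENT_NETS):
        return "unexpected-internal-source"
    return "expected"


def suspicious_connections(log_text: str) -> list[tuple[str, str]]:
    """Return (source IP, verdict) for every TCP/9003 connection that did not
    come from the management subnet, in log order."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict not in (None, "expected"):
            findings.append((LOG_RE.search(line)["src"], verdict))
    return findings


if __name__ == "__main__":
    for src, verdict in suspicious_connections(SAMPLE_LOG):
        print(f"ALERT {verdict}: {src} -> tcp/{PREMISYS_PORT}")
```

Because the hard-coded credential in CVE-2019-3906 cannot be rotated, a connection to the service port from an unexpected host is the event to alert on; the firewall rule keeps the blast radius small and this check tells you when the rule is being bypassed or is missing.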


New Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle.

The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector.

More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing Act of 2015.

“It is important for medical device manufacturers and health IT vendors to consider the JSP’s voluntary framework and its associated plans and templates throughout the lifecycle of medical devices and health IT because doing so is expected to result in better security and thus better products for patients,” explained HSCC.

Cybersecurity controls can be difficult to integrate into existing processes. Organizations often fail to recognize how important security controls are, and when considering how to enhance cybersecurity many do not know where to start or have insufficient resources to devote to the task. The framework helps by providing guidance on how to create a security policy and procedures that align with and integrate into existing processes.

HSCC is urging organizations to commit to implementing the JSP as it is believed that by doing so patient safety will be improved.

The JSP can be adopted by organizations of all sizes and stages of maturity and helps them enhance cybersecurity of medical devices by addressing key challenges. Many large manufacturers have already created similar cybersecurity programs to the JSP, so it is likely to be of most use for small to medium sized companies that lack awareness of the steps to take to improve cybersecurity as well as those with fewer resources to devote to cybersecurity.

The JSP utilizes security by design principles and identifies shared responsibilities between industry stakeholders to harmonize security standards, risk assessment methodologies, reporting of vulnerabilities, and improve information sharing between device manufacturers and healthcare providers. The JSP covers the entire lifecycle of medical devices, from development to deployment, management, and end of life. The JSP includes several recommendations including the incorporation of cybersecurity measures during the design and development of medical devices, handling product complaints related to cybersecurity incidents, mitigation of post-market vulnerabilities, managing security risk, and decommissioning devices at end of life.



Patches Released to Mitigate Stryker Medical Bed KRACK Vulnerabilities

Nine vulnerabilities have been identified in Stryker Medical Beds. The vulnerabilities could be exploited in a man-in-the-middle attack by an attacker within radio range of a vulnerable product to replay, decrypt, or spoof frames.

The vulnerabilities are in the WPA and WPA2 key handshakes (the four-way handshake and the group key, Fast BSS Transition, TDLS and WNM sleep-mode exchanges listed below): a replayed handshake message makes the client reinstall a key that is already in use, which resets the packet number (nonce) and replay counter, allowing nonce reuse in Key Reinstallation (KRACK) attacks. Similar vulnerabilities have been identified in a wide range of wireless devices.

The nine vulnerabilities are summarized below:

  • CVE-2017-13077: Reinstallation of pairwise key in the four-way handshake.
  • CVE-2017-13078: Reinstallation of group key in the four-way handshake.
  • CVE-2017-13079: Reinstallation of Integrity Group Temporal Key in the four-way handshake.
  • CVE-2017-13080: Reinstallation of group key in the group key handshake.
  • CVE-2017-13081: Reinstallation of Integrity Group Temporal Key in the group key handshake.
  • CVE-2017-13082: Reinstallation of Pairwise Transient Key Temporal Key in the Fast BSS Transition (FT) handshake.
  • CVE-2017-13086: Reinstallation of Tunneled Direct-Link Setup Peer Key in the Tunneled Direct-Link Setup handshake.
  • CVE-2017-13087: Reinstallation of the Group Temporal Key when processing a Wireless Network Management Sleep Mode Response frame.
  • CVE-2017-13088: Reinstallation of the Integrity Group Temporal Key when processing a Wireless Network Management Sleep Mode Response frame.

The group of vulnerabilities has collectively been assigned a CVSS v3 base score of 6.8 – Medium severity. The flaws were identified by Mathy Vanhoef of imec-DistriNet, KU Leuven and reported to the National Cybersecurity & Communications Integration Center (NCCIC).
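Why a key reinstallation is enough to decrypt traffic, as an added example that is not part of the advisory or the KRACK research: a model client numbers its frames with a packet number that doubles as the cipher nonce, and a replayed handshake message 3 makes the vulnerable client reinstall the same key and reset that counter. Two frames then share a keystream, so XORing the two ciphertexts yields the XOR of the two plaintexts, and a known first frame hands the attacker the second. The cipher is a toy SHA-256 counter-mode keystream standing in for CCMP's AES-CTR, the Station class is a simplified stand-in for a Wi-Fi client, and the frame contents are constructed; all are assumptions for illustration.

```python
"""Nonce reuse after a key reinstallation leaks the XOR of two plaintexts.

Added example, not from the Stryker advisory or the KRACK paper. The cipher
is a toy SHA-256 counter-mode keystream standing in for CCMP's AES-CTR and
the Station class is a simplified model of a Wi-Fi client (assumptions).
"""
from __future__ import annotations

import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Wi-Fi client whose per-frame packet number (PN) is the cipher nonce."""

    def __init__(self, vulnerable: bool):
        self.key: bytes | None = None
        self.pn = 0
        self.vulnerable = vulnerable

    def install_key(self, key: bytes) -> None:
        if key == self.key and not self.vulnerable:
            return          # patched: an already-installed key is not reinstalled
        # Vulnerable behaviour (CVE-2017-13077): reinstalling the same PTK
        # resets the packet number to zero, so the next nonce repeats.
        self.key = key
        self.pn = 0

    def send(self, plaintext: bytes) -> tuple[bytes, bytes]:
        assert self.key is not None, "no key installed"
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))


def krack_leak(vulnerable: bool) -> tuple[bool, bytes]:
    """Replay handshake message 3 between two frames and report whether the
    nonce repeated and what an attacker who knows frame 1 recovers of frame 2.

    Returns (nonce_reused, recovered_second_frame)."""
    ptk = b"\x11" * 16                        # pairwise key from the 4-way handshake
    sta = Station(vulnerable)
    sta.install_key(ptk)                      # genuine message 3: key installed, PN=0
    frame1 = b"bed 7 head angle 30 deg"       # constructed telemetry, known to attacker
    n1, c1 = sta.send(frame1)
    sta.install_key(ptk)                      # attacker replays message 3
    frame2 = b"bed 7 exit alarm active"       # constructed second frame (secret)
    n2, c2 = sta.send(frame2)
    # If the keystream repeated, c1 xor c2 == frame1 xor frame2, so a known
    # frame1 recovers frame2 outright; otherwise the result is noise.
    recovered = xor(xor(c1, c2), frame1)
    return n1 == n2, recovered


if __name__ == "__main__":
    for label, vulnerable in (("vulnerable", True), ("patched", False)):
        reused, recovered = krack_leak(vulnerable)
        print(f"{label}: nonce reused={reused}, recovered={recovered!r}")
```

The fix modeled in `install_key` is the one the Wi-Fi patches apply: never reinstall a key that is already in use, so a replayed message 3 cannot rewind the packet number. On the bed gateways that is what the Stryker software updates provide; where no patch exists (Gateway 1.0), the attacker can still force the reset, which is why the VLAN isolation and access-point patches listed under Mitigations matter.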

Mitigations

Software updates have been released by Stryker to mitigate the vulnerabilities:

  • Users of Gateway 2.0 should upgrade to software version 5212-400-905_3.5.002.01
  • Users of Gateway 3.0 should upgrade to software version 5212-500-905_4.3.001.01

No patch is available for Gateway 1.0.

Additional measures can also be taken to reduce the risk of exploitation of the vulnerabilities. These include disabling iBed functionality if it is not being used, operating the products on a separate VLAN, and applying updates that include the KRACK patch to wireless access points.
