Healthcare Cybersecurity

2017 has seen a 62% Increase in Ransomware Attacks

Posted by HIPAA Journal

Reported ransomware attacks in 2017 are already up 62% year on year, according to a new report from anti-malware firm Malwarebytes, with a month of 2017 still to go.

Criminal gangs and opportunistic cybercriminals – termed the New Mafia by Malwarebytes – have embraced ransomware as a quick and easy way to make money and sabotage businesses. Since September 2015, there has been a 1988.6% increase in ransomware attacks and there is no sign that attacks will slow down, especially due to the ease at which attacks can be conducted using ransomware-as-a-service.

Malwarebytes notes that the true number of attacks is likely to be far higher. Many businesses attempt to conceal ransomware attacks due to the reputational damage that can be caused. Attacks are not reported and ransom demands are quietly paid to quickly regain access to data.

It is not only ransomware attacks that have increased. The average number of monthly cyberattacks on businesses have risen by 23% year over year, according to the report. That is on top of a 96% increase in cyberattacks on businesses the previous year.

In the United States, only 21% of surveyed businesses said they have experienced no cyberattacks in the past 12 months. Malwarebytes notes that many of those businesses could be unaware that attacks have taken place and that there could be considerable knowledge gaps within organizations.

In the report, Malwarebytes points out that there are considerable discrepancies between various surveys, citing on PwC report that indicated 74% of business stakeholders believed they had not experienced a cyberattack in the past year, while the Malwarebytes survey, which was conducted on IT managers, CIOs, and CISOs, suggests the number of companies that have escaped a cyberattack in the past 12 months is far lower. Cyberattacks are occurring, but they are not being communicated to the C-suite leading to an underestimation of the threat level.

Some businesses have been extensively targeted. 41% of businesses experienced between 1 and 5 attacks, 10% had between 6 and 10 attacks, 5% experienced between 11 and 20 attacks and 22% have had 20 or more cyberattacks in the past year.

Even though the threat of cyberattacks is now at an all time high, many businesses are underestimating the threat and are failing to implement sufficient defenses to prevent attacks. Awareness of cybercrime needs to improve, businesses must accurately assess the likelihood of an attack occurring, and the C-suite should be more involved to ensure sufficient funds are allocated to cybersecurity to mitigate the threat. Malwarebytes suggests cybercrime must be elevated from a tech issue to a business-critical consideration, considering the damage that these cyberattacks can cause.

By improving collective awareness of the threats, sharing knowledge rather than trying to conceal attacks, and being proactive and implementing robust defenses it is possible for businesses to fight back and make it much harder for cybercriminals.

The post 2017 has seen a 62% Increase in Ransomware Attacks appeared first on HIPAA Journal.

Is GoToMeeting HIPAA Compliant?

Posted by HIPAA Journal

Is GoToMeeting HIPAA complaint? Can GoToMeeting be used by HIPAA-covered entities and their business associates for communicating protected health information without violating HIPAA Rules?

GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations.

In order for collaboration tools to be used by healthcare organizations that are required to comply with Health Insurance Portability and Accountability Act Rules, tools must a subject to a risk analysis and determined to meet the security standards demanded by HIPAA.

Fail to ensure that a particular service is HIPAA compliant and you could violate the privacy of patients, breach HIPAA Rules, and potentially have to cover a sizable financial penalty for non-compliance.

It should be pointed out that no software or communications platform can be truly HIPAA-compliant. Even if appropriate safeguards are incorporated to ensure the confidentiality, integrity, and availability of ePHI, it is still possible to use a ‘HIPAA-compliant’ service in a non-compliant manner. It is up to a HIPAA-covered entity or business associate to ensure that any software or communication platform is configured correctly, is used appropriately, that PHI is only shared or communicated to people authorized to receive the information, and that when information is disclosed, the minimum necessary standard applies.

How secure is GoToMeeting? Is GoToMeeting HIPAA compliant?

Is GoToMeeting HIPAA Compliant?

In order to consider GoToMeeting HIPAA compliant, technical safeguards would need to be incorporated to meet the requirements of the HIPAA Security Rule.

To protect data in transit, GoToMeeting employs full end-to-end data encryption. All transmitted data is protected using HMAC-SHA-1 message authentication codes, while chat, video, audio, and control data are protected in transit using AES 128-bit encryption. AES 128-bit encryption meets the current standards for encryption recommended by NIST.

Protecting data in transit is only one element of HIPAA compliance. If PHI is to be transmitted – via email, secure text messages, or conferencing solutions – there must be audit controls. An audit trail must be maintained allowing activity relating to PHI to be examined. GoToMeeting creates logs of connection and session activity, and access to reporting and management tools are available to account managers.

Controls must also be present that ensure only authorized individuals are able to gain access to the system. GoToMeeting is protected by unique meeting codes and includes the option of setting strong passwords. When meetings are set up they are not publicly listed, and meeting organizers have full control over who can join the meetings.

Each user that wishes to join a meeting must identify themselves using a unique email address and/or number along with a unique password, and users are automatically logged off after a period of inactivity, which can be set by the meeting organizer.

GoToMeeting also confirms on its website, “the technical security controls employed in the GoToMeeting service and associated host and client software meet or exceed HIPAA technical standards.”

While the technical safeguards meet HIPAA requirements, HIPAA-covered entities must also enter into a HIPAA-compliant business associate agreement with service providers prior to using a service for communicating PHI. GoToMeeting offers a business associate agreement which covers use of the service, meeting this regulatory requirement.

So, is GoToMeeting HIPAA-compliant? Provided HIPAA-covered entities and business associates enter into a BAA with GoToMeeting prior to using the service for communicating PHI, GoToMeeting can be used in a HIPAA-compliant manner.

However, as GoToMeeting explains, “Organizations should carefully review all configurable security features of GoToMeeting in the context of their specific environments, user population and policy requirements to determine which features should be enabled and how best to configure.”

The post Is GoToMeeting HIPAA Compliant? appeared first on HIPAA Journal.

Second Draft of the Revised NIST Cybersecurity Framework Published

Posted by HIPAA Journal

The second draft of the revised NIST Cybersecurity Framework has been published. Version 1.1 of the Framework includes important changes to some of the existing guidelines and several new additions.

Version 1.0 of the NIST Cybersecurity Framework was first published in 2014 with the aim of helping operators and owners of critical infrastructure assess their risk profiles and improve their ability to prevent, detect, and respond to cyberattacks. The Framework establishes a common language for security models, practices, and security controls across all industries.

The Framework is based on globally accepted cybersecurity best practices and standards, and adoption of the Framework helps organizations take a more proactive approach to risk management. Since is publication in 2014, the Framework has been adopted by many private and public sector organizations to help them develop and implement effective risk management practices.

Following the release of the CSF, NIST has received numerous comments from public and private sector organizations on potential enhancements to improve usability of the Framework. Those comments were taken on board and incorporated in the first revised draft of the Framework which was published in January 2017. The latest draft includes several refinements that take into account feedback received on the first draft of the revised Framework.

Several changes have been made in version 1.1 of the NIST CSF to meet the requirements of the Cybersecurity Enhancement Act of 2014, which led to the creation of the NIST CSF. The first version of the NIST CSF failed to address all of the requirements, although the latest update brings the NIST CSF closer to meeting all of its initial goals.

The latest version of the Framework clarifies some of the language relating to cybersecurity measurement, further guidance is included on improving supply chain security, and changes have been made to incorporate mitigating risk of IoT devices and operational technology.

NIST has also issued an update to its Roadmap for Improving Critical Infrastructure Security which details several topics that will be considered for upcoming revisions of the Framework and details of future planned activities.

Adoption of the Framework is voluntary for most organizations, which can choose an appropriate implementation tier to suit their cybersecurity risk management practices. However, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May 2017 made adoption of the Framework mandatory for all federal agencies.

Comments on the second draft of the revised NIST Cybersecurity Framework are being accepted until January 19, 2018. The final version of version 1.1 of the Cybersecurity Framework is expected to be released in Spring 2018.

The post Second Draft of the Revised NIST Cybersecurity Framework Published appeared first on HIPAA Journal.

Exploitable IV Infusion Pump and Digital Smart Pen Vulnerabilities Uncovered

Posted by HIPAA Journal

New vulnerabilities that threatens the confidentiality, integrity, and availability of ePHI have been discovered by Spirent SecurityLabs researcher Saurabh Harit.

The vulnerabilities exist in certain digital Smart pens and IV infusion pumps. The vulnerabilities could be exploited to gain access to sensitive patient information, while the IV infusion pump vulnerability could also be exploited to cause patients harm, with potentially fatal consequences for patients.

Smart pens are used by doctors to write prescriptions for medications, which are then transmitted to pharmacies. While the smart pen manufacturers claim the devices do not store sensitive information, Harit was able to gain access to sensitive information through the devices and view patient names, addresses, phone numbers, clinical information, and even medical records.

Harit was able to reverse engineer the smart pens and view the operating system a monitor connected to the device through a serial interface. Initially, low-privilege access to the operating system of the smart pens was gained, but by using an exploit the researcher was able to elevate privileges to gain administrator access. Once administrative rights were gained, and the encryption was defeated, Harit was able to access the backend servers used by the healthcare organization and view sensitive information on patients of several doctors who used the smart pens. The vendors of the smart pens were notified of the flaws and patches have now been released to correct the vulnerability.

Harit also discovered a so far unpatched vulnerability in an IV infusion pump which could be exploited to administer lethal doses of drugs to patients, potentially on all IV pumps used at a particular hospital. Far from being a complex and expensive hack, it was possible with a device that could be purchased for just $7. That device allowed Harit to interface with the pump, read its configuration data, and the access point to which the device connected.

It was possible to set up a fake access point to connect to the device and collect sensitive data on the patient, including the master drug list and doses of drugs to be administered. Harit claims it would be possible to write malware that could attack all IV infusion pumps used by a hospital.

Fortunately, for the vulnerabilities to be exploited, physical access to the devices would be required.

Harit will not disclose the names of the companies or devices affected, but will present the findings on the vulnerabilities at Black Hat Europe later this week.

The post Exploitable IV Infusion Pump and Digital Smart Pen Vulnerabilities Uncovered appeared first on HIPAA Journal.

Effective Identity and Access Management Policies Help Prevent Insider Data Breaches

Posted by HIPAA Journal

The HIPAA Security Rule administrative safeguards require information access to be effectively managed. Only employees that require access to protected health information to conduct their work duties should be granted access to PHI.

When employees voluntarily or involuntarily leave the organization, PHI access privileges must be terminated. The failure to implement procedures to terminate access to PHI immediately could all too easily result in a data breach. Each year there are many examples of organizations that fail to terminate access promptly, only to discover former employees have continued to login to systems remotely after their employment has come to an end.

If HIPAA-covered entities and business associates do not have effective identity and access management policies and controls, there is a significant risk of PHI being accessed by former employees after employment has terminated. Data could be copied and taken to a new employer, or used for malicious purposes. The Department of Health and Human Services’ Office for Civil Rights’ breach portal includes many examples of both.

In its November cybersecurity newsletter, OCR has drawn attention to the risk of these types of insider threats and explains the importance of implementing effective identity and access management policies.

When an employee is terminated or quits, access to PHI must be terminated immediately, preferably before the individual has left the building. There are several ways that access to PHI can be terminated, although most commonly this is achieved by deleting user accounts.

While the employee’s account must be terminated, covered entities must also ensure that other accounts that the employee had access to are secured. Passwords for administrative or privileged accounts should also be changed.

In addition to terminating user accounts to prevent unauthorized accessing of electronic protected health information, OCR reminds covered entities and business associates of the need to also terminate physical access to facilities and health records. Keys and keycards must be returned, users should be removed from access lists, security codes should be changed, and ID cards returned.

If an employee has been issued with a laptop, mobile phone, or other electronic device, they must be recovered. If there is a BYOD policy and employees have been allowed to use their own devices to access or store ePHI, personal devices must be purged.

Since employees may have access to multiple accounts, logs should be created whenever access to PHI or systems is granted, privileges are increased, or equipment is issued. The logs can be used to make sure all accounts are secured and all equipment can be retrieved.

OCR suggests developing a set of standard procedures that can be applied and followed whenever an employee or other workforce member quits or is terminated. A checklist is a good way to ensure that nothing is missed.

Identity and access management policies will only be effective if they are followed 100% of the time. To ensure that is the case, covered entities and business associates should consider conducting audits to confirm procedures are being followed. Audits should also include checking user logs to ensure former employees are not continuing to access systems and data after their employment has been terminated.

Further tips to prevent unauthorized accessing of PHI and ePHI by former employees can be found on this link.

The post Effective Identity and Access Management Policies Help Prevent Insider Data Breaches appeared first on HIPAA Journal.

Apple Releases Patch to Fix Serious MacOS High Sierra Vulnerability

Posted by HIPAA Journal

Earlier this week, Apple discovered an embarrassing flaw in MacOS High Sierra that allows anyone with access to the device, and potentially remote users, to gain access as a root user without a password. The flaw only affects devices running High Sierra version 10.13.1. MacOS Sierra 10.12.6 and earlier versions are unaffected.

The High Sierra vulnerability was discovered by a Turkish software developer, who disclosed the flaw on Twitter in a Tweet to @AppleSupport. Lemi Orhan Ergin discovered that it was possible to login to a Mac running the latest High Sierra version of its operating system with the user name ‘root’ without the need for a password. Simply adding root as the username and clicking login several times allowed an unauthenticated user to login using the root account.

Within 24 hours to the tweet being sent, Apple issued a patch to fix the High Sierra vulnerability, which is available via the App Store app. The vulnerability is a logic error in the validation of credentials., which is tracked as CVE-2017-13872.

While the flaw could be exploited by a local user, remote exploitation is also possible if the device has been infected with malware. If screen sharing is enabled, a remote user that has already gained access to the network could potentially exploit the flaw and gain root privileges.

Apple has issued an apology to customers for the error. An Apple spokesperson said, “We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.” Apple has urged users to apply the patch – Security Update 2017-001 – as soon as possible.

Apple will be installing the patch automatically today. Users should check to make sure the patch has been applied, using the steps detailed below:

  1. Open the Terminal app, which is in the Utilities folder of your Applications folder.
  2. Type: what /usr/libexec/opendirectoryd and press Return.
  3. If Security Update 2017-001 was installed successfully, you will see one of these project version numbers:
    opendirectoryd-483.1.5 on macOS High Sierra 10.13
    opendirectoryd-483.20.7 on macOS High Sierra 10.13.1

The post Apple Releases Patch to Fix Serious MacOS High Sierra Vulnerability appeared first on HIPAA Journal.

Survey Reveals Poor State of Email Security in Healthcare

Posted by HIPAA Journal

A recent survey showed 98% of top healthcare providers have yet to implement the DMARC (Domain-based Message Authentication, Reporting & Conformance) email authentication standard.

The National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cybersecurity Alliance (GCA), and cybersecurity firm Agari investigated the level of DMARC adoption in the healthcare industry and the state of healthcare email security.

For the report, Agari analyzed more than 500 domains used by healthcare organizations and pharmaceutical firms, as well as more than 800 million emails and over 1,900 domains from its Email Trust Network.

The report – Agari Industry DMARC Adoption Report for Healthcare – shows that while DMARC can all but eliminate phishing attacks that impersonate domains, only 2% of the top healthcare organizations and fewer than 23% of all healthcare organizations have adopted DMARC.

Only 21% of healthcare organizations are using DMARC to monitor for unauthenticated emails, yet those organizations are not blocking phishing emails. Only 2% are protecting patients from phishing attacks spoofing their domains. NH-ISC reports that only 30% of its members have adopted DMARC.

The impersonation of domains is a common tactic employed by phishers to fool victims into believing emails have been sent by trusted organizations. The healthcare industry is at the highest risk of being targeted by fraudulent email, according to the report. Over the past 6 months, 92% of healthcare domains have been targeted by phishers and scammers using fraudulent email. 57% of all emails sent from healthcare organizations are fraudulent or unauthenticated.

DMARC has been widely adopted in industry, although the healthcare industry lags behind. The same is true of federal agencies, which have been slow to implement the email security standard. Last month, the U.S Department of Homeland Security addressed this by issuing a Binding Operational Directive, which required all federal agencies to implement DMARC within 90 days.

The healthcare industry is being urged to do the same. NH-ISAC is already encouraging its members to adopt DMARC, while the GCA has launched a ‘90-Days to DMARC’ challenge, which commences on December 1. Under the challenge, GCA will be releasing guidance, conducting webinars, and making resources available to help healthcare organizations plan, implement, analyze, and adjust DMARC.

“GCA is challenging organizations in all sectors to follow the path set forward by DHS. We applaud NH-ISAC for calling upon its members to implement DMARC,” said Phil Reitinger, President and CEO of GCA.

Jim Routh, CSO, Aetna, said “The implementation of DMARC for Aetna improved the consumer experience by eliminating unwanted and fraudulent email which reduced the risk of phishing, resulting in more email engagement and healthier lives for members.”

“Successful DMARC implementations from Aetna, Blue Shield of California and Spectrum Health are leading the way for other healthcare industry organizations to restore trust in communications,” said Patrick Peterson, founder and executive chairman of Agari.

The post Survey Reveals Poor State of Email Security in Healthcare appeared first on HIPAA Journal.

NHS to Hire Hackers to Probe for Security Vulnerabilities and Prevent Future Cyberattacks

Posted by HIPAA Journal

In May this year, the hackers behind WannaCry ransomware exploited vulnerabilities in the UK’s National Health Service (NHS) systems and installed their malicious payload, causing considerable disruption to services at several NHS Trusts.

More than 50 NHS Trusts were affected by the WannaCry ransomware attacks, resulting in appointments being cancelled and operations being postponed. There was widespread disruption while the malware attack was mitigated. Had the kill switch not been found and flipped, the fallout would have been far worse.

600 GP surgeries were impacted by the attacks, five hospitals were forced to divert ambulances to other hospitals, and more than 19,500 appointments were cancelled as a result of the WannaCry. The attacks affected 1% of all devices and diagnostic equipment used by the NHS.

The WannaCry ransomware attacks prompted the government to launch an independent investigation into the state of cybersecurity at the NHS. Last month, the National Audit Office (NAO) released its report which confirmed the extent of disruption and the poor state of cybersecurity.

The post-mortem after the attack revealed outdated and unsupported operating systems were still in use in many NHS trusts, and basic security measures to prevent attacks had not been implemented. According to the report, multiple warnings had been issued about the risk of cybercriminals exploiting vulnerabilities, but it took the WannaCry attack before action was taken.

Amyas Morse, Chief of the NAO, said the WannaCry attacks were “relatively unsophisticated”, and that the attacks could have easily been prevented with basic cybersecurity measures. Morse issued a warning, saying, “The Department [of Health] and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

There is currently a funding crisis at the NHS, although even so, the importance of improving cybersecurity defences has seen £20 million set aside to fund a cybersecurity unit to improve digital defences. Part of that fund will pay for ethical hackers who will conduct penetration tests to find exploitable vulnerabilities before they are found and exploited by cybercriminals. This proactive approach to cybersecurity should allow future cyberattacks to be prevented, ensuring security weaknesses are found and addressed rapidly.

The initial pen testing will be conducted on NHS Digital’s systems to ensure its cybersecurity defences are sufficiently robust, before the team of ethical hackers turn their attention to NHS Trusts and hospitals.

NHS Digital, which has tendered for the contract, also plans to create a national cybersecurity monitoring and alerting service covering the entire health system in the UK. The new system will provide near real-time alerts on the latest threats, allowing rapid action to be taken by hospitals and Trusts to secure systems when new vulnerabilities and threats are identified.

The post NHS to Hire Hackers to Probe for Security Vulnerabilities and Prevent Future Cyberattacks appeared first on HIPAA Journal.

HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security

Posted by HIPAA Journal

The House Committee on Energy and Commerce has urged the HHS to act on all recommendations for medical device security suggested by the Healthcare Cybersecurity Task Force, calling for prompt action to be taken to address risks.

The Cybersecurity Act of 2015 required Congress to form the Healthcare Cybersecurity Task Force to help identify and address the unique challenges faced by the healthcare industry when securing data and protecting against cyberattacks.

While healthcare organizations are increasing their spending on technologies to prevent cyberattacks, medical devices remain a major weak point and could easily be exploited by cybercriminals to gain access to healthcare networks and data.

Earlier this year, the Healthcare Cybersecurity Task Force made a number of recommendations for medical device security. However, the Department of Health and Human Services has not yet acted on all of the recommendations. The House Committee on Energy and Commerce has now urged the HHS to take action on all the Cybersecurity Task Force’s recommendations.

Last week, Greg Walden (D-Or), Chair of the House Committee on Energy and Commerce, wrote to the HHS, explaining one of the main problems with new technologies is a lack of understanding of their hardware, software, and components.

In the letter, Walden explained, “Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exist within the technologies on which they rely to provide vital medical care.”

As Walden explained, the NotPetya and WannaCry ransomware attacks proved that to be the case. Those attacks leveraged a vulnerability in Windows Server Message Block (SMBv1), and following the attacks, healthcare organizations were scrambling to determine which technologies within their networks leveraged SMBv1 to allow them to mitigate risk. That task was made all the more difficult, as information on technologies that leveraged SMBv1 was lacking or was simply unavailable.

Those ransomware/wiper attacks are just two examples. It was the same situation for the SamSam ransomware attacks that leveraged a vulnerability in JBoss, while in 2015, vulnerabilities in the Telnet protocol were discovered. Telnet was used in many medical devices, although the devices that used Telnet was not abundantly clear.

“The existence of insecure or outdated protocols and operating systems within medical technologies is a reality of modern medicine. At the same time, however, this leaves healthcare organizations vulnerable to increasingly sophisticated and rapidly evolving cyber threats,” wrote Walden.

Walden pointed out that the Cybersecurity Task Force has called for a Bill of Materials as a possible solution to the problem. The Bill of Materials would exist for all medical technologies, which detail all the components, software, hardware and protocols used, and any known risks associated with those components. Such a Bill of Materials would make it much easier for healthcare organizations to make security decisions, and mitigate risk when new vulnerabilities are identified.

Having a Bill of Materials for all technologies would not completely protect the healthcare industry, but Walden explains it is a “common sense step” to improving cybersecurity in the industry as a whole.

The HHS has been urged to convene a sector-wide effort to develop a plan for the creation and deployment of BOMs. Walden called for a plan of action be provided by the HHS no later than December 15, 2017.

The post HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security appeared first on HIPAA Journal.