Healthcare Cybersecurity

How Can Healthcare Organizations Prevent Phishing Attacks?

Posted by HIPAA Journal

The threat from phishing is greater than ever before. Healthcare organizations must now invest heavily in phishing defenses to counter the threat and prevent phishing attacks and the theft of credentials and protected health information.

Phishing on an Industrial Scale

More phishing websites are being developed than ever before. The scale of the problem was highlighted in the Q3 Quarterly Threat Trends Report from Webroot. In December 2016, Webroot reported there were more than 13,000 new phishing websites created every day – Around 390,000 new phishing webpages every month. By Q3, 2017, that figure had risen to more than 46,000 new phishing webpages a day – around 1,385,000 per month. The report indicated 63% of companies surveyed had experienced a phishing related security incident in the past two years.

Phishing webpages need to be created on that scale as they are now detected much more rapidly and added to blacklists. Phishing websites now typically remain active for between 4-6 hours, although that short time frame is sufficient for each site to capture many users’ credentials. Many of those websites also have an SSL certificate, so they appear to users to be secure websites. A website starting with HTTPS is no guarantee that it is not being used for phishing.

Study Provides Insight into Phishing Tactics

While phishers often use their own domains to phish for credentials, a recent report from Duo Security showed legitimate websites are increasingly being compromised and loaded with phishing kits. The study identified more than 3,200 unique fishing kits spread across 66,000 URLs. These phishing kits are being traded on underground marketplaces and sold to accomplished phishers and wannabe cybercriminals. 16% of those URLs were on HTTPS websites.

Duo Security notes that persistence is maintained by creating a .htaccess file that blocks the IP addresses of threat intelligence gathering firms to prevent detection. The Webroot report also highlighted an increase in the use of benign domains for phishing.

The phishing kits are typically loaded into the wp-content, wp-includes, and wp-admin paths of WordPress sites, and the signin, images, js, home, myaccount, and css folders on other sites. Organizations should monitor for file changes in those directories to ensure their sites are not hijacked by phishers. Strong passwords should also be used along with non-standard usernames and rate limiting on login attempts to improve resilience against brute force attacks.

How to Prevent Phishing Attacks

Unfortunately, there is no single solution that will allow organizations to prevent phishing attacks, although it is possible to reduce risk to an acceptable level. In the healthcare industry, phishing defenses are a requirement of HIPAA and steps must be taken to reduce risk to a reasonable and acceptable level. The failure to address the risk from phishing can result in financial penalties for noncompliance.

Defenses should include a combination of technological solutions to prevent the delivery of phishing emails and to block access to phishing URLs. Employees must also receive regular training to help them identify phishing emails.

As OCR pointed out in its July Cybersecurity newsletter, HIPAA (45 C.F.R. § 164.308(a)(5)(i)) requires organizations to provide regular security awareness training to employees to help prevent phishing attacks. OCR explained that “An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them.”

Due to the increased use of HTTPS, it is no longer sufficient for users to check that the site is secure to avoid phishing scams. While a site starting with HTTPS does give an indication that the site is secure, it is important that end users do not automatically trust those websites and let their guard down. Just because a website has an SSL certificate it does not mean it can be trusted. Users should also be told to pay particular attention to the domain name to make sure that they are visiting their intended website, and always to exercise caution before deciding to disclose any login credentials.

Even with security awareness training, employees cannot be expected to recognize all phishing attempts. Phishers are developing increasingly sophisticated phishing emails that are barely distinguishable from genuine emails. Websites are harder to identify as malicious, emails are well written and convincing, and corporate branding and logos are often used to fool end users. Technological solutions are therefore required to reduce the number of emails that reach inboxes, and to prevent users from visiting malicious links when they do.

A spam filtering solution is essential for reducing the volume of emails that are delivered. Organizations should also consider using a web filtering solution that can block access to known phishing websites. The most effective real-time URL filtering solutions do not rely on blacklists and banned IP addresses to block attacks. Blacklists still have their uses and can prevent phishing attacks, but phishing websites are typically only active for a few hours – Before the sites are identified as malicious and added to blacklists. A range of additional detection mechanisms are required to block phishing websites. Due to the increase in phishing sites on secure websites, web filters should be able to decrypt, scan, and re-encrypt web traffic.

Healthcare organizations should also sign up to threat intelligence services to receive alerts about industry-specific attacks. To avoid being swamped with irrelevant threat information, services should be tailored to ensure only treat information relevant to each organization is received.

The post How Can Healthcare Organizations Prevent Phishing Attacks? appeared first on HIPAA Journal.

When Should You Promote HIPAA Awareness?

Posted by HIPAA Journal

All employees must receive training on HIPAA Rules, but when should you promote HIPAA awareness? How often should HIPAA retraining take place?

HIPAA-covered entities, business associates and subcontractors are all required to comply with HIPAA Rules, and all workers must receive training on HIPAA. HIPAA training should ideally be provided before any employee is given access to PHI.

Training should cover the allowable uses and disclosures of PHI, patient privacy, data security, job-specific information, internal policies covering privacy & security, and HIPAA best practices.

The penalties for HIPAA violations, and the consequences for individuals discovered to have violated HIPAA Rules, must also be explained. If employees do not receive training, they will not be aware of their responsibilities and privacy violations are likely to occur.

Additional training must also be provided whenever there is a material change to HIPAA Rules or internal policies with respect to PHI, following the release of new guidance, or implementation of new technology.

HIPAA Training Cannot be a One-Time Event

The provision of training at the start of an employment contract is essential, but training cannot be a one-time event. It is important to ensure employees do not forget about their responsibilities, so retraining is necessary and a requirement for continued HIPAA compliance.

HIPAA does not specify how often retraining should occur, as this is left to the discretion of the covered entity. HIPAA only requires retraining to be conducted ‘regularly.’ The industry best practice is for retraining to take place annually.

The HIPAA Privacy Rule Administrative requirements, detailed in 45 CFR § 164.530, require all members of the workforce to receive training on HIPAA Rules and policies and procedures with respect to PHI. Training should be provided, as appropriate, to allow employees to conduct their work duties and functions within the covered entity. One training program therefore does not fit all. HIPAA training for the IT department is likely to be different to training provided to administrative workers. The Privacy Rule requires training to be provided for all new employees “within a reasonable timeframe”.

The HIPAA standard 45 CFR § 164.308(a)(5) covers two types of training – Job-specific training and security awareness training, neither of which can be a one-time event.

While it is important to provide training for HIPAA compliance and security awareness, it is also important to ensure that training has been understood, that it is remembered, and to ensure HIPAA Rules are followed on a day to day basis. It therefore recommended that you promote HIPAA awareness throughout the year.

How to Promote HIPAA Awareness

There is no hard and fast rule for HIPAA retraining and there are many ways that healthcare organizations can promote HIPAA awareness. While formal training sessions can be conducted on an annual basis, the use of newsletters, email bulletins, posters, and quizzes can all help to raise and maintain awareness of HIPAA Rules.

In the case of security awareness training this is especially important. Annual training on HIPAA is a good best practice, but it is important to promote HIPAA awareness with respect to security more frequently. It is a good best practice to provide security awareness training biannually and issue cybersecurity updates on a monthly basis. Any specific threats to the workforce should be communicated as necessary – new phishing threats for instance. However, care should be taken not to bombard employees with threat information, to avoid employees suffering from alert fatigue.

When HIPAA Retraining Required?

In addition to annual refresher training sessions, retraining on HIPAA Rules is recommended following any privacy or security violation and after a data breach has been experienced.

While the individuals concerned should be retrained, it is a good best practice to take these incidents as a training opportunity for all staff to ensure similar breaches do not occur in the future. If one employee makes a mistake with HIPAA, it is possible that others have failed to understand HIPAA requirements or are making similar mistakes.

The post When Should You Promote HIPAA Awareness? appeared first on HIPAA Journal.

Is G Suite HIPAA Compliant?

Posted by HIPAA Journal

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules?

Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider.

Making G Suite HIPAA Compliant (by default it isn’t)

As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules.

Obtain a BAA from Google

One important requirement of HIPAA is to obtain a signed, HIPAA-compliant business associate agreement (BAA).

Google first agreed to sign a business associate agreement with healthcare organizations in 2013, back when G Suite was known as Google Apps. The BAA must be obtained prior to G Suite being used to store, maintain, or transmit electronic protected health information. Even though privacy and security controls are in place, the failure to obtain a BAA would be a HIPAA violation.

Obtaining a signed BAA from Google is the first step toward HIPAA compliance, but a BAA alone will not guarantee compliance with HIPAA Rules.

Configure Access Controls

Before G Suite can be used with any ePHI, the G Suite account and services must be configured correctly via the admin console. Access controls must be set up to restrict access to the services that are used with PHI to authorized individuals only. You should set up user groups, as this is the easiest way of providing – and blocking – access to PHI, and logs and alerts must be also be configured.

You should also make sure all additional services are switched off if they are not required, switch on services that include PHI ‘on for some organizations,’ and services that do not involve PHI can be switched on for everyone.

Set Device Controls

HIPAA-covered entities must also ensure that the devices that are used to access G Suite include appropriate security controls. For example, if a smartphone can be used to access G Suite, if that device is lost or stolen, it should not be possible for the device to be used by unauthorized individuals. A login must be required to be entered on all mobiles before access to G Suite is granted, and devices configured to automatically lock. Technology that allows the remote erasure of all data (PHI) stored on mobile devices should also be considered. HIPAA-covered entities should also set up two-factor authentication.

Not All Google Services are Covered by the BAA

You may want to use certain Google services even if they are not covered by the BAA, but those services cannot be used for storing or communicating PHI. For example, Google+ and Google Talk are not included in the BAA and cannot be used with any PHI.

If you do decide to leave these services on, you must ensure that your policies prohibit the use of PHI with these services and that those policies are effectively communicated to all employees. Employees must also receive training on G Suite with respect to PHI to ensure HIPAA Rules are not accidentally violated.

What Services in G Suite are HIPAA Compliant?

At the time of writing, only the following core services of G Suite are covered by Google’s BAA, and can therefore be used with PHI:

  • Gmail (Not free Gmail accounts)
  • Calendar
  • Drive
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Hangouts (Chat messaging only)
  • Google Cloud Search
  • Vault

Google Drive

In the case of Google Drive, it is essential to limit sharing to specific people. Otherwise it is possible that folders and files could be accessed by anyone over the Internet> drives should be configured to only allow access by specific individuals or groups. Any files uploaded to Google Drive should not include any PHI in titles of files, folders, or Team Drives.

Gmail

Gmail, the free email service offered by Google, is not the same as G Suite. Simply using a Gmail account (@gmail.com) to send PHI is not permitted. The content of Gmail messages is scanned by third parties. If PHI is included, it is potentially being ‘accessed’ by third parties, and deleting an email does not guarantee removal from Google’s servers. Free Gmail accounts are not HIPAA compliant.

G Suite HIPAA Compliance is the Responsibility of Users

Google encourages healthcare organizations to use G Suite and has done what it can to make G Suite HIPAA compliant, but Google clearly states it is the responsibility of the user to ensure that the requirements of HIPAA are satisfied.

Google help healthcare organziations make G Suite HIPAA compliant, Google has developed guidance for healthcare organizations on setting up G Suite: See Google’s G Suite HIPAA Implementation Guide.

The post Is G Suite HIPAA Compliant? appeared first on HIPAA Journal.

New Study Reveals Lack of Phishing Awareness and Data Security Training

Posted by HIPAA Journal

There is a commonly held view among IT staff that employees are the biggest data security risk; however, when it comes to phishing, even IT security staff are not immune. A quarter of IT workers admitted to falling for a phishing scam, compared to one in five office workers (21%), and 34% of business owners and high-execs, according to a recent survey by Intermedia.

For its 2017 Data Vulnerability Report, Intermedia surveyed more than 1,000 full time workers and asked questions about data security and the behaviors that can lead to data breaches, malware and ransomware attacks.

When all it takes is for one employee to fall for a phishing email to compromise a network, it is alarming that 14% of office workers either lacked confidence in their ability to detect phishing attacks or were not aware what phishing is.

Confidence in the ability to detect phishing scams was generally high among office workers, with 86% believing they could identify phishing emails, although knowledge of ransomware was found to be lacking, especially among female workers. 40% of female workers did not know what ransomware was, compared to 28% of male workers. 31% of respondents said they did not know what ransomware was prior to taking part in staff training sessions.

The survey revealed security awareness training was lacking at many businesses. 30% of office workers said they did not receive regular training on how to deal with cyber threats. Even though the threat level has risen significantly in the past two years, many businesses have not responded. The 2015 data vulnerability report shows 72% of companies regularly communicated cyber threat information to employees and provided regular training, but in 2017 little has changed. Only 70% of companies provide regular training and threat information to employees. 11% of companies offered no security training whatsoever.

The recently published Global State of Security Survey by Pricewaterhouse Coopers, which was conducted globally on 9,500 executives in 122 countries, suggests the percentage of companies that do not provide security awareness training may well be far higher – 48% of respondents to that survey said they have no employee security awareness training program in place.

Many Employees Pay Ransoms Personally

One of the most interesting insights into ransomware attacks on businesses from the Intermedia study was many employees are so embarrassed and concerned about installing ransomware that they pay the ransom demand out of their own pocket.

Out of the office workers that had experienced a ransomware attack, 59% personally paid the ransom. 37% said the ransom was paid by their employer. The average ransom payment was $1,400. The ransom was typically paid quickly in the hope that data could be restored before anyone else found out about the attack.

While employees were not asked whether they would be made to pay the ransom by their employers, paying the ransom quickly to prevent anyone discovering the attack is unlikely to work. Even when the ransom is paid, businesses still experience considerable downtime. The same study also indicates one in five ransom payments will not see viable decryption keys provided by the attackers.

The post New Study Reveals Lack of Phishing Awareness and Data Security Training appeared first on HIPAA Journal.

HIMSS Draws Attention to Five Current Cybersecurity Threats

Posted by HIPAA Journal

In its October Cybersecurity report, HIMSS draws attention to five current cybersecurity threats that could potentially be used against healthcare organizations to gain access to networks and protected health information.

Wi-Fi Attacks

Security researchers have identified a new attack method called a key reinstallation (CRACK) attack that can be conducted on WiFi networks using the WPA2 protocol. These attacks take advantage of a flaw in the way the protocol performs a 4-way handshake when a user attempts to connect to the network. By manipulating and replaying the cryptographic handshake messages, it would be possible to reinstall a key that was already in use and to intercept all communications. The use of a VPN when using Wi-Fi networks is strongly recommended to limit the potential for this attack scenario and man-in-the-middle attacks.

BadRabbit Ransomware

Limited BadRabbit ransomware attacks have occurred in the United States, although the NotPetya style ransomware attacks have been extensive in Ukraine. As with NotPetya, it is believed the intention is to cause disruption rather than for financial gain. The attacks are now known to use NSA exploits that were also used in other global ransomware attacks. Mitigations include ensuring software and operating systems are kept 100% up to date and all patches are applied promptly. It is also essential for that backups are regularly performed. Backups should be stored securely on at least two different media, with one copy stored securely offsite on an air-gapped device.

Advanced Persistent Threats

A campaign conducted by an APT group known as Dragonfly has been ongoing since at least May 2017. The APT group is targeting critical infrastructure organizations. The typical attack scenario is to target small networks with relatively poor security, and once access has been gained, to move laterally to major networks with high value assets. While the group has primarily been attacking the energy sector, the healthcare industry is also at risk. Further information on the threat and the indicators of compromise can be found on the US-CERT website.

DDE Attacks

In October, security researchers warned of the risk of Dynamic Data Exchange (DDE) attacks targeting Outlook users. This attack scenario involves the use of calendar invites sent via phishing emails. The invites are sent in Rich Text Format, and opening the invites could potentially result in the installation of malware. Sophos warned of the threat and suggested one possible mitigation is to view emails in plaintext. These attacks will present a warning indicating attachments and email and calendar invites contain links to other files. Users should click no when asked to update documents with data from the linked files.

Medical Device Security

HIMSS has drawn attention to the threat of attacks on medical devices, pointing out that these are a soft-spot and typically have poor cybersecurity protections. As was pointed out with the APT critical infrastructure attacks, it is these soft spots that malicious actors look to take advantage of to gain access to networks and data. HIMSS has warned healthcare organizations to heed the advice of analysts, who predict the devices will be targeted with ransomware. Steps should be taken to isolate the devices and back up any data stored on the devices, or the computers and networks to which they connect.

Medical device security was also the subject of the Office for Civil Rights October cybersecurity newsletter.

While not specifically mentioned in its list of current cybersecurity threats, the threat from phishing is ongoing and remains one of the most serious threats to the confidentiality, integrity, and availability of PHI. The threat can be reduced with anti-phishing defenses such as spam filtering software and with training to improve security awareness.

The post HIMSS Draws Attention to Five Current Cybersecurity Threats appeared first on HIPAA Journal.

Tips for Reducing Mobile Device Security Risks

Posted by HIPAA Journal

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level.

As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI).

As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records.

17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand encryption for mobile devices, yet such a security measure could have prevented a high percentage of the 71 data breaches reported to OCR.

When a mobile device containing ePHI is lost or stolen, the HIPAA Breach Notification Rule requires the breach to be reported and notifications to be sent to affected individuals. If PHI has been encrypted and a device containing ePHI is lost or stolen, notifications need not be sent as it would not be a HIPAA data breach. A breach report and patient notifications are only required for breaches of unencrypted PHI, unless the key to decrypt data is also obtained.

Even though HIPAA does not demand the use of encryption, it must be considered. If the decision is taken not to encrypt data, the decision must be documented and an alternative safeguard – or safeguards – must be employed to ensure the confidentiality, integrity, and availability of ePHI. That alternative safeguard(s) must provide a level of protection equivalent to encryption.

Before the decision about whether or not to encrypt data can be made, HIPAA covered entities must conduct an organization-wide risk analysis, which must include all mobile devices. All risks associated with the use of mobile devices must be assessed and mitigated – see 45 C.F.R. § 164.308(a)(1)(ii)(A)–(B).

OCR Reminds Covered Entities of Need to Address Risks Associated with Mobile Devices

In its October 2017 Cybersecurity Newsletter, OCR reminded covered entities of the risks associated with mobile devices that are used to create, receive, maintain, or transmit ePHI. HIPAA covered entities were reminded of the need to conduct an organization-wide risk assessment and develop a risk management plan to address all mobile device security risks identified during the risk analysis and reduce them to an appropriate and acceptable level.

While many covered entities allow the use of mobile devices, some prohibit the use of those devices to create, receive, maintain, or transmit ePHI. OCR reminds covered entities that if such a policy exists, it must be communicated to all staff and the policy must be enforced.

When mobile devices can be used to create, receive, maintain, or transmit ePHI, appropriate safeguards must be implemented to reduce risks to an appropriate and acceptable level. While loss or theft of mobile devices is an obvious risk, OCR draws attention to other risks associated with the devices, such as using them to access or send ePHI over unsecured Wi-Fi networks, viewing ePHI stored in the cloud, or accessing or sharing ePHI via file sharing services.

OCR also remined covered entities to ensure default settings on the devices are changed and how healthcare employees must be informed of mobile device security risks, taught best practices, and the correct way to uses the device to access, store, and transmit ePHI.

OCR offers the following advice to covered entities address mobile security risks and keep ePHI secure at all times.

To access OCR’s guidance – Click here.

OCR’s Tips for Reducing Mobile Device Security Risks

  • Implement policies and procedures regarding the use of mobile devices in the work place – especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
  • Include training on how to securely use mobile devices in workforce training programs.

Penalties for Failing to Address Mobile Security Risks

The failure to address mobile device security risks could result in a data breach and a penalty for noncompliance with HIPAA Rules. Over the past few years there have been several settlements reached between OCR and HIPAA covered entities for the failure to address mobile device security risks.

These include:

Covered Entity HIPAA Violation Individuals Impacted Penalty
Children’s Medical Center of Dallas Theft of unencrypted devices 6,262 $3.2 million
Oregon Health & Science University Loss of unencrypted laptop / Storage on cloud server without BAA 4,361 $2,700,000
Cardionet Theft of an unencrypted laptop computer 1,391 $2.5 million
Catholic Health Care Services of the Archdiocese of Philadelphia Theft of mobile device 412 $650,000

Addressing Mobile Device Security Risks

Mobile device security risks must be reduced to a reasonable and appropriate level.  Some of the mobile device security risks, together with mitigations, have been summarized in the infographic below. (Click image to enlarge)

mobile device security risks

The post Tips for Reducing Mobile Device Security Risks appeared first on HIPAA Journal.

Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017

Posted by HIPAA Journal

As recent healthcare breach notices have shown, phishing poses a major threat to the confidentiality of protected health information (PHI). The past few weeks have seen several healthcare organizations announce email accounts containing the PHI of thousands of patients have been accessed by unauthorized individuals as a result of healthcare employees responding to phishing emails.

Report Shows Massive Rise in Phishing Attacks Using Malicious URLs

This week has seen the publication of a new report that confirms there has been a major increase in malicious email volume over the past few months.

Proofpoint’s Quarterly Threat Report, published on October 26, shows malicious email volume soared in quarter 3, 2017. Compared to the volume of malicious emails recorded in quarter 2, there was an 85% rise in malicious emails in Q3.

While attachments have long been used to deliver malware downloaders and other malicious code, Q3 saw a massive rise in phishing attacks using malicious URLs. Clicking those links directs end users to websites where malware is downloaded or login credentials are harvested.

Proofpoint’s analysis shows there was a staggering 600% increase in phishing attacks using malicious URLs in Q3. Compared to 2016, the use of malicious URLs has increased by a staggering 2,200%. The volume of malicious emails has not been that high since 2014.

Locky is Back With a Vengeance

For its report, Proofpoint analyzed more than one billion emails and hundreds of millions of social media posts, and identified and analyzed more than 150 million malware samples.

Out of all of the email threats analyzed, 64% were used to deliver ransomware. At the start of the year, Cerber ransomware was the biggest ransomware threat, having taken over from Locky, but in Q3, Locky came back with a vengeance. Locky ransomware accounted for 55% of all malicious payloads and 86% of all ransomware payloads. There were also notable increases in other ransomware variants, including Philadelphia and Globelmposter.

The second biggest threat was banking Trojans, which accounted for 24% of all malicious payloads. Proofpoint’s report shows the Dridex Trojan has fallen out of favor somewhat, with The Trick now the biggest threat in this category. Downloaders accounted for 6% of malicious emails and information stealers 5%.

In the first half of 2016, exploit kits were being extensively used to deliver malware and ransomware, although exploit kit activity dwindled throughout the year and all but stopped by 2017. However, exploit kit activity is climbing once again, with the Rig the most commonly used exploit kit. Proofpoint notes that rather than just using exploits, the actors behind these EKs are now incorporating social engineering techniques into their campaigns to fool users into downloading malware.

Social media attacks also rose, in particular so called “angler attacks” via Twitter. These attacks involve the registration of bogus support accounts. Twitter is monitored for customers who are experiencing difficulty with software, and when a complaint is made, the user is sent a tweet from the bogus account containing malicious links.

Proofpoint also noted a 12% rise in email fraud in Q3, up 32% from last year, and a notable rise in typosquatting and domain spoofing. The registration of suspicious domains now outnumbers defensive domain registrations by 20 to 1.

The advice to all organizations is to implement robust spam filtering software to block malicious emails, use solutions to block malicious URLS such as web filters, use email authentication to stop domain spoofing, and to take steps to protect brands on social media. The risk from look-alike domains can be greatly reduced with defense domain purchases – registering all similar domains before the typosquatters do.

The post Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017 appeared first on HIPAA Journal.

Bad Rabbit Ransomware Spread Via Fake Flash Player Updates

Posted by HIPAA Journal

A new ransomware threat has been detected – named Bad Rabbit ransomware – that has crippled businesses in Russia, Ukraine, and Europe. While Bad Rabbit ransomware attacks do not appear to have been conducted in the United States so far, healthcare organizations should take steps to block the threat.

There are similarities between Bad Rabbit ransomware and NotPetya, which was used in global attacks in June. Some security researchers believe the new threat is a NotPetya variant, others have suggested it is more closely related to a ransomware variant called HDDCryptor. HDDCryptor was used in the ransomware attack on the San Francisco Muni in November 2016.

Regardless of the source of the code, it spells bad news for any organization that has an endpoint infected. Bad Rabbit ransomware encrypts files using a combination of AES and RSA-2048, rendering files inaccessible. As with NotPetya, changes are made to the Master Boot Record (MBR) further hampering recovery. This new ransomware threat is also capable of spreading rapidly inside a network.

The recent wave of attacks started in Russia and Ukraine on October 24, with attacks also reported in Bulgaria, Germany, Turkey, and Japan. ESET and Kaspersky Lab have analyzed the new ransomware variant and have established that it is being spread by drive-by downloads, with the ransomware masquerading as a Flash Player update.

The actors behind this latest campaign appear to have compromised the websites of several news and media agencies, which are being used to display warnings about an urgent Flash Player update. No exploits are believed to be involved. User interaction is required to download and run the ransomware.

Users that respond to the Flash Player warning download a file named “install_flash_player.exe.” Running that executable will launch the ransomware. After files have been encrypted and the MBR has been altered, the ransomware reboots the infected device and the ransom note is displayed.

The ransom amount is 0.5 Bitcoin ($280) per infected device. Victims must pay the ransom within 40 hours or the ransom will increase. Whether payment of the ransom allows files to be recovered is uncertain.

The ransomware is also spreading within networks via SMB, although no NSA exploits are believed to be used. Instead, the ransomware scans for network shares and uses Mimikatz to harvest credentials. The ransomware also cycles through a list of commonly used usernames and passwords. If the correct credentials are found, a file called infpub.dat is dropped and executed using rundll.exe. This process allows the ransomware to spread quickly within a network.

There have been at least 200 infections as of this morning, including the Kiev Metro, Odessa International Airport in Ukraine, the Ministry of Infrastructure of Ukraine, and the Russian Interfax and Fontanka news agencies.

Indicators of compromise have been released by Kaspersky Lab and ESET.

It is possible to vaccinate devices to prevent Bad Rabbit ransomware attacks. Kaspersky Lab suggestsrestricting execution of files with the paths c:\windows\infpub.dat and C:\Windows\cscc.dat.” Alternatively, create those two files in the C:\\Windows\ directory and remove all permissions on those files for all users.  

The post Bad Rabbit Ransomware Spread Via Fake Flash Player Updates appeared first on HIPAA Journal.

Nuance Communications Urged to Share Details of NotPetya Wiper Attack

Posted by HIPAA Journal

While the healthcare industry was largely unaffected by the NotPetya wiper attacks in June, a HIPAA business associate of many U.S. healthcare organizations was badly affected.

Burlington, MA-based Nuance Communications – a provider of dictation and transcription services – had the NotPetya wiper installed on its system. The attack crippled Nuance, preventing many healthcare organizations from using its services. It took a month for full services to be resumed. Many of the firm’s healthcare clients were prevented from using its services for several days, and in some cases weeks.

While malware and ransomware attacks are usually reportable breaches under HIPAA Rules, Nuance Communications did not report its attack to the Department of Health and Human Services’ Office for Civil Rights. Nuance Communications conducted a risk assessment and determined that the nature of the attack did not warrant a report of the breach to be submitted to OCR.

While NotPetya was initially thought to be ransomware, it was soon determined to be a wiper. The purpose of the attack was not data theft, but sabotage. Nuance communications did not experience a breach of ePHI, therefore the decision was made not to report the attack, although a media notice was issued explaining ePHI was made unavailable as a result of the attack – Nuance was forced to shut down its systems to prevent the spread of the virus.

It is not possible to prevent all cyberattacks, but it is possible to learn from those security breaches and improve controls to ensure similar breaches do not occur in the future. Nuance has certainly learned a lesson, but other healthcare organizations could also benefit if information about the NotPetya wiper attack is shared.

That certainly appears to be the view of the House Committee on Energy and Commerce. Greg Walden, R-Ore., chair of the House Committee on Energy and Commerce, recently wrote to Nuance requesting the House Committee be given a formal briefing on the breach to better understand the nature of the attack, the circumstances surrounding the incident, and the steps that were taken by Nuance to recover from the attack and restore its systems and services.

“While Nuance has announced that impacted services have been fully restored, Nuance’s original infection and its effects adds to the growing list of concerns about the potential consequences of cyber threats to the healthcare sector,” wrote Walden. “It is important, therefore, for the committee to understand the details of this event so we can work together to ensure appropriate lessons are identified and addressed. Learning from this event will not only benefit the healthcare sector, but also the millions of patients who depend on the availability of its products and services.”

The House Committee is seeking further information due to extensive disruption it caused. Walden said, “Nuance’s role as a transcription and dictation provider for a large percentage of the healthcare sector sets its infection and subsequent availability issues apart and raises the possibility of more serious aftereffects for the healthcare sector as a whole.”  Walden has requested the formal briefing take place before November 2, 2017.

The post Nuance Communications Urged to Share Details of NotPetya Wiper Attack appeared first on HIPAA Journal.