Healthcare Cybersecurity

Health3PT Shares Best Practices for Improving Third Party Risk Management in Healthcare

The Health 3rd Party Trust Initiative (Health3PT) has published the findings of a recent survey of HIPAA-covered entities and their business associates that explored the current state of third-party cyber risk management in healthcare and identified some of the key challenges faced by HIPAA-regulated entities.

Supply chain vendors and service providers introduce risks that need to be identified, managed, and reduced to a low and acceptable level; however, the methods used to manage third-party risks are often burdensome and inadequate. According to the survey, which was conducted on 59 HIPAA-covered entities and 128 business associates, significant resources and money are committed to managing third-party risk but 68% of covered entities and 79% of business associates say third-party risk management (TPRM) processes are inefficient and 60% of HIPAA-covered entities and 72% of business associates think TPRM is not effective at preventing data breaches.

55% of healthcare organizations have experienced a data breach in the past year through a third party, and 90% of the most significant healthcare data breaches in 2022 occurred at business associates of HIPAA-covered entities. The average cost of those data breaches was more than $10 million per incident. According to Health3PT, there are significant blind spots in organizations’ third-party information security management programs. These are caused by organizations and vendors handling assessments differently and, in many cases, relying on manual processes.

Many organizations lack the necessary resources to follow up on vendor risk management efforts, and while vendors provide assurances that information security controls have been implemented, they do not consistently demonstrate that appropriate controls are in place. One of the main problems is covered entities and business associates relying on outdated TPRM approaches which result in inconsistent and unclear risk management outcomes. TPRM processes at many healthcare organizations have not changed for decades and were not particularly effective even when they were introduced as they were adopted from other verticals and never properly matched the needs of healthcare organizations. These processes have also failed to maintain pace with advances in technology, such as the use of the cloud.

The biggest challenge for covered entities is keeping pace with the volume of security assessments. Due to the number of vendors used by healthcare organizations, vendor audit fatigue often sets in. Healthcare organizations are receiving a high volume of security questionnaires from vendors but they do not have the necessary IT resources to deal with the questionnaires they receive, which means third-party vendors are not properly evaluated and risks fail to be properly addressed. Other key challenges were getting vendors to address deficiencies, the turnaround time for assessments, obtaining transparent assurances from vendors to satisfy requests the first time around, and keeping up with changing threats and risks associated with vendors.

The biggest challenges for business associates were customers’ willingness to accept a validated assessment in lieu of questionnaires, handling the variability of questionnaires and audits, and the time allowed to provide quality responses and evidence to requesting customers. Covered entities and business associates both admitted to feeling overwhelmed with TPRM processes and felt current processes are effective at preventing data breaches. Covered entities and business associates both expressed a desire to improve TPRM efficiency through improved collaboration, standardization, and automation.

Third parties pose major risks to healthcare organizations and there is considerable potential for those risks to compromise privacy and patient safety. Some of the main shortcomings with TPRM are the lack of an overarching methodology for risk-tiering vendors, overreliance on verbose contract terms, inconsistent questionnaires and validation of the information collected, limited follow-ups on the resolution of identified security gaps, and limited organization-wide insight into vendor security risk.

To help address these shortcomings, Health3PT has shared best practices in its Recommended Practices & Implementation Guide which helps covered entities and business associates improve TPRM efficiency and effectiveness. “Establishing and adopting these more effective and efficient TPRM processes will transition TPRM in healthcare from a superficial check-the-box exercise that exposes organizations to unnecessary risks to more robust, collaborative information protection programs that ultimately will benefit all participants across the healthcare community,” explained Health 3PT.

The post Health3PT Shares Best Practices for Improving Third Party Risk Management in Healthcare appeared first on HIPAA Journal.

Patches Released to Fix Actively Exploited Flaw in Ivanti Endpoint Mobile Manager

Ivanti has released patches to fix a maximum-severity zero-day vulnerability in its Endpoint Mobile Manager (EPMM) mobile device management solution (formerly MobileIron Core). The vulnerability is tracked as CVE-2023-35078 and is an authentication bypass vulnerability with a CVSS score of 10. Successful exploitation of the vulnerability will allow an unauthorized user to access restricted functionality or resources of the application, gain access to sensitive user data, and potentially make limited changes to the server.

Ivanti said the vulnerability affects all supported versions of its EPMM solution (11.10, 11.9, and 11.8) as well as older versions, although the patches have only been released for supported versions. Evidence has been found that indicates the vulnerability has already been exploited in attacks, although the extent to which the vulnerability is being exploited is unclear. The Norwegian government is believed to be one of the victims. Hackers allegedly exploited the flaw to compromise 12 government ministries in the country.

According to security researcher Kevin Beaumont, the flaw is very easy to exploit, and given the severity of the flaw and known active exploitation, immediate patching is strongly recommended. Beaumont recommended that anyone still using an unsupported version that has reached end-of-life should switch off the appliance until an upgrade to a supported version is possible. The updated EPMM versions with the patch applied are EPMM 11.8.11, 11.9.11, and 11.10.02. More than 2,000 MobileIron user portals are exposed to the Internet and are potentially able to be exploited, most of which are located in the United States.

The post Patches Released to Fix Actively Exploited Flaw in Ivanti Endpoint Mobile Manager appeared first on HIPAA Journal.

June 2023 Saw Massive Spike in Ransomware Activity

A recent analysis of ransomware activity by NCC Group’s Global Threat Intelligence team shows a major spike in cyberattacks by ransomware groups in June, with attacks occurring at 221% the level of June 2022 with 434 recorded attacks in the month.

NCC Group tracks ransomware attacks and data theft/extortion attempts by ransomware groups and reports that the massive increase was mostly driven by the Clop ransomware group’s mass exploitation of a zero-day vulnerability – CVE-2023-34362 – in Progress Software’s MOVEit Transfer file transfer solution. The ransomware remediation firm Coveware estimates the Clop group generated between $75 million and $100 million in profit from those attacks, which directly impacted more than 1,000 companies and indirectly affected a great deal more.

According to NCC Group, the Clop group was responsible for 21% of all recorded attacks in June, with attacks continuing to be conducted in high numbers by LockBit 3.0 affiliates, which accounted for 14% of attacks, although this was a reduction from the 21% of attacks the previous month. Several new ransomware groups have emerged that started to conduct attacks at relatively low levels in May, but one of those groups – 8base – has rapidly increased activity and conducted at least 40 attacks in June – 9% of the month’s total. Two other new groups – Rhysida and Darkrace – conducted 26 attacks in June (6%). The most targeted sectors in June were industrials (33%), consumer cyclicals (12%), and technology (9%), with North America the most targeted region with 51% of the attacks.

While attacks have increased significantly, the percentage of victims that are choosing to pay the ransom has fallen considerably. Coveware reports that ransom payments have fallen to a record low, with just 34% of victims paying ransoms in Q2, 2023, down from more than 75% in Q1, 2019. With ransom payments continuing to decline, cybercriminal groups have been forced to increase their ransom demands. In Q2, 2023, the average ransom payment increased by 126% from Q1, 2023, to $740,000 and the median payment increased by 20% to $190,424. Coveware says the attacks by the Clop group have driven the increase. While relatively few companies chose to pay the ransom to recover the data stolen in the MOVEit attacks, those that did pay paid very high ransom payments.

Coveware attributes the record low to the compounding effects of companies continuing to invest in security, continuity assets, and incident response training, but warns that the fall in revenue is forcing ransomware gangs to evolve their attack and extortion tactics, such as the switch from encryption to pure extortion by the Clop group. While this attack method is quicker and quieter, without the disruption caused by encryption, the percentage of victims paying the ransom is much lower; however, these attacks may prove to be more profitable for ransomware gangs. Encryption attacks require more time and resources, with teams of individuals involved in the different stages of the attacks and those individuals need to be paid, which decreases the profit.

Coveware’s report separates extortion and encryption attacks. Its data indicates BlackCat and Black Basta are the dominant encryption groups, each accounting for 15.5% of attacks in Q2. Royal accounted for 10.1% of attacks, followed by LockBit 3.0 (6.2%), Akira (5.4%), and Silent Ransom and Cactus each with a 3.1% share. Coveware reports that sophisticated affiliates of ransomware groups that have previously been using ransomware variants such as Dharma and Phobos are increasingly conducting attacks using 8base, hence the increase in attacks. In Q2, 2023, phishing was the most common initial access vector followed by RDP compromise and software vulnerabilities. Professional Services was the most targeted sector (15.5%) followed by healthcare (14%), materials (11.6%), and the public sector (10.1%).

The post June 2023 Saw Massive Spike in Ransomware Activity appeared first on HIPAA Journal.

HC3 Stresses the Importance of Robust Identity and Access Management

The Health Sector Cybersecurity Coordination Center (HC3) has highlighted the importance of implementing a robust Identity and Access Management (IAM) program. Identity and access management has become more complex due to an increase in remote working, which was accelerated due to the COVID-19 pandemic and the pressure on organizations to move high-risk transactions online. While the COVID-19 public health emergency has officially been declared over, many organizations have continued to support remote working, with 48% of employees continuing to spend at least some of the week working remotely and 62% of employees believing their employers will support remote working in the future.

While there are benefits from remote working and moving transactions online, doing so considerably increases the attack surface and provides malicious actors with more opportunities to attack an organization. Threat actors actively seek exploitable vulnerabilities in access protocols, software solutions, and organizations’ mitigation capabilities to hide their malicious activities. According to the 2023 Cost of a Data Breach Report from IBM Security, stolen and compromised credentials are the second most common initial access vector. Data breaches that stem from stolen and compromised credentials take longer than any other breach cause to identify and contain, giving threat actors ample time to conduct a range of malicious actions undetected.

Healthcare organizations need to ensure that they have a comprehensive IAM program covering employees, vendors, and customers that allow all parties to build mutual trust when performing transactions in person and remotely, yet it can be challenging to balance robust authentication to establish the real identity of a user without negatively impacting the user experience. Consequently, IAM programs must be well thought-out and IAM policies comprehensively implemented. The policies must cover remote access and vendor, employee, and customer onboarding to ensure that identity is properly identified and users are authenticated before being granted access to systems and services. Once access has been granted, individuals should not be automatically trusted. Identity should be repeatedly reaffirmed to ensure that an individual is the true owner of their previously determined identity.

Malicious insiders pose a considerable risk and controls need to be implemented to deal with the threat. Data breaches caused by malicious insiders are the costliest type of breach, according to IBM Security, and these breaches often result in considerable harm. Criminals make contact with healthcare employees and convince them to misuse their access to internal systems to steal sensitive data or conduct destructive attacks, such as abusing their access rights to install ransomware.

Mitigating insider threats can be a challenge for healthcare organizations. It requires collaboration between leaders and administrators involved with all stages of hiring and employment processes and the creation of a multi-disciplinary team that collaborates along all business lines to prevent and mitigate insider threats, combining monitoring, surveilling, investigating, escalating, and incident response and remediation.

Processes should include rigorous identity verification and background checks pre-employment and analysis of behavior during employment to identify any changes compared to an established baseline, ideally involving automated monitoring that can flag any anomalous behavior rapidly. Policies should also be implemented covering post-employment, to ensure that all equipment is recovered and access rights and accounts are immediately terminated

“By implementing and designing an IAM security framework and technologies which tie your governance and subsequent policy rules into a centrally managed identity and access system, the ability of your organization to prevent and detect insider threats will be greatly enhanced,” explained HC3 in its recent analyst note.

The post HC3 Stresses the Importance of Robust Identity and Access Management appeared first on HIPAA Journal.

IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million

The 2023 IBM Security Cost of a Data Breach Report shows the average data breach cost has increased to $4.45 million ($165 per record), with data breaches in the United States being the costliest at an average of $9.48 million, up 0.4% from last year. Data breaches are the costliest that they have ever been and have increased by 15% since 2020. The data for this year’s report was collected by the Ponemon Institute and included breach data from 553 organizations in 16 countries with interviews conducted with thousands of individuals. All data breaches studied for the report occurred between March 2022 and March 2023.

For the 13th year in a row, healthcare data breaches were found to be the costliest, with the average cost increasing to $10.93 million, which is a 53.3% increase over the past 3 years and an 8.22% increase from the $10.10 average breach cost in 2022. Small organizations with fewer than 500 employees saw average data breach costs increase by 13.35% year-over-year to $3.31 million. There was a 21.4% increase in costs for mid-sized organizations (501-1,000 employees) to an average of $4.06 million, a 20% rise in costs for large organizations (1,001-5,000 employees) to $4.87 million, but a 1.8% decrease in costs for very large organizations (10,001–25,000 employees), which fell to an average of $5.46 million. The time to identify and contain a breach remained the same as in 2022 with the decrease in detection time cancelled out by an increase in containment time. In 2023, the average detection (204 days) and containment (73 days) time was 277 days.

The most common causes of data breaches were phishing attacks and compromised credentials, with phishing the initial access vector in 16% of data breaches and compromised credentials the vector in 15% of breaches. The average cost of a phishing attack was $4.76 million and an attack caused by stolen or compromised credentials cost an average of $4.62 million. The costliest breaches were caused by malicious insiders, with those incidents costing an average of $4.90 million per breach, although these breaches were relatively rare, accounting for 6% of the total. Breaches stemming from stolen or compromised credentials took the longest to identify and contain, taking 328 days compared to the average of 277 days.

Only one-third (33%) of data breaches were detected by the breached entity, with a benign third party such as law enforcement or a security researcher notifying the victim about the breach in 40% of cases, and the attacker notifying the breached entity about the attack in 27% of cases. Breaches where the attacker informed the victim cost around $1 million more than breaches that were detected by the victim ($5.23 million vs. $4.3 million). Data breaches that were disclosed by an attacker also had a much longer lifecycle (detection to containment), taking 320 days – 79 days longer than breaches that were identified by the victim.

Data breaches often occur in multiple locations such as on-premises as well as public and private clouds. IBM Security found attackers were able to breach multiple environments undetected, and when multiple environments were breached the costs soared. Multi-environment breaches cost an average of $750,000 more than data breaches in single environments and took 15 days longer to contain. Malicious attacks often rendered systems inoperable with destructive attacks accounting for 25% of all malicious attacks and ransomware accounting for 24% of attacks. Destructive attacks cost an average of $5.24 million and ransomware attacks cost an average of $5.13 million. 47% of ransomware victims chose to pay the ransom.

IBM Security was able to dispel a common myth – that involving law enforcement involvement in ransomware attacks increases the complexity and recovery time, when the reverse was found to be true. Ransomware attacks with law enforcement involvement took an average of 33 days less to contain than when law enforcement was not involved, and law enforcement involvement also shaved an average of $470,000 off the breach cost. Despite speeding up recovery and significantly reducing breach costs, 37% of ransomware victims did not seek help from law enforcement to contain a breach.

Law enforcement recommends not paying the ransom as there is no guarantee of a faster recovery and payment of a ransom encourages further attacks. IBM Security found that paying the ransom only resulted in minimal savings – a cost difference of $110,000 or $2.2%, although that does not include the ransom amount. Taking the ransom payment into consideration, many organizations ended up paying more than they would likely have spent had they chosen not to pay the ransom.

The biggest cost mitigators were the adoption of a DecSecOps approach (integrating security in the software development cycle), which saved almost $250,000 on average, employee training (-$233,000), incident response planning and testing (-$232,000), and AI and machine learning insights (-$225,000). AI and automation shaved an average of 108 days from identification and containment and attack surface management (ASM) solutions shaved an average of 83 days off of the response time. The biggest cost amplifiers were security systems complexity (+$241,000), security skills shortages (+$239,000), and non-compliance with regulations (+$219,000).

The report revealed 95% of organizations had suffered more than one breach and the costs of these breaches were passed onto consumers by 57% of organizations, with only 51% of organizations increasing security investments following a data breach.

The post IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million appeared first on HIPAA Journal.

June 2023 Healthcare Data Breach Report

The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal shows a 12% month-over-month reduction in the number of healthcare data breaches of 500 or more records. In June, HIPAA-regulated entities reported 66 breaches, and while this was an improvement on the 73 breaches reported in June 2022, the month’s total is still well above the 12-month average of 58 data breaches a month.

Healthcare Data Breaches Past 12 Months - June 2023

May was a particularly bad month for data breaches with more than 19 million individuals having their protected health information exposed or impermissibly disclosed, so while there was a 73.67% month-over-month reduction in breached records in June, the previous month’s total was unnaturally high. June’s total of 5,015,083 breached records was below the 12-month average of 6 million records a month and less than the 6,258,833 records breached in June 2022, but that is still more than 167,000 breached healthcare records a day – 17.6% more than the daily average in 2022.

Healthcare Records Breached in the past 12 months - June -2023

In H1 2023, 41,452,622 healthcare records were exposed or impermissibly disclosed. That’s just a few thousand records short of the total for all of 2019 and just 10 million below the total for all of 2022.

Largest Healthcare Data Breaches in June 2023

In June, 25 data breaches of 500 or more records were reported to OCR, all but two of which were hacking/IT incidents. The largest breach of the month by some distance was a ransomware attack and data theft incident at the biotech and diagnostics company, Enzo Clinical Labs (Enzo Biochem).  Murfreesboro Medical Clinic & SurgiCenter also suffered a major breach where sensitive data was stolen and a ransom demand was issued to prevent a data leak, as did Intellihartx. Intellihartx was one of several companies that had sensitive data stolen by the Cl0p ransomware group, which mass exploited a zero day vulnerability in Fortra’s GoAnywhere MFT file transfer solution in late January.

As the table below indicates, it is becoming increasingly common for HIPAA-regulated entities to only disclose limited information in their notification letters. Data breaches are often reported as “unauthorized individuals accessed the network and may have accessed or removed patient information,” even when data theft has been confirmed and the stolen data has been uploaded to the data leak sites of ransomware groups. The lack of information can make it difficult for victims of data breaches to assess the level of risk they face.

Healthcare Data Breaches of 10,000 or More Records

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
Enzo Clinical Labs, Inc. NY Healthcare Provider 2,470,000 Hacking/IT Incident Ransomware attack
Murfreesboro Medical Clinic & SurgiCenter TN Healthcare Provider 559,000 Hacking/IT Incident Cyberattack (extortion)
Intellihartx, LLC TN Business Associate 489,830 Hacking/IT Incident Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked
Advanced Medical Management, LLC MD Business Associate 319,485 Hacking/IT Incident Hacking of network designed/maintained by a business associate
Great Valley Cardiology PA Healthcare Provider 181,764 Hacking/IT Incident Cyberattack – Brute force attack involving data theft
Petaluma Health Center CA Healthcare Provider 124,862 Hacking/IT Incident Cyberattack – Details unknown
Imagine360 PA Business Associate 112,611 Unauthorized Access/Disclosure Cyberattack (extortion) – Fortra GoAnywhere MFT and Citrix file transfer solutions hacked
Kannact, Inc. OR Business Associate 103,547 Hacking/IT Incident Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked
Activate Healthcare LLC IL Healthcare Provider 93,761 Hacking/IT Incident Cyberattack with data theft confirmed
Desert Physicians Management CA Business Associate 56,556 Hacking/IT Incident Cyberattack with data theft confirmed
ARx Patient Solutions KS Healthcare Provider 41166 Unauthorized Access/Disclosure Compromised email account
Orrick, Herrington & Sutcliffe LLP CA Business Associate 40,823 Hacking/IT Incident Cyberattack – Details unknown
Tidewater Diagnostic Imaging, Ltd. MA Healthcare Provider 40,195 Hacking/IT Incident Hacking Incident – Details unknown
Peachtree Orthopaedic Clinic, P.A. GA Healthcare Provider 34,691 Hacking/IT Incident Cyberattack (extortion) by Karakurt threat group
Atlanta Women’s Health Group, P.C. GA Healthcare Provider 33,839 Hacking/IT Incident Cyberattack – Details unknown
Maimonides Medical Center NY Healthcare Provider 33,000 Hacking/IT Incident Cyberattack – Details unknown
Elgon Information Systems MA Business Associate 31,248 Hacking/IT Incident Hacking Incident – Details unknown
Community Research Foundation CA Healthcare Provider 30,057 Hacking/IT Incident Hacking Incident – Details unknown
Mount Desert Island Hospital, Inc. ME Healthcare Provider 24,180 Hacking/IT Incident Cyberattack – Details unknown
Mercy Medical Center – Clinton, Inc. IA Healthcare Provider 20,865 Hacking/IT Incident Ransomware attack
Ascension Seton TX Healthcare Provider 17,191 Hacking/IT Incident Hacking incident at business associate (Vertex)
John N. Evans, DPM MI Healthcare Provider 15,585 Hacking/IT Incident Hacking Incident – Details unknown
New Horizons Medical, Inc MA Healthcare Provider 12,317 Hacking/IT Incident Hacking Incident – Details unknown
CareNet Medical Group, PC NY Healthcare Provider 10,059 Hacking/IT Incident Cyberattack with data theft confirmed
Core Performance Physicians, dba Vincera Core Physicians PA Healthcare Provider 10,000 Hacking/IT Incident Ransomware attack affecting four Vincera companies (25,000 affected in total)

Causes of June 2023 Healthcare Data Breaches

Hacking incidents once again dominated the breach reports, accounting for more than 77% of the month’s data breaches and more than 96% of the month’s breached records. The average breach size was 94,480 records and the median breach size was 5,973 records. 4,818,457 records were exposed or compromised in hacking incidents. There were 14 unauthorized access/disclosure incidents reported, which cover a range of different incidents including unauthorized medical record access, unsecured paper records, mismailing incidents, and misdirected emails. Across those incidents, 196,026 records were impermissibly accessed or disclosed. The average breach size was 14,002 records and the median breach size was 2,567 records. There was one incident involving the improper disposal of 600 paper records and no reported loss or theft incidents.

Causes of June 2023 healthcare data breaches

As the chart below shows the most common location of breached protected health information was network servers, with email accounts the second most common location of breached data.

location of breached information in June 2023 healthcare data breaches

Where Did the Breaches Occur?

The raw data from the OCR breach portal shows data breaches by reporting entity; however, that does not mean that is where the breach occurred. When data breaches occur at business associates, the business associate may report the breach, or the covered entities affected, or a combination of the two. The raw data shows 44 breaches at healthcare providers, 12 at business associates, and 10 at health plans.

The charts below are based on adjusted figures and show where the data breach occurred rather than the entity reporting the breach as this better reflects the number of data breaches that occurred at business associates of HIPAA-regulated entities.

June 2023 healthcare data breaches - covered entity type

Records breached at hipaa-regulated entities in June 2023

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 31 states in June 2023. Pennsylvania was the worst affected state, with 11 data breaches reported. The high total is partly due to 6 of the breaches relating to two incidents that were reported separately for each company affected. Even taking this into account, Pennsylvania was the worst affected state.

State Breaches
Pennsylvania 11
California 5
Massachusetts, New York & Texas 4
Arizona & Minnesota 3
Florida, Georgia, Maryland, Michigan, North Carolina, Ohio, Tennessee & Utah 2
Alabama, Delaware, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky, Maine, Mississippi, Montana, New Jersey, Oklahoma, Oregon, South Carolina & Virginia 1

HIPAA Enforcement Activity in June 2023

The Office for Civil Rights announced three enforcement actions in June to resolve potential violations of the HIPAA Rules. Yakima Valley Memorial Hospital was investigated by OCR after a report was received about a HIPAA breach involving 23 security guards who had been accessing patient records without authorization. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule. The case was settled and the hospital agreed to pay a $240,000 penalty.

Manasa Health Center was investigated after complaints were filed with OCR about impermissible disclosures of PHI in response to negative online reviews left by four patients. The case was settled with OCR and Manasa Health Center agreed to pay a $30,000 penalty. This was OCR’s third enforcement action in the past year to see a financial penalty for disclosures of PHI in response to negative patient reviews. No company likes to receive bad reviews and negative customer comments may be unjustified, but PHI must never be disclosed online in response to reviews.

iHealth Solutions, which does business as Advantum Health, was investigated over a relatively small data breach involving the exposure of the ePHI of 267 patients. Patient information was stored on a server that had not been properly secured, allowing protected health information to be accessed over the Internet. OCR determined that iHealth Solutions had failed to conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The case was settled and iHealth Solutions agreed to pay a $75,000 penalty.

OCR has now imposed 8 financial penalties on HIPAA-regulated entities so far this year to resolve alleged violations of the HIPAA Rules with the penalties totaling $1,976,500. OCR has already exceeded last year’s total of $1,124,640 in fines that were collected from HIPAA-regulated entities in 17 enforcement actions.

State attorneys general can also impose financial penalties for HIPAA violations, although the fines are often imposed for equivalent violations of state laws, as was the case in California in June. In 2019, Kaiser Permanente sent mailings to its plan members, but an error resulted in letters being sent to old addresses, resulting in an impermissible disclosure of members’ protected health information. While this was a HIPAA violation, California imposed a financial penalty for violations of the California Confidentiality of Medical Information Act (CMIA) – an impermissible disclosure of the personal information of up to 175,000 individuals and the negligent maintenance and/or disposal of medical information. The case was settled for $450,000.

The post June 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Patch Released for Actively Exploited Citrix NetScaler Zero Day Vulnerability

Citrix has released patches to fix three vulnerabilities that affect the Netscaler Application Delivery Controller (ADC) and NetScaler Gateway appliances – formerly Citrix ADC/Citrix Gateway – including an actively exploited zero day bug that is being actively exploited in the wild.

The solutions are used by healthcare organizations for remote access and improving the performance, security, and resiliency of application delivery, including electronic medical records. The extent to which the vulnerability is being exploited has not been confirmed by Citrix; however, security researchers expect the vulnerability to be widely exploited now the vulnerability has been announced as vulnerabilities in Citrix appliances are targeted by hackers of all skill levels.

The critical flaw is tracked as CVE-2023-3519 and has been assigned a CVSS v3.1 severity score of 9.8 out of 10. Successful exploitation of the flaw would allow a remote, unauthenticated attacker to execute code on a vulnerable appliance. The vulnerability can be exploited if the appliance is running a vulnerable version and is configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an authentication virtual server (AAA server).

The other two high-severity vulnerabilities are not believed to have been exploited at the time of the announcement. They are a cross-site scripting vulnerability – CVE-2023-3466 – which has a CVSS severity score of 8.3. The vulnerability can be exploited if the victim accesses an attacker-controlled link in a browser while on a network with connectivity to the NetScaler IP. The other vulnerability – CVE-2023-3467 – is a privilege escalation flaw with a CVSS score of 8.0. Exploitation allows privilege escalation to root administrator (nsroot). An attacker could exploit the flaw with authenticated access to NSIP or SNIP with management interface access.

The vulnerabilities have been fixed in the following Netscaler ADC and NetScaler Gateway versions:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Customers that are still using version 12.1 have been advised to upgrade to a supported version, as version 12.1 has reached end-of-life.

The post Patch Released for Actively Exploited Citrix NetScaler Zero Day Vulnerability appeared first on HIPAA Journal.

Generative AI Tool Without Ethical Restrictions Offered on Hacking Forums

Generative AI tools such as ChatGPT and Google Bard have restrictions in place to prevent abuse by malicious actors; however, security researchers have demonstrated these control measures can be bypassed and there is considerable chatter on hacking forums about how the ethics filters of tools such as ChatGPT can be circumvented to get the AI tools to write phishing emails and malware code. While inputs can be crafted to generate malicious outputs, there is now a much easier way to use generative AI for malicious purposes.

Research conducted by SlashNext has uncovered an alternative AI tool that is being offered on hacking forums. The tool, WormGPT, has no restrictions in place and can easily be used by malicious actors to craft convincing phishing emails and business email compromise (BEC) attacks. The tool is billed as a blackhat alternative to ChatGPT which has been specifically trained to provide malicious output.

Without the restrictions of ChatGPT and Bard, users are free to craft phishing emails and BEC scams with convincing lures and perfect grammar. The emails created using this tool can be easily customized to tailor attacks to specific organizations and emails can be crafted with little effort or technical skill and there is no language barrier, allowing attacks to be conducted by virtually anyone at speed and scale.

WormGPT is based on the GPT-J language model and includes an impressive range of features, such as chat memory retention, unlimited character support, and code formatting capabilities. The developers claim to have trained the algorithm on a diverse array of data sources and concentrated on malware-related data. SlashNext researchers put the tool to the test and instructed it to generate an email to pressure an account manager into paying a fraudulent invoice. “The results were unsettling,” wrote the researchers. “WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks.”

Researchers have demonstrated that AI-based tools are far better than humans at creating phishing and other scam emails and the emails have a high success rate. It is therefore vital for organizations to take steps to improve their defenses against AI-enabled attacks. This week, the Health Sector Cybersecurity Coordination Center (HC3) published a brief explaining the benefits of AI, how the technology can easily be abused by malicious actors, and provided recommendations for healthcare organizations to improve their defenses against AI-enabled attacks. SlashNext recommends developing extensive training programs for cybersecurity personnel on how to detect and block AI-enabled attacks and educating all employees on phishing and BEC threats. While detecting AI-generated malicious emails can be difficult even for advanced security solutions, flagging emails that originate from outside the organization will alert employees about potential threats. SlashNext also recommends flagging emails that contain specific keywords often used in phishing and BEC attacks.

The post Generative AI Tool Without Ethical Restrictions Offered on Hacking Forums appeared first on HIPAA Journal.

BD Warns of Vulnerabilities in its Alaris Guardrails Suite MX Infusion Pumps

Becton, Dickinson, and Co. and the Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories about 8 recently identified vulnerabilities in BD Alaris Guardrails Suite MX, which could be exploited by malicious actors to gain access to sensitive data and impact the availability of devices. The flaws were identified by BD during routine internal security testing and were shared with CISA, the FDA, and Information Sharing and Analysis Organizations (ISAOs) under its responsible disclosure policy. BD performed risk assessments and determined that while there is a potential safety impact, the risks associated with all 8 of the vulnerabilities can be effectively mitigated by implementing the recommended control measures.

The 8 vulnerabilities affect the BD Alaris System v12.1.3 and earlier versions and include 1 high-severity, 5 medium-severity, and 2 low-severity vulnerabilities. BD said no evidence has been found to indicate any of the vulnerabilities have been exploited to date; however, there is a low attack complexity so the recommended steps should be taken to reduce the risk of exploitation.

The most serious vulnerability – CVE-2023-30563 (CVSS 8.2) – is a cross-site scripting issue due to improper neutralization of input during web page generation. A malicious actor could exploit the flaw to upload a malicious file to the BD Alaris Systems Manager user import function and hijack a session.

CVE-2023-30564 (CVSS 6.9) is a cross-site scripting vulnerability due to the failure of the Alaris Systems Manager to perform input validation during the device import function, and could be exploited to load a malicious payload and therefore has an impact beyond Systems Manager; however, an attacker would need to be on an adjacent network to exploit the vulnerability.

CVE-2023-30560 (CVSS 6.8) is due to a lack of authentication for PCU configuration which has a high impact to confidentiality, integrity, and availability; however, exploitation is only possible with physical access to the BD Alaris PCU. Successful exploitation would allow the configuration to be modified without authentication.

CVE-2023-30562 (CVSS 6.7) is due to a lack of dataset integrity checking and allows a GRE dataset file within Systems Manager to be tampered with and distributed to PCUs. An attacker would need to be on an adjacent network to exploit the flaw and would need generalized permissions.

CVE-2023-30561 (CVSS 6.1) is due to a lack of cryptographic security of IUI Bus. A threat actor with physical access could potentially read and modify data if a specifically crafted device was attached during infusion.

CVE-2023-30559 (CVSS 5.2) is due to the wireless card firmware being improperly signed, which allows the card to be modified. The flaw could only be exploited with physical access to the BD Alaris PCU.

The two low-severity flaws are a CQI data sniffing issue – CVE-2023-30565 (CVSS 3.5) – that could expose infusion data, and a lack of input validation within Apache Log4Net Calculation Services – CVE-2018-1285 (CVSS 3.0) – which could be exploited to execute malicious commands.

BD has suggested several mitigating and compensating controls in its alert to reduce the potential for exploitation to a low and acceptable level.

The post BD Warns of Vulnerabilities in its Alaris Guardrails Suite MX Infusion Pumps appeared first on HIPAA Journal.