Healthcare Cybersecurity

HC3 Stresses the Importance of Robust Identity and Access Management

The Health Sector Cybersecurity Coordination Center (HC3) has highlighted the importance of implementing a robust Identity and Access Management (IAM) program. Identity and access management has become more complex due to an increase in remote working, accelerated by the COVID-19 pandemic and the pressure on organizations to move high-risk transactions online. While the COVID-19 public health emergency has officially been declared over, many organizations have continued to support remote working, with 48% of employees continuing to spend at least some of the week working remotely and 62% of employees believing their employers will support remote working in the future.

While there are benefits from remote working and moving transactions online, doing so considerably increases the attack surface and provides malicious actors with more opportunities to attack an organization. Threat actors actively seek exploitable vulnerabilities in access protocols, software solutions, and organizations’ mitigation capabilities to hide their malicious activities. According to the 2023 Cost of a Data Breach Report from IBM Security, stolen and compromised credentials are the second most common initial access vector. Data breaches that stem from stolen and compromised credentials take longer than any other breach cause to identify and contain, giving threat actors ample time to conduct a range of malicious actions undetected.

Healthcare organizations need to ensure that they have a comprehensive IAM program covering employees, vendors, and customers that allows all parties to build mutual trust when performing transactions in person and remotely, yet it can be challenging to balance robust authentication to establish the real identity of a user without negatively impacting the user experience. Consequently, IAM programs must be well thought out and IAM policies comprehensively implemented. The policies must cover remote access and vendor, employee, and customer onboarding to ensure that identities are properly verified and users are authenticated before being granted access to systems and services. Once access has been granted, individuals should not be automatically trusted. Identity should be repeatedly reaffirmed to ensure that an individual is the true owner of their previously determined identity.

Malicious insiders pose a considerable risk and controls need to be implemented to deal with the threat. Data breaches caused by malicious insiders are the costliest type of breach, according to IBM Security, and these breaches often result in considerable harm. Criminals make contact with healthcare employees and convince them to misuse their access to internal systems to steal sensitive data or conduct destructive attacks, such as abusing their access rights to install ransomware.

Mitigating insider threats can be a challenge for healthcare organizations. It requires collaboration between leaders and administrators involved with all stages of the hiring and employment processes and the creation of a multi-disciplinary team that works across all business lines to prevent and mitigate insider threats, combining monitoring, surveillance, investigation, escalation, incident response, and remediation.

Processes should include rigorous identity verification and background checks pre-employment and analysis of behavior during employment to identify any changes compared to an established baseline, ideally involving automated monitoring that can rapidly flag any anomalous behavior. Policies should also be implemented covering post-employment, to ensure that all equipment is recovered and access rights and accounts are immediately terminated.

“By implementing and designing an IAM security framework and technologies which tie your governance and subsequent policy rules into a centrally managed identity and access system, the ability of your organization to prevent and detect insider threats will be greatly enhanced,” explained HC3 in its recent analyst note.

The post HC3 Stresses the Importance of Robust Identity and Access Management appeared first on HIPAA Journal.

IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million

The 2023 IBM Security Cost of a Data Breach Report shows the average data breach cost has increased to $4.45 million ($165 per record), with data breaches in the United States being the costliest at an average of $9.48 million, up 0.4% from last year. Data breaches are the costliest that they have ever been and have increased by 15% since 2020. The data for this year’s report was collected by the Ponemon Institute and included breach data from 553 organizations in 16 countries with interviews conducted with thousands of individuals. All data breaches studied for the report occurred between March 2022 and March 2023.

For the 13th year in a row, healthcare data breaches were found to be the costliest, with the average cost increasing to $10.93 million, which is a 53.3% increase over the past 3 years and an 8.22% increase from the $10.10 million average breach cost in 2022. Small organizations with fewer than 500 employees saw average data breach costs increase by 13.35% year-over-year to $3.31 million. There was a 21.4% increase in costs for mid-sized organizations (501-1,000 employees) to an average of $4.06 million, a 20% rise in costs for large organizations (1,001-5,000 employees) to $4.87 million, but a 1.8% decrease in costs for very large organizations (10,001–25,000 employees), which fell to an average of $5.46 million. The time to identify and contain a breach remained the same as in 2022, with the decrease in detection time cancelled out by an increase in containment time. In 2023, the average time to detect (204 days) and contain (73 days) a breach totaled 277 days.

The most common causes of data breaches were phishing attacks and compromised credentials, with phishing the initial access vector in 16% of data breaches and compromised credentials the vector in 15% of breaches. The average cost of a phishing attack was $4.76 million and an attack caused by stolen or compromised credentials cost an average of $4.62 million. The costliest breaches were caused by malicious insiders, with those incidents costing an average of $4.90 million per breach, although these breaches were relatively rare, accounting for 6% of the total. Breaches stemming from stolen or compromised credentials took the longest to identify and contain, taking 328 days compared to the average of 277 days.

Only one-third (33%) of data breaches were detected by the breached entity, with a benign third party such as law enforcement or a security researcher notifying the victim about the breach in 40% of cases, and the attacker notifying the breached entity about the attack in 27% of cases. Breaches where the attacker informed the victim cost around $1 million more than breaches that were detected by the victim ($5.23 million vs. $4.3 million). Data breaches that were disclosed by an attacker also had a much longer lifecycle (detection to containment), taking 320 days – 79 days longer than breaches that were identified by the victim.

Data breaches often occur in multiple locations such as on-premises as well as public and private clouds. IBM Security found attackers were able to breach multiple environments undetected, and when multiple environments were breached the costs soared. Multi-environment breaches cost an average of $750,000 more than data breaches in single environments and took 15 days longer to contain. Malicious attacks often rendered systems inoperable with destructive attacks accounting for 25% of all malicious attacks and ransomware accounting for 24% of attacks. Destructive attacks cost an average of $5.24 million and ransomware attacks cost an average of $5.13 million. 47% of ransomware victims chose to pay the ransom.

IBM Security was able to dispel a common myth – that involving law enforcement in ransomware attacks increases the complexity and recovery time – when the reverse was found to be true. Ransomware attacks with law enforcement involvement took an average of 33 days less to contain than when law enforcement was not involved, and law enforcement involvement also shaved an average of $470,000 off the breach cost. Despite speeding up recovery and significantly reducing breach costs, 37% of ransomware victims did not seek help from law enforcement to contain a breach.

Law enforcement recommends not paying the ransom as there is no guarantee of a faster recovery and payment of a ransom encourages further attacks. IBM Security found that paying the ransom only resulted in minimal savings – a cost difference of $110,000, or 2.2%, although that does not include the ransom amount. Taking the ransom payment into consideration, many organizations ended up paying more than they would likely have spent had they chosen not to pay the ransom.

The biggest cost mitigators were the adoption of a DevSecOps approach (integrating security into the software development cycle), which saved almost $250,000 on average, employee training (-$233,000), incident response planning and testing (-$232,000), and AI and machine learning insights (-$225,000). AI and automation shaved an average of 108 days from identification and containment, and attack surface management (ASM) solutions shaved an average of 83 days off the response time. The biggest cost amplifiers were security system complexity (+$241,000), security skills shortages (+$239,000), and non-compliance with regulations (+$219,000).

The report revealed 95% of organizations had suffered more than one breach and the costs of these breaches were passed onto consumers by 57% of organizations, with only 51% of organizations increasing security investments following a data breach.


June 2023 Healthcare Data Breach Report

The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal shows a 12% month-over-month reduction in the number of healthcare data breaches of 500 or more records. In June, HIPAA-regulated entities reported 66 breaches, and while this was an improvement on the 73 breaches reported in June 2022, the month’s total is still well above the 12-month average of 58 data breaches a month.

Chart: Healthcare Data Breaches in the Past 12 Months (June 2023)

May was a particularly bad month for data breaches with more than 19 million individuals having their protected health information exposed or impermissibly disclosed, so while there was a 73.67% month-over-month reduction in breached records in June, the previous month’s total was unnaturally high. June’s total of 5,015,083 breached records was below the 12-month average of 6 million records a month and less than the 6,258,833 records breached in June 2022, but that is still more than 167,000 breached healthcare records a day – 17.6% more than the daily average in 2022.

Chart: Healthcare Records Breached in the Past 12 Months (June 2023)

In H1 2023, 41,452,622 healthcare records were exposed or impermissibly disclosed. That’s just a few thousand records short of the total for all of 2019 and just 10 million below the total for all of 2022.

Largest Healthcare Data Breaches in June 2023

In June, 25 data breaches of 500 or more records were reported to OCR, all but two of which were hacking/IT incidents. The largest breach of the month by some distance was a ransomware attack and data theft incident at the biotech and diagnostics company, Enzo Clinical Labs (Enzo Biochem). Murfreesboro Medical Clinic & SurgiCenter also suffered a major breach where sensitive data was stolen and a ransom demand was issued to prevent a data leak, as did Intellihartx. Intellihartx was one of several companies that had sensitive data stolen by the Cl0p ransomware group, which mass-exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution in late January.

As the table below indicates, it is becoming increasingly common for HIPAA-regulated entities to only disclose limited information in their notification letters. Data breaches are often reported as “unauthorized individuals accessed the network and may have accessed or removed patient information,” even when data theft has been confirmed and the stolen data has been uploaded to the data leak sites of ransomware groups. The lack of information can make it difficult for victims of data breaches to assess the level of risk they face.

Healthcare Data Breaches of 10,000 or More Records

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| Enzo Clinical Labs, Inc. | NY | Healthcare Provider | 2,470,000 | Hacking/IT Incident | Ransomware attack |
| Murfreesboro Medical Clinic & SurgiCenter | TN | Healthcare Provider | 559,000 | Hacking/IT Incident | Cyberattack (extortion) |
| Intellihartx, LLC | TN | Business Associate | 489,830 | Hacking/IT Incident | Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked |
| Advanced Medical Management, LLC | MD | Business Associate | 319,485 | Hacking/IT Incident | Hacking of network designed/maintained by a business associate |
| Great Valley Cardiology | PA | Healthcare Provider | 181,764 | Hacking/IT Incident | Cyberattack – Brute force attack involving data theft |
| Petaluma Health Center | CA | Healthcare Provider | 124,862 | Hacking/IT Incident | Cyberattack – Details unknown |
| Imagine360 | PA | Business Associate | 112,611 | Unauthorized Access/Disclosure | Cyberattack (extortion) – Fortra GoAnywhere MFT and Citrix file transfer solutions hacked |
| Kannact, Inc. | OR | Business Associate | 103,547 | Hacking/IT Incident | Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked |
| Activate Healthcare LLC | IL | Healthcare Provider | 93,761 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| Desert Physicians Management | CA | Business Associate | 56,556 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| ARx Patient Solutions | KS | Healthcare Provider | 41,166 | Unauthorized Access/Disclosure | Compromised email account |
| Orrick, Herrington & Sutcliffe LLP | CA | Business Associate | 40,823 | Hacking/IT Incident | Cyberattack – Details unknown |
| Tidewater Diagnostic Imaging, Ltd. | MA | Healthcare Provider | 40,195 | Hacking/IT Incident | Hacking Incident – Details unknown |
| Peachtree Orthopaedic Clinic, P.A. | GA | Healthcare Provider | 34,691 | Hacking/IT Incident | Cyberattack (extortion) by Karakurt threat group |
| Atlanta Women’s Health Group, P.C. | GA | Healthcare Provider | 33,839 | Hacking/IT Incident | Cyberattack – Details unknown |
| Maimonides Medical Center | NY | Healthcare Provider | 33,000 | Hacking/IT Incident | Cyberattack – Details unknown |
| Elgon Information Systems | MA | Business Associate | 31,248 | Hacking/IT Incident | Hacking Incident – Details unknown |
| Community Research Foundation | CA | Healthcare Provider | 30,057 | Hacking/IT Incident | Hacking Incident – Details unknown |
| Mount Desert Island Hospital, Inc. | ME | Healthcare Provider | 24,180 | Hacking/IT Incident | Cyberattack – Details unknown |
| Mercy Medical Center – Clinton, Inc. | IA | Healthcare Provider | 20,865 | Hacking/IT Incident | Ransomware attack |
| Ascension Seton | TX | Healthcare Provider | 17,191 | Hacking/IT Incident | Hacking incident at business associate (Vertex) |
| John N. Evans, DPM | MI | Healthcare Provider | 15,585 | Hacking/IT Incident | Hacking Incident – Details unknown |
| New Horizons Medical, Inc | MA | Healthcare Provider | 12,317 | Hacking/IT Incident | Hacking Incident – Details unknown |
| CareNet Medical Group, PC | NY | Healthcare Provider | 10,059 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| Core Performance Physicians, dba Vincera Core Physicians | PA | Healthcare Provider | 10,000 | Hacking/IT Incident | Ransomware attack affecting four Vincera companies (25,000 affected in total) |

Causes of June 2023 Healthcare Data Breaches

Hacking incidents once again dominated the breach reports, accounting for more than 77% of the month’s data breaches and more than 96% of the month’s breached records. The average breach size was 94,480 records and the median breach size was 5,973 records. 4,818,457 records were exposed or compromised in hacking incidents. There were 14 unauthorized access/disclosure incidents reported, which cover a range of different incidents including unauthorized medical record access, unsecured paper records, mismailing incidents, and misdirected emails. Across those incidents, 196,026 records were impermissibly accessed or disclosed. The average breach size was 14,002 records and the median breach size was 2,567 records. There was one incident involving the improper disposal of 600 paper records and no reported loss or theft incidents.

Chart: Causes of June 2023 Healthcare Data Breaches

As the chart below shows, the most common location of breached protected health information was network servers, with email accounts the second most common location of breached data.

Chart: Location of Breached Information in June 2023 Healthcare Data Breaches

Where Did the Breaches Occur?

The raw data from the OCR breach portal shows data breaches by reporting entity; however, that does not mean that is where the breach occurred. When data breaches occur at business associates, the business associate may report the breach, or the covered entities affected, or a combination of the two. The raw data shows 44 breaches at healthcare providers, 12 at business associates, and 10 at health plans.

The charts below are based on adjusted figures and show where each data breach occurred rather than the entity that reported it, as this better reflects the number of data breaches that occurred at business associates of HIPAA-regulated entities.

Chart: June 2023 Healthcare Data Breaches by Covered Entity Type

Chart: Records Breached at HIPAA-Regulated Entities in June 2023

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 31 states in June 2023. Pennsylvania was the worst affected state, with 11 data breaches reported. The high total is partly due to 6 of the breaches relating to two incidents that were reported separately by each company affected. Even taking this into account, Pennsylvania was the worst affected state.

| State | Breaches |
|---|---|
| Pennsylvania | 11 |
| California | 5 |
| Massachusetts, New York & Texas | 4 |
| Arizona & Minnesota | 3 |
| Florida, Georgia, Maryland, Michigan, North Carolina, Ohio, Tennessee & Utah | 2 |
| Alabama, Delaware, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky, Maine, Mississippi, Montana, New Jersey, Oklahoma, Oregon, South Carolina & Virginia | 1 |

HIPAA Enforcement Activity in June 2023

The Office for Civil Rights announced three enforcement actions in June to resolve potential violations of the HIPAA Rules. Yakima Valley Memorial Hospital was investigated by OCR after a report was received about a HIPAA breach involving 23 security guards who had been accessing patient records without authorization. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule. The case was settled and the hospital agreed to pay a $240,000 penalty.

Manasa Health Center was investigated after complaints were filed with OCR about impermissible disclosures of PHI in response to negative online reviews left by four patients. The case was settled with OCR and Manasa Health Center agreed to pay a $30,000 penalty. This was OCR’s third enforcement action in the past year to see a financial penalty for disclosures of PHI in response to negative patient reviews. No company likes to receive bad reviews and negative customer comments may be unjustified, but PHI must never be disclosed online in response to reviews.

iHealth Solutions, which does business as Advantum Health, was investigated over a relatively small data breach involving the exposure of the ePHI of 267 patients. Patient information was stored on a server that had not been properly secured, allowing protected health information to be accessed over the Internet. OCR determined that iHealth Solutions had failed to conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The case was settled and iHealth Solutions agreed to pay a $75,000 penalty.

OCR has now imposed 8 financial penalties on HIPAA-regulated entities so far this year to resolve alleged violations of the HIPAA Rules with the penalties totaling $1,976,500. OCR has already exceeded last year’s total of $1,124,640 in fines that were collected from HIPAA-regulated entities in 17 enforcement actions.

State attorneys general can also impose financial penalties for HIPAA violations, although the fines are often imposed for equivalent violations of state laws, as was the case in California in June. In 2019, Kaiser Permanente sent mailings to its plan members, but an error resulted in letters being sent to old addresses, resulting in an impermissible disclosure of members’ protected health information. While this was a HIPAA violation, California imposed a financial penalty for violations of the California Confidentiality of Medical Information Act (CMIA) – an impermissible disclosure of the personal information of up to 175,000 individuals and the negligent maintenance and/or disposal of medical information. The case was settled for $450,000.


Patch Released for Actively Exploited Citrix NetScaler Zero Day Vulnerability

Citrix has released patches to fix three vulnerabilities that affect the NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances – formerly Citrix ADC/Citrix Gateway – including a zero-day bug that is being actively exploited in the wild.

The solutions are used by healthcare organizations for remote access and for improving the performance, security, and resiliency of application delivery, including electronic medical records. The extent to which the vulnerability is being exploited has not been confirmed by Citrix; however, security researchers expect the vulnerability to be widely exploited now that it has been announced, as vulnerabilities in Citrix appliances are targeted by hackers of all skill levels.

The critical flaw is tracked as CVE-2023-3519 and has been assigned a CVSS v3.1 severity score of 9.8 out of 10. Successful exploitation of the flaw would allow a remote, unauthenticated attacker to execute code on a vulnerable appliance. The vulnerability can be exploited if the appliance is running a vulnerable version and is configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an authentication virtual server (AAA server).

The other two high-severity vulnerabilities are not believed to have been exploited at the time of the announcement. The first is a cross-site scripting vulnerability – CVE-2023-3466 – which has a CVSS severity score of 8.3. The vulnerability can be exploited if the victim accesses an attacker-controlled link in a browser while on a network with connectivity to the NetScaler IP. The other vulnerability – CVE-2023-3467 – is a privilege escalation flaw with a CVSS score of 8.0. Exploitation allows privilege escalation to root administrator (nsroot). An attacker could exploit the flaw with authenticated access to the NSIP or SNIP with management interface access.

The vulnerabilities have been fixed in the following NetScaler ADC and NetScaler Gateway versions:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Customers that are still using version 12.1 have been advised to upgrade to a supported version, as version 12.1 has reached end-of-life.
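As an added example (not code from Citrix or from the original article), the following Python helper maps an appliance's firmware build onto the fixed releases listed above and flags the end-of-life 12.1 mainline. It assumes version strings in the bulletin's `13.1-49.13` notation and takes the FIPS/NDcPP variant as a separate argument, because the 13.1-FIPS fix (37.159) carries a lower build number than the 13.1 mainline fix (49.13) and a plain numeric comparison would misjudge it.

```python
import re
from typing import Optional

# First fixed build per release branch, as listed in the Citrix bulletin above.
# Key: (release branch, variant) -> (build, sub-build).
FIXED_BUILDS = {
    ("13.1", None): (49, 13),
    ("13.0", None): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}

# Mainline 12.1 received no fix; it is end-of-life and must be upgraded.
EOL_BRANCHES = {("12.1", None)}

# Assumed notation, taken from the bulletin text: "<major>.<minor>-<build>.<sub>".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)-(\d+)\.(\d+)\s*$")


def parse_version(version: str):
    """Split '13.1-49.13' into ('13.1', (49, 13)); raise ValueError otherwise."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, sub = m.groups()
    return f"{major}.{minor}", (int(build), int(sub))


def patch_status(version: str, variant: Optional[str] = None) -> str:
    """Return 'patched', 'vulnerable', 'end-of-life' or 'unknown-branch'.

    `variant` is None for mainline ADC/Gateway builds, or 'FIPS' / 'NDcPP'
    for the special builds, which have their own fixed build numbers.
    """
    branch, build = parse_version(version)
    key = (branch, variant)
    if key in EOL_BRANCHES:
        return "end-of-life"
    if key not in FIXED_BUILDS:
        # Branch not covered by this bulletin: consult the vendor advisory.
        return "unknown-branch"
    # Tuple comparison orders by build first, then by sub-build.
    return "patched" if build >= FIXED_BUILDS[key] else "vulnerable"


def triage(version: str, variant: Optional[str] = None,
           gateway_or_aaa: bool = True) -> dict:
    """Combine patch status with the exposure condition for CVE-2023-3519.

    The unauthenticated RCE is reachable only when the appliance is configured
    as a gateway (VPN vserver, ICA Proxy, CVPN, RDP Proxy) or an AAA vserver;
    the XSS and privilege-escalation flaws still warrant patching regardless.
    """
    status = patch_status(version, variant)
    if status == "unknown-branch":
        exposed = None  # cannot be decided from this bulletin alone
    else:
        exposed = status != "patched" and gateway_or_aaa
    if status == "patched":
        action = "none"
    elif status == "end-of-life":
        action = "upgrade to a supported release"
    else:
        action = "upgrade to a fixed release"
    return {"status": status, "rce_exposed": exposed, "action": action}


if __name__ == "__main__":
    # Constructed sample inventory, not real appliances.
    inventory = [
        ("13.1-49.13", None, True),
        ("13.1-48.47", None, True),
        ("13.1-37.159", "FIPS", True),
        ("13.1-37.159", None, False),
        ("12.1-65.25", None, True),
        ("12.1-55.297", "NDcPP", True),
    ]
    for version, variant, exposed in inventory:
        print(version, variant or "mainline", triage(version, variant, exposed))
```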


Generative AI Tool Without Ethical Restrictions Offered on Hacking Forums

Generative AI tools such as ChatGPT and Google Bard have restrictions in place to prevent abuse by malicious actors; however, security researchers have demonstrated these control measures can be bypassed and there is considerable chatter on hacking forums about how the ethics filters of tools such as ChatGPT can be circumvented to get the AI tools to write phishing emails and malware code. While inputs can be crafted to generate malicious outputs, there is now a much easier way to use generative AI for malicious purposes.

Research conducted by SlashNext has uncovered an alternative AI tool that is being offered on hacking forums. The tool, WormGPT, has no restrictions in place and can easily be used by malicious actors to craft convincing phishing emails and business email compromise (BEC) attacks. The tool is billed as a blackhat alternative to ChatGPT which has been specifically trained to provide malicious output.

Without the restrictions of ChatGPT and Bard, users are free to craft phishing emails and BEC scams with convincing lures and perfect grammar. The emails created using this tool can be easily customized to tailor attacks to specific organizations and emails can be crafted with little effort or technical skill and there is no language barrier, allowing attacks to be conducted by virtually anyone at speed and scale.

WormGPT is based on the GPT-J language model and includes an impressive range of features, such as chat memory retention, unlimited character support, and code formatting capabilities. The developers claim to have trained the algorithm on a diverse array of data sources and concentrated on malware-related data. SlashNext researchers put the tool to the test and instructed it to generate an email to pressure an account manager into paying a fraudulent invoice. “The results were unsettling,” wrote the researchers. “WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks.”

Researchers have demonstrated that AI-based tools are far better than humans at creating phishing and other scam emails and the emails have a high success rate. It is therefore vital for organizations to take steps to improve their defenses against AI-enabled attacks. This week, the Health Sector Cybersecurity Coordination Center (HC3) published a brief explaining the benefits of AI, how the technology can easily be abused by malicious actors, and provided recommendations for healthcare organizations to improve their defenses against AI-enabled attacks. SlashNext recommends developing extensive training programs for cybersecurity personnel on how to detect and block AI-enabled attacks and educating all employees on phishing and BEC threats. While detecting AI-generated malicious emails can be difficult even for advanced security solutions, flagging emails that originate from outside the organization will alert employees about potential threats. SlashNext also recommends flagging emails that contain specific keywords often used in phishing and BEC attacks.


BD Warns of Vulnerabilities in its Alaris Guardrails Suite MX Infusion Pumps

Becton, Dickinson and Co. (BD) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories about 8 recently identified vulnerabilities in BD Alaris Guardrails Suite MX, which could be exploited by malicious actors to gain access to sensitive data and impact the availability of devices. The flaws were identified by BD during routine internal security testing and were shared with CISA, the FDA, and Information Sharing and Analysis Organizations (ISAOs) under its responsible disclosure policy. BD performed risk assessments and determined that while there is a potential safety impact, the risks associated with all 8 of the vulnerabilities can be effectively mitigated by implementing the recommended control measures.

The 8 vulnerabilities affect the BD Alaris System v12.1.3 and earlier versions and include 1 high-severity, 5 medium-severity, and 2 low-severity vulnerabilities. BD said no evidence has been found to indicate any of the vulnerabilities have been exploited to date; however, the attack complexity is low, so the recommended steps should be taken to reduce the risk of exploitation.

The most serious vulnerability – CVE-2023-30563 (CVSS 8.2) – is a cross-site scripting issue due to improper neutralization of input during web page generation. A malicious actor could exploit the flaw to upload a malicious file to the BD Alaris Systems Manager user import function and hijack a session.

CVE-2023-30564 (CVSS 6.9) is a cross-site scripting vulnerability due to the failure of the Alaris Systems Manager to perform input validation during the device import function. It could be exploited to load a malicious payload and therefore has an impact beyond Systems Manager; however, an attacker would need to be on an adjacent network to exploit the vulnerability.

CVE-2023-30560 (CVSS 6.8) is due to a lack of authentication for PCU configuration, which has a high impact on confidentiality, integrity, and availability; however, exploitation is only possible with physical access to the BD Alaris PCU. Successful exploitation would allow the configuration to be modified without authentication.

CVE-2023-30562 (CVSS 6.7) is due to a lack of dataset integrity checking and allows a GRE dataset file within Systems Manager to be tampered with and distributed to PCUs. An attacker would need to be on an adjacent network to exploit the flaw and would need generalized permissions.

CVE-2023-30561 (CVSS 6.1) is due to a lack of cryptographic security on the IUI bus. A threat actor with physical access could potentially read and modify data if a specifically crafted device was attached during infusion.

CVE-2023-30559 (CVSS 5.2) is due to the wireless card firmware being improperly signed, which allows the card to be modified. The flaw could only be exploited with physical access to the BD Alaris PCU.

The two low-severity flaws are a CQI data sniffing issue – CVE-2023-30565 (CVSS 3.5) – that could expose infusion data, and a lack of input validation within Apache Log4Net Calculation Services – CVE-2018-1285 (CVSS 3.0) – which could be exploited to execute malicious commands.

BD has suggested several mitigating and compensating controls in its alert to reduce the potential for exploitation to a low and acceptable level.


HC3 Shares Tips for Defending Against AI-Enhanced Cyberattacks

Generative Artificial Intelligence (AI) tools such as ChatGPT can be used as virtual assistants, for customer support, for quickly retrieving and summarizing information, and for automating repetitive administrative tasks. As such, they have tremendous potential in many industries, including healthcare. While there are considerable advantages to AI-based tools, they can also be misused by malicious actors, and there is growing evidence that cyber actors are using these tools to speed up and scale their attacks.

This week, the HHS Health Sector Cybersecurity Coordination Center (HC3) published a brief on AI, the threat AI-powered tools pose to the health sector, and mitigations healthcare organizations can implement to ensure their security strategies evolve to deal with AI-based threats. Tools such as ChatGPT have controls in place to prevent abuse by malicious actors; however, it is possible to circumvent those protections with ease. Artificial Intelligence tools are already being used by malicious actors to accelerate malware and ransomware development and create more complex code that is capable of evading security solutions. AI tools are being used to automate attacks, exploit unpatched vulnerabilities more rapidly, perform deeper reconnaissance of targets, and develop hard-to-detect phishing emails and impersonation attacks.

HC3 demonstrated the ease at which tools such as ChatGPT can be leveraged by malicious actors by creating phishing email templates with perfect spelling and grammar along with convincing lures to trick recipients into opening malicious attachments or clicking hyperlinks to malicious web pages. The emails can easily be customized for highly targeted attacks and customization can be automated for conducting attacks at scale.

Threat actors can also use ChatGPT to write working malware. HC3 cites the BlackMamba proof of concept from HYAS, in which researchers used ChatGPT to generate malware that repeatedly mutates its own code at runtime to evade security solutions. The researchers posed as legitimate security researchers to get around OpenAI’s ethics filters. AI-based tools such as ChatGPT allow threat actors with little technical skill to create malware, opening up attacks to a much broader range of cybercriminals while helping sophisticated cybercriminals automate the creation of different parts of the infection chain.

Defending against the malicious use of artificial intelligence tools can be a challenge for healthcare organizations. HC3 recommends using the Artificial Intelligence Risk Management Framework from the National Institute of Standards and Technology (NIST) and the MITRE ATLAS knowledge base of adversary tactics, techniques, and case studies for machine learning (ML) systems, adopting AI-based tools for defense, including for penetration testing, threat detection, threat analysis, and incident response, and providing AI training for cybersecurity personnel. It may not be possible to prevent the malicious use of AI by cyber threat actors, but AI-educated users and AI-enhanced systems will be much more adept at detecting AI-enhanced threats.

The post HC3 Shares Tips for Defending Against AI-Enhanced Cyberattacks appeared first on HIPAA Journal.

CISA Publishes Factsheet to Help Businesses Securely Transition to Cloud Environments

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a new resource that healthcare organizations can use to guide them through the transition from on-premises to cloud and hybrid environments. The fact sheet provides information on the digital tools that can be used to ensure that critical assets are secured and sensitive data is safeguarded. The fact sheet – Free Tools for Cloud Environments – lists open source tools and methods for identifying, detecting, and mitigating threats, vulnerabilities, and anomalies in both cloud and hybrid environments.

Healthcare organizations are actively targeted by cyber threat actors and attacks on cloud-based resources and services are increasing. Cyber threat actors take advantage of organizations that do not possess the proper resources for defending against cyber threats. Successful attacks on poorly defended cloud resources allow threat actors to steal sensitive data and conduct encryption and extortion attacks.

Cloud service platforms and cloud service providers (CSPs) offer a range of security features to help customers protect their assets when operating in cloud environments. These features should be combined with third-party tools, which can help to strengthen security and plug any security gaps, especially for hybrid cloud environments where the responsibility for securing assets is shared by organizations and their CSPs.

CISA recommends a design phase that incorporates secure-by-design concepts and strategies and identifies the security solutions that meet the organization’s needs. Several free-to-use security solutions and open source tools can help network defenders identify and detect threats, assess security posture, and map threat actor behavior to the MITRE ATT&CK framework. The factsheet details several tools that network defenders and incident responders can use: CISA’s Cyber Security Evaluation Tool (CSET), SCuBAGear, Decider, and Untitled Goose Tool, and Memory Forensic on Cloud from JPCERT/CC (the Japan Computer Emergency Response Team Coordination Center).

These tools can be used to evaluate cybersecurity posture (CSET), compare Microsoft 365 configurations against CISA’s Secure Cloud Business Applications (SCuBA) baselines (SCuBAGear), detect malicious activity in Microsoft cloud environments (Untitled Goose Tool), generate MITRE ATT&CK mapping reports (Decider), and build memory forensic environments on AWS (Memory Forensic on Cloud). While these tools are neither all-encompassing nor endorsed by CISA, they can help healthcare organizations significantly improve their security posture as they transition to the cloud.

The post CISA Publishes Factsheet to Help Businesses Securely Transition to Cloud Environments appeared first on HIPAA Journal.

HIPAA Compliance Guidelines

We have compiled these HIPAA Compliance Guidelines because HIPAA rules and regulations can be very confusing for healthcare professionals tasked with ensuring HIPAA compliance at their organization.

HIPAA Guidelines: Seven Elements For Effective Compliance

In 2011, HHS published “The Seven Fundamental Elements Of An Effective Compliance Program”. We have slightly amended it to be more relevant to HIPAA compliance in 2023. Here is a summary of the elements, which we outline in more detail below:

  1. Develop policies and procedures so that day-to-day activities comply with the Privacy Rule.
  2. Designate a Privacy Officer and a Security Officer.
  3. Implement effective training programs.
  4. Ensure channels of communication exist to report violations, and breaches.
  5. Monitor compliance at floor level so poor compliance practices can be nipped in the bud.
  6. Enforce sanctions policies fairly and equally.
  7. Respond promptly to identified or reported violations, and breaches.

You can also read more about the background and history of the Seven Elements here, although this is not necessary.

Next, we go over each element in more detail.

Element 1: Why Privacy Rule Policies and Procedures?

Although HIPAA compliance consists of complying with all relevant Administrative Simplification Regulations, implementing Security Rule and Breach Notification standards is generally an organizational process not connected with cultivating a culture of compliance. Additionally, the most common HIPAA violations are attributable to failures to comply with the Privacy Rule.

However, it is no longer sufficient to develop policies and procedures that only address permissible uses and disclosures, the minimum necessary standard, and patients’ rights. Covered Entities should ensure Privacy Rule policies and procedures include how to explain to patients what PHI is (and what it isn’t), how to verify an individual’s identity, and how to record requests for privacy protections.

Element 2: The Roles of HIPAA Compliance Officers

It is interesting that the HHS’ Office of Inspector General placed this “tip” in second place after the development of policies and procedures. This would imply the roles of HIPAA compliance officers are to train members of the workforce, monitor compliance, and enforce the organization’s sanctions policy. However, there is quite a lot more involved in being a compliance officer.

In most cases, the HIPAA Privacy Officer will be the point of contact for members of the public and members of the workforce that want to report privacy concerns. Security Officers are generally more responsible for conducting risk assessments, ensuring security solutions are configured properly, and training members of the workforce on how to use the solutions compliantly.

Element 3: What Makes an Effective Training Program?

The effectiveness of the training provided to members of the workforce can make the difference between ticking the box of compliance or cultivating a culture of compliance. To make Privacy Rule training effective, members of the workforce must understand what PHI is, why it has to be protected, and the consequences to patients, employers, and themselves of HIPAA violations.

Security Rule training must focus even more on the consequences of taking shortcuts, circumventing safeguards, and failing to alert managers to a data breach for fear of “getting into trouble”. One way of bringing the password point home is to ask members of the workforce to check their personal online credentials against the Have I Been Pwned (HIBP) database to illustrate the importance of unique, complex passwords.
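As an added illustration of that HIBP check (example code written for this page, not part of the HIPAA Journal article or of HIBP itself), the block below shows the k-anonymity lookup the Pwned Passwords API supports: only the first five characters of the password’s SHA-1 hash are sent, the returned list of suffixes is matched locally, and so neither the password nor its full hash leaves the machine. This matters when staff are asked to test real credentials. The live fetcher targets the real api.pwnedpasswords.com range endpoint; the sample range response and its breach count are constructed for the offline demonstration.

```python
"""
Check a password against Have I Been Pwned's Pwned Passwords corpus using the
k-anonymity range API, so the password (and its full hash) never leaves the host.

Added example for this page; not HIBP's code. The sample range body below is
constructed for offline use, not a real API response.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form Pwned Passwords is indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """The first 5 hex chars go to the API; the remaining 35 are matched locally."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Zero-count lines are padding the service can add (Add-Padding header) to hide
    the real number of matches from a network observer; they are dropped here.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_live(prefix: str) -> str:
    """Real network fetch of one hash range (not used by the offline demo)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-training-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Return how many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- Constructed offline fixture -------------------------------------------
# Built around the well-known SHA-1 of "password" (5BAA61E4...). The other
# suffixes and the breach count are made up for the demonstration.
_DEMO_PREFIX, _DEMO_SUFFIX = split_hash(sha1_hex("password"))
SAMPLE_RANGE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_DEMO_SUFFIX}:3861493",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",   # padding line, must be ignored
])


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_live that never touches the network."""
    if prefix != _DEMO_PREFIX:
        return ""   # an empty range is legitimate: no suffix in the corpus matched
    return SAMPLE_RANGE_BODY


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple xq9!"):
        n = pwned_count(pw, fetch_range_offline)
        verdict = f"seen {n} times, do not use" if n else "not in sample corpus"
        print(f"{pw!r}: {verdict}")
```

Swap `fetch_range_offline` for the default `fetch_range_live` to query the real service; the prefix sent on the wire is shared by hundreds of unrelated hashes, which is what makes the check safe to run on genuine credentials in a training session.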

Element 4: The Importance of Two-Way Communication

While policy making and training have to come from the top down, it is important that channels of communication relating to HIPAA compliance also run bottom up – not only to raise compliance concerns or report HIPAA violations, but also to provide feedback on what works and what doesn’t on the ground floor, and on what new challenges frontline members of the workforce are facing.

This is why it can be important – when resources allow – to have a compliance team consisting of team members that have worked in or have knowledge of how different departments operate. For example, a compliance team consisting solely of lawyers and IT managers may not appreciate the difficulty of protecting the privacy of PHI in front of a grieving family mourning a recent loss.

Element 5: How Most Poor Compliance Practices Develop

Most poor compliance practices result from well-meaning intentions – for example, to “get the job done” or to provide a good service to a patient’s family. When minor violations are allowed to continue, poor compliance practices can develop into a culture of non-compliance. This is why it is important to identify and address poor compliance practices at the earliest opportunity.

While it is important to have eyes on compliance at floor level, it is also important not to take eyes off compliance at higher levels. Busy managers and senior managers can also be guilty of taking shortcuts with compliance or ignoring non-compliant activities because they do not have the time to “sort it out” – when, in truth, the failure to take action is a failure of management.

Element 6: The Best Sanctions are Not Always Disciplinary

Sanctions policies can often be overwhelming documents threatening all manner of disciplinary actions for non-compliance from warnings to suspensions, to termination of contract and loss of license. Some even include the maximum federal penalties for violations of §1177 of the Social Security Act (up to ten years in prison and up to $250,000 in fines).

Although these sanctions may have to legally be included in a sanctions policy, making them the focus of attention is not necessarily the best way to cultivate a culture of compliance. The threat of additional training is often sufficient to create and maintain a compliant workforce – especially if whole teams have to attend refresher training due to the non-compliance of an individual!

Element 7: Responding Quickly is the Key to Compliance

One of the keys to cultivating a culture of compliance is to respond to queries, issues, complaints, reports of violations, and data breaches as quickly as possible. Responding quickly to any type of communication demonstrates a commitment to compliance and an eagerness to ensure – once a compliant workforce is achieved – the compliant state is maintained.

Responding to queries, issues, complaints, etc. would ordinarily be the responsibility of compliance officers (or teams), but this can lead to the compliance officers being overwhelmed. Consequently, it may be necessary for managers and senior managers to take some responsibility for monitoring compliance and responding to workforce or patient communications.

The post HIPAA Compliance Guidelines appeared first on HIPAA Journal.