Healthcare Cybersecurity

HSCC Publishes Coordinated Healthcare Incident Response Plan Template

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has published a Coordinated Healthcare Incident Response Plan (CHIRP) that can be used as a template by healthcare organizations to develop a coordinated cybersecurity incident response plan.

Given the frequency of cyberattacks on the healthcare sector and the harm that these incidents can cause, it is vital for healthcare organizations to develop, implement, maintain, and test an incident response plan. In the event of a cyberattack, the incident response plan can be initiated immediately to limit the harm caused and help ensure a rapid recovery.

There are several resources available on the technical response process to a cybersecurity incident, and while these resources provide guidance on the technical aspects of the response, such as detection, containment, response, and recovery, they do not deal with the impact of an attack on patient care and patient safety. Healthcare organizations have emergency plans to ensure business continuity and patient care in the event of IT outages and natural disasters; however, these plans may not be totally effective when responding to a cyberattack.

The new HSCC resource is intended to help address the gaps many healthcare organizations have in their incident response plans. The CHIRP is a tool that can be used as a starting point when developing an effective incident response plan, which can be tailored to meet the needs of each organization. “Healthcare Delivery Organizations have many of the parts and pieces needed to respond to a cybersecurity incident, but guidance is missing on how to tie all of these separate components together. This template seeks to serve as the cog that can be installed in the machine to allow all of the components to run together as a Coordinated Healthcare Incident Response Plan.”

The template is a guiding document that includes sample content to help incident response plan managers understand the purpose of each section when completing their own planning work, which can be replaced as necessary based on the needs of each organization and should be used in conjunction with the HSCC’s Health Industry Cybersecurity Operational Continuity – Cyber Incident (HIC-OCCI) publication.

The template guides plan managers through incident identification, response, IT system recovery, operations and emergency management, communications, and legal and risk management, and has been developed to be easily customized to suit organizations of all types and sizes. The guidance helps healthcare organizations tie together existing business continuity, organizational, and disaster recovery plans, and downtime procedures to ensure an efficient, coordinated response to any cybersecurity incident.

The post HSCC Publishes Coordinated Healthcare Incident Response Plan Template appeared first on HIPAA Journal.

EU Health Sector Cyber Study Confirms Ransomware is the Leading Threat

The European Union Agency for Cybersecurity (ENISA) has published the results of its first-ever analysis of the cyber threat landscape of the health sector in the European Union (EU). ENISA mapped healthcare cyber incidents between January 2021 and March 2023 and identified the key targets of attacks, the threat actors behind them, attack trends, and the impact that cyberattacks have on the health sector.

A range of healthcare entities experienced cyberattacks over the two-year study period, including health authorities, bodies and agencies, and pharma firms; however, the majority of attacks targeted healthcare providers (53%), especially hospitals (42%). Over the two years, ENISA analyzed 215 publicly reported cyber incidents in the EU and neighboring countries, 208 of which were cyberattacks on the health sector, and the analysis included 5 reports of identified vulnerabilities (not necessarily exploited), and two warnings of potential cyber activity affecting the health sector. ENISA notes that cyber incidents have remained stable but there appears to have been an increase in attacks in 2023, with 40 incidents analyzed from January to March, compared to 91 incidents in the whole of 2021 and 84 in all of 2022.

46% of total incidents targeted healthcare data and 83% of attacks were financially motivated, driven by the high value of healthcare data. 10% of attacks had an ideological motivation. The most common impact of attacks was data breaches or data theft (43%), followed by disruption of non-healthcare services (26%) and disrupted healthcare services (22%). Throughout the study period, ransomware posed the biggest threat. Ransomware attacks accounted for 53% of incidents, and 43% of ransomware attacks included data theft or data breaches. In addition to ransomware being the most common type of incident, these attacks also had the biggest impact on healthcare organizations. Ransomware attacks increased between 2021 and 2022 and appear to have continued to increase in 2023, with the LockBit 3.0, Vice Society, and BlackCat groups behind the majority of the attacks.

A significant percentage of the study period covered the COVID-19 pandemic era, during which the healthcare sector was one of the prime targets for malicious actors. The pandemic was linked to the increase in ransomware attacks; however, there was also an increase in data leak incidents. While data leak incidents did occur due to malicious activity, they were also commonly caused by poor security practices and misconfigurations. Healthcare organizations struggled to adapt to a new way of working during the pandemic and cybersecurity was often neglected due to pressing operational needs.

Toward the end of the study, geopolitical developments triggered an increase in hacktivist incidents, most commonly DDoS attacks on healthcare providers by pro-Russian hacktivist groups such as KillNet that aimed to disrupt healthcare services in retaliation for support for Ukraine. These attacks are expected to continue for at least as long as the Russia-Ukraine war continues, although the impact of these attacks is relatively low.

Cyberattacks on the healthcare sector have a financial cost; however, it is difficult to accurately assess the cost of attacks. A 2022 ENISA NIS Investment study suggests the median cost of a major security incident is €300,000 ($328,870); however, the biggest concern is patient safety, as the attacks often result in a delay to triage and treatment, and data breaches have the potential to affect the well-being of patients.

Despite the extent to which ransomware was used in attacks, 27% of healthcare organizations did not have a dedicated ransomware defense program. The study also revealed a lack of security awareness training for non-IT staff, with only 40% of original equipment suppliers providing security awareness training to non-IT staff. As is the case on the opposite side of the Atlantic, risk analysis failures were common. A separate survey conducted by the NIS cooperation group found that virtually all healthcare organizations (95%) find risk analyses a challenge, with 46% admitting to never having performed one.

Poor patch management practices are increasingly being exploited in healthcare cyberattacks. 4% of confirmed data leaks/data breaches in 2021 and 2022 exploited vulnerabilities to gain access to healthcare networks or took advantage of system misconfigurations, and 80% of the healthcare organizations that were interviewed said more than 61% of their security incidents were due to vulnerabilities.

The high percentage of organizations experiencing challenges with risk analyses and the high number never having conducted one make this one of the key areas to address to improve resilience to cyberattacks. ENISA also says key priorities should be creating offline encrypted backups of mission-critical data, providing security awareness training for all staff, conducting regular vulnerability scans and promptly patching vulnerabilities, improving authentication practices, ensuring basic cyber incident response plans are created, maintained, and exercised, and getting senior management to commit to improving cybersecurity.


Progress Software Patches Another Critical Flaw in MOVEit Transfer

Progress Software has released a service pack to address three recently disclosed vulnerabilities in its MOVEit Transfer software, one of which is rated critical and can be exploited remotely by an unauthenticated user. According to Progress Software, the vulnerability – CVE-2023-36934 – is a SQL injection flaw that, if exploited, would allow an unauthorized individual to gain access to the MOVEit Transfer database.

A second SQL injection vulnerability has been fixed that could also be exploited to gain access to the MOVEit Transfer database, resulting in modification or disclosure of MOVEit database content. The vulnerability, CVE-2023-36932, is rated high-severity as the attacker would need to be authenticated. The third vulnerability is tracked as CVE-2023-36933 and is also a high-severity flaw. The vulnerability could be exploited to invoke a method that results in an unhandled exception, which would cause the application to terminate unexpectedly.

None of the three vulnerabilities are believed to have been exploited in the wild nor had any proof-of-concept exploits been released at the time of the release of the latest security updates; however, prompt patching is strongly recommended. A vulnerability disclosed in May 2023 – CVE-2023-34362 – was exploited by the Clop ransomware group which allowed the theft of customer data from the MOVEit Transfer database. Following the exploitation of that flaw, Progress Software conducted an audit and found other critical severity flaws, which were also recently patched.

Vulnerable software versions are detailed below along with the fixed versions of the software:

Affected Version | Vulnerabilities | Fixed Version
--- | --- | ---
MOVEit Transfer 2020.0.x (12.0.x) and older | CVE-2023-36932 (High), CVE-2023-36934 (Critical) | Upgrade required to a supported MOVEit Transfer version
MOVEit Transfer 2020.1.6 (12.1.6) and later | CVE-2023-36932 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2020.1.11 (12.1.11) – Service Pack
MOVEit Transfer 2021.0.x (13.0.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2021.0.9 (13.0.9)
MOVEit Transfer 2021.1.x (13.1.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2021.1.7 (13.1.7)
MOVEit Transfer 2022.0.x (14.0.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2022.0.7 (14.0.7)
MOVEit Transfer 2022.1.x (14.1.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2022.1.8 (14.1.8)
MOVEit Transfer 2023.0.x (15.0.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2023.0.4 (15.0.4)

There are different routes for fixing the latest trio of flaws depending on whether the May 2023 patch and remediation steps were applied, details of which are available from Progress Software. Progress Software has also confirmed that it will be releasing service packs on a monthly basis to make it quicker and easier for system administrators to address security issues in the future.


75% of Users Admit Taking Risks with Passwords

According to the Verizon Data Breach Investigations Report, 80% of successful data breaches are due to the use of compromised passwords, and while password best practices are widely understood, people are still taking considerable risks and continue to use weak passwords to secure their accounts and fail to follow password best practices.

Common poor password practices include setting passwords that are easy to remember, including dictionary words, memorable dates, and personal information that is easily obtained from social media sites. Passwords are often reused on multiple platforms, which means if a password is guessed or otherwise obtained, all accounts that are protected with that password are at risk. Password reuse on multiple sites is exploited in credential stuffing attacks, where the username and password obtained in a data breach on one platform are used to try to access accounts on unrelated platforms. Passwords are often reused for business and personal accounts, and even when unique passwords are set for each account, they are often just variations of the same password.

A recent survey of 8,000 individuals in the United States, United Kingdom, France, and Germany by Keeper Security showed just how common it is for people to take shortcuts with password security and by doing so put their personal and work accounts at risk. Almost three-fourths of respondents to the survey admitted to not following industry-recommended password practices, with only 25% of respondents saying they set strong, unique passwords for all of their accounts. 34% of respondents said they use variations of the same password for multiple accounts, and 30% said they set simple passwords for their accounts that are easy to remember, even though they are also easy to guess.

Even individuals who claimed to have a good understanding of password best practices and thought their passwords were well managed still failed to practice good password hygiene. 44% of individuals who thought their passwords were well managed used variations of the same password for different accounts. Overall, 64% of respondents admitted to using weak passwords or variations of the same password for their accounts. More than one-third of respondents said they feel overwhelmed about taking action to improve cybersecurity and 10% of respondents admitted to neglecting password management entirely.

With 80% of data breaches stemming from compromised credentials, and one in five respondents admitting that at least one of their passwords was known to have been compromised in a data breach and was available on the dark web, it is clear that poor password practices are not just a hypothetical risk. They are commonly exploited by threat actors to gain access to accounts and sensitive data.

While more than half (51%) of respondents said they thought cybersecurity was easy to understand, around half of those individuals still followed poor password practices, suggesting a significant number of individuals either overestimate their knowledge of cybersecurity or are willfully taking risks with passwords. 41% of respondents said they find cybersecurity difficult to understand, but 32% admitted to still taking steps to protect themselves – more than the 25% of people who claim to have a good understanding of cybersecurity and take steps to protect themselves. The survey suggests that individuals who feel overwhelmed by cybersecurity tend to practice poor password hygiene and that the more an individual knows about cybersecurity, the more likely they are to feel overwhelmed.

Training tends to try to hammer home the message that it is vital to create a strong, unique password for each account, yet fails to provide individuals with the tools they need to adopt good password practices in a manageable way. Since most people have huge numbers of accounts to secure, they need to remember dozens or hundreds of unique passwords, and that simply isn’t possible without taking shortcuts. The simple solution is to provide a password manager that can be used to generate strong and unique passwords, store them securely, and auto-fill them when they are needed or implement a single-sign-on solution that only requires users to set one strong and unique password.

Since it is difficult to eliminate poor password practices entirely, multifactor authentication should also be implemented to ensure that if a password is guessed or otherwise obtained, by itself it will not grant access. The HHS’ Office for Civil Rights recently stressed the importance of multifactor authentication in its June Cybersecurity Newsletter.


More Than 300,000 Fortinet Firewalls Still Vulnerable to Critical FortiOS RCE Vulnerability

On June 12, 2023, Fortinet disclosed a critical remote code execution vulnerability in its FortiOS firmware. The heap buffer overflow issue was assigned a CVSS v3 base score of 9.8 out of 10 and could be remotely exploited on Fortinet firewalls that have the SSL VPN interface exposed to the Internet.

Last month, Fortinet warned that the vulnerability – CVE-2023-27997 – had already been exploited in limited attacks, so immediate patching was strongly recommended. Fortinet fixed the vulnerability in firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 and urged all users to update the firmware as soon as possible to prevent exploitation. A workaround was also recommended for users that are unable to immediately update the firmware, which involves disabling the SSL VPN.

It has now been a month since the firmware updates were released and patching appears to have been slow. Cybersecurity firm Bishop Fox reports that more than 300,000 FortiGate firewall appliances remain vulnerable and have yet to have the firmware updated. Bishop Fox conducted a Shodan scan to identify FortiGate firewalls that had an exposed SSL VPN interface. The researchers identified 489,337 appliances with an exposed SSL VPN interface and only 153,414 of those appliances had been updated to a version of the firmware not vulnerable to the CVE-2023-27997 flaw. Bishop Fox researchers then used an exploit to demonstrate the seriousness of the vulnerability. The exploit “smashes the heap, connects back to an attacker-controlled server, downloads a BusyBox binary and opens an interactive shell,” said the researchers.

The researchers also discovered that many of the FortiGate appliances were running FortiOS version 6, for which support was withdrawn in September 2022. CVE-2023-27997 is not the only critical vulnerability to affect FortiOS 6. Several other critical flaws have been identified in that version of the firmware, some of which have proof-of-concept (PoC) exploit code in the public domain.

All organizations that use FortiGate firewalls should check the firmware version and upgrade immediately if a vulnerable version is being used or apply the workaround. If the vulnerability is exploited, a threat actor could gain full control of the firewall, remotely execute malicious code, steal sensitive data, and gain the network access they require to conduct ransomware attacks.
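Both this article and the MOVEit Transfer article above come down to the same administrative task: compare each installed version against the first fixed build for its branch and flag anything older. The following is an added example, not code from HIPAA Journal, Progress Software or Fortinet; the fixed-version tables are transcribed from the two articles, while the function names and the sample inventory are constructed for illustration.

```python
import re

# Transcribed from the MOVEit Transfer table above: branch (major, minor) -> first fixed build.
# 2020.0.x (12.0.x) and older has no service pack and must be upgraded to a supported branch.
MOVEIT_FIXES = {
    (12, 1): (12, 1, 11),  # 2020.1.11 service pack
    (13, 0): (13, 0, 9),   # 2021.0.9
    (13, 1): (13, 1, 7),   # 2021.1.7
    (14, 0): (14, 0, 7),   # 2022.0.7
    (14, 1): (14, 1, 8),   # 2022.1.8
    (15, 0): (15, 0, 4),   # 2023.0.4
}
# Transcribed from the Fortinet article: firmware versions that fix CVE-2023-27997.
FORTIOS_FIXES = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}
ADVISORIES = {"moveit": MOVEIT_FIXES, "fortios": FORTIOS_FIXES}


def parse_version(text):
    """Parse 'major.minor.patch' (optional leading 'v'); returns a tuple or None if malformed."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def assess(product, version_text):
    """Return (status, first_fixed_version_or_None) for one installed version."""
    fixes = ADVISORIES[product]
    v = parse_version(version_text)
    if v is None:
        return ("unparseable", None)          # inventory data needs cleaning before it can be trusted
    branch = v[:2]
    if branch in fixes:
        fixed = fixes[branch]
        return ("patched", fixed) if v >= fixed else ("vulnerable", fixed)
    if branch < min(fixes):
        # Older than any branch that received a fix (e.g. MOVEit 12.0.x):
        # the only remediation is an upgrade to a supported branch.
        return ("upgrade-required", None)
    # A branch newer than the table lists: not covered here, consult the vendor advisory.
    return ("unknown-branch", None)


def report(inventory):
    """Count statuses over a list of (host, product, version) tuples."""
    counts = {}
    for _host, product, version in inventory:
        status, _ = assess(product, version)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("mft-01", "moveit", "13.0.8"),
    ("mft-02", "moveit", "15.0.4"),
    ("mft-03", "moveit", "12.0.3"),
    ("fw-01", "fortios", "v7.0.11"),
    ("fw-02", "fortios", "7.2.5"),
    ("fw-03", "fortios", "7.4.0"),
    ("fw-04", "fortios", "unknown"),
]

if __name__ == "__main__":
    for host, product, version in SAMPLE_INVENTORY:
        print(host, product, version, *assess(product, version))
    print(report(SAMPLE_INVENTORY))
```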


Cybersecurity Agencies Warn of TrueBot Malware Campaign Targeting U.S. and Canadian Orgs

A joint cybersecurity advisory has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) warning about a TrueBot malware campaign targeting organizations in the United States and Canada.

TrueBot is a downloader/botnet malware that establishes a connection with its command-and-control server, collects information on compromised systems, and is used for launching more extensive attacks on compromised networks. TrueBot is used by multiple threat actors including FIN11 and the Silence group. FIN11 has been using TrueBot malware to deploy Clop ransomware on victims’ networks. FIN11 installs TrueBot, then uses the malware to deliver the FlawedGrace Remote Access Trojan (RAT), which is used to escalate privileges and maintain persistence. FIN11 has also been observed deploying Cobalt Strike beacons.

TrueBot is usually installed via phishing attacks using malicious attachments; however, newer versions of the malware are also being delivered by exploiting a remote code execution vulnerability in the Netwrix Auditor application – CVE-2022-31199. Successful exploitation of the vulnerability allows a malicious actor to execute arbitrary code with SYSTEM privileges, allowing the deployment of TrueBot malware at scale within a compromised environment. The cybersecurity authorities report that phishing emails with malicious hyperlinks are being used in addition to the exploitation of the Netwrix Auditor vulnerability to deliver TrueBot malware.

Immediate patching of the CVE-2022-31199 vulnerability is strongly recommended if the Netwrix IT system auditing software is in use. To protect against phishing attacks, email security solutions are recommended along with phishing-resistant multifactor authentication. Organizations are also encouraged to search for the published Indicators of Compromise (IoCs) detailed in the alert and to immediately apply the recommended incident responses and mitigation measures if the IoCs are detected.


Editorial: The Importance of Identity and Access Management (IAM) in Healthcare

Identity and access management in healthcare is a best practice for ensuring that employees, vendors, contractors, and subcontractors are provided with appropriate access to the technology resources and data they need to perform their required duties, and that policies, procedures, and technology are in place to prevent unauthorized individuals from accessing resources and sensitive data.

Identity and access management consists of administrative, technical, and physical safeguards to keep resources and data locked down, with access to resources and data granted based on job role, authority, and responsibility. Identity and access management, in short, is about providing the right people with access to the right resources and data, at the right time, for the right reasons, while preventing unauthorized access at all times.

For a business with a small staff and few third-party vendors, identity and access management is straightforward. With few individuals requiring access to systems and data, ensuring everyone has access to the systems and data they need and nothing more is a relatively simple process. In healthcare, identity and access management is much more complicated. Access must be granted to a wide range of devices, including desktops, laptops, smartphones, routers, controllers, and a wide range of medical devices. Healthcare organizations typically use a wide variety of vendors, all of whom require access to systems and data, and there is often a high staff turnover, making it difficult to onboard and offboard in a timely manner.

To add to the problem, hackers are actively targeting healthcare organizations due to the value of the data they hold. Healthcare organizations are also heavily reliant on data and IT systems to support healthcare operations and ensure patient safety, making the sector an ideal target for ransomware gangs. The extent to which these attacks are succeeding highlights the difficulty healthcare organizations have with securing their systems and preventing unauthorized access.

[Figure: The increase in data breaches due to hacking. Data source: HHS’ OCR Breach Portal.]

Overview of Identity and Access Management

Identity and access management covers five key areas: Policy, identity management, access management, security, and monitoring. An identity and access management policy is required which determines who has access to systems and data and who has the authority to alter the functionality of IT systems. The policy must also cover onboarding and offboarding employees, vendors, and applications, and the actions that must be logged and monitored.

Identity management is a set of processes for establishing the identity of a person or device when they first make contact and for any subsequent interactions. Access management involves authentication and dictates the actions that a user is permitted to perform, with security controls implemented to prevent unauthorized access. Finally, logging is required to record system activity and data interactions to allow investigations of unauthorized activity, with logs routinely monitored and alerts generated and investigated in response to anomalous behavior.

Principles of Identity and Access Management in Healthcare

There are five key principles of identity and access management: Identification, authentication, authorization, access governance, and logging/monitoring of access and user activity.

Identification

All users – employees, vendors, contractors & subcontractors – and devices and applications that require access to systems and data must be identified and their true identities established. Identification is concerned with establishing the digital identity of a user, device, or system, which is usually achieved with a unique username/IP address.

Authentication

When a user or device has been identified, it is necessary to authenticate to prove that the user or device is what it claims to be. This is commonly achieved with a unique password associated with the username or device. Since usernames and passwords can be guessed or obtained, additional forms of authentication are required.

Authorization

Once the identity of a user has been established and authentication has occurred, they will be provided with conditional access to systems and data. Each user and device will need to be authorized to perform certain actions, access data, or administer the system, with authorization based on the principle of least privilege. Permissions should be set to the minimum necessary level required by that user to perform their duties.

Access Governance

Access governance relates to the policies and procedures for assigning, managing, and revoking access and ensuring the correct permissions are set for each user, device, or application, with users managed through a central user repository.

Logging and Monitoring

Logs of access and system activity must be generated and monitored regularly to identify unauthorized access and anomalous behavior that could indicate compromise or unauthorized access.

Common Identity and Access Weaknesses in Healthcare

Malicious actors view the healthcare industry as an easy target and commonly exploit identity and access weaknesses to gain a foothold in healthcare networks, move laterally, steal data, and conduct highly damaging attacks that severely disrupt operations and put patient safety at risk. While many sectors face similar challenges with identity and access management, a combination of factors makes effective management particularly challenging in healthcare, and vulnerabilities are commonly introduced that can be easily exploited. Across the healthcare sector, there are common weaknesses that are frequently exploited by malicious insiders and cyber threat actors, the most common of which are highlighted below.

Poor identity and access management

There is a lack of assurance that an individual or entity that seeks access is who they claim to be at many healthcare organizations. In healthcare, employees, contractors, and others require access to networks, applications, and data, there are regular changes to roles and responsibilities, and often a high staff turnover, which makes identity and access management a significant challenge, and all too often there is a lack of monitoring resulting in compromises and unauthorized access going undetected.

Role-based access control (RBAC) is commonly used by healthcare organizations as it is easier to manage access rights when users are bundled together based on their roles. This reduces the number of access policies and makes management easier, since different roles require access to similar resources; however, this approach can result in users being given access to resources that they do not need, with controls far less stringent than they need to be. This is especially important regarding access to PHI. Each year, many snooping incidents are reported where employees have been able to access patient records when there is no legitimate work reason for the access, with investigations revealing that unauthorized access had been occurring for months or years.

Healthcare organizations need to keep on top of access rights and ensure that permissions are appropriate to roles and responsibilities, with strong identity and access management, especially for privileged accounts. Access controls should be implemented based on the principle of least privilege and there should be consistent implementation of policies across the entire organization, with regular audits conducted to ensure employees and third-party vendors have the correct access rights. The failure to terminate access promptly when contracts end or employees change roles or find new employment puts healthcare data and systems at risk.

The annual HIMSS healthcare cybersecurity surveys have shown that a large percentage of healthcare organizations are not implementing identity and access management across the organization, resulting in security vulnerabilities that can easily be exploited to gain access to systems and data. Identity and access management (IAM) software eliminates the complexity of identity and access management and allows controls to be set to ensure secure access is granted to employees and devices while making it difficult for unauthorized individuals to gain access to sensitive resources.
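The three weaknesses described in this subsection (over-broad role permissions, record access with no legitimate care relationship, and accounts left active after offboarding) are all visible in access logs if the identity data is joined to them. The following audit-log review is an added example, not HIPAA Journal's code or any IAM product's; the log format, roles, users, patients and care-team assignments are all constructed for illustration.

```python
from datetime import date

# Constructed role model: the resource types each role may access (least privilege).
ROLE_PERMISSIONS = {
    "nurse": {"chart", "medication"},
    "billing": {"invoice"},
    "physician": {"chart", "medication", "lab"},
}

# Constructed identity records: role plus the date access should have ended (None = still active).
USERS = {
    "nurse01": {"role": "nurse", "access_ends": None},
    "bill02": {"role": "billing", "access_ends": None},
    "doc03": {"role": "physician", "access_ends": date(2023, 6, 30)},  # contract ended
}

# Constructed care-team assignments: patient id -> users with a legitimate treatment relationship.
CARE_TEAM = {
    "P1001": {"nurse01", "doc03"},
    "P1002": {"nurse01"},
}

# Constructed audit log, one access event per line: ISO date, user, resource type, patient id.
SAMPLE_LOG = """\
2023-07-03 nurse01 chart P1001
2023-07-03 bill02 invoice P1002
2023-07-03 bill02 chart P1002
2023-07-04 nurse01 chart P1003
2023-07-05 doc03 lab P1001
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, resource, patient = line.split()
        events.append({"date": date.fromisoformat(day), "user": user,
                       "resource": resource, "patient": patient})
    return events


def review_access(events):
    """Return (finding, user, patient) tuples for events that warrant investigation."""
    findings = []
    for e in events:
        user = USERS.get(e["user"])
        if user is None:
            # Identification failure: the account is not in the central user repository.
            findings.append(("unknown-account", e["user"], e["patient"]))
            continue
        if user["access_ends"] is not None and e["date"] > user["access_ends"]:
            # Access governance failure: the account should have been revoked at offboarding.
            findings.append(("access-after-offboarding", e["user"], e["patient"]))
        if e["resource"] not in ROLE_PERMISSIONS[user["role"]]:
            # Authorization failure: the role was granted more than the minimum necessary.
            findings.append(("outside-role-permissions", e["user"], e["patient"]))
        # Billing staff handle invoices for any patient; clinical records need a care relationship.
        if e["resource"] != "invoice" and e["user"] not in CARE_TEAM.get(e["patient"], set()):
            # Possible snooping: a clinical record was opened with no treatment relationship.
            findings.append(("no-care-relationship", e["user"], e["patient"]))
    return findings


def summarize(findings):
    """Count findings by type, the shape a monitoring dashboard or weekly audit would report."""
    counts = {}
    for kind, _user, _patient in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = review_access(parse_log(SAMPLE_LOG))
    for kind, user, patient in found:
        print(f"{kind:26} user={user} patient={patient}")
    print(summarize(found))
```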

Slow Migration to Zero Trust

Strong identity and access management is necessary to restrict access to systems and data; however, healthcare organizations should be working toward implementing a zero-trust security framework. The traditional security approach is based on protecting the perimeter, essentially trusting anyone or anything that is inside that perimeter; however, the increase in the use of cloud infrastructure means there is no longer a clearly defined perimeter to protect. A zero-trust approach assumes that the network has been compromised, and ensures that if there is a security breach, an attacker does not have free rein over everything inside the network perimeter. Zero trust involves a constant process of authentication, authorization, and validation before access is granted to applications and data. There is no doubt that zero trust is the future of healthcare security and can prevent malicious actors from gaining access to healthcare networks and data and limit the harm that can be caused when attacks succeed; however, adoption of zero trust has been slow in the healthcare industry.

Poor password practices

HIPAA-covered entities should do more than comply with HIPAA password requirements, which only call for HIPAA-regulated entities to “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed,” along with procedures for monitoring login attempts, and procedures for creating, changing, and safeguarding passwords.

Many healthcare data breaches result from the failure of users to set strong, unique passwords for their accounts, password reuse across multiple platforms, and password sharing. User-generated passwords can often be brute forced with ease, password reuse exposes organizations to credential stuffing attacks, and password sharing violates HIPAA as it is not possible to track user activity.

Robust password policies should be set and enforced, but shortcuts can easily be taken by employees. One solution is to use a password manager, which solves the problem of creating strong passwords and of employees having to remember them. Password managers have a secure password generator that can be used to generate truly random strings of characters that are resistant to brute force attacks, and store them securely in an encrypted vault.

One authentication solution that should be considered is single sign-on (SSO), which allows access to be carefully controlled without disrupting workflows, while helping to eliminate some of the security weaknesses associated with passwords. Rather than having to log in to multiple systems, each of which requires a different login, the user authenticates once, and all subsequent logins occur using a security token or a physical device. SSO solutions also offer centralized access logs that can help with monitoring for unauthorized access.

Reliance on single-factor rather than multifactor authentication

It is telling that one of the most commonly cited improvements to security following a healthcare data breach is the implementation of multi-factor authentication across the organization, even though proactive implementation of MFA could have prevented the data breach. Multifactor authentication is one of the most important defenses against phishing, which continues to be a leading cause of healthcare data breaches, yet multifactor adoption in healthcare lags behind other sectors.

Multifactor authentication requires additional means of authentication other than a password for verifying a user’s identity. The authentication process requires something a person knows (a password) in combination with something a person has (a physical device or token) or something inherent to the user (a fingerprint, face recognition, or biometric data). While any type of multifactor authentication is better than single-factor authentication, an increasing number of phishing attacks are exploiting weak multifactor authentication controls. The gold standard is phishing-resistant MFA, such as FIDO/WebAuthn authentication. Regardless of which method is used, multifactor authentication needs to be implemented consistently across the entire organization.

Failure to secure third-party vendor access

Hackers may attack healthcare organizations directly, but it is now increasingly common for malicious actors to exploit security weaknesses to gain access to vendor networks, and then abuse the vendor's remote access tools to reach healthcare organizations’ networks. Supply chain attacks allow access to be gained to multiple healthcare networks via an attack on a single vendor. While it is important to restrict employee access using the principle of least privilege, the same applies to vendor access. Vendor access needs to be closely monitored, yet around half of healthcare organizations do not routinely monitor vendor access.

Insufficient logging and monitoring

Many healthcare organizations discover their systems have been breached several weeks or months after the network has been compromised, with the intrusion only detected when ransomware is used to encrypt files. Log management and intrusion detection solutions identify anomalies that could indicate a system compromise, and generate alerts when suspicious activity is detected, allowing investigations to be conducted to identify unauthorized access quickly, thus minimizing the harm that is caused.

I have already touched on insider breaches from an access rights perspective, which can be minimized with the right access policies and effective user management; however, one of the biggest failures comes from a lack of logging and monitoring of access. There have been insider breaches where employees have snooped on patient records for years before the unauthorized access is detected due to access logs not being routinely monitored. The key to effective monitoring is automation. IT solutions should be used that constantly monitor for unauthorized access, can distinguish between proper and improper access to ePHI, and generate alerts when suspicious activity is detected.
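As an added illustration of the automated review described above (example code, not from HIPAA Journal or any vendor product), the script below runs simple rules over constructed ePHI access-log lines: it flags access to patients the user has no assigned treatment relationship with, after-hours access, and bulk access to unassigned records in one day. The log format, user names, patient IDs, assignment table and thresholds are all assumptions.

```python
"""Rule-based review of ePHI access logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines: timestamp, user, patient id, action.
SAMPLE_LOG = """\
2023-06-12T08:05:11 nurse_a P1001 VIEW
2023-06-12T08:07:42 nurse_a P1002 VIEW
2023-06-12T22:15:03 nurse_a P2099 VIEW
2023-06-12T09:10:00 clerk_b P1001 VIEW
2023-06-12T09:10:30 clerk_b P1003 VIEW
2023-06-12T09:11:02 clerk_b P1004 VIEW
2023-06-12T09:11:40 clerk_b P1005 VIEW
2023-06-12T09:12:15 clerk_b P1006 VIEW
"""

# Constructed treatment relationships: patients each user is assigned to.
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "clerk_b": {"P1001"},
}

DISTINCT_PATIENT_THRESHOLD = 4  # unassigned patients per user per day
AFTER_HOURS = (20, 6)           # flag accesses from 20:00 up to 06:00


def parse_log(text):
    """Parse whitespace-separated log lines into dicts with a datetime."""
    records = []
    for line in text.splitlines():
        ts, user, patient, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return records


def review(records, assignments, threshold=DISTINCT_PATIENT_THRESHOLD):
    """Return (rule, user, detail) alerts for accesses that warrant review."""
    alerts = []
    unassigned_per_day = defaultdict(set)
    for r in records:
        assigned = assignments.get(r["user"], set())
        if r["patient"] not in assigned:
            alerts.append(("NO_TREATMENT_RELATIONSHIP", r["user"], r["patient"]))
            unassigned_per_day[(r["user"], r["ts"].date())].add(r["patient"])
        if r["ts"].hour >= AFTER_HOURS[0] or r["ts"].hour < AFTER_HOURS[1]:
            alerts.append(("AFTER_HOURS", r["user"], r["patient"]))
    # Many unassigned records in one day is the classic snooping pattern.
    for (user, day), patients in unassigned_per_day.items():
        if len(patients) >= threshold:
            alerts.append(("BULK_UNASSIGNED_ACCESS", user, str(day)))
    return alerts
```

In practice the assignment table would be fed from the EHR's encounter or scheduling data, and the alerts routed to the privacy officer for review rather than printed.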

HIPAA and Identity and Access Management

Effective identity and access management is a fundamental part of healthcare cybersecurity and compliance with the HIPAA Rules. The HIPAA Privacy Rule – 45 C.F.R. § 164.514(h) – has a standard concerning the verification of identity and the authority of a person to have access to PHI, while the technical safeguards of the HIPAA Security Rule – 45 C.F.R. § 164.312(d) – require regulated entities to implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. The Security Rule also has a standard for access control and tracking user activity – 45 C.F.R. § 164.312(a)(1) – and 45 C.F.R. § 164.312(b) requires audit controls for recording and monitoring activity in information systems.

The HIPAA Security Rule does not stipulate specific authentication solutions that should be used for identity and access management; instead, the measures should be informed by the entity’s risk analysis and should sufficiently reduce risks to the confidentiality, integrity, and availability of ePHI. The HHS’ Office for Civil Rights drew attention to authentication in its June 2023 Cybersecurity Newsletter and pointed out that authentication measures should reflect the level of risk. “Different touchpoints for authentication throughout a regulated entity’s organization may present different levels of risk, thus requiring the implementation of authentication solutions appropriate to sufficiently reduce risk at those various touchpoints,” explained OCR. “For example, remote access to a regulated entity’s information systems and ePHI may present a greater risk than access in person, thus stronger authentication processes (e.g., multi-factor authentication) may be necessary when permitting or expanding remote access to reduce such risks sufficiently.” OCR suggests following the advice of CISA, and implementing, as a minimum, multifactor authentication solutions on Internet-facing systems, such as email, remote desktop applications, and Virtual Private Networks (VPNs).

Conclusion

Healthcare cybersecurity starts with effective identity and access management. HIPAA-regulated entities should ensure they develop, implement, and maintain effective identity and access policies, implement strong authentication processes, and take steps to address password weaknesses, taking advantage of the latest cybersecurity solutions to automate authentication and access policies as far as possible. Proper access governance is essential, including monitoring logs to identify potential compromises and unauthorized access to PHI by insiders.

With so many competing priorities, investment in cybersecurity often falls far short of what is required; however, with hacking incidents continuing to increase and ransomware attacks impacting patient care, cybersecurity is at last being viewed as not just an IT issue, but a critical patient safety issue that warrants appropriate investment.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: The Importance of Identity and Access Management (IAM) in Healthcare appeared first on HIPAA Journal.

Critical RCE Vulnerability Identified in Medtronic Paceart Optima System

A critical vulnerability has been identified in the Medtronic Paceart Optima System, which is used to compile and manage patients’ cardiac data. The vulnerability is tracked as CVE-2023-31222 and is due to the deserialization of untrusted data. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.

The vulnerability affects all versions of Paceart Optima up to and including version 1.11 and can be exploited remotely by an unauthorized user by sending specially crafted messages to the Paceart Optima system. Successful exploitation of the flaw would allow an attacker to remotely execute arbitrary code and gain a foothold for network penetration. The flaw could also be exploited to trigger a denial-of-service condition resulting in the Paceart Optima system becoming slow and unresponsive, preventing healthcare delivery organizations from using the system.

The flaw can only be exploited if the Paceart Messaging Service is enabled in the Paceart Optima system, which is an optional service. An immediate mitigation to prevent the flaw from being exploited is to disable that service on the Application Server. Medtronic has provided instructions for manually disabling the Paceart Messaging Service on the Application Server and disabling message queuing on the Application Server, which will fully mitigate the vulnerability. Medtronic should be contacted for mitigation advice if a healthcare delivery organization is running a combined Application Server and Integration Server.

Medtronic has fixed the vulnerability in v1.12, and healthcare organizations should contact Medtronic to schedule the update; however, the recommended mitigation steps should be followed to prevent exploitation until the update is installed. Medtronic said the vulnerability was discovered during routine monitoring and there have been no detected instances of the vulnerability being exploited.

CISA recommends additional defensive measures to improve security and reduce the risk of exploitation of vulnerabilities. These include minimizing network exposure and ensuring control systems are not accessible from the Internet, locating control system networks and devices behind firewalls, and only using secure methods for remote access, such as VPNs.

The post Critical RCE Vulnerability Identified in Medtronic Paceart Optima System appeared first on HIPAA Journal.

HIPAA Business Associate Fined $75,000 for Maintaining ePHI on an Unsecured Server

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle potential HIPAA violations with the HIPAA business associate, iHealth Solutions, LLC, for $75,000.

iHealth Solutions, doing business as Advantum Health, failed to secure one of its servers, which was accessed by an unauthorized individual who exfiltrated files that contained the electronic protected health information (ePHI) of 267 individuals. The HIPAA enforcement action shows that even relatively small data breaches can be investigated by OCR and result in a financial penalty. The last three penalties imposed by OCR to resolve HIPAA violations were all related to data breaches that affected fewer than 500 individuals.

Like many HIPAA-regulated entities that have been investigated by OCR after reporting data breaches, iHealth Solutions was discovered to have failed to comply with one of the most fundamental provisions of the HIPAA Rules – the risk analysis. All HIPAA-regulated entities must conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. §164.502(a).

OCR was notified about the data breach on August 22, 2017, and was informed that the ePHI of 267 individuals had been exfiltrated from the unsecured server. The fine was imposed for the impermissible disclosure of ePHI and the risk analysis failure.

In addition to the financial penalty, iHealth Solutions has agreed to implement a corrective action plan which includes the requirement to conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of iHealth’s ePHI, develop a risk management plan to address and mitigate all security risks identified in the risk analysis, develop a process to evaluate any environmental or operational changes that affect the security of iHealth ePHI, and develop, maintain, and revise, as necessary, written policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules. OCR will monitor iHealth Solutions for two years to ensure compliance with the HIPAA Rules.

“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA-covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”

This is the seventh OCR enforcement action of 2023 to result in a financial penalty, and the third enforcement action to be announced by OCR this month. So far this year, OCR has fined HIPAA-regulated entities a total of $1,976,500 to resolve violations of the HIPAA Rules. See HIPAA Violation Fines.

The post HIPAA Business Associate Fined $75,000 for Maintaining ePHI on an Unsecured Server appeared first on HIPAA Journal.