Healthcare Cybersecurity

White House Publishes National Cybersecurity Strategy Implementation Plan

The White House has published a roadmap for implementing President Biden’s March 2023 National Cybersecurity Strategy to ensure transparency and a continued path for coordination. The National Cybersecurity Strategy Implementation Plan (NCSIP) includes more than 65 federal initiatives that aim to improve resilience against cyber threats and disrupt cyber threat operations, and changes how the United States allocates roles, responsibilities, and resources in cyberspace.

Two major shifts include ensuring that the biggest, most capable, and best-positioned entities in both the public and private sectors assume a greater share of the burden for mitigating cyber risk and increasing the incentives to favor long-term investments in cybersecurity. The initiatives are based on five pillars and aim to achieve 27 strategic objectives. The first pillar is concerned with defending critical infrastructure against cyberattacks that are increasing in number and sophistication. Cybersecurity requirements will be established to support national security and public safety across all critical infrastructure sectors, including healthcare. Public-private collaboration will be scaled to drive the development and adoption of secure-by-design and secure-by-default technology, Federal defenses will be modernized, and the Federal incident response plans and processes will be updated.

The second pillar is concerned with the disruption and dismantling of threat actors’ infrastructure. The initiatives include increasing the speed and scale of intelligence sharing and victim notification, the prevention of abuse of U.S. infrastructure, countering cybercrime, and disrupting ransomware. The third pillar is concerned with shaping market forces to drive security and resilience, including initiatives to drive the development of secure IoT devices, shifting liability for insecure software products and services, using grants and other incentives to ensure built-in security, and exploring the need for a Federal cyber insurance backstop for catastrophic cyber events.

The fourth pillar concerns investment in a cyber-resilient future, including securing the technical foundation of the internet, improving federal research and development in cybersecurity, preparing for a post-quantum computing future, and developing a national strategy for strengthening the cyber workforce. The fifth pillar involves forging international partnerships to pursue shared cybersecurity goals, including building coalitions to counter digital threats, strengthening the capabilities of international partners, expanding the ability of the U.S. to assist allies and partners achieve shared goals, and securing global supply chains for information, communications, and operational technology products and services.

The plan will be spearheaded by 18 Federal agencies, with the Office of the National Cyber Director (ONCD) coordinating all activities under the plan. Several of the initiatives are already underway and some have already been completed ahead of schedule.

The post White House Publishes National Cybersecurity Strategy Implementation Plan appeared first on HIPAA Journal.

Return to Big Game Hunting Sees Ransomware Revenues Soar

There has been a sizeable fall in revenues from cryptocurrency-related crimes in the first half of 2023, with scammers seeing a 77% reduction in revenues from the same period in 2022, amassing a little over $1 billion in the first half of the year compared to $3.3 billion in the first half of 2022. While this is certainly good news, ransomware-related cryptocurrency payments increased significantly in H1 2023, and if the trend continues in the second half of the year, ransomware revenues could eclipse those of 2022. At the current rate, transactions related to ransomware attacks can be expected to reach $899 million by the end of the year, only trailing 2021 – a record-breaking year, where $939.9 million in payments were made following ransomware attacks.

The mid-year analysis from Chainalysis shows a 65% decline in cryptocurrency transfers to known darknet marketplaces, scam sites, and fraud shops compared to the same period last year, with high-risk exchanges and mixers also experiencing a notable decline, down 42% on this time last year. The fall has been attributed, in part, to the disappearance of two major investment scam campaigns, VidiLook and Chia Tai Tianqing Pharmaceutical Financial Management.

The same cannot be said of ransomware-related transfers, which are up at least $175.8 million from H1 2022, with at least $449.1 million paid in ransom payments up to the end of June 2023. Chainalysis attributes the increase to a combination of a return to big game hunting – targeting large organizations with deep pockets – using ransomware strains such as BlackBasta, BlackCat, and Cl0p, and an increase in attacks on smaller entities using ransomware variants such as Dharma and Phobos. The average/median payment sizes were $265/$275 for Dharma and $1,719/$300 for Phobos, compared to $762,634/$147,106 for BlackBasta, $1,504,579/$305,585 for BlackCat, and $1,730,486/$1,946,335 for Cl0p.

While the attacks on smaller entities yield much lower payments, the attacks are much easier to conduct since smaller firms lack the cybersecurity resources of larger firms. These smaller attacks tend to be conducted by ransomware affiliates using spray-and-pray tactics, rather than targeted attacks. Since the ransom demands are relatively low, payment is more likely to be made; however, there has been a trend of non-payment of ransoms, especially at larger firms. Chainalysis suggests the non-payment trend could be prompting attackers to issue very high demands for payment in their big game hunting attacks due to the high percentage of firms choosing not to pay ransoms.


Multiple Security Vulnerabilities Identified at Arizona VA Healthcare System

A recent inspection of the Northern Arizona VA Healthcare System by the Department of Veterans Affairs Office of Inspector General (OIG) found deficiencies in all three security control areas that were investigated – configuration management, security management, and access controls.

The Northern Arizona VA Healthcare System includes the Bob Stump Department of Veterans Affairs Medical Center in Prescott and 11 clinics in the state and serves approximately 33,000 veterans. The inspection was performed as the Northern Arizona VA Healthcare System had not previously been visited as part of a Federal Information Security Modernization Act of 2014 (FISMA) audit.

The inspection revealed the Northern Arizona VA Healthcare System had deficiencies in four configuration management controls – vulnerability management, flaw remediation, unsupported components, and baseline configurations. While the VA has a vulnerability management program, the inspectors identified vulnerabilities that the Office of Information and Technology (OIT) had failed to identify, even though the same scanning tools were used. Many of those vulnerabilities were rated critical or high severity.

Several devices were found to be missing security patches. Patches were available to address the critical and high-severity flaws but they had not been applied, leaving the devices at risk of unauthorized access, alteration, or destruction. Components continued to be used despite reaching end-of-life. For instance, 71 of the 80 healthcare system network switches were using operating systems that were no longer supported by the vendor, which means security patches are no longer issued. Consequently, weaknesses and vulnerabilities would not be addressed and could be exploited by malicious actors. Baseline configurations were identified that deviated from the OIT baseline. For instance, a local database had multiple vulnerabilities as a result of baseline configurations that deviated from the OIT baseline. If the OIT baseline configuration is not used, OIT would be unaware of any weaknesses impacting the database.

One deficiency was identified in security management – continuous monitoring of the inventory. The inspectors found almost twice the number of devices on the network than were identified in the VA’s cybersecurity management service for workflow automation and continuous monitoring (eMASS). While OIT had an inventory of devices that contained most of the networked devices, the inventory was not routinely updated in eMASS. As a result of the failure to update the inventory, management was making risk decisions based on inaccurate system information.
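The inventory finding above is a reconciliation problem: the set of devices actually answering on the network versus the set the system of record knows about. The following added example (not code from the OIG report or from any VA system) shows that reconciliation on constructed scan results and inventory records; it assumes both sides can be keyed on a MAC address, which is an assumption, and it normalises the different MAC notations scanners and inventories tend to use before comparing.

```python
"""Inventory reconciliation: network discovery results vs the recorded asset inventory.

Added example, not code from the OIG report or any VA system. The scan output
and inventory records are constructed; keying on MAC address is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str        # any common notation; normalised before comparison
    hostname: str
    source: str     # "scan" or "inventory"


def normalise_mac(mac: str) -> str:
    """Return a MAC in lowercase colon form regardless of input notation."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed discovery results (what a network scan actually saw).
DISCOVERED = [
    Device("00:1B:44:11:3A:B7", "switch-prescott-01", "scan"),
    Device("00-1B-44-11-3A-B8", "switch-prescott-02", "scan"),
    Device("001b.4411.3ab9", "workstation-ortho-12", "scan"),
    Device("00:1b:44:11:3a:ba", "infusion-pump-ward3", "scan"),
    Device("00:1b:44:11:3a:bb", "unknown-printer", "scan"),
    Device("00:1b:44:11:3a:bc", "unknown-camera", "scan"),
]

# Constructed records from the system of record (eMASS in the report; generic here).
RECORDED = [
    Device("00:1b:44:11:3a:b7", "switch-prescott-01", "inventory"),
    Device("00:1b:44:11:3a:b8", "switch-prescott-02", "inventory"),
    Device("00:1b:44:11:3a:b9", "workstation-ortho-12", "inventory"),
    Device("00:1b:44:11:3a:ff", "decommissioned-server", "inventory"),
]


def reconcile(discovered, recorded) -> dict:
    """Split devices into matched (both sides), unrecorded (on the wire but not
    in the records) and stale (in the records but not seen on the wire)."""
    seen = {normalise_mac(d.mac): d for d in discovered}
    known = {normalise_mac(d.mac): d for d in recorded}
    return {
        "matched": sorted(m for m in seen if m in known),
        "unrecorded": sorted(m for m in seen if m not in known),
        "stale": sorted(m for m in known if m not in seen),
    }


def inventory_coverage(result: dict) -> float:
    """Fraction of live devices that the inventory actually accounts for;
    risk decisions made on the inventory alone are blind to the remainder."""
    live = len(result["matched"]) + len(result["unrecorded"])
    return len(result["matched"]) / live if live else 1.0


if __name__ == "__main__":
    r = reconcile(DISCOVERED, RECORDED)
    print(f"inventory coverage: {inventory_coverage(r):.0%}")
    for mac in r["unrecorded"]:
        print("UNRECORDED", mac)
    for mac in r["stale"]:
        print("STALE", mac)
```

On the constructed data half the live devices are missing from the records, which is the situation the inspectors describe; the unrecorded list is the work queue for bringing the inventory up to date, and the stale entries are records to retire or investigate.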

The inspectors also found 7 deficiencies in access controls: physical access, video surveillance, environmental controls, equipment installation, emergency power, fire protection controls, and water detection. For instance, the healthcare system had an automated physical access control system where employees use badges to enter buildings and rooms, but it had not been fully deployed, with staff often using keys for access. While key inventories are required every 6 months, they had not been conducted in more than two years due to locksmith turnover and the failure to accurately track key distribution.

The OIG made 11 recommendations, six to the assistant secretary for information and technology and chief information officer and five to the Northern Arizona VA Healthcare System director. VA IT management and the Northern Arizona VA Healthcare System director concurred with all of the recommendations. The recommendations include implementing an effective vulnerability management program, ensuring vulnerabilities are remediated within established time frames, transitioning unmanaged databases to the VA Enterprise Cloud, ensuring all network devices maintain vendor support, implementing an improved inventory process, ensuring network infrastructure is properly installed, and ensuring physical access controls are implemented.

While the findings of the audit were specific to the Northern Arizona VA Healthcare System, similar vulnerabilities are likely to exist in other VA healthcare systems. The OIG recommends all VA healthcare systems review the findings of the inspection and implement the same recommendations if similar security deficiencies are identified.


Vulnerabilities Identified in Popular Telemedicine Software Development Kit

Security flaws have been identified in the QuickBlox software development kit (SDK) and application programming interface (API) that supports the real-time chat and video applications used by many telemedicine providers.

The vulnerabilities were identified by security researchers from Claroty’s Team82 and Check Point Research who collaborated to look into the security of the popular QuickBlox SDK and API, which support applications used in telemedicine, finance, and smart IoT device applications. The SDK and API are provided to mobile and web application developers to deliver user management, real-time public and private chats, and incorporate security features to support HIPAA and GDPR compliance.

The researchers identified two vulnerabilities that put sensitive data at risk, including protected health information (PHI). Given the extent to which the QuickBlox chat and video framework is used, the sensitive information of millions of individuals was at risk of exposure. CVE-2023-31184 is a high-severity flaw with a CVSS 3.1 base score of 7.8 and is due to the creation of hard-coded credentials. The second vulnerability, tracked as CVE-2023-31185, is a high-severity flaw with a CVSS 3.1 base score of 7.5 and allows information disclosure via an unspecified request.

The vulnerabilities make it possible to log in to QuickBlox on behalf of any user – doctor or patient – and view all of their data, including personal information, medical histories, chat histories, and medical record files. The researchers say full impersonation is also possible, so a malicious actor could log in as any doctor, modify information, and communicate in real-time via chat and video with real patients. The patient would be unaware that they were not chatting with a real physician. The researchers developed proof-of-concept exploits for the vulnerabilities against multiple applications and demonstrated how secret tokens and passwords embedded in applications along with the use of an insecure QuickBlox API would allow malicious actors to gain access to the PHI of millions of users.

The researchers looked at a popular telemedicine application that integrates with the QuickBlox SDK and provides chat and video services allowing patients to communicate with doctors. The researchers were able to exploit the QuickBlox vulnerabilities alongside specific telemedicine app vulnerabilities, and gain access to the entire user database, along with related medical records and medical histories stored in the application. They were also able to log in as any user, making it possible to impersonate a doctor. At the time of publication, the telemedicine application was still running the vulnerable versions of the framework.

Team82 and CPR worked closely with QuickBlox to resolve the identified vulnerabilities. QuickBlox has now designed a new, secure architecture and API to eliminate the vulnerabilities. All users should ensure they migrate to the latest version as soon as possible to prevent the flaws being exploited.
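The root of the first flaw is a credential compiled into the application. The added example below (not QuickBlox's code, nor Team82's or Check Point's tooling) is a small scanner for that pattern in application source: a credential-like variable name assigned a long, high-entropy string literal. The source lines it scans are constructed and every secret value in them is made up; the heuristic itself is an assumption about what embedded tokens look like, and `load_secret` shows the run-time alternative.

```python
"""Find credentials hard-coded in application source.

Added example: not QuickBlox's code, nor Team82's or Check Point's tooling.
The source lines below are constructed and every secret value is made up.
The heuristic (credential-like name + long, high-entropy literal) is an assumption.
"""
import math
import os
import re
from collections import Counter

# A name containing key/secret/token/password assigned a quoted literal of 8+ chars.
SECRET_ASSIGN = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:key|secret|token|password|passwd|pwd)[A-Za-z0-9_]*)
        \s*[:=]\s*["'](?P<value>[^"']{8,})["']""",
    re.IGNORECASE | re.VERBOSE,
)
PLACEHOLDERS = {"changeme", "your_key_here", "xxxxxxxx", "placeholder", "example"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score well above prose or repeated filler."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_secrets(lines, min_entropy: float = 3.0) -> list:
    """Return (line number, variable name, masked value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = SECRET_ASSIGN.search(line)
        if not m:
            continue
        value = m.group("value")
        if value.lower() in PLACEHOLDERS or value.startswith("$"):
            continue                      # template or placeholder, not a live secret
        if shannon_entropy(value) < min_entropy:
            continue                      # "aaaaaaaa"-style filler
        findings.append((lineno, m.group("name"), value[:4] + "*" * (len(value) - 4)))
    return findings


def load_secret(name: str) -> str:
    """The fix: obtain the credential at run time from the environment (or a
    secrets manager) instead of compiling it into the application."""
    try:
        return os.environ[name]
    except KeyError:
        raise RuntimeError(f"secret {name} not provided") from None


# Constructed source lines, as a scanner might see them in an app's config module.
SAMPLE_SOURCE = [
    'APP_ID = "12345"',                              # not a credential name
    'auth_key = "ak_7f3c9b2e4d1a6f8e"',              # embedded token: flagged
    'authSecret: "s3cr3tV4lu3-9Qz8Lp2Xw"',           # embedded token: flagged
    'api_token = os.environ["CHAT_API_TOKEN"]',      # read at run time: fine
    'password = "changeme"',                         # placeholder: ignored
    'db_password = "${DB_PASSWORD}"',                # template: ignored
    'session_key = "aaaaaaaaaaaa"',                  # low entropy: ignored
    'user_name = "jdoe"',                            # not a credential name
]

if __name__ == "__main__":
    for lineno, name, masked in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} = {masked}")
```

Run over a mobile or web client's configuration modules before release, this catches the two embedded tokens and ignores the environment lookup, the placeholder and the template; findings are masked so the scanner's own output does not become another copy of the secret.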


HSCC Publishes Coordinated Healthcare Incident Response Plan Template

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has published a Coordinated Healthcare Incident Response Plan (CHIRP) that can be used as a template by healthcare organizations to develop a coordinated cybersecurity incident response plan.

Given the frequency of cyberattacks on the healthcare sector and the harm that these incidents can cause, it is vital for healthcare organizations to develop, implement, maintain, and test an incident response plan. In the event of a cyberattack, the incident response plan can be initiated immediately to limit the harm caused and help ensure a rapid recovery.

There are several resources available on the technical response process to a cybersecurity incident, and while these resources provide guidance on the technical aspects of the response, such as detection, containment, response, and recovery, they do not deal with the impact of an attack on patient care and patient safety. Healthcare organizations have emergency plans to ensure business continuity and patient care in the event of IT outages and natural disasters; however, these plans may not be totally effective when responding to a cyberattack.

The new HSCC resource is intended to help address the gaps many healthcare organizations have in their incident response plans. The CHIRP is a tool that can be used as a starting point when developing an effective incident response plan, which can be tailored to meet the needs of each organization. “Healthcare Delivery Organizations have many of the parts and pieces needed to respond to a cybersecurity incident, but guidance is missing on how to tie all of these separate components together. This template seeks to serve as the cog that can be installed in the machine to allow all of the components to run together as a Coordinated Healthcare Incident Response Plan.”

The template is a guiding document that includes sample content to help incident response plan managers understand the purpose of each section when completing their own planning work, which can be replaced as necessary based on the needs of each organization and should be used in conjunction with the HSCC’s Health Industry Cybersecurity Operational Continuity – Cyber Incident (HIC-OCCI) publication.

The template guides plan managers through incident identification, response, IT system recovery, operations and emergency management, communications, and legal and risk management, and has been developed to be easily customized to suit organizations of all types and sizes. The guidance helps healthcare organizations tie together existing business continuity, organizational, and disaster recovery plans, and downtime procedures to ensure an efficient, coordinated response to any cybersecurity incident.


EU Health Sector Cyber Study Confirms Ransomware is the Leading Threat

The European Union Agency for Cybersecurity (ENISA) has published the results of its first-ever analysis of the cyber threat landscape of the health sector in the European Union (EU). ENISA mapped healthcare cyber incidents between January 2021 and March 2023 and identified the key targets of attacks, the threat actors behind them, attack trends, and the impact that cyberattacks have on the health sector.

A range of healthcare entities experienced cyberattacks over the two-year study period, including health authorities, bodies and agencies, and pharma firms; however, the majority of attacks targeted healthcare providers (53%), especially hospitals (42%). Over the two years, ENISA analyzed 215 publicly reported cyber incidents in the EU and neighboring countries, 208 of which were cyberattacks on the health sector, and the analysis included 5 reports of identified vulnerabilities (not necessarily exploited), and two warnings of potential cyber activity affecting the health sector. ENISA notes that cyber incidents have remained stable but there appears to have been an increase in attacks in 2023, with 40 incidents analyzed from January to March, compared to 91 incidents in the whole of 2021 and 84 in all of 2022.

46% of total incidents targeted healthcare data and 83% of attacks were financially motivated, driven by the high value of healthcare data. 10% of attacks had an ideological motivation. The most common impact of attacks was data breaches or data theft (43%), followed by disruption of non-healthcare services (26%) and disrupted healthcare services (22%). Throughout the study period, ransomware posed the biggest threat. Ransomware attacks accounted for 53% of incidents and 43% of ransomware attacks included data theft or data breaches. In addition to ransomware being the most common type of incident, the attacks also had the biggest impact on healthcare organizations. Ransomware attacks increased between 2021 and 2022, and appear to have continued to increase in 2023, with the LockBit 3.0, Vice Society, and BlackCat groups behind the majority of the attacks.

A significant percentage of the study period covered the COVID-19 pandemic era, during which the healthcare sector was one of the prime targets for malicious actors. The pandemic was linked to the increase in ransomware attacks; however, there was also an increase in data leak incidents. While data leak incidents did occur due to malicious activity, they were also commonly caused by poor security practices and misconfigurations. Healthcare organizations struggled to adapt to a new way of working during the pandemic and cybersecurity was often neglected due to pressing operational needs.

Toward the end of the study, geopolitical developments triggered an increase in hacktivist incidents, most commonly DDoS attacks on healthcare providers by pro-Russian hacktivist groups such as KillNet that aimed to disrupt healthcare services in retaliation for support for Ukraine. These attacks are expected to continue for at least as long as the Russia-Ukraine war continues, although the impact of these attacks is relatively low.

Cyberattacks on the healthcare sector have a financial cost; however, it is difficult to accurately assess the cost of attacks. A 2022 ENISA NIS Investment study suggests the median cost of a major security incident is €300,000 ($328,870); however, the biggest concern is patient safety, as the attacks often result in a delay to triage and treatment, and data breaches have the potential to affect the well-being of patients.

Despite the extent to which ransomware was used in attacks, 27% of healthcare organizations did not have a dedicated ransomware defense program. The study also revealed a lack of security awareness training for non-IT staff, with only 40% of original equipment suppliers providing security awareness training to non-IT staff. As is the case on the opposite side of the Atlantic, risk analysis failures were common. A separate survey conducted by the NIS cooperation group found virtually all healthcare organizations (95%) found risk analyses a challenge, with 46% admitting to never having performed one.

Poor patch management practices are being increasingly exploited in healthcare cyberattacks. 4% of confirmed data leaks/data breaches in 2021 and 2022 exploited vulnerabilities to gain access to healthcare networks or took advantage of system misconfigurations, and 80% of healthcare organizations that were interviewed said more than 61% of their security incidents were due to vulnerabilities.

The high percentage of organizations experiencing challenges with risk analyses and the high number never having conducted one make this one of the key areas to address to improve resilience to cyberattacks. ENISA also says key priorities should be creating offline encrypted backups of mission-critical data, providing security awareness training for all staff, conducting regular vulnerability scans and promptly patching vulnerabilities, improving authentication practices, ensuring basic cyber incident response plans are created, maintained, and exercised, and getting senior management to commit to improving cybersecurity.


Progress Software Patches Another Critical Flaw in MOVEit Transfer

Progress Software has released a service pack to address three recently disclosed vulnerabilities in its MOVEit Transfer software, one of which is rated critical and can be exploited remotely by an unauthenticated user. According to Progress Software, the vulnerability – CVE-2023-36934 – is a SQL injection flaw that, if exploited, would allow an unauthorized individual to gain access to the MOVEit Transfer database.

A second SQL injection vulnerability has been fixed that could also be exploited to gain access to the MOVEit Transfer database, resulting in modification or disclosure of MOVEit database content. The vulnerability, CVE-2023-36932, is rated high-severity as the attacker would need to be authenticated. The third vulnerability is tracked as CVE-2023-36933 and is also a high-severity flaw. The vulnerability could be exploited to invoke a method that results in an unhandled exception, which would cause the application to terminate unexpectedly.
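Two of the three flaws are SQL injection, the class of bug in which caller-supplied text is parsed by the database as part of the statement. The added example below is not MOVEit Transfer code (which is not public) and does not reconstruct the actual flaw; it uses a constructed table and rows to put the string-built query beside its parameterised replacement so the difference in behaviour on the same input is visible.

```python
"""SQL injection: a string-built query beside its parameterised replacement.

Added example, not MOVEit Transfer code and not a reconstruction of the actual
flaw. The table and rows are constructed; the point is only how a bound
parameter stops caller input being parsed as SQL.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a per-user file listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [("alice", "lab-results.pdf"), ("alice", "referral.docx"), ("bob", "insurance.pdf")],
    )
    return conn


def list_files_vulnerable(conn, owner: str) -> list:
    # BAD: the caller-supplied value is spliced into the SQL text, so quote
    # characters in it change the structure of the statement.
    sql = f"SELECT name FROM files WHERE owner = '{owner}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn, owner: str) -> list:
    # GOOD: the value is bound as a parameter; the database never parses it as SQL.
    sql = "SELECT name FROM files WHERE owner = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (owner,))]


# Constructed input containing a quote character: inert in the safe path,
# structure-altering in the vulnerable one.
QUOTED_INPUT = "alice' OR 'x'='x"


def compare(owner: str) -> dict:
    """Run both variants on the same input and report how many rows each returns."""
    conn = make_db()
    return {
        "vulnerable": len(list_files_vulnerable(conn, owner)),
        "safe": len(list_files_safe(conn, owner)),
    }


if __name__ == "__main__":
    print(compare("alice"))        # both return alice's two files
    print(compare(QUOTED_INPUT))   # vulnerable: every row; safe: no rows
```

The behavioural check, not code review, is what a regression test should assert: for any input the parameterised path returns rows only for an owner whose name is literally that input, so the quoted value yields zero rows while the string-built query returns everyone's files.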

None of the three vulnerabilities are believed to have been exploited in the wild, nor had any proof-of-concept exploits been released at the time of the release of the latest security updates; however, prompt patching is strongly recommended. A vulnerability disclosed in May 2023 – CVE-2023-34362 – was exploited by the Clop ransomware group, which allowed the theft of customer data from the MOVEit Transfer database. Following the exploitation of that flaw, Progress Software conducted an audit and found other critical-severity flaws, which were also recently patched.

Vulnerable software versions are detailed below along with the fixed versions of the software:

Affected Version | Vulnerabilities | Fixed Version
MOVEit Transfer 2020.0.x (12.0.x) and older | CVE-2023-36932 (High), CVE-2023-36934 (Critical) | Upgrade required to a supported MOVEit Transfer version
MOVEit Transfer 2020.1.6 (12.1.6) and later | CVE-2023-36932 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2020.1.11 (12.1.11) – Service Pack
MOVEit Transfer 2021.0.x (13.0.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2021.0.9 (13.0.9)
MOVEit Transfer 2021.1.x (13.1.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2021.1.7 (13.1.7)
MOVEit Transfer 2022.0.x (14.0.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2022.0.7 (14.0.7)
MOVEit Transfer 2022.1.x (14.1.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2022.1.8 (14.1.8)
MOVEit Transfer 2023.0.x (15.0.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2023.0.4 (15.0.4)

There are different routes for fixing the latest trio of flaws depending on whether the May 2023 patch and remediation steps were applied, details of which are available from Progress Software. Progress Software has also confirmed that it will be releasing service packs on a monthly basis to make it quicker and easier for system administrators to address security issues in the future.


75% of Users Admit Taking Risks with Passwords

According to the Verizon Data Breach Investigations Report, 80% of successful data breaches are due to the use of compromised passwords. While password best practices are widely understood, people still take considerable risks: they continue to secure their accounts with weak passwords and fail to follow those practices.

Common poor password practices include setting passwords that are easy to remember, including dictionary words, memorable dates, and personal information that is easily obtained from social media sites. Passwords are often reused on multiple platforms, which means if a password is guessed or otherwise obtained, all accounts that are protected with that password are at risk. Password reuse on multiple sites is exploited in credential stuffing attacks, where the username and password obtained in a data breach on one platform are used to try to access accounts on unrelated platforms. Passwords are often reused for business and personal accounts, and even when unique passwords are set for each account, they are often just variations of the same password.

A recent survey of 8,000 individuals in the United States, United Kingdom, France, and Germany by Keeper Security showed just how common it is for people to take shortcuts with password security and by doing so put their personal and work accounts at risk. Almost three-fourths of respondents to the survey admitted to not following industry-recommended password practices, with only 25% of respondents saying they set strong, unique passwords for all of their accounts. 34% of respondents said they use variations of the same password for multiple accounts, and 30% said they set simple passwords for their accounts that are easy to remember, even though they are also easy to guess.

Even individuals who claimed to have a good understanding of password best practices and thought their passwords were well managed still failed to practice good password hygiene. 44% of individuals who thought their passwords were well managed used variations of the same password for different accounts. Overall, 64% of respondents admitted to using weak passwords or variations of the same password for their accounts. More than one-third of respondents said they feel overwhelmed about taking action to improve cybersecurity and 10% of respondents admitted to neglecting password management entirely.

With 80% of data breaches stemming from compromised credentials, and one in five respondents admitting that at least one of their passwords was known to have been compromised in a data breach and was available on the dark web, it is clear that poor password practices are not just a hypothetical risk. They are commonly exploited by threat actors to gain access to accounts and sensitive data.

While more than half (51%) of respondents said they thought cybersecurity was easy to understand, around half of those individuals still followed poor password practices, suggesting a significant number of individuals either overestimate their knowledge of cybersecurity or are willfully taking risks with passwords. 41% of respondents said they find cybersecurity difficult to understand, but 32% admitted to still taking steps to protect themselves – more than the 25% of people who claim to have a good understanding of cybersecurity and take steps to protect themselves. The survey suggests that individuals who feel overwhelmed by cybersecurity tend to practice poor password hygiene and that the more an individual knows about cybersecurity, the more likely they are to feel overwhelmed.

Training tends to try to hammer home the message that it is vital to create a strong, unique password for each account, yet fails to provide individuals with the tools they need to adopt good password practices in a manageable way. Since most people have huge numbers of accounts to secure, they need to remember dozens or hundreds of unique passwords, and that simply isn’t possible without taking shortcuts. The simple solution is to provide a password manager that can be used to generate strong and unique passwords, store them securely, and auto-fill them when they are needed, or to implement a single sign-on (SSO) solution that only requires users to set one strong and unique password.
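The habits the survey counts (exact reuse, "variations of the same password", and passwords already known to be breached) can be checked mechanically before a credential is accepted. The following added example is not Keeper Security's or Verizon's code: it audits a constructed set of accounts for those three conditions, using a constructed breach corpus held as SHA-1 hashes the way published password lists are (a real check would query a breach service by hashed prefix rather than embed the corpus), and it shows the password-manager alternative, a uniformly random secret per account generated with the standard library.

```python
"""Password audit for the habits the survey describes: reuse, near-duplicate
variants, and values already present in a breach corpus.

Added example, not Keeper Security's or Verizon's code. The account list and
the "breached" set are constructed; a real check would query a breach corpus
(for instance by hashed prefix) rather than hold it in the script.
"""
import hashlib
import re
import secrets
import string

# Common substitutions people use to "vary" a password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def base_form(pw: str) -> str:
    """Collapse case, leading/trailing digits or symbols, and leet spelling,
    so Summer2023! and summer2024 both reduce to 'summer'."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # strip trailing 2023!, 1, etc.
    s = re.sub(r"^[^a-z]+", "", s)   # and leading ones
    return s.translate(LEET)


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus, stored as SHA-1 like published password lists.
BREACHED = {sha1_hex(p) for p in ("password", "Summer2023", "qwerty123")}
MIN_LENGTH = 12


def audit(accounts: dict, breached=BREACHED) -> list:
    """accounts maps account name -> password. Returns (account, finding) pairs."""
    findings = []
    first_exact = {}   # password -> first account that used it
    first_base = {}    # base form -> first account that used it
    for account, pw in accounts.items():
        if sha1_hex(pw) in breached:
            findings.append((account, "known breached"))
        if len(pw) < MIN_LENGTH:
            findings.append((account, f"shorter than {MIN_LENGTH}"))
        if pw in first_exact:
            findings.append((account, f"reused from {first_exact[pw]}"))
        else:
            base = base_form(pw)
            if base and base in first_base:
                findings.append((account, f"variant of {first_base[base]}"))
            first_base.setdefault(base, account)
            first_exact[pw] = account
    return findings


def generate_password(length: int = 20) -> str:
    """What a password manager does: a uniformly random, unique secret per account."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed accounts showing the survey's patterns.
ACCOUNTS = {
    "work-email": "Summer2023!",
    "bank": "summer2024",            # variant of work-email
    "webmail": "Summer2023!",        # exact reuse
    "pharmacy-portal": "qwerty123",  # present in the breach corpus
    "vpn": "Tq9#rLw2$vPm7!kX",       # generated, unique
}

if __name__ == "__main__":
    for account, finding in audit(ACCOUNTS):
        print(f"{account}: {finding}")
    print("replacement:", generate_password())
```

The variant check is deliberately crude: it only folds the edits people actually make (a new year, a trailing symbol, a leet letter), which is enough to catch the "Summer2023! to summer2024" pattern the survey describes without trying to measure password strength in general.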

Since it is difficult to eliminate poor password practices entirely, multifactor authentication should also be implemented to ensure that if a password is guessed or otherwise obtained, by itself it will not grant access. The HHS’ Office for Civil Rights recently stressed the importance of multifactor authentication in its June Cybersecurity Newsletter.


More Than 300,000 Fortinet Firewalls Still Vulnerable to Critical FortiOS RCE Vulnerability

On June 12, 2023, Fortinet disclosed a critical remote code execution vulnerability in its FortiOS firmware. The heap buffer overflow issue was assigned a CVSS v3 base score of 9.8 out of 10 and could be remotely exploited on Fortinet firewalls that have the SSL VPN interface exposed to the Internet.

Last month, Fortinet warned that the vulnerability – CVE-2023-27997 – had already been exploited in limited attacks, so immediate patching was strongly recommended. Fortinet fixed the vulnerability in firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 and urged all users to update the firmware as soon as possible to prevent exploitation. A workaround was also recommended for users that are unable to immediately update the firmware, which involves disabling the SSL VPN.

It has now been a month since the firmware updates were released and patching appears to have been slow. Cybersecurity firm Bishop Fox reports that more than 300,000 FortiGate firewall appliances remain vulnerable and have yet to have the firmware updated. Bishop Fox conducted a Shodan scan to identify FortiGate firewalls that had an exposed SSL VPN interface. The researchers identified 489,337 appliances with an exposed SSL VPN interface and only 153,414 of those appliances had been updated to a version of the firmware not vulnerable to the CVE-2023-27997 flaw. Bishop Fox researchers then used an exploit to demonstrate the seriousness of the vulnerability. The exploit “smashes the heap, connects back to an attacker-controlled server, downloads a BusyBox binary and opens an interactive shell,” said the researchers.

The researchers also discovered that many of the FortiGate appliances were running FortiOS version 6, for which support was withdrawn in September 2022. CVE-2023-27997 is not the only critical vulnerability to affect FortiOS 6. Several other critical flaws have been identified in that version of the firmware, some of which have proof-of-concept (PoC) exploit code in the public domain.

All organizations that use FortiGate firewalls should check the firmware version and upgrade immediately if a vulnerable version is being used or apply the workaround. If the vulnerability is exploited, a threat actor could gain full control of the firewall, remotely execute malicious code, steal sensitive data, and gain the network access they require to conduct ransomware attacks.
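The check recommended above comes down to comparing the running build against the fixed build for its branch and noting whether the branch is still supported at all. The added example below is not Fortinet's tooling; the fixed builds per branch and the FortiOS 6 end-of-support date are the ones the article states, any branch the article does not mention is reported as "unknown" so the reader consults the vendor advisory rather than this table, and the fleet it runs over is constructed.

```python
"""Is this FortiOS build patched for CVE-2023-27997?

Added example, not Fortinet's tooling. Fixed builds per branch and the FortiOS 6
end-of-support date are those stated in the article; branches not mentioned there
are reported as "unknown". The fleet list is constructed.
"""
import re
from collections import Counter

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED_FOR_CVE_2023_27997 = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}
UNSUPPORTED_MAJORS = {6}   # FortiOS 6 support ended September 2022


def parse_version(text: str) -> tuple:
    """'v7.0.11', '7.0.11' or 'FortiOS 7.0.11 build0489' -> (7, 0, 11)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text: str, ssl_vpn_exposed: bool) -> tuple:
    """Return (status, notes); status is 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(version_text)
    branch = version[:2]
    notes = []
    if version[0] in UNSUPPORTED_MAJORS:
        notes.append("branch out of support: upgrade regardless of this CVE")
    if branch not in FIXED_FOR_CVE_2023_27997:
        status = "unknown"
        notes.append("branch not covered here: check the vendor advisory")
    elif version >= FIXED_FOR_CVE_2023_27997[branch]:
        status = "patched"
    else:
        status = "vulnerable"
        if ssl_vpn_exposed:
            notes.append("SSL VPN reachable: patch now or disable SSL VPN (vendor workaround)")
    return status, notes


def summarise(fleet) -> Counter:
    """Count statuses across a fleet of (hostname, version, ssl_vpn_exposed) tuples."""
    return Counter(assess(version, exposed)[0] for _, version, exposed in fleet)


# Constructed fleet.
FLEET = [
    ("fw-edge-01", "v7.0.11", True),
    ("fw-edge-02", "v7.2.5", True),
    ("fw-clinic-03", "v6.4.12", False),
    ("fw-clinic-04", "v6.0.17", True),
    ("fw-lab-05", "v7.4.0", True),
]

if __name__ == "__main__":
    for host, version, exposed in FLEET:
        status, notes = assess(version, exposed)
        print(f"{host:12} {version:8} {status:10} {'; '.join(notes)}")
    print(dict(summarise(FLEET)))
```

Tuple comparison does the version ordering, so a build only counts as patched if it is at or above the fix for its own branch; a 6.x device that is patched still carries the out-of-support note, which is the point the researchers make about appliances still on FortiOS 6.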
