Healthcare Cybersecurity

Cybersecurity Agencies Warn of TrueBot Malware Campaign Targeting U.S. and Canadian Orgs

A joint cybersecurity advisory has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) warning about a TrueBot malware campaign targeting organizations in the United States and Canada.

TrueBot is a downloader/botnet malware that establishes a connection with its command-and-control server, collects information on compromised systems, and is used for launching more extensive attacks on compromised networks. TrueBot is used by multiple threat actors including FIN11 and the Silence group. FIN11 has been using TrueBot malware to deploy Clop ransomware on victims’ networks. FIN11 installs TrueBot, then uses the malware to deliver the FlawedGrace Remote Access Trojan (RAT), which is used to escalate privileges and maintain persistence. FIN11 has also been observed deploying Cobalt Strike beacons.

TrueBot is usually installed via phishing attacks using malicious attachments; however, newer versions of the malware are also being delivered by exploiting a remote code execution vulnerability in the Netwrix Auditor application – CVE-2022-31199. Successful exploitation of the vulnerability allows a malicious actor to execute arbitrary code with SYSTEM privileges, allowing the deployment of TrueBot malware at scale within a compromised environment. The cybersecurity authorities report that phishing emails with malicious hyperlinks are being used in addition to the exploitation of the Netwrix Auditor vulnerability to deliver TrueBot malware.

Immediate patching of the CVE-2022-31199 vulnerability is strongly recommended if the Netwrix IT system auditing software is in use. To protect against phishing attacks, email security solutions are recommended along with phishing-resistant multifactor authentication. Organizations are also encouraged to search for the published Indicators of Compromise (IoCs) detailed in the alert and to immediately apply the recommended incident responses and mitigation measures if the IoCs are detected.

The post Cybersecurity Agencies Warn of TrueBot Malware Campaign Targeting U.S. and Canadian Orgs appeared first on HIPAA Journal.

Editorial: The Importance of Identity and Access Management (IAM) in Healthcare

Identity and access management in healthcare is the practice of ensuring that employees, vendors, contractors, and subcontractors are given appropriate access to the technology resources and data they need to perform their duties, and that policies, procedures, and technology are in place to prevent unauthorized individuals from accessing those resources and sensitive data.

Identity and access management consists of administrative, technical, and physical safeguards to keep resources and data locked down, with access to resources and data granted based on job role, authority, and responsibility. Identity and access management, in short, is about providing the right people with access to the right resources and data, at the right time, for the right reasons, while preventing unauthorized access at all times.

For a business with a small staff and few third-party vendors, identity and access management is straightforward. With few individuals requiring access to systems and data, ensuring everyone has access to the systems and data they need and nothing more is a relatively simple process. In healthcare, identity and access management is much more complicated. Access must be granted to a wide range of devices, including desktops, laptops, smartphones, routers, controllers, and a wide range of medical devices. Healthcare organizations typically use a wide variety of vendors, all of whom require access to systems and data, and there is often a high staff turnover, making it difficult to onboard and offboard in a timely manner.

To add to the problem, hackers are actively targeting healthcare organizations due to the value of the data they hold. Healthcare organizations are also heavily reliant on data and IT systems to support healthcare operations and ensure patient safety, making the sector an ideal target for ransomware gangs. The extent to which these attacks are succeeding highlights the difficulty healthcare organizations have with securing their systems and preventing unauthorized access.

Figure: The increase in data breaches due to hacking. Data source: HHS’ OCR Breach Portal.

Overview of Identity and Access Management

Identity and access management covers five key areas: Policy, identity management, access management, security, and monitoring. An identity and access management policy is required which determines who has access to systems and data and who has the authority to alter the functionality of IT systems. The policy must also cover onboarding and offboarding employees, vendors, and applications, and the actions that must be logged and monitored.

Identity management is a set of processes for establishing the identity of a person or device when they first make contact and for any subsequent interactions. Access management involves authentication and dictates the actions that a user is permitted to perform, with security controls implemented to prevent unauthorized access. Finally, logging is required to record system activity and data interactions to allow investigations of unauthorized activity, with logs routinely monitored and alerts generated and investigated in response to anomalous behavior.

Principles of Identity and Access Management in Healthcare

There are five key principles of identity and access management: Identification, authentication, authorization, access governance, and logging/monitoring of access and user activity.

Identification

All users – employees, vendors, contractors & subcontractors – and devices and applications that require access to systems and data must be identified and their true identities established. Identification is concerned with establishing the digital identity of a user, device, or system, which is usually achieved with a unique username/IP address.

Authentication

When a user or device has been identified, it is necessary to authenticate to prove that the user or device is what it claims to be. This is commonly achieved with a unique password associated with the username or device. Since usernames and passwords can be guessed or obtained, additional forms of authentication are required.

Authorization

Once the identity of a user has been established and authentication has occurred, they will be provided with conditional access to systems and data. Each user and device will need to be authorized to perform certain actions, access data, or administer the system, with authorization based on the principle of least privilege. Permissions should be set to the minimum necessary level required by that user to perform their duties.

Access Governance

Access governance relates to the policies and procedures for assigning, managing, and revoking access and ensuring the correct permissions are set for each user, device, or application, with users managed through a central user repository.

Logging and Monitoring

Logs of access and system activity must be generated and monitored regularly to identify unauthorized access and anomalous behavior that could indicate a compromise.

Common Identity and Access Weaknesses in Healthcare

Malicious actors view the healthcare industry as an easy target and commonly exploit identity and access weaknesses to gain a foothold in healthcare networks, move laterally, steal data, and conduct highly damaging attacks that severely disrupt operations and put patient safety at risk. While many sectors face similar challenges with identity and access management, a combination of factors makes effective management particularly challenging in healthcare, and vulnerabilities are commonly introduced that can be easily exploited. Across the healthcare sector, there are common weaknesses that are frequently exploited by malicious insiders and cyber threat actors, the most common of which are highlighted below.

Poor identity and access management

At many healthcare organizations there is a lack of assurance that an individual or entity seeking access is who they claim to be. Employees, contractors, and others require access to networks, applications, and data; roles and responsibilities change regularly; and staff turnover is often high, all of which makes identity and access management a significant challenge. All too often there is also a lack of monitoring, so compromises and unauthorized access go undetected.

Role-based access control (RBAC) is commonly used by healthcare organizations as it is easier to manage access rights when users are bundled together based on their roles. This reduces the number of access policies and makes management easier since users in the same role require access to similar resources; however, this approach can result in users being given access to resources that they do not need, with controls far less stringent than they should be. This is especially important regarding access to PHI. Each year, many snooping incidents are reported where employees have been able to access patient records when there was no legitimate work reason for the access, with investigations revealing that the unauthorized access had been occurring for months or years.

Healthcare organizations need to keep on top of access rights and ensure that permissions are appropriate to roles and responsibilities, with strong identity and access management, especially for privileged accounts. Access controls should be implemented based on the principle of least privilege and there should be consistent implementation of policies across the entire organization, with regular audits conducted to ensure employees and third-party vendors have the correct access rights. The failure to terminate access promptly when contracts end or employees change roles or find new employment puts healthcare data and systems at risk.

The annual HIMSS healthcare cybersecurity surveys have shown that a large percentage of healthcare organizations are not implementing identity and access management across the organization, resulting in security vulnerabilities that can easily be exploited to gain access to systems and data. Identity and access management (IAM) software reduces the complexity of identity and access management and allows controls to be set to ensure secure access is granted to employees and devices while making it difficult for unauthorized individuals to gain access to sensitive resources.

Slow Migration to Zero Trust

Strong identity and access management is necessary to restrict access to systems and data; however, healthcare organizations should be working toward implementing a zero-trust security framework. The traditional security approach is based on protecting the perimeter, essentially trusting anyone or anything that is inside that perimeter; however, the increase in the use of cloud infrastructure means there is no longer a clearly defined perimeter to protect. A zero-trust approach assumes that the network has been compromised, and ensures that if there is a security breach, an attacker does not have free rein over everything inside the network perimeter. Zero trust involves a constant process of authentication, authorization, and validation before access is granted to applications and data. There is no doubt that zero trust is the future of healthcare security and can prevent malicious actors from gaining access to healthcare networks and data and limit the harm that can be caused when attacks succeed; however, adoption of zero trust has been slow in the healthcare industry.

Poor password practices

HIPAA-covered entities should do more than comply with HIPAA password requirements, which only call for HIPAA-regulated entities to “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed,” along with procedures for monitoring login attempts, and procedures for creating, changing, and safeguarding passwords.

Many healthcare data breaches result from the failure of users to set strong, unique passwords for their accounts, password reuse across multiple platforms, and password sharing. User-generated passwords can often be brute forced with ease, password reuse exposes organizations to credential stuffing attacks, and password sharing violates HIPAA as it is not possible to track user activity.

Robust password policies should be set and enforced, but employees can easily take shortcuts. One solution is a password manager, which solves the problem of creating strong passwords and of employees having to remember them. Password managers include a secure password generator that produces truly random strings of characters resistant to brute force attacks, and store them in an encrypted vault.

One authentication solution that should be considered is single sign-on (SSO), which allows access to be carefully controlled without disrupting workflows, while eliminating some of the security weaknesses associated with passwords. Rather than logging in to multiple systems, each with its own credentials, the user authenticates once to an identity provider, and subsequent logins to connected applications are completed with a session or security token issued by that provider, optionally tied to a physical device. SSO solutions also centralize access logs, which helps with monitoring for unauthorized access, and let MFA be enforced in one place; the flip side is that the SSO account itself now unlocks everything and must be protected with the strongest authentication available.

Reliance on single-factor rather than multifactor authentication

It is telling that one of the most commonly cited improvements to security following a healthcare data breach is the implementation of multi-factor authentication across the organization when the proactive implementation of MFA could have prevented the data breach. Multifactor authentication is one of the most important defenses against phishing, which continues to be a leading cause of healthcare data breaches, yet multifactor adoption in healthcare lags other sectors.

Multifactor authentication requires additional means of authentication other than a password for verifying a user’s identity. The authentication process combines something a person knows (a password) with something a person has (a physical device or token) or something inherent to the user (biometric data such as a fingerprint or facial scan). While any type of multifactor authentication is better than single-factor authentication, an increasing number of phishing attacks defeat weaker forms of MFA, for example by relaying one-time codes through a real-time phishing proxy or by bombarding users with push prompts until one is approved. The gold standard is phishing-resistant MFA, such as FIDO/WebAuthn authentication, in which the credential is bound to the legitimate site’s origin so that a look-alike site cannot obtain a usable login. Regardless of which method is used, multifactor authentication needs to be implemented consistently across the entire organization.
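To make the difference concrete, here is an added example in Python (not from the editorial or any vendor) that implements RFC 6238 TOTP with the standard library and shows that a code relayed by a real-time phishing proxy is accepted, then models the relying-party side of a WebAuthn assertion and shows the same relay failing because the browser writes the phishing site’s origin into the signed client data. The relying-party origin, credential key, phishing domain and relay delay are assumed values, and an HMAC stands in for the authenticator’s ECDSA signature so the example runs without third-party libraries.

```python
"""TOTP (RFC 6238, HMAC-SHA1, 30 s step) versus WebAuthn-style origin binding.
Added example; the origins, keys and delays are constructed assumptions and
the HMAC 'signature' stands in for the authenticator's ECDSA signature."""
import hashlib
import hmac
import json
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Servers accept the current step plus a neighbour on each side for clock drift."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def totp_relay_attack_succeeds(secret: bytes, victim_time: int, relay_delay: int = 10) -> bool:
    """A phishing proxy forwards the victim's freshly typed code to the real
    site a few seconds later; nothing in the code says who is presenting it."""
    stolen_code = totp(secret, victim_time)
    return verify_totp(secret, stolen_code, victim_time + relay_delay)


# --- WebAuthn-style assertion checks on the relying party (RP) side ---
RP_ORIGIN = "https://portal.example-hospital.org"   # assumed legitimate origin


def authenticator_sign(credential_key: bytes, client_data_json: bytes) -> bytes:
    """The browser (not the user) writes type, challenge and origin into
    clientDataJSON; the authenticator signs over its SHA-256 hash.
    HMAC stands in for the real ECDSA P-256 signature here."""
    digest = hashlib.sha256(client_data_json).digest()
    return hmac.new(credential_key, digest, hashlib.sha256).digest()


def verify_assertion(credential_key: bytes, expected_challenge: str,
                     client_data_json: bytes, signature: bytes) -> bool:
    """Order matters: origin and challenge are checked before the signature."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False
    if data.get("origin") != RP_ORIGIN:          # relayed logins fail here
        return False
    if data.get("challenge") != expected_challenge:
        return False
    expected_sig = authenticator_sign(credential_key, client_data_json)
    return hmac.compare_digest(expected_sig, signature)


def _assertion_from(origin: str, challenge: str, credential_key: bytes):
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    return client_data, authenticator_sign(credential_key, client_data)


def webauthn_login_succeeds(credential_key: bytes, browser_origin: str) -> bool:
    """RP issues a challenge; the browser at `browser_origin` returns an assertion.
    A phishing proxy can forward the challenge but cannot change the origin the
    victim's browser records, so the RP rejects the relayed assertion."""
    challenge = secrets.token_urlsafe(32)
    client_data, signature = _assertion_from(browser_origin, challenge, credential_key)
    return verify_assertion(credential_key, challenge, client_data, signature)


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    key = secrets.token_bytes(32)
    print("TOTP relay accepted:", totp_relay_attack_succeeds(demo_secret, 1234567890))
    print("WebAuthn from real origin:", webauthn_login_succeeds(key, RP_ORIGIN))
    print("WebAuthn via look-alike origin:",
          webauthn_login_succeeds(key, "https://portal-example-hospital.org"))
```

The TOTP functions reproduce the RFC 6238 test vectors, so they can be checked against a real authenticator app. The point of the second half is the ordering inside verify_assertion: the origin check runs before any signature check, and the origin comes from the browser rather than from anything the user types or the attacker controls.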

Failure to secure third-party vendor access

Hackers may attack healthcare organizations directly but it is now increasingly common for malicious actors to exploit security weaknesses to gain access to vendor networks, through which they can abuse remote access tools to gain access to healthcare organizations’ networks. Supply chain attacks allow access to be gained to multiple healthcare networks via an attack on a single vendor. While it is important to restrict employee access using the principle of least privilege, the same applies to vendor access. Vendor access needs to be closely monitored, yet around half of healthcare organizations do not routinely monitor vendor access.

Insufficient logging and monitoring

Many healthcare organizations discover their systems have been breached several weeks or months after the network has been compromised, with the intrusion only detected when ransomware is used to encrypt files. Log management and intrusion detection solutions identify anomalies that could indicate a system compromise, and generate alerts when suspicious activity is detected, allowing investigations to be conducted to identify unauthorized access quickly, thus minimizing the harm that is caused.

I have already touched on insider breaches from an access rights perspective, which can be minimized with the right access policies and effective user management; however, one of the biggest failures comes from a lack of logging and monitoring of access. There have been insider breaches where employees have snooped on patient records for years before the unauthorized access is detected due to access logs not being routinely monitored. The key to effective monitoring is automation. IT solutions should be used that constantly monitor for unauthorized access, can distinguish between proper and improper access to ePHI, and generate alerts when suspicious activity is detected.
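The kind of automated check described above, covering both the least-privilege authorization point and the snooping-detection point, as an added example in Python (not code from the editorial or from any EHR vendor): it reads a constructed EHR audit log, enforces a role-based permission policy, flags record views by users with no documented treatment relationship to the patient, separates reviewed break-the-glass access from plain snooping, and reports users who access the same patient off-team repeatedly. The CSV layout, role names, care-team table and log lines are assumptions for illustration.

```python
"""Detect improper access to patient records from an EHR audit log.
Added example; the CSV layout, roles, care-team table and log lines are
constructed assumptions, not a real EHR product's schema."""
import csv
import io
from collections import Counter

# Least-privilege role policy: the only actions each role may perform.
ROLE_PERMISSIONS = {
    "physician":    {"view", "edit"},
    "nurse":        {"view", "edit"},
    "billing":      {"view_billing"},
    "registration": {"demographics"},
}

# Documented treatment relationships: patient_id -> users on the care team.
CARE_TEAM = {
    "P1001": {"dr.ahmed", "nurse.lee"},
    "P1002": {"dr.ahmed"},
    "P1003": {"dr.ortiz", "nurse.lee"},
}

# Constructed audit log: timestamp,user,role,patient_id,action,break_glass
SAMPLE_AUDIT_LOG = """\
2023-07-10T08:01:12Z,dr.ahmed,physician,P1001,view,no
2023-07-10T08:05:44Z,nurse.lee,nurse,P1003,edit,no
2023-07-10T08:09:03Z,nurse.lee,nurse,P1002,view,no
2023-07-10T08:11:57Z,billing.kim,billing,P1001,view_billing,no
2023-07-10T08:15:20Z,billing.kim,billing,P1002,view,no
2023-07-10T12:30:00Z,dr.ortiz,physician,P1001,view,yes
2023-07-10T13:00:00Z,nurse.lee,nurse,P1002,view,no
2023-07-10T13:02:00Z,nurse.lee,nurse,P1002,view,no
"""

FIELDS = ["timestamp", "user", "role", "patient_id", "action", "break_glass"]


def parse_audit_log(text: str):
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


def classify(event: dict):
    """None for expected access, otherwise a short reason for an alert."""
    allowed = ROLE_PERMISSIONS.get(event["role"], set())
    if event["action"] not in allowed:
        return "role_not_permitted"             # RBAC violation, alert regardless of patient
    if event["action"] in {"view", "edit"}:
        if event["user"] not in CARE_TEAM.get(event["patient_id"], set()):
            if event["break_glass"] == "yes":
                return "break_glass"            # allowed in emergencies, but must be reviewed
            return "no_treatment_relationship"  # the classic snooping signature
    return None


def detect(text: str, repeat_threshold: int = 2):
    """Return per-event alerts and (user, patient) pairs snooped on repeatedly."""
    alerts, off_team = [], Counter()
    for ev in parse_audit_log(text):
        reason = classify(ev)
        if reason is None:
            continue
        alerts.append((ev["timestamp"], ev["user"], ev["patient_id"], reason))
        if reason == "no_treatment_relationship":
            off_team[(ev["user"], ev["patient_id"])] += 1
    repeat = {pair: n for pair, n in off_team.items() if n >= repeat_threshold}
    return alerts, repeat


if __name__ == "__main__":
    found, repeated = detect(SAMPLE_AUDIT_LOG)
    for ts, user, patient, reason in found:
        print(f"{ts} {user:<12} {patient} {reason}")
    print("repeat offenders:", repeated)
```

Run against the constructed log it produces five alerts: one billing user performing a clinical view that the role does not permit, one break-the-glass access by an off-team physician queued for review, and three off-team views of the same patient by one nurse, which the repeat counter surfaces as the case worth an investigation. The treatment-relationship table is the piece most organizations lack in a queryable form; without it, a monitoring tool cannot tell proper from improper ePHI access.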

HIPAA and Identity and Access Management

Effective identity and access management is a fundamental part of healthcare cybersecurity and compliance with the HIPAA Rules. The HIPAA Privacy Rule – 45 C.F.R. § 164.514(h) – has a standard concerning the verification of the identity and authority of a person requesting access to PHI, while the technical safeguards of the HIPAA Security Rule – 45 C.F.R. § 164.312(d) – require regulated entities to implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. The Security Rule also has an access control standard – 45 C.F.R. § 164.312(a)(1), which includes unique user identification – and 45 C.F.R. § 164.312(b) requires audit controls for recording and examining activity in information systems that contain or use ePHI.

The HIPAA Security Rule does not stipulate specific authentication solutions that should be used for identity and access management; instead, the measures should be informed by the entity’s risk analysis and should sufficiently reduce risks to the confidentiality, integrity, and availability of ePHI. The HHS’ Office for Civil Rights drew attention to authentication in its June 2023 Cybersecurity Newsletter and pointed out that authentication measures should reflect the level of risk. “Different touchpoints for authentication throughout a regulated entity’s organization may present different levels of risk, thus requiring the implementation of authentication solutions appropriate to sufficiently reduce risk at those various touchpoints,” explained OCR. “For example, remote access to a regulated entity’s information systems and ePHI may present a greater risk than access in person, thus stronger authentication processes (e.g., multi-factor authentication) may be necessary when permitting or expanding remote access to reduce such risks sufficiently.” OCR suggests following the advice of CISA, and implementing, as a minimum, multifactor authentication solutions on Internet-facing systems, such as email, remote desktop applications, and Virtual Private Networks (VPNs).

Conclusion

Healthcare cybersecurity starts with effective identity and access management. HIPAA-regulated entities should ensure they develop, implement, and maintain effective identity and access policies, implement strong authentication processes, and take steps to address password weaknesses, taking advantage of the latest cybersecurity solutions to automate authentication and access policies as far as possible. Proper access governance is essential, including monitoring logs to identify potential compromises and unauthorized access to PHI by insiders.

With so many competing priorities, investment in cybersecurity often falls far short of what is required; however, with hacking incidents continuing to increase and ransomware attacks impacting patient care, cybersecurity is at last being viewed as not just an IT issue, but a critical patient safety issue that warrants appropriate investment.

Steve Alder, Editor-in-Chief, HIPAA Journal


Critical RCE Vulnerability Identified in Medtronic Paceart Optima System

A critical vulnerability has been identified in the Medtronic Paceart Optima System, which is used to compile and manage patients’ cardiac data. The vulnerability is tracked as CVE-2023-31222 and is due to the deserialization of untrusted data. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.

The vulnerability affects all versions of Paceart Optima up to and including version 1.11 and can be exploited remotely by an unauthenticated attacker by sending specially crafted messages to the Paceart Optima system. Successful exploitation of the flaw would allow an attacker to remotely execute arbitrary code and gain a foothold for network penetration. The flaw could also be exploited to trigger a denial-of-service condition, leaving the Paceart Optima system slow and unresponsive and preventing healthcare delivery organizations from using it.

The flaw can only be exploited if the Paceart Messaging Service is enabled in the Paceart Optima system, which is an optional service. An immediate mitigation to prevent the flaw from being exploited is to disable that service on the Application Server. Medtronic has provided instructions for manually disabling the Paceart Messaging Service on the Application Server and disabling message queuing on the Application Server, which will fully mitigate the vulnerability. Medtronic should be contacted for mitigation advice if a healthcare delivery organization is running a combined Application Server and Integration Server.

Medtronic has fixed the vulnerability in v1.12, and healthcare organizations should contact Medtronic to schedule the update; however, the recommended mitigation steps should be followed to prevent exploitation until the update is installed. Medtronic said the vulnerability was discovered during routine monitoring and there have been no detected instances of the vulnerability being exploited.
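The root cause named in the advisory, deserialization of untrusted data, as an added example in Python’s pickle (the Paceart code is not public and its serializer is not identified on this page; nothing here is Medtronic’s code): a message consumer that reconstructs objects straight from an incoming message runs whatever the serialized payload asks for, while an unpickler that allow-lists the one expected class refuses the payload before anything executes. The message class, the payload and the recorded side effect are constructed for the demonstration.

```python
"""Deserialization of untrusted data (CWE-502) in miniature, with the fix.
Added example using Python's pickle; the message class and payload are
constructed and nothing here is the Paceart product's code."""
import io
import pickle


class CardiacMessage:
    """The one object type the consumer legitimately expects."""
    def __init__(self, patient_id: str, rhythm: str):
        self.patient_id = patient_id
        self.rhythm = rhythm


EXECUTED = []   # records side effects that ran during deserialization


def _attacker_callable(marker: str) -> str:
    EXECUTED.append(marker)     # stands in for arbitrary code execution
    return marker


class MaliciousPayload:
    """A pickle is a program: __reduce__ makes loads() call any global."""
    def __reduce__(self):
        return (_attacker_callable, ("attacker code ran",))


def vulnerable_consume(blob: bytes):
    return pickle.loads(blob)   # trusts whatever arrived on the wire


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed classes; every other global is refused
    before the REDUCE/NEWOBJ opcode that would call it is reached."""
    ALLOWED = {(__name__, "CardiacMessage")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def hardened_consume(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def run_demo() -> dict:
    benign = pickle.dumps(CardiacMessage("P1001", "sinus rhythm"))
    malicious = pickle.dumps(MaliciousPayload())   # attacker-crafted message

    EXECUTED.clear()
    vulnerable_consume(malicious)
    ran_in_vulnerable = list(EXECUTED)

    EXECUTED.clear()
    try:
        hardened_consume(malicious)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    return {
        "vulnerable_executed": ran_in_vulnerable,
        "hardened_blocked": blocked,
        "hardened_side_effects": list(EXECUTED),
        "hardened_benign_ok": hardened_consume(benign).rhythm == "sinus rhythm",
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The allow-list is the part that generalizes: whatever the serialization format, the consumer should decide which types it will instantiate before it looks at the data, and a format that lets the sender name the type to construct should not be used on a network-facing service at all. That is also why disabling the optional messaging service is a complete interim mitigation here: it removes the only path on which attacker-controlled serialized data reaches the deserializer.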

CISA recommends additional defensive measures to improve security and reduce the risk of exploitation of vulnerabilities. These include minimizing network exposure and ensuring control systems are not accessible from the Internet, locating control system networks and devices behind firewalls, and only using secure methods for remote access, such as VPNs.


HIPAA Business Associate Fined $75,000 for Maintaining ePHI on an Unsecured Server

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle potential HIPAA violations with the HIPAA business associate, iHealth Solutions, LLC, for $75,000.

iHealth Solutions, doing business as Advantum Health, failed to secure one of its servers, which was accessed by an unauthorized individual who exfiltrated files that contained the electronic protected health information (ePHI) of 267 individuals. The HIPAA enforcement action shows that even relatively small data breaches can be investigated by OCR and result in a financial penalty. The last three penalties imposed by OCR to resolve HIPAA violations were all related to data breaches that affected fewer than 500 individuals.

Like many HIPAA-regulated entities that have been investigated by OCR after reporting data breaches, iHealth Solutions was discovered to have failed to comply with one of the most fundamental provisions of the HIPAA Rules – the risk analysis. All HIPAA-regulated entities must conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR was notified about the data breach on August 22, 2017, and was informed that the ePHI of 267 individuals had been exfiltrated from the unsecured server. The fine was imposed for the impermissible disclosure of ePHI and the risk analysis failure.

In addition to the financial penalty, iHealth Solutions has agreed to implement a corrective action plan which includes the requirement to conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of iHealth’s ePHI, develop a risk management plan to address and mitigate all security risks identified in the risk analysis, develop a process to evaluate any environmental or operational changes that affect the security of iHealth ePHI, and develop, maintain, and revise, as necessary, written policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules. OCR will monitor iHealth Solutions for two years to ensure compliance with the HIPAA Rules.

“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA-covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”

This is the 7th OCR enforcement action of 2023 to result in a financial penalty, and the third enforcement action to be announced by OCR this month. So far this year, OCR has fined HIPAA-regulated entities a total of $1,976,500 to resolve violations of the HIPAA Rules.  See HIPAA Violation Fines.


CISA Publishes Guidance on Securing Cloud Services

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published guidance that details security and resilience best practices to adopt when utilizing cloud services. The new guidance can be followed by all organizations; however, the guidance is of particular importance for federal agencies and critical infrastructure entities. Cybercriminals and advanced persistent threat actors are increasingly targeting supply chains to attack federal government networks and critical infrastructure, and many attacks now target cloud-based environments. The latest guidance can be used by federal agencies, critical infrastructure entities, and others to secure cloud business application environments and protect information created, accessed, shared, and stored in those environments.

The guidance was developed under CISA’s Secure Cloud Business Applications (SCuBA) project, which was established and funded through the American Rescue Plan Act of 2021. The aim of the project is to develop consistent, effective, modern, and manageable security configurations that will help secure agency information assets stored within cloud environments. The first resources to be published under this project are an Extensible Visibility Reference Framework (eVRF) Guidebook that can be used to identify visibility data, mitigate threats, understand the extent to which specific products and services provide visibility data, and identify potential visibility gaps. The eVRF is accompanied by a Technical Reference Architecture (TRA) document that can be used when adopting technology for cloud deployment, solutions, secure architecture, and zero trust frameworks.

“The final eVRF and TRA provides all organizations, including federal agencies, with adaptable, flexible, and timely guidance. These resources will help organizations address cybersecurity and visibility gaps that have long hampered our collective ability to adequately understand and manage cyber risk,” said CISA Executive Assistant for Cybersecurity, Eric Goldstein.

CISA has also confirmed that it is working on new guidance that will include recommended cybersecurity configurations for specific products, which will be released over the coming months.


Healthcare Organizations Warned of Risk of Cyberattacks via SEO Poisoning

In a recently published analyst note, the Health Sector Cybersecurity Coordination Center (HC3) draws attention to the practice of SEO poisoning – a tactic often used by malicious actors to trick individuals into disclosing sensitive information or downloading malware.

Phishing is one of the most common ways that malicious cyber actors target individuals to gain initial access to healthcare networks; however, contact can also be made with healthcare employees through the web pages they find via search engines. SEO poisoning is a technique for driving traffic to attacker-controlled websites: instead of distributing links to malicious websites via phishing emails or SMS/instant messaging, search engine optimization (SEO) techniques are used to get the malicious websites to rank highly for key search terms. The goal is to appear in the first few results, since those attract the most clicks, are perceived as the most relevant and trustworthy, and are often clicked without the URL being checked. Blackhat SEO tactics are used, such as loading the page content and meta tags with keywords (keyword stuffing), using private link networks to increase backlinks to the page, and artificially inflating click-through rates to game search engine algorithms. Cloaking is also common: the page serves benign content to search engine crawlers and malicious content to human visitors arriving via clicked links.

Malicious actors use SEO poisoning to target key search terms used by businesses or healthcare employees, and typosquatting may also be used to trick users into thinking they are on a legitimate website, such as registering domains with misspellings of brand names or substituting letters in domain names with similar-looking numbers or special characters. Typosquatting is also used to catch out careless typists – individuals who accidentally type Goole rather than Google for instance. Typosquatting may also be used to register domains similar to those used by healthcare organizations.

Security awareness training programs often concentrate on teaching employees how to identify phishing attempts, but it is also important to cover other attack techniques such as SEO poisoning to reduce the risk of employees falling victim to these attacks. Technical measures to prevent these attacks include web filters, which act as a gateway between users and the Internet, block attempts to visit known malicious websites, analyze web content and apply filtering controls before a connection is established, and restrict access to certain categories of websites. HC3 also recommends using digital risk monitoring tools to identify typosquatting, such as tools that scan newly registered domains for similarities with the organization’s brands or names.
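The digital-risk check HC3 recommends, as an added example in Python (not HC3’s tooling or any vendor’s): it generates the look-alike variants the note describes for a list of protected brands (dropped letter, swapped adjacent letters, look-alike character substitutions, inserted hyphen), then screens a batch of newly registered domains against those variants, a contains-brand check, and a Levenshtein distance threshold for squats that take more than one edit. The brand list, the homoglyph table and the “newly registered” domains are constructed; public-suffix handling is out of scope.

```python
"""Screen newly registered domains for typosquats of protected brands.
Added example; brands, domains and thresholds are constructed assumptions."""

# Look-alike substitutions commonly seen in typosquats (assumed, not exhaustive).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4",
              "s": "5", "g": "9", "m": "rn", "w": "vv"}

BRANDS = ["google", "mercyhealth"]                       # constructed watch list
NEW_REGISTRATIONS = [                                     # constructed daily zone feed
    "goole.com", "g00gle.net", "mercy-health.org",
    "mercyhealthportal.com", "example.com", "rnercyhealth.com",
]


def variants(label: str) -> set:
    """Generate single-edit look-alikes of a brand label."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                          # omission: goole
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition: googel
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])     # homoglyph: g0ogle, rnercy
    for i in range(1, len(label)):
        out.add(label[:i] + "-" + label[i:])                        # hyphenation: mercy-health
    out.discard(label)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches multi-edit squats the generator misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label only; a real tool would use the public suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def screen(new_domains, brands, max_distance: int = 2):
    """Return (domain, brand, reason) for each registration that looks like a brand."""
    hits = []
    for domain in new_domains:
        label = registrable_label(domain)
        for brand in brands:
            if label == brand:
                continue
            if label in variants(brand):
                hits.append((domain, brand, "generated_variant"))
            elif brand in label:
                hits.append((domain, brand, "contains_brand"))
            elif (dist := levenshtein(label, brand)) <= max_distance:
                hits.append((domain, brand, f"edit_distance_{dist}"))
            else:
                continue
            break                                   # one alert per domain is enough
    return hits


if __name__ == "__main__":
    for domain, brand, reason in screen(NEW_REGISTRATIONS, BRANDS):
        print(f"{domain:<24} looks like {brand:<12} ({reason})")
```

On the constructed feed, goole.com and rnercyhealth.com are caught by the generated variants, mercy-health.org by the hyphenation rule, mercyhealthportal.com because it embeds the brand, and g00gle.net (two substitutions, so outside the single-edit generator) by the distance fallback; example.com produces no alert. In practice the feed would be the daily newly-registered-domain list and hits would feed both a takedown queue and the web filter’s block list.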


Study Identifies Lack of Preparedness for Ransomware Attacks in Emergency Departments

Ransomware attacks on hospitals cause major disruption to healthcare operations over several weeks. During the acute and recovery phases, access is often prevented to electronic health records and critical IT systems which can naturally have an impact on patient care. Ransomware attacks cause disruption to workflows, increase wait times, and slow patient flow, which can increase patient transfers and complication rates and negatively affect patient outcomes. Some studies suggest mortality rates increase following a ransomware attack.

Research on the impact of ransomware attacks on hospitals is limited, with studies often focusing on the technical consequences of ransomware attacks rather than the impact these attacks have on hospital staff, especially in emergency care. A qualitative study, Hacking Acute Care: A Qualitative Study on the Health Care Impacts of Ransomware Attacks Against Hospitals, recently published in Annals of Emergency Medicine, sought to explore the impact on staff in more detail and identify the challenges faced by healthcare professionals and IT staff during the acute and recovery phases of hospital ransomware attacks.

The researchers examined several large ransomware attacks on hospitals between 2017 and 2022 and interviewed 9 individuals at hospitals that had suffered ransomware attacks, including emergency department staff and IT professionals. The study confirmed that ransomware attacks cause significant disruption to emergency department workflows and acute care delivery, and indicated that the attacks have a detrimental effect on the well-being of healthcare providers. The low number of participants was due to the “profound hesitancy” of hospitals to take part; however, the interviews yielded valuable information that gave the researchers insight into the impact of the attacks and allowed them to make recommendations to improve preparedness and limit the adverse effects on workflows and staff well-being.

While hospitals often have incident recovery plans, the study highlighted a lack of preparedness for ransomware attacks within emergency departments and identified several challenges encountered during the acute and recovery stages of the attacks. The lack of access to digital radiology systems following ransomware attacks made ordering and obtaining diagnostic imaging a challenge. The inability to communicate electronically meant forms had to be carried back and forth to the radiology department, and medical images often had to be reviewed in person there. Non-clinical staff members served as runners between the point of care and the radiology department, collecting and delivering imaging results, and because of the disruption, diagnostic imaging had to be reserved for the most urgent situations.

Ransomware attacks will naturally have an adverse impact on hospitals; however, that impact can be minimized with better preparedness. The researchers recommend temporarily diverting emergency department personnel in the first few hours of an attack to reduce pressure on acute care services, and using reverse triage, where the most seriously injured patients already in the emergency department are transferred to healthcare facilities unaffected by the attack. Patient care protocols should be established for when critical systems are offline, employees should be trained on paper-based charting and recording of patient information, and hospitals should ensure that paper charts and diagnostic order forms are on hand for emergencies. The researchers also recommend transparency with hospital staff, patients, and partners to help mitigate cyberattack concerns.

The post Study Identifies Lack of Preparedness for Ransomware Attacks in Emergency Departments appeared first on HIPAA Journal.

PoC Exploit Published for Cisco AnyConnect Secure Vulnerability

Proof-of-concept exploit code has been released for a high-severity vulnerability in AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. Users who have yet to apply the patch should do so immediately to prevent exploitation. Unpatched flaws in Cisco Secure Client Software have been targeted by malicious actors in the past.

Cisco Secure Client Software is a remote access solution that allows employees to connect to the network from any location via a Virtual Private Network and is used by IT admins for endpoint management. The vulnerability is tracked as CVE-2023-20178 and has a CVSS base score of 7.8.

The vulnerability affects the client update process and can be exploited by an authenticated, local attacker to elevate privileges to SYSTEM level. The vulnerability is due to improper permissions on a temporary directory created during the update process and can be exploited by abusing a specific function of the Windows installer process. An attack exploiting the vulnerability has low complexity and requires no user interaction. The vulnerability was discovered by security researcher Filip Dragovic, who reported the flaw to Cisco. He recently published the PoC exploit after successfully testing it on Secure Client version 5.0.01242 and AnyConnect Secure Mobility Client version 4.10.06079.

Cisco says there are no workarounds and patching is the only way to fix the vulnerability and prevent exploitation. A patch to fix the flaw was released on June 13, 2023, and, at the time of release, there had been no detected instances of exploitation. The flaw has been corrected in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.

The post PoC Exploit Published for Cisco AnyConnect Secure Vulnerability appeared first on HIPAA Journal.

Critical Vulnerability in VMware Aria Operations for Networks Now Actively Exploited

VMware has confirmed that a remote code execution vulnerability in the VMware Aria Operations for Networks (previously vRealize Network Insight) network analytics tool is now being exploited in the wild. The vulnerability is tracked as CVE-2023-20887, has a CVSS severity score of 9.8, and has been fixed in the latest version of the tool.

A proof-of-concept exploit for the pre-authentication command injection vulnerability was published on June 13, 2023, by security researcher Sina Kheirkhah of Summoning Team. Exploitation of the flaw on unpatched systems started two days later. Researchers at the cybersecurity firm GreyNoise detected mass-scanning activity to identify unpatched systems shortly after the PoC exploit was published. The vulnerability is one of three recently discovered vulnerabilities in VMware Aria Operations for Networks, the other two being another critical flaw – CVE-2023-20888 – and an important flaw – CVE-2023-20889. VMware released patches to fix all three flaws around two weeks ago. All three were identified by Kheirkhah and were reported to VMware, although the exploited CVE-2023-20887 flaw had been previously discovered and reported to VMware by an anonymous security researcher.

CVE-2023-20887 can be exploited by a malicious actor with network access to VMware Aria Operations for Networks in a command injection attack that can lead to remote code execution. CVE-2023-20888 can be exploited by a malicious actor with network access to VMware Aria Operations for Networks and allows a deserialization attack, resulting in remote code execution. The third vulnerability can be exploited to perform a command injection attack resulting in information disclosure.

VMware says there are no workarounds. The only way to address the flaws is to update to a fixed version. All VMware Aria Operations for Networks 6.x on-prem installations must be patched to prevent exploitation. All three flaws have been fixed in version KB92684.

The post Critical Vulnerability in VMware Aria Operations for Networks Now Actively Exploited appeared first on HIPAA Journal.