Healthcare Cybersecurity

SEC Postpones Final Rule on Cyber Incident Disclosures

Posted by Steve Alder

The Securities and Exchange Commission (SEC) was due to issue a final rule that would implement new regulatory requirements for publicly traded companies to disclose material cyber breaches in their regulatory filings within 4 days of the discovery of a breach. The decision has now been delayed until at least October 2023. A draft rule was proposed in March 2022 to improve transparency about cybersecurity incidents at publicly traded companies. The proposed rule called for publicly traded companies to ensure that investors are made aware of any material cybersecurity incidents and disclose information about cybersecurity governance, the level of board expertise in dealing with cybersecurity incidents, and the involvement of upper management in cyber risk. A new rule was also proposed for investment advisers, registered investment companies, and business development companies in February 2022 that requires them to develop, implement, and maintain written cybersecurity policies and procedures to address cybersecurity risks.

Regulatory changes to force publicly traded companies to disclose cyber incidents were seen to be necessary as many were choosing not to disclose these incidents to avoid potential lawsuits and minimize reputational harm. Only one-quarter of ransomware attacks are reported to public authorities, as the reporting of cyber incidents is voluntary. The proposed rules were subject to two comment periods, and more than 175 comments have been submitted in response to the proposed cyber rules.  The final rule was expected to be published as early as April 3, 2023; however, the SEC has now stated in a recent update to its rulemaking agenda that its new cyber rules will not be published until at least October 2023. The SEC did not provide a reason for the delay; however, there has been considerable pushback on the proposed rules.

While there has been broad support for the new cyber requirements for improving transparency, the devil is in the detail, especially the 4-day reporting requirement, which many commenters believe would hinder the ability of public companies to stop, investigate, remediate, and defend against cybersecurity incidents. The cybersecurity firm, Rapid7, warned that the 4-day disclosure deadline would mean companies that suffer security incidents would be forced to publicly disclose the incidents before they had been fully contained, and that would tip off hackers and make the companies more vulnerable and could lead to greater harm to investors. Rapid7 requested companies be allowed to delay reporting until a cyber incident has been fully remediated before being required to report the incident.

The U.S. Chamber of Commerce said the SEC is attempting to micromanage corporate cybersecurity programs and the proposed rule would not necessarily protect investors. The SEC was criticized for the 4-day reporting period as it did not give companies sufficient time to evaluate the severity of security incidents. The requirement to disclose whether the board has cybersecurity expertise was also criticized as it could lead to unwieldy and unwanted outcomes, such as giving investors a false level of confidence in the ability of a company to deal with the security incident. In its comments, the Chamber of Commerce said it would be difficult even for NIST to pinpoint what constitutes expertise or experience in cybersecurity that would earn widespread agreement among industry professionals.

The post SEC Postpones Final Rule on Cyber Incident Disclosures appeared first on HIPAA Journal.

May 2023 Healthcare Data Breach Report

Posted by Steve Alder

May 2023 was a particularly bad month for healthcare data breaches. 75 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in May. May – along with October 2022 – was the second-worst-ever month for healthcare data breaches, only beaten by the 95 breaches that were reported in September 2020. Month-over-month there was a 44% increase in reported data breaches and May’s total was well over the 12-month average of 58 data breaches a month.

Healthcare Data Breaches in the Past 12 Months - May 2023

May was also one of the worst-ever months in terms of the number of breached records, which increased by 330% month-over-month to an astonishing 19,044,544 breached records. Over the past 12 months, the average number of records breached each month is 6,104,761 and the median is 5,889,562 records. 46.52 of the breached records in May came from one incident, which exposed the records of almost 8.9 million individuals, and 90.45% of the breached records came from just three security incidents. More healthcare records have been breached in the first 5 months of 2023 (36,437,539 records) than in all of 2020 (29,298,012 records).

Records Breached in Healthcare Data Breaches in the Past 12 Months - May 2023

Largest Healthcare Data Breaches in May 2023

23 data breaches of 10,000 or more records were reported to OCR in May, including the two largest healthcare data breaches of 2023. The worst data breach was a LockBit ransomware attack on the HIPAA business associate Managed Care of North America (MCNA) which affected almost 8.9 million individuals. The LockBit gang stole data, threatened to publish the information on its website if the $10 million ransom was not paid, and when it wasn’t, uploaded leaked the stolen data. Almost 6 million records were stolen in a ransomware attack on PharMerica Corporation and its subsidiary BrightSpring Health Services. The Money Message ransomware group exfiltrated 4.7 terabytes of data in the attack and proceeded to upload the stolen data to its data leak site when the ransom was not paid.

A third million+ record data breach resulted in the exposure and potential theft of the protected health information of 2,550,922 Harvard Pilgrim Health Care plan members following a cyberattack on its parent Company, Point32Health, the second largest health insurer in Massachusetts. This was also a ransomware attack with data theft confirmed. Other large data breaches include a hacking incident at the Virginia-based business associate, Credit Control Corporation (345,523 records), and ransomware attacks affecting Onix Group (319,500 records), the Iowa Department of Health and Human Services (233,834 records), and Albany ENT & Allergy Services, PC (224,486 records).

Healthcare Data Breaches of 10,000 or More Records

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Managed Care of North America (MCNA) GA Business Associate 8,861,076 Ransomware attack (LockBit) – Data theft confirmed
PharMerica Corporation KY Healthcare Provider 5,815,591 Hacking Incident – data theft confirmed
Harvard Pilgrim Health Care MA Health Plan 2,550,922 Ransomware attack – Data theft confirmed
R&B Corporation of Virginia d/b/a Credit Control Corporation VA Business Associate 345,523 Hacking Incident – data theft confirmed
Onix Group PA Business Associate 319,500 Ransomware attack – Data theft confirmed
Iowa Department of Health and Human Services – Iowa Medicaid (Iowa HHS-IM) IA Health Plan 233,834 Ransomware attack (LockBit) on its business associate (MCNA Dental) – Data theft confirmed
Albany ENT & Allergy Services, PC. NY Healthcare Provider 224,486 Ransomware attack (BianLian/RansomHouse) – Data theft confirmed
Uintah Basin Healthcare UT Healthcare Provider 103,974 Hacking Incident
UI Community Home Care, a subsidiary of University of Iowa Health System IA Healthcare Provider 67,897 Cyberattack on subcontractor (ILS) of its business associate (Telligen) – data theft confirmed
University Urology NY Healthcare Provider 56,816 Hacking Incident
Illinois Department of Healthcare and Family Services, Illinois Department of Human Services IL Health Plan 50,839 Hackers compromised the state Application for Benefits Eligibility (ABE) system
New Mexico Department of Health NM Healthcare Provider 49,000 Impermissible disclosure of deceased individuals’ PHI per access request by a journalist
Pioneer Valley Ophthalmic Consultants, PC MA Healthcare Provider 36,275 Malware infection at business associates (Alta Medical Management and ECL Group, LLC)
Brightline, Inc. CA Business Associate 28,975 Hacking of Fortra GoAnywhere MFT solution
Clarke County Hospital IA Healthcare Provider 28,003 Hacking Incident
United Healthcare Services, Inc. Single Affiliated Covered Entity CT Health Plan 26,561 Hacking Incident
ASAS Health, LLC TX Healthcare Provider 25,527 Hacking Incident
iSpace, Inc. CA Business Associate 24,382 Hacking Incident – data theft confirmed
PillPack LLC NH Healthcare Provider 19,032 Credential stuffing attack allowed customer account access
Solutran MN Business Associate 17,728 Hacking incident
MedInform, Inc. OH Business Associate 14,453 Hacking Incident – data theft confirmed
Catholic Health System NY Healthcare Provider 12,759 hacking incident at business associate (Minimum Data Set Consultants) – data theft confirmed
Northwest Health – La Porte IN Healthcare Provider 10,256 Paper records were removed from locked shredding bins at an old facility

Causes of May 2023 Healthcare Data Breaches

The vast majority of the month’s data breaches were hacking/IT incidents, many of which were ransomware attacks and data theft/extortion attempts. 81.33% of the month’s data breaches (61 incidents) were hacking/IT incidents and those incidents accounted for 99.54% of all breached records. The protected health information of 18,956,101 individuals was exposed or stolen in those incidents. The average data breach size was 310,756 records and the median breach size was 3,833 records. There were 11 data breaches reported as unauthorized access/disclosure incidents, which affected 82,236 individuals. The average breach size was 7,476 records and the median breach size was 1,809 records. Two theft incidents were reported involving a total of 5,632 records and there was one incident involving the improper disposal of 575 paper records.

Causes of May 2023 Healthcare Data Breaches

Unsurprisingly given the large number of hacking incidents, 57 data breaches involved electronic protected health information stored on network servers. There were also 9 data breaches involving electronic protected health information in email accounts.

Location of Breached PHI in May 2023 Healthcare Data Breaches

Where Did the Breaches Occur?

When data breaches occur at business associates of HIPAA-regulated entities, they are either reported by the business associate, the HIPAA-regulated entity, or a combination of the two, depending on the terms of their business associate agreements. In May, 36 breaches were reported by healthcare providers, 25 by business associates, and 14 by health plans; however, those figures do not accurately reflect where the data breaches occurred. The pie charts below show where the data breaches occurred rather than the entity that reported the data breach, along with the number of records that were exposed or impermissibly disclosed in those data breaches.

May 2023 Healthcare Data Breaches - HIPAA-regulated Entities

Records Breached at HIPAA-regulated entities - May 2023

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 30 states. While Massachusetts tops the list with 15 data breaches reported, 13 of those breaches were the same incident. Alvaria, Inc. submitted a separate breach report to OCR for each of its affected healthcare clients. As such, California and New York were the worst affected states with 7 breaches each.

State Number of Reported Data Breaches
Massachusetts 15
California & New York 7
Connecticut, Iowa & Ohio 4
Illinois, New Jersey & Philadelphia 3
Alaska, Indiana, Missouri & Texas 2
Arizona, Arkansas, Georgia, Kansas, Kentucky, Michigan, Minnesota, New Hampshire, New Mexico, Oklahoma, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia & Wisconsin 1

Click here to view more detailed healthcare data breach statistics.

HIPAA Enforcement Activity in May 2023

After two months with no HIPAA enforcement actions, there was a flurry of enforcement activity in May over HIPAA compliance failures. Two financial penalties were imposed by OCR to resolve HIPAA violations, two enforcement actions were announced by state attorneys general, and the Federal Trade Commission (FTC) announced an enforcement action against a non-HIPAA-regulated entity for the impermissible disclosure of consumer health information.

In May, OCR announced its 44th financial penalty under its HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. David Mente, MA, LPC, a Pittsburgh-based counselor, was fined $15,000 for failing to provide a father with the medical records of his minor children, despite the father making two requests for the records and OCR providing technical assistance after the first complaint was filed.

Between January 2020 and June 2023, OCR imposed 61 financial penalties on HIPAA-regulated entities to resolve potential violations of the HIPAA Rules, 69% of which were for HIPAA Right of Access violations.  We are now starting to see more financial penalties imposed for other violations. May’s other HIPAA settlement involved a financial penalty of $350,000 for MedEvolve Inc., a Little Rock, AR-based business associate that provides practice management, revenue cycle management, and practice analytics software to HIPAA-regulated entities. MedEvolve had misconfigured an FTP server which exposed the electronic protected health information of 230,572 individuals. OCR investigated and determined that in addition to the impermissible disclosure, MedEvolve had failed to conduct a comprehensive, accurate, and organization-wide risk analysis and had not entered into a business associate agreement with a subcontractor.

The New York Attorney General agreed to a settlement to resolve violations of HIPAA and state laws that were discovered during an investigation of Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp. The medical management company was investigated after reporting a ransomware attack and data breach that impacted 1.2 million individuals. The hackers gained access to its network by exploiting a vulnerability that had not been patched, despite the patch being available for 22 months. Practicefirst was determined to have violated HIPAA and state laws through patch management failures, security testing failures, and not implementing encryption. The case was settled for $550,000.

A multi-state investigation of the vision care provider, EyeMed Vision Care, over a 2.1 million-record data breach was settled with the state attorneys general in Oregon, New Jersey, Florida, and Pennsylvania. A hacker gained access to an employee email account that contained approximately 6 years of personal and medical information including names, contact information, dates of birth, and Social Security numbers. The investigation revealed there had been several data security failures, including a lack of administrative, technical, and physical safeguards, in violation of HIPAA and state laws. The case was settled for $2.5 million.

The FTC has started actively policing the FTC Act and Health Breach Notification Rule and announced its third enforcement action of the year in May. Easy Healthcare, the developer and distributor of the Premom Ovulation Tracker (Premom) app, was alleged to have shared the health data of app users with third parties without user consent, in violation of the FTC Act, and failed to issue notifications, in violation of the Health Breach Notification Rule. Easy Healthcare agreed to settle the case and paid a $200,000 financial penalty.

The post May 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

TimisoaraHackerTeam Ransomware Group Linked to Recent Attack on U.S. Cancer Center

Posted by Steve Alder

An alarm has been sounded about a relatively unknown threat group called TimisoaraHackerTeam following a recent attack on a U.S. medical facility. TimisoaraHackerTeam is believed to be a financially motivated threat group, which in contrast to many cybercriminal and ransomware groups, has no qualms about attacking the healthcare and public health (HPH) sector and appears to actively target HPH sector organizations, mainly conducting attacks on large organizations. The group was first identified in July 2018 but has largely stayed under the radar.

According to the Healthcare Sector Cybersecurity Coordination Center (HC3), which issued the alert on June 16, the group has resurfaced and conducted a June 2023 ransomware attack on a U.S. cancer center which rendered its digital services unavailable, put the protected health information of patients at risk, and significantly reduced the ability of the medical center to provide treatment for patients.

The group has exploited known vulnerabilities to gain initial access to HPH sector networks, then escalates privileges, moves laterally, and encrypts files. The group uses Microsoft’s native disk encryption tool, BitLocker, along with Jetico’s BestCrypt, rather than custom ransomware. This allows the group to encrypt files without being detected by security solutions. Previous attacks that have been loosely attributed to TimisoaraHackerTeam include an attack on a French hospital in April 2021 which involved similar living-off-the-land tactics, and an attack on Hillel Yaffe Medical Center in Israel, which resulted in the cancellation of non-elective procedures and forced the medical center to switch to alternative systems to continue to provide patient care.

According to the cybersecurity firm Varonis, the attack on Hillel Yaffe Medical Center in Israel is thought to have involved the exploitation of a known and unpatched vulnerability in the Pulse Secure VPN, with the hackers then using living-off-the-land techniques for the next stages of the attack to evade security solutions. Varonis says reports of attacks by TimisoaraHackerTeam mostly date to 2018, and while it is possible that the group has resurfaced, the DeepBlueMagic threat group may be an evolution of TimisoaraHackerTeam or DeepBlueMagic may have simply adopted the same tactics as TimisoaraHackerTeam. The same tactics have also been used by hackers in China, with those attacks attributed to an Advanced Persistent Threat Group that is tracked as APT41, although it is unclear to what extent, if any, these threat actors are linked.

In addition to exploiting Pulse Secure VPN vulnerabilities, TimisoaraHackerTeam has targeted vulnerabilities in Microsoft Exchange Server and Fortinet firewalls and uses poorly configured Remote Desktop Protocol to move laterally within networks. The recent attack on the cancer center serves as a warning that the group is still active, and that network defenders should take steps to improve monitoring and protect their networks from attacks. Further details on the group and its tactics, techniques, and procedures can be found in the HC3 HPH Sector Cybersecurity Notification.

The post TimisoaraHackerTeam Ransomware Group Linked to Recent Attack on U.S. Cancer Center appeared first on HIPAA Journal.

Progress Software Warns of New MOVEit Zero-Day Vulnerability – Immediate Action Required

Posted by Steve Alder

Progress Software has issued a warning about another vulnerability in its MOVEit Transfer file transfer software, an exploit for which is in the public domain. The announcement comes as the Clop ransomware group starts to name companies that were attacked by exploiting a separate zero-day bug in May, and CISA confirms the victims include several federal agencies.

The CVE for the latest vulnerability is still pending and there is no CVSS severity score at present; however, this is a critical vulnerability and a Proof-of-Concept (PoC) exploit for the new zero-day flaw has been shared by a security researcher on Twitter, although at the time of release, code execution is not believed to have been achieved. The attacks by the Clop gang demonstrate that MOVEit vulnerabilities can be weaponized and exploited in mass attacks, so mitigations should be implemented immediately and patches applied as soon they are released.

MOVEit Transfer Zero Day Mitigations and Fixes

According to Progress Software, all users must take action to address the latest MOVEit zero day bug. The steps that need to be taken are dependent on whether patches have been applied to fix the zero-day bug (CVE-2023-34362) that was exploited by Clop and patched on May 31, 2023, and a second critical SQL injection vulnerability – CVE-2023-35036 – a patch for which was released on June 9. The May 31 and June 9 patches and remediation steps should be followed first, if they have not been already, then the June 15, 2023, patch can be applied to fix the third zero-day (CVE pending).

If it is not possible to immediately apply the June 15, 2023, patch, users should disable all HTTP and HTTPs traffic to the MOVEit Transfer environment immediately (ports 80 and 443) to prevent unauthorized access. HTTP and HTTPs traffic should not be re-enabled until the June 15, 2023, patch has been applied. While this mitigation will prevent users from being able to log into their accounts via the web user interface, transfers will still be available since the SFTP and FTP/s protocols will continue to work, and admins will still be able to access MOVEit Transfer by connecting to the Windows server via remote desktop, and then navigating to https://localhost/

Details on patching all three vulnerabilities and the mitigation steps are detailed in the latest Progress Software alert.

Progress Software said, “We have taken HTTPs traffic down for MOVEit Cloud in light of the newly published vulnerability and are asking all MOVEit Transfer customers to immediately take down their HTTP and HTTPs traffic to safeguard their environments while the patch is finalized.”

Clop Starts Publishing Victims’ Names on Dark Web Data Leak Site

The Clop gang claimed responsibility for the attacks which exploited the May 2023 vulnerability (CVE-2023-34362), and while the victim count is not known, several hundred companies are understood to have been affected. Clop provided a deadline of June 14, 2023, for payment of the ransom demands, after which the group claimed it would start releasing the stolen data. On Wednesday, names started to be published on its data leak site which include the oil and gas company Shell, the University of Georgia (UGA) and University System of Georgia (USG), UnitedHealthcare Student Resources (UHSR), Putnam Investments, Heidelberger Druck, and Landal Greenpark. Several other companies have confirmed that they were affected although they have yet to be listed on the data leak site. Those companies include Zellis, Boots, Aer Lingus, and the BBC.

CISA Confirms Federal Agencies Impacted

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that several federal agencies were attacked by the Clop gang by exploiting the May 2023 vulnerability and that it is providing support to the agencies that have suffered intrusions. Eric Goldstein, CISA executive assistant director for cybersecurity, confirmed to CNN that it is currently trying to understand the impact of those intrusions. CISA Director, Jen Easterly, said the May 2023 attacks were opportunistic in nature and were not targeted at government agencies, and while Clop is a Russian ransomware group, the attacks are not believed to be connected to the Russian government. “Although we are very concerned about this campaign, this is not a campaign like SolarWinds that poses a systemic risk,” said Easterly. Government agencies known to have been affected include the Energy Department, which confirmed that two entities within the Department have been compromised.

The post Progress Software Warns of New MOVEit Zero-Day Vulnerability – Immediate Action Required appeared first on HIPAA Journal.

Senate Committee Advances Rural Hospital Cybersecurity Enhancement Act

Posted by Steve Alder

The Senate Homeland Security and Governmental Affairs Committee has advanced a bill that seeks to address the current shortage of cybersecurity skills in rural hospitals, which are increasingly targeted by cybercriminals. Rural hospitals do not have the resources available to invest in cybersecurity and struggle to recruit skilled cybersecurity professionals and, as such, are seen as soft targets by cybercriminals.

The Rural Hospital Cybersecurity Enhancement Act, which was introduced by Sen. Josh Hawley (R-MO) and co-sponsored by Sens. Gary Peters (D-MI) and Jon Ossoff (D-GA), calls for the development of a comprehensive rural hospital cybersecurity workforce development strategy to address the current shortage of cybersecurity staff at rural hospitals. The Rural Hospital Cybersecurity Enhancement Act requires the Secretary of the Department of Homeland Security to develop a comprehensive rural hospital cybersecurity workforce development strategy to address the growing need for skilled cybersecurity professionals in rural hospitals within a year of enactment of the act.

When developing the cybersecurity workforce development strategy, the Secretary should consider partnerships between rural hospitals, private sector entities, educational institutions, and non-profits to expand cybersecurity education and training programs tailored to the needs of rural hospitals, the development of a cybersecurity curriculum and teaching resources for rural educational institutions, and make recommendations for legislation, rulemaking, and/or guidance for implementing the strategy.

Rural hospitals are operating under increasing financial pressure and lack the necessary funding for cybersecurity. Currently, few rural hospitals have dedicated cybersecurity workers and IT staff are generally in short supply and overworked. Cybersecurity positions in rural hospitals typically have low remuneration, and the lack of funding means individuals who take on cybersecurity roles do not have access to the latest cybersecurity tools that would be at their disposal in other positions. The global shortage of skilled cybersecurity professionals is unlikely to be resolved in the short to medium term, so the aim of the bill is to address the shortage through teaching programs at rural educational institutions and developing rural hospital workforces through education on fundamental aspects of cybersecurity.

Sen. Rand Paul (R-TX) tabled an amendment to the original bill, stipulating that CISA should not ask for additional funds for the proposed measures, and the amended bill will now head to the Senate floor for a vote. The advancement of the Rural Hospital Cybersecurity Enhancement Act occurred a few days after the announcement that a rural hospital in Illinois will permanently close on June 16, 2023, due, in part, to the financial pressures caused by a ransomware attack.

“I am encouraged Congress is taking bipartisan action to shore up the ability of small-town hospitals to defend themselves from cyberattacks,” said Senator Hawley. “We must continue working diligently to improve cybersecurity preparedness in rural hospitals to both protect the sensitive medical and personal data of American patients and defend our national security.”

The post Senate Committee Advances Rural Hospital Cybersecurity Enhancement Act appeared first on HIPAA Journal.

Comprehensive LockBit Ransomware Cybersecurity Advisory Issued by CISA & Partners

Posted by Steve Alder

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and its international cybersecurity agency partners have issued a cybersecurity advisory about the LockBit ransomware operation, which has extorted $91 million from organizations in the United States since 2020 across 1,700 attacks.

“This joint advisory on LockBit is another example of effective collaboration with our partners to provide timely and actionable resources to help all organizations understand and defend against this ransomware activity,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein. “As we look to the future, we must all work together to evolve to a model where ransomware actors are unable to use common tactics and techniques to compromise victims and work to ensure ransomware intrusions are detected and remediated before harm can occur.”

The LockBit ransomware-as-a-service operation is the most prolific RaaS group, having listed more victims on its data leak site than any other ransomware operation. LockBit was behind 16% of ransomware attacks on state, local, tribal, and tribunal (SLTT) governments in 2022 and was the most commonly deployed ransomware variant last year. The group has attacked organizations of all sizes, including critical infrastructure entities such as financial services, food & agriculture, education, and healthcare, and 2023 attacks have continued in high numbers.

There are several reasons why LockBit has become the most prolific RaaS operation. Affiliates are recruited to conduct attacks and receive a share of the ransoms they generate, as is the case with other RaaS operations; however, LockBit pays its affiliates faster and provides them with their cut of ransom payments before payment is received by core members of the group. The group has developed an easy-to-use interface for its affiliates which lowers the bar for new affiliates, who require less technical skill to start conducting ransomware attacks than with other ransomware variants. The group also engages in publicity-generating exercises, disparages other RaaS operations, and has even taken steps to discourage individuals from disclosing the identity of the lead member of the group (LockBitSupp) to law enforcement by offering a $1 million bounty on information that could lead to LockBitSupp’s identification.

Due to the large number of affiliates working within the LockBit operation, the tactics, techniques, and procedures (TTPs) used in attacks are diverse so network defenders face significant challenges defending against attacks. The security advisory details the TTPs that CISA, the FBI, and their international cybersecurity partners have observed in LockBit ransomware attacks over the past 3 years, along with a lengthy list of mitigations to help network defenders take proactive steps to improve their defenses against LockBit attacks. The advisory includes around 30 different freeware and open source tools that have been used by LockBit affiliates, 9 CVEs that are known to have been exploited, and more than 40 MITRE ATT&CK techniques for initial access, discovery, credential access, privilege escalation, lateral movement, persistence, defense evasion, collection, command and control, data exfiltration, and execution.

“The FBI encourages all organizations to review this CSA and implement the recommended mitigation measures to better defend against threat actors using LockBit,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division, and encouraged all victims of cybercrime to report incidents to their local FBI field office.

The post Comprehensive LockBit Ransomware Cybersecurity Advisory Issued by CISA & Partners appeared first on HIPAA Journal.

Ransomware Attack Key Factor in Decision to Close Rural Illinois Hospital

Posted by Steve Alder

Ransomware attacks can cause healthcare facilities to temporarily close and small healthcare practices have made the decision not to reopen after a ransomware attack, but hospitals and health systems are usually financially resilient enough to remediate the attacks and recover, but not St. Margaret’s Health. Like many rural hospitals and health systems, St. Margaret’s Health has been struggling to maintain operations in the face of increasing financial pressures, then fell victim to a ransomware attack that sent it into a downward financial spiral. The attack, in combination with several other factors, resulted in the decision to permanently close its 44-bed Spring Valley location in Illinois. St Margaret’s Health also operates a 49-bed hospital in Peru, IL, which was under a temporary suspension that was announced in January this year. All operations at the two hospitals will permanently end on Friday, June 16, 2023.

The Sisters of Mary of the Presentation founded St. Margaret’s Health in 1903, and in 2021, St. Margaret’s Hospital – Spring Valley and Illinois Valley Community Hospital (IVCH) in Peru consolidated their operations and formed a regional health network run by the SMP Health ministry, with IVCH changing its name to St. Margaret’s Hospital – Peru. St. Margaret’s Health tried to integrate the new hospital into St. Margaret’s Health so that the two hospitals and their associated clinics could continue to provide catholic healthcare in the Illinois valley, but the challenges proved too great. Like many rural hospitals, St. Margaret’s Health has faced increasing financial pressures in recent years, and the COVID-19 pandemic, continuing staff shortages, and the ransomware attack on St. Margaret’s Hospital – Spring Valley’s computer systems in February 2021 proved too much and made it impossible to sustain its ministry. The ransomware attack itself did not trigger the closure, but it did play a key part in the decision to close. The ransomware attack prevented the hospital from submitting claims to insurers, Medicare, and Medicaid for months, piling even more financial pressure on the already struggling St. Margaret’s Health.

Suzanne Stahl, chair of SMP Health, said St. Margaret’s Health has signed a non-binding letter of intent with OSF Healthcare to acquire the Peru campus and related ambulatory facilities, and the proceeds of the sale will be used to pay off a portion of St. Margaret’s debts and will help to ensure that catholic-based healthcare will continue to be provided in the Illinois valley and the surrounding areas. The transition will take some time, and while OSF Healthcare is working to accomplish the purchase as quickly as possible, it is not able to provide a time frame for when care will resume. “The hospital closure will have a profound impact on the well-being of our community. This will be a challenging transition for many residents who rely on our hospital for quality healthcare,” said Melanie Malooley-Thompson, Mayor of Spring Valley. The closure will mean that patients will be forced to travel much further for emergency room and obstetrics services.

Longstanding pressures on rural hospitals resulted in 136 rural hospital closures between 2010 and 2021, according to a 2022 report from the American Hospital Association, including 19 closures in 2020 alone. Rural hospitals typically have low reimbursement, staff shortages, and low patient volumes, and also had to deal with the COVID-19 pandemic. Cyberattacks are enough to send them over the edge.

Tragically, this is unlikely to be the last ransomware attack that proves too much for a rural hospital. Increasing financial pressure limits the ability of rural hospitals to invest in cybersecurity and they also struggle to attract and retain skilled cybersecurity staff. That makes rural hospitals an easy target for ransomware gangs, which are increasingly targeting these healthcare facilities. Even when rural hospitals are not specifically targeted, they can still fall victim to non-targeted attacks due to the lack of appropriate cybersecurity.

The post Ransomware Attack Key Factor in Decision to Close Rural Illinois Hospital appeared first on HIPAA Journal.

HPH Sector Urged to Make FIN11 Threat Group a Priority for Security Teams

Posted by Steve Alder

The Health Sector Cybersecurity and Coordination Center (HC3) has compiled a profile of the FIN11 threat group (TA505/Lace Tempest/Hive0065) which is known to target organizations in the healthcare and public health (HPH) sector. Historically, FIN11 has conducted phishing campaigns but has now migrated to other attack vectors against companies in North America and Europe. The group is financially motivated and often engages in data theft for extortion, with or without ransomware.

Recent attacks include the exploitation of zero day vulnerabilities in file transfer solutions to gain access to sensitive data, which is stolen and threatened to be released if a ransom is not paid. FIN11 often deploys CLOP ransomware in its attacks, although it is unclear exactly how many CLOP ransomware attacks FIN11 has conducted. The ransom demands in these attacks vary based on the perceived ability of the victim to pay and typically range from a few hundred thousand dollars to $10 million.

FIN11 phishing and spear phishing campaigns have used a combination of malicious attachments and hyperlinks, and fake download pages have been used to trick people into downloading malware. FIN11 is thought to have been involved in the mass exploitation of vulnerabilities in the MOVEit and Accellion FTA file transfer solutions, the PaperCut MF and NG vulnerability in 2023, the Windows ZeroLogon vulnerability in October 2020, and several other vulnerabilities. FIN11 also targeted HPH sector organizations during the COVID-19 pandemic.

FIN11 is known to deploy a range of different malware variants after gaining initial access to networks. In addition to CLOP ransomware, the group has deployed the LEMURLOOT web shell, P2P RAT, FlawedAmmyy and FlawedGrace remote access Trojans, and Cobalt Strike, along with a host of other tools to allow the group to achieve its objectives.

Due to the range of different attack vectors, mitigations are varied and involve strong email security measures, prompt patching of known vulnerabilities, endpoint detection solutions, and active monitoring of security alerts for signs of compromise. HC3 recommends that healthcare organizations consider FIN11 a top priority for their security teams, as the group poses a significant threat to the HPH sector.

The post HPH Sector Urged to Make FIN11 Threat Group a Priority for Security Teams appeared first on HIPAA Journal.

Immediate Patching Recommended for Critical Fortinet FortiOS & FortiProxy Vulnerability

Posted by Steve Alder

A critical vulnerability in Fortinet’s FortiOS and FortiProxy SSL VPN has potentially already been exploited by malicious actors. The vulnerability, tracked as CVE-2023-27997, is a heap buffer overflow issue in FortiOS and FortiProxy SSL-VPN which can be exploited remotely, pre-authentication, to execute code via malicious requests to vulnerable devices. The flaw can be exploited even if multifactor authentication has been enabled.

Fortinet firewalls and VPNs are widely used and vulnerabilities are actively sought by malicious actors and have been rapidly exploited in the past. A search on the Shodan search engine indicates around 250,000 Fortinet firewalls are accessible over the Internet and the majority of those are thought to be vulnerable. Fortinet said the vulnerability was identified during a code audit conducted in response to a series of attacks exploiting a separate zero-day vulnerability – CVE-2022-42475 – in FortiOS SSL VPN that was disclosed in January. Those attacks were linked to the Chinese state-sponsored threat group, Volt Typhoon, which has been active since mid-2021 and has previously targeted critical infrastructure entities in the United States. Fortinet has not linked exploits of the most recently disclosed vulnerability to Volt Typhoon, but said the threat actor and other threat groups will likely target the vulnerability and that there may already have been limited attacks against government, manufacturing, and critical infrastructure.

Fortinet issued a security advisory on June 12 about the vulnerability, which affects virtually all versions of FortiOS and FortiProxy. Patches have been released to fix the vulnerability and customers have been urged to update their firmware to the latest version. Fortinet said the vulnerability is mitigated if customers are not operating SSL-VPN; however, all users have been recommended to update to the latest firmware version regardless.

While there is only believed to have been limited exploitation of the flaw, now that patches have been released threat actors will compare the new releases with previous firmware versions to work out what has changed and will likely rapidly discover and develop exploits for the vulnerability, so immediate patching is strongly recommended.  All users should ensure they have updated to the following firewall and VPN versions:

FortiOS-6K7K

  • FortiOS-6K7K version 7.0.12 or above
  • FortiOS-6K7K version 6.4.13 or above
  • FortiOS-6K7K version 6.2.15 or above
  • FortiOS-6K7K version 6.0.17 or above

FortiOS

  • FortiOS version 7.4.0 or above
  • FortiOS version 7.2.5 or above
  • FortiOS version 7.0.12 or above
  • FortiOS version 6.4.13 or above
  • FortiOS version 6.2.14 or above
  • FortiOS version 6.0.17 or above

FortiProxy

  • FortiProxy version 7.2.4 or above
  • FortiProxy version 7.0.10 or above

The post Immediate Patching Recommended for Critical Fortinet FortiOS & FortiProxy Vulnerability appeared first on HIPAA Journal.