Healthcare Cybersecurity

FBI and CISA Issue Warning About BianLian Ransomware and Extortion Group

Posted by HIPAA Journal

A joint cybersecurity alert has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) about the BianLian ransomware and data extortion group.

The BianLian group has been conducting attacks in the United States since at least June 2022 and has actively targeted critical infrastructure organizations, including the healthcare and public health sector. The BianLian group is a ransomware actor that develops and uses ransomware in its attacks, typically engaging in double extortion tactics, where sensitive private data is exfiltrated from victims’ networks before files are encrypted. The group threatens to leak the stolen data if the ransom is not paid. This year, the group has largely switched to extortion-only attacks where files are not encrypted after exfiltration. These attacks have proven to be effective as the release of stolen data can cause significant damage to an organization’s reputation and legal complications.

The BianLian group primarily gains access to victims’ networks by using Remote Desktop Protocol (RDP) credentials, which may be obtained through brute force attacks to guess weak credentials, purchasing credentials from initial access brokers, or phishing attacks. Once credentials are obtained, the group deploys a custom backdoor specific to each victim, and commercially available remote access tools are downloaded such as TeamViewer, Atera Agent, SplashTop, and AnyDesk. The group uses command-line tools and scripts for network reconnaissance and harvesting more credentials. PowerShell and Windows Command Shell are used to disable antivirus software such as Windows Defender and Anti-Malware Scan Interface (AMSI), and the registry is modified to uninstall services such as Sophos SAVEnabled, SEDenabled, and SAVService services.

Tools typically downloaded onto victims’ networks include Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, and PingCastle to aid discovery, along with native Windows tools and Windows Command Shell, with PsExec and RDP with valid accounts used for lateral movement. Once sensitive data has been located, data exfiltration occurs via File Transfer Protocol (FTP), Rclone, or Mega. Once data exfiltration has occurred, threats are issued to publish the stolen data.

The best defense against attacks is to limit the use of RDP and other remote desktop services. Audits should be conducted of all remote access tools on the network to identify installed and currently used software. Any remote access tools that are not currently used should be removed or disabled, and RDP should be locked down. Security software should be used to detect instances of remote access software being loaded in the memory, and logs should be reviewed of remote access software to detect any abnormal use.

Authorized remote access solutions should only be used from within the network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs). Inbound and outbound connections on common remote access software ports and protocols should be blocked at the network perimeter. Organizations should also disable command-line services and scripting activities and restrict the use of PowerShell on critical systems, and enhanced PowerShell logging should be enabled. Regular audits of administrative accounts should be conducted, time-based access for accounts should be set at the admin level and higher, and the principle of least privilege should be applied.

The cybersecurity alert includes Indicators of Compromise (IOCs), details of the tactics, techniques, and procedures (TTPs) used by the group, and other recommended mitigations.

The post FBI and CISA Issue Warning About BianLian Ransomware and Extortion Group appeared first on HIPAA Journal.

Illumina Sequencing Instruments Affected by Maximum Severity Vulnerability

Posted by HIPAA Journal

Healthcare providers and laboratory personnel have been warned about a maximum severity vulnerability in Illumina Universal Copy Service software used by its DNA sequencing instruments.

The vulnerability affects Illumina products with Illumina Universal Copy Service (UCS) v2.x installed:

  • iScan Controls Software (v4.0.0 and v4.0.5)
  • iSeq 100 (all versions)
  • MiniSeq Control Software (v2.0 and later)
  • MiSeq Control Software (v4.0 RUO Mode)
  • MiSeqDx Operating Software (v4.0.1 and later)
  • NextSeq 500/550 Control Software (v4.0)
  • NextSeq 550Dx Control Software (v4.0 RUO Mode)
  • NextSeq 550Dx Operating Software (v1.0.0 to 1.3.1)
  • NextSeq 550Dx Operating Software (v1.3.3 and later)
  • NextSeq 1000/2000 Control Software (v1.4.1 and prior)
  • NovaSeq 6000 Control Software (v1.7 and prior)
  • NovaSeq Control Software (v1.8)

Affected devices are vulnerable to two flaws, the most serious of which – CVE-2023-1699 – allows binding to an unrestricted IP address. If exploited, a malicious actor could use UCS to listen on all IP addresses, including those capable of accepting remove communications, remotely take control of the affected devices, change device settings, and alter or steal sensitive data. The flaw can be exploited remotely with low attack complexity and has been assigned a CVSS score of 10 out of 10.

The second flaw, tracked as CVE-2023-1966, affects UCS v1.x and v2.0 and is due to unnecessary privileges. A remote attacker could upload and execute code remotely at the operating system level, allowing changes to be made to settings and configurations and sensitive data to be accessed on the affected products. The vulnerability has been assigned a CVSS score of 7.4 out of 10.

The vulnerabilities were discovered by Illumina and were reported to the Cybersecurity and Infrastructure Agency (CISA). Illumina says it is unaware of any instances of actual or attempted exploitation of the flaws; however, due to the severity of the vulnerabilities and the ease of exploitation, immediate patching is recommended.

On April 5, 2023, Illumina notified customers about the flaw requesting they check for signs of exploitation. A patch has now been released along with a Vulnerability Instructions Guide to help users address the flaw based on the specific configurations of their devices. The U.S. Food and Drug Administration (FDA) recently issued a warning to healthcare providers and laboratory personnel that the vulnerabilities may present risks for patient results and customer networks. Until the patch can be applied, steps should be taken to reduce the risk of exploitation, including minimizing network exposure, ensuring the affected devices are not accessible over the Internet, locating control system networks and remote devices behind firewalls, and only using secure methods to remotely access the devices, such as a Virtual Private Network (VPN).

The post Illumina Sequencing Instruments Affected by Maximum Severity Vulnerability appeared first on HIPAA Journal.

Passwordless Authentication Adoption Increases but Poor Password Practices Persist

Posted by HIPAA Journal

A recent survey of IT decision makers has provided insights on password management practices and has confirmed the increasing adoption of passwordless authentication. This is the third year that the password manager provider, Bitwarden, has conducted its Password Decisions Survey, which this year was conducted by Propeller Insights on 400 America IT decision makers and 2,000 Internet users and revealed their password habits, and attitudes to password security and passwordless authentication technologies.

The survey confirmed that little has changed over the past 12 months, with poor password practices proving difficult to eliminate. Password manager use declined slightly year-over-year, with 84% of IT decision makers saying they use password management software at work, down from 84% in 2022, but up from 77% in 2021. The slight decline may be in part due to a significant data breach at LastPass in 2022. While the password manager was not breached, hackers gained access to an encrypted backup copy of the password vaults of an unspecified number of users.

Despite this, password managers are still widely thought to improve password security and the survey indicates there is considerable demand from employees for password managers, with 79% of Internet users saying they would like their employer to provide one. While 84% of respondents said they use a password manager at work, poor password practices are still common, with 54% of respondents admitting to saving their passwords in a document on their computer (53% in 2022), 45% relying on memory for passwords (42% in 2022), and 29% writing their passwords down (unchanged). 22% of employees claim they have been reusing the same password for more than a decade.

While 66% of IT decision makers said they share passwords securely via a password manager, a significant percentage use less secure methods such as email (41%), shared online documents (38%), chat and messaging apps (30%), verbal disclosures (27%), and written notes (22%). Worryingly, 90% of IT decision makers admitted to reusing passwords in the workplace, down slightly from 92% in 2022. Out of the respondents that do reuse passwords, the extent to which passwords are reused is reducing. 11% reuse passwords on 15+ sites (15% in 2022), 24% use the same password on 10-15 sites (27% in 2022), 36% reuse passwords on 5-10 sites (33% in 2022), and 19% use the same password on 1-5 sites (16% in 2022).

2-factor authentication can significantly improve security and adoption is growing, with 92% of respondents saying they use it in the workplace, up from 88% in 2022. The most common reasons for not implementing 2-FA are believed to be a failure to understand the benefits, a belief that passwords alone provide good enough protection, account hacking is unlikely, and the negative effect the additional authentication on workflows.

Despite the risks of using unauthorized software and hardware (shadow IT), 32% of IT decision makers admitted to using unauthorized devices and software as did 49% of employees. The majority of people who admitted to using shadow IT (73%) said they did so because it helps them work more efficiently. 52% said they still used unauthorized software or hardware when they were unable to get authorization to use it, and 50% just went ahead because of the slow response times for authorization from the IT department.

The increasing cost of data breaches and the rate that they are occurring has prompted organizations to seek cyber insurance. 75% of surveyed IT decision makers said they have cyber insurance policies, but insurers are demanding proof of security measures before they agree to provide insurance policies. 65% of IT decision makers said they had to demonstrate they provided security awareness training to employees, had multifactor authentication (64%), used a password manager (61%), had an incident response plan (50%), had adequate data backup processes (48%), and demonstrate they were patching regularly (28%). Only 3% of organizations were not required to provide any proof that these measures were in place.

Concern about password security and the number of password-related data breaches are driving the adoption of passwordless technology such as biometrics, passkeys, and security keys. 41% of respondents believe passwordless authentication provides better security, 24% say it improves the user experience, 17% say it reduces the burden on the IT department, and 19% believe it improves productivity. 57% of U.S. respondents said they were excited about passwordless technology, with 49% saying they have either deployed the technology or are planning to, although out of those that have started to adopt passwordless authentication, 87% have yet to roll it out across the entire organization. Out of the organizations that have adopted the technology, 51% use biometrics, facial recognition, fingerprint, or voiceprints, and 31% use a physical item such as a security key or FIDO auth.

One of the major reasons for reluctance to use passwordless technology such as fingerprints, voice prints, and face IDs is fear that it would be used against them, which was a concern for 36% of respondents that have yet to adopt the technology. 55% of respondents said they prefer to rely on memory for passwords, even though people that rely on memory tend to create much weaker passwords. Remembering passwords also leads to productivity losses. 58% of respondents said they regularly have to reset their passwords because they have forgotten them, with 12% saying it is an everyday occurrence.

The post Passwordless Authentication Adoption Increases but Poor Password Practices Persist appeared first on HIPAA Journal.

HC3: Ransomware Groups are Exploiting GoAnywhere and PaperCut Vulnerabilities

Posted by HIPAA Journal

The Health Sector Cybersecurity and Coordination Center (HC3) has issued a fresh ransomware warning to the healthcare and public health (HPH) sector following a spate of attacks on the HPH sector in April by the Clop and LockBit ransomware groups.

HC3 has issued multiple alerts about the Clop and LockBit ransomware-as-a-service groups which have conducted multiple attacks on the healthcare sector. Clop was behind the attacks on Fortra’s GoAnywhere MFT solution in January/February 2023 and the 2022 attacks on the Accellion File Transfer Application (FTA), both of which exploited zero-day vulnerabilities in those solutions. The latest alert about LockBit was issued in December 2022 following multiple attacks on HPH sector organizations.

The Clop group exploited the GoAnywhere MFT vulnerability (CVE-2023-0669) and stole data from around 130 organizations, and both groups have been observed exploiting two other recently disclosed vulnerabilities – CVE-2023-27350 and CVE-2023-27351 – which are authentication bypass vulnerabilities in the widely used print management software, PaperCut MF/NG. Those two vulnerabilities were disclosed by the developer on April 19, 2023, and were corrected in PaperCut versions 20.1.7, 21.2.11, and 22.0.9 and later.

On April 26, 2023, Microsoft announced that a threat actor known as Lace Tempest was exploiting the PaperCut flaws and that the activity overlapped with the FIN11 and TA505 threat groups,  both of which have ties to Clop. After exploiting the vulnerabilities, TrueBot malware was deployed, which is known to be used by the Clop ransomware operation. LockBit ransomware was deployed in some of the attacks.

Network defenders have been advised to promptly patch their servers by updating to the latest versions of PaperCut. If that is not possible, there is a recommended workaround, which involves blocking all traffic to the web management port (9191) from external IP addresses on edge devices and blocking all traffic to default port 9191 on the server’s firewall. Users of Fortra’s GoAnywhere MFT solution should rotate the Master Encryption Key, reset all credentials, review audit logs, and delete suspicious administrator and user accounts.

Further recommended mitigations against attacks by Clop, LockBit, and other cybercriminal groups are detailed in the HC3 alert.

The post HC3: Ransomware Groups are Exploiting GoAnywhere and PaperCut Vulnerabilities appeared first on HIPAA Journal.

Organizations Face Increased Scrutiny of Health Data Breaches

Posted by HIPAA Journal

Healthcare hacking incidents are increasing, there are new regulatory requirements and compliance initiatives due to Dobbs and Pixel use, and lawsuits against healthcare organizations over privacy violations are soaring. HIPAA-regulated entities and other organizations that operate in the healthcare space are now facing increased scrutiny of their data security practices and compliance programs, and the coming 12 months will likely see an increase in enforcement actions and lawsuits over privacy violations.

The recently published BakerHostetler Data Security Incident Response Report (DSIR) draws attention to these issues and provides insights into the threat landscape to help organizations determine how to prioritize their efforts and investments. The report, now in its 9th year, was based on 1,160 security incidents managed by BakerHostetler’s Digital Assets and Data Management Practice Group in 2022.

After a surge in ransomware attacks in 2021, 2022 saw a reduction in attacks; however, there was a surge in ransomware activity toward the end of the year and that surge has continued in 2023. That surge has coincided with increases in ransom demands, paid ransoms, and ransomware recovery times.  In 2022, the average ransom demand and payment increased in 6 out of the 8 industries tracked. In healthcare, the average ransom demand was $3,257,688 (median: $1,475,000) in 2022, and the average payment increased by 78% to $1,562,141 (median: $500,000). Across all industry sectors, paid ransoms increased by 15% to $600,688.

Network intrusions also increased and were the most common type of security incident, accounting for almost half of all data incidents covered in the report. BakerHostetler notes that companies have been getting better at detecting and containing these incidents, with dwell time decreasing from an average of 66 days in 2021 to 39 days in 2022. The time taken for containment fell from 4 days to 3 days, and investigation time decreased from 41 days in 2021 to 36 days in 2022.

The increase in hacking and ransomware attacks has prompted companies to invest more heavily in cybersecurity, and while security defenses have been enhanced, cybercriminals have found new ways of circumventing those defenses and attacking systems. Techniques that have proven successful in 2022 include MFA bombing, social engineering, SEO poisoning, and EDR-evading malware.

The cost of cyberattacks increased significantly in 2022, with forensic investigation costs increasing by 20% from last year in addition to increases in the cost of business disruption, data reviews, notification, and indemnity claims. Legal costs from data breaches have also increased significantly as it is now common for multiple lawsuits to be filed in response to data breaches.

Data breaches of 10,001 to 500,000 records see an average of 12-13 lawsuits filed and lawsuits are even being filed for smaller data breaches, with breaches of less than 1,000 records typically seeing 4 lawsuits filed. According to BakerHostetler, lawsuits have doubled since last year and we are now at a stage where legal action is almost a certainty following a data breach. There have been increases in lawsuits for violations of state privacy laws, and with a further 4 states enacting new privacy legislation in 2022 and one more due to introduce a new privacy law in 2023, the compliance landscape is becoming more complicated.

In the summer of 2022, a report was published by the Markup/STAT detailing an analysis of the use of pixels (tracking technologies) on hospital websites. These code snippets are typically added to websites to track visitor activity to improve websites and services, but the code also transmits identifiable visitor information to third parties. The extent to which these tools were being used – without the knowledge of website visitors – attracted attention from the HHS’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) with both issuing guidance on the use of these tools. OCR and the FTC have confirmed that Pixel-related violations of HIPAA and the FTC Act are now an enforcement priority, with the FTC having already taken action against entities over the use of these tracking tools. Law firms have been quick to sue healthcare organizations over these privacy breaches. More than 50 lawsuits have been filed against healthcare organizations in response to Pixel-related breaches since June 2022 when the report was published.

A further study of the use of Pixels by healthcare organizations suggests almost 99% of US non-federal acute care hospital websites had pixels on their websites that could transmit sensitive data, yet only a handful of healthcare organizations have disclosed Pixel-related data breaches to OCR so far. There could well be a surge in HIPAA enforcement actions by OCR and huge numbers of lawsuits filed in response to these breaches over the coming months.

There are also likely to be enforcement actions against HIPAA-regulated entities and non-HIPAA-regulated entities in the healthcare space for privacy violations involving reproductive health information, as both the FTC and OCR have stated that reproductive health information privacy will be an enforcement priority. OCR’s HIPAA Right of Access enforcement initiative is still ongoing, and compliance remains a priority for OCR.

BakerHostetler has also issued a warning about HIPAA compliance for non-healthcare entities, stressing that HIPAA applies to employer-sponsored health plans. There was an increase in data breaches at employer health plans in 2022 and these are likely to come under increased regulatory scrutiny, not just by OCR but also the Department of Labor which is increasingly conducting follow on investigations focusing on the overall cybersecurity posture of these plans. State Attorneys general have also started taking a much more active interest in the activities of healthcare entities, with investigations by state attorneys general into violations of HIPAA and state laws increasing in 2022.

BakerHostetler also identified a major increase in snooping incidents in 2022. These incidents include healthcare employees snooping on healthcare records and attempting to divert controlled substances. The increase confirms how important it is to create and monitor logs of system activity to detect malicious insider activity quickly. BakerHostetler notes that having systems in place that monitor for system activity anomalies is also key to rapidly detecting hacking and ransomware incidents.

“Securing an enterprise is a significant challenge — there are a lot of risks and just spending more money does not automatically equate to more effective security,” said Craig Hoffman, co-leader of BakerHostetler’s national Digital Risk Advisory and Cybersecurity team. “We see a lot of incidents, including what allowed them to occur and what was done to address the issue. Because enterprises do not have unlimited budgets and staff to implement and maintain new solutions, being able to share objective data about security incidents — from causes to fixes to consequences — helps clients decide where to prioritize their efforts.”

The post Organizations Face Increased Scrutiny of Health Data Breaches appeared first on HIPAA Journal.

Healthcare Industry Facing Increased Malware and Ransomware Threats

Posted by HIPAA Journal

Ransomware actors continue to target the U.S. healthcare sector, cybercriminals are increasingly using malware to steal data and provide persistent access to healthcare networks, and legitimate penetration tools are being used to mask malicious activity amongst genuine use of these tools by red teams.

These are some of the findings from the latest Global Threat Intelligence Report from Blackberry, which is based on threats detected by its Cylance Endpoint Security solution over 90 days from December 2022 to February 2023. During that time, Blackberry detected up to 12 cyberattacks per minute and identified a massive increase in unique attacks using new malware samples, which increased by 50% from 1 per minute to 1.5 per minute in the most recent reporting period.

The United States remains the most targeted country, although there has been a change in focus elsewhere, with Brazil now the second most targeted country followed by Canada. The same industry sectors are favored, with financial services, healthcare, and food/staples accounting for 60% of all malware-based attacks. The most commonly detected malware were droppers, downloaders, remote access tools (RATs), and ransomware.

Blackberry detected an increase in cyberattacks using the Agent Tesla RAT, RedLine initial access and information stealer, Emotet downloader, and BlackCat ransomware, all of which have been used in attacks on the healthcare sector. Over the 90 days, BlackBerry detected and blocked 5,246 unique malware samples that had been used in attacks on its healthcare provider clients, with an average of 59 new, unique malware samples blocked each day. Over the 90 days, BlackBerry blocked 93,000 individual attacks on its healthcare clients.

The biggest malware threat faced by the healthcare industry was Emotet. While Emotet started out as a banking Trojan, it is now primarily a botnet-driven malware dropper that is used to deliver a range of malicious payloads for other cybercriminal groups. Emotet is capable of self-propagation and lateral movement and is used to deliver malware and ransomware payloads. The RedLine information stealer was also a top threat to the healthcare sector.

Ransomware gangs continue to pose a major threat, with BlackCat and Royal both aggressively targeting the healthcare sector. BlackCat is believed to include former affiliates of the DarkSide and BlackMatter ransomware operations and has been active since November 2021 and there are indications that attacks are widening. Royal ransomware is a relatively new ransomware group that first appeared in September 2022. The group is thought to include some highly capable and experienced individuals, including members of the now-defunct Conti ransomware operation.

The healthcare industry is being targeted by initial access brokers, who compromise healthcare networks and then sell access to ransomware gangs, with access often gained through credential theft. BlackBerry also detected widespread use of the penetration testing tools Cobalt Strike and Brute Ratel, with malicious use of the former a significant threat to the healthcare sector. Nation-state actors and cybercriminals have been observed using these tools.

BlackBerry expects ransomware affiliates to continue to target hospitals and medical organizations for the foreseeable future, especially in countries that support or provide funding to Ukraine, with BlackCat, Royal, and LockBit 3.0 expected to continue to pose a threat to the healthcare sector. Healthcare, along with other critical infrastructure sectors, will likely be targeted by financially motivated as well as politically motivated actors over the coming months and BlackBerry also warns that AI is likely to be increasingly used for attack automation and deep fake attacks. Deep fake attacks have gained significant traction in recent months.

The post Healthcare Industry Facing Increased Malware and Ransomware Threats appeared first on HIPAA Journal.

NIST Releases Discussion Draft of NIST CSF 2.0 Core

Posted by HIPAA Journal

The National Institute of Standards and Technology (NIST) is in the process of updating the NIST Cybersecurity Framework (CSF) 1.1 and plans to release the complete draft version 2.0 in the summer. A discussion draft has been published that includes updates to the Core elements of the Framework and NIST is seeking concrete suggestions on how the Framework can be improved ahead of the publication of the complete draft. The NIST CSF 2.0 Core covers the outcomes across the 6 Functions, 21 Categories, and 112 Subcategories and includes a sample of potential new CSF 2.0 Informative Examples. The discussion draft is not complete and is preliminary, and has been released to improve transparency and inform the development of the complete draft.

Modifications have been made to the NIST CSF 1.1 to increase clarity, ensure a consistent level of abstraction, address changes in technologies and risks, and improve alignment with national and international cybersecurity standards and practices. NIST has received comments confirming version 1.1 of the Framework is still effective at addressing cybersecurity risks but felt an update was required to make it easier for organizations to address current risks and future cybersecurity challenges more effectively.

NIST received 92 written responses to its January 2023 CSF 2.0 concept paper, feedback from working sessions and workshops, 134 written responses to its February 2022 NIST Cybersecurity RFI, and suggestions at conferences, webinars, roundtables, and meetings around the world. All feedback has been considered when crafting the update to the Framework.

Specifically, NIST seeks feedback on whether the cybersecurity outcomes detailed in the discussion draft address the current challenges faced by organizations, are aligned with existing cybersecurity practices and resources, and whether the updates address the submitted comments. NIST said suggestions can also be submitted on any aspects of the framework where further improvements can be made, including the content, format, and scope of the implementation examples.

NIST has confirmed that updates will be made to other elements of the Framework and said there is still much work to be done ahead of the planned summer release of the complete draft of NIST CSF 2.0.

The discussion draft can be viewed/downloaded here.

The post NIST Releases Discussion Draft of NIST CSF 2.0 Core appeared first on HIPAA Journal.

Riskiest Connected Medical Devices Revealed

Posted by HIPAA Journal

Through the Internet of Medical Things (IoMT), an array of medical devices have been connected to the Internet, allowing them to be operated, configured, and monitored remotely. These devices can transmit medical data across the Internet to clinicians allowing rapid action to be taken to adjust treatments and data collected from the devices can be automatically fed into electronic medical records. The use of IoMT devices is growing at an extraordinary rate, with the number of devices used by smart hospitals expected to double from 2021 levels to 7 million IoMT devices by 2026.

While Internet-connected medical devices offer important benefits, they also increase the attack surface considerably. Vulnerabilities in IoMT devices are constantly discovered that can potentially be exploited by malicious actors to gain access to the devices and the networks to which the devices connect. According to a 2022 report from the FBI, 53% of digital medical devices and other Internet-connected devices contain at least one unpatched critical vulnerability.

The asset visibility and security company Armis has recently conducted a comprehensive analysis of data collected from medical and IoT devices to identify the riskiest IoMT and IOT devices. The data came from more than 3 billion assets that are tracked through the Armis Asset Intelligence and Security Platform. The analysis revealed the riskiest connected medical devices were nurse call systems, 39% of which had unpatched critical vulnerabilities and 48% had other unpatched vulnerabilities. A critical vulnerability is a flaw that can be exploited in a direct or indirect attack by a malicious actor that will result in decisive or significant effects. If flaws in medical devices are exploited, hackers could gain access to the networks to which the devices connect, steal sensitive data, or alter the functionality of the devices themselves and put patient safety at risk.

Infusion pumps were the second riskiest connected medical device with 27% of analyzed devices having at least one unpatched critical flaw and 30% having other unpatched vulnerabilities, followed by medication dispensing systems with 4% containing unpatched critical flaws and an astonishing 86% having other unpatched vulnerabilities. Armis notes that 32% of the analyzed medication dispensing systems were running on unsupported Windows versions. Overall, across all connected medical devices, 19% were running on unsupported operating systems, as IoMT devices often have lifespans that exceed the lifespans of the operating systems on which they run.

IoT devices can also introduce considerable risks and provide hackers with an easy opportunity to gain a foothold in healthcare networks. Armis monitors IP cameras in clinical environments and found that 56% have unpatched critical vulnerabilities and 59% had other unpatched vulnerabilities, which makes IP cameras the riskiest IOT devices, followed by printers (37%/30%) and VoIP devices (53%/2%).

Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface,” said Mohammad Waqas, Principal Solutions Architect for Healthcare at Armis. “Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualized monitoring is a key element to ensuring patient safety.”

The growing number of wireless, Internet- and network-connected devices and increasing cybersecurity threats targeting the healthcare sector prompted the U.S. Food and Drug Administration (FDA) to take action. Manufacturers of medical devices will soon be required to provide information about the cybersecurity of their devices in pre-market submissions as part of a drive to improve medical device cybersecurity. Those requirements include a software bill of materials to allow vulnerable components to be identified and patched, cybersecurity measures to secure the devices and sensitive data, and a plan to issue security updates for the lifespan of the devices.

The post Riskiest Connected Medical Devices Revealed appeared first on HIPAA Journal.

One-Fifth of Healthcare Organizations Do Not Enforce Cybersecurity Protocols

Posted by HIPAA Journal

A recent Salesforce survey revealed some of the security gaps that exist in healthcare organizations, even those that have a security-first culture. The survey revealed only one-fifth of healthcare organizations enforce their cybersecurity protocols and only two-fifths of healthcare workers look at their security protocols before using new tools or technology.

The Salesforce survey was conducted on April 13, 2023, on 400 healthcare workers in the United States who were asked questions about cybersecurity and policies and procedures at their organizations. 57% of surveyed workers said their job has become more digitized over the past two years, which means more data than ever now needs to be protected. There is a common myth that cybersecurity is the sole responsibility of the IT department; however, a majority of the respondents were aware that cybersecurity is a shared responsibility. 76% of healthcare respondents agreed that it is their responsibility to keep data safe, yet despite being aware of the need to protect data, many workers admitted to not always following cybersecurity best practices.

22% of respondents said their organization does not strictly enforce cybersecurity protocols, and 31% of respondents said they were unsure what they should do in the event of a breach. While more than two-thirds of workers (67%) said they have a security-first culture at work, 31% of respondents said they are not very familiar with their company’s security policies and processes and only 39% of workers check security protocols before trying new tools or technology.

There appears to be a lack of understanding about security risks associated with connected devices such as phones and laptop computers, with only 40% of surveyed workers believing they pose a security risk and 48% thinking their personal devices were as secure as their work devices. 46% of workers said they have accessed work documents on their personal devices. A large number of healthcare workers implicitly trust their work devices, with 61% of workers saying that if something could be accessed on their work device it must be safe.

These are issues that can be tackled through security awareness training, but the message does not appear to be getting through as 70% of respondents said they are given training on how to keep data safe. While an increasing number of organizations understand the importance of providing security awareness training to the workforce, there is room for improvement as those training courses are not proving to be as effective as they should be. Only 54% of respondents said their training was efficient and 19% said training is generic and not relevant to their job.

One-third of workers (33%) said they use the same passwords for their personal and work accounts, 25% of surveyed workers admitted to clicking a suspicious link in an email at work, only 42% of workers report all suspicious emails to their security team, 19% do not always use VPN when conducting work online, and only 39% of workers always use multi-factor authentication.

The survey shows that while healthcare organizations are taking steps to develop a security culture, more needs to be done to get the message across that security best practices must always be followed. Improving the efficiency of training can help to get employees on board, such as implementing a modular training course and tailoring the training for specific roles to ensure it is relevant. The survey also suggests healthcare organizations could do a lot more when it comes to enforcing security policies.

The post One-Fifth of Healthcare Organizations Do Not Enforce Cybersecurity Protocols appeared first on HIPAA Journal.