A recent study has confirmed that healthcare cyberattacks not only cause disruption at the organization that experiences an attack but also at emergency departments at neighboring hospitals, where patients face longer wait times due to increased patient numbers which place a strain on resources.

The study involved a retroactive analysis of two academic emergency departments operated by a healthcare delivery organization (HDO) in San Diego, which were in the vicinity of an unrelated HDO that experienced a ransomware attack. The researchers looked at adult and pediatric patient volume, emergency medical services diversion data, and emergency department stroke care metrics for four weeks prior to the attack, during the attack, and four weeks after the attack.

The ransomware attack in question occurred on May 1, 2021, and affected an HDO with 4 acute care hospitals, 19 outpatient facilities, and more than 1,300 combined acute inpatient beds. The attack prevented access to electronic medical records and imaging systems and affected the HDO’s telehealth capabilities. Staff were forced to use pen and paper to record patient information and emergency traffic was redirected to unaffected facilities. The attack caused disruption for 4 weeks, and around 150,000 patient records were compromised.

An attack on one hospital will often see patient numbers increase at neighboring hospitals, and the increased volume of patients and resource constraints impact time-sensitive care for health conditions such as acute stroke. The researchers found there were significant disruptions to services at the neighboring healthcare facilities, even though they were not targeted or directly affected by the ransomware attack. Compared to the period before the attack, there was a 15.1% increase in the daily mean emergency department census, a 35.2% increase in mean ambulance arrivals, a 6.7% increase in mean admissions, a 127.8% increase in patients leaving without being seen, a 50.4% increase in visits where patients left against medical advice, and a 47.6% increase in median waiting room times.

The researchers chose acute stroke care as an example of a time-sensitive, resource-intensive, technologically dependent, and potentially lifesaving set of complex actions and decisions, that required a readily available multidisciplinary team working in close coordination. The researchers observed a 74.6% increase in stroke code activations and a 113.6% increase in confirmed strokes compared to the pre-attack phase.

Since a ransomware attack on one hospital impacts other non-targeted healthcare facilities, the researchers suggest that ransomware and other cyberattacks should be classed as regional disasters. The researchers report no significant difference in door–to–CT scan or acute stroke treatment times, but suggest the disruptions due to ransomware attacks could easily lead to negative patient outcomes. “These findings support the need for coordinated regional cyber disaster planning, further study on the potential patient care effects of cyberattacks, and continued work to build technical health care systems resilient to cyberattacks such as ransomware,” wrong the researchers, who also suggest this should be made a national priority given the increase in cyberattacks on healthcare organizations in recent years.

The study – Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US – was conducted by Christian Dameff, MD, MS, Jeffrey Tully, MD, and Theodore C. Chan MD, and was published in JAMA Open Network.

The post Cyberattacks on Hospitals Cause Significant Disruption at Neighboring Healthcare Facilities appeared first on HIPAA Journal.

CommonSpirit Health has provided an updated estimate on the cost of its October 2022 ransomware attack, which is expected to increase to $160 million. The ransomware attack was detected by CommonSpirit Health on October 2, 2022, forcing systems to be taken offline. The attack affected over 100 current and former CommonSpirit facilities in 13 states. The forensic investigation determined hackers first gained access to its network on September 16, 2022, and were ejected on October 3, 2022. The attackers stole data from two file servers, although they did not gain access to its medical record system. The stolen files contained the protected health information of almost 624,000 patients.

CommonSpirit Health operates 143 hospitals and around 2,300 other healthcare facilities in 22 states and is the second-largest non-profit health system in the United States. CommonSpirt’s first quarter results show total revenues from the 3 months to March 31, 2023, of $8.3 billion, and $25.6 billion for the 9 months to March 31. In the first quarter of 2023, CommonSpirit reported $648 million in operating losses and $1.1 million in losses for the 9 months to March 31. Net losses of $231 million and $445 million were reported for the 3- and 9-month periods due to improved investment returns. CommonSpirit said the ransomware attack did not have any impact on the current quarter’s operating results.

The ransomware attack was initially estimated to cost around $150 million, but a further $10 million in costs has been added to that figure. The increased cost factors in lost revenues due to business interruption, costs incurred remediating the ransomware attack, and other business-related expenses. In a call with investors, CommonSpirit explained that most of the $160 million is expected to be recovered from underwriters, although recovery of the costs is expected to take some time. CommonSpirit also confirmed in its quarterly report that it is facing a class action lawsuit over the ransomware attack and data breach. The lawsuit was filed in December 2022 in the U.S. District Court for the Northern District of Illinois and alleges negligence due to the failure to implement reasonable and appropriate security measures to protect patient data. The lawsuit seeks damages for the plaintiff and class exceeding $5 million, injunctive relief, and legal costs.

The post CommonSpirit Health Says Ransomware Attack Likely to Cost $160 Million appeared first on HIPAA Journal.

New bipartisan legislation has recently been introduced to help address the current shortage of cybersecurity skills at rural hospitals. The Rural Hospital Cybersecurity Enhancement Act was introduced by Sen. Gary Peters (D-MI), chair of the Senate Homeland Security and Governmental Affairs Committee, and Sen. Josh Hawley (R-MO), committee member.

Cyberattacks on healthcare organizations have increased significantly over the past few years. These attacks cause considerable disruption to patient care and can put lives at risk and while health systems have increased investment in cybersecurity, many small and rural hospitals lack the necessary resources and struggle to hire skilled cybersecurity professionals. At a recent Senate Homeland Security and Governmental Affairs Committee hearing, cybersecurity experts testified about the current healthcare cybersecurity challenges. Kate Pierce, former CIO and CISO at North County Hospital in Vermont and executive at Fortified Health Security said cybercriminals have shifted their focus and are now actively targeting small and rural hospitals. Large health systems have implemented advanced cybersecurity measures and employ large cybersecurity teams to manage their sophisticated defenses, but there is a large disparity in cybersecurity spending at small and rural hospitals, which tend to have much weaker defenses.

“A basic security measure like 24/7 monitoring of systems is “pie-in-the-sky” for these organizations,” explained Pierce at the hearing. “Despite all the guidance, recommendations and services provided over the past few years by HSCC, 405(d), H-ISAC, CISA, and other organizations, I have found that the vast majority of small and rural hospitals are unaware of these resources, and too overwhelmed to take advantage of these valuable tools.”

The Rural Hospital Cybersecurity Enhancement Act requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop a comprehensive cybersecurity workforce development strategy for healthcare facilities that provide inpatient and outpatient care services in non-urbanized areas. The strategy should include public-private partnerships, the development of curricula and training resources, and policy recommendations. The bill requires the Director of CISA to create instructional materials for rural hospitals to train staff on fundamental cybersecurity measures, and for the Department of Homeland Security to report annually to congressional committees on updates to the strategy and any programs that have been implemented.

“Ransomware attacks against hospitals and health care systems that compromise sensitive medical information and disrupt patient care must be stopped. Unfortunately, small and rural hospitals often lack the resources to invest in cybersecurity defenses and staff to prevent these breaches,” said Senator Peters. “This bipartisan legislation will require the federal government to ensure our most vulnerable health care providers have the necessary tools to protect patient information and provide lifesaving care even as criminal hackers continue to target their networks.”

The post Bipartisan Legislation Introduced to Address Rural Hospital Cybersecurity Skill Gaps appeared first on HIPAA Journal.

A joint cybersecurity alert has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) about the BianLian ransomware and data extortion group.

The BianLian group has been conducting attacks in the United States since at least June 2022 and has actively targeted critical infrastructure organizations, including the healthcare and public health sector. The BianLian group is a ransomware actor that develops and uses ransomware in its attacks, typically engaging in double extortion tactics, where sensitive private data is exfiltrated from victims’ networks before files are encrypted. The group threatens to leak the stolen data if the ransom is not paid. This year, the group has largely switched to extortion-only attacks where files are not encrypted after exfiltration. These attacks have proven to be effective as the release of stolen data can cause significant damage to an organization’s reputation and legal complications.

The BianLian group primarily gains access to victims’ networks by using Remote Desktop Protocol (RDP) credentials, which may be obtained through brute force attacks to guess weak credentials, purchasing credentials from initial access brokers, or phishing attacks. Once credentials are obtained, the group deploys a custom backdoor specific to each victim, and commercially available remote access tools are downloaded such as TeamViewer, Atera Agent, SplashTop, and AnyDesk. The group uses command-line tools and scripts for network reconnaissance and harvesting more credentials. PowerShell and Windows Command Shell are used to disable antivirus software such as Windows Defender and Anti-Malware Scan Interface (AMSI), and the registry is modified to uninstall services such as Sophos SAVEnabled, SEDenabled, and SAVService services.

Tools typically downloaded onto victims’ networks include Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, and PingCastle to aid discovery, along with native Windows tools and Windows Command Shell, with PsExec and RDP with valid accounts used for lateral movement. Once sensitive data has been located, data exfiltration occurs via File Transfer Protocol (FTP), Rclone, or Mega. Once data exfiltration has occurred, threats are issued to publish the stolen data.

The best defense against attacks is to limit the use of RDP and other remote desktop services. Audits should be conducted of all remote access tools on the network to identify installed and currently used software. Any remote access tools that are not currently used should be removed or disabled, and RDP should be locked down. Security software should be used to detect instances of remote access software being loaded in the memory, and logs should be reviewed of remote access software to detect any abnormal use.

Authorized remote access solutions should only be used from within the network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs). Inbound and outbound connections on common remote access software ports and protocols should be blocked at the network perimeter. Organizations should also disable command-line services and scripting activities and restrict the use of PowerShell on critical systems, and enhanced PowerShell logging should be enabled. Regular audits of administrative accounts should be conducted, time-based access for accounts should be set at the admin level and higher, and the principle of least privilege should be applied.

The cybersecurity alert includes Indicators of Compromise (IOCs), details of the tactics, techniques, and procedures (TTPs) used by the group, and other recommended mitigations.

The post FBI and CISA Issue Warning About BianLian Ransomware and Extortion Group appeared first on HIPAA Journal.

Healthcare providers and laboratory personnel have been warned about a maximum severity vulnerability in Illumina Universal Copy Service software used by its DNA sequencing instruments.

The vulnerability affects Illumina products with Illumina Universal Copy Service (UCS) v2.x installed:

• iScan Controls Software (v4.0.0 and v4.0.5)
• iSeq 100 (all versions)
• MiniSeq Control Software (v2.0 and later)
• MiSeq Control Software (v4.0 RUO Mode)
• MiSeqDx Operating Software (v4.0.1 and later)
• NextSeq 500/550 Control Software (v4.0)
• NextSeq 550Dx Control Software (v4.0 RUO Mode)
• NextSeq 550Dx Operating Software (v1.0.0 to 1.3.1)
• NextSeq 550Dx Operating Software (v1.3.3 and later)
• NextSeq 1000/2000 Control Software (v1.4.1 and prior)
• NovaSeq 6000 Control Software (v1.7 and prior)
• NovaSeq Control Software (v1.8)

Affected devices are vulnerable to two flaws, the most serious of which – CVE-2023-1699 – allows binding to an unrestricted IP address. If exploited, a malicious actor could use UCS to listen on all IP addresses, including those capable of accepting remove communications, remotely take control of the affected devices, change device settings, and alter or steal sensitive data. The flaw can be exploited remotely with low attack complexity and has been assigned a CVSS score of 10 out of 10.

The second flaw, tracked as CVE-2023-1966, affects UCS v1.x and v2.0 and is due to unnecessary privileges. A remote attacker could upload and execute code remotely at the operating system level, allowing changes to be made to settings and configurations and sensitive data to be accessed on the affected products. The vulnerability has been assigned a CVSS score of 7.4 out of 10.

The vulnerabilities were discovered by Illumina and were reported to the Cybersecurity and Infrastructure Agency (CISA). Illumina says it is unaware of any instances of actual or attempted exploitation of the flaws; however, due to the severity of the vulnerabilities and the ease of exploitation, immediate patching is recommended.

On April 5, 2023, Illumina notified customers about the flaw requesting they check for signs of exploitation. A patch has now been released along with a Vulnerability Instructions Guide to help users address the flaw based on the specific configurations of their devices. The U.S. Food and Drug Administration (FDA) recently issued a warning to healthcare providers and laboratory personnel that the vulnerabilities may present risks for patient results and customer networks. Until the patch can be applied, steps should be taken to reduce the risk of exploitation, including minimizing network exposure, ensuring the affected devices are not accessible over the Internet, locating control system networks and remote devices behind firewalls, and only using secure methods to remotely access the devices, such as a Virtual Private Network (VPN).

The post Illumina Sequencing Instruments Affected by Maximum Severity Vulnerability appeared first on HIPAA Journal.

The Health Sector Cybersecurity and Coordination Center (HC3) has issued a fresh ransomware warning to the healthcare and public health (HPH) sector following a spate of attacks on the HPH sector in April by the Clop and LockBit ransomware groups.

HC3 has issued multiple alerts about the Clop and LockBit ransomware-as-a-service groups which have conducted multiple attacks on the healthcare sector. Clop was behind the attacks on Fortra’s GoAnywhere MFT solution in January/February 2023 and the 2022 attacks on the Accellion File Transfer Application (FTA), both of which exploited zero-day vulnerabilities in those solutions. The latest alert about LockBit was issued in December 2022 following multiple attacks on HPH sector organizations.

The Clop group exploited the GoAnywhere MFT vulnerability (CVE-2023-0669) and stole data from around 130 organizations, and both groups have been observed exploiting two other recently disclosed vulnerabilities – CVE-2023-27350 and CVE-2023-27351 – which are authentication bypass vulnerabilities in the widely used print management software, PaperCut MF/NG. Those two vulnerabilities were disclosed by the developer on April 19, 2023, and were corrected in PaperCut versions 20.1.7, 21.2.11, and 22.0.9 and later.

On April 26, 2023, Microsoft announced that a threat actor known as Lace Tempest was exploiting the PaperCut flaws and that the activity overlapped with the FIN11 and TA505 threat groups,  both of which have ties to Clop. After exploiting the vulnerabilities, TrueBot malware was deployed, which is known to be used by the Clop ransomware operation. LockBit ransomware was deployed in some of the attacks.

Network defenders have been advised to promptly patch their servers by updating to the latest versions of PaperCut. If that is not possible, there is a recommended workaround, which involves blocking all traffic to the web management port (9191) from external IP addresses on edge devices and blocking all traffic to default port 9191 on the server’s firewall. Users of Fortra’s GoAnywhere MFT solution should rotate the Master Encryption Key, reset all credentials, review audit logs, and delete suspicious administrator and user accounts.

Further recommended mitigations against attacks by Clop, LockBit, and other cybercriminal groups are detailed in the HC3 alert.

The post HC3: Ransomware Groups are Exploiting GoAnywhere and PaperCut Vulnerabilities appeared first on HIPAA Journal.