Healthcare Cybersecurity

HC3 Shares Intelligence on BlackCat and Royal Ransomware Operations

The Health Sector Cybersecurity Coordination Center (HC3) has shared threat intelligence on two sophisticated and aggressive ransomware operations, BlackCat and Royal, both of which pose a significant threat to the healthcare and public health (HPH) sector.

In 2021 and early 2022 the ransomware threat landscape was dominated by Conti, a large, professional ransomware-as-a-service (RaaS) operation; however, the operation was disbanded in 2022. While the Conti RaaS no longer operates under that name, the members of that group are still active but are now spread across several smaller semi-autonomous and autonomous ransomware groups. These smaller ransomware operations are more agile, harder to track, and attract less attention from law enforcement.

The BlackCat ransomware operation, also known as ALPHV, was first detected in November 2021 and is believed to be the successor to DarkSide/BlackMatter ransomware, with the BlackCat admin believed to be a former member of the infamous REvil threat group. BlackCat is a RaaS operation that engages in triple extortion: data theft, file encryption, and distributed denial of service (DDoS) attacks on victims. The group leaks stolen data on its data leak site and conducts DDoS attacks when victims fail to pay the ransom or end negotiations. The group primarily targets organizations in the United States.

Unlike some ransomware operations that actively encourage attacks on the healthcare sector, BlackCat has operating rules that prohibit affiliates from conducting attacks on hospitals, medical institutions, and ambulance services, although private clinics and pharmaceutical companies are not off-limits. HC3 has warned that while these operating rules exist, they are not set in stone, and ransomware gangs that have similarly prohibited attacks on healthcare organizations have broken their promises in the past. While the operation is far smaller than Conti, the group has conducted a high number of attacks, with 60 organizations attacked in the first 4 months of operation.

Royal is a more recent addition to the ransomware threat landscape, having first been observed conducting attacks in early 2022. The group is similarly believed to include former Conti members. Initially, Royal used the same encryptor as BlackCat, then switched to its own encryptor in September 2022. Royal is now the most active ransomware operation, having surpassed LockBit. Royal engages in double extortion tactics involving data theft and file encryption and threatens to publish stolen data if the ransom is not paid. Like Conti, Royal is known to conduct callback phishing attacks to gain initial access to networks. Callback phishing starts with a benign email containing a telephone number, and social engineering techniques are used to convince the victim to call the provided number and grant access to their device. The group is also known to conduct attacks using an encryptor that masquerades as healthcare patient data software hosted on legitimate-looking software download sites. In contrast to BlackCat, the healthcare industry is not off-limits, and several attacks have been conducted on healthcare organizations. Consequently, Royal poses a significant threat to the HPH sector.

HC3 has shared detailed information for network defenders on the tactics, techniques, and procedures used by both operations, along with Indicators of Compromise (IoCs), Yara rules, and recommended mitigations.

The post HC3 Shares Intelligence on BlackCat and Royal Ransomware Operations appeared first on HIPAA Journal.

December 2022 Healthcare Data Breach Report

The number of reported healthcare data breaches declined for the second successive month, with 40 data breaches of 500 or more healthcare records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in December 2022, the lowest monthly total of the year and 29.7% below the 2022 monthly average. The year ended with 683 data breaches, a year-over-year reduction of 4.3%. Only one other year (2014) has seen a fall in recorded data breaches.

[Chart: 2022 healthcare data breaches by month]

The worst month of 2022 for breached records was followed by the best, with 2,174,592 healthcare records exposed or compromised in December, well below the 2022 average of 3,986,025 records per month and 68.5% fewer breached records than in November. While this is certainly great news, even with this reduction, 2022 was the second worst-ever year for healthcare data breaches with more than 47 million records exposed or compromised from January 1 to December 31, 2022.

[Chart: 2022 breached healthcare records by month]

Largest Healthcare Data Breaches in December 2022

December saw 13 data breaches of 10,000 or more healthcare records reported to OCR. HIPAA Journal has been unable to obtain information on two of those breaches. Ransomware attacks continue to plague the healthcare industry, with 5 of the 13 largest breaches in December confirmed as involving ransomware, two of which involved the protected health information of more than 600,000 patients. Ransomware attacks on the healthcare industry more than doubled between 2016 and 2021 according to one recent analysis, although it is becoming increasingly difficult to obtain reliable data on the extent to which ransomware is used in cyberattacks due to the lack of standardized reporting. While healthcare organizations of all sizes are being attacked, ransomware gangs tend to focus their efforts on larger healthcare organizations, according to a recent report by Delinea.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
CommonSpirit Health | IL | Business Associate | 623,774 | Ransomware attack with business associate involvement
Metropolitan Area EMS Authority dba MedStar Mobile Healthcare | TX | Healthcare Provider | 612,000 | Ransomware attack
Avem Health Partners | OK | Business Associate | 271,303 | Hacking incident at a business associate
Southwest Louisiana Health Care System, Inc. d/b/a Lake Charles Memorial Health System | LA | Healthcare Provider | 269,752 | Ransomware attack
Fitzgibbon Hospital | MO | Healthcare Provider | 112,072 | Ransomware attack
Monarch | NC | Healthcare Provider | 56,155 | Hacking incident (no information released)
Ola Equipment LLC | HI | Business Associate | 39,000 | Hacking incident (no information released)
The Elizabeth Hospice | CA | Healthcare Provider | 35,496 | An employee sent PHI to a personal email account
Legacy Operating Company d/b/a Legacy Hospice | AL | Healthcare Provider | 21,202 | Compromised email accounts
Employee Group Insurance Benefits Plan of Acuity Brands, Inc. | GA | Health Plan | 20,849 | Hacking incident (data theft confirmed)
San Gorgonio Memorial Hospital | CA | Healthcare Provider | 16,846 | Hacking incident (data theft confirmed)
Hawaiian Eye Center | HI | Healthcare Provider | 14,524 | Ransomware attack
Foundcare, Inc. | FL | Healthcare Provider | 14,194 | Compromised email account

Causes of December 2022 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports and typically involve many more records than other types of data breaches. In December, 28 incidents were classified as hacking/IT incidents, 70% of the month’s total breaches. 1,965,032 healthcare records were exposed or impermissibly disclosed in those incidents, 90.4% of the month’s breached records. The average breach size was 70,180 records and the median breach size was 4,152 records. 20 of the month’s breaches involved compromised network servers, and 12 involved hacked email accounts.

[Chart: causes of December 2022 healthcare data breaches]

The risk of email-related data breaches can be greatly reduced by providing regular security awareness training to the workforce, as is required by the HIPAA Security Rule, and by implementing multi-factor authentication, with FIDO-based MFA providing the greatest level of protection. HIPAA-regulated entities should also ensure that their password management practices are kept up to date. A recent audit of the Department of the Interior identified many password management failures, which are all too common in the healthcare industry.

There were 10 unauthorized access/disclosure-related data breaches in December involving 168,386 records. The average breach size was 16,839 records and the median breach size was 1,739 records. There has been a decline in these types of data breaches in recent years as HIPAA training and monitoring of medical record access have improved. There were two loss/theft incidents reported involving 41,174 records. Both of these incidents involved computers/other electronic devices and could have been prevented by encrypting the devices.

[Chart: December 2022 healthcare data breaches by location of breached PHI]

December Data Breaches by HIPAA Regulated Entity

Healthcare providers were the worst affected type of HIPAA-regulated entity, with 24 breaches of 500 or more records reported. Business associates reported 11 data breaches and health plans reported 5. Two of the data breaches reported by healthcare providers had business associate involvement but were reported by the healthcare provider. The chart below shows the breakdown based on where the breach occurred.

[Chart: December 2022 healthcare data breaches by HIPAA-regulated entity type]

States Affected by December 2022 Data Breaches

Healthcare data breaches were reported by HIPAA-regulated entities in 22 states. California was the worst affected with 4 reported breaches.

State(s) | Reported Data Breaches
California | 4
Florida, New York, Texas & Washington | 3
Georgia, Hawaii, Illinois, Massachusetts, Missouri, South Dakota & Virginia | 2
Alabama, Connecticut, Louisiana, Maryland, North Carolina, Nebraska, Oklahoma, Rhode Island, Wisconsin & West Virginia | 1

HIPAA Enforcement Activity in 2022

OCR closed the year with two financial penalties to resolve alleged HIPAA violations. Health Specialists of Central Florida’s case stemmed from an investigation into a HIPAA Right of Access violation over the failure to provide a woman with a copy of her deceased father’s medical records. The records were provided, but there was a 5-month delay. Health Specialists of Central Florida settled the case and paid a $20,000 financial penalty. This was the 42nd financial penalty to be imposed under OCR’s HIPAA Right of Access enforcement, which was launched in 2019.

New Vision Dental in California was one of just two healthcare providers to settle a HIPAA violation case with OCR in 2022 that did not involve a HIPAA Right of Access violation. OCR investigated New Vision Dental in response to complaints that patient information was being impermissibly disclosed online in response to negative reviews on Yelp. OCR also identified a Notice of Privacy Practices failure. The case was settled for $23,000. Including these two penalties, OCR resolved 22 HIPAA violation cases with settlements and civil monetary penalties in 2022, more than any other year since OCR was given the authority to impose financial penalties for HIPAA violations.

State Attorneys General also have the authority to impose financial penalties for HIPAA violations. In December, a joint investigation by Oregon and Utah resulted in a financial penalty for Avalon Healthcare over a phishing attack. Avalon Healthcare was determined to be in violation of the HIPAA Security and Breach Notification Rules and state laws due to a lack of appropriate safeguards to protect against phishing attacks and an unreasonable delay in sending breach notification letters, which were issued 10 months after the breach was detected. The case was settled for $200,000. This was one of three enforcement actions by state attorneys general in 2022 to resolve HIPAA violations.

Leading Healthcare CISOs Join Forces to Solve Third Party Risk Management Challenges

A group of 20 security and risk executives from 20 leading healthcare provider organizations have come together to share their insights and guidance with less well-resourced healthcare organizations to improve information risk management in the healthcare industry, including addressing one of the most urgent healthcare cybersecurity challenges – third-party risk management.

Cyberattacks on vendors have increased sharply, with these attacks impacting many healthcare organizations. In 2022, virtually all of the top ten data breaches occurred at vendors. An attack on a vendor can give a threat actor access to the networks and data of many different healthcare organizations, and many vendors have insufficient security measures in place.

A recent survey conducted for the Healthcare and Public Health Sector Coordinating Councils (HSCC) found that healthcare organizations of all sizes are struggling to manage third-party risks, especially small- and medium-sized healthcare organizations, which typically have limited budgets and resources to devote to third-party risk management. The HSCC survey revealed the focus of many third-party risk management programs is new vendors during the onboarding process, with existing vendors often failing to be monitored and assessed. Gartner reports that only 23% of security and risk leaders monitor third parties for cybersecurity exposure in real-time.

The group includes security professionals from leading healthcare organizations such as AmerisourceBergen, Centura Health, CVS, HCA Healthcare, Healthix, Highmark Health, Humana, Premera Blue Cross, St. Luke's Health System, and UPMC, who have created the Health 3rd Party Trust (Health3PT) Initiative, which builds on the Provider Third Party Risk Management (PTPRM) initiative of 2018.

The Health3PT initiative aims to evaluate, identify, and implement actionable and practical solutions that healthcare organizations can adopt to provide more reliable assurances, consistent information security program reporting, and gain better visibility into downstream relationships with third parties.

Currently, the methods used to manage third-party risk are time-consuming, cumbersome, and inadequate, with no standardized set of practices to follow. Vendors can use vastly different methods for risk management, and often conduct processes manually, which can result in blind spots on risk. Across the industry, there is inadequate follow-through on the remediation of identified risks, complacency regarding continuous monitoring, and insufficient assurance programs to prove that the right security controls are in place.

One of the primary goals of Health3PT is to develop a set of common practices for healthcare organizations to adopt to manage vendor risk, with the group planning to develop risk management tools and methodologies that can be easily adopted by organizations of all sizes. Initially, the group plans to benchmark the current state of the industry, and this will be one of the first deliverables from the group in Q1, 2023.

“Managing third-party risk in a comprehensive and sustainable way requires collaboration between healthcare organizations and their suppliers to find solutions that are efficient and effective for both sides. That’s why the Health3PT is so important to Centura Health and our partnerships. In order for this to work, we need more healthcare organizations to adopt common, standardized processes,” said Shenny Sheth, Deputy CISO for Centura Health, and Health3PT member.

Health3PT will create a standardized, measurable approach to assessing third parties quickly and efficiently, which will serve as the cornerstone of third-party risk management programs across the entire healthcare ecosystem to better protect against the increasing number of supply chain attacks. Health3PT also plans to form working groups and will host a summit for vendors, stakeholders, and assessor organizations to collect and share ideas.

“It’s clear that [third-party risk management] is broken in the healthcare industry. We need to come together as an industry to establish a sustainable approach to third-party risk management. The common process of sending and receiving self-attested proprietary questionnaires is inefficient and potentially unreliable,” said John Chow, CISO for Healthix, Inc., and Health3PT member. “We need a practical pathway to supplier assurances that are reliable and not self-attested, have inadequate controls or overburdening for the risk posed. The lack of standardization today results in vendor confusion due to the different question sets and requirements, resulting in confusion, frustration, and eventually…lack of response.”

Healthcare Organizations Failing to Assess and Mitigate Supply Chain Risks

Healthcare organizations can put a host of cybersecurity measures in place to secure their networks and prevent direct attacks by malicious actors, but securing the supply chain presents significant challenges. Healthcare organizations use vendors to provide services that cannot be handled in-house, and while those vendors provide important services, they also create risks that need to be effectively managed. Vendors often require privileged access to networks to perform their functions, which means an attack on a vendor can allow a threat actor to gain access to a healthcare organization’s network through the back door.

Cybercriminals have been increasingly attacking healthcare vendors because they are a much less secure part of the supply chain, and in 2022 many of the largest reported healthcare data breaches involved vendors. Shields Health Care Group, which provides medical imaging services to more than 50 healthcare facilities, suffered a breach of more than 2 million records. Professional Finance Company, which provides a debt collection service to healthcare organizations, suffered a breach that affected many of its clients and exposed the data of 1.91 million patients. There was also an attack on the electronic medical record vendor Eye Care Leaders that affected at least 41 eye care providers and more than 3.6 million patients, to name but a few. While efforts need to continue to secure healthcare networks from direct attacks, urgent action is required to secure the supply chain.

A recent survey conducted by the Ponemon Institute on behalf of the Healthcare and Public Health Sector Coordinating Councils (HSCC) explored the current state of supply chain risk in healthcare and confirmed that a great deal needs to be done, with many healthcare organizations experiencing significant challenges in securing their supply chains. The survey of 400 U.S. healthcare organizations confirmed that there continue to be significant capability and budget gaps between large and small healthcare organizations when it comes to managing and reducing supply chain risk, but organizations of all sizes are failing at the basics of supply chain risk management.

To accurately measure and address risk, healthcare organizations must have a full inventory of all suppliers that they use, yet the survey revealed that only 20% of the 400 surveyed organizations had a complete inventory of all of their suppliers, and smaller healthcare organizations were three times more likely to have no inventory at all. One common approach taken by healthcare organizations is to focus their supply chain risk management programs on new vendors as they are onboarded, yet they fail to assess and manage risk for their existing suppliers, which was the case for almost half (46%) of surveyed organizations. 35% of surveyed organizations were not evaluating supplier risks related to patient outcomes, with smaller healthcare organizations twice as likely to have this gap than larger organizations, and only 41% of organizations had integrated their cyber risk programs with their procurement and contracting teams. Smaller healthcare organizations were found to lack the budgetary resources to properly manage supply chain risk, with 57% of smaller organizations having supply chain risk management budgets of $500,000 or less, compared to 51% of large organizations that had supply chain risk management budgets of between $1 million and $5 million.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) includes supply chain risk management practices that can, and should, be adopted, but doing so can be a challenge for small- and medium-sized healthcare organizations. To make supply chain risk management more straightforward, the HSCC has tailored that guidance for the sector and developed a free toolkit (HICSCRiM) specifically for small to mid-sized healthcare organizations, which typically have more limited budgets and resources for managing supply chain risk.

“The healthcare supply chain team is under an increasing amount of pressure to move quickly while managing a multitude of risks during the procurement process,” said Ed Gaudet, CEO, and Founder of Censinet and HSCC Supply Chain Cybersecurity Task Group Member. “As cyberattacks like ransomware become more sophisticated, this survey hammers home the urgent need for automation and actionable risk insights to help supply chain leaders effectively manage inventory, cyber risk, fraud, and supplier redundancy.”

Study Identifies Healthcare Ransomware Attack Trends

Healthcare ransomware attacks have at least doubled in the past 5 years, data recovery from backups has decreased, and it is now common for data to be stolen and publicly released following a successful attack, according to a new analysis recently published in the JAMA Health Forum.

Healthcare ransomware attacks can be difficult to accurately track, as ransomware is not always specified in breach reports and press releases, and ransomware gangs typically do not publicly disclose their attacks when ransoms are paid, which makes it difficult to determine the extent to which attacks are increasing or decreasing. With more detailed reporting of cyberattacks, legislators would have accurate data to inform their policy decisions.

The data for the analysis was collected from the Tracking Healthcare Ransomware Events and Traits (THREAT) database, which includes data collected from a variety of sources such as the HHS’ Office for Civil Rights breach portal, HackNotice, press releases from victims, media reports, and dark web monitoring. The researchers accept that due to the lack of accurate reporting, the number of attacks has likely been underestimated, with omissions most likely due to the reporting of ransomware attacks as malware incidents, with no mention of ransom demands. These attacks could naturally not be included in the data. Even so, the researchers believe their database is the most accurate record of healthcare ransomware attacks. “To be missing from the THREAT database, a ransomware attack would have needed to go unreported to HHS OCR, remain undetected by HackNotice web crawler surveillance and monitoring of dark web forums, and have received no press coverage in local news or health care trade publications,” explained the researchers.

The analysis revealed there were 374 documented ransomware attacks on healthcare organizations between 2016 and 2021, with those attacks involving the personal or protected health information of at least 41,987,751 individuals. Attacks more than doubled from 43 in 2016 to 93 in 2021, and there was an 11-fold increase in impacted records, from around 1.3 million records in 2016 to around 16.5 million records in 2021. It should be noted that there was no data available on the extent to which PHI exposure occurred in more than one-fifth of attacks (22.5%).

Out of the 374 confirmed ransomware attacks, only 20.6% of healthcare organizations said they were able to restore data from backups, and in 15.8% of attacks, at least some of the stolen data were posted publicly on the clear web or on dark net data leak sites. It should be noted that the double-extortion ransomware trend where data are stolen prior to file encryption only started in 2020.

While ransomware attacks are often attempted on hospitals and large health systems, clinics suffered the most ransomware attacks, followed by hospitals, other delivery organization types, ambulatory surgical centers, mental/behavioral health organizations, dental practices, and post–acute care organizations. As HIPAA Journal has previously reported, the breach reporting requirements of the HIPAA Breach Notification Rule are frequently violated, with many breached organizations unable to issue notifications about ransomware attacks within the 60-day reporting deadline. The analysis revealed late reporting in 54.3% of attacks.

The impact of these attacks on patients is often difficult to determine. The researchers were unable to determine the extent to which ransomware disruptions affected patients seeking care during an attack but found evidence that care delivery operations were disrupted in 44.4% of attacks. The disruption continued for at least 2 weeks in 8.6% of attacks, most commonly due to IT system downtime, canceled appointments, and ambulance diversion. This disruption to care threatens patient safety and outcomes.

The researchers concluded that ransomware attacks on healthcare organizations have increased in both sophistication and frequency, with attacks now more likely to affect multiple facilities, prevent access to patient data, disrupt healthcare delivery, and expose patient data. The researchers have called for policymakers to focus their efforts on the specific needs of healthcare organizations due to the implications on the quality and safety of patient care.

Global Healthcare Cyberattacks Increased by 74% in 2022

The latest data released by the cybersecurity firm Check Point has confirmed that 2022 was a particularly bad year for cyberattacks, which increased globally by 38% year-over-year fuelled by a sizeable increase in attacks on healthcare organizations. Globally, the healthcare industry had the highest percentage increase in weekly cyberattacks of any industry sector, with an increase of 74% from 2021 to an average of 1,463 attacks per week.

With that increase, healthcare rose to become the third most attacked industry globally behind the government/military with 1,661 attacks a week (+46%) and education/research with 2,314 attacks a week (+43%). In the United States, healthcare ranked second with 1,410 attacks per week, which is an 86% increase from 2021. Across all industry sectors, cyberattacks in the United States increased by 57% year-over-year.

The healthcare industry is an attractive target for cybercriminals due to the volume of easily monetizable data that can be stolen, and the higher-than-average probability of extortion demands being met to prevent the release of stolen data. The Check Point Research team also points out that as an added advantage, ransomware gangs gain a lot of publicity from attacks on hospitals, with the attention increasing their notoriety.

There were notable changes in the threat landscape in 2022, especially concerning ransomware attacks. While in previous years large ransomware groups dominated the threat landscape, in 2022 these larger groups evolved into much smaller, more agile cybercriminal groups that are better able to evade law enforcement. Check Point also notes a diversification in cyberattacks on businesses that now exploit a much wider range of business collaboration tools, including Slack, Microsoft Teams, Google Drive, and OneDrive, all of which are rich sources of valuable data that can be obtained through phishing attacks.

Tracking specific types of cyberattacks in healthcare can be a challenge, as there is no standardized reporting. HIPAA requires data breaches to be reported, but the HHS only tracks cyberattack-related data breaches as hacking/IT incidents. Further, many breached entities choose not to disclose the exact nature of attacks, such as if ransomware was involved. Data collected by Emsisoft suggests ransomware attacks have leveled off, but the cybersecurity firm only analyzed data breaches at hospitals, not the broader healthcare ecosystem which includes healthcare industry vendors which were heavily targeted in 2022.

While the data from Check Point Research indicates an increase in healthcare cyberattacks in the United States, these attacks do not always result in data breaches. The HHS’ Office for Civil Rights breach portal currently indicates a slight reduction in reported data breaches, although data for 2022 is still being added to the breach portal. HIPAA Journal will publish its end-of-year healthcare data breach report next week when there is a clearer picture of the year’s totals but, as it stands on January 10, 2023, 701 data breaches of 500 or more records have been reported to the HHS in 2022, 13 short of the record-breaking total of 714 data breaches in 2021.

While it appears that healthcare data breaches have declined slightly, it is worth noting the increase in the number of breached healthcare records in 2022. Across the 701 data breaches, the records of 51,884,675 individuals have been breached, which is more than any year other than 2015, when the 78.8 million-record breach at Anthem Inc. was reported. The 13.1% year-over-year increase in breached records is concerning.

2022 also saw two major milestones reached. The HHS started publishing a summary of reported healthcare data breaches of 500 or more records in 2009, and in 2022 the cumulative number of reported data breaches since then surpassed 5,000. The second unwelcome milestone is that more healthcare records have now been breached than the entire population of the United States. Since the HITECH Act required OCR to start publishing healthcare data breaches in 2009, more than 382 million healthcare records have been reported as having been exposed or impermissibly disclosed.

HPH Sector Warned About Clop Ransomware-as-a-Service Operation

The Health Sector Cybersecurity Coordination Center (HC3) has shared information on the Clop (Cl0p) ransomware-as-a-service operation, the affiliates of which are known to conduct attacks on the healthcare and public health (HPH) sector.

Clop ransomware was first detected in February 2019 and is the successor to CryptoMix ransomware. The group is highly active and was apparently unaffected by the arrest of six operators of the ransomware in 2021, with activity continuing despite the arrests. The group was active throughout 2022, with one month seeing the group conduct attacks on 21 organizations. The group typically targets organizations with annual revenues in excess of $10 million, which allows large ransom payments to be demanded, although attacks have been conducted on smaller healthcare organizations such as doctors’ and dentists’ offices with revenues over $5 million.

The group uses double extortion tactics, where sensitive data are stolen prior to file encryption and a ransom payment is necessary to prevent the publication of the stolen data and to obtain the keys to decrypt files. Some attacks linked to the group have only involved data theft and extortion. The group follows through on its threats to publish stolen data when the ransom is not paid, as was the case with the attack on the pharmaceutical giant ExecuPharm, where emails, financial records, documents, and database backups were posted on the group’s leak site.

The group works with several other cybercriminal groups, including the financially-motivated threat group tracked as FIN11. A threat group with ties to the Clop ransomware group was behind a series of attacks that exploited a vulnerability in the Accellion File Transfer Appliance (FTA) in December 2020. Several healthcare providers were affected and had sensitive data leaked.

The tactics, techniques, and procedures used by affiliates of the Clop ransomware gang are highly varied and are constantly changing. Initial access is known to have been gained to victims’ networks through phishing, remote desktop compromise, credential abuse, and the exploitation of unpatched vulnerabilities. In late 2022, several attacks were conducted using TrueBot malware to gain initial access to networks.

The group has a good understanding of healthcare IT systems and workflows which has helped the threat actor to conduct several successful attacks on the HPH sector. In 2022, the group allegedly started having difficulties collecting ransom payments which led to a change in tactics. Intercepted communications between group members revealed it had started targeting medical practices that offer telehealth services. In these attacks, the affiliates register as new patients online and request telehealth consultations. Emails are then sent ahead of the appointments with file attachments masquerading as medical images that contain malicious code, in the hope that the files will be opened ahead of the arranged appointments.

The Clop ransomware gang is highly capable, well-funded, and prolific, and is considered to pose a significant threat to the HPH sector.

The post HPH Sector Warned About Clop Ransomware-as-a-Service Operation appeared first on HIPAA Journal.

Urgent Patching Required to Fix Critical Citrix, Netgear, and Zoho ManageEngine Vulnerabilities

Vulnerabilities have been discovered in Citrix solutions, Netgear routers, and Zoho ManageEngine products that require immediate patching. One of the Citrix vulnerabilities is being actively exploited by an APT actor, and it is likely that attempts will be made to exploit the Netgear and Zoho flaws on unpatched devices.

Citrix Gateway and Citrix ADC Vulnerabilities Being Actively Exploited

In mid-December, organizations that use the Citrix Gateway remote access and/or Citrix ADC load balancing solutions were advised to urgently update to the latest software versions to fix two critical vulnerabilities, CVE-2022-27510 and CVE-2022-27518. Both the National Security Agency (NSA) and the Health Sector Cybersecurity Coordination Center (HC3) issued security alerts about the flaws, one of which is known to have been exploited by a Chinese APT actor to achieve remote code execution on vulnerable servers.

Despite active exploitation, a concerning number of servers remain vulnerable to the flaw, most of which are located in the United States, according to a recent scan by Fox-IT. Since at least one of the vulnerabilities has been actively targeted for several weeks, any organizations that have not yet upgraded to the latest version should do so immediately and also check for potential compromise, per the NSA and HC3 security advisories.

Critical Zoho ManageEngine Vulnerability Requires Immediate Patching

Zoho is urging all users of its ManageEngine Password Manager Pro, PAM360, and Access Manager Plus solutions to update the software to the latest version as soon as possible to fix a critical SQL injection vulnerability. The vulnerability, CVE-2022-47523, could be exploited by an adversary to gain unauthenticated access to the backend database and execute custom queries.

The patches, which were released in late December, add input validation and escape special characters to prevent exploitation of the flaw. Users should upgrade to Password Manager Pro v12210, PAM360 v5801, and Access Manager Plus v4309.
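The class of bug behind CVE-2022-47523 is easier to reason about with a minimal reproduction. The following is an added example written for this page, not Zoho’s code and not the actual ManageEngine query: it builds a lookup against a constructed in-memory SQLite table in the vulnerable way (string formatting), shows the two payload shapes an unauthenticated attacker would use (a tautology to bypass a filter and a UNION to read another column), and then shows the fix the advisory describes in general terms, a bind parameter for values plus an allow-list for identifiers, which cannot be bound. Table and column names, the sample rows and the payloads are all assumptions for the demonstration.

```python
"""Added example: SQL injection in a lookup query, and the two-part fix
(bind parameters for values, allow-list validation for identifiers).
Not the vendor's code; all names and data are constructed for illustration."""
import sqlite3

# Constructed sample rows standing in for a credential-vault user table.
SAMPLE_USERS = [
    ("alice", "hash-alice", "admin"),
    ("bob", "hash-bob", "operator"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Interpolates the caller's string straight into the SQL text, so
    quotes and keywords in it change the query's grammar."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Bind parameter: the value travels separately from the SQL text,
    so the same payload is compared as a literal and matches nothing."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Identifiers (table/column names) cannot be bound; validate against a
# closed allow-list rather than trying to escape them.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"disallowed sort column: {column!r}")
    return conn.execute(f"SELECT name, role FROM users ORDER BY {column}").fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology;
# the second reads the pw_hash column through a UNION.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT pw_hash, role FROM users WHERE '1'='1"


def demo() -> dict:
    """Runs both payloads against both implementations and returns the rows."""
    conn = make_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "vulnerable_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "fixed_tautology": lookup_fixed(conn, TAUTOLOGY_PAYLOAD),
        "fixed_union": lookup_fixed(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it shows the vulnerable lookup returning every user for the tautology and the password hashes for the UNION payload, while the parameterized version returns no rows for either. The allow-list matters because escaping does not apply to an ORDER BY column or table name; an attacker-controlled identifier has to be rejected, not quoted.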

ManageEngine vulnerabilities have previously been targeted by nation-state threat actors, with a 2021 vulnerability suspected of being exploited on Internet-facing servers by a Chinese APT actor, according to a security advisory from CISA and the FBI, so exploitation of the recently disclosed flaw can be expected. Around 11,000 servers are running the affected solutions and will be vulnerable if not updated to the latest versions.

High-Severity Vulnerability Identified in Netgear Routers

Netgear has issued a security advisory about a high-severity pre-authentication buffer overflow vulnerability affecting several models of its routers, which could be exploited by an adversary to trigger a denial-of-service condition. The vulnerability is tracked as PSV-2019-0104 and has a CVSS v3 severity score of 7.4.

The vulnerability affects the company’s RAX40, RAX35, R6400v2, R6700v3, R6900P, R7000P, R7000, R7960P, and R8000P routers. Users should update the firmware as soon as possible to prevent exploitation of the flaw. The fixed firmware versions are:

  • RAX40 + RAX35 – Version 1.0.2.60
  • R6400v2 + R6700v3 – Version 1.0.4.122
  • R6900P + R7000P – Version 1.3.3.152
  • R7000 – Version 1.0.11.136
  • R7960P + R8000P – Version 1.4.4.94

The post Urgent Patching Required to Fix Critical Citrix, Netgear, and Zoho ManageEngine Vulnerabilities appeared first on HIPAA Journal.

290 Hospitals Potentially Affected by Ransomware Attacks in 2022

Ransomware attacks continue to be conducted on healthcare organizations in high numbers but determining the extent to which healthcare organizations are being targeted by ransomware gangs is a challenge. Victims of ransomware attacks do not always report the incidents as involving ransomware, and ransomware gangs do not publicly disclose attacks when ransoms are paid.

The nature of the attacks conducted by ransomware gangs is also changing, with some ransomware gangs opting to conduct extortion-only attacks, where sensitive data is exfiltrated from networks and a ransom demand is issued to prevent its publication or sale, but malware is not used to encrypt files. The decision whether or not to encrypt appears to be taken on an attack-by-attack basis.

The cybersecurity firm Emsisoft tracks ransomware attacks and produces annual reports that provide insights into the extent to which ransomware is used in cyberattacks, but Emsisoft admits that it is difficult to produce reliable statistics. This year’s report shows more than 200 large organizations in the United States have been attacked in the government, education, and healthcare verticals. Attacks in the education sector have remained fairly consistent over the past 4 years with between 84 and 89 attacks conducted each year, as has the number of attacks on state and local governments – 105 in 2022 with an average of 102 attacks a year.

Compiling meaningful data on attacks on healthcare organizations has been particularly challenging as while there are reporting requirements under HIPAA, it is not necessary to disclose the exact nature of the attacks or release details. For this reason, and due to the volume of reports, for the 2022 report, Emsisoft did not compile data for healthcare organizations and instead focused on hospitals and multi-hospital health systems.

For the report, Emsisoft’s researchers compiled data from public breach notices, reports, dark web data leak sites, and from third-party intelligence, with its data confirming that at least 105 counties, 45 school districts, 44 universities, and 25 healthcare providers suffered ransomware attacks in 2022. The true figure is likely to be significantly higher due to the lack of detailed reporting.

Across all ransomware attacks and verticals, hackers stole data prior to using encryption in around half of the attacks, but data theft was much more common in ransomware attacks on hospitals. Out of the 25 confirmed attacks on healthcare providers operating hospitals, data theft occurred in 17 (68%). Due to the lack of accurate data released by healthcare organizations and their business associates, it is not possible to definitively determine whether ransomware attacks have plateaued, are increasing, or are declining. What is clear is that the healthcare sector continues to be targeted and a great many patients have been affected by the attacks.

Several of the attacks were conducted on multi-hospital health systems, so the 290 hospitals across the country potentially affected by the attacks is an upper bound. That figure includes all 150 hospitals operated by CommonSpirit Health, which recently confirmed that the protected health information of 623,774 patients was compromised in its attack, although CommonSpirit Health has since confirmed that only a small number of the hospitals it operates were affected.

These attacks often result in the theft of patient data, which can negatively affect patients and put them at risk of identity theft and fraud, but the most serious consequences are to patient health. Studies have been conducted that indicate an increase in mortality following a ransomware attack and a negative impact on patient outcomes due to delays in receiving test results, postponed appointments, and canceled surgeries. While no deaths have been attributed to ransomware attacks, patient outcomes are affected by the delays in receiving treatment. Emsisoft draws attention to one attack that resulted in a computer system used for calculating medication doses being taken offline, which caused a 3-year-old patient to be given a massive overdose of pain medication.

The post 290 Hospitals Potentially Affected by Ransomware Attacks in 2022 appeared first on HIPAA Journal.