Healthcare Cybersecurity

2022 Healthcare Data Breach Report

For the first time since 2015, there was a year-over-year decline in the number of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), albeit only by 1.13% with 707 data breaches of 500 or more records reported. Even with that reduction, 2022 still ranked as the second-worst-ever year in terms of the number of reported breaches.

As the year drew to an end, data breach numbers started to decline from a high of 75 data breaches in October. Time will tell whether this trend will continue in 2023, although the lull in data breaches appears to have continued so far this year with an atypically low number of breaches currently showing on the OCR data breach portal this month.

In addition to the slight reduction in reported data breaches, there was also a drop in the number of breached records, which fell by 13.15% from 54.09 million records in 2021 to 51.9 million records in 2022.

The theft of protected health information places patients and health plan members at risk of identity theft and fraud, but by far the biggest concern is the threat to patient safety. Cyberattacks on healthcare providers often cause IT system outages, which in many cases have lasted several weeks causing considerable disruption to patient care. While there have not been any known cases of cyberattacks directly causing fatalities, the lack of access to patient data causes diagnosis and treatment delays that affect patient outcomes. Multiple studies have identified an increase in mortality rates at hospitals following ransomware attacks and other major cyber incidents.


These cyberattacks and data breaches result in huge financial losses for healthcare organizations. The 2022 IBM Cost of a Data Breach Report indicates the average cost of a healthcare data breach increased to an all-time high of $10.1 million in 2023, although individual data breaches can be significantly more expensive. In addition to the considerable breach remediation costs, security must be improved, cyber insurance premiums increase, and it is now common for multiple class action lawsuits to be filed following data breaches. There is also a risk of financial penalties from regulators.

The largest ever healthcare data breach, suffered by Anthem Inc in 2015, affected 78.8 million members and cost the health insurer around $230 million in clean-up costs, $115 million to settle the lawsuits, $39.5 million to settle the state attorneys general investigation, and $16 million to resolve the OCR investigation. Even much smaller data breaches can prove incredibly costly. Scripps Health suffered a data breach of 1.2 million records in 2021 due to a ransomware attack. The attack caused losses in excess of $113 million due to lost business ($92 million) and the clean-up costs ($21 million). There are also several lawsuits outstanding and there could be regulatory fines.

Largest Healthcare Data Breaches in 2022

There were 11 reported healthcare data breaches of more than 1 million records in 2022 and a further 14 data breaches of over 500,000 records. The majority of those breaches were hacking incidents, many of which involved ransomware or attempted extortion. Notable exceptions were several impermissible disclosure incidents that resulted from the use of pixels on websites. These third-party tracking technologies were added to websites to improve services and website functionality, but the data collected was inadvertently transmitted to third parties such as Meta and Google when users visited the websites while logged into their Google or Facebook accounts. The extent to which these tracking technologies have been used by healthcare organizations prompted OCR to issue guidance on these technologies, highlighting the considerable potential for HIPAA violations.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| OneTouchPoint, Inc. | WI | Business Associate | 4,112,892 | Ransomware attack |
| Advocate Aurora Health | WI | Healthcare Provider | 3,000,000 | Pixel-related impermissible disclosure via websites |
| Connexin Software, Inc. | PA | Business Associate | 2,216,365 | Hacking incident and data theft |
| Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking incident and data theft |
| Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Ransomware attack |
| Baptist Medical Center | TX | Healthcare Provider | 1,608,549 | Malware infection |
| Community Health Network, Inc. as an Affiliated Covered Entity | IN | Healthcare Provider | 1,500,000 | Pixel-related impermissible disclosure via websites |
| Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc. | NC | Business Associate | 1,362,296 | Pixel-related impermissible disclosure via websites |
| North Broward Hospital District d/b/a Broward Health (“Broward Health”) | FL | Healthcare Provider | 1,351,431 | Hacking incident and data theft |
| Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Hacking incident and data theft |
| Doctors’ Center Hospital | PR | Healthcare Provider | 1,195,220 | Ransomware attack |
| Practice Resources, LLC | NY | Business Associate | 942,138 | Hacking incident and data theft |
| Wright & Filippis LLC | MI | Healthcare Provider | 877,584 | Ransomware attack |
| Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking incident and data theft |
| MCG Health, LLC | WA | Business Associate | 793,283 | Hacking incident and data theft |
| Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Ransomware attack |
| SightCare, Inc. | AZ | Health Plan | 637,999 | Hacking incident and data theft |
| CommonSpirit Health | IL | Business Associate | 623,774 | Ransomware attack |
| Metropolitan Area EMS Authority dba MedStar Mobile Healthcare | TX | Healthcare Provider | 612,000 | Ransomware attack |
| Wolfe Clinic, P.C. | IA | Healthcare Provider | 542,776 | Ransomware attack |
| Morley Companies, Inc. | MI | Business Associate | 521,046 | Ransomware attack |
| Adaptive Health Integrations | ND | Healthcare Provider | 510,574 | |
| Christie Business Holdings Company, P.C. | IL | Healthcare Provider | 502,869 | Hacking incident and data theft |
| Health Care Management Solutions, LLC | WV | Business Associate | 500,000 | Hacking incident and data theft |
| OakBend Medical Center / OakBend Medical Group | TX | Healthcare Provider | 500,000 | Ransomware attack |

While 2022 saw some very large data breaches reported, the majority of reported data breaches were relatively small. 81% of the year’s data breaches involved fewer than 50,000 records, and 58% involved between 500 and 999 records.

Hacking incidents dominated the breach reports, with 555 of the 707 reported breaches (71.4%) classified as hacking/IT incidents; these accounted for 84.6% of all breached records in 2022. The average breach size was 79,075 records and the median breach size was 8,871 records. There were 113 unauthorized access/disclosure breaches reported in 2022, accounting for 14.5% of the breached records. The average breach size was 66,610 records, inflated by some large pixel-related data breaches, and the median breach size was 1,652 records.

Theft (23 breaches) and loss (12 breaches) incidents were reported in relatively low numbers, continuing a downward trend from these once incredibly common data breaches. The downward trend is due to better control of devices and the use of encryption. The average breach size was 13,805 records and the median breach size was 1,704 records. There were four incidents involving the improper disposal of devices containing PHI and physical records. The average breach size was 1,772 records and the median was 1,021 records.

The high number of hacking incidents is reflected in the chart below, which shows the location of breached protected health information. Compromised email accounts remain a major source of data breaches, highlighting the importance of multi-factor authentication and training employees on how to recognize the signs of phishing.

Which Entities Suffered the Most Data Breaches?

The raw data on the OCR breach portal does not accurately reflect the extent to which business associate data breaches are occurring, because the entity that self-reports a breach is not always the entity where the breach happened. Counting every breach in which a business associate was involved gives a more accurate gauge. In 2022, 127 data breaches were self-reported by business associates, but there were 394 reported data breaches where business associates were involved; that is a 337% increase since 2018. Last year, data breaches at business associates outnumbered data breaches at healthcare providers for the first time.

Several major business associate data breaches were reported to OCR in 2022, with some of the data breaches affecting several hundred healthcare organizations. A data breach at the debt collections company, Professional Finance Company, affected 657 of its healthcare clients and involved more than 1.91 million healthcare records. Eye Care Leaders, a provider of electronic health records to eye care providers, suffered a cyberattack that affected at least 41 eye care providers and exposed the data of almost 3.65 million patients.

The graph below shows the sharp increase in data breaches at business associates in recent years. There are several reasons for the increase. Hackers have realized the value of conducting attacks on business associates. One successful attack can provide access to the data, and sometimes networks, of all of the vendor’s clients. Healthcare organizations are now using more vendors to manage administrative functions and risk increases in line with the number of vendors. As more vendors are used, it becomes harder to monitor cybersecurity at the vendors. Managing third-party risk is one of the biggest challenges for healthcare organizations in 2023.

Data breaches by HIPAA-regulated entity type, 2009 to 2022


Where Did the Data Breaches Occur?

Healthcare data breaches were reported by HIPAA-regulated entities in 49 states, Washington D.C., and Puerto Rico in 2022. Alaska was the only state to survive the year with no reported data breaches. In general, the most populated states suffer the most data breaches. In 2022, the 10 most populated U.S. states all ranked in the top 15 worst affected states, although it was New York rather than California that topped the list with 68 reported breaches.

| State | Breaches |
|---|---|
| New York | 68 |
| California & Texas | 52 |
| Florida & Pennsylvania | 38 |
| New Jersey | 27 |
| Georgia | 26 |
| Michigan, Virginia & Washington | 24 |
| Ohio | 23 |
| Illinois & North Carolina | 22 |
| Tennessee | 17 |
| Arizona & Maryland | 16 |
| Massachusetts & Wisconsin | 15 |
| Colorado | 14 |
| Connecticut, Indiana & Missouri | 13 |
| Alabama | 11 |
| Kansas, Oklahoma & South Carolina | 9 |
| Arkansas, New Hampshire & West Virginia | 8 |
| Nebraska & Oregon | 7 |
| Minnesota | 6 |
| Utah | 5 |
| Delaware, Nevada & Rhode Island | 4 |
| Hawaii, Kentucky, Louisiana, Mississippi, Montana, South Dakota & Vermont | 3 |
| Iowa, Idaho, Maine, New Mexico & Washington D.C. | 2 |
| North Dakota & Wyoming | 1 |
| Alaska | 0 |

HIPAA Enforcement in 2022

HIPAA is primarily enforced by OCR, with state attorneys general also assisting with HIPAA enforcement. OCR imposed more financial penalties for HIPAA violations in 2022 than in any other year to date, with 22 investigations resulting in settlements or civil monetary penalties.

OCR has limited resources for investigations but does investigate all breaches of 500 or more records. That task has become increasingly difficult due to the increase in data breaches, which have tripled since 2010. Despite the increase in data breaches, OCR’s budget for HIPAA enforcement has hardly increased at all, aside from adjustments for inflation. As of January 17, 2022, OCR had 882 data breaches listed as still under investigation. 97% of all complaints and data breach investigations have been successfully resolved.

Some investigations warrant financial penalties, and while the number of penalties has increased, the penalty amounts for HIPAA violations have been decreasing. Most of the financial penalties in 2022 were under $100,000.

HIPAA Settlements and Civil Monetary Penalties 2008-2022

Since 2019, the majority of financial penalties imposed by OCR have been for HIPAA right of access violations, all of which stemmed from complaints from individual patients who had not been provided with their medical records within the allowed time frame. OCR continues to pursue financial penalties for other HIPAA violations, but these penalties are rare.

2022 HIPAA Settlements and Civil Monetary Penalties

| Regulated Entity | Penalty Amount | Type of Penalty | Reason |
|---|---|---|---|
| Health Specialists of Central Florida Inc | $20,000 | Settlement | HIPAA Right of Access failure |
| New Vision Dental | $23,000 | Settlement | Impermissible PHI disclosure, Notice of Privacy Practices, releasing PHI on social media |
| Great Expressions Dental Center of Georgia, P.C. | $80,000 | Settlement | HIPAA Right of Access failure (time/fee) |
| Family Dental Care, P.C. | $30,000 | Settlement | HIPAA Right of Access failure |
| B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental | $25,000 | Settlement | HIPAA Right of Access failure |
| New England Dermatology and Laser Center | $300,640 | Settlement | Improper disposal of PHI, failure to maintain appropriate safeguards |
| ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |
| Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals |
| Dr. Brockley | $30,000 | Settlement | HIPAA Right of Access |
| Jacob & Associates | $28,000 | Settlement | HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer |
| Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. | $50,000 | Civil Monetary Penalty | Impermissible disclosure on social media |
| Northcutt Dental-Fairhope | $62,500 | Settlement | Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer |

HIPAA enforcement by state attorneys general is relatively rare. Only three financial penalties were imposed in 2022 by state attorneys general. In these cases, penalties were imposed for violations of the HIPAA Rules and state laws.

| State | Regulated Entity | Penalty | Penalty Type | Reason |
|---|---|---|---|---|
| Oregon/Utah | Avalon Healthcare | $200,000 | Settlement | Lack of safeguards and late breach notifications |
| Massachusetts | Aveanna Healthcare | $425,000 | Settlement | Lack of safeguards against phishing |
| New York | EyeMed Vision Care | $600,000 | Settlement | Multiple security failures |

The post 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Hackers are Using AI Tools such as ChatGPT for Malware Development

There are many benefits of using AI in healthcare, including the acceleration of drug development and medical image analysis, but the same AI systems that benefit healthcare could also be used for malicious purposes such as malware development. The Health Sector Cybersecurity Coordination Center (HC3) recently published an analyst note summarizing the potential for artificial intelligence tools to be used by hackers for this purpose and evidence is mounting that AI tools are already being abused.

AI systems have evolved to a stage where they can be used to write human-like text with a very high degree of fluency and creativity, including valid computer code. One AI tool that has proven popular in recent weeks is ChatGPT. The OpenAI-developed chatbot is capable of producing human-like text in response to queries and had more than 1 million users in December. The tool has been used for a myriad of purposes, including writing poems, songs, reports, web content, and emails.

In response to the incredible popularity of ChatGPT, security researchers started testing its capabilities to determine how easily the tool could be used for malicious purposes. Multiple security researchers found that despite the terms of use prohibiting the chatbot from being used for potentially harmful purposes, they were able to get it to craft convincing phishing emails, devoid of the spelling mistakes and grammatical errors that are often found in these emails. ChatGPT and other AI tools could be used for phishing and social engineering, opening up these attacks to a much broader range of individuals while also helping to increase the effectiveness of these attacks.

One of the biggest concerns is the use of AI tools to accelerate malware development. Researchers at IBM developed an AI-based tool to demonstrate the potential of AI to be used to power a new breed of malware. The tool, dubbed DeepLocker, incorporates a range of ultra-targeted and evasive attack tools that allow the malware to conceal its intent until it reaches a specific victim. The malicious actions are then unleashed when the AI model identifies the target through indicators like facial recognition, geolocation, and voice recognition.

If you ask ChatGPT to write a phishing email or generate malware, the request will be refused as it violates the terms and conditions, but it is possible to make seemingly innocuous requests and achieve those aims. Researchers at Check Point showed it was possible to create a full infection flow using ChatGPT. They used ChatGPT to craft a convincing phishing email impersonating a hosting company for delivering a malicious payload, used OpenAI’s code-writing system, Codex, to create VBA code to add to an Excel attachment, and also used Codex to create a fully functional reverse shell. “Threat actors with very low technical knowledge — up to zero tech knowledge — could be able to create malicious tools [using ChatGPT]. It could also make the day-to-day operations of sophisticated cybercriminals much more efficient and easier – like creating different parts of the infection chain,” said Sergey Shykevich, Threat Intelligence Group Manager at Check Point.

Hackers are already leveraging OpenAI code to develop malware. One hacker used the OpenAI tool to write a Python multi-layer encryption/decryption script that could be used as ransomware and another created an information-stealer capable of searching for, copying, compressing, and exfiltrating sensitive information. While there are many benefits of AI systems, these tools will inevitably be used for malicious purposes. Currently, the cybersecurity community has yet to develop mitigations or a way to defend against the use of these tools for creating malware, and it may not even be possible to prevent the abuse of these tools.


Vulnerability Management and Remediation Deficiencies Identified at Alabama VA Medical Center

An inspection of information security at Tuscaloosa VA Medical Center in Alabama by the VA Office of Inspector General (OIG) uncovered deficiencies in three of the four assessed security control areas. The OIG inspection covered configuration management, contingency planning, security management, and access controls, with deficiencies identified in configuration management, security management, and access controls.

Configuration management controls are required to identify and manage security features for all hardware and software components of an information system. OIG found deficiencies in vulnerability management, flaw remediation, and database scans. The Office of Information and Technology (OIT) routinely scans for vulnerabilities, and although OIG and OIT used the same vulnerability-scanning tools, OIT failed to identify all vulnerabilities: OIG identified 119 critical-risk vulnerabilities that OIT had not detected. OIG also identified 301 vulnerabilities that had not been mitigated within the required 30- or 60-day windows, with 134 critical-risk vulnerabilities identified on 14% of devices and 134 high-risk vulnerabilities found on 46% of devices. One of the high-risk vulnerabilities had remained unpatched for seven years.

Several devices were discovered to be missing important security patches, which were available but had not been applied, which placed VA systems at risk of unauthorized access, alteration, or destruction. While database scans are performed every quarter, OIT was only able to provide scans for half of the databases, as it was not possible to reach all databases due to a port-filtering issue. Without those completed scans, OIT would be unaware of security control weaknesses that could impact the security posture of databases.
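The two configuration-management findings above (vulnerabilities left open past their 30- or 60-day remediation windows, and databases the scanner never reached) are the kind of thing a defender can check from scan output. The script below is an added example, not the OIG's or the VA's tooling; it assumes a constructed list of scan findings with hypothetical field names and check identifiers, and measures exposure against the full device inventory so that unreachable devices still count.

```python
"""Remediation-window and scan-coverage check over vulnerability scan findings.

Added example; not part of the OIG report. Finding fields, check identifiers,
device names and dates below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Set

# Remediation windows in days, as cited in the OIG inspection summary:
# 30 days for critical-risk findings, 60 days for high-risk findings.
REMEDIATION_WINDOW_DAYS = {"critical": 30, "high": 60}


class Finding(NamedTuple):
    device: str
    check_id: str       # hypothetical scanner check identifier
    severity: str       # "critical", "high", "medium" or "low"
    first_seen: date    # date the scanner first reported the finding
    remediated: bool    # True once a rescan no longer reports it


def overdue_findings(findings: List[Finding], as_of: date) -> List[Finding]:
    """Return open critical/high findings older than their remediation window."""
    overdue = []
    for f in findings:
        window = REMEDIATION_WINDOW_DAYS.get(f.severity)
        if window is None or f.remediated:
            continue  # no window tracked for this severity, or already fixed
        if (as_of - f.first_seen).days > window:
            overdue.append(f)
    return overdue


def device_exposure(findings: List[Finding], inventory: List[str],
                    as_of: date) -> Dict[str, float]:
    """Percent of inventoried devices with at least one overdue finding, per severity.

    The denominator is the full inventory, not only scanned devices, so a device
    the scanner could not reach (e.g. because of port filtering) still counts.
    """
    devices_by_severity = defaultdict(set)
    for f in overdue_findings(findings, as_of):
        devices_by_severity[f.severity].add(f.device)
    total = len(inventory)
    return {sev: round(100.0 * len(devs) / total, 1)
            for sev, devs in devices_by_severity.items()}


def unscanned_devices(inventory: List[str], scanned: Set[str]) -> List[str]:
    """Inventoried devices with no scan record at all: a coverage gap, not a clean bill."""
    return sorted(d for d in inventory if d not in scanned)


def oldest_open_age_days(findings: List[Finding], as_of: date) -> int:
    """Age in days of the oldest unremediated critical/high finding (0 if none)."""
    ages = [(as_of - f.first_seen).days for f in overdue_findings(findings, as_of)]
    return max(ages, default=0)


# Constructed sample data: a seven-device inventory, one database unreachable.
AS_OF = date(2022, 12, 1)
INVENTORY = ["ws-01", "ws-02", "ws-03", "ws-04", "db-01", "db-02", "pacs-01"]
SCANNED = {"ws-01", "ws-02", "ws-03", "ws-04", "db-01", "pacs-01"}  # db-02 never reached
SAMPLE_FINDINGS = [
    Finding("ws-01", "CHK-0001", "critical", date(2022, 10, 1), False),   # 61 days: overdue
    Finding("ws-02", "CHK-0001", "critical", date(2022, 11, 15), False),  # 16 days: in window
    Finding("ws-03", "CHK-0002", "high", date(2015, 6, 1), False),        # years old: overdue
    Finding("ws-04", "CHK-0002", "high", date(2022, 9, 20), True),        # remediated
    Finding("db-01", "CHK-0005", "high", date(2022, 8, 1), False),        # 122 days: overdue
    Finding("pacs-01", "CHK-0003", "medium", date(2020, 1, 1), False),    # no window tracked
    Finding("ws-01", "CHK-0004", "high", date(2022, 10, 20), False),      # 42 days: in window
]

if __name__ == "__main__":
    for f in overdue_findings(SAMPLE_FINDINGS, AS_OF):
        print(f"OVERDUE {f.severity:8} {f.device:8} {f.check_id} since {f.first_seen}")
    print("exposure by severity:", device_exposure(SAMPLE_FINDINGS, INVENTORY, AS_OF))
    print("never scanned:", unscanned_devices(INVENTORY, SCANNED))
    print("oldest open finding (days):", oldest_open_age_days(SAMPLE_FINDINGS, AS_OF))
```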

Security management controls were assessed, and OIG found one deficiency: several plans of action and milestones were missing or lacked sufficient detail to be actionable. Four access control deficiencies were identified, related to network segmentation, audit and monitoring controls, environmental controls, and emergency power. Medical devices and special-purpose systems are required to be placed on isolated network segments for protection, yet several network segments containing such systems had no segmentation controls in place. Nineteen network segments containing 221 medical devices and special-purpose systems did not have access control lists applied, which allowed any user to access those devices. Logs need to be monitored to evaluate the effectiveness of security controls, recognize attacks, and support investigations during or after an attack. Audit logs for half of the databases supporting the Tuscaloosa VAMC were found to be missing; these were the same databases that had not been subjected to vulnerability scanning.

Several communication rooms were found to lack temperature or humidity controls, which could have a significant adverse impact on the availability of systems, and uninterruptible power supplies were also discovered to be missing, which means infrastructure equipment would cease to function during power fluctuations or outages, resulting in interruption of data flow and disruption of access to network resources.

OIG made 8 recommendations to address the deficiencies, 6 to the assistant secretary for information and technology and chief information officer related to the security issues and 2 to the Tuscaloosa VAMC director, who must ensure communication rooms have adequate environmental controls and uninterruptible power supplies for infrastructure equipment.


Ransomware Appears to be in Decline, but Don’t Lower your Guard

While it is difficult to obtain accurate data on the number of ransomware attacks being conducted on healthcare organizations, the available data suggest there has been a decline in attacks across all industry sectors compared to the high number of attacks reported in 2021. Emsisoft recently reported that attacks are leveling off or declining in the industry sectors it tracks, and now a new survey appears to confirm that decline.

The survey was conducted by Censuswide on behalf of Delinea on 300 IT decision-makers across a broad range of industries in the United States, with the responses suggesting there has been a 60% decline in attacks between 2021 and 2022. In 2021, the survey revealed 64% of organizations had experienced a ransomware attack in the past 12 months, compared to 25% of organizations in 2022.

Ransomware attacks have been reported by small and large healthcare organizations, with the Hive ransomware group known to target smaller medical practices that provide telehealth services, but ransomware gangs appear to still favor attacks on larger organizations, with the Delinea survey revealing 56% of organizations that suffered a ransomware attack in the past 12 months had 100 or more employees.

In 2021, the Conti ransomware operation was the major ransomware player, but in early 2022 the group was disbanded, with its members moving to smaller ransomware operations. While these groups are conducting many attacks, Delinea suggests the shutdown of this large ransomware operation may explain, in part, the decline in attacks. According to GuidePoint Security, there was a 53% decline in attacks by the two main ransomware gangs – Conti and LockBit – last year, yet overall attacks only decreased by around 7%.

Another suggested reason for the decline in attacks is that security controls aimed at preventing ransomware are proving effective at thwarting attacks. It should also be noted that several ransomware gangs have started conducting extortion-only attacks, in which data are stolen and threats are issued to publish the data if the ransom is not paid, but no file encryption occurs. While these attacks are conducted by ransomware gangs, they may not be classed as ransomware attacks, and this could be reflected in the survey data.

In 2022, messages between members of the Hive ransomware gang were intercepted that suggested the group was not having problems compromising organizations but was struggling to force attacked organizations to pay up. The Delinea survey confirmed that fewer organizations are paying up, with 68% of organizations saying they paid the ransom following an attack in 2022 compared to 82% in 2021. The survey also confirmed some of the negative consequences of ransomware attacks, with 56% of companies saying they lost revenue as a result of a successful ransomware attack, with 50% of companies saying they lost customers, although fewer organizations than last year said they suffered reputational damage as a result of an attack – 51% in 2021 compared to 43% in 2022.

Attitudes to ransomware attacks also appear to be changing. In 2021, 88% of organizations said they believed it should be illegal to pay a ransom to cybercriminals following a ransomware attack, but in 2022, 63% of surveyed companies felt that way and believed they should have the choice about whether or not to pay for the keys to recover their data and prevent data exposure.

The reduction in attacks is certainly good news, but it does not mean that they will not increase again. It is therefore concerning that Delinea found investment in ransomware defenses is declining. In 2021, 93% of surveyed organizations said they had allocated funding to combat ransomware attacks, whereas that percentage fell to 68% in 2022. The survey also revealed that only half of the surveyed organizations had implemented best practices to prevent ransomware attacks, such as enforcing password best practices (51%) and multi-factor authentication (50%). There was also a notable decline in the number of companies that had an incident response plan specifically for ransomware attacks, which fell from 94% in 2021 to 71% in 2022.


HC3 Shares Intelligence on BlackCat and Royal Ransomware Operations

The Health Sector Cybersecurity Coordination Center (HC3) has shared threat intelligence on two sophisticated and aggressive ransomware operations – BlackCat and Royal – which pose a significant threat to the healthcare and public health (HPH) sector.

In 2021 and early 2022 the ransomware threat landscape was dominated by Conti, a large, professional ransomware-as-a-service (RaaS) operation; however, the operation was disbanded in 2022. While the Conti RaaS no longer operates under that name, the members of that group are still active but are now spread across several smaller semi-autonomous and autonomous ransomware groups. These smaller ransomware operations are more agile, harder to track, and attract less attention from law enforcement.

The BlackCat ransomware operation, also known as ALPHV, was first detected in November 2021 and is believed to be the successor to DarkSide/BlackMatter ransomware, with the BlackCat admin believed to be a former member of the infamous REvil threat group. BlackCat is a RaaS operation that engages in triple extortion, involving data theft, file encryption, and distributed denial of service (DDoS) attacks on victims. The group leaks stolen data on its data leak site and conducts DDoS attacks when victims fail to pay the ransom or end negotiations. The group primarily targets organizations in the United States.

Unlike some ransomware operations that actively encourage attacks on the healthcare sector, BlackCat has operating rules that prohibit affiliates from conducting attacks on hospitals, medical institutions, and ambulance services, although private clinics and pharmaceutical companies are not off-limits. HC3 has warned that while these operating rules exist, they are not set in stone, and ransomware gangs that have similarly prohibited attacks on healthcare organizations have broken their promises in the past. While the operation is far smaller than Conti, the group has conducted a high number of attacks, with 60 organizations attacked in the first 4 months of operation.

Royal is a more recent addition to the ransomware threat landscape, having first been observed conducting attacks in early 2022. The group is similarly believed to include former Conti members. Initially, Royal used the same encryptor as BlackCat, then switched to its own encryptor in September 2022. Royal is now the most active ransomware operation, having surpassed LockBit. Royal engages in double extortion tactics involving data theft and file encryption and threatens to publish stolen data if the ransom is not paid. Like Conti, Royal is known to conduct callback phishing attacks to gain initial access to networks. Callback phishing starts with a benign email containing a telephone number; social engineering techniques are then used to convince the victim to call the provided number and grant access to their device. The group is also known to conduct attacks using an encryptor that masquerades as healthcare patient data software hosted on legitimate-looking software download sites. In contrast to BlackCat, the healthcare industry is not off-limits, and several attacks have been conducted on healthcare organizations. Consequently, Royal poses a significant threat to the HPH sector.

HC3 has shared detailed information for network defenders on the tactics, techniques, and procedures used by both operations, along with Indicators of Compromise (IoCs), Yara rules, and recommended mitigations.


December 2022 Healthcare Data Breach Report

The number of reported healthcare data breaches declined for the second successive month, with 40 data breaches of 500 or more healthcare records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in December 2022, the lowest monthly total of the year and 29.7% fewer data breaches than the 2022 monthly average. The year ended with 683 data breaches, a year-over-year reduction of 4.3%. Only one other year has seen a fall in recorded data breaches (2014).

2022 Healthcare data breaches

The worst month of 2022 for breached records was followed by the best, with 2,174,592 healthcare records exposed or compromised in December, well below the 2022 average of 3,986,025 records per month and 68.5% fewer breached records than in November. While this is certainly great news, even with this reduction, 2022 was the second worst-ever year for healthcare data breaches with more than 47 million records exposed or compromised from January 1 to December 31, 2022.

2022 Breached healthcare records

Largest Healthcare Data Breaches in December 2022

December saw 13 data breaches of 10,000 or more healthcare records reported to OCR. HIPAA Journal has been unable to obtain information on two of those breaches. Ransomware attacks continue to plague the healthcare industry, with 5 of the 13 largest breaches in December confirmed as involving ransomware, two of which involved the protected health information of more than 600,000 patients. Ransomware attacks on the healthcare industry more than doubled between 2016 and 2021 according to one recent analysis, although it is becoming increasingly difficult to obtain reliable data on the extent to which ransomware is used in cyberattacks due to the lack of standardized reporting. While healthcare organizations of all sizes are being attacked, ransomware gangs tend to focus their efforts on larger healthcare organizations, according to a recent report by Delinea.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
CommonSpirit Health | IL | Business Associate | 623,774 | Ransomware attack with business associate involvement
Metropolitan Area EMS Authority dba MedStar Mobile Healthcare | TX | Healthcare Provider | 612,000 | Ransomware attack
Avem Health Partners | OK | Business Associate | 271,303 | Hacking incident at a business associate
Southwest Louisiana Health Care System, Inc. d/b/a Lake Charles Memorial Health System | LA | Healthcare Provider | 269,752 | Ransomware attack
Fitzgibbon Hospital | MO | Healthcare Provider | 112,072 | Ransomware attack
Monarch | NC | Healthcare Provider | 56,155 | Hacking incident – no information released
Ola Equipment LLC | HI | Business Associate | 39,000 | Hacking incident – no information released
The Elizabeth Hospice | CA | Healthcare Provider | 35,496 | An employee sent PHI to a personal email account
Legacy Operating Company d/b/a Legacy Hospice | AL | Healthcare Provider | 21,202 | Compromised email accounts
Employee Group Insurance Benefits Plan of Acuity Brands, Inc. | GA | Health Plan | 20,849 | Hacking incident (data theft confirmed)
San Gorgonio Memorial Hospital | CA | Healthcare Provider | 16,846 | Hacking incident (data theft confirmed)
Hawaiian Eye Center | HI | Healthcare Provider | 14,524 | Ransomware attack
Foundcare, Inc. | FL | Healthcare Provider | 14,194 | Compromised email account

Causes of December 2022 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports and typically involve many more records than other types of data breaches. In December, 28 incidents were classified as hacking/IT incidents – 70% of the month’s total breaches. 1,965,032 healthcare records were exposed or impermissibly disclosed in those incidents– 90.4% of the month’s breached records. The average breach size was 70,180 records and the median breach size was 4,152 records. 20 of the month’s breaches involved compromised network servers, with 12 incidents involving hacked email accounts.

Causes of December 2022 Healthcare data breaches

The risk of email-related data breaches can be greatly reduced by providing regular security awareness training to the workforce, as is required by the HIPAA Security Rule, and by implementing multi-factor authentication. FIDO-based MFA provides the greatest level of protection because it is phishing-resistant: the credential is bound to the legitimate site’s origin, so it cannot be replayed to a lookalike login page the way a one-time code can. HIPAA-regulated entities should also ensure that their password management practices are kept up to date. A recent audit of the Department of the Interior identified many password management failures, which are all too common in the healthcare industry.

There were 10 unauthorized access/disclosure-related data breaches in December involving 168,386 records. The average breach size was 16,839 records and the median breach size was 1,739 records. There has been a decline in these types of data breaches in recent years as HIPAA training and monitoring of medical record access have improved. There were two loss/theft incidents reported involving 41,174 records. Both of these incidents involved computers/other electronic devices. Encryption does not prevent a device from being lost or stolen, but PHI on an encrypted device is not considered "unsecured" under the HIPAA Breach Notification Rule, so had the devices been encrypted (with the key stored separately) these incidents would not have been reportable breaches.

December 2022 healthcare data breaches - location of breached PHI

December Data Breaches by HIPAA Regulated Entity

Healthcare providers were the worst affected type of HIPAA-regulated entity, with 24 breaches of 500 or more records reported. Business associates reported 11 data breaches and health plans reported 5. Two of the data breaches reported by healthcare providers had business associate involvement but were reported by the healthcare provider. The chart below shows the breakdown based on where the breach occurred.

December 2022 healthcare data breaches - HIPAA-regulated entity type

States Affected by December 2022 Data Breaches

Healthcare data breaches were reported by HIPAA-regulated entities in 22 states. California was the worst affected with 4 reported breaches.

State | Reported Data Breaches
California | 4
Florida, New York, Texas & Washington | 3
Georgia, Hawaii, Illinois, Massachusetts, Missouri, South Dakota & Virginia | 2
Alabama, Connecticut, Louisiana, Maryland, North Carolina, Nebraska, Oklahoma, Rhode Island, Wisconsin & West Virginia | 1
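The breakdowns above (count, total records, average and median size per breach category, and counts per state and entity type) can be reproduced from the OCR breach portal’s CSV export. The following is an added example, not HIPAA Journal’s own tooling; it assumes the column names of that export (adjust them if your download differs) and runs on a constructed sample whose first four rows mirror entries from the December table, with the remaining rows invented.

```python
"""Summarize HHS OCR-style breach reports by category, entity type and state.

Added example. Column names are an assumption based on the OCR breach portal
CSV export; change them if your export uses different headers.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample in the layout of the OCR portal export. The first four rows
# mirror entries from the December 2022 table; the rest are invented.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
CommonSpirit Health,IL,Business Associate,623774,12/01/2022,Hacking/IT Incident,Network Server,Yes
Metropolitan Area EMS Authority dba MedStar Mobile Healthcare,TX,Healthcare Provider,612000,12/02/2022,Hacking/IT Incident,Network Server,No
The Elizabeth Hospice,CA,Healthcare Provider,35496,12/05/2022,Unauthorized Access/Disclosure,Email,No
"Foundcare, Inc.",FL,Healthcare Provider,14194,12/09/2022,Hacking/IT Incident,Email,No
Example Clinic (constructed),WA,Healthcare Provider,2100,12/12/2022,Hacking/IT Incident,Email,No
Example Health Plan (constructed),NY,Health Plan,1739,12/15/2022,Unauthorized Access/Disclosure,Paper/Films,No
Example Practice (constructed),OH,Healthcare Provider,41174,12/20/2022,Theft,Laptop,No
"""

SIZE = "Individuals Affected"


def load_reports(csv_text):
    """Parse the export; the affected-individuals column becomes an int."""
    reports = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row[SIZE] = int(row[SIZE].replace(",", ""))
        reports.append(row)
    return reports


def summarize_by(reports, column):
    """Per distinct value of `column`: breach count, records, mean, median and
    shares of the period's breaches and breached records."""
    groups = defaultdict(list)
    for r in reports:
        groups[r[column]].append(r[SIZE])
    total_records = sum(r[SIZE] for r in reports)
    summary = {}
    for key, sizes in groups.items():
        summary[key] = {
            "count": len(sizes),
            "records": sum(sizes),
            "mean": round(statistics.mean(sizes)),
            "median": statistics.median(sizes),
            "pct_breaches": round(100 * len(sizes) / len(reports), 1),
            "pct_records": round(100 * sum(sizes) / total_records, 1),
        }
    return summary


def breaches_by_state(reports):
    """Number of reported breaches per state, as a dict."""
    counts = defaultdict(int)
    for r in reports:
        counts[r["State"]] += 1
    return dict(counts)


def largest(reports, threshold=10000):
    """Breaches of `threshold` or more records, largest first."""
    big = [r for r in reports if r[SIZE] >= threshold]
    return sorted(big, key=lambda r: r[SIZE], reverse=True)


REPORTS = load_reports(SAMPLE_CSV)

if __name__ == "__main__":
    for column in ("Type of Breach", "Covered Entity Type",
                   "Location of Breached Information"):
        print(f"== {column} ==")
        for key, stats in summarize_by(REPORTS, column).items():
            print(f"  {key}: {stats}")
    print("== States ==", breaches_by_state(REPORTS))
    print("== 10,000+ records ==")
    for r in largest(REPORTS):
        print(f"  {r[SIZE]:>9,}  {r['Name of Covered Entity']}")
```

Point `load_reports` at the text of a real export (for example, `open("breach_report.csv").read()`) and filter on `Breach Submission Date` to reproduce a given month; the "Location of Breached Information" breakdown is the source of the network-server versus email figures quoted above.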

HIPAA Enforcement Activity in 2022

OCR closed the year with two financial penalties to resolve alleged HIPAA violations. Health Specialists of Central Florida’s case stemmed from an investigation into a HIPAA Right of Access violation over the failure to provide a woman with a copy of her deceased father’s medical records. The records were provided, but there was a 5-month delay. Health Specialists of Central Florida settled the case and paid a $20,000 financial penalty. This was the 42nd financial penalty to be imposed under OCR’s HIPAA Right of Access enforcement, which was launched in 2019.

New Vision Dental in California was one of just two healthcare providers to settle a HIPAA violation case with OCR in 2022 that did not involve a HIPAA Right of Access violation. OCR investigated New Vision Dental in response to complaints that patient information was being impermissibly disclosed online in response to negative reviews on Yelp. OCR also identified a Notice of Privacy Practices failure. The case was settled for $23,000. Including these two penalties, OCR resolved 22 HIPAA violation cases with settlements and civil monetary penalties in 2022, more than any other year since OCR was given the authority to impose financial penalties for HIPAA violations.

State Attorneys General also have the authority to impose financial penalties for HIPAA violations. In December, a joint investigation by Oregon and Utah resulted in a financial penalty for Avalon Healthcare over a phishing attack. Avalon Healthcare was determined to be in violation of the HIPAA Security and Breach Notification Rules and state laws due to a lack of appropriate safeguards to protect against phishing attacks and an unreasonable delay in sending breach notification letters, which were issued 10 months after the breach was detected. The case was settled for $200,000. This was one of three enforcement actions by state attorneys general in 2022 to resolve HIPAA violations.

The post December 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Leading Healthcare CISOs Join Forces to Solve Third Party Risk Management Challenges

A group of 20 security and risk executives from 20 leading healthcare provider organizations have come together to share their insights and guidance with less well-resourced healthcare organizations to improve information risk management in the healthcare industry, including addressing one of the most urgent healthcare cybersecurity challenges – third-party risk management.

Cyberattacks on vendors have increased sharply, with these attacks impacting many healthcare organizations. In 2022, virtually all of the top ten healthcare data breaches occurred at vendors. An attack on a vendor can give a threat actor access to the networks and data of many different healthcare organizations, and many vendors have insufficient security measures in place.

A recent survey conducted for the Healthcare and Public Health Sector Coordinating Councils (HSCC) found that healthcare organizations of all sizes are struggling to manage third-party risks, especially small- and medium-sized healthcare organizations, which typically have limited budgets and resources to devote to third-party risk management. The HSCC survey revealed the focus of many third-party risk management programs is new vendors during the onboarding process, with existing vendors often failing to be monitored and assessed. Gartner reports that only 23% of security and risk leaders monitor third parties for cybersecurity exposure in real-time.

The group includes security professionals from leading healthcare organizations such as AmerisourceBergen, Centura Health, CVS, HCA Healthcare, Healthix, Highmark Health, Humana, Premera Blue Cross, St. Luke’s Health System, and UPMC, who have created the Health 3rd Party Trust (Health3PT) Initiative, which builds on the Provider Third Party Risk Management (PTPRM) initiative of 2018.

The Health3PT initiative aims to evaluate, identify, and implement actionable and practical solutions that healthcare organizations can adopt to provide more reliable assurances, consistent information security program reporting, and gain better visibility into downstream relationships with third parties.

Currently, the methods used to manage third-party risk are time-consuming, cumbersome, and inadequate, with no standardized set of practices to follow. Vendors can use vastly different methods for risk management, and often conduct processes manually, which can result in blind spots on risk. Across the industry, there is inadequate follow-through on the remediation of identified risks, complacency regarding continuous monitoring, and insufficient assurance programs to prove that the right security controls are in place.

One of the primary goals of Health3PT is to develop a set of common practices for healthcare organizations to adopt to manage vendor risk, with the group planning to develop risk management tools and methodologies that can be easily adopted by organizations of all sizes. Initially, the group plans to benchmark the current state of the industry, and this will be one of the first deliverables from the group in Q1, 2023.

“Managing third-party risk in a comprehensive and sustainable way requires collaboration between healthcare organizations and their suppliers to find solutions that are efficient and effective for both sides. That’s why the Health3PT is so important to Centura Health and our partnerships. In order for this to work, we need more healthcare organizations to adopt common, standardized processes,” said Shenny Sheth, Deputy CISO for Centura Health, and Health3PT member.

Health3PT will create a standardized and measurable standard for assessing third parties quickly and efficiently, which will serve as the cornerstone of third-party risk management programs across the entire healthcare ecosystem to better protect against the increasing number of supply chain attacks. Health3PT also plans to form working groups and will host a summit for vendors, stakeholders, and assessor organizations to collect and share ideas.

“It’s clear that [third-party risk management] is broken in the healthcare industry. We need to come together as an industry to establish a sustainable approach to third-party risk management. The common process of sending and receiving self-attested proprietary questionnaires is inefficient and potentially unreliable,” said John Chow, CISO for Healthix, Inc., and Health3PT member. “We need a practical pathway to supplier assurances that are reliable and not self-attested, have inadequate controls or overburdening for the risk posed. The lack of standardization today results in vendor confusion due to the different question sets and requirements, resulting in confusion, frustration, and eventually…lack of response.”

The post Leading Healthcare CISOs Join Forces to Solve Third Party Risk Management Challenges appeared first on HIPAA Journal.

Healthcare Organizations Failing to Assess and Mitigate Supply Chain Risks

Healthcare organizations can put a host of cybersecurity measures in place to secure their networks and prevent direct attacks by malicious actors, but significant challenges are faced securing the supply chain. Healthcare organizations use vendors to provide services that cannot be handled in-house, and while they provide important services they also create risks that need to be effectively managed. Vendors often require privileged access to networks to perform their functions, which means an attack on a vendor can allow a threat actor to gain access to a healthcare organization’s network through the backdoor.

Cybercriminals have been increasingly attacking healthcare vendors because they are often a much less secure part of the supply chain, and in 2022 many of the largest reported healthcare data breaches involved vendors. Shields Health Care Group, which provides medical imaging services to more than 50 healthcare facilities, suffered a breach of more than 2 million records. Professional Finance Company, which provides a debt collection service to healthcare organizations, suffered a breach affecting many of its clients that exposed the data of 1.91 million patients. There was also an attack on the electronic medical record vendor Eye Care Leaders that affected at least 41 eye care providers and more than 3.6 million patients, to name but a few. While efforts need to continue to secure healthcare networks from direct attacks, urgent action is required to secure the supply chain.

A recent survey conducted by the Ponemon Institute on behalf of the Healthcare and Public Health Sector Coordinating Councils (HSCC) explored the current state of supply chain risk in healthcare and confirmed that a great deal needs to be done, with many healthcare organizations found to experience significant challenges in securing their supply chains. The survey, which was conducted on 400 U.S. healthcare organizations, confirmed that there continues to be significant capability and budget gaps between large and small healthcare organizations when it comes to managing and reducing supply chain risk, but organizations of all sizes are failing at the basics of supply chain risk management.

To accurately measure and address risk, healthcare organizations must have a full inventory of all suppliers that they use, yet the survey revealed that only 20% of the 400 surveyed organizations had a complete inventory of all of their suppliers, and smaller healthcare organizations were three times more likely to have no inventory at all. One common approach taken by healthcare organizations is to focus their supply chain risk management programs on new vendors as they are onboarded, yet they fail to assess and manage risk for their existing suppliers, which was the case for almost half (46%) of surveyed organizations. 35% of surveyed organizations were not evaluating supplier risks related to patient outcomes, with smaller healthcare organizations twice as likely to have this gap than larger organizations, and only 41% of organizations had integrated their cyber risk programs with their procurement and contracting teams. Smaller healthcare organizations were found to lack the budgetary resources to properly manage supply chain risk, with 57% of smaller organizations having supply chain risk management budgets of $500,000 or less, compared to 51% of large organizations that had supply chain risk management budgets of between $1 million and $5 million.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) includes supply chain risk management practices that can – and should – be adopted, but doing so can be a challenge for small- and medium-sized healthcare organizations. To make supply chain risk management more straightforward, the HSCC has tailored that guidance into a free toolkit (HICSCRiM) specifically for small to mid-sized healthcare organizations, which typically have more limited budgets and resources for managing supply chain risk.

“The healthcare supply chain team is under an increasing amount of pressure to move quickly while managing a multitude of risks during the procurement process,” said Ed Gaudet, CEO, and Founder of Censinet and HSCC Supply Chain Cybersecurity Task Group Member. “As cyberattacks like ransomware become more sophisticated, this survey hammers home the urgent need for automation and actionable risk insights to help supply chain leaders effectively manage inventory, cyber risk, fraud, and supplier redundancy.”

The post Healthcare Organizations Failing to Assess and Mitigate Supply Chain Risks appeared first on HIPAA Journal.

Study Identifies Healthcare Ransomware Attack Trends

Healthcare ransomware attacks have at least doubled in the past 5 years, data recovery from backups has decreased, and it is now common for data to be stolen and publicly released following a successful attack, according to a new analysis recently published in the JAMA Health Forum.

Healthcare ransomware attacks can be difficult to accurately track, as ransomware is not always specified in breach reports and press releases, and ransomware gangs typically do not publicly disclose their attacks when ransoms are paid, which makes it difficult to determine the extent to which attacks are increasing or decreasing. With more detailed reporting of cyberattacks, legislators would have accurate data to inform their policy decisions.

The data for the analysis was collected from the Tracking Healthcare Ransomware Events and Traits (THREAT) database, which includes data collected from a variety of sources such as the HHS’ Office for Civil Rights breach portal, HackNotice, press releases from victims, media reports, and dark web monitoring. The researchers accept that due to the lack of accurate reporting, the number of attacks has likely been underestimated, with omissions most likely due to the reporting of ransomware attacks as malware incidents, with no mention of ransom demands. These attacks could naturally not be included in the data. Even so, the researchers believe their database is the most accurate record of healthcare ransomware attacks. “To be missing from the THREAT database, a ransomware attack would have needed to go unreported to HHS OCR, remain undetected by HackNotice web crawler surveillance and monitoring of dark web forums, and have received no press coverage in local news or health care trade publications,” explained the researchers.

The analysis revealed there were 374 documented ransomware attacks on healthcare organizations between 2016 and 2021, with those attacks involving the personal or protected health information of at least 41,987,751 individuals. Attacks more than doubled from 43 in 2016 to 93 in 2021, and there was an 11-fold increase in impacted records, from around 1.3 million records in 2016 to around 16.5 million records in 2021. It should be noted that there was no data available on the extent to which PHI exposure occurred in more than one-fifth of attacks (22.5%).

Out of the 374 confirmed ransomware attacks, only 20.6% of healthcare organizations said they were able to restore data from backups, and in 15.8% of attacks at least some of the stolen data were posted publicly on the clear web or on dark net data leak sites. It should be noted that the double-extortion ransomware trend, where data are stolen prior to file encryption and leaked if the ransom is not paid, only emerged at the end of 2019 and became widespread in 2020, so the leak-site figure covers only the last two years of the study period.

While ransomware attacks are often attempted on hospitals and large health systems, clinics suffered the most ransomware attacks, followed by hospitals, other delivery organization types, ambulatory surgical centers, mental/behavioral health organizations, dental practices, and post–acute care organizations. As HIPAA Journal has previously reported, the breach reporting requirements of the HIPAA Breach Notification Rule are frequently violated, with many breached organizations unable to issue notifications about ransomware attacks within the 60-day reporting deadline. The analysis revealed late reporting in 54.3% of attacks.

The impact of these attacks on patients is often difficult to determine. The researchers were unable to determine the extent to which ransomware disruptions affected patients seeking care during an attack but found evidence that care delivery operations were disrupted in 44.4% of attacks. The disruption continued for at least 2 weeks in 8.6% of attacks, most commonly due to IT system downtime, canceled appointments, and ambulance diversion. This disruption to care threatens patient safety and outcomes.

The researchers concluded that ransomware attacks on healthcare organizations have increased in both sophistication and frequency, with attacks now more likely to affect multiple facilities, prevent access to patient data, disrupt healthcare delivery, and expose patient data. The researchers have called for policymakers to focus their efforts on the specific needs of healthcare organizations due to the implications on the quality and safety of patient care.

The post Study Identifies Healthcare Ransomware Attack Trends appeared first on HIPAA Journal.