Healthcare Cybersecurity

Feds Issue Guidance on Responding and Reducing Impact of DDoS Attacks

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have recently issued guidance for federal agencies and private-sector organizations on preventing and mitigating Distributed Denial of Service (DDoS) attacks.

These attacks overload applications and websites with traffic, rendering them inaccessible to legitimate users. The guidance groups Denial of Service (DoS) attacks into three types: network resource overloads, which exhaust bandwidth and the hardware and software that handle it; protocol resource overloads, which consume the available session or connection resources; and application resource overloads, which exhaust compute or storage resources.

DDoS attacks are DoS attacks in which the traffic comes from many devices acting in concert. They can involve enormous volumes of traffic and have the potential to damage hardware. Botnets, networks of malware-infected devices under an attacker's control, are commonly used to perform DDoS attacks at scale, and they have become far more common with the huge increase in IoT devices. Botnets are often rented out to other threat actors, allowing unskilled individuals to conduct DDoS attacks.

These attacks may be short-lived; however, prolonged attacks can significantly disrupt critical services, resulting in extensive remediation costs and substantial reputational damage. A DDoS attack itself aims only at disruption and involves neither access to systems nor data theft; however, cybercriminal groups are known to use DDoS attacks to distract IT teams while an intrusion is conducted simultaneously on another part of the network. With the security team's attention focused on the flood, data exfiltration, malware delivery, or ransomware deployment is less likely to be detected. It is therefore vital that responding to a DDoS attack does not result in other security monitoring being neglected.

Preventing and Reducing the Impact of DDoS Attacks

The key to defending against DDoS attacks and limiting their severity is preparation. All critical assets and services exposed to the public Internet must be identified and prioritized. Web application firewalls should protect the most critical assets, and cybersecurity best practices such as server hardening and prompt patching should be followed. Understanding how users connect to the services and identifying chokepoints makes it easier to implement mitigations that keep key staff connected.

Consider enrolling in a DDoS protection service, ideally a dedicated one, as the protection bundled with ISP service is less robust and may not withstand larger attacks. These services identify the sources of attack traffic and reroute or scrub it before it reaches the target. Managed service providers may also be able to assist with DDoS protection, including custom network-edge defenses.

Take steps to avoid single points of failure, such as hosting a high-value asset on a single node; load balancing across multiple nodes is recommended. It is also vital to develop an incident response plan specifically for DDoS attacks, with all stakeholders aware of their responsibilities through every stage of an attack so that a rapid and efficient response is possible. Develop a business continuity plan as well, so that operations can continue during a prolonged attack, and run tabletop exercises to test both plans.

Steps to Take During an Attack

In the event of a suspected attack, indicated by network latency, sluggish application performance, unusually high traffic, or unavailable websites, contact your technical staff or provider for assistance. Check with your ISP whether they have an outage, and establish the nature of the attack: where the traffic is coming from and which applications are being targeted. That information allows targeted mitigations to be applied and lets you work with service providers to get the attack traffic blocked quickly.

While an attack may target a specific application, monitor other network assets, as they may be simultaneously attacked. Specific mitigations for dealing with DDoS attacks are detailed in the MS-ISAC Guide to DDoS Attacks.

Recovering from a DDoS Attack

After an attack, continue to monitor all network assets, learn from the response, and update the incident response plan to correct anything that did not run smoothly. Also monitor the network proactively and establish a baseline of normal activity, as that is what allows an attack in progress to be recognized quickly in the future.
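Building that baseline is a small amount of work if request logs are already being collected. The following is an added example, not part of the CISA/FBI/MS-ISAC guidance or of this article: it computes a requests-per-minute baseline from a quiet period of Common Log Format web logs and flags minutes that exceed it, listing the top source addresses and request paths for each flagged minute so that the questions in the response section (where the traffic comes from, which application is targeted) can be answered from the same data. The log lines, IP addresses and threshold are constructed for illustration.

```python
"""Added example (not from the CISA/FBI/MS-ISAC guidance): build a request-rate
baseline from quiet-period web logs, then flag minutes whose request count
departs from it and report the top sources and targets for those minutes.
All log lines are constructed; the Common Log Format parsing is real."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return {ip, minute, path, status} for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "minute": ts.replace(second=0),
            "path": m["path"], "status": int(m["status"])}

def per_minute_counts(lines):
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[rec["minute"]] += 1
    return counts

def build_baseline(history_lines):
    """Mean and population std-dev of requests per minute over a known-quiet period."""
    rates = list(per_minute_counts(history_lines).values())
    return float(mean(rates)), float(pstdev(rates))

def detect(live_lines, baseline, z=3.0, top_n=3):
    """Flag minutes above mean + z*stddev. For each, report the busiest source
    IPs and paths: the 'where is it coming from' and 'what is being targeted'
    questions the guidance says to answer before choosing a mitigation."""
    mu, sigma = baseline
    threshold = mu + z * max(sigma, 1.0)   # floor keeps a flat baseline usable
    by_minute = defaultdict(list)
    for line in live_lines:
        rec = parse(line)
        if rec:
            by_minute[rec["minute"]].append(rec)
    alerts = []
    for minute, recs in sorted(by_minute.items()):
        if len(recs) > threshold:
            alerts.append({
                "minute": minute.isoformat(),
                "requests": len(recs),
                "threshold": round(threshold, 1),
                "top_sources": Counter(r["ip"] for r in recs).most_common(top_n),
                "top_paths": Counter(r["path"] for r in recs).most_common(top_n),
            })
    return alerts

# ---- constructed sample data (not real traffic) ----
def _line(ip, minute, sec, path):
    return (f'{ip} - - [01/Nov/2022:13:{minute:02d}:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512')

def constructed_history():
    """Ten quiet minutes: five portal requests per minute from three staff IPs."""
    users = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    return [_line(users[i % 3], minute, i * 10, "/portal")
            for minute in range(10) for i in range(5)]

def constructed_live():
    """The same quiet traffic plus, at 13:12, sixty hits on /login from two sources."""
    bots = ["203.0.113.7", "203.0.113.8"]
    return constructed_history() + [_line(bots[i % 2], 12, i, "/login") for i in range(60)]

if __name__ == "__main__":
    for alert in detect(constructed_live(), build_baseline(constructed_history())):
        print(alert)
```

A global per-minute z-score is deliberately crude: it catches volumetric floods at the application layer but not low-and-slow protocol attacks, and in production the baseline should be kept per hour of day and per endpoint rather than for the whole site.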

The post Feds Issue Guidance on Responding and Reducing Impact of DDoS Attacks appeared first on HIPAA Journal.

Cybersecurity is Now a Patient Safety Issue, Suggests Sen. Warner In Congressional Report

Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, has recently published a white paper – Cybersecurity is Patient Safety – that highlights the current cybersecurity challenges facing the healthcare industry and suggests several potential policy changes that could help to improve healthcare cybersecurity and better protect all health information, including health data not currently protected under the HIPAA Rules.

Sen. Warner suggests the only way to improve healthcare cybersecurity rapidly is through a collaborative effort involving the public and private sectors, with the federal government providing overall leadership. While further regulation may be necessary, the overall consensus of healthcare industry stakeholders is the best approach is to introduce incentives for improving cybersecurity, rather than mandating cybersecurity improvements with a threat of financial penalties for noncompliance.

The healthcare industry is under attack from cybercriminals and nation-state threat actors, and cyberattacks and data breaches are increasing at unacceptable levels. In 2021, 45 million Americans had their sensitive personal and health information exposed or stolen in healthcare industry cyberattacks. More must be done to improve resilience and deal with the increasing threats. “Unfortunately, the healthcare sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate,” said Senator Warner. “Cybersecurity can no longer be viewed as a secondary concern; it must become incorporated into every organization’s – from equipment manufacturers to health care providers – core business models.”

The white paper suggests several areas where policies could be changed to improve cybersecurity in the healthcare industry.

Improve Federal Leadership

The Department of Health and Human Services (HHS) is the Sector Risk Management Agency (SRMA) for the healthcare industry, but within HHS, agencies such as the Office for Civil Rights (OCR), the Centers for Medicare and Medicaid Services (CMS), and the Food and Drug Administration (FDA) each have their own jurisdictions and cybersecurity policies. The white paper explains that there is a lack of overall leadership and suggests a senior leader should be appointed, who should be “empowered—both operationally and politically—to ensure HHS speaks with one voice regarding cybersecurity in health care, including expectations of external stakeholders and the government’s role.”

Modernize HIPAA

HIPAA was enacted in 1996 and the HIPAA Privacy and Security Rules have been in place for around two decades. While updates have been made to the HIPAA Rules, they fail to fully address emerging threats to the confidentiality, integrity, and availability of healthcare data. The current focus is on protecting healthcare data collected, stored, and transmitted by HIPAA-regulated entities, but the same information is collected, stored, and transmitted by entities that are not bound by the HIPAA Rules. It has been suggested that more sensitive health data is now collected by health apps than by HIPAA-regulated entities, yet this data is largely unregulated. The white paper suggests Congress should direct HHS to update HIPAA, expand the definition of covered entities, and stipulate the allowable uses and disclosures of health data by entities not currently classed as HIPAA-regulated, to close the gap between HIPAA and the FTC Health Breach Notification Rule.

Develop a Healthcare-Specific Cybersecurity Framework

The National Institute of Standards and Technology (NIST) has released its Framework for Improving Critical Infrastructure Cybersecurity, and while that work has been commended, many healthcare industry stakeholders want more detailed guidance from NIST that is specific to the healthcare industry and have called for NIST to develop a consensus-based, healthcare-specific cybersecurity framework.

Improve Security Incident Preparedness and Response

The HHS recently stressed in its October Cybersecurity newsletter the importance of security incident preparedness and planning, as cyberattacks are inevitable in the lifespan of a healthcare organization. More needs to be done to encourage healthcare organizations to prepare for attacks. The HHS could direct healthcare facilities to consider cyberattacks to be equivalent to natural disasters such as hurricanes and earthquakes, including mandating training of hospital staff to use analog equipment and legacy systems, and to establish a disaster relief program for victims of cyberattacks.

Incentivize Healthcare Providers to Replace Legacy Systems

Legacy systems are still extensively used in the healthcare industry, despite software and operating systems reaching end-of-life and having support withdrawn. Legacy systems are a security risk, yet healthcare organizations continue to use them as they continue to function and the cost of replacing them is too high. Incentives should be offered to phase out these legacy systems, such as a program similar to the 2009 Car Allowance Rebate System (CARS) that encouraged people to trade in their old vehicles.

Improve Medical Device Cybersecurity

There is considerable concern about the cybersecurity of medical devices and a need for minimum standards of security to be maintained and good cyber hygiene practices followed. There is a need for all software and devices to be supplied with a software bill of materials (SBOM), and for security requirements to be enforced during pre-market approval, as proposed by the PATCH Act. The white paper also suggests restrictions could be imposed on the sale of medical devices whose software has reached end-of-life and is no longer supported, and that healthcare organizations be incentivized to invest in systems for tracking medical equipment.

Address the Current Cybersecurity Talent Shortage

There is currently a global shortage of cybersecurity professionals that is unlikely to be resolved in the short to medium term. Healthcare organizations struggle to recruit the necessary talent and many cybersecurity positions in healthcare remain unfilled. The white paper suggests one way to address the shortage would be for Congress to create a workforce development program and to incentivize individuals to take on cybersecurity positions in healthcare, such as offering student loan forgiveness for cybersecurity professionals who commit to serving in rural communities, similar to the National Health Service Corps Loan Repayment Program.

Reduce the Cost of Cyber Insurance

Cyber insurance is becoming increasingly expensive and there is an extensive and burdensome application process. The white paper suggests a federal reinsurance program could be introduced to cover plans that require minimum cyber hygiene standards to be maintained, which could help the industry achieve minimum cyber hygiene standards without government mandates. The program would standardize coverage elements and provide incentives for insurance companies to adopt them. This could lower overall risks, which could help to reduce the cost of insurance.

Senator Warner is seeking feedback on the white paper from businesses, advocacy groups, researchers, and individuals. Comments should be submitted no later than December 1, 2022.

President Biden Declares November as Critical Infrastructure Security and Resilience Month

The White House has issued a proclamation from President Biden declaring November as Critical Infrastructure Security and Resilience Month, a month dedicated to raising awareness of the need to improve critical infrastructure and to strengthen its resilience against physical and cyber threats.

President Biden has recommitted to improving and fortifying critical infrastructure, “by building better roads, bridges, and ports; fortifying our information technology and cybersecurity across sectors, including election systems; safeguarding our food and water sources; moving to clean energy; and strengthening all other critical infrastructure sectors,” and by doing so will lay the foundation for long-term security and prosperity.

One of the main focus areas is improving defenses and shielding critical infrastructure against malicious cyber activity. President Biden has confirmed his administration will be establishing clear international rules of the road as they relate to cyberspace. In the United States, most critical infrastructure is owned and operated by private companies. Federal agencies have been working closely with critical infrastructure owners and operators to improve resilience to cyberattacks.

As part of this effort, CISA has recently published a set of cybersecurity performance goals for critical infrastructure organizations to guide their cybersecurity efforts to help them achieve minimum standards for cybersecurity. President Biden has also “reinvigorated the National Infrastructure Advisory Council to advise on how to reduce physical and cyber risks and improve the security and resilience of our Nation’s critical infrastructure sectors.”

CISA is encouraging all critical infrastructure organizations to take steps to improve resilience to cyber threats this November. CISA urges all organizations to strengthen their security plans by gaining a better understanding of the unique risks to their organization and systems, conducting exercises of preparedness plans and updating them with the latest techniques and tactics, focusing on ways risk can be reduced and resilience built on physical and cyber fronts, and considering ways to embed resilience as a foundational design feature when upgrading or building new critical infrastructure.

CISA Urges Organizations to Implement Phishing-Resistant Multifactor Authentication

MFA is one of the most important measures to take to prevent unauthorized account access; however, it does not provide complete protection and some forms of MFA can be circumvented. Any form of MFA is better than none at all, but for maximum protection, organizations should implement phishing-resistant MFA, especially in industries such as healthcare that are extensively targeted by malicious cyber actors.

Multifactor authentication requires more than a password before account access is granted, the additional factor being something a person has (a physical device, or a one-time code generated on it) or something they are (a fingerprint, voice print, and so on). If a password is stolen in a phishing attack or guessed by brute force, MFA makes it much harder for the threat actor to access the account.

Phishing campaigns are now conducted with kits that place a reverse proxy between the victim and the genuine login page, allowing threat actors to capture login credentials, MFA codes, and the resulting session cookies and so circumvent MFA. Some forms of MFA are also susceptible to push bombing, Signaling System 7 (SS7) protocol vulnerabilities, and SIM swap attacks.

CISA is urging all organizations to implement phishing-resistant multifactor authentication – the gold standard for MFA – or, if that is not possible, to implement number matching MFA. CISA has produced two fact sheets offering guidance for organizations on implementing phishing-resistant MFA and number matching MFA. The latter does not provide as strong protection as phishing-resistant MFA; however, it is suitable as an interim measure for any organization that is currently using mobile push-notification-based MFA and cannot yet switch to phishing-resistant MFA. Number matching helps prevent push bombing, by requiring users to enter a number from the identity platform into the app to approve the authentication request.

FIDO/WebAuthn authentication is the most widely available form of phishing-resistant MFA and is supported by the major web browsers, operating systems, and smartphones. The WebAuthn API works with the FIDO2 authenticator protocol to use a phishing-resistant authenticator: either a roaming hardware token connected over USB, NFC, or Bluetooth, or a platform authenticator built into a laptop or phone. Phishing resistance comes from the authenticator binding each credential to the site's origin, so a credential registered for the genuine site cannot be exercised from a look-alike domain. The user unlocks the authenticator with a PIN or biometric, which supplies the user-verification factor.
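What makes a FIDO/WebAuthn credential phishing-resistant is visible in the checks a relying party performs on each assertion. The following added example is not from the CISA fact sheets or any FIDO library, and the RP ID, origin and sample values are constructed. It shows those checks: the challenge must match the one the server issued, the origin recorded by the browser must be the genuine site, the rpIdHash must be that of the site's RP ID, and the flags must show user presence and verification. A reverse-proxy phishing kit of the kind described above relays the ceremony from its own domain, so the origin check fails before any password or code is involved. Signature verification over the returned bytes with the credential's registered public key is the final step; it needs a cryptography library and is left to the caller.

```python
"""Added example (not from the CISA fact sheets or any FIDO library): the
relying-party checks on a WebAuthn assertion that make FIDO phishing-resistant.
RP_ID, the origin and all sample values are constructed; no real authenticator
or key is involved, and signature verification is left to a crypto library."""
import base64
import hashlib
import json
import os

RP_ID = "portal.example-hospital.test"                 # assumed relying-party ID
ALLOWED_ORIGINS = {"https://portal.example-hospital.test"}
FLAG_UP = 0x01   # authenticator asserted user presence (touch)
FLAG_UV = 0x04   # authenticator verified the user (PIN or biometric)

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_assertion(client_data_json, authenticator_data, expected_challenge, require_uv=True):
    """Apply the binding checks and return the bytes the authenticator signed
    (authData || SHA-256(clientDataJSON)). The caller then verifies the signature
    over those bytes with the public key registered for the credential."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("not an assertion")
    # 1. Challenge binding: a captured assertion cannot be replayed for a new login.
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch")
    # 2. Origin binding: the browser writes the origin it is talking to, so a
    #    reverse-proxy phishing page on a look-alike domain shows up here.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        raise ValueError(f"origin {cd.get('origin')!r} not allowed")
    # 3. rpIdHash: the authenticator scoped the credential to this RP ID.
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required")
    return authenticator_data + hashlib.sha256(client_data_json).digest()

# ---- constructed stand-ins for what a browser and authenticator would produce ----
def make_authenticator_data(rp_id, flags=FLAG_UP | FLAG_UV, counter=1):
    """rpIdHash (32) || flags (1) || signCount (4); no attested credential data."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

def make_client_data(challenge, origin):
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

def demo():
    """Genuine login passes; the same ceremony relayed through a phishing origin fails."""
    challenge = os.urandom(32)                           # server-issued, single use
    signed = verify_assertion(make_client_data(challenge, "https://portal.example-hospital.test"),
                              make_authenticator_data(RP_ID), challenge)
    try:
        verify_assertion(make_client_data(challenge, "https://portal.example-hospital.test.evil.test"),
                         make_authenticator_data(RP_ID), challenge)
        phished = "accepted"
    except ValueError as err:
        phished = str(err)
    return len(signed), phished

if __name__ == "__main__":
    print(demo())
```

In a real phishing attempt the browser would also scope the request to the attacker's RP ID, so the authenticator would have no matching credential and the rpIdHash check would fail as well; the origin check is simply the first one to trip.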

As an alternative, public key infrastructure (PKI)-based MFA can be implemented. This form of MFA is less widely available but may be better suited to large organizations. Guidance is offered in the fact sheets on implementing both forms of MFA, including how to prioritize the implementation phases and some of the stumbling blocks organizations can encounter, with advice on how to overcome them.

OpenSSL Downgrades Bug Severity to High and Releases Patches

Last week, the OpenSSL Project announced that a patch would be released on November 1, 2022, to address a critical OpenSSL vulnerability, the details of which were being withheld to prevent exploitation ahead of the patch. The news caused considerable concern in the open source community and beyond because of the extent to which OpenSSL is used: it is the library behind a large share of TLS and HTTPS connections, so the implications of such a flaw are enormous.

The news of a critical flaw brought back memories of the Heartbleed bug (CVE-2014-0160), which was exploited to read the memory of systems, including servers and routers, and eavesdrop on communications. Eight years after that patch was released, around 240,000 publicly accessible servers reportedly remain vulnerable to Heartbleed.

The latest vulnerability affects OpenSSL versions 3.0.0 to 3.0.6. Version 3.0 was only released a year ago, so usage is still limited; however, the vulnerability still has the potential to be extremely serious and has been a major cause of concern. “The short answer is you should be worried,” said Yotam Perkal, Director of Vulnerability Research at Rezilion. As for how worried you should be, Perkal said, “that depends how many vulnerable instances of OpenSSL 3.x you have in your environment and do you have the ability to accurately detect them so that you could apply the patch once it’s out.” For many organizations, the answer to the latter will be no, which is why it took so long for Heartbleed to be patched.

The OpenSSL Project announced that the patch for the vulnerability would be released between 13:00 and 17:00 UTC on November 1, 2022.

Not One But Two Vulnerabilities

The OpenSSL Project has now confirmed that the vulnerability is not one issue, but two. The two flaws are being tracked as CVE-2022-3602 and CVE-2022-3786, although there is some good news. The severity of the flaws has been downgraded from critical to high severity, and exploiting the flaws would be difficult and require a high level of technical skill.

Both flaws are in the punycode decoding that OpenSSL 3.0 performs when checking X.509 name constraints against an email address in a certificate. CVE-2022-3602 is a 4-byte stack buffer overflow that, if exploited, could cause a crash or potentially lead to remote code execution. CVE-2022-3786 is a stack buffer overflow in the same code path in which an attacker can overflow an arbitrary number of bytes, all of them the '.' character, which is why it is rated as a denial-of-service issue. In both cases the overflow is reached only after the certificate chain signature has been verified, so an attacker needs either a certificate signed by a CA the victim trusts or an application that continues verification despite failing to build a path to a trusted issuer. A TLS client can be attacked by connecting to a malicious server; a TLS server is exposed only if it requests client certificates.

The OpenSSL Project said that at the time of releasing the patches, it was not aware of any working exploit in the public domain that would allow remote code execution and that no evidence has been found to indicate either vulnerability has been exploited to date.

The Health Sector Cybersecurity Coordination Center (HC3) issued an alert about the flaw soon after the OpenSSL Project's announcement, warning that exploitation was very likely and could start almost immediately after the patch was published. Even with the reduced severity, exploitation remains possible, so prompt patching is recommended wherever OpenSSL 3.0.0 to 3.0.6 is in use. Fortunately, the vulnerable versions have yet to be heavily deployed in production: current estimates put the number of Internet-exposed systems running vulnerable OpenSSL versions at between 7,000 and 16,000.

Exploitation of the bugs would require a high level of technical skill, which limits the potential for exploitation. Researcher Marcus Hutchins said that while one of the flaws could theoretically lead to RCE, it would be extremely unlikely for the flaw to be exploited and lead to RCE.

That said, OpenSSL warns that “OpenSSL is distributed as source code, we have no way of knowing how every platform and compiler combination has arranged the buffers on the stack, and therefore remote code execution may still be possible on some platforms.”

A list of products confirmed to be affected by the OpenSSL vulnerabilities is being maintained here.

Akamai has released YARA Rules and OSQuery queries that can be used to detect vulnerable instances.
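Whether Akamai's rules or the HC3 alert's call to find every instance of OpenSSL is followed, the underlying check is the same: locate version banners and compare them with the affected range. The following added example, which is not Akamai's content or anything from the OpenSSL Project, classifies version strings and sweeps a directory tree for embedded banners; the sample banners in demo() are constructed. Sweeping files rather than running `openssl version` matters because statically linked binaries and vendored copies of libcrypto carry their own version string, which the system package manager knows nothing about.

```python
"""Added example (not Akamai's YARA/osquery content or OpenSSL Project tooling):
classify OpenSSL version strings against the range affected by CVE-2022-3602 and
CVE-2022-3786 (3.0.0 through 3.0.6, fixed in 3.0.7; 1.x not affected) and sweep
files for embedded version banners, which is how statically linked or vendored
copies that `openssl version` never reports are found. Sample banners are constructed."""
import os
import re

# Banners embedded in libssl/libcrypto and in static binaries look like
# "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

def classify(version):
    """'vulnerable' for 3.0.0-3.0.6, 'fixed' for 3.0.7 and later 3.x, 'not_affected' for 0.x/1.x."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unknown"
    major, minor, patch = (int(x) for x in m.groups())
    if major < 3:
        return "not_affected"          # the affected punycode code was introduced in 3.0
    if (major, minor) == (3, 0) and patch <= 6:
        return "vulnerable"
    return "fixed"

def scan_bytes(data):
    """Return the sorted, de-duplicated version strings found in a blob."""
    found = set()
    for m in BANNER_RE.finditer(data):
        found.add(b".".join(m.group(1, 2, 3)).decode() + m.group(4).decode())
    return sorted(found)

def scan_tree(root, max_size=256 * 1024 * 1024):
    """Walk a directory tree; map each file containing a banner to its
    [(version, classification), ...]. Unreadable or oversized files are skipped."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    versions = scan_bytes(fh.read())
            except OSError:
                continue
            if versions:
                results[path] = [(v, classify(v)) for v in versions]
    return results

def demo():
    """Constructed blobs standing in for files a sweep would read."""
    constructed = {
        "/usr/lib/libssl.so.3":   b"\x7fELF...OpenSSL 3.0.5 5 Jul 2022\x00...",
        "/opt/vendor/agent":      b"\x7fELF...OpenSSL 3.0.7 1 Nov 2022\x00...",
        "/usr/lib/libssl.so.1.1": b"\x7fELF...OpenSSL 1.1.1q  5 Jul 2022\x00...",
        "/usr/bin/unrelated":     b"\x7fELF...no banner here...",
    }
    return {path: [(v, classify(v)) for v in scan_bytes(blob)]
            for path, blob in constructed.items() if scan_bytes(blob)}

if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, versions in hits.items():
        print(path, versions)
```

Run it with a root directory as the first argument to list files with embedded banners, or with no argument to see the constructed demo. A hit does not prove exploitability, since the bug is reachable only through certificate verification as described above, but the inventory is the precondition for patching.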

Patch Due for Release on November 1, 2022 to Fix Critical OpenSSL Vulnerability

A warning has been issued to the healthcare and public health sector about a critical vulnerability in the OpenSSL software library. OpenSSL is an open source cryptographic library used by many operating systems and applications to implement Transport Layer Security (TLS) for secure Internet communications, including connections to websites and web applications.

The OpenSSL Project team says the vulnerability affects OpenSSL versions 3.0.0 to 3.0.6, but does not affect OpenSSL 1.1.1 or LibreSSL. Details of the vulnerability have yet to be disclosed, to limit the potential for exploitation. Further information is expected to be released along with the patch, OpenSSL version 3.0.7. At present, no CVE identifier has been assigned.

While the OpenSSL Project has announced many vulnerabilities in the past, critical ones are very rare. In the project's severity scale, a critical vulnerability is one that affects common configurations and is likely to be exploitable. In 2014, a critical vulnerability in OpenSSL dubbed Heartbleed allowed anyone on the Internet to read the memory of systems running vulnerable versions, exposing passwords and private keys. The bug was rapidly exploited by threat actors to eavesdrop on communications, steal data directly from services and users, and impersonate services and users. Because OpenSSL is so widely used, the impact of such a vulnerability is enormous, and patching every instance could take considerable time.

The Health Sector Cybersecurity Coordination Center (HC3) explained in a cybersecurity alert that threat actors are likely to attempt to exploit the vulnerability at large scale, and warns that exploitation may begin very soon after the patch is released. Cybercriminal and nation-state threat actors are likely to immediately begin reverse engineering the patch as soon as it is released to determine the technical details of the vulnerability to allow an exploit to be developed.

HC3 urges all HPH sector organizations to treat this vulnerability with the highest priority and to apply the patch rapidly. For that to happen, every place OpenSSL is used, including copies bundled inside applications and appliances, will first have to be found. The OpenSSL Project says the patch will be released between 13:00 and 17:00 UTC on November 1, 2022.

CISA Publishes Voluntary Cybersecurity Performance Goals for Critical Infrastructure Organizations

A set of cross-sector Cybersecurity Performance Goals (CPGs) have been published by the Cybersecurity and Infrastructure Security Agency (CISA) for critical infrastructure organizations to adopt a minimum cybersecurity standard and better protect their networks and systems from attacks that threaten their ability to operate.

In May 2021, the month of the ransomware attacks on the oil pipeline operator Colonial Pipeline and the food processing firm JBS, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity. As part of that initiative, President Biden signed the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems on July 28, 2021, which called for CISA to publish a baseline set of CPGs with the aim of improving the cybersecurity of all critical infrastructure in the United States on which Americans depend.

According to CISA, the CPGs are “a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.” The CPGs were developed from existing cybersecurity frameworks and guidance, and in response to real-world threats and the tactics, techniques, and procedures that CISA and its partners have observed nation-state and cybercriminal hacking groups using. CISA Director Jen Easterly said the CPGs were “informed by extensive input from experts across sectors, public and private, domestic and international, the CPGs reflect some of the best thinking gleaned from across the cybersecurity community.”

In the United States, the majority of critical infrastructure is owned and maintained by the private sector, which is resistant to cybersecurity regulation. Consequently, it is not mandatory for the CPGs to be adopted by critical infrastructure owners and operators. Compliance is voluntary, although strongly recommended.

The CPGs differ from other control frameworks in that they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation. They are intended to help critical infrastructure organizations, especially small- and medium-sized organizations, accelerate their cybersecurity plans and rapidly improve resilience to cyberattacks. The CPGs are not a comprehensive set of practices for developing an effective cybersecurity program. They are a set of prioritized security practices with proven risk-reduction value, which can be implemented by all critical infrastructure organizations to address the most pressing risks and vulnerabilities that are known to be exploited by malicious actors.

The CPGs cover account security, device security, data security, governance and training, vulnerability management, supply chain and third-party risk management, and response and recovery, and have been written to be easy to understand and communicate to non-technical audiences, including senior business leadership.

The best practices include important cybersecurity measures such as credential management, password management, asset inventories, disabling macros, security log collection and monitoring, data encryption, multifactor authentication, and basic and OT cybersecurity training.

The Biden Administration has stressed that the CPGs are voluntary and there are no reporting requirements. You can view the CPGs here (PDF).

CISA Director Encourages All Organizations to Adopt FIDO Authentication

In a recent blog post, Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) explained that for Cybersecurity Awareness Month she has been traveling the country promoting cybersecurity best practices, explaining the steps that everyone can take to stay safe online, and stressing the importance of enabling multi-factor authentication on email accounts, bank accounts, social media accounts, and any other accounts that contain sensitive data. “Enabling multi-factor authentication is the single most important thing Americans can do to stay safe online,” said Easterly.

When multi-factor authentication is enabled, a username and password are no longer sufficient to gain access to an account. An additional factor must be provided before access to the account is granted. This security measure is important, as passwords may be guessed or stolen, and phishing and brute force attacks are increasing. Despite MFA being an important security feature that can prevent unauthorized account access, MFA has still not been widely adopted. Many vendors make multi-factor authentication a consumer choice, rather than making it the default option. Easterly believes vendors should “forcefully nudge” consumers into configuring multi-factor authentication for their accounts.

Easterly suggests vendors should take note of the auto industry campaigns in the late 20th century that encouraged drivers to wear seatbelts and apply similar tactics to increase the adoption of MFA – which she says is the “seatbelt of the information highway.” Vendors should also build MFA into their products at the design stage, rather than MFA being an aftermarket add-on, and ensure that they provide their users with a complete MFA feature set. She also suggests vendors should publish MFA uptake numbers, especially for high-privilege accounts.

In her blog post, Easterly explained that one top vendor has reported that only around one-quarter of its enterprise customers have implemented multi-factor authentication, and more worryingly, only one-third of system administrators have MFA enabled on their accounts. “We can’t improve what we don’t measure,” said Easterly. “Simply put, we need better visibility into MFA adoption.”

Easterly explained that any form of multi-factor authentication is better than none; however, not all forms of MFA provide the same level of protection, and some are not resistant to phishing. Recently, phishing campaigns have been conducted that can bypass traditional forms of MFA such as one-time codes sent to cell phones, push notifications, and authenticator apps. Attacks capable of bypassing these MFA protections are only likely to increase.

Fortunately, there are alternative forms of MFA that provide far greater protection. “A group of companies formed the FIDO Alliance to create a phishing-resistant form of MFA,” said Easterly. “They’ve been able to bake FIDO protocols into the operating systems, browsers, phones, and tablets that you already own. And FIDO is supported on dozens of online services. Organizations large and small are starting pilots and even completing their rollout to all staff.”

Easterly says FIDO MFA is the gold standard and the only widely available phishing-resistant authentication and urges all CEOs to ensure that FIDO authentication is on their organization’s MFA implementation roadmap.

Government Issues Warning to Healthcare Organizations About Daixin Team Extortion and Ransomware Attacks

A relatively new data extortion and ransomware gang known as Daixin team is actively targeting U.S. healthcare organizations, prompting a warning from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).

Daixin Team first appeared on the radar in June 2022, with the group predominantly conducting data extortion and ransomware attacks on organizations in the healthcare and public health (HPH) sector. The attacks have seen data encrypted, access to electronic health records blocked, and major disruption to healthcare services, including diagnostics, imaging, and postponed appointments. In the joint #StopRansomware: Daixin Team advisory, the observed tactics, techniques, and procedures used by Daixin Team have been shared along with Indicators of Compromise (IoCs) and several suggested mitigations to make it harder for attacks to succeed.

Daixin Team gains access to healthcare networks, conducts reconnaissance, and identifies and exfiltrates data of interest, which is used as leverage to extort money from victims.  The group seeks to establish communications with victims directly and advises them not to work with ransomware remediation firms. If contact is not made within 5 days of the attack, the group threatens to publicly release the stolen data.

Daixin Team is known to gain access to the networks of victims by exploiting vulnerabilities in VPN servers, often using compromised VPN credentials for accounts that do not have multi-factor authentication enabled. In some attacks, the group has obtained VPN credentials through phishing emails with malicious attachments. Once access is gained, they move laterally within networks using Secure Shell (SSH) and Remote Desktop Protocol (RDP), escalate privileges through credential dumping and pass-the-hash, exfiltrate data using tools such as Rclone and Ngrok, and then deploy their ransomware payload, which is believed to be based on the publicly released Babuk Locker ransomware code.

In some attacks, privileged accounts have been used to gain access to VMware vCenter Server, and account passwords have been reset for ESXi servers. SSH was then used to connect to the ESXi servers, where ransomware was deployed.
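The intrusion chain above gives defenders several detection opportunities. The following is an added example, not part of the joint advisory: it flags process creations that look like Rclone exfiltration or an Ngrok tunnel (matching on command-line shape as well as the image name, since both tools are routinely renamed), and correlates a vCenter password reset on an ESXi host with a subsequent SSH login to that host. The event schema, hostnames, addresses and timestamps are constructed and do not follow any vendor's log format.

```python
"""Added example (not from the CISA/FBI/HHS advisory): detection logic for
behaviours the advisory attributes to Daixin Team, run over constructed host
events. Event field names are assumed, not any vendor's schema, and the
timestamps, hosts and IPs are made up."""
import re
from datetime import datetime, timedelta

# Rclone and Ngrok are often renamed, so match on command-line shape as well as image name.
RCLONE_NAMES = {"rclone", "rclone.exe"}
RCLONE_VERB_RE = re.compile(r"\b(copy|sync|move|copyto|moveto)\b\s.*\s\w+:\S*", re.I)  # <verb> ... remote:path
RCLONE_FLAGS = ("--config", "--transfers", "--ignore-existing", "--auto-confirm", "--no-check-certificate")
NGROK_NAMES = {"ngrok", "ngrok.exe"}
NGROK_TUNNEL_RE = re.compile(r"\b(tcp|tls)\s+(22|3389)\b", re.I)                      # tunnelling SSH or RDP

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_tooling(proc_events):
    """Flag process-creation events that look like Rclone exfiltration or an Ngrok tunnel."""
    hits = []
    for e in proc_events:
        name, cmd = basename(e["image"]), e["cmdline"]
        if name in RCLONE_NAMES or (RCLONE_VERB_RE.search(cmd) and any(f in cmd for f in RCLONE_FLAGS)):
            hits.append({"ts": e["ts"].isoformat(), "host": e["host"], "rule": "rclone_exfil", "cmdline": cmd})
        elif name in NGROK_NAMES or "authtoken" in cmd or NGROK_TUNNEL_RE.search(cmd):
            hits.append({"ts": e["ts"].isoformat(), "host": e["host"], "rule": "ngrok_tunnel", "cmdline": cmd})
    return hits

def detect_esxi_takeover(vcenter_events, ssh_events, window=timedelta(hours=2)):
    """The sequence the advisory describes: a privileged vCenter account resets an
    ESXi host's root password, then someone logs in to that host over SSH."""
    hits = []
    for v in vcenter_events:
        if v["action"] != "password_reset":
            continue
        for s in ssh_events:
            if s["host"] == v["esxi_host"] and v["ts"] <= s["ts"] <= v["ts"] + window:
                hits.append({"esxi_host": v["esxi_host"], "reset_by": v["by"],
                             "reset_at": v["ts"].isoformat(), "ssh_from": s["src"],
                             "ssh_at": s["ts"].isoformat()})
    return hits

# ---- constructed events ----
T0 = datetime(2022, 10, 20, 2, 0)
CONSTRUCTED_PROC = [
    {"ts": T0, "host": "WS-RAD-01", "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "cmdline": r"svchost.exe copy D:\PACS\export mega:dump --config C:\Users\jdoe\r.conf --transfers 32"},
    {"ts": T0 + timedelta(minutes=1), "host": "WS-RAD-01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"ts": T0 + timedelta(minutes=7), "host": "SRV-FILE-02", "image": r"C:\ProgramData\ng.exe",
     "cmdline": "ng.exe tcp 3389 --region us"},
    {"ts": T0 + timedelta(minutes=9), "host": "SRV-BUILD-01", "image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "cmdline": "ssh.exe build@ci.internal.test"},
]
CONSTRUCTED_VCENTER = [
    {"ts": T0 + timedelta(minutes=20), "action": "login", "esxi_host": None, "by": "vsphere.local\\administrator"},
    {"ts": T0 + timedelta(minutes=22), "action": "password_reset", "esxi_host": "esxi-03.internal.test",
     "by": "vsphere.local\\administrator"},
]
CONSTRUCTED_SSH = [
    {"ts": T0 - timedelta(days=3), "host": "esxi-03.internal.test", "user": "root", "src": "10.10.1.5"},
    {"ts": T0 + timedelta(minutes=31), "host": "esxi-03.internal.test", "user": "root", "src": "10.10.5.23"},
]

if __name__ == "__main__":
    for hit in detect_tooling(CONSTRUCTED_PROC) + detect_esxi_takeover(CONSTRUCTED_VCENTER, CONSTRUCTED_SSH):
        print(hit)
```

The first constructed event is the case worth noticing: a binary named svchost.exe running from a user's Temp directory with Rclone's subcommand and flag syntax is caught by the command-line rule even though the image name says nothing. The ESXi correlation is narrow by design; a password reset from vCenter followed within two hours by an SSH login from a workstation subnet is unusual enough in most environments to page on.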

The FBI, CISA, and the HHS have shared several mitigations that can help healthcare organizations protect against Daixin Team attacks. These measures include:

  • Patching promptly and keeping software up to date
  • Implementing phishing-resistant multi-factor authentication
  • Securing or disabling Remote Desktop Protocol
  • Turning off SSH and network device management interfaces such as Telnet, Winbox, and HTTP for wide area networks (WANs)
  • Securing passwords with strong encryption
  • Implementing and enforcing multi-layer network segmentation
  • Limiting access to data through public key infrastructure and digital certificates to authenticate connections to devices
  • Securing ePHI at collection points using encryption
  • Ensuring compliance with the HIPAA Security Rule with respect to ePHI
