The Federal Bureau of Investigation (FBI) has Issued a TLP:WHITE Private Industry Notification warning about ongoing cybercriminal campaigns targeting healthcare payment processors that attempt to redirect victim payments to accounts under the control of the attackers.

These attacks use social engineering techniques to obtain the login credentials of healthcare payment processors to allow them to divert payments, such as phishing attacks that spoof support centers. The attackers have used publicly available personally identifiable information to obtain access to files, healthcare portals, payment information, and websites.

The goal of these attacks is to change direct deposit information, which in one attack on a large healthcare company in February 2022, resulted in changes to direct deposit information for a consumer checking account that saw payments totaling $3.1 million redirected to the attacker’s account. The same month, a separate attack occurred that used similar techniques to redirect around $700,000.

In April 2022, a healthcare company with 175 medical providers discovered an attack where an employee had been impersonated and Automated Clearing House (ACH) instructions of one of their payment processing vendors were sent that redirected payments to a cybercriminal’s account, resulting in two payments totaling $840,000 being sent to the attacker’s account.

The FBI says between June 2018 and January 2019 at least 65 healthcare payment processors were targeted in the United States and contact information and banking details were changed to direct payments to attacker-controlled accounts, with one of those attacks seeing payments totaling $1.5 million being lost, with the initial access to a customer account being gained through phishing. The FBI warns that entities involved in the processing and distributing healthcare payments through payment processors remain vulnerable to attacks such as this.

Phishing emails are sent to employees in the financial departments of a targeted healthcare payment processor. A trusted individual is often impersonated, and social engineering techniques are used to trick employees into making changes to bank accounts. Login credentials are stolen in these attacks that allow the attacker to make changes to email exchange server configurations and set up custom rules for accounts of interest.

Employees that have been targeted have reported receiving requests to reset passwords and 2FA phone numbers within a short time frame. The attackers change account credentials to allow persistent access, and the employees who had their accounts hacked report being locked out of their payment processor accounts due to failed password recovery attempts.

The FBI has made several recommendations on how to defend against these attacks and reduce the risk of compromise. These include:

• Ensure endpoint detection software is used on all endpoints, including up-to-date anti-virus and anti-malware solutions
• Conduct regular network security assessments, penetration tests, and vulnerability scans
• Provide training to the workforce to teach employees how to recognize phishing and social engineering attacks, and provide an easy way for them to report suspicious emails – such as an Outlook plugin that allows one-click reporting
• Ensure employees are aware that they must only conduct requests for sensitive information through approved secondary channels
• Set up multi-factor authentication for all accounts, ideally requiring a physical device for authentication – such as a Yubikey – rather than a one-time code sent to a mobile device
• Verify and modify as needed contract renewals to include the inability to change both credentials and 2FA within the same timeframe to reduce further vulnerability exploitations.
• Implement policies and procedures for changing existing financial information to include verification through an appropriate, established channel
• Ensure all accounts have strong, unique passwords set
• Ensure software is updated and patches are applied promptly to prevent the exploitation of vulnerabilities.

The post FBI Warns of Ongoing Cybercriminal Campaigns Targeting Healthcare Payment Processors appeared first on HIPAA Journal.

The Federal Bureau of Investigation (FBI) has issued a private industry notification warning about the rising number of vulnerabilities in medical devices. If medical devices are not promptly patched and are running out of date software, malicious actors could exploit vulnerabilities and gain access to sensitive patient data or the networks to which the devices connect. With a foothold in the network, threat actors could conduct attacks that adversely impact the operational functions of healthcare facilities. Medical devices are often used to sustain patients with mild to severe medical conditions and attacks on those devices have the potential to cause serious harm to patients and even result in the loss of life.

The FBI says vulnerabilities in medical devices predominantly stem from device hardware design and device software management. When medical devices are operated in the default configuration, that often provides threat actors with an opportunity to exploit vulnerabilities. Devices with customized software can be difficult to patch, often requiring specialized procedures, which can slow down updates and leave vulnerabilities unaddressed for longer, increasing the window of opportunity for vulnerabilities to be exploited.

Medical devices have been developed to perform specific functions, but security was never a consideration because the devices were not considered to be a security threat. These devices are vulnerable and if exposed to the Internet could provide threat actors with an easy way to gain access to the devices, alter their functionality, or use them as a springboard to launch an attack on an organization.

The FBI cites a recent study that suggests 53% of network-connected medical devices and other IoT devices used in hospitals have known critical vulnerabilities that have not been addressed, with around one-third of healthcare IoT devices having a critical vulnerability that could affect the technical operation or functionality of medical devices. These devices include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, intrathecal pain pumps, and pacemakers.

Another study suggests medical devices have an average of 6.2 vulnerabilities per device, and more than 40% of medical devices that have reached end-of-life are no longer receiving security patches and software upgrades to correct vulnerabilities, but those devices often remain in use despite the security risks involved.

Unpatched and outdated medical devices provide cyberattack opportunities, so it is vital that vulnerabilities are addressed and risk is reduced to a low and acceptable level. The FBI has made several recommendations for improving the security of medical devices:

• Ensure endpoint protection measures are implemented including antivirus software and endpoint detection and response (XDR) solutions
• Use encryption for sensitive data
• Change all default passwords and set complex, unique passwords, and limit the number of logins per user
• Ensure an accurate inventory is maintained of all devices, including the patching status, software version, and any vendor-developed software components used by the devices
• Develop a plan for replacing medical and IoT devices prior to reaching end-of-life
• Ensure vulnerabilities are promptly patched on all medical devices
• Conduct routine vulnerability scans before installing any new device onto the operating network
• Train employees to help mitigate human risks, including teaching employees how to identify and report threats, the attacks that target employees such as social engineering and phishing, and add banners to emails that come from external sources.

The FBI alert – Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities – and the full recommendations for mitigating vulnerabilities can be viewed on this link.

The post FBI Warns Healthcare Providers About Unpatched and Outdated Medical Device Risks appeared first on HIPAA Journal.

A recent study has revealed that more than 20% of healthcare organizations experienced an increase in mortality rate after a significant cyberattack and more than half of surveyed healthcare organizations (57%) said they experienced poorer patient outcomes, with almost half reporting an increase in medical complications.  The most common consequences of the attacks that contributed to poorer patient outcomes were delays to procedures and tests.

The study was conducted by the Ponemon Institute on behalf of cybersecurity firm Proofpoint on 641 healthcare IT and security practitioners in the United States, with the findings detailed in the report, Cyber Insecurity in Healthcare; The Cost and Impact on Patient Safety and Care.  The findings mirror those of a previous study conducted by the Ponemon Institute in 2021 on behalf of Censinet. That study was conducted on 597 healthcare respondents and one-fifth (22%) said they experienced an increase in their mortality rates following a ransomware attack.

The latest study used a broader definition of cyberattack, which includes the four most common types of attack – cloud compromise, ransomware, business email compromise/phishing, and supply chain, and therefore indicates it is not only ransomware attacks that negatively affect patient outcomes. Ransomware attacks result in file encryption which can take critical IT systems out of action, but oftentimes healthcare organizations are forced to shut down IT systems to contain an attack. The recovery time from a ransomware attack is typically longer than other types of attack, with the survey establishing that ransomware attacks have the biggest impact out of the four most common types of attack. 64% of surveyed healthcare organizations said they experienced delays in medical tests and procedures following a ransomware attack and 59% said the attacks resulted in longer patient stays.

It should be noted that both studies established that there is a correlation between the worst types of cyberattacks and adverse patient outcomes but did not prove causation. Further studies need to be conducted to establish exactly what aspects of the attacks are having the biggest negative impact on patient outcomes and lead to an increase in mortality rate.

“The attacks we analyzed put a significant strain on healthcare organizations’ resources. Their result is not only tremendous cost but also a direct impact on patient care, endangering people’s safety and wellbeing,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Most of the IT and security professionals regard their organizations as vulnerable to these attacks, and two-thirds believe that technologies such as cloud, mobile, big data, and the Internet of Things—which are all seeing increased adoption—further increase the risks to patient data and safety.”

The Proofpoint survey also showed the extent to which healthcare organizations are being attacked. 89% of surveyed organizations experienced an average of 43 attacks in the past 12 months, although the extent to which those attacks were successful is unclear. Cyberattacks on healthcare organizations have a significant financial impact. A previous study, conducted by the Ponemon Institute on behalf of IBM Security, found the average cost of a cyberattack has increased to $4.4 million, with the healthcare industry having the highest breach costs out of all industry sectors, with the average cost of a healthcare data breach rising to $10.1 million.

Healthcare Cybersecurity Challenges and Biggest Security Risks

One of the biggest challenges faced by healthcare organizations is recruiting the necessary talent to defend against attacks, with the lack of in-house expertise rated as a major challenge by 53% of respondents. 46% said they lacked sufficient staffing in cybersecurity and both factors had a negative effect on organizations’ security posture.

Respondents were asked about their biggest security concerns, with one of the main worries being medical device security. On average healthcare organizations have 26,000 medical devices connected to the network, and these were considered a cybersecurity risk by 64% of respondents, yet only 51% of respondents said they included these devices in their cybersecurity strategy.

The biggest perceived vulnerability was cloud compromise, with 75% of respondents saying they were vulnerable to cloud compromise, and 72% saying they were vulnerable to ransomware attacks. 54% of organizations said they had experienced a cloud compromise in the past 2 years, with those organizations experiencing an average of 22 such compromises; however, 64% of organizations said they had taken steps to prepare for and respond to those attacks. 60% of organizations said they were most concerned about ransomware attacks, and 62% said they had taken steps to prevent and respond to ransomware attacks.

71% of organizations said they were vulnerable to supply chain attacks and 64% felt vulnerable to BEC and spoofing/phishing attacks, yet only 44% and 48% said they had documented response plans for these attacks.

Defending Against Healthcare Cyberattacks

Cyberattacks on the healthcare industry are increasing in number and sophistication. The key to protecting against these attacks is a defense in depth approach with multiple overlapping layers of protection. It is also important to have a documented and practiced incident response plan in place for each major type of attack. The lack of preparedness for responding to cyberattacks can put patient safety at risk. Having an incident response plan in place, where all individuals involved in the response know their roles and responsibilities can shorten the recovery time considerably, which limits the negative impact on patients and reduces the financial cost. Having consultants and cybersecurity firms in place that fully understand an organization’s infrastructure is a huge advantage and ensures the fastest possible response in the event of a successful attack.

While cyberattacks can be sophisticated, they often start with a social engineering or phishing attack. The importance of employee education cannot be overstated. All employees should be made aware of the importance of good cyber hygiene and what that entails, and they should be trained on how to recognize social engineering and phishing attacks. Providing regular cybersecurity awareness training to employees and testing with phishing simulations can significantly reduce risk over time.

“Healthcare has traditionally fallen behind other sectors in addressing vulnerabilities to the growing number of cybersecurity attacks, and this inaction has a direct negative impact on patients’ safety and wellbeing,” said Ryan Witt, healthcare cybersecurity leader, Proofpoint. “As long as cybersecurity remains a low priority, healthcare providers will continue to endanger their patients. To avoid devastating consequences, healthcare organizations must understand how cybersecurity affects their patient care and take the steps toward better preparedness that protects people and defends data.”

The post Study Confirms Increase in Mortality Rate and Poorer Patient Outcomes After Cyberattacks appeared first on HIPAA Journal.

The HHS’ Office of Inspector General (OIG) has called for the Health Resources and Services Administration (HRSA) to improve oversight of the cybersecurity of the Organ Procurement and Transplantation Network (OPTN).

The OPTN is a national system for allocating and distributing donor organs to individuals in need of organ transplants. The OPTN is a public-private partnership that links all professionals that are involved in the donation and transplantation system which is administered by the United Network for Organ Sharing (UNOS). UNOS is a nonprofit that is responsible for managing systems that contain the personal and medical information of organ donors, candidates for transplants, and transplant recipients.

The IT systems supporting the OPTN ensure the rapid matching of donated organs with patients awaiting organ donation. There is a very short window of opportunity for providing donated organizations to recipients, which can be just a matter of hours or days. The IT systems that support the OPTN are essential for ensuring that process is efficient, and require the confidentiality, integrity, and availability of data to be maintained at all times. The Department of Health and Human Services has designated the OPTN a High-Value Asset.

If hackers were to breach the OPTN systems, they could be disrupted which could prevent organs from being matched, which could be a life and death matter. The OPTN has been criticized for the outdated IT systems that are in use and the lack of technical capabilities to upgrade those IT systems and make them secure and fit for purpose. While UNOS maintains that security controls are in place to ensure the confidentiality, integrity, and availability of data in IT systems, there is concern that vulnerabilities may exist that could be exploited by malicious actors.

Prior to 2018, the OPTN contract did not include any cybersecurity requirements and standards because the HRSA did not feel it could compel compliance, and prior to 2018, the HRSA only conducted limited oversight of OPTN cybersecurity. The HRSA modified the contract with UNOS in 2018 to require FISMA and NIST cybersecurity guidelines to be followed, and oversight of the OPTN was increased, including ensuring there was appropriate monitoring of compliance with FISMA and NIST standards.

OIG conducted an audit to determine whether the HRSA had implemented appropriate cybersecurity controls for the OPTN in line with Federal requirements to ensure the confidentiality, integrity, and availability of donation and transplantation data, and to assess whether there was adequate oversight of UNOS’s implementation of cybersecurity. The OIG review did not include any technical testing, although there were reviews of selected general IT controls to determine if they had been implemented in line with Federal requirements, including the system security plan, risk assessment, access controls, configuration management, system monitoring, flaw remediation, and vulnerability assessments. Reviews were also conducted on two penetration tests of the OPTN.

OIG determined that most of the IT controls had been implemented in accordance with Federal requirements but identified several areas were identified where HRSA could improve oversight of UNOS. OIG found that HRSA lacked adequate oversight procedures for UNOS to ensure that all Federal cybersecurity requirements were being met in a timely and effective manner. For instance, despite NIST giving policy and procedure controls for each security control family the highest priority code, several of UNOS’s policies and procedures either did not exist or were in draft form. Access controls and risk assessment policies and procedures were still in draft form and system monitoring policies and procedures did not exist. There was also a high risk that local site administrators would not deactivate local site user accounts in a timely manner, and were that to happen, it may go undetected by UNOS for up to a year until the next annual user account audit was conducted.

“Without finalized, written policies and procedures, there is a high risk that UNOS staff may not fully understand or perform as intended their roles and responsibilities as they pertain to certain cybersecurity controls, or that the OPTN will not comply with NIST controls as required by the FISMA,” said OIG in the report. “A lack of finalized, written policies and procedures could result in essential cybersecurity controls not being implemented properly or at all.”

OIG has recommended HRSA improve its oversight to ensure that the OPTN contractor is complying with all Federal cybersecurity requirements and does so in a timely manner. HRSA said it had ensured that most of the cybersecurity controls assessed by OIG had been implemented by UNOS, and that it has taken actions to strengthen oversight and controls, including appointing an OPTN Information System Security Officer to oversee the contractor’s cybersecurity efforts. Action has also been taken to finalize all policies and procedures in draft form, POAMs have been created to ensure the timely disabling and removal of inactive user accounts, and HRSA has ensured UNOS has implemented 2-factor authentication for all users.

The post OIG Calls for Greater Oversight of the Cybersecurity of the Organ Procurement and Transplantation Network appeared first on HIPAA Journal.