The U.S Food and Drug Administration (FDA) user fee reauthorization bill passed by the House of Representatives in June included new provisions requiring medical device manufacturers to monitor for and address postmarket cybersecurity vulnerabilities in their devices, ensure medical devices are labeled with a software bill of materials and are capable of receiving patches to ensure cybersecurity for the entire lifecycle of the devices. The bill was passed with a vote of 392-28; however, those cybersecurity requirements have now been stripped out.

The FDA’s authorization to collect fees from the healthcare sector to conduct independent reviews of drugs and medical devices was due to come to an end on September 30, and with time running out, the FDA bowed to pressure from Senate republicans and stripped out the new cybersecurity requirements for medical device manufacturers. Were the FDA’s 5-year authorization not to be renewed, the FDA anticipated only being able to continue with its review activities for around 5 weeks before its money ran out. The FDA reauthorization was included in a temporary spending bill that has now been passed and will keep the FDA and the rest of the Federal government funded through December 16, 2022.

“In June, the House passed a user fee reauthorization package on time with overwhelming bipartisan support. After the House passed its user fee package, bipartisan Energy and Commerce and HELP leaders came to agreement on language to cover many significant policy areas that we wanted included in the Continuing Resolution,” said Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-NJ) in a statement. “Unfortunately, Senate Republican leadership blocked these policy agreements from being included.”

U.S. Senators Patty Murray (D-WA) and Richard Burr (R-NC), Chair and Ranking Member of the Senate Committee on Health, Education, Labor, and Pensions (HELP), issued a statement on the FDA reauthorization. “We are glad to announce an agreement to reauthorize the FDA user fee programs, which will ensure that FDA can continue its important work and will not need to send out pink slips. However, there is more work ahead this Congress to deliver the kinds of reforms families need to see from FDA, from industry, and from our mental health and pandemic preparedness efforts.” The senators confirmed that they are committed to continuing that work, and will be including strong, bipartisan legislation in a robust end-of-year package.

The removal of the cybersecurity requirements is a disappointment but not surprising. Healthcare organizations should not wait for regulatory changes and should ensure that they proactively identify and address vulnerabilities in medical devices to ensure the security of their networks, confidentiality of data, and patient safety.

The post Medical Device Cybersecurity Requirements Stripped from FDA Reauthorization Bill appeared first on HIPAA Journal.

The Federal Bureau of Investigation (FBI) has Issued a TLP:WHITE Private Industry Notification warning about ongoing cybercriminal campaigns targeting healthcare payment processors that attempt to redirect victim payments to accounts under the control of the attackers.

These attacks use social engineering techniques to obtain the login credentials of healthcare payment processors to allow them to divert payments, such as phishing attacks that spoof support centers. The attackers have used publicly available personally identifiable information to obtain access to files, healthcare portals, payment information, and websites.

The goal of these attacks is to change direct deposit information, which in one attack on a large healthcare company in February 2022, resulted in changes to direct deposit information for a consumer checking account that saw payments totaling $3.1 million redirected to the attacker’s account. The same month, a separate attack occurred that used similar techniques to redirect around $700,000.

In April 2022, a healthcare company with 175 medical providers discovered an attack where an employee had been impersonated and Automated Clearing House (ACH) instructions of one of their payment processing vendors were sent that redirected payments to a cybercriminal’s account, resulting in two payments totaling $840,000 being sent to the attacker’s account.

The FBI says between June 2018 and January 2019 at least 65 healthcare payment processors were targeted in the United States and contact information and banking details were changed to direct payments to attacker-controlled accounts, with one of those attacks seeing payments totaling $1.5 million being lost, with the initial access to a customer account being gained through phishing. The FBI warns that entities involved in the processing and distributing healthcare payments through payment processors remain vulnerable to attacks such as this.

Phishing emails are sent to employees in the financial departments of a targeted healthcare payment processor. A trusted individual is often impersonated, and social engineering techniques are used to trick employees into making changes to bank accounts. Login credentials are stolen in these attacks that allow the attacker to make changes to email exchange server configurations and set up custom rules for accounts of interest.

Employees that have been targeted have reported receiving requests to reset passwords and 2FA phone numbers within a short time frame. The attackers change account credentials to allow persistent access, and the employees who had their accounts hacked report being locked out of their payment processor accounts due to failed password recovery attempts.

The FBI has made several recommendations on how to defend against these attacks and reduce the risk of compromise. These include:

• Ensure endpoint detection software is used on all endpoints, including up-to-date anti-virus and anti-malware solutions
• Conduct regular network security assessments, penetration tests, and vulnerability scans
• Provide training to the workforce to teach employees how to recognize phishing and social engineering attacks, and provide an easy way for them to report suspicious emails – such as an Outlook plugin that allows one-click reporting
• Ensure employees are aware that they must only conduct requests for sensitive information through approved secondary channels
• Set up multi-factor authentication for all accounts, ideally requiring a physical device for authentication – such as a Yubikey – rather than a one-time code sent to a mobile device
• Verify and modify as needed contract renewals to include the inability to change both credentials and 2FA within the same timeframe to reduce further vulnerability exploitations.
• Implement policies and procedures for changing existing financial information to include verification through an appropriate, established channel
• Ensure all accounts have strong, unique passwords set
• Ensure software is updated and patches are applied promptly to prevent the exploitation of vulnerabilities.

The post FBI Warns of Ongoing Cybercriminal Campaigns Targeting Healthcare Payment Processors appeared first on HIPAA Journal.

The Federal Bureau of Investigation (FBI) has issued a private industry notification warning about the rising number of vulnerabilities in medical devices. If medical devices are not promptly patched and are running out of date software, malicious actors could exploit vulnerabilities and gain access to sensitive patient data or the networks to which the devices connect. With a foothold in the network, threat actors could conduct attacks that adversely impact the operational functions of healthcare facilities. Medical devices are often used to sustain patients with mild to severe medical conditions and attacks on those devices have the potential to cause serious harm to patients and even result in the loss of life.

The FBI says vulnerabilities in medical devices predominantly stem from device hardware design and device software management. When medical devices are operated in the default configuration, that often provides threat actors with an opportunity to exploit vulnerabilities. Devices with customized software can be difficult to patch, often requiring specialized procedures, which can slow down updates and leave vulnerabilities unaddressed for longer, increasing the window of opportunity for vulnerabilities to be exploited.

Medical devices have been developed to perform specific functions, but security was never a consideration because the devices were not considered to be a security threat. These devices are vulnerable and if exposed to the Internet could provide threat actors with an easy way to gain access to the devices, alter their functionality, or use them as a springboard to launch an attack on an organization.

The FBI cites a recent study that suggests 53% of network-connected medical devices and other IoT devices used in hospitals have known critical vulnerabilities that have not been addressed, with around one-third of healthcare IoT devices having a critical vulnerability that could affect the technical operation or functionality of medical devices. These devices include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, intrathecal pain pumps, and pacemakers.

Another study suggests medical devices have an average of 6.2 vulnerabilities per device, and more than 40% of medical devices that have reached end-of-life are no longer receiving security patches and software upgrades to correct vulnerabilities, but those devices often remain in use despite the security risks involved.

Unpatched and outdated medical devices provide cyberattack opportunities, so it is vital that vulnerabilities are addressed and risk is reduced to a low and acceptable level. The FBI has made several recommendations for improving the security of medical devices:

• Ensure endpoint protection measures are implemented including antivirus software and endpoint detection and response (XDR) solutions
• Use encryption for sensitive data
• Change all default passwords and set complex, unique passwords, and limit the number of logins per user
• Ensure an accurate inventory is maintained of all devices, including the patching status, software version, and any vendor-developed software components used by the devices
• Develop a plan for replacing medical and IoT devices prior to reaching end-of-life
• Ensure vulnerabilities are promptly patched on all medical devices
• Conduct routine vulnerability scans before installing any new device onto the operating network
• Train employees to help mitigate human risks, including teaching employees how to identify and report threats, the attacks that target employees such as social engineering and phishing, and add banners to emails that come from external sources.

The FBI alert – Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities – and the full recommendations for mitigating vulnerabilities can be viewed on this link.

The post FBI Warns Healthcare Providers About Unpatched and Outdated Medical Device Risks appeared first on HIPAA Journal.

A recent study has revealed that more than 20% of healthcare organizations experienced an increase in mortality rate after a significant cyberattack and more than half of surveyed healthcare organizations (57%) said they experienced poorer patient outcomes, with almost half reporting an increase in medical complications.  The most common consequences of the attacks that contributed to poorer patient outcomes were delays to procedures and tests.

The study was conducted by the Ponemon Institute on behalf of cybersecurity firm Proofpoint on 641 healthcare IT and security practitioners in the United States, with the findings detailed in the report, Cyber Insecurity in Healthcare; The Cost and Impact on Patient Safety and Care.  The findings mirror those of a previous study conducted by the Ponemon Institute in 2021 on behalf of Censinet. That study was conducted on 597 healthcare respondents and one-fifth (22%) said they experienced an increase in their mortality rates following a ransomware attack.

The latest study used a broader definition of cyberattack, which includes the four most common types of attack – cloud compromise, ransomware, business email compromise/phishing, and supply chain, and therefore indicates it is not only ransomware attacks that negatively affect patient outcomes. Ransomware attacks result in file encryption which can take critical IT systems out of action, but oftentimes healthcare organizations are forced to shut down IT systems to contain an attack. The recovery time from a ransomware attack is typically longer than other types of attack, with the survey establishing that ransomware attacks have the biggest impact out of the four most common types of attack. 64% of surveyed healthcare organizations said they experienced delays in medical tests and procedures following a ransomware attack and 59% said the attacks resulted in longer patient stays.

It should be noted that both studies established that there is a correlation between the worst types of cyberattacks and adverse patient outcomes but did not prove causation. Further studies need to be conducted to establish exactly what aspects of the attacks are having the biggest negative impact on patient outcomes and lead to an increase in mortality rate.

“The attacks we analyzed put a significant strain on healthcare organizations’ resources. Their result is not only tremendous cost but also a direct impact on patient care, endangering people’s safety and wellbeing,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Most of the IT and security professionals regard their organizations as vulnerable to these attacks, and two-thirds believe that technologies such as cloud, mobile, big data, and the Internet of Things—which are all seeing increased adoption—further increase the risks to patient data and safety.”

The Proofpoint survey also showed the extent to which healthcare organizations are being attacked. 89% of surveyed organizations experienced an average of 43 attacks in the past 12 months, although the extent to which those attacks were successful is unclear. Cyberattacks on healthcare organizations have a significant financial impact. A previous study, conducted by the Ponemon Institute on behalf of IBM Security, found the average cost of a cyberattack has increased to $4.4 million, with the healthcare industry having the highest breach costs out of all industry sectors, with the average cost of a healthcare data breach rising to $10.1 million.

Healthcare Cybersecurity Challenges and Biggest Security Risks

One of the biggest challenges faced by healthcare organizations is recruiting the necessary talent to defend against attacks, with the lack of in-house expertise rated as a major challenge by 53% of respondents. 46% said they lacked sufficient staffing in cybersecurity and both factors had a negative effect on organizations’ security posture.

Respondents were asked about their biggest security concerns, with one of the main worries being medical device security. On average healthcare organizations have 26,000 medical devices connected to the network, and these were considered a cybersecurity risk by 64% of respondents, yet only 51% of respondents said they included these devices in their cybersecurity strategy.

The biggest perceived vulnerability was cloud compromise, with 75% of respondents saying they were vulnerable to cloud compromise, and 72% saying they were vulnerable to ransomware attacks. 54% of organizations said they had experienced a cloud compromise in the past 2 years, with those organizations experiencing an average of 22 such compromises; however, 64% of organizations said they had taken steps to prepare for and respond to those attacks. 60% of organizations said they were most concerned about ransomware attacks, and 62% said they had taken steps to prevent and respond to ransomware attacks.

71% of organizations said they were vulnerable to supply chain attacks and 64% felt vulnerable to BEC and spoofing/phishing attacks, yet only 44% and 48% said they had documented response plans for these attacks.

Defending Against Healthcare Cyberattacks

Cyberattacks on the healthcare industry are increasing in number and sophistication. The key to protecting against these attacks is a defense in depth approach with multiple overlapping layers of protection. It is also important to have a documented and practiced incident response plan in place for each major type of attack. The lack of preparedness for responding to cyberattacks can put patient safety at risk. Having an incident response plan in place, where all individuals involved in the response know their roles and responsibilities can shorten the recovery time considerably, which limits the negative impact on patients and reduces the financial cost. Having consultants and cybersecurity firms in place that fully understand an organization’s infrastructure is a huge advantage and ensures the fastest possible response in the event of a successful attack.

While cyberattacks can be sophisticated, they often start with a social engineering or phishing attack. The importance of employee education cannot be overstated. All employees should be made aware of the importance of good cyber hygiene and what that entails, and they should be trained on how to recognize social engineering and phishing attacks. Providing regular cybersecurity awareness training to employees and testing with phishing simulations can significantly reduce risk over time.

“Healthcare has traditionally fallen behind other sectors in addressing vulnerabilities to the growing number of cybersecurity attacks, and this inaction has a direct negative impact on patients’ safety and wellbeing,” said Ryan Witt, healthcare cybersecurity leader, Proofpoint. “As long as cybersecurity remains a low priority, healthcare providers will continue to endanger their patients. To avoid devastating consequences, healthcare organizations must understand how cybersecurity affects their patient care and take the steps toward better preparedness that protects people and defends data.”

The post Study Confirms Increase in Mortality Rate and Poorer Patient Outcomes After Cyberattacks appeared first on HIPAA Journal.