Healthcare Cybersecurity

Study Confirms Increase in Mortality Rate and Poorer Patient Outcomes After Cyberattacks

A recent study has found that more than 20% of healthcare organizations experienced an increase in mortality rate after a significant cyberattack, and more than half of surveyed healthcare organizations (57%) said they experienced poorer patient outcomes, with almost half reporting an increase in medical complications. The most common consequence of the attacks that contributed to poorer patient outcomes was delays to procedures and tests.

The study was conducted by the Ponemon Institute on behalf of cybersecurity firm Proofpoint on 641 healthcare IT and security practitioners in the United States, with the findings detailed in the report, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care. The findings mirror those of a previous study conducted by the Ponemon Institute in 2021 on behalf of Censinet. That study was conducted on 597 healthcare respondents, and one-fifth (22%) said they experienced an increase in their mortality rates following a ransomware attack.

The latest study used a broader definition of cyberattack, covering the four most common types of attack – cloud compromise, ransomware, business email compromise/phishing, and supply chain – and therefore indicates that it is not only ransomware attacks that negatively affect patient outcomes. Ransomware attacks encrypt files, which can take critical IT systems out of action, and healthcare organizations are often also forced to shut down IT systems themselves to contain an attack. Recovery from a ransomware attack typically takes longer than from other types of attack, and the survey established that ransomware attacks have the biggest impact of the four. 64% of surveyed healthcare organizations said they experienced delays in medical tests and procedures following a ransomware attack, and 59% said the attacks resulted in longer patient stays.

It should be noted that both studies established a correlation between the most disruptive types of cyberattack and adverse patient outcomes but did not prove causation. Further studies are needed to establish exactly which aspects of the attacks have the biggest negative impact on patient outcomes and lead to the increase in mortality rate.

“The attacks we analyzed put a significant strain on healthcare organizations’ resources. Their result is not only tremendous cost but also a direct impact on patient care, endangering people’s safety and wellbeing,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Most of the IT and security professionals regard their organizations as vulnerable to these attacks, and two-thirds believe that technologies such as cloud, mobile, big data, and the Internet of Things—which are all seeing increased adoption—further increase the risks to patient data and safety.”

The Proofpoint survey also showed the extent to which healthcare organizations are being attacked. 89% of surveyed organizations experienced an average of 43 attacks in the past 12 months, although the extent to which those attacks were successful is unclear. Cyberattacks on healthcare organizations have a significant financial impact. A previous study, conducted by the Ponemon Institute on behalf of IBM Security, found the average cost of a data breach has increased to $4.4 million, with the healthcare industry having the highest breach costs of all industry sectors: the average cost of a healthcare data breach has risen to $10.1 million.

Healthcare Cybersecurity Challenges and Biggest Security Risks

One of the biggest challenges faced by healthcare organizations is recruiting the necessary talent to defend against attacks, with the lack of in-house expertise rated as a major challenge by 53% of respondents, and 46% said they lacked sufficient cybersecurity staff. Both factors had a negative effect on organizations’ security posture.

Respondents were asked about their biggest security concerns, with one of the main worries being medical device security. On average healthcare organizations have 26,000 medical devices connected to the network, and these were considered a cybersecurity risk by 64% of respondents, yet only 51% of respondents said they included these devices in their cybersecurity strategy.

The biggest perceived vulnerability was cloud compromise, with 75% of respondents saying they were vulnerable to cloud compromise, and 72% saying they were vulnerable to ransomware attacks. 54% of organizations said they had experienced a cloud compromise in the past 2 years, with those organizations experiencing an average of 22 such compromises; however, 64% of organizations said they had taken steps to prepare for and respond to those attacks. 60% of organizations said they were most concerned about ransomware attacks, and 62% said they had taken steps to prevent and respond to ransomware attacks.

71% of organizations said they were vulnerable to supply chain attacks and 64% felt vulnerable to BEC and spoofing/phishing attacks, yet only 44% and 48% said they had documented response plans for these attacks.

Defending Against Healthcare Cyberattacks

Cyberattacks on the healthcare industry are increasing in number and sophistication. The key to protecting against these attacks is a defense in depth approach with multiple overlapping layers of protection. It is also important to have a documented and practiced incident response plan in place for each major type of attack. The lack of preparedness for responding to cyberattacks can put patient safety at risk. Having an incident response plan in place, where all individuals involved in the response know their roles and responsibilities can shorten the recovery time considerably, which limits the negative impact on patients and reduces the financial cost. Having consultants and cybersecurity firms in place that fully understand an organization’s infrastructure is a huge advantage and ensures the fastest possible response in the event of a successful attack.

While cyberattacks can be sophisticated, they often start with a social engineering or phishing attack. The importance of employee education cannot be overstated. All employees should be made aware of the importance of good cyber hygiene and what that entails, and they should be trained on how to recognize social engineering and phishing attacks. Providing regular cybersecurity awareness training to employees and testing with phishing simulations can significantly reduce risk over time.

“Healthcare has traditionally fallen behind other sectors in addressing vulnerabilities to the growing number of cybersecurity attacks, and this inaction has a direct negative impact on patients’ safety and wellbeing,” said Ryan Witt, healthcare cybersecurity leader, Proofpoint. “As long as cybersecurity remains a low priority, healthcare providers will continue to endanger their patients. To avoid devastating consequences, healthcare organizations must understand how cybersecurity affects their patient care and take the steps toward better preparedness that protects people and defends data.”

The post Study Confirms Increase in Mortality Rate and Poorer Patient Outcomes After Cyberattacks appeared first on HIPAA Journal.

OIG Calls for Greater Oversight of the Cybersecurity of the Organ Procurement and Transplantation Network

The HHS’ Office of Inspector General (OIG) has called for the Health Resources and Services Administration (HRSA) to improve oversight of the cybersecurity of the Organ Procurement and Transplantation Network (OPTN).

The OPTN is the national system for allocating and distributing donor organs to individuals in need of organ transplants. It is a public-private partnership that links all of the professionals involved in the donation and transplantation system, and it is administered under contract with HRSA by the United Network for Organ Sharing (UNOS), a nonprofit that manages the systems containing the personal and medical information of organ donors, transplant candidates, and transplant recipients.

The IT systems supporting the OPTN ensure the rapid matching of donated organs with patients awaiting transplants. There is a very short window of opportunity for providing donated organs to recipients, which can be a matter of hours or days. The IT systems that support the OPTN are essential for ensuring that process is efficient, and they require the confidentiality, integrity, and availability of data to be maintained at all times. The Department of Health and Human Services has designated the OPTN a High-Value Asset.

If hackers were to breach the OPTN systems, they could be disrupted which could prevent organs from being matched, which could be a life and death matter. The OPTN has been criticized for the outdated IT systems that are in use and the lack of technical capabilities to upgrade those IT systems and make them secure and fit for purpose. While UNOS maintains that security controls are in place to ensure the confidentiality, integrity, and availability of data in IT systems, there is concern that vulnerabilities may exist that could be exploited by malicious actors.

Prior to 2018, the OPTN contract did not include any cybersecurity requirements and standards because the HRSA did not feel it could compel compliance, and prior to 2018, the HRSA only conducted limited oversight of OPTN cybersecurity. The HRSA modified the contract with UNOS in 2018 to require FISMA and NIST cybersecurity guidelines to be followed, and oversight of the OPTN was increased, including ensuring there was appropriate monitoring of compliance with FISMA and NIST standards.

OIG conducted an audit to determine whether the HRSA had implemented appropriate cybersecurity controls for the OPTN in line with Federal requirements to ensure the confidentiality, integrity, and availability of donation and transplantation data, and to assess whether there was adequate oversight of UNOS’s implementation of cybersecurity. The OIG review did not include any technical testing, although there were reviews of selected general IT controls to determine if they had been implemented in line with Federal requirements, including the system security plan, risk assessment, access controls, configuration management, system monitoring, flaw remediation, and vulnerability assessments. Reviews were also conducted on two penetration tests of the OPTN.

OIG determined that most of the IT controls had been implemented in accordance with Federal requirements, but identified several areas where HRSA could improve its oversight of UNOS. OIG found that HRSA lacked adequate oversight procedures for UNOS to ensure that all Federal cybersecurity requirements were being met in a timely and effective manner. For instance, despite NIST assigning the policy and procedure controls in each security control family the highest priority code, several of UNOS’s policies and procedures either did not exist or were only in draft form. Access control and risk assessment policies and procedures were still in draft form, and system monitoring policies and procedures did not exist. There was also a high risk that local site administrators would not deactivate local site user accounts in a timely manner, and if that happened it could go undetected by UNOS for up to a year, until the next annual user account audit.

“Without finalized, written policies and procedures, there is a high risk that UNOS staff may not fully understand or perform as intended their roles and responsibilities as they pertain to certain cybersecurity controls, or that the OPTN will not comply with NIST controls as required by the FISMA,” said OIG in the report. “A lack of finalized, written policies and procedures could result in essential cybersecurity controls not being implemented properly or at all.”

OIG has recommended HRSA improve its oversight to ensure that the OPTN contractor complies with all Federal cybersecurity requirements and does so in a timely manner. HRSA said it had ensured that most of the cybersecurity controls assessed by OIG had been implemented by UNOS, and that it has taken actions to strengthen oversight and controls, including appointing an OPTN Information System Security Officer to oversee the contractor’s cybersecurity efforts. Action has also been taken to finalize all policies and procedures that were in draft form, plans of action and milestones (POA&Ms) have been created to ensure the timely disabling and removal of inactive user accounts, and HRSA has ensured UNOS has implemented 2-factor authentication for all users.
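
The gap OIG describes, a deactivation missed by a local site administrator that nobody notices until the next annual audit, is closed by running the account review continuously rather than once a year. The following Python script is an added example of such a review; it is not from the OIG report, HRSA, or UNOS. The account export format, site codes, user names, and the 90-day inactivity threshold are assumptions; the inactivity rule follows the intent of NIST SP 800-53 control AC-2(3), which calls for disabling accounts after a defined period of inactivity.

```python
from datetime import date

# Constructed sample account export for three sites. Not real OPTN/UNOS data;
# site codes and user names are made up for this example.
SAMPLE_ACCOUNTS = [
    {"user": "rjones",  "site": "TX-01", "enabled": True,  "last_login": "2022-08-20", "separated": None},
    {"user": "mlee",    "site": "TX-01", "enabled": True,  "last_login": "2022-01-05", "separated": None},
    {"user": "kpatel",  "site": "CA-07", "enabled": True,  "last_login": "2022-07-30", "separated": "2022-08-01"},
    {"user": "svc_hl7", "site": "CA-07", "enabled": True,  "last_login": None,         "separated": None},
    {"user": "dgomez",  "site": "NY-03", "enabled": False, "last_login": "2021-11-11", "separated": "2021-11-15"},
]


def _d(s):
    """Parse an ISO date string, passing None through."""
    return date.fromisoformat(s) if s else None


def review_accounts(accounts, today, inactive_days=90, separation_grace_days=1):
    """Return (user, site, finding) tuples for enabled accounts that should be disabled.

    today is an ISO date string so the review is reproducible. inactive_days is an
    assumed threshold in the spirit of NIST SP 800-53 AC-2(3); separation_grace_days
    is how long after an HR separation an account may remain enabled.
    """
    today = _d(today)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to do
        separated = _d(acct["separated"])
        last_login = _d(acct["last_login"])
        if separated is not None and (today - separated).days > separation_grace_days:
            findings.append((acct["user"], acct["site"], "separated_but_enabled"))
        elif last_login is None:
            findings.append((acct["user"], acct["site"], "never_logged_in"))
        elif (today - last_login).days > inactive_days:
            findings.append((acct["user"], acct["site"], "inactive"))
    return findings


def findings_by_site(findings):
    """Group findings by site so each local site administrator receives their own list."""
    grouped = {}
    for user, site, reason in findings:
        grouped.setdefault(site, []).append((user, reason))
    return grouped


if __name__ == "__main__":
    result = review_accounts(SAMPLE_ACCOUNTS, "2022-09-01")
    for site, items in findings_by_site(result).items():
        print(site, items)
```

Run daily against the identity system's export, the worst case for a missed deactivation drops from roughly a year to the grace period plus one day. The separation check is evaluated before the inactivity check on purpose: a separated user who logged in yesterday is the more urgent finding, not the less urgent one.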

Health-ISAC Publishes Guidance for CISOs on Implementing Zero Trust Security Architectures

Health-ISAC has published a white paper that serves as a guide for healthcare CISOs looking to implement zero trust security architectures.

The traditional security approach is akin to a castle and moat, where perimeter defenses are established to keep unauthorized individuals out. While this security approach has served organizations well in the past, it is not effective in the cloud where there is no perimeter to defend. Further, the threat landscape is rapidly changing, and malicious actors are successfully breaching perimeter defenses with increasing frequency. Once the perimeter defenses are breached, threat actors can move laterally within networks undetected and are free to perform a wide range of malicious activities.

A zero trust security approach continues to provide protection should a malicious actor gain access to internal networks. It makes lateral movement much more difficult and can greatly reduce the harm that can be caused. Zero trust means never trust, always verify. All traffic between devices and systems is untrusted and requires authentication, authorization, and continuous monitoring.

With zero trust there is no single cybersecurity solution to implement. “Implementing a zero trust architecture is not as simple as going to one vendor and picking a solution off the shelf. There are several components that need to be integrated together to create a holistic zero trust architecture,” explains Health-ISAC in the guidance. Those components include identity and access management, a cloud security gateway, data security, network security, workload and application security, and device security.

Following President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028), federal agencies have been implementing zero trust strategies, but zero trust is not easy to implement and it can be particularly challenging for healthcare organizations. Two of the biggest challenges in healthcare come from the widespread use of IoT-enabled devices and from a highly mobile workforce.

IoT-enabled devices include defibrillators, nebulizers, oxygen pumps, and patient monitors, which transfer data from patients to workstations for monitoring. These devices all need to be given a unique identity, an accurate and up-to-date inventory of the devices must be maintained, and the devices must be configured to communicate through encrypted channels.

Secondly, in healthcare, employees are often on the move and access devices in multiple locations, and often carry portable devices to perform documentation. Implementing the fine-grained authorization and multifactor authentication that are necessary for zero trust can be a huge challenge and may require additional components and configuration changes.

To help healthcare organizations overcome the zero trust security challenges, Health-ISAC recently published a white paper that serves as a guide for healthcare CISOs on how to implement zero trust architectures.

The guidance explains what zero trust security means and how it involves an identity-centric approach to cybersecurity with granular authorization, prioritizing multi-factor authentication and the principle of least privilege, with all subjects, assets, and workflows requiring specific authentication and authorization.

The new guidance document builds on the advice published by Health-ISAC in 2020 – An H-ISAC Framework for CISOs to Manage Identity – and applies zero trust principles: securing all communications, monitoring the integrity and security of assets, granting access on a per-session basis, creating policy-based authorization based on contextual information, and onboarding devices to the target systems and resources. The guidance details the steps that healthcare CISOs need to take to start implementing zero trust infrastructures.
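
To make those principles concrete, the following Python policy engine is an added example, not code from the Health-ISAC white paper or from any vendor product. It evaluates one access request at a time against a device inventory (unique identity per device, including the patient monitors discussed above), the channel's encryption state, device posture, MFA for human subjects, and a least-privilege role table, and it issues a short-lived per-session grant. The inventory, roles, fingerprints, and the 15-minute session TTL are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed inventory, role table and requests: assumptions for this example,
# none of it from the Health-ISAC paper. Every device is enrolled with a unique
# identity (a client certificate fingerprint) before any of its traffic is trusted.
INVENTORY = {
    "mon-icu-0042": {"kind": "patient_monitor", "fingerprint": "3f9a1c", "resources": {"telemetry-ingest"}},
    "ws-ed-17":     {"kind": "workstation",     "fingerprint": "b71c88", "resources": {"ehr", "telemetry-ingest"}},
}
PERMISSIONS = {  # least privilege: role -> resource -> allowed actions
    "device": {"telemetry-ingest": {"write"}},
    "nurse":  {"ehr": {"read"}, "telemetry-ingest": {"read"}},
    "admin":  {"ehr": {"read", "write"}, "telemetry-ingest": {"read", "write"}},
}
SESSION_TTL_SECONDS = 900  # a grant covers one session and is re-evaluated after this


@dataclass
class Request:
    subject: str             # user or device principal
    role: str
    device_id: str
    device_fingerprint: str  # presented by the client certificate
    resource: str
    action: str
    encrypted: bool          # mutually authenticated TLS on the channel?
    mfa_verified: bool       # humans must have completed MFA in this session
    posture_ok: bool         # device passed its latest integrity/patch check


def decide(req):
    """Evaluate one request against inventory, channel, posture and role policy.

    Returns {"allow": bool, "reasons": [...], "ttl": seconds}. Every check runs and
    every failure is recorded, so a denial explains itself in the audit log.
    """
    reasons = []
    device = INVENTORY.get(req.device_id)
    if device is None:
        reasons.append("device not in inventory")
    elif device["fingerprint"] != req.device_fingerprint:
        reasons.append("device identity mismatch")
    elif req.resource not in device["resources"]:
        reasons.append("device not permitted to reach resource")
    if not req.encrypted:
        reasons.append("channel not encrypted")
    if not req.posture_ok:
        reasons.append("device posture check failed")
    if req.role != "device" and not req.mfa_verified:
        reasons.append("MFA required")
    if req.action not in PERMISSIONS.get(req.role, {}).get(req.resource, set()):
        reasons.append(f"role {req.role} may not {req.action} {req.resource}")
    return {"allow": not reasons, "reasons": reasons,
            "ttl": SESSION_TTL_SECONDS if not reasons else 0}


# Constructed requests exercising the policy.
MONITOR_TELEMETRY = Request("mon-icu-0042", "device", "mon-icu-0042", "3f9a1c",
                            "telemetry-ingest", "write", True, False, True)
NURSE_NO_MFA = Request("jdoe", "nurse", "ws-ed-17", "b71c88", "ehr", "read", True, False, True)
NURSE_WITH_MFA = Request("jdoe", "nurse", "ws-ed-17", "b71c88", "ehr", "read", True, True, True)
NURSE_WRITES_EHR = Request("jdoe", "nurse", "ws-ed-17", "b71c88", "ehr", "write", True, True, True)
CLONED_MONITOR = Request("mon-icu-0042", "device", "mon-icu-0042", "deadbe",
                         "telemetry-ingest", "write", False, False, True)

if __name__ == "__main__":
    for name, r in [("monitor", MONITOR_TELEMETRY), ("nurse, no MFA", NURSE_NO_MFA),
                    ("nurse, MFA", NURSE_WITH_MFA), ("cloned monitor", CLONED_MONITOR)]:
        print(name, decide(r))
```

The cloned-monitor case is the one that matters for the IoT discussion: a device that reuses a known device ID but cannot present the enrolled certificate is denied regardless of what it asks for, and the denial names both the identity mismatch and the unencrypted channel.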

Multiple Vulnerabilities Identified in Contec Health Vital Signs Patient Monitors

Five vulnerabilities have been identified in Contec Health’s CMS8000 CONTEC ICU CCU Vital Signs Patient Monitor. Successful exploitation of the vulnerabilities could allow a threat actor to conduct a denial-of-service attack, access a root shell, make configuration changes, modify firmware, and cause the monitor to display incorrect information.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory about the vulnerabilities but said Contec Health did not respond to its requests, so healthcare providers that use the affected monitors should contact Contec Health directly for information on how to mitigate the vulnerabilities.

The most serious vulnerability – CVE-2022-38100 – has a CVSS v3 severity score of 7.5 and can be exploited remotely by a threat actor with access to the network. Successful exploitation of the vulnerability would cause the device to fail. The flaw can be exploited by sending malformed network data to the device via a specially formatted UDP request. The device would crash and require a reboot. The attack could be conducted simultaneously on all vulnerable devices connected to the network in a mass denial-of-service attack.

The device has improper access controls that can be exploited, albeit by a threat actor with physical access to the device. A USB device could be plugged in and malicious firmware could be uploaded to permanently change the functionality of the device. No authentication is required to perform the firmware upgrade. The flaw is tracked as CVE-2022-36385 and has a CVSS severity score of 6.8.

The device does not correctly sanitize the SSID name of a new Wi-Fi access point – CVE-2022-3027. If an SSID with a malicious name is created, such as one containing non-standard characters, the flaw could be exploited when the device attempts to connect to that access point to write files to the device and cause it to display incorrect information. The flaw has been assigned a CVSS severity score of 5.7.
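
The advisory does not describe how the monitor's firmware mishandles the SSID, so the following Python validator is an added example of the allowlist check a device's Wi-Fi client or a provisioning tool should apply before using a scanned SSID, not Contec's code or a description of the actual bug. The 32-octet limit is the IEEE 802.11 maximum; the character allowlist is an assumed site naming convention. It validates on the UTF-8 byte length, since a name that is 17 characters long can still be 34 octets.

```python
import re

MAX_SSID_OCTETS = 32                              # IEEE 802.11 limit on SSID length
SAFE_SSID = re.compile(r"^[A-Za-z0-9 _.\-]+$")   # assumed site naming convention (allowlist)


def validate_ssid(ssid):
    """Return (ok, reason). Reject anything a firmware string handler could
    misinterpret: empty names, over-long names, control bytes (including NUL),
    and shell or path metacharacters outside the allowlist."""
    raw = ssid.encode("utf-8")
    if not raw:
        return False, "empty"
    if len(raw) > MAX_SSID_OCTETS:
        return False, f"{len(raw)} octets exceeds {MAX_SSID_OCTETS}"
    if any(b < 0x20 or b == 0x7F for b in raw):
        return False, "control character"
    if not SAFE_SSID.match(ssid):
        return False, "character outside allowlist"
    return True, "ok"


def filter_scan_results(ssids):
    """Split scan results into joinable networks and rejected ones with reasons."""
    accepted, rejected = [], {}
    for name in ssids:
        ok, why = validate_ssid(name)
        if ok:
            accepted.append(name)
        else:
            rejected[name] = why
    return accepted, rejected


# Constructed scan results, including the kinds of names the check must refuse.
SAMPLE_SCAN = [
    "ICU-Monitors",
    "Guest WiFi",
    "x" * 33,            # one octet over the 802.11 limit
    "evil\x00net",       # embedded NUL, truncates C strings
    "$(reboot)",         # shell metacharacters
    "../../etc",         # path traversal characters
    "\u00e9" * 17,       # 17 characters but 34 UTF-8 octets
]

if __name__ == "__main__":
    accepted, rejected = filter_scan_results(SAMPLE_SCAN)
    print("joinable:", accepted)
    for name, why in rejected.items():
        print("rejected:", repr(name), why)
```

Allowlisting beats blocklisting here: the set of characters a site actually uses in SSIDs is small and known, whereas the set a particular firmware parser might choke on is not.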

The device has hard-coded credentials, which would allow a threat actor with physical access to the device to gain privileged access and steal patient information and change the device parameters. The flaw is tracked as CVE-2022-38069 and has a CVSS severity score of 4.3. Active debug code has not been stripped out – CVE-2022-38453 – which makes it easier for a threat actor to reverse engineer sensitive code and identify additional vulnerabilities.

The following steps are recommended to reduce the risk of exploitation of the vulnerabilities:

  • Disabling UART functionality at the CPU level
  • Enforcing unique device authentication before granting access to the terminal / bootloader
  • Where possible, enforcing secure boot.
  • Tamper stickers on the device casing to indicate when a device has been opened

Users should also restrict access to the devices, minimize network exposure, locate the devices behind firewalls, and use a secure method to connect to the device if remote access is required, such as a VPN.

The vulnerabilities were discovered by researchers at Level Nine.

Healthcare Organizations Warned About Evil Corp. Cybercrime Syndicate

The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the healthcare and public health sector (HPH) about one of the most capable and aggressive cybercrime syndicates currently in operation – Evil Corp. The group operates out of Russia and has been operational since at least 2009 and is responsible for the infamous Dridex banking Trojan and several other ransomware and malware variants, including BitPaymer, Hades, Phoenixlocker, WastedLocker, SocGholish, GameOver Zeus, and JabberZeus. Evil Corp’s malware and ransomware variants have been used in many cyberattacks on the HPH sector, one of the most well-known being the BitPaymer ransomware attack on the National Health Service (NHS) Lanarkshire Board in Scotland in 2017.

Evil Corp’s primary modus operandi in recent years is conducting digital extortion attacks, including the use of ransomware, and the theft of sensitive information. HC3 warns that Evil Corp may conduct attacks at the request of the Russian government, including attacks that steal intellectual property, and members of the group are known to cooperate with the Russian intelligence agencies. The group has access to several third-party malware strains, including the TrickBot and Emotet Trojans, and has links to major ransomware and cybercriminal operations worldwide.

Evil Corp has been the subject of multiple law enforcement operations. The leader of Evil Corp, Maksim Yakubets, was indicted by a Federal grand jury in 2019 and was charged with conspiracy, computer hacking, wire fraud, and bank fraud related to the distribution of Bugat malware, the predecessor of Dridex. In addition to running the operation, Yakubets interfaces with the Russian government and is known to have been tasked with projects on behalf of the Russian FSB. Several other high-ranking members of the group have also been identified and are currently being sought by the FBI and other law enforcement agencies.

The group is heavily reliant on money mules for receiving payments extorted from its victims, and at least 8 Moscow-based individuals are known to have served as financial facilitators for the group and are involved in moving the profits from the attacks in a way to prevent the money being traced by law enforcement.

Due to the number of malware and ransomware variants used by Evil Corp, the group employs a wide range of tactics, techniques, and procedures in its attacks. It also has extensive technical capabilities, both in-house and through associations with other cybercriminal operations. One of the main methods used to gain initial access to victims’ networks is phishing. The group is also known to use legitimate security tools and living-off-the-land techniques to evade security solutions and operate undetected, including publicly available tools such as Cobalt Strike, Covenant, Donut, Koadic, Mimikatz, PowerShell Empire, and PowerSploit, along with many self-developed tools.

Due to the extensive range of malware and ransomware variants and custom tools used by the group, multiple defensive measures and mitigations are required to detect and block attacks. HC3 has listed several resources in the alert to help network defenders improve their defenses, along with indicators of compromise, Yara rules, and other defensive information.

HC3 Sounds Alarm Over Data Theft and Extortion Attacks by Karakurt Threat Actors

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the Healthcare and Public Health Sector (HPH) about a relatively new data theft and extortion group called Karakurt, which is known to have conducted hacking and extortion attacks on the HPH sector. The attacks resemble those of ransomware gangs, but the group does not encrypt data; it steals data and issues a ransom demand to prevent its release. The group is thought to be either a breakaway group from the Conti ransomware operation or to have ties to it.

Karakurt, aka Karakurt Team/Karakurt Lair, conducted its first attacks in late 2021 and is known to have conducted attacks on at least four organizations in the HPH sector: A hospital, healthcare provider, assisted living facility, and dental firm. HC3 did not disclose the names of the healthcare organizations that have been targeted so far, but one is Methodist McKinney Hospital in Texas. That attack was detected by the hospital in June, which confirmed that files containing sensitive patient information had been exfiltrated in the attack. Karakurt is pressuring the hospital into paying the ransom by threatening to publish 367 GB of stolen data.

That attack is in line with the modus operandi of the group, which gains access to networks, searches for valuable data, exfiltrates the data, and then issues a ransom demand along with threats to publish the data if the ransom is not paid. Those tactics are now common among ransomware gangs, but Karakurt victims have reported extensive harassment following the attacks. In addition to putting pressure on the victim to pay, the group also harasses business partners, employees, and clients via email and phone calls to get them to add to the pressure on the victim to pay up and prevent the public release of their data. Samples of the stolen data are often sent as “proof of life” to confirm data theft has occurred. The ransom demands issued by the group can be considerable: victims have reported demands ranging from $25,000 to $13 million in Bitcoin.

Once access to a victim’s network has been gained, the Karakurt threat actors deploy Cobalt Strike beacons to enumerate the network, use Mimikatz to obtain credentials, and achieve persistent remote control with AnyDesk. Situation-dependent tools are used for privilege escalation and lateral movement. The threat actors are known to take their time scanning and conducting reconnaissance, with dwell times of up to two months. When data has been identified, 7-Zip is used to compress files, which are then exfiltrated using open source tools such as rclone to cloud storage services such as Mega.nz, or over File Transfer Protocol (FTP) using clients such as FileZilla. In some attacks huge volumes of data have been stolen, including entire network-connected shared drives, in volumes exceeding 1 TB.

Initial access to victims’ networks is primarily gained by purchasing stolen credentials from partners in the cybercrime community and buying access to compromised networks from initial access brokers. Vulnerabilities are also known to have been exploited, phishing has been used, and Remote Desktop Protocol exploited.

Indicators of Compromise and mitigations have been shared in the HC3 alert.

HC3 Warns of Increase in Vishing Attacks and the Dangers of Social Engineering

The Health Sector Cybersecurity Coordination Center has issued a warning about social engineering and voice phishing (vishing) attacks on the healthcare and public health (HPH) sector.

In cybersecurity terms, social engineering is the manipulation of individuals by malicious actors to further their own aims. It is a broad term that covers many different types of attacks, including phishing, spear phishing, whaling, baiting, vishing, callback phishing, SMS phishing (smishing), deepfake software, and business email compromise (BEC).

In phishing attacks, social engineering techniques are used to trick employees into disclosing sensitive information such as protected health information, login credentials that allow the threat actor to gain a foothold in the network, or installing malware that provides remote access to devices and the networks to which they connect. These attacks may be conducted in mass campaigns or can be highly targeted, with the victims researched and lures crafted for specific individuals.

Phishing is one of the most common types of social engineering attack, and it is the initial access vector in a large percentage of cyberattacks on the healthcare industry. The 2021 HIMSS Healthcare Cybersecurity Survey suggests phishing was involved in 45% of healthcare security incidents over the past 12 months, followed by ransomware attacks. Ransomware threat actors often use phishing to gain initial access to healthcare networks, and several groups associated with the Conti ransomware operation are now using callback phishing as one of the main ways to gain the access they need to conduct their attacks. Callback phishing was first used by the Ryuk ransomware gang in the BazarCall campaigns, where victims were tricked into installing BazarLoader malware that provided remote access to their networks. Ryuk rebranded as Conti, and three breakaway groups started using these callback phishing techniques again in March 2022.

Callback phishing is a hybrid form of phishing where initial contact is made via email and social engineering is used to trick people into calling the telephone number provided. The lure used in these attacks is often a warning about an impending invoice, a subscription expiry, or the end of a free trial, with charges incurred if no action is taken. No hyperlinks or email attachments are used; only a phone number is provided. Email security solutions often do not flag these emails as malicious, because there is no URL or attachment to scan and they are unable to check whether a telephone number is malicious or legitimate.
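
Because the lure carries no URL or attachment, the signal that a callback phish does leave is the combination of a billing theme, a phone number as the only call to action, and often a free webmail sender. The following Python triage scorer is an added example of using those features together; it is not part of the HC3 alert or any product. The sample messages, the 555-01xx phone numbers (a reserved fictional range), the freemail list, and the score weights and threshold are all constructed assumptions, and the output is a triage signal for a mail-security team, not a verdict.

```python
import re

# Phone number in common North American layouts; needs 10 digits, so invoice
# numbers and dollar amounts do not match.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LINK_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
LURE_RE = re.compile(
    r"\b(invoice|subscription|auto-?renew\w*|free trial|charged|payment due|order confirmation)\b",
    re.IGNORECASE)
# Assumed list of free webmail domains a real vendor's billing desk would not use.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "protonmail.com"}

# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"subject": "Your antivirus subscription has auto-renewed: $299.99 charged",
     "from": "billing.desk.0191@gmail.com",
     "body": "We have charged $299.99 to your card for another year. If you did not "
             "authorize this, call 1-888-555-0142 within 24 hours to cancel and refund.",
     "attachments": []},
    {"subject": "Invoice 4471 for August",
     "from": "ap@vendor-labs.example",
     "body": "Please find invoice 4471 attached. Pay through https://portal.vendor-labs.example/pay.",
     "attachments": ["invoice-4471.pdf"]},
    {"subject": "Regional nursing conference",
     "from": "events@assoc.example",
     "body": "Register at www.assoc.example/register or call 800-555-0199 for group rates.",
     "attachments": []},
    {"subject": "Your free trial ends tomorrow",
     "from": "no-reply@streaming.example",
     "body": "Keep watching: renew at https://streaming.example/renew before midnight.",
     "attachments": []},
]


def score_message(msg):
    """Return (score, reasons) for one message. Weights are assumptions."""
    text = f"{msg['subject']}\n{msg['body']}"
    score, reasons = 0, []
    if LURE_RE.search(text):
        score += 2
        reasons.append("billing/subscription lure")
    phone = PHONE_RE.search(msg["body"])
    if phone:
        score += 2
        reasons.append(f"phone number in body ({phone.group().strip()})")
        if not LINK_RE.search(text):
            score += 1
            reasons.append("no links: calling is the only action offered")
        if not msg["attachments"]:
            score += 1
            reasons.append("no attachment")
    if msg["from"].rsplit("@", 1)[-1].lower() in FREEMAIL:
        score += 1
        reasons.append("sent from free webmail")
    return score, reasons


def triage(messages, threshold=5):
    """Return (subject, score, reasons) for messages at or above the threshold."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((msg["subject"], score, reasons))
    return flagged


if __name__ == "__main__":
    for subject, score, reasons in triage(SAMPLE_MESSAGES):
        print(score, subject, reasons)
```

The link-bearing "free trial" message scores low on purpose: ordinary URL phishing is what existing filters already inspect, and this scorer is meant to fill the gap for messages that have nothing else to scan. The phone number it extracts is the artifact worth sharing with the sector, since the same number is typically reused across a campaign.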

According to cybersecurity firm Agari, phishing volumes increased by 6% from Q1 2022 to Q2, 2022, whereas hybrid phishing attacks (including callback phishing) increased by 625%. According to the IBM Security X-Force team, in Q4, 2021, phishing attacks accounted for 42% of attacks, up from 30% the previous quarter.

Vishing attacks are conducted exclusively over the telephone. In September 2020, threat actors impersonated a Michigan health system and called patients to steal their member numbers and PHI, with the caller ID spoofed to make it appear that the call originated from the health system.

Phishing and other types of social engineering attacks are a leading cause of healthcare data breaches and healthcare organizations are particularly vulnerable to these attacks, especially larger organizations where employees are unlikely to know all of their co-workers. These attacks abuse trust, and healthcare employees are naturally trusting and have a desire to help. People also want to look intelligent and not have to seek help. They also do not want to get in trouble so may not report falling for a scam. Healthcare environments are also busy with employees often under time pressure, leading to people taking shortcuts that can open the door to scammers.

Defending against social engineering can be a challenge since the attacks can occur via email, SMS, instant messaging services, social media networks, websites, and over the phone, and hybrid phishing attacks are unlikely to be detected by traditional cybersecurity solutions. The key to defending against these attacks is to implement multiple layers of defenses, update policies and procedures to close security gaps, and provide regular security awareness training to the workforce.

HC3 suggests the following steps to improve defenses against social engineering attacks:

Improving defenses against social engineering in healthcare. Source: HC3

To protect against hybrid phishing attacks, smishing, and vishing, security awareness training is key.

  • Regular security awareness training should be provided – multiple times a year. Consider modular CBT training courses to fit training into busy healthcare workflows
  • Keep employees abreast of the latest campaigns targeting the sector, including the latest health-related themes such as COVID-19 and Monkeypox
  • Instruct employees to confirm receipt of an email from a known sender via a trusted communication method or contact
  • Secure VoIP servers and look for evidence of existing compromise (such as web shells for persistence)
  • Block malicious domains and other indicators associated with campaigns
  • Consider switching your organization’s MFA setting or configuration to require a one-time password (OTP) versus a push notification to mitigate MFA fatigue
  • Conduct phishing simulation exercises on the workforce, including hybrid phishing simulations

Further information:

HC3 Analyst Note – Vishing Attacks on the Rise

HC3 – Impact of Social Engineering on Healthcare Organizations

The post HC3 Warns of Increase in Vishing Attacks and the Dangers of Social Engineering appeared first on HIPAA Journal.

July 2022 Healthcare Data Breach Report

In July 2022, 66 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights, which is a 5.71% reduction from the 70 data breaches reported in June 2022 and July 2021. While the number of data breaches fell slightly from last month, data breaches are being reported at well over the average monthly rate of 57 breaches per month.

Healthcare data breaches in the past 12 months

For the second consecutive month, the number of exposed or impermissibly disclosed healthcare records topped 5 million. 5,331,869 records were breached across the 66 reported incidents, which is well above the 12-month average of 3,499,029 breached records a month. July saw 8.97% fewer records breached than June 2022 and 7.67% fewer than July 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches in July 2022

In July, 25 data breaches of 10,000 or more records were reported, 15 of which occurred at business associates of HIPAA-covered entities. The largest data breach was a ransomware attack on the accounts receivable management agency, Professional Finance Company. Cyberattacks on business associates can affect many different HIPAA-covered entities, as was the case with the PFC breach, which affected 657 HIPAA-covered entities. The breach was reported by PFC as affecting more than 1.9 million individuals, although some of those clients have reported the breach separately. It is unclear how many records in total were compromised in the ransomware attack.

The second largest data breach occurred at the Wisconsin mailing vendor, OneTouchPoint. This was also a ransomware attack and was reported by OneTouchPoint as affecting more than 1 million individuals, but as was the case with the PFC ransomware attack, some of its healthcare provider clients self-reported the data breach, including Aetna ACE Health Plan. Goodman Campbell Brain and Spine also suffered a major ransomware attack. The Indiana-based healthcare provider confirmed that the threat actors had uploaded the stolen data to their data leak site.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Business Associate Breach | Cause of Breach |
|---|---|---|---|---|---|
| Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Yes | Ransomware attack |
| OneTouchPoint, Inc. | WI | Business Associate | 1,073,316 | Yes | Ransomware attack |
| Goodman Campbell Brain and Spine | IN | Healthcare Provider | 362,833 | No | Ransomware attack – Data leak confirmed |
| Aetna ACE | CT | Health Plan | 326,278 | Yes | Ransomware attack on mailing vendor (OneTouchPoint) |
| Synergic Healthcare Solutions, LLC dba Fast Track Urgent Care Center | FL | Healthcare Provider | 258,411 | Yes | Hacking incident at billing vendor (PracticeMax) |
| Avamere Health Services, LLC | OR | Business Associate | 197,730 | Yes | Hacking incident – Data theft confirmed |
| BHG Holdings, LLC dba Behavioral Health Group | TX | Healthcare Provider | 197,507 | No | Hacking incident – Data theft confirmed |
| Premere Infinity Rehab, LLC | OR | Business Associate | 183,254 | Yes | Hacking incident at business associate (Avamere Health Services) – Data theft confirmed |
| Carolina Behavioral Health Alliance, LLC | NC | Business Associate | 130,922 | Yes | Hacking incident |
| Family Practice Center PC | PA | Healthcare Provider | 83,969 | No | Hacking incident |
| Kaiser Foundation Health Plan, Inc. (Southern California) | CA | Health Plan | 75,010 | No | Theft of device in a break-in at a storage facility |
| Magie Mabrey Hughes Eye Clinic, P.A. dba Arkansas Retina | AR | Healthcare Provider | 57,394 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| McLaren Port Huron | MI | Healthcare Provider | 48,957 | Yes | Hacking incident at business associate (MCG Health) – Data theft confirmed |
| Southwest Health Center | WI | Healthcare Provider | 46,142 | No | Hacking incident – Data theft confirmed |
| WellDyneRx, LLC | FL | Business Associate | 43,523 | Yes | Email account compromised |
| Associated Eye Care | MN | Healthcare Provider | 40,793 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| Zenith American Solutions | WA | Business Associate | 37,146 | Yes | Mailing error |
| Benson Health | NC | Healthcare Provider | 28,913 | No | Hacking incident |
| Healthback Holdings, LLC | OK | Healthcare Provider | 21,114 | No | Email accounts compromised |
| East Valley Ophthalmology | AZ | Healthcare Provider | 20,734 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| Arlington Skin | VA | Healthcare Provider | 17,468 | No | Hacking incident at EHR management company (Virtual Private Network Solutions) |
| The Bronx Accountable Healthcare Network | NY | Healthcare Provider | 17,161 | No | Email accounts compromised |
| Granbury Eye Clinic | TX | Healthcare Provider | 16,475 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| CHRISTUS Spohn Health System Corporation | TX | Healthcare Provider | 15,062 | No | Ransomware attack – Data leak confirmed |
| Central Maine Medical Center | ME | Healthcare Provider | 11,938 | Yes | Hacking incident at business associate (Shields Healthcare Group) |

Causes of July 2022 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in July with 55 data breaches classed as hacking/IT incidents, with ransomware attacks continuing to be a problem for the healthcare industry. 9 of the top 25 breaches were reported as ransomware attacks, although HIPAA-regulated entities often do not disclose the exact nature of cyberattacks or whether ransomware was involved. Across the hacking incidents, the records of 5,195,024 individuals were breached, which is 97.43% of all records breached in July. The average breach size was 94,455 records and the median breach size was 4,447 records. The median breach size is less than half the median breach size in June due to a large number of relatively small data breaches.

There were 8 unauthorized access/disclosure incidents reported involving 59,784 records. The average breach size was 7,473 records and the median breach size was 1,920 records. There were 3 incidents reported involving the loss of devices/physical documents containing PHI, and one reported theft. 77,061 records were exposed across those 3 incidents. The average breach size was 25,687 records and the median breach size was 1,201 records.

Causes of July 2022 healthcare data breaches

Unsurprisingly given the large number of hacking incidents, 56% of the month’s breaches involved PHI stored on network servers. 12 incidents involved unauthorized access to email accounts, caused by a mix of phishing and brute force attacks.

July 2022: location of breached PHI

There has been a marked increase in hybrid phishing attacks on the healthcare industry in recent months, where non-malicious emails are sent that include a phone number manned by the threat actor. According to Agari, Q2 2022 saw a 625% increase in hybrid phishing attacks, where initial contact was made via email with the scam taking place over the phone. Several ransomware groups have adopted this tactic as the main way of gaining initial access to victims’ networks. The lures used in the emails are typically notifications of an upcoming charge, such as the end of a free trial of a software solution or service, or the renewal of a product subscription, which the recipient can supposedly stop only by calling the number. In these attacks, the victim is tricked into opening a remote access session with the threat actor.
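As an added illustration (not code from HC3, Agari or HIPAA Journal), the Python below scores inbound messages for the hybrid phishing pattern described above: a billing or renewal pretext, a dollar amount, urgency, and a phone number offered as the only call to action, with no link or attachment for traditional filters to catch. The email dictionaries, phone numbers and keyword lists are constructed for the example.

```python
import re

# Constructed sample messages (not real emails) modelled on the hybrid phishing
# lures described above: no link or attachment, a phone number, and a billing
# pretext (trial ending, subscription renewal, upcoming charge).
SAMPLE_EMAILS = [
    {"subject": "Your free trial is ending - $299.99 will be charged",
     "body": "Your trial of ProtectSuite ends tomorrow and your card will be "
             "charged $299.99. To cancel, call our billing desk at 888-555-0142.",
     "urls": [], "attachments": []},
    {"subject": "Subscription renewal notice",
     "body": "Your annual subscription will auto-renew for $499. Call "
             "(800) 555-0199 within 24 hours to stop this payment.",
     "urls": [], "attachments": []},
    {"subject": "Lab results ready",  # benign: phone number, but a portal link too
     "body": "Your results are available in the patient portal. Call "
             "(555) 555-0100 if you have questions.",
     "urls": ["https://portal.example.org/results"], "attachments": []},
    {"subject": "Invoice attached",  # benign: no phone number, no lure wording
     "body": "Please find the invoice for March attached.",
     "urls": [], "attachments": ["invoice.pdf"]},
]

# Heuristics are assumptions for this example, not a vendor's rule set.
PHONE_RE = re.compile(r"(?:\(?\d{3}\)?[\s.-]?)\d{3}[\s.-]\d{4}")
MONEY_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
BILLING_LURES = ("free trial", "trial ends", "auto-renew", "renewal",
                 "will be charged", "subscription", "stop this payment", "cancel")
URGENCY = ("within 24 hours", "tomorrow", "immediately", "today")


def score_callback_phish(email):
    """Return (score, reasons); each matched trait adds one point."""
    text = f"{email['subject']} {email['body']}".lower()
    reasons = []
    if PHONE_RE.search(text):
        reasons.append("phone number present")
    hits = [k for k in BILLING_LURES if k in text]
    if hits:
        reasons.append("billing lure: " + ", ".join(hits))
    if MONEY_RE.search(text):
        reasons.append("dollar amount")
    if any(u in text for u in URGENCY):
        reasons.append("urgency")
    # The defining trait: the call is the only action offered, no link or file.
    if "phone number present" in reasons and not email["urls"] and not email["attachments"]:
        reasons.append("phone is sole call to action")
    return len(reasons), reasons


def triage(emails, threshold=3):
    """Return the subjects of messages scoring at or above the threshold."""
    return [e["subject"] for e in emails if score_callback_phish(e)[0] >= threshold]
```

A benign message with a phone number and a portal link scores 1 here, so the threshold separates ordinary notices from the lure pattern without a blocklist of numbers.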

HIPAA Regulated Entities Affected by Data Breaches

Healthcare providers are usually the worst affected HIPAA-regulated entity type each month, but there was a change in July with business associates of HIPAA-regulated entities topping the list. 39 healthcare providers reported data breaches but 15 of those breaches occurred at business associates. 10 health plans reported breaches, with 4 of those breaches occurring at business associates. 17 business associates self-reported breaches. The chart below shows the month’s data breaches based on where they occurred, rather than the reporting entity.

July 2022 healthcare data breaches by HIPAA-regulated entity type

July 2022 Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states, with Texas the worst affected with 10 data breaches.

| State | No. Breaches |
|---|---|
| Texas | 10 |
| Pennsylvania & Virginia | 5 |
| California, Florida, North Carolina & Wisconsin | 4 |
| Arizona, Connecticut, Georgia, Illinois, New Hampshire, Ohio, Oklahoma, & Oregon | 2 |
| Alabama, Arkansas, Colorado, Indiana, Iowa, Maine, Massachusetts, Michigan, Minnesota, Missouri, New York, Rhode Island, Washington, & Wyoming | 1 |

HIPAA Enforcement Activity in July 2022

From January to June, only 4 enforcement actions were announced by the HHS’ Office for Civil Rights; however, July saw a further 12 enforcement actions announced that resulted in financial penalties to resolve HIPAA violations. OCR has continued with its HIPAA Right of Access enforcement initiative, with 11 of the penalties imposed for the failure to provide patients with timely access to their medical records. 10 of those investigations were settled, and one was resolved with a civil monetary penalty.

July also saw one investigation settled with OCR that resolved multiple alleged violations of the HIPAA Rules that were uncovered during an investigation of a 279,865-record data breach at Oklahoma State University – Center for Health Sciences.

No HIPAA enforcement actions were announced by state attorneys general in July.

| Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|
| ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals |
| Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |


58% of Healthcare Organizations Have Implemented Zero-Trust Initiatives

There has been a marked increase in the number of healthcare organizations that have implemented zero trust initiatives, according to the 2022 State of Zero Trust Security report from Okta. In 2022, 58% of surveyed organizations said they had or have started implementing zero trust initiatives, up 21 percentage points from the 37% last year. Further, 96% of all healthcare respondents said they either had or are planning to implement zero trust within the next 12 to 18 months, up from 91% last year.

The traditional approach to security sees devices and applications within the network perimeter trusted, as they are behind the protection of perimeter defenses; however, that approach does not work well in the cloud, where there is no perimeter to defend. The philosophy of zero trust is, “never trust, always verify”. Zero trust assumes that every device and account could be malicious, regardless of whether it is inside or outside the network perimeter. With zero trust, all devices, accounts, applications, and connections are subject to robust authentication checks, the principle of least privilege is enforced, and there is comprehensive security monitoring.

“Zero Trust is a solid guiding principle, but getting there is a complex proposition, requiring multiple deeply integrated best-of-breed solutions working seamlessly together,” explained Okta in the report. “Every company has a different starting situation, different resources, and different priorities, leading to unique journeys to reach the same destination—true Zero Trust security.”

Zero Trust Adoption in Healthcare

There has been a significant increase in medical and IoT devices, applications, and cloud-based resources, which has greatly expanded the attack surface and made it much harder for security teams to defend against cyberattacks using traditional security approaches. Zero trust offers a solution, and the majority of healthcare organizations that have not yet implemented zero trust initiatives say they have a plan in place to implement zero trust within the next 6 to 12 months.

98% of healthcare respondents said identity plays a meaningful role in their zero trust strategy, with 72% rating it important and 27% rating it critical, with the most pressing projects being extending Single Sign-on for employees and securing access to APIs. Currently, only 6% of healthcare respondents said they have context-based access policies in place, but 40% said they will be rolling these out within the next 12-18 months, with all healthcare respondents planning to extend SSO, MFA, or both to SaaS apps, internal apps, and servers in the coming 12-18 months.

The most critical factors for controlling and improving access to internal resources were device trust, geographic location, and trusted IP address, followed by time of day or working-hours-based access, and whether the resource being accessed is highly sensitive. Healthcare organizations are also transitioning away from password-based authentication. Password use fell from 94% of healthcare organizations in 2021 to 85% in 2022, with push authentication adoption increasing from 16% in 2021 to more than 40% in 2022.

“Adoption of a Zero Trust framework provides a methodology that makes it easier for organizations to continually assess their security posture and the relative maturity of their model, and pinpoint the right security solutions to accelerate their progress at every phase of their journeys,” explained Okta. However, there are challenges for healthcare organizations, and the biggest one is the current talent and skill shortage. “In light of the talent/skill shortage faced around the world, organizations need to find solutions that help them progress along their Zero Trust journeys without creating the need for additional budgets, headcount, or training resources,” suggests Okta. “They need to find solutions that integrate with their existing security ecosystems to extract the most value.”
