Healthcare Cybersecurity

Multiple Vulnerabilities Identified in Contec Health Vital Signs Patient Monitors

Five vulnerabilities have been identified in Contec Health’s CMS8000 CONTEC ICU CCU Vital Signs Patient Monitor. Successful exploitation of the vulnerabilities could allow a threat actor to conduct a denial-of-service attack, access a root shell, make configuration changes, modify firmware, and cause the monitor to display incorrect information.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory about the vulnerabilities but said Contec Health did not respond to its requests, so healthcare providers that use the affected monitors should contact Contec Health directly for information on how to mitigate the vulnerabilities.

The most serious vulnerability – CVE-2022-38100 – has a CVSS v3 severity score of 7.5 and can be exploited remotely by a threat actor with access to the network. Successful exploitation of the vulnerability would cause the device to fail. The flaw can be exploited by sending malformed network data to the device via a specially formatted UDP request. The device would crash and require a reboot. The attack could be conducted simultaneously on all vulnerable devices connected to the network in a mass denial-of-service attack.

The device has improper access controls that can be exploited, albeit by a threat actor with physical access to the device. A USB device could be plugged in and malicious firmware could be uploaded to permanently change the functionality of the device. No authentication is required to perform the firmware upgrade. The flaw is tracked as CVE-2022-36385 and has a CVSS severity score of 6.8.

The device does not correctly sanitize the SSID name of a new Wi-Fi access point – CVE-2022-3027. If an SSID with a malicious name is created, such as one with non-standard characters, when the device attempts to connect to the Wi-Fi access point, the flaw could be exploited to write files to the device and cause the device to display incorrect information. The flaw has been assigned a CVSS severity score of 5.7.
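The class of flaw described above (an SSID reaching a configuration file or command without validation) is mitigated by allowlisting the value before it is ever written. The following is an added example and not code from Contec, CISA or the advisory; it assumes a device that writes a wpa_supplicant-style `ssid="..."` line, and the allowlist pattern, the 32-octet limit (the 802.11 maximum) and the test inputs are my own choices.

```python
"""Allowlist validation for a scanned Wi-Fi SSID before it is written into
device configuration. Added example; assumptions are noted inline."""
import re

MAX_SSID_OCTETS = 32                                   # 802.11 limit on SSID length
# Conservative allowlist (my choice): letters, digits, space, dot, underscore, hyphen.
SAFE_SSID_RE = re.compile(r"[A-Za-z0-9 ._-]{1,32}")


def is_safe_ssid(ssid):
    """True only if the SSID is short enough and contains nothing that could
    terminate a quoted string, start a new config directive, or be interpreted
    by a shell if the value is ever passed to one."""
    if not isinstance(ssid, str):
        return False
    if len(ssid.encode("utf-8")) > MAX_SSID_OCTETS:
        return False
    return SAFE_SSID_RE.fullmatch(ssid) is not None


def render_network_block(ssid, psk_placeholder="<psk>"):
    """Produce the config fragment, or raise if the SSID fails validation.
    Writing an unchecked SSID straight into the file is the pattern to avoid.
    The psk value is a labelled placeholder, not a real secret."""
    if not is_safe_ssid(ssid):
        raise ValueError("SSID rejected by allowlist")
    return f'network={{\n    ssid="{ssid}"\n    psk="{psk_placeholder}"\n}}\n'


# Constructed test inputs: one normal SSID and several that must be rejected.
CASES = {
    "Ward3-Monitors": True,
    "x" * 33: False,                          # exceeds the 32-octet limit
    'a"\n    update_config=1\n#': False,      # quote + newline would inject a new directive
    "net;$(whoami)": False,                   # shell metacharacters
    "clinic\u200b": False,                    # invisible non-ASCII character
}


def check_cases():
    """Return True when every constructed case is classified as expected."""
    return all(is_safe_ssid(s) == expected for s, expected in CASES.items())


if __name__ == "__main__":
    print(render_network_block("Ward3-Monitors"))
    print("all cases as expected:", check_cases())
```

Rejecting rather than escaping keeps the check simple to audit on a constrained device; if a product must support arbitrary SSIDs, the safer route is hex-encoding the value for the config format rather than widening the allowlist.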

The device has hard-coded credentials, which would allow a threat actor with physical access to the device to gain privileged access and steal patient information and change the device parameters. The flaw is tracked as CVE-2022-38069 and has a CVSS severity score of 4.3. Active debug code has not been stripped out – CVE-2022-38453 – which makes it easier for a threat actor to reverse engineer sensitive code and identify additional vulnerabilities.

The following steps are recommended to reduce the risk of exploitation of the vulnerabilities:

  • Disabling UART functionality at the CPU level
  • Enforcing unique device authentication before granting access to the terminal / bootloader
  • Where possible, enforcing secure boot
  • Applying tamper stickers to the device casing to indicate when a device has been opened

Users should also restrict access to the devices, minimize network exposure, locate the devices behind firewalls, and use a secure method to connect to the device if remote access is required, such as a VPN.

The vulnerabilities were discovered by researchers at Level Nine.

The post Multiple Vulnerabilities Identified in Contec Health Vital Signs Patient Monitors appeared first on HIPAA Journal.

Healthcare Organizations Warned About Evil Corp. Cybercrime Syndicate

The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the healthcare and public health sector (HPH) about one of the most capable and aggressive cybercrime syndicates currently in operation – Evil Corp. The group operates out of Russia and has been operational since at least 2009 and is responsible for the infamous Dridex banking Trojan and several other ransomware and malware variants, including BitPaymer, Hades, Phoenixlocker, WastedLocker, SocGholish, GameOver Zeus, and JabberZeus. Evil Corp’s malware and ransomware variants have been used in many cyberattacks on the HPH sector, one of the most well-known being the BitPaymer ransomware attack on the National Health Service (NHS) Lanarkshire Board in Scotland in 2017.

Evil Corp’s primary modus operandi in recent years is conducting digital extortion attacks, including the use of ransomware, and the theft of sensitive information. HC3 warns that Evil Corp may conduct attacks at the request of the Russian government, including attacks that steal intellectual property, and members of the group are known to cooperate with the Russian intelligence agencies. The group has access to several third-party malware strains, including the TrickBot and Emotet Trojans, and has links to major ransomware and cybercriminal operations worldwide.

Evil Corp has been the subject of multiple law enforcement operations. The leader of Evil Corp, Maksim Yakubets, was indicted by a Federal grand jury in 2019 and was charged with conspiracy, computer hacking, wire fraud, and bank fraud related to the distribution of Bugat malware, the predecessor of Dridex. In addition to running the operation, Yakubets interfaces with the Russian government and is known to have been tasked with projects on behalf of the Russian FSB. Several other high-ranking members of the group have also been identified and are currently being sought by the FBI and other law enforcement agencies.

The group is heavily reliant on money mules for receiving payments extorted from its victims, and at least 8 Moscow-based individuals are known to have served as financial facilitators for the group and are involved in moving the profits from the attacks in a way to prevent the money being traced by law enforcement.

Due to the number of malware and ransomware variants used by Evil Corp, the group employs a wide range of tactics, techniques, and procedures in its attacks. It also has extensive technical capabilities, both in-house and through associations with other cybercriminal operations. One of the main methods used to gain initial access to victims’ networks is phishing. The group is also known to use legitimate security tools and living-off-the-land techniques to evade security solutions and operate undetected, including publicly available tools such as Cobalt Strike, Covenant, Donut, Koadic, Mimikatz, PowerShell Empire, and PowerSploit, along with many self-developed tools.

Due to the extensive range of malware and ransomware variants and custom tools used by the group, multiple defensive measures and mitigations are required to detect and block attacks. HC3 has listed several resources in the alert to help network defenders improve their defenses, along with indicators of compromise, Yara rules, and other defensive information.


HC3 Sounds Alarm Over Data Theft and Extortion Attacks by Karakurt Threat Actors

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the Healthcare and Public Health Sector (HPH) about a relatively new ransom threat group called Karakurt, which is known to have conducted hacking and extortion attacks on the HPH sector. These attacks are similar to attacks conducted by ransomware gangs, but the group doesn’t bother encrypting data, just steals data and issues a demand to prevent its release. The group is thought to be either a breakaway group from the Conti ransomware gang or has ties to the prolific ransomware group.

Karakurt, aka Karakurt Team/Karakurt Lair, conducted its first attacks in late 2021 and is known to have conducted attacks on at least four organizations in the HPH sector: a hospital, a healthcare provider, an assisted living facility, and a dental firm. HC3 did not disclose the names of the healthcare organizations that have been targeted so far, but one is Methodist McKinney Hospital in Texas. That attack was detected by the hospital in June, which confirmed that files containing sensitive patient information had been exfiltrated in the attack. Karakurt is pressuring the hospital into paying the ransom by threatening to publish 367 GB of stolen data.

That attack is in line with the modus operandi of the group, which gains access to networks, searches for valuable data, exfiltrates the data, and then issues a ransom demand along with threats to publish the data if the ransom is not paid. Those tactics are now common with ransomware gangs, but Karakurt victims have reported extensive harassment following the attacks. In addition to putting pressure on the victim to pay, the group also harasses business partners, employees, and clients via email and phone calls to get them to pile further pressure on the victim to pay up and prevent the release of their data to the public. Samples of the stolen data are often sent as “proof of life” to confirm data theft has occurred. The ransom demands issued by the group can be considerable. Victims have reported being issued demands of between $25,000 and $13,000,000 in Bitcoin.

Once access to victims’ networks has been gained, the Karakurt threat actors deploy Cobalt Strike beacons to enumerate the network, use Mimikatz to obtain credentials, and achieve persistent remote control using AnyDesk software. Situation-dependent tools are used for privilege escalation and lateral movement. The threat actors are known to take their time scanning and conducting reconnaissance, with a dwell time of up to two months. When data has been identified, 7zip is used to compress files, which are exfiltrated using open source applications such as rclone, cloud storage services such as Mega.nz, and File Transfer Protocol (FTP) clients such as FileZilla. In some of the attacks, huge volumes of data have been stolen, including entire network-connected shared drives in volumes exceeding 1 TB.

Initial access to victims’ networks is primarily gained by purchasing stolen credentials from partners in the cybercrime community and buying access to compromised networks from initial access brokers. Vulnerabilities are also known to have been exploited, phishing has been used, and Remote Desktop Protocol exploited.
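The tool chain HC3 attributes to Karakurt (Cobalt Strike, Mimikatz, AnyDesk, 7zip, rclone, FileZilla), like the tool list in the Evil Corp alert above, lends itself to a simple correlation rule: one of these programs on a host may be legitimate, but two or more distinct ones on the same host inside a short window rarely are. The following is an added example and not code from HC3, CISA or HIPAA Journal; the process events are constructed, and the 48-hour window, the two-tool threshold and the name patterns are my assumptions (a production rule would also match on binary hashes, since these tools are routinely renamed).

```python
"""Correlate Karakurt-style tooling across process-creation events per host.
Added example with constructed telemetry; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tool families as listed in the alert summary. Matching is on lower-cased
# image path plus command line, so a renamed binary is still caught when a
# tell-tale argument or config path survives (see the rclone event below).
TOOL_PATTERNS = {
    "mimikatz": ("mimikatz", "sekurlsa::"),
    "anydesk": ("anydesk.exe",),
    "7zip": ("7z.exe", "7za.exe"),
    "rclone": ("rclone",),
    "filezilla": ("filezilla.exe", "fzsftp.exe"),
}
WINDOW = timedelta(hours=48)      # assumed correlation window
MIN_DISTINCT_TOOLS = 2            # assumed alert threshold


def classify(event):
    """Return the set of tool families an event's image/command line matches."""
    haystack = (event["image"] + " " + event["cmdline"]).lower()
    return {name for name, needles in TOOL_PATTERNS.items()
            if any(n in haystack for n in needles)}


def correlate(events, window=WINDOW, min_tools=MIN_DISTINCT_TOOLS):
    """Group matching events per host and flag hosts where at least
    `min_tools` distinct families appear within `window` of each other.
    Returns {host: sorted list of tool families}."""
    by_host = defaultdict(list)
    for ev in events:
        tools = classify(ev)
        if tools:
            by_host[ev["host"]].append((ev["time"], tools))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, tools in hits[i:]:
                if t - t0 > window:
                    break
                seen |= tools
            if len(seen) >= min_tools:
                alerts[host] = sorted(seen)
                break
    return alerts


# Constructed sample events (not real telemetry). Fields mirror what an EDR
# or Sysmon process-creation record would carry.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "time": datetime(2022, 6, 1, 9, 12),
     "image": r"C:\Users\Public\m.exe", "cmdline": "m.exe sekurlsa::logonpasswords"},
    {"host": "WS-FIN-07", "time": datetime(2022, 6, 1, 22, 40),
     "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"},
    {"host": "FS-01", "time": datetime(2022, 6, 20, 2, 5),
     "image": r"C:\Temp\7z.exe", "cmdline": r"7z.exe a -p -mhe=on D:\stage\shares.7z \\FS-01\Shares"},
    # rclone renamed to rc.exe: caught only because the config path still names it
    {"host": "FS-01", "time": datetime(2022, 6, 20, 3, 30),
     "image": r"C:\Temp\rc.exe", "cmdline": r"rc.exe copy --config C:\Temp\rclone.conf D:\stage mega:backup"},
    # a lone FTP client on an admin workstation: one family only, no alert
    {"host": "ADMIN-PC", "time": datetime(2022, 6, 5, 10, 0),
     "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "cmdline": "filezilla.exe"},
]

if __name__ == "__main__":
    for host, tools in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(tools)}")
```

Run against the constructed events this flags WS-FIN-07 (credential dumping followed by AnyDesk persistence) and FS-01 (archiving followed by rclone), while the lone FileZilla process on ADMIN-PC stays below the threshold. The dwell time HC3 reports (up to two months) is why the window is per pair of events rather than from first sighting.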

Indicators of Compromise and mitigations have been shared in the HC3 alert.


HC3 Warns of Increase in Vishing Attacks and the Dangers of Social Engineering

The Health Sector Cybersecurity Coordination Center has issued a warning about social engineering and voice phishing (vishing) attacks on the healthcare and public health (HPH) sector.

In cybersecurity terms, social engineering is the manipulation of individuals by malicious actors to further their own aims. It is a broad term that covers many different types of attacks, including phishing, spear phishing, whaling, baiting, vishing, callback phishing, SMS phishing (smishing), deepfake software, and business email compromise (BEC).

In phishing attacks, social engineering techniques are used to trick employees into disclosing sensitive information such as protected health information or login credentials that allow the threat actor to gain a foothold in the network, or into installing malware that provides remote access to devices and the networks to which they connect. These attacks may be conducted in mass campaigns or can be highly targeted, with the victims researched and lures crafted for specific individuals.

Phishing is one of the most common types of social engineering attacks, and it is the initial access vector in a large percentage of cyberattacks on the healthcare industry. The 2021 HIMSS Healthcare Cybersecurity Survey suggests phishing was involved in 45% of healthcare security incidents over the past 12 months, followed by ransomware attacks. Ransomware threat actors often use phishing to gain initial access to healthcare networks, and several groups associated with the Conti ransomware operation are now using callback phishing as one of the main ways to gain the access they need to conduct their attacks. Callback phishing was first used by the Ryuk ransomware gang in the BazarCall campaigns, where victims were tricked into installing BazarLoader malware that provided remote access to their networks. Ryuk rebranded as Conti, and three breakaway groups started using these callback phishing techniques again in March 2021.

Callback phishing is a hybrid form of phishing where initial contact is made via email and social engineering is used to trick people into calling the provided telephone number. The lure used in these attacks is often a warning about an impending invoice, subscription expiry, or the end of a free trial, with charges incurred if no action is taken. Initial contact is made via email, but no hyperlinks or email attachments are used, only a phone number is provided. Email security solutions often do not flag these emails as malicious and are unable to check if a telephone number is malicious or legitimate.

According to cybersecurity firm Agari, phishing volumes increased by 6% from Q1 2022 to Q2 2022, whereas hybrid phishing attacks (including callback phishing) increased by 625%. According to the IBM Security X-Force team, in Q4 2021 phishing attacks accounted for 42% of attacks, up from 30% the previous quarter.

Vishing attacks are conducted exclusively over the telephone. In September 2020, threat actors impersonated a Michigan health system and called patients to steal their member numbers and PHI, with the caller ID spoofed to make it appear that the call originated from the health system.

Phishing and other types of social engineering attacks are a leading cause of healthcare data breaches and healthcare organizations are particularly vulnerable to these attacks, especially larger organizations where employees are unlikely to know all of their co-workers. These attacks abuse trust, and healthcare employees are naturally trusting and have a desire to help. People also want to look intelligent and not have to seek help. They also do not want to get in trouble so may not report falling for a scam. Healthcare environments are also busy with employees often under time pressure, leading to people taking shortcuts that can open the door to scammers.

Defending against social engineering can be a challenge since the attacks can occur via email, SMS, instant messaging services, social media networks, websites, and over the phone, and hybrid phishing attacks are unlikely to be detected by traditional cybersecurity solutions. The key to defending against these attacks is to implement multiple layers of defenses, update policies and procedures to close security gaps, and provide regular security awareness training to the workforce.

HC3 suggests the following steps to improve defenses against social engineering attacks:

Improving defenses against social engineering in healthcare. Source: HC3

To protect against hybrid phishing attacks, smishing, and vishing, security awareness training is key.

  • Regular security awareness training should be provided – multiple times a year. Consider modular CBT training courses to fit training into busy healthcare workflows
  • Keep employees abreast of the latest campaigns targeting the sector, including the latest health-related themes such as COVID-19 and Monkeypox
  • Instruct employees to confirm receipt of an email from a known sender via a trusted communication method or contact
  • Secure VoIP servers and look for evidence of existing compromise (such as web shells for persistence)
  • Block malicious domains and other indicators associated with campaigns
  • Consider switching your organization’s MFA setting or configuration to require a one-time password (OTP) versus a push notification to mitigate MFA fatigue
  • Conduct phishing simulation exercises on the workforce, including hybrid phishing simulations

Further information:

HC3 Analyst Note – Vishing Attacks on the Rise

HC3 – Impact of Social Engineering on Healthcare Organizations


July 2022 Healthcare Data Breach Report

In July 2022, 66 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights, which is a 5.71% reduction from the 70 data breaches reported in June 2022 and July 2021. While the number of data breaches fell slightly from last month, data breaches are being reported at well over the average monthly rate of 57 breaches per month.

Healthcare data breaches in the past 12 months

For the second consecutive month, the number of exposed or impermissibly disclosed healthcare records topped 5 million. 5,331,869 records were breached across the 66 reported incidents, which is well above the 12-month average of 3,499,029 records a month. July saw 8.97% fewer records breached than June 2022 and 7.67% fewer than July 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches in July 2022

In July, 25 data breaches of 10,000 or more records were reported, 15 of which occurred at business associates of HIPAA-covered entities. The largest data breach was a ransomware attack on the accounts receivable management agency, Professional Finance Company. Cyberattacks on business associates can affect many different HIPAA-covered entities, as was the case with the PFC breach, which affected 657 HIPAA-covered entities. The breach was reported by PFC as affecting more than 1.9 million individuals, although some of those clients have reported the breach separately. It is unclear how many records in total were compromised in the ransomware attack.

The second largest data breach occurred at the Wisconsin mailing vendor, OneTouchPoint. This was also a ransomware attack and was reported by OneTouchPoint as affecting more than 1 million individuals, but as was the case with the PFC ransomware attack, some of its healthcare provider clients self-reported the data breach, including Aetna ACE Health Plan. Goodman Campbell Brain and Spine also suffered a major ransomware attack. The Indiana-based healthcare provider confirmed that the threat actors had uploaded the stolen data to their data leak site.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Business Associate Breach | Cause of Breach
Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Yes | Ransomware attack
OneTouchPoint, Inc. | WI | Business Associate | 1,073,316 | Yes | Ransomware attack
Goodman Campbell Brain and Spine | IN | Healthcare Provider | 362,833 | No | Ransomware attack – Data leak confirmed
Aetna ACE | CT | Health Plan | 326,278 | Yes | Ransomware attack on mailing vendor (OneTouchPoint)
Synergic Healthcare Solutions, LLC dba Fast Track Urgent Care Center | FL | Healthcare Provider | 258,411 | Yes | Hacking incident at billing vendor (PracticeMax)
Avamere Health Services, LLC | OR | Business Associate | 197,730 | Yes | Hacking incident – Data theft confirmed
BHG Holdings, LLC dba Behavioral Health Group | TX | Healthcare Provider | 197,507 | No | Hacking incident – Data theft confirmed
Premere Infinity Rehab, LLC | OR | Business Associate | 183,254 | Yes | Hacking incident at business associate (Avamere Health Services) – Data theft confirmed
Carolina Behavioral Health Alliance, LLC | NC | Business Associate | 130,922 | Yes | Hacking incident
Family Practice Center PC | PA | Healthcare Provider | 83,969 | No | Hacking incident
Kaiser Foundation Health Plan, Inc. (Southern California) | CA | Health Plan | 75,010 | No | Theft of device in a break-in at a storage facility
Magie Mabrey Hughes Eye Clinic, P.A. dba Arkansas Retina | AR | Healthcare Provider | 57,394 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders)
McLaren Port Huron | MI | Healthcare Provider | 48,957 | Yes | Hacking incident at business associate (MCG Health) – Data theft confirmed
Southwest Health Center | WI | Healthcare Provider | 46,142 | No | Hacking incident – Data theft confirmed
WellDyneRx, LLC | FL | Business Associate | 43,523 | Yes | Email account compromised
Associated Eye Care | MN | Healthcare Provider | 40,793 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders)
Zenith American Solutions | WA | Business Associate | 37,146 | Yes | Mailing error
Benson Health | NC | Healthcare Provider | 28,913 | No | Hacking incident
Healthback Holdings, LLC | OK | Healthcare Provider | 21,114 | No | Email accounts compromised
East Valley Ophthalmology | AZ | Healthcare Provider | 20,734 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders)
Arlington Skin | VA | Healthcare Provider | 17,468 | No | Hacking incident at EHR management company (Virtual Private Network Solutions)
The Bronx Accountable Healthcare Network | NY | Healthcare Provider | 17,161 | No | Email accounts compromised
Granbury Eye Clinic | TX | Healthcare Provider | 16,475 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders)
CHRISTUS Spohn Health System Corporation | TX | Healthcare Provider | 15,062 | No | Ransomware attack – Data leak confirmed
Central Maine Medical Center | ME | Healthcare Provider | 11,938 | Yes | Hacking incident at business associate (Shields Healthcare Group)

Causes of July 2022 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in July with 55 data breaches classed as hacking/IT incidents, with ransomware attacks continuing to be a problem for the healthcare industry. 9 of the top 25 breaches were reported as ransomware attacks, although HIPAA-regulated entities often do not disclose the exact nature of cyberattacks and whether ransomware was involved. Across the hacking incidents, the records of 5,195,024 individuals were breached, which is 97.43% of all records breached in July. The average breach size was 94,455 records and the median breach size was 4,447 records. The median breach size is less than half the median breach size in June due to a large number of relatively small data breaches.

There were 8 unauthorized access/disclosure incidents reported involving 59,784 records. The average breach size was 7,473 records and the median breach size was 1,920 records. There were 3 incidents reported involving the loss or theft of devices/physical documents containing PHI, one of which was a theft. 77,061 records were exposed across those 3 incidents. The average breach size was 25,687 records and the median breach size was 1,201 records.

Causes of July 2022 healthcare data breaches

Unsurprisingly given the large number of hacking incidents, 56% of the month’s breaches involved PHI stored on network servers. 12 incidents involved unauthorized access to email accounts, caused by a mix of phishing and brute force attacks.

July 2022: location of breached PHI

There has been a marked increase in hybrid phishing attacks on the healthcare industry in recent months, where non-malicious emails are sent that include a phone number manned by the threat actor. According to Agari, Q2 2022 saw a 625% increase in hybrid phishing attacks, where initial contact was made via email with the scam taking place over the phone. Several ransomware groups have adopted this tactic as the main way of gaining initial access to victims’ networks. The lures used in the emails are typically notifications about upcoming charges: the end of a free trial of a software solution or service, or the renewal of a product subscription, with the charge applied unless the recipient calls the number to stop the payment. In these attacks, the victim is tricked into opening a remote access session with the threat actor.

HIPAA Regulated Entities Affected by Data Breaches

Healthcare providers are usually the worst affected HIPAA-regulated entity type, but there was a change in July with business associates of HIPAA-regulated entities topping the list. 39 healthcare providers reported data breaches but 15 of those breaches occurred at business associates. 10 health plans reported breaches, with 4 of those breaches occurring at business associates. 17 business associates self-reported breaches. The chart below shows the month’s data breaches based on where they occurred, rather than the reporting entity.

July 2022 healthcare data breaches by HIPAA-regulated entity type

July 2022 Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states, with Texas the worst affected with 10 data breaches.

State | No. Breaches
Texas | 10
Pennsylvania & Virginia | 5
California, Florida, North Carolina & Wisconsin | 4
Arizona, Connecticut, Georgia, Illinois, New Hampshire, Ohio, Oklahoma, & Oregon | 2
Alabama, Arkansas, Colorado, Indiana, Iowa, Maine, Massachusetts, Michigan, Minnesota, Missouri, New York, Rhode Island, Washington, & Wyoming | 1

HIPAA Enforcement Activity in July 2022

From January to June, only 4 enforcement actions were announced by the HHS’ Office for Civil Rights; however, July saw a further 12 enforcement actions announced that resulted in financial penalties to resolve HIPAA violations. OCR has continued with its HIPAA Right of Access enforcement initiative, with 11 of the penalties imposed for the failure to provide patients with timely access to their medical records. 10 of those investigations were settled, and one was resolved with a civil monetary penalty.

July also saw one investigation settled with OCR that resolved multiple alleged violations of the HIPAA Rules that were uncovered during an investigation of a 279,865-record data breach at Oklahoma State University – Center for Health Sciences.

No HIPAA enforcement actions were announced by state attorneys general in July.

Covered Entity | Amount | Settlement/CMP | Reason
ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure
Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals
Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure
Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure
Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure
MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure
Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure
Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure
Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure
Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure
Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure
Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure


58% of Healthcare Organizations Have Implemented Zero-Trust Initiatives

There has been a marked increase in the number of healthcare organizations that have implemented zero trust initiatives, according to the 2022 State of Zero Trust Security report from Okta. In 2022, 58% of surveyed organizations said they had or have started implementing zero trust initiatives, up 21 percentage points from the 37% last year. Further, 96% of all healthcare respondents said they either had or are planning to implement zero trust within the next 12 to 18 months, up from 91% last year.

The traditional approach to security sees devices and applications within the network perimeter trusted, as they are behind the protection of perimeter defenses; however, that approach does not work well in the cloud, where there is no perimeter to defend. The philosophy of zero trust is, “never trust, always verify”. Zero trust assumes that every device and account could be malicious, regardless of whether it is inside or outside the network perimeter. With zero trust, all devices, accounts, applications, and connections are subject to robust authentication checks, the principle of least privilege is enforced, and there is comprehensive security monitoring.

“Zero Trust is a solid guiding principle, but getting there is a complex proposition, requiring multiple deeply integrated best-of-breed solutions working seamlessly together,” explained Okta in the report. “Every company has a different starting situation, different resources, and different priorities, leading to unique journeys to reach the same destination—true Zero Trust security.”

Zero Trust Adoption in Healthcare

There has been a significant increase in medical and IoT devices, applications, and cloud-based resources, which has significantly increased the attack surface, and this has made it much harder for security teams to defend against cyberattacks using traditional security approaches. Zero trust offers a solution and the majority of healthcare organizations that have not yet implemented zero trust initiatives say they have a plan in place to implement zero trust within the next 6 to 12 months.

98% of healthcare respondents said identity plays a meaningful role in their zero trust strategy, with 72% rating it important and 27% rating it critical, with the most pressing projects being extending Single Sign-on for employees and securing access to APIs. Currently, only 6% of healthcare respondents said they have context-based access policies in place, but 40% said they will be rolling these out within the next 12-18 months, with all healthcare respondents planning to extend SSO, MFA, or both to SaaS apps, internal apps, and servers in the coming 12-18 months.

The most critical factors for controlling and improving access to internal resources were device trust, geographic location, and trusted IP address, followed by time of day or working hours-based access, and whether the resource trying to be accessed is highly sensitive. Healthcare organizations are also transitioning away from password-based authentication. Password use fell from 94% of healthcare organizations in 2021 to 85% in 2022, with push authentication adoption increasing from 16% in 2021 to more than 40% in 2022.

“Adoption of a Zero Trust framework provides a methodology that makes it easier for organizations to continually assess their security posture and the relative maturity of their model, and pinpoint the right security solutions to accelerate their progress at every phase of their journeys,” explained Okta. However, there are challenges for healthcare organizations, and the biggest one is the current talent and skill shortage. “In light of the talent/skill shortage faced around the world, organizations need to find solutions that help them progress along their Zero Trust journeys without creating the need for additional budgets, headcount, or training resources,” suggests Okta. “They need to find solutions that integrate with their existing security ecosystems to extract the most value.”


Cyberspace Solarium Commission Co-Chairs Call for HHS to Improve Threat Information Sharing with HPH Sector

Senator Angus S. King Jr. (I-ME) and Congressman Mike Gallagher (R-WI), Co-Chairs of the Cyberspace Solarium Commission, have written to HHS Secretary, Xavier Becerra, to voice their concerns about the lack of sharing of actionable threat information with industry partners to help the health and public health sector (HPH) address current cybersecurity gaps.

In the letter, the lawmakers explained that the COVID-19 pandemic revealed some of the systemic challenges facing the HPH sector, and during that time when healthcare workers were dealing with exacerbated workforce challenges, cybercriminals and nation-state threat actors targeted the HPH sector and ransomware attacks skyrocketed.

They suggest cyber threat actors recognized that the HPH sector was more likely than other victims to pay the ransom demands to protect patient safety and the large amounts of sensitive patient data stored by healthcare providers have made them targets for criminals and nation-state hackers. The lawmakers praised the efforts the White House and the HHS have put into improving cybersecurity in the HPH sector but are concerned about “The lack of robust and timely sharing of actionable threat information with industry partners.” They suggest there is a need to dramatically scale up the Department’s capabilities and resources due to the exponential growth of cyber threats, and that it is essential to prioritize addressing the HPH sector’s cybersecurity gaps.

King and Gallagher have requested a briefing from the Secretary of the HHS to share the status of the department’s efforts to strengthen its capabilities and operationalize collaboration with organizations throughout the HPH sector and say it is only possible to conduct effective oversight if they understand the challenges that the HHS and the HPH sector are facing.

Specifically, they have requested:

  • Information on the current organizational structure, roles, and responsibilities that the HHS employs to support HPH cybersecurity and serve as the Sector Risk Management Agency (SRMA) for the entire HPH sector.
  • The current authorities the HHS has to improve the cybersecurity of the HPH sector.
  • The resources, including personnel and budget, the HHS requires to serve as an effective SRMA.
  • The interagency coordination structures utilized to support the HHS’s efforts and the cybersecurity efforts of the HPH sector, the successes achieved, and the challenges faced.

The lawmakers have also requested an unclassified threat briefing from the HHS on current cybersecurity risks to the HPH sector.

The post Cyberspace Solarium Commission Co-Chairs Call for HHS to Improve Threat Information Sharing with HPH Sector appeared first on HIPAA Journal.

Ransomware Gangs Adopt Callback Phishing Techniques for Gaining Initial Network Access

Multiple ransomware groups have adopted the BazarCall callback phishing technique to gain initial access to victims’ networks, including threat actors that have targeted the healthcare sector.

BazarCall is a type of callback phishing, where organizations are targeted and sent ‘phishing’ emails that request a call to a telephone number to resolve an important issue. As with standard phishing campaigns, there is urgency – if no action is taken, there will be negative consequences. The telephone number provided is manned by the threat actor, who is well versed in social engineering techniques and will attempt to trick the caller into taking actions that will give the threat actor access to the victim’s network. That action could be to visit a malicious website or download a malicious file.

In the BazarCall campaign, the targeted individual is told in the email that a subscription or free trial is coming to an end and will auto-renew at a cost. In order to cancel the subscription, the user must call the number provided. If the call is made, the threat actor will attempt to get the user to initiate a Zoho Remote Desktop Control session, which the caller claims is necessary to cancel the subscription. Zoho is legitimate business software; however, in this case, it is used for malicious purposes. While the user converses with the threat actor who answers the call, a second member of the team will use the remote access session to silently weaponize legitimate tools that can be used for an extensive compromise of the victim’s network.

BazarCall was first utilized by the Ryuk ransomware operation in 2020/2021. Ryuk was disbanded and reformed as Conti, and both were prolific ransomware-as-a-service operations. The campaigns were identified by security researchers at AdvIntel, who have tied the campaigns to three cybercriminal groups that broke away from the Conti ransomware operation before it shut down.

According to AdvIntel, BazarCall started to be used by the Conti ransomware gang in March 2022, and in April, a new ransomware group – Silent Ransom – broke away from the Conti operation and adopted the BazarCall technique for initial access. The technique was refined and a second threat group – Quantum – broke away from Conti and started using its own version of BazarCall. In June, a third group – Roy/Zeon – broke away from Conti and started using its own version of BazarCall.

Each threat group impersonates different companies in the initial emails, such as Duolingo, MasterClass, Oracle, HelloFresh, CrowdStrike, RemotePC, Standard Notes, and many more. The lures used vary but generally relate to an upcoming payment due to the end of a subscription or trial period, with the brands impersonated related to the industry being targeted.

AdvIntel says that while the Silent Ransom group was the first threat group to resurrect the BazarCall phishing tactic, seeing the success, efficiency, and targeting capabilities of the tactic, other threat groups have begun using the reversed phishing campaign as a base and developing the attack vector into their own. “This trend is likely to continue: As threat actors have realized the potentialities of weaponized social engineering tactics, it is likely that these phishing operations will only continue to become more elaborate, detailed, and difficult to parse from legitimate communications as time goes on,” warn the researchers.

Defending against callback phishing emails can be difficult due to the lack of malicious content in the initial phishing emails, which means they are unlikely to be flagged as malicious by email security solutions. The best defense to prevent the attacks is to ensure that callback phishing is covered in security awareness training and to include examples of callback phishing in internal phishing simulations.
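Because the lure carries no link or attachment, one complementary control is to score inbound mail on the lure characteristics described above (a phone number as the only call to action, subscription or trial renewal pressure, and a named brand that the sender domain does not match). The following is an added example, not code from HIPAA Journal or AdvIntel; the patterns, weights, threshold and sample messages are all constructed assumptions.

```python
import re

# Added heuristics for the BazarCall-style lure described above: the call to action is a
# phone number, no link or attachment is offered, subscription/trial pressure is applied,
# and a named brand does not match the sender domain. Weights and threshold are assumed.
PHONE = r"(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}"
CALL_TO_ACTION = re.compile(r"\b(?:call|phone|dial)\b[^.\n]{0,40}?" + PHONE, re.I)
SUBSCRIPTION_LURE = re.compile(
    r"\b(?:free trial|trial period|subscription|auto-?renew\w*|renewal|"
    r"will be charged|cancel)\b", re.I)
LINK_OR_ATTACHMENT = re.compile(r"https?://|\bwww\.|\.(?:zip|exe|docm?|pdf|html?)\b", re.I)
BRANDS = ("duolingo", "masterclass", "oracle", "hellofresh", "crowdstrike",
          "remotepc", "standard notes")  # brands named in the AdvIntel report
THRESHOLD = 5

def score_callback_lure(sender, subject, body):
    """Return (score, reasons) for one message; score >= THRESHOLD is suspicious."""
    text = f"{subject}\n{body}"
    domain = sender.rsplit("@", 1)[-1].lower()
    score, reasons = 0, []
    if CALL_TO_ACTION.search(text):
        score += 3
        reasons.append("recipient is asked to phone a number")
        if not LINK_OR_ATTACHMENT.search(text):
            # Nothing for a URL or attachment scanner to inspect: the call is the only action.
            score += 1
            reasons.append("no link or attachment; the phone call is the only action")
    lure_terms = {m.group(0).lower() for m in SUBSCRIPTION_LURE.finditer(text)}
    if len(lure_terms) >= 2:
        score += 2
        reasons.append("subscription/trial pressure: " + ", ".join(sorted(lure_terms)))
    for brand in BRANDS:
        if brand in text.lower() and brand.replace(" ", "") not in domain:
            score += 2
            reasons.append(f"mentions {brand} but sender domain is {domain}")
            break
    return score, reasons

def is_callback_lure(sender, subject, body):
    return score_callback_lure(sender, subject, body)[0] >= THRESHOLD

# Constructed sample messages (sender, subject, body); not real campaign emails.
SAMPLES = [
    ("billing@mail-notices.example", "Your MasterClass free trial ends today",
     "Your free trial will auto-renew at $180/year in 24 hours. To cancel, call 1-800-555-0142."),
    ("no-reply@hellofresh.com", "Your HelloFresh order has shipped",
     "Track your box at https://www.hellofresh.com/track/123. Questions? Call 1-800-555-0199."),
]
```

The second sample shows why the brand and link checks matter: a genuine shipping notice also contains a phone number, but it links to the brand's own site and is sent from the brand's domain, so it stays below the threshold.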

The post Ransomware Gangs Adopt Callback Phishing Techniques for Gaining Initial Network Access appeared first on HIPAA Journal.

Healthcare Providers Targeted in Evernote Phishing Campaign

A malicious phishing campaign has been identified that is targeting healthcare providers. The emails have an Evernote-themed lure to trick recipients into downloading a Trojan file that generates a login prompt to steal credentials.

The Health Information Cybersecurity Coordination Center (HC3) has recently issued an alert about the campaign, which has targeted several healthcare providers in the United States. Malicious emails are sent to targeted organizations that contain a malicious link to an Evernote-themed website. The emails are personalized and the lures used in the phishing emails may vary; however, the emails seen by HC3 have the subject line “[Organization Name] [Date] Business Review” and have a Secure Message theme.

Evernote Phishing Campaign. Source: HC3

The link included in the email directs the user to the Evernote site, where they are prompted to download an HTML file – called message (3).html. The file includes JavaScript code that renders an Adobe or Microsoft-themed page that attempts to harvest Outlook, IONOS, AOL, or other credentials.

The credentials obtained in phishing campaigns such as this can give cyber threat actors access to email accounts, which can contain significant amounts of sensitive data, including protected health information. Compromised email accounts can be used to conduct phishing attacks internally and can give threat actors the foothold they need to conduct more extensive attacks on the organization. Many ransomware attacks start with phishing emails.

Protecting against phishing attacks requires a combination of measures, including email security solutions for blocking phishing emails, web filters for preventing access to malicious websites where malware is downloaded, and antivirus software for identifying Trojans and other malicious code. It is also important to provide regular security awareness training to the workforce on the risks of phishing and train employees on how to recognize phishing emails.

Further information on this phishing campaign, along with other recommended mitigations, can be found in the HC3 security alert.

The post Healthcare Providers Targeted in Evernote Phishing Campaign appeared first on HIPAA Journal.