Healthcare Cybersecurity

Ransomware Attacks Drop by 23% Globally but Increase by 328% in Healthcare

Posted by HIPAA Journal

SonicWall has released a mid-year update to its 2022 Cyber Threat Report, which highlights the global cyberattack trends in 1H 2022. The data for the report was collected from more than 1.1 million global sensors in 215 countries and shows a global fall in ransomware attacks, with notable increases in malware attacks for the first time in 3 years.

Ransomware

SonicWall reports a 23% fall in ransomware attacks globally in 1H 2022, which fell to 236.1 million attempted attacks, continuing the downward trend that has been observed for the previous four quarters. June 2022 saw the lowest number of ransomware hits in the past 23 months. While ransomware attacks are down overall, that is not the case for the healthcare industry, which saw a 328% increase in attacks in 1H 2022.

While the reduction in attacks is certainly good news, it should be noted that the year-to-date figures for ransomware attacks are still higher than they were in all of 2017, 2018, and 2019. In the United States, SonicWall recorded an average of 707 ransomware attempts per customer in the first half of 2022. SonicWall attributes the decrease in attacks to the combination of geopolitical forces, volatile cryptocurrency prices, and an increased government and law-enforcement focus on ransomware gangs.

Malware

Ransomware attacks had increased for two straight years, but malware attacks have been at very low levels, with 2021 seeing malware attacks hit a 7-year low. 1H 2022 has seen a sharp increase in malware attacks, with 11% more attacks than 1H 2021, reaching 2.8 billion in 1H 2022 with an average of 8,240 attempts per customer. There was a marked rise in never-before-seen malware variants in 2022, which increased by 45% from 1H 2021. Cryptojacking has increased by 30% compared to 1H 2021, even with the sharp fall in the value of cryptocurrencies. Cryptjacking attacks in healthcare fell by 87%.

The biggest increase in malware was seen in IoT malware, which increased by 77% increase from 1H 2021 with 57 million detections, which was the highest rate of detection since the attacks started to be tracked by SonicWall. The number of hits in 1H 2022 was only slightly lower than the total hits recorded in all of 2021. IoT attacks in the United States increased by 228% in June and IoT malware attacks in healthcare increased by 123%.

Malicious Files

SonicWall reported in its mid-year 2021 update that there had been a 54% fall in the number of malicious Office files and a 13% drop in malicious PDF files, but the fall in number was short-lived, with this year seeing an increase in malicious file detections. In the first half of 2022, detections of malicious Office files increased by 18%, and malicious PDF file detections increased by 9%. PDF files now account for 18% of malicious file types, with Office files accounting for 10%, with more than 84% of malicious Office files being Excel files. Excel Macro 4.0 (XLM) files are the most common, accounting for 64% of malicious Excel files. Executable files are still the most common malicious file types, accounting for more than one-third of malicious files.

Encrypted Attacks

SonicWall observed a 132% increase in encrypted attacks in 1H 2022, continuing the trend of the past two years. May 2022 was the second highest month for malware over HTTPS ever recorded. Encrypted threats were most prevalent in the United States, and accounted for 41% of the global volume, with a 284% increase over the corresponding period last year. Encrypted attacks in healthcare fell by 6%.

Intrusion Attempts

Intrusion attempts rose by 18% globally in 1H 2022, but the number of malicious intrusions fell by 19%. However, in North America, there was an increase in intrusion attempts but the attacks appear to have peaked in June. Intrusion attempts increased by 39% in healthcare, 46% in government, and 200% in retail. Even with these increases, the 1H 2022 figures are lower than they were in 2021.

The post Ransomware Attacks Drop by 23% Globally but Increase by 328% in Healthcare appeared first on HIPAA Journal.

IBM: Average Cost of a Healthcare Data Breach Reaches Record High of $10.1 Million

Posted by HIPAA Journal

The average cost of a healthcare data breach has reached double digits for the first time ever, according to the 2022 Cost of a Data Breach Report from IBM Security. The average cost of a healthcare data breach jumped almost $1 million to a record high of $10.1 million, which is 9.4% more than in 2021 and 41.6% more than in 2020. Across all industry sectors, the average cost of a data breach was up 2.6% year over year at $4.35 million, which is the highest average cost in the 17 years that IBM has been producing its annual cost of a data breach reports and 12.7% higher than in 2020.

The report is based on a study of 550 organizations in 17 countries and regions and 17 different industry sectors that suffered data breaches between March 2021 and March 2022. For the report, IBM Security conducted more than 3,600 interviews with individuals in those organizations. 83% of organizations represented in the report have experienced more than one data breach, and 60% of organizations said the data breach resulted in them having to increase the price of their products and services.

Summary of 2022 Data Breach Costs

  • Global average cost of a data breach – $4.35 million (+2.6%)
  • Global average cost per record – $164 (+1.9%)
  • Average cost of a U.S. data breach – $9.44 million (+4.3%)
  • Average cost of a healthcare data breach – $10.1 million (+9.4%)
  • Average cost of a ransomware attack – $4.54 million (-1.7%)
  • Average cost where phishing was the initial attack vector $4.91 million
  • Average cost of a $1 million record data breach – $49 million
  • Average cost of 50-60 million record data breach – $387 million

For the first time in at least six years, the biggest component of the data breach costs was detection and escalation, which cost $1.44 million in 2022, up from $1.24 million in 2021. Next was lost business, which cost an average of $1.42 million in 2022, down from $1.59 million in 2022. Post-breach response increased slightly from $1.14 million in 2021 to $1.18 million in 2022, and there was a small increase in notification costs, which rose from $0.27 million in 2021 to $0.31 million in 2022.

On average, 52% of the breach costs are incurred in the first year, 29% in the second year, and 19% after two years. In highly regulated industries such as healthcare, a much larger percentage of the costs are incurred later, with 45% of costs in the first year, 31% in year 2, and 24% later than year 2, which was attributed to regulatory and legal costs.

The report explored the different initial attack vectors and found that the most common entry route was the use of stolen credentials, which accounted for 19% of all data breaches, with these data breaches costing an average of $4.5 million. Phishing attacks accounted for 16% of all data breaches, and phishing was the costliest attack vector, with an average data breach cost of $4.91 million, closely followed by business email compromise attacks, which accounted for 6% of all data breaches and cost an average of $4.89 million. Cloud misconfigurations accounted for 15% of data breaches and cost an average of $4.14 million, and vulnerabilities in third-party software accounted for 13% of data breaches and cost an average of $.55 million per breach.

The average time to identify a data breach was 207 days in 2022, down from 212 days in 2021. The average time to contain a data breach was 277 days, down from 287 days in 2021. A shorter data breach lifecycle (time to identify and contain a breach) equates to a lower breach cost. Data breaches with a lifecycle of fewer than 200 days cost 26.5% ($1.12 million) less on average than data breaches with a lifecycle of over 200 days.

One of the most important steps to take to improve security is to adopt zero trust strategies, but only 59% of organizations had adopted zero trust, and almost 80% of critical infrastructure organizations had yet to implement zero-trust strategies. The average breach cost for critical infrastructure organizations without zero trust was $5.4 million, which was $1.17 million more than those that had implemented zero trust strategies.

Cost of Data Breaches by Breach Cause

The average cost of a ransomware attack fell slightly by 1.7% to $4.54 million, not including the cost of the ransom itself. Ransomware attacks increased significantly in 2022 and accounted for 11% of all data breaches, up from 7.8% of data breaches in 2021. Ransomware attacks took 49 days longer to identify and contain than the global average, taking an average of 237 days to identify the intrusion and 89 days to contain the attack. Paying the ransom only saw a $610,000 reduction in data breach costs, on average, not including the amount of the ransom. Since ransom amounts are often high, the report indicates that paying the ransom does not necessarily lower the breach cost. In fact, paying may well increase the cost of the breach.

Around one-fifth of data breaches were the result of supply chain compromises. The average cost of a supply chain compromise was $4.46 million, which was 2.5% higher than the overall average cost of a data breach. It took an average of 235 days to identify the breach and 68 days to contain the breach – 26 days more than the average data breach

45% of data breaches occurred in the cloud, with data breaches in the public cloud costing considerably more than data breaches with a hybrid cloud model. 43% of organizations that experienced a data breach in the cloud were in the early stages of their migration to the cloud and had not started applying security practices to secure their cloud environments. Organizations in the early stages of cloud adoption had data breach costs of an average of $4.53 million, whereas those at a mature stage had average breach costs of $3.87 million.

Data Breach Cost Savings

IMB identified several steps that organizations can take to reduce the financial cost and reputational consequences of a data breach. The main cost-saving elements were:

  • Fully deployed security AI and automation – $3.05 million
  • Incident response team with regularly tested IR plan – $2.66 million
  • Adoption of zero trust – $1.5 million
  • Mature cloud security practices – $720,000
  • Being fully staffed vs insufficiently staffed $550,000
  • Use of extended detection and response (XDR) technologies – 29-day reduction in response time

The post IBM: Average Cost of a Healthcare Data Breach Reaches Record High of $10.1 Million appeared first on HIPAA Journal.

Cloud Security Alliance Releases Third Party Vendor Risk Management Guidance for Healthcare Organizations

Posted by HIPAA Journal

Cyber actors are increasingly targeting business associates of HIPAA-covered entities as they provide an easy way to gain access to the networks of multiple healthcare organizations. To help healthcare delivery organizations (HDOs) deal with the threat, the Cloud Security Alliance (CSA) has published new guidance on third-party vendor risk management in healthcare. The guidance was drafted by the Health Information Management Working Group and includes examples and use cases and provides information on some of the risk management program tools that can be used by HDOs for risk management.

Third-party vendors provide invaluable services to HDOs, including services that cannot be effectively managed in-house; however, the use of vendors introduces cybersecurity, reputational, compliance, privacy, operational, strategic, and financial risks that need to be managed and mitigated. The guidance is intended to help HDOs identify, assess, and mitigate the risks associated with the use of third-party vendors to prevent and limit the severity of security incidents and data breaches.

Cyberattacks on vendors serving the healthcare industry have increased in recent years. Rather than attacking an HDO directly, a cyber actor can attack a vendor to gain access to sensitive data or to abuse the privileged access the vendor has to a HDO’s network. For example, a successful intrusion at a managed service provider allows a threat actor to gain access to the networks of all of the company’s clients by abusing the MSP’s privileged access to client systems. This is advantageous for a hacker as it means it is not necessary to hack into the networks of each MSP client individually.

When third-party vendors are used, the attack surface is increased significantly, and managing and reducing risk can be a challenge. While third-party vendors are used in all industry sectors, third-party vendor security risks are most prevalent in the healthcare sector. The CSA suggests that this is due to the lack of automation, extensive use of digital applications and medical devices, and the lack of fully deployed critical vendor management controls. Since healthcare organizations tend to use a large number of vendors, conducting comprehensive and accurate risk assessments for all vendors and implementing critical vendor management controls can be a very time-consuming and costly process.

“Healthcare Delivery Organizations entrust the protection of their sensitive data, reputation, finances, and more to third-party vendors. Given the importance of this critical, sensitive data, combined with regulatory and compliance requirements, it is crucial to identify, assess, and reduce third-party cyber risks,” said Dr. James Angle, the paper’s lead author and co-chair of the Health Information Management Working Group. “This paper offers a summary of third-party vendor risks in healthcare as well as suggested identification, detection, response, and mitigation strategies.”

If an HDO chooses to use a third-party vendor, it is essential that effective monitoring controls are implemented, but it is clear from the number of third-party or vendor-related data breaches that many healthcare organizations struggle to identify, protect, detect, respond to, and recover from these incidents, which suggests the current approaches for assessing and managing vendor risks are failing. These failures can have a major financial impact, not just in terms of the breach mitigation costs, but HDOs also face the risk of regulatory fines from the HHS’ Office for Civil Rights and state Attorneys General and there is also significant potential for long-lasting reputation damage.

The CSA makes several suggestions in the paper, including adopting the NIST Cybersecurity Framework for monitoring, measuring, and tracking third-party risk. The NIST Framework is mostly concerned with cybersecurity, but the same principles can also be applied for measuring other types of risk. The core functions of the framework are identify, protect, detect, respond, and recover. Using the framework, HDOs can identify risks, understand what data is provided to each, prioritize vendors based on the level of risk, implement safeguards to protect critical services, ensure monitoring controls are implemented to detect security incidents, and a plan is developed for responding to and mitigating any security breach.

“The increased use of third-party vendors for applications and data processing services in healthcare is likely to continue, especially as HDOs find it necessary to focus limited resources on core organizational objectives and contract out support services, making an effective third-party risk management program essential,” said Michael Roza, a contributor to the paper.

The post Cloud Security Alliance Releases Third Party Vendor Risk Management Guidance for Healthcare Organizations appeared first on HIPAA Journal.

HC3 Warns of Risk of Web Application Attacks on Healthcare Organizations

Posted by HIPAA Journal

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued guidance to help healthcare organizations protect against web application attacks.

Web applications have grown in popularity in healthcare in recent years and are used for patient portals, electronic medical record systems, scheduling appointments, accessing test results, patient monitoring, online pharmacies, dental CAD systems, inventory management, and more. These applications are accessed through a standard web browser, however, in contrast to most websites, the user is required to authenticate to the application.

Web application attacks are conducted by financially motivated cybercriminals and state-sponsored Advanced Persistent Threat (APT) actors for a range of different nefarious activities. Attacks exploiting vulnerabilities in web applications have been increasing and web application attacks are now the number one healthcare attack vector, according to the 2022 Verizon Data Breach Investigations Report.

Web application attacks most commonly target internet-facing web servers and commonly leverage stolen credentials to gain access to the application or exploit vulnerabilities in the application or underlying architecture. Web application attacks include cross-site scripting (XSS), SQL injection (SQLi), path traversal, local file inclusion, cross-site request forgery (CSRF), and XML external entity (XXE). These attacks are conducted to gain access to sensitive data, to access applications and networks for espionage, or for extortion, such as ransomware attacks. The May 2021 ransomware attack on Scripps Health used a web application attack as the initial attack vector. The attack saw the EHR system and patient portal taken out of action for several weeks.

Distributed Denial of Service attacks on web applications may be conducted to deny access to the application. Comcast Business reports that in 2021, the healthcare sector was the industry most affected by DDoS attacks on web applications, with attacks increasing in response to the COVID-19 pandemic, vaccine availability, and school openings. DDoS attacks are commonly conducted as a smokescreen. While IT teams fight to resolve the DDoS attack, their attention is elsewhere and malware is deployed on the network. DDoS attacks are also conducted by hacktivists. A Major DDoS attack was conducted on Boston Children’s Hospital in April 2014 over the course of a week by a hacker in response to a child custody issue. In that attack, individuals were prevented from accessing the appointment scheduling system, fundraising site, and patient portal.

Like all software-based solutions, web applications may contain vulnerabilities that could potentially be exploited remotely by threat actors to gain access to the applications themselves or the underlying infrastructure and databases. When developing web applications, it is important to follow web application security best practices and design the applications to continue to function as expected when they come under attack and to prevent access to assets by potentially malicious agents. Secure development practices can help to prevent vulnerabilities from being introduced, and security measures should be implemented throughout the software development lifecycle to ensure that design-level flaws and implementation-level vulnerabilities are addressed.

HC3 has suggested several mitigations to protect against web application attacks and limit the harm that can be caused. These include

  • Automated vulnerability scanning and security testing
  • Web application firewalls for blocking malicious traffic
  • Secure development testing
  • CAPTCHA and login limits
  • Multifactor authentication
  • Logon monitoring
  • Screening for compromised credentials

Healthcare organizations should also refer to the Health Industry Cybersecurity Practices (HICP), established under the HHS 405(d) program, for mitigating vulnerabilities in web applications, and web application developers should refer to the OWASP Top 10, which is a standard awareness document detailing the most critical security risks to web applications.

The post HC3 Warns of Risk of Web Application Attacks on Healthcare Organizations appeared first on HIPAA Journal.

Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers

Posted by HIPAA Journal

The U.S Department of Justice has announced that around $500,000 in Bitcoin has been seized from North Korean threat actors who were using Maui ransomware to attack healthcare organizations in the United States.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a security alert warning that North Korean hackers have been targeting the healthcare and public health sector in the United States using Maui ransomware since at least May 2021. The attacks have caused extensive disruption to IT systems and medical services and have put patient safety at risk.

The new ransomware variant was discovered during an investigation of a ransomware attack on a hospital in Kansas in May 2021. The attack was traced to a North Korean hacking group that is suspected of receiving backing from the state. The Kansas hospital had its servers encrypted, preventing access to essential IT systems for more than a week. The hospital paid a ransom of $100,000 for the keys to decrypt files and regain access to its servers and promptly notified the FBI about the attack and payment. The FBI was able to trace the payment, which was passed to money launderers in China, along with another payment of approximately $120,000 that was made by a healthcare provider in Colorado.

In May 2022, the FBI filed a seizure warrant in the District of Kansas to recover payments made in cryptocurrencies to the Maui ransomware gang, and ransom payments of approximately $500,000 were recovered from the seized cryptocurrency accounts. The funds have been forfeited by the ransomware gang and have been returned to healthcare providers in Kansas and Colorado.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco today at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”

Microsoft has also recently reported that a North Korean hacking group that operates under the name HolyGhost has also been using ransomware attacks on SMBs in the United States. It is not clear if the attacks are being conducted by a state-sponsored hacking group or if individuals associated with the Lazarus Group are moonlighting and conducting the attacks independently.

“Today’s success demonstrates the result of reporting to the FBI and our partners as early as possible when you are a victim of a cyberattack; this provides law enforcement with the ability to best assist the victim,” said FBI Cyber Division Assistant Director Bryan Vorndran. “We will continue to pursue these malicious cyber actors, such as these North Korean hackers, who threaten the American public regardless of where they may be and work to successfully retrieve ransom payments where possible.”

The post Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers appeared first on HIPAA Journal.

Study Confirms Security Awareness Training Significantly Reduces Susceptibility to Phishing Attacks

Posted by HIPAA Journal

A recent Phishing by Industry Benchmarking Report has confirmed that providing security awareness training to the workforce significantly reduces susceptibility to phishing attacks. The benchmarking study was conducted by KnowBe4 to determine how effective security awareness training is at reducing susceptibility to phishing attacks. For the report, KnowBe4 analyzed data from more than 9.5 million users across 19 industry sectors, over 30,000 organizations, and 23.4 million simulated phishing emails. The study was conducted on small 22,558 organizations with 1-249 employees, 5,876 mid-sized organizations with between 250 and 999 employees, and 1,709 large organizations with 1,000 or more employees.

According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of data breaches in 2021 involved a human element, confirming that people play a major role in security incidents and data breaches. Cybercriminals continue to target the human element as it provides an easy way of gaining access to business networks, and one of the main whys that employees are targeted is through phishing, which has continued to increase year over year.

Technology exists to block phishing attacks, and while products such as spam filters, antivirus software, and web filters are effective and will block a substantial number of threats, some threats will bypass those defenses and will reach employees. Many organizations fail to invest adequately in security awareness training and intervention, even though it is just as important as technology.

For the study, KnowBe4 established a baseline against which the effect of security awareness training could be measured, which the company calls the phish-prone percentage (PPP). The baseline PPP is the percentage of employees who clicked on simulated phishing emails prior to any security awareness training being provided. Training was then provided to employees and the PPP was recalculated after 90 days and after one year of continuous training.

Across all industry sectors and organization sizes, the average baseline PPP was 32.4%, which was one point higher than in 2021. The baseline in small healthcare and pharmaceutical organizations (32.5%) was second worst out of all industry sectors behind education (32.7%). The PPP was second worst in mid-sized organizations (36.6%) behind the hospitality sector (39.4%), and fourth worst in large organizations with a PPP of 45%.

When the phishing test was repeated 90 days after the provision of training, the PPP had dropped to 19.7% at small healthcare and pharmaceutical organizations, 19.1% at mid-sized organizations, and 17.2% at large organizations – Percentage drops of 12.8, 17.5, and 27.8 respectively. Across all industry sectors, the PPP fell from 32.4% to 17.6%. These figures clearly demonstrate the benefits of providing security awareness training to employees and that training provides a fast return on investment.

The third phase of the study involved a repeat of the phishing test after a year of ongoing training and saw the average PPP across all industry sectors and organization sizes drop from 32.4% to 5%. The healthcare and pharmaceutical sector saw the PPP drop to 4.1% in small organizations, 5.1% in mid-sized organizations, and 5.9% in large organizations. That equates to an 87% improvement in small healthcare and pharmaceutical organizations, an 86% improvement in mid-sized organizations, and an 87% improvement in large organizations.

“As with any significant change, it takes time to break old habits and create new ones, “explained KnowBe4 in the report. “Once these new habits are formed, however, they become the new normal, part of the organizational culture, and influence how others behave, especially new hires who look to others to see what is socially and culturally acceptable in the organization.”

KnowBe4 also pointed out that in order to favorably change overall security behaviors, security awareness training programs need to have a clearly defined and communicated mandate, a strong alignment with organizational security policies, an active connection to overall security culture, and full support of executives. “Without consistent and enthusiastic executive support, raising security awareness within an organization is certain to fail.”

The post Study Confirms Security Awareness Training Significantly Reduces Susceptibility to Phishing Attacks appeared first on HIPAA Journal.

Cyber Safety Review Board Says Log4j Vulnerabilities Endemic and Will Persist for Years

Posted by HIPAA Journal

The Cyber Safety Review Board (CSRB), established by President Biden in February 2022, has published a report on the Log4j vulnerability – CVE-2021-44228 – and associated vulnerabilities that were discovered in late 2021. The vulnerabilities affect the open source Java-based logging tool, Log4j, and, according to CSRB, they are endemic and are likely to be present in many systems for years to come.

The Log4j vulnerability can be exploited remotely to achieve code execution on vulnerable systems and was assigned a maximum CVSS severity score of 10 out of 10. According to the report, the vulnerabilities are among the most serious to be discovered in recent years.

The CSRB includes 15 cybersecurity leaders from the private sector and government and has been tasked with conducting reviews of major cybersecurity events and making recommendations for improving public and private sector cybersecurity. The Log4J vulnerability report is the first to be published by the CSRB since its formation.

“At this critical juncture in our nation’s cybersecurity, when our ability to handle risk is not keeping pace with advances in the digital space, the Cyber Safety Review Board is a new and transformational institution that will advance our cyber resilience in unprecedented ways,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The CSRB’s first-of-its-kind review has provided us – government and industry alike – with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security.”

For the Log4j vulnerability review, the CSRB engaged with almost 80 organizations to gain an understanding of how the vulnerability has been or is still being mitigated, in order to develop actional recommendations to prevent and effectively respond to future incidents such as this.

The report is broken down into three sections, providing factual information on the vulnerability and what happened, the findings and conclusions based on an analysis of the facts, and a list of recommendations. The 19 actionable recommendations are subdivided into four categories: Address the continued risks from theLog4j vulnerabilities; drive existing best practices for security hygiene; build a better software ecosystem; and investments in the future.

One of the most important recommendations is to create and maintain an accurate IT asset inventory, as vulnerabilities cannot be addressed if it is not known where the vulnerabilities exist. It is essential to have a complete software bill of materials (SBOM) that includes all third-party software components and dependencies used in software solutions. One of the biggest problems with addressing the Log4j vulnerabilities is understanding which products were affected. The report also recommends enterprises develop a vulnerability response program and a vulnerability disclosure and handling process and suggests the U.S. government investigate whether a Software Security Risk Assessment Center of Excellence is viable.

“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future. Our review of Log4j produced recommendations that we are confident can drive change and improve cybersecurity,” said CSRB Chair and DHS Under Secretary for Policy Robert Silvers.

The post Cyber Safety Review Board Says Log4j Vulnerabilities Endemic and Will Persist for Years appeared first on HIPAA Journal.

Oklahoma State University Settles HIPAA Case with OCR for $875,000

Posted by HIPAA Journal

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.

OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, in response to the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server which allowed the hacker(s) to access the electronic protected health information of 279,865 individuals.

The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach occurred on November 7, 2017; however, it was later reported that the hackers first had access to the ePHI of patients 20 months earlier on March 9, 2016,

OCR investigators determined OSU-CHS had potentially violated the following provisions of the HIPAA Rules:

  • Impermissible disclosure of the ePHI of 279,865 individuals – 45 C.F.R. § 164.502(a)
  • Failure to conduct a comprehensive and accurate organization-wide risk analysis –45 C.F.R. § 164.308(a)(l)(ii)(A)
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. 164.308(a)(8)
  • Failure to implement audit controls – 45 C.F.R. § 164.312(b)
  • A security incident response and reporting failure – 45 C.F.R. § 164.308(a)(6)(ii)
  • Failure to provide timely breach notification to affected individuals – 45 C.F.R. § 164.404
  • Failure to provide timely breach notification to the Secretary of the HHS – 45 C.F.R. § 164.408

In addition to the financial penalty, OSU-CHS has agreed to implement a corrective action plan to resolve all areas of non-compliance identified by OCR and will be closely monitored for compliance with the corrective action plan and the HIPAA Rules for two years. The case was settled with no admission of liability or wrongdoing.

“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

This is the fifth financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, and the 111th penalty to be imposed since OCR was given the authority to fine HIPAA-regulated entities for HIPAA violations.

The post Oklahoma State University Settles HIPAA Case with OCR for $875,000 appeared first on HIPAA Journal.

Over 10,000 Organizations Targeted in Ongoing MFA-Bypassing Phishing and BEC Campaign

Posted by HIPAA Journal

Microsoft has warned of a large-scale phishing campaign targeting Office 365 credentials that bypasses multi-factor authentication (MFA). The campaign is ongoing and more than 10,000 organizations have been targeted by scammers in the past 10 months.

Microsoft reports that one of the phishing runs used emails with HTML file attachments, with the email telling the user about a Microsoft voicemail message that had been received. The HTML file had to be opened to download the message. The HTML file serves as a gatekeeper, ensuring the targeted user was arriving at the URL from a redirect from the original attachment.

The user is redirected to a website that hosts a popular open source phishing kit, which is used to harvest credentials. The user is told that they need to sign in to their Microsoft account to receive the voicemail message and after sign in an email will be sent to the user’s mailbox within an hour with the MP3 voicemail message attached. The user’s email address is auto-filled into the login window and the user only needs to enter their password.

This campaign is referred to as an adversary-in-the-middle (AiTM) phishing attack, as the phishing site sites between the targeted user and the genuine resource they are attempting to log into. Two different Transport Layer Security (TLS) sessions are used, one between the user and the attacker and another between the attacker and the genuine resource.

When credentials are entered on the attacker-controlled site, they are passed to the genuine resource. The response from the genuine resource is passed to the attacker, which is then relayed to the user. In addition to harvesting credentials, session cookies are stolen. The session cookie is injected into the browser to skip the authentication process, which still works even if multi-factor authentication is enabled. The phishing kit automates the entire process.

Source: Microsoft

Once the attacker has access to the user’s Office 365 email, the messages in the account are read to identify potential targets for the next phase of the attack. The attacker then sets up mailbox rules that mark certain messages as read and moves them to the archive folder to prevent the user from detecting their mailbox has been compromised. A business email compromise (BEC) scam is then conducted on the targets.

Message threads are hijacked, and the attacker inserts their own content to attempt to get the targeted individual to make a fraudulent wire transfer to an account under the control of the attacker. Since the emails are replies to previous communications, the recipient is likely to believe they are in a genuine conversation with the account owner, when they are only communicating with the attacker.

Microsoft said it takes as little as five minutes from the theft of credentials and session cookies for the first BEC email to be sent. With all replies to the request being automatically sent to the archive, the attacker can simply check the archive for any replies and does so every few hours. They are also able to identify any further potential targets to conduct BEC scams on. While the account compromise is automated, the BEC attacks appear to be conducted manually. Any emails sent or received are manually deleted from the archive folder and sent folder to avoid detection. BEC attacks such as this can involve fraudulent transfers of thousands or even millions of dollars.

Defending against these attacks requires advanced email security solutions that scan inbound and outbound emails and can also block access to malicious websites – an email security solution and a DNS filter for instance. Microsoft also recommends implementing conditional access policies that restrict account access to specific devices or IP addresses. Microsoft also recommends continuously monitoring emails for suspicious or anomalous activities, such as sign-in attempts with suspicious characteristics.

With respect to the MFA bypass, Microsoft stresses that while AiTM attacks can bypass MFA, MFA remains an important security measure and is effective at blocking many threats. Microsoft suggests making MFA implementations “phish-resistant” by using solutions that support Fast ID Online (FIDO) v2.0 and certificate-based authentication.

The post Over 10,000 Organizations Targeted in Ongoing MFA-Bypassing Phishing and BEC Campaign appeared first on HIPAA Journal.