Healthcare Cybersecurity

Cybersecurity Awareness Month Focuses on 4 Key Behaviors

October is Cybersecurity Awareness Month – a 19-year collaborative effort between the government and industry to improve awareness of cybersecurity in the United States, led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA).

2022 Cybersecurity Awareness Month – See Yourself in Cyber

The theme of this year’s Cybersecurity Awareness Month is See Yourself in Cyber, where the focus is on the actions that everyone should take to improve cybersecurity. In previous years, the month of October has been divided into four weeks, each of which has a different theme. This year, rather than have a different weekly theme, the focus each week will be on one of four key behaviors that everyone should adopt. Simply practicing these basics of cybersecurity will greatly improve an individual’s and an organization’s security posture.

  1. Enabling multifactor authentication – Improve access controls by adding additional authentication requirements in addition to a password. MFA can prevent access from being granted to accounts using stolen credentials.
  2. Using strong passwords and a password manager – Set strong, unique passwords for all accounts that are resilient to brute force attacks and use a password manager to create those passwords and store them securely in an encrypted password vault.
  3. Updating software – Ensure software is kept up to date and apply patches promptly to correct known vulnerabilities.
  4. Recognizing and reporting phishing – Learn about the signs of phishing, the red flags in emails, text messages, social media posts, and telephone calls that can indicate a phishing attempt, and ensure phishing attempts are reported.

“To build a more resilient nation, everyone—from K through Gray—has a role to play, which is why our theme for this year’s Cybersecurity Awareness Month is ‘See Yourself in Cyber,’” said CISA Director Jen Easterly. “This October, we are taking this message directly to the American people because whether you’re a network defender or anyone with an internet connection, we all have a role to play in strengthening the cybersecurity of our nation.”

Improving Cybersecurity Awareness in Healthcare

Many cyberattacks succeed due to mistakes by employees and a lack of awareness of basic aspects of cybersecurity. According to the 2022 Verizon Data Breach Investigations Report, 82% of data breaches in 2021 involved the human element. Improving security awareness of the workforce by focusing on the above key behaviors will go a long way toward improving security and preventing data breaches.

Security awareness training is a requirement for compliance with the HIPAA Security Rule. The administrative safeguards of the HIPAA Security Rule require all HIPAA-regulated entities to train all workforce members on internal security policies and procedures, with the 45 CFR § 164.308 (a)(5)(i) standard requiring “a security awareness and training program for all members of its workforce (including management).”

HIPAA-regulated entities should adopt a risk-based approach when developing training courses and should teach cybersecurity basics and focus on the most important behaviors that can reduce risk. The HHS’ Office for Civil Rights has issued guidance on aspects of cybersecurity to include in security awareness training programs and raises awareness of important themes in its quarterly cybersecurity newsletters.

“The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members,” explained OCR in its Q1, 2022 cybersecurity newsletter. “A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond.” OCR also stressed the need for training to be provided to all members of the workforce, which includes management personnel and senior executives.

Training should be followed up with regular security reminders, which are an addressable specification of the HIPAA Security Rule. Cybersecurity Awareness Month is the ideal time to focus on security reminders and develop a program for delivering these reminders regularly. OCR suggests security reminders can include cybersecurity newsletters, but also phishing simulations to members of the workforce to gauge the effectiveness of the security awareness and training program, and to provide additional, targeted training to employees who are fooled by the simulations. HIPAA-regulated entities should consider implementing a mechanism that allows employees to easily report phishing attempts and suspicious emails to their security teams, such as an email client add-on that allows one-click reporting, and to encourage employees this month to report potential threats.

Multifactor authentication is an effective additional safeguard for improving access controls and preventing stolen credentials from being used to access accounts. This month is the ideal time to accelerate plans to implement multifactor authentication – if MFA has not already been implemented – and to ensure that it is applied to all accounts. Phishing campaigns are being conducted that allow certain types of multifactor authentication to be bypassed. To protect against these MFA bypass attacks, MFA implementations can be made more resilient by using a solution that supports FIDO2 (Fast Identity Online) and certificate-based authentication.

Brute force attacks often succeed due to employees setting weak passwords or reusing passwords on multiple accounts. HIPAA-regulated entities should enforce their password policies, but also make compliance with those policies easier for employees by supplying a business password manager. Password managers can suggest truly random, complex passwords, and greatly improve password security and management.

It is easy to focus on technical defenses for protecting ePHI and preventing unauthorized access, but the importance of training cannot be overstated. Ensuring all employees are aware of the above key behaviors and are practicing good cyber hygiene will go a long way toward improving the cybersecurity posture of the entire organization.

The post Cybersecurity Awareness Month Focuses on 4 Key Behaviors appeared first on HIPAA Journal.

Zero Day Microsoft Exchange Server Vulnerabilities Being Actively Exploited

Microsoft was warned that two zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited in the wild and has shared mitigations ahead of the vulnerabilities being patched.

The two flaws are being chained together and are being exploited by a Chinese threat actor. The attacks have been limited so far, but the healthcare and public health sector in the United States could potentially be a target.

The flaws affect Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that can be exploited for initial access, after which the second vulnerability, a remote code execution flaw tracked as CVE-2022-41082, can be exploited. The second vulnerability can only be exploited if PowerShell is accessible to the attacker.

Microsoft has confirmed that the flaws cannot be exploited by an unauthenticated attacker. Both vulnerabilities require authenticated access to a vulnerable Microsoft Exchange Server to be exploited, such as if an attacker had valid stolen credentials. The first vulnerability has been assigned a CVSS severity score of 8.8 out of 10 and the second vulnerability has a CVSS score of 6.3. If the flaws are exploited, a threat actor could deploy a backdoor for persistent access. The attackers have deployed the China Chopper web shell for persistent access in some of the attacks, which suggests the flaws are being exploited by a state-sponsored Chinese hacking group.

Microsoft says it is working on patches for the flaws on an accelerated timeline and has shared mitigations that users of on-premises Microsoft Exchange Servers can implement ahead of the patches being released. Microsoft said it has implemented detection rules for Microsoft Exchange Online and has mitigations in place to protect customers, so Exchange Online customers do not need to take any action to prevent exploitation of the flaws.

Customers with on-premises Microsoft Exchange Servers can add a blocking rule under ‘IIS Manager -> Default Web Site -> URL Rewrite -> Actions’ to block the known attack patterns, which are described in the Microsoft Security Response Center blog.

Medical Device Cybersecurity Requirements Stripped from FDA Reauthorization Bill

The U.S. Food and Drug Administration (FDA) user fee reauthorization bill passed by the House of Representatives in June included new provisions requiring medical device manufacturers to monitor for and address postmarket cybersecurity vulnerabilities in their devices, to label medical devices with a software bill of materials, and to ensure devices are capable of receiving patches so that cybersecurity is maintained for the entire lifecycle of the devices. The bill was passed with a vote of 392-28; however, those cybersecurity requirements have now been stripped out.

The FDA’s authorization to collect fees from the healthcare sector to conduct independent reviews of drugs and medical devices was due to come to an end on September 30, and with time running out, the FDA bowed to pressure from Senate Republicans and stripped out the new cybersecurity requirements for medical device manufacturers. Were the FDA’s 5-year authorization not to be renewed, the FDA anticipated only being able to continue its review activities for around 5 weeks before its money ran out. The FDA reauthorization was included in a temporary spending bill that has now been passed and will keep the FDA and the rest of the Federal government funded through December 16, 2022.

“In June, the House passed a user fee reauthorization package on time with overwhelming bipartisan support. After the House passed its user fee package, bipartisan Energy and Commerce and HELP leaders came to agreement on language to cover many significant policy areas that we wanted included in the Continuing Resolution,” said Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-NJ) in a statement. “Unfortunately, Senate Republican leadership blocked these policy agreements from being included.”

U.S. Senators Patty Murray (D-WA) and Richard Burr (R-NC), Chair and Ranking Member of the Senate Committee on Health, Education, Labor, and Pensions (HELP), issued a statement on the FDA reauthorization. “We are glad to announce an agreement to reauthorize the FDA user fee programs, which will ensure that FDA can continue its important work and will not need to send out pink slips. However, there is more work ahead this Congress to deliver the kinds of reforms families need to see from FDA, from industry, and from our mental health and pandemic preparedness efforts.” The senators confirmed that they are committed to continuing that work, and will be including strong, bipartisan legislation in a robust end-of-year package.

The removal of the cybersecurity requirements is a disappointment but not surprising. Healthcare organizations should not wait for regulatory changes and should ensure that they proactively identify and address vulnerabilities in medical devices to ensure the security of their networks, confidentiality of data, and patient safety.

Healthcare Industry Warned About Risk Posed by APT41 Threat Group

The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning about the Chinese state-sponsored threat actor tracked as APT41. The group has been active since at least 2012 and has a history of targeting the healthcare sector, as well as education, high-tech, media, retail, software, pharma, telecoms, video games, travel services, and virtual currencies, with companies in the United States frequently targeted.

The group is known to conduct spear phishing, watering hole, and supply chain attacks, and frequently deploys backdoors to maintain persistent access to victims’ networks. Recently the threat group has been observed using SQL injection for initial access and deploying Cobalt Strike beacons, which are uploaded in small chunks. The group gains access to networks, gathers intelligence that can be used in future attacks, and steals industry-specific information.

Once initial access is gained, the group escalates privileges, performs internal reconnaissance using compromised credentials, moves laterally within networks using Remote Desktop Protocol (RDP) and stolen credentials, adds admin groups, and uses brute-force utilities. The group uses public and private malware and maintains persistence through backdoors. It is known to use the BLACK COFFEE reverse shell, the China Chopper web shell, Cobalt Strike, the Gh0st RAT and PlugX remote access tools, Mimikatz for credential theft, and the ShadowPad backdoor. Data of interest is added to a RAR archive for exfiltration, and the group covers its tracks by deleting evidence of compromise.

APT41 – also known as Double Dragon, Barium, Winnti, Wicked Panda, Wicked Spider, TG-2633, Bronze Atlas, Red Kelpie – conducted targeted campaigns on the healthcare sector in 2014, 2015, 2016, 2018, 2019, and 2020. Initially, the group was interested in IT and medical device software companies but has also targeted biotech firms and US cancer research facilities. In the attacks on cancer research facilities, the group exploited the CVE-2019-3396 vulnerability in Atlassian Confluence Server to gain access to networks and deployed EVILNUGGET malware.

In one of the more recent campaigns targeting healthcare organizations between January 2020 and March 2020, the group targeted Citrix, Cisco, and Zoho endpoints, exploiting the CVE-2019-19781 Citrix directory traversal vulnerability, and the CVE-2020-10189 Zoho remote code execution vulnerability. At least 75 organizations were targeted in the campaign.

In 2021 and 2022, the group conducted two zero-day attacks on the Animal Health Reporting Diagnostic System (USAHERDS) web-based application and successfully compromised at least six US state governments. The attacks are thought to have involved exploitation of the Log4j remote code execution vulnerability (CVE-2021-44228) and the zero-day hard-coded credentials vulnerability, CVE-2021-44207, which allowed the group to bypass authentication.

Members of the group were named in two separate indictments in 2019 and 2020 concerning their involvement in computer intrusions at 100 companies globally; however, the group remains highly active, and the indictments do not appear to have slowed down the group’s operations. The group is a key player in helping to make China’s 14th Five-Year Plan a success and achieve major scientific and technological advances in new generation artificial intelligence, quantum information, integrated circuits/semiconductors, neuroscience and brain-inspired research, genetics and biotechnology, clinical medicine and health, and deep sea, deep space, and polar exploration. The group is considered to be a significant threat to the healthcare and pharmaceutical industries in the United States.

Vulnerability Identified in Medtronic MiniMed 600 Series Insulin Pumps

The Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued a warning about a recently discovered vulnerability that affects certain Medtronic insulin pumps. The flaw could be exploited by a malicious actor to manipulate patients’ insulin doses, resulting in too much or too little insulin being delivered.

The vulnerability affects the following Medtronic NGP 600 Series Insulin Pumps and their accessory components:

  • MiniMed 620G: MMT-1710
  • MiniMed 630G: MMT-1715, MMT-1754, MMT-1755
  • MiniMed 640G: MMT-1711, MMT-1712, MMT-1751, MMT-1752
  • MiniMed 670G: MMT-1740, MMT-1741, MMT-1742, MMT-1760, MMT-1762, MMT-1780, MMT-1781, MMT-1782

The flaw exists in the communication protocol used by the pump system to pair with other system components. Successful exploitation of the flaw would allow a threat actor to slow or stop insulin delivery or trigger an unintended insulin bolus. The vulnerability cannot be exploited remotely by a threat actor over the Internet but could be exploited within wireless signal proximity to the patient and device. The vulnerability is tracked as CVE-2022-32537 and has a CVSS severity score of 4.8 out of 10 (medium severity).

Advanced technical knowledge is required to exploit the vulnerability, the flaw can only be exploited when the pump is being paired with other system components, and the attacker must be in close proximity to the pump, which limits the potential for exploitation. The FDA says it is unaware of any cases where the vulnerability has been exploited.

Medtronic has issued an urgent medical device correction warning about the vulnerability and has urged all users of the affected insulin pumps to take action to prevent exploitation of the flaw. In their default configuration, all of the above Medtronic NGP 600 Series Insulin Pumps are affected.

To prevent exploitation, Medtronic advises all users to turn off the Remote Bolus feature on the pump if it is turned on, and users should not conduct any connection linking of devices in public places. Users are advised to keep their pumps and connected system components within their control at all times, to be attentive to pump notifications, alarms, and alerts, to disconnect the USB device from the computer when it is not being used to download pump data, and never to confirm remote connection requests or any other remote actions unless they are personally initiated or have been initiated by their care partner.

Further information on mitigations can be found in Medtronic’s urgent medical device correction notice.

Monkeypox Phishing Campaign Targets Healthcare Providers

A warning has been issued to the healthcare and public health (HPH) sector about an ongoing Monkeypox phishing campaign targeting U.S. healthcare providers that attempts to steal Outlook, Office 365, and other email credentials.

Monkeypox is a highly contagious viral disease caused by a virus from the same family as smallpox. According to the Centers for Disease Control and Prevention (CDC), there have been almost 66,000 cases diagnosed globally in the current outbreak, and more than 25,100 cases in the United States. California, New York, Florida, Texas, and Georgia are the worst affected states, with the cases mostly confined to the LGBTQ+ community.

Malicious actors often piggyback on major news stories and use these themes to conduct convincing phishing campaigns. Campaigns using monkeypox lures were therefore inevitable, and they are likely to continue and increase in line with the rising numbers of cases. Monkeypox and COVID-19-related phishing campaigns have a high success rate as there is considerable interest in the outbreak and concern about infections.

The Health Sector Cybersecurity Coordination Center (HC3) warns that these emails may be sent from the email account of an HPH-related entity that has previously been compromised, or from a non-HPH-related entity. When a phishing email is sent from a trusted email account it increases the probability of the email being opened.

The emails claim to offer important information about the current monkeypox outbreak in the United States and have the subject line “Data from (Victim Organization Abbreviation): Important read about -Monkey Pox- (Victim Organization) (Reference Number).” The message body includes the text, “Please see the attached important read about ‘Monkey Pox’ for your reference. It is a good read; thought I’d share with you. Stay safe.”

The emails have a PDF file attachment named, “MPV Update_070722F.pdf” although other names may also be used. The attached file includes a malicious hyperlink that directs the recipient to a Lark Docs site, which has an Adobe Cloud theme and offers a secure fax document from Xerox Scanner to download. If the user attempts to download the file they will be directed to another website, where the user is told they must enter their valid email credentials in order to view the file. If those credentials are entered, they will be harvested and used by the threat actor to remotely access the user’s email account.

[Image: Monkeypox phishing website used to harvest email credentials. Source: HC3]
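The lure described above can be turned into a mail-gateway rule. The following is an added example, not HC3’s or HIPAA Journal’s code: it scores an inbound message against the indicators HC3 lists (subject wording, body wording, attachment name, and a link into a third-party document-sharing site). The field names, the scoring thresholds, the “lark” host substring and the sample messages are assumptions constructed for the example.

```python
"""Added example (not HC3's or HIPAA Journal's code): a mail-gateway style rule
that scores inbound mail against the indicators HC3 describes for the monkeypox
lure. Field names, thresholds and sample messages are constructed for this example."""
import re
from dataclasses import dataclass, field


@dataclass
class InboundMail:
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)
    # URLs the gateway extracted from the body and from inside attachments
    urls: list[str] = field(default_factory=list)


# Indicators taken from the HC3 description of the campaign.
SUBJECT_RE = re.compile(r"important read about\W*monkey\s*pox", re.I)
BODY_RE = re.compile(r"attached important read about\W*monkey\s*pox", re.I)
ATTACHMENT_RE = re.compile(r"^MPV Update_\w+\.pdf$", re.I)
# The lure link lands on a Lark Docs page; matching the host on the substring
# "lark" is an assumption for this example. Tune it to the hosts you observe.
DOC_HOST_RE = re.compile(r"^https?://[^/]*lark[^/]*/", re.I)


def monkeypox_lure_indicators(mail: InboundMail) -> list[str]:
    """Return the names of the campaign indicators present in one message."""
    hits = []
    if SUBJECT_RE.search(mail.subject):
        hits.append("subject")
    if BODY_RE.search(mail.body):
        hits.append("body")
    if any(ATTACHMENT_RE.match(name) for name in mail.attachments):
        hits.append("attachment_name")
    if any(DOC_HOST_RE.match(url) for url in mail.urls):
        hits.append("doc_share_link")
    return hits


def verdict(mail: InboundMail) -> str:
    """Map indicators to an action. The sender is deliberately not consulted:
    HC3 notes the lure may arrive from a compromised, trusted HPH account, so a
    known sender must not lower the score."""
    hits = monkeypox_lure_indicators(mail)
    if len(hits) >= 2:
        return "quarantine"
    if hits:
        return "flag_for_review"
    return "deliver"


# Constructed samples: one message shaped like the lure (sent from a partner
# account, as HC3 warns can happen) and one legitimate outbreak update that
# also mentions monkeypox but carries none of the campaign indicators.
LURE = InboundMail(
    sender="records@partner-clinic.example",
    subject="Data from ACME: Important read about -Monkey Pox- ACME (4471)",
    body='Please see the attached important read about "Monkey Pox" for your '
         "reference. It is a good read; thought I'd share with you. Stay safe.",
    attachments=["MPV Update_070722F.pdf"],
    urls=["https://docs.lark-placeholder.example/share/secure-fax"],
)
LEGIT = InboundMail(
    sender="alerts@health-dept.example",
    subject="Weekly monkeypox case count update",
    body="Case counts for the region are attached as a CSV.",
    attachments=["cases_week_38.csv"],
    urls=["https://health-dept.example/monkeypox/weekly"],
)

if __name__ == "__main__":
    for m in (LURE, LEGIT):
        print(m.subject, "->", verdict(m), monkeypox_lure_indicators(m))
```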

In addition to raising awareness of the monkeypox phishing campaign, healthcare organizations should be providing regular security awareness training to the workforce covering security best practices, such as the importance of setting long, complex passwords for all accounts, not clicking links or opening attachments in unsolicited emails, and to only download files from trusted publishers. Security awareness training should cover the phishing and social engineering techniques commonly used by threat actors, and it is recommended to also conduct phishing simulations on the workforce. Phishing simulations have been proven to significantly reduce susceptibility to phishing attempts.

Some employees will still click links and open attachments even with training, so it is important to ensure that technical measures are implemented to protect against phishing, such as spam filters to block phishing emails, web filters to block malicious websites, and multifactor authentication for email accounts to prevent unauthorized access to accounts using stolen credentials.

August 2022 Healthcare Data Breach Report

For the third successive month, the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights has fallen, with 49 breaches of 500 or more records reported in August – well below the 12-month average of 58 breaches per month. The 25.75% decrease from July 2022 was accompanied by a significant reduction in breached records, which dropped almost 30% month over month.

[Chart: Healthcare data breaches in the past 12 months]

Across the 45 data breaches, 3,741,385 healthcare records were exposed or impermissibly disclosed – well below the 5,135,953 records that were breached in August 2021, although slightly more than the 12-month average of 3,382,815 breached healthcare records per month.

[Chart: Breached healthcare records over the past 12 months]

Largest Healthcare Data Breaches Reported in August 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in August 2022, which have been summarized in the table below. It should be noted that the exact nature of the data breach is not always reported by the breached entity, such as if ransomware was used to encrypt files.

As the table below shows, the largest reported data breach of the month occurred at Novant Health and was due to the use of a third-party JavaScript code snippet, Meta Pixel, on the healthcare provider’s website. The code snippet is used on websites to track visitor activity but can send PHI to Meta (Facebook), which can then be used to serve targeted ads. Novant Health said a misconfiguration saw the code added behind the login on the patient portal.

So far, Novant Health is the only healthcare provider to report such a breach, even though investigations have revealed many other healthcare organizations have used the code snippet on their websites, several of which added the code to their patient portals. Multiple lawsuits have been filed over these privacy breaches.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Cause of Breach |
|---|---|---|---|---|---|
| Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc. | NC | Business Associate | 1,362,296 | Electronic Medical Record | Unauthorized disclosure to Meta through Meta Pixel code snippet on website |
| Practice Resources, LLC | NY | Business Associate | 942,138 | Network Server | Ransomware attack |
| Warner Norcross and Judd, LLP | MI | Business Associate | 255,160 | Network Server | Hacking and data theft incident |
| California Department of Corrections and Rehabilitation | CA | Healthcare Provider | 236,000 | Network Server | Hacking incident |
| Conifer Revenue Cycle Solutions, LLC | TX | Business Associate | 134,948 | Email | Hacking of Microsoft 365 environment |
| Common Ground Healthcare Cooperative | WI | Health Plan | 133,714 | Network Server | Ransomware attack on a business associate (OneTouchPoint) |
| Methodist McKinney Hospital | TX | Healthcare Provider | 110,244 | Network Server | Hacking and data theft incident |
| First Choice Community Health Care, Inc. | NM | Healthcare Provider | 101,541 | Network Server | Hacking incident |
| Onyx Technology LLC | MD | Business Associate | 96,814 | Network Server | Hacking incident |
| EmergeOrtho | NC | Healthcare Provider | 68,661 | Network Server | Ransomware attack |
| Lamoille Health Partners | VT | Healthcare Provider | 59,381 | Network Server | Ransomware attack |
| Henderson & Walton Women’s Center, P.C. | AL | Healthcare Provider | 34,306 | Email | Hacking incident |
| St. Luke’s Health System, Ltd. | ID | Healthcare Provider | 31,573 | Network Server | Hacking incident at billing vendor |
| San Diego American Indian Health Center | CA | Healthcare Provider | 27,367 | Network Server | Hacking and data theft incident |
| Rock County Human Services Department | WI | Healthcare Provider | 25,610 | Email | Unauthorized access to email accounts |
| NorthStar HealthCare Consulting LLC | GA | Business Associate | 18,354 | Email | Unauthorized access to email accounts |
| Methodist Craig Ranch Surgical Center | TX | Healthcare Provider | 15,157 | Network Server | Hacking and data theft incident (Methodist McKinney) |
| Valley Baptist Medical Center – Harlingen | TX | Healthcare Provider | 11,137 | Network Server | Ransomware attack (Practice Resources) |

Causes of August 2022 Data Breaches

The above table shows hacking incidents continue to be a major problem for the healthcare industry, with ransomware often used in the attacks. There has been a growing trend for attackers to conduct data theft and extortion attacks, without using ransomware. While the consequences for patients may still be severe, the failure to encrypt files causes less disruption; however, a recent study by Proofpoint suggests that patient safety issues are still experienced after cyberattacks when ransomware is not used. Around 22% of healthcare providers reported seeing an increase in mortality rate following a major cyberattack and 57% reported poorer patient outcomes.

Healthcare organizations are vulnerable to email attacks, with phishing attacks a common cause of data breaches. There has also been an increase in the use of reverse proxies in attacks, which allow threat actors to steal credentials and bypass multifactor authentication to gain access to Microsoft (Office) 365 environments.

[Chart: Causes of August 2022 healthcare data breaches]

35 of the month’s breaches (71.4%) were attributed to hacking/IT incidents and involved the exposure or theft of 2,337,485 healthcare records – 62.48% of the month’s reported breached records. The mean breach size was 66,785 records and the median breach size was 7,496 records.

There were 10 reported unauthorized access/disclosure incidents involving 1,398,595 records – 37.38% of the month’s breached records. The mean breach size was 139,860 records and the median breach size was 1,375 records. 1,362,296 of those records were breached in the Novant Health incident. There were 4 loss/theft incidents (2 losses; 2 theft) involving 5,305 records. The mean breach size was 1,326 records and the median breach size was 1,357 records.

The number of hacking incidents is reflected in the location of breached PHI, as shown in the chart below.

[Chart: Location of breached PHI in August 2022]

Data Breached by HIPAA Regulated Entity

Healthcare providers were the worst affected HIPAA-regulated entity type, with 35 data breaches reported. 9 breaches were reported by business associates, and 5 breaches were reported by health plans. Data breaches are not always reported by business associates directly, with some HIPAA-covered entities choosing to report breaches that occurred at their business associates. The chart below takes this into account and shows data breaches based on where they occurred. While 14 data breaches occurred at business associates in August, this is a notable reduction from the previous few months. In July there were 36 data breaches at business associates, and 40 in June.

[Chart: August 2022 healthcare data breaches by HIPAA-regulated entity type]

Geographic Distribution of Data Breaches

Healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August by HIPAA-regulated entities in 26 states, with Texas the worst affected with 8 reported data breaches.

| State | Breaches |
|---|---|
| Texas | 8 |
| North Carolina | 4 |
| Arkansas, California, & Michigan | 3 each |
| Colorado, Florida, Illinois, New York, Vermont, Washington, & Wisconsin | 2 each |
| Alabama, Arizona, Georgia, Idaho, Indiana, Louisiana, Maryland, Mississippi, New Hampshire, New Jersey, New Mexico, Ohio, Pennsylvania, & Virginia | 1 each |

HIPAA Enforcement Activity in August 2022

There was one HIPAA enforcement action announced by OCR in August, and somewhat unusually given the focus on the HIPAA Right of Access over the past three years, it related to the improper disposal of PHI. Of the past 25 enforcement actions that have resulted in financial penalties, only 5 have been for violations other than the HIPAA Right of Access.

OCR launched an investigation of New England Dermatology and Laser Center after receiving a report on March 11, 2021, about the improper disposal of the PHI of 58,106 patients. In addition to failing to render PHI unreadable and indecipherable, OCR determined there was a failure to maintain appropriate administrative safeguards. The improper disposal of empty specimen containers with patient labels spanned from 2011 to 2021. New England Dermatology and Laser Center agreed to settle the case and paid a $300,640 penalty.

Lisa J. Pino stepped down as OCR Director in July 2022 and has now been replaced by Melanie Fontes Rainer. It remains to be seen where she will lead the department regarding the enforcement of HIPAA compliance, although HHS Secretary Xavier Becerra has stated that HIPAA Privacy Rule violations involving unauthorized disclosures of PHI related to abortion care and other forms of sexual and reproductive health care will be an enforcement priority for OCR.

FBI Warns of Ongoing Cybercriminal Campaigns Targeting Healthcare Payment Processors

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Private Industry Notification warning about ongoing cybercriminal campaigns targeting healthcare payment processors that attempt to redirect victim payments to accounts under the control of the attackers.

These attacks use social engineering techniques, such as phishing attacks that spoof support centers, to obtain the login credentials of healthcare payment processors, which are then used to divert payments. The attackers have used publicly available personally identifiable information to obtain access to files, healthcare portals, payment information, and websites.

The goal of these attacks is to change direct deposit information, which in one attack on a large healthcare company in February 2022, resulted in changes to direct deposit information for a consumer checking account that saw payments totaling $3.1 million redirected to the attacker’s account. The same month, a separate attack occurred that used similar techniques to redirect around $700,000.

In April 2022, a healthcare company with 175 medical providers discovered an attack in which an employee had been impersonated and changed Automated Clearing House (ACH) instructions were sent to one of the company's payment processing vendors. The changed instructions redirected payments to a cybercriminal's account, and two payments totaling $840,000 were sent to the attacker before the fraud was discovered.

The FBI says that between June 2018 and January 2019 at least 65 healthcare payment processors in the United States were targeted, with contact information and banking details changed to direct payments to attacker-controlled accounts. In one of those attacks, initial access to a customer account was gained through phishing and payments totaling $1.5 million were lost. The FBI warns that entities involved in processing and distributing healthcare payments through payment processors remain vulnerable to attacks of this kind.

Phishing emails are sent to employees in the financial departments of a targeted healthcare payment processor. A trusted individual is often impersonated, and social engineering techniques are used to trick employees into making changes to bank account details. Login credentials stolen in these attacks allow the attacker to change Exchange server configurations and set up custom mailbox rules for accounts of interest.

Employees who have been targeted have reported receiving requests to reset their passwords and 2FA phone numbers within a short time frame. The attackers change account credentials to maintain persistent access, and employees whose accounts were hacked report being locked out of their payment processor accounts after failed password recovery attempts.

The FBI has made several recommendations on how to defend against these attacks and reduce the risk of compromise. These include:

  • Ensure endpoint detection software is used on all endpoints, including up-to-date anti-virus and anti-malware solutions
  • Conduct regular network security assessments, penetration tests, and vulnerability scans
  • Provide training to the workforce to teach employees how to recognize phishing and social engineering attacks, and provide an easy way for them to report suspicious emails – such as an Outlook plugin that allows one-click reporting
  • Ensure employees are aware that they must only conduct requests for sensitive information through approved secondary channels
  • Set up multi-factor authentication for all accounts, ideally requiring a physical device for authentication – such as a YubiKey – rather than a one-time code sent to a mobile device
  • Verify, and modify as needed, contracts at renewal so that payment processors are required to prevent both credentials and 2FA settings from being changed within the same short time frame, reducing the opportunity for the takeover pattern described above
  • Implement policies and procedures for changing existing financial information to include verification through an appropriate, established channel
  • Ensure all accounts have strong, unique passwords set
  • Ensure software is updated and patches are applied promptly to prevent the exploitation of vulnerabilities.
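The takeover sequence described above (a password reset and a 2FA phone-number change on the same account in quick succession, followed by mailbox rules that hide or forward finance-related mail) is detectable from identity and mailbox audit logs. The script below is an added example written for this page; it is not code from the FBI notification or from HIPAA Journal. The JSON-lines event format, the field names, the `example.com` internal domain and the 60-minute window are assumptions, and the sample events are constructed for illustration.

```python
"""
Detection logic for the payment-diversion account takeover pattern:
a PasswordReset and an MfaPhoneChanged event on the same account within a
short window, plus new inbox rules that hide or forward finance-related mail.
Sample events are constructed for illustration; the schema is an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines audit events (not real logs). Assumed schema: one event
# per line with ts (ISO 8601, UTC), user, action and action-specific fields.
SAMPLE_LOG = """
{"ts": "2022-02-03T09:02:11Z", "user": "ap.clerk@example.com", "action": "PasswordReset", "ip": "203.0.113.7"}
{"ts": "2022-02-03T09:10:45Z", "user": "ap.clerk@example.com", "action": "MfaPhoneChanged", "old": "+15555550100", "new": "+15555550199"}
{"ts": "2022-02-03T09:14:02Z", "user": "ap.clerk@example.com", "action": "NewInboxRule", "rule": {"name": ".", "subject_contains": ["ACH", "remittance", "payment"], "move_to": "RSS Feeds", "mark_read": true}}
{"ts": "2022-02-03T09:15:30Z", "user": "ap.clerk@example.com", "action": "NewInboxRule", "rule": {"name": "fwd", "forward_to": "ap.clerk.backup@mail-example.net"}}
{"ts": "2022-02-02T14:00:00Z", "user": "controller@example.com", "action": "PasswordReset", "ip": "198.51.100.4"}
{"ts": "2022-02-04T16:30:00Z", "user": "controller@example.com", "action": "MfaPhoneChanged", "old": "+15555550300", "new": "+15555550301"}
{"ts": "2022-02-03T11:00:00Z", "user": "hr.lead@example.com", "action": "NewInboxRule", "rule": {"name": "newsletters", "subject_contains": ["newsletter"], "move_to": "Reading"}}
"""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains
# Substring heuristics for mail an attacker wants to hide; tune for your environment
# (e.g. "ach" also matches "reach", so expect some false positives).
FINANCE_KEYWORDS = ("ach", "wire", "remit", "payment", "invoice", "deposit", "bank")
HIDING_FIELDS = ("move_to", "delete", "mark_read")  # rule actions that take mail out of view


def parse_events(log_text):
    """Parse JSON lines into dicts with ts converted to a datetime."""
    events = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def rapid_credential_and_mfa_changes(events, window_minutes=60):
    """Return [(user, first_ts, second_ts)] for accounts where a PasswordReset and an
    MfaPhoneChanged occur within window_minutes of each other, in either order."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(lambda: {"PasswordReset": [], "MfaPhoneChanged": []})
    for ev in events:
        if ev["action"] in by_user[ev["user"]]:
            by_user[ev["user"]][ev["action"]].append(ev["ts"])
    hits = []
    for user, acts in by_user.items():
        for reset in acts["PasswordReset"]:
            for mfa in acts["MfaPhoneChanged"]:
                if abs(mfa - reset) <= window:
                    hits.append((user, min(reset, mfa), max(reset, mfa)))
    return hits


def suspicious_inbox_rules(events, internal_domains=INTERNAL_DOMAINS):
    """Return [(user, rule_name, reason)] for rules that forward mail to an external
    address or that move, delete or mark-read finance-related mail."""
    findings = []
    for ev in events:
        if ev["action"] != "NewInboxRule":
            continue
        rule = ev["rule"]
        name = rule.get("name", "")
        fwd = rule.get("forward_to")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in internal_domains:
            findings.append((ev["user"], name, f"forwards to external address {fwd}"))
        subjects = [s.lower() for s in rule.get("subject_contains", [])]
        hides = any(field in rule for field in HIDING_FIELDS)
        if hides and any(kw in s for s in subjects for kw in FINANCE_KEYWORDS):
            findings.append((ev["user"], name, "hides finance-related mail: " + ", ".join(subjects)))
    return findings


def triage(log_text, window_minutes=60):
    """Correlate both signals per account. An account showing both the rapid
    reset/MFA change and a suspicious rule matches the full sequence and sorts first."""
    events = parse_events(log_text)
    report = defaultdict(lambda: {"rapid_reset_and_mfa_change": False, "suspicious_rules": []})
    for user, _first, _second in rapid_credential_and_mfa_changes(events, window_minutes):
        report[user]["rapid_reset_and_mfa_change"] = True
    for user, _name, reason in suspicious_inbox_rules(events):
        report[user]["suspicious_rules"].append(reason)
    ranked = sorted(
        report.items(),
        key=lambda kv: (kv[1]["rapid_reset_and_mfa_change"], len(kv[1]["suspicious_rules"])),
        reverse=True,
    )
    return {user: dict(findings) for user, findings in ranked}


if __name__ == "__main__":
    for user, findings in triage(SAMPLE_LOG).items():
        print(user, findings)
```

On the sample data only ap.clerk@example.com is reported: its reset and MFA change are 8 minutes 34 seconds apart and two of its rules are flagged, while the controller's two changes are more than two days apart and the HR rule matches no finance keyword. The correlation across both signals matters more than either alone, since legitimate users do reset passwords and create rules; the FBI's recommendation to bar credential and 2FA changes within the same time frame is a preventive control for the first signal, and this logic is the detective control for the same sequence.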

The post FBI Warns of Ongoing Cybercriminal Campaigns Targeting Healthcare Payment Processors appeared first on HIPAA Journal.

FBI Warns Healthcare Providers About Unpatched and Outdated Medical Device Risks

The Federal Bureau of Investigation (FBI) has issued a private industry notification warning about the rising number of vulnerabilities in medical devices. If medical devices are not promptly patched and are running out of date software, malicious actors could exploit vulnerabilities and gain access to sensitive patient data or the networks to which the devices connect. With a foothold in the network, threat actors could conduct attacks that adversely impact the operational functions of healthcare facilities. Medical devices are often used to sustain patients with mild to severe medical conditions and attacks on those devices have the potential to cause serious harm to patients and even result in the loss of life.

The FBI says vulnerabilities in medical devices stem predominantly from device hardware design and device software management. Devices left in their default configuration often give threat actors an opportunity to exploit vulnerabilities. Devices running customized software can be difficult to patch and often require specialized procedures, which slows updates and leaves vulnerabilities unaddressed for longer, widening the window in which they can be exploited.

Medical devices were developed to perform specific clinical functions, and security was not a design consideration because the devices were not seen as a security risk. These devices are vulnerable, and if exposed to the Internet they could give threat actors an easy way to access the devices, alter their functionality, or use them as a springboard for an attack on the wider organization.

The FBI cites a recent study that suggests 53% of network-connected medical devices and other IoT devices used in hospitals have known critical vulnerabilities that have not been addressed, with around one-third of healthcare IoT devices having a critical vulnerability that could affect the technical operation or functionality of medical devices. These devices include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, intrathecal pain pumps, and pacemakers.

Another study suggests medical devices have an average of 6.2 vulnerabilities per device, and more than 40% of medical devices that have reached end-of-life are no longer receiving security patches and software upgrades to correct vulnerabilities, but those devices often remain in use despite the security risks involved.

Unpatched and outdated medical devices provide cyberattack opportunities, so it is vital that vulnerabilities are addressed and risk is reduced to a low and acceptable level. The FBI has made several recommendations for improving the security of medical devices:

  • Ensure endpoint protection measures are implemented, including antivirus software and endpoint detection and response (EDR) or extended detection and response (XDR) solutions
  • Use encryption for sensitive data
  • Change all default passwords, set complex, unique passwords, and limit the number of login attempts per user
  • Ensure an accurate inventory is maintained of all devices, including the patching status, software version, and any vendor-developed software components used by the devices
  • Develop a plan for replacing medical and IoT devices prior to reaching end-of-life
  • Ensure vulnerabilities are promptly patched on all medical devices
  • Conduct routine vulnerability scans before installing any new device onto the operating network
  • Train employees to reduce human risk: teach them how to identify and report threats and the attacks that target them, such as social engineering and phishing, and add banners to emails that come from external sources.

The full recommendations for mitigating these vulnerabilities are set out in the FBI alert, Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities.

The post FBI Warns Healthcare Providers About Unpatched and Outdated Medical Device Risks appeared first on HIPAA Journal.