Healthcare Cybersecurity

Healthcare Ransomware Attacks Increased by 94% in 2021

Posted by HIPAA Journal

Ransomware attacks on healthcare organizations increased by 94% year over year, according to the 2022 State of Ransomware Report from cybersecurity firm Sophos. The report is based on a global survey of 5,600 IT professionals and included interviews with 381 healthcare IT professionals from 31 countries.  This year’s report focused on the rapidly evolving relationship between ransomware and cyber insurance in healthcare.

66% of surveyed healthcare organizations said they had experienced a ransomware attack in 2021, up from 34% in 2020 and the volume of attacks increased by 69%, which was the highest of all industry sectors. Healthcare had the second-highest increase (59%) in the impact of ransomware attacks.

According to the report, the number of healthcare organizations that paid the ransom has doubled year over year. In 2021, 61% of healthcare organizations that suffered a ransomware attack paid the ransom – The highest percentage of any industry sector. The global average was 46%, which is almost twice the percentage of the previous year.

Paying the ransom may help healthcare organizations recover from ransomware attacks more quickly, but there is no guarantee that paying the ransom will prevent data loss. On average, after paying the ransom, healthcare organizations were only able to recover 65% of encrypted data, down from 69% in 2020. In 2020, 8% of healthcare organizations recovered all of their data after paying the ransom. That figure fell to just 2% in 2021.

While the healthcare industry had the highest percentage of victims paying the ransom for the decryption keys and to prevent the exposure of sensitive data, healthcare had the lowest average ransom amount of $197,000. The global average across all industry sectors was $812,000. The ransom cost was lower in healthcare, but the overall cost of recovery was second-highest, with the total cost of a ransomware attack $1.85 million, which is considerably higher than the global average of $1.4 million.

Even though there is a high risk of suffering a costly ransomware attack, there are relatively low levels of cyber insurance coverage in healthcare. Across all industry sectors, 83% of organizations had cyber insurance. Only 78% of surveyed healthcare organizations said they had a cyber insurance policy. Many cyber insurance providers stipulate that certain baseline security measures must be implemented in order to take out insurance policies, and the level of maturity of cybersecurity programs can have a big impact on the cost of insurance.  97% of healthcare organizations said they had upgraded their cybersecurity defenses to improve their cyber insurance position.

97% of healthcare organizations that had cyber insurance that covered ransomware attacks said the policy paid out, with 47% saying the entire ransom payment was covered by their cyber insurance provider; however, obtaining cyber insurance to cover ransomware attacks is getting much harder due to the extent to which the healthcare industry is being targeted.

The post Healthcare Ransomware Attacks Increased by 94% in 2021 appeared first on HIPAA Journal.

Atlassian Releases Patch for Maximum Severity Widely Exploited Vulnerability in Confluence Server and Data Center

Posted by HIPAA Journal

Atlassian has released a patch to fix a critical zero-day vulnerability that affects all supported versions of Confluence Server and Data Center. The vulnerability – tracked as CVE-2022-26134 – has a maximum CVSS severity score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to achieve code execution. According to security researchers, exploiting the flaw is trivial, with no user interaction or privileges required.

Last week, cybersecurity firm Volexity detected exploitation of the vulnerability while responding to a security breach. The researchers were able to reproduce the exploit for the flaw and shared details of the vulnerability with Atlassian last week. Volexity reports that in the incident its researchers investigated, the attackers were most likely based in China and exploited the vulnerability to run malicious code and installed webshells such as BEHINDER and China Chopper. The attackers conducted reconnaissance, checked local confluence databases and dumped user tables, altered web access logs to remove traces of exploitation, and wrote additional webshells.

On Friday, Volexity President, Steven Adair, said in a Tweet, “It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far.”

Over the weekend, proof-of-concept exploits were widely released and exploitation accelerated. On Thursday, GreyNoise CEO, Andrew Morris said 23 IP addresses were attempting to exploit the flaw and by Friday the number had grown to 211.

It is essential for the patch to be applied immediately on Confluence or Data Center servers to prevent exploitation. Atlassian says the following product versions are affected:  7.4.0, 7.13.0, 7.14.0, 7.15.0, 7.16.0, 7.15.1, 7.14.2, 7.17.0, 7.4.16, 7.18.0, 7.16.3, 7.13.6, and 7.17.3. Atlassian Cloud sites are unaffected.

Atlassian has fixed the vulnerability in versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. If it is not possible to patch immediately, it is essential to implement the mitigations suggested by Atlassian.

The post Atlassian Releases Patch for Maximum Severity Widely Exploited Vulnerability in Confluence Server and Data Center appeared first on HIPAA Journal.

Healthcare Organizations Warned About Maximum Severity Vulnerabilities in Illumina Devices

Posted by HIPAA Journal

Five vulnerabilities that require immediate patching have been identified in the Illumina Local Run Manager (LRM), which is used by Illumina In Vitro Diagnostic (IVD) devices and Illumina Researcher Use Only (ROU) instruments. The affected devices are used for clinical diagnostic DNA sequencing and testing for various genetic conditions, and for research use. Four of the vulnerabilities are critical, with three having a maximum CVSS severity score of 10 out of 10.

The vulnerabilities affect the following devices and instruments:

Illumina IVD Devices

  • NextSeq 550Dx: LRM Versions 1.3 to 3.1
  • MiSeq Dx: LRM Versions 1.3 to 3.1

Illumina ROU Devices

  • NextSeq 500 Instrument: LRM Versions 1.3 to 3.1
  • NextSeq 550 Instrument: LRM Versions 1.3 to 3.1
  • MiSeq Instrument: LRM Versions 1.3 to 3.1
  • iSeq 100 Instrument: LRM Versions 1.3 to 3.1
  • MiniSeq Instrument: LRM Versions 1.3 to 3.1

A threat actor could exploit the vulnerabilities remotely, take control of the instruments, and perform any action at the operating system level such as modifying the settings, configurations, software, or data on the instrument. It would also be possible to exploit the vulnerabilities to interact with the connected network through the affected product.

The vulnerabilities are:

  • CVE-2022-1517 – A remote code execution vulnerability due to the LRM utilizing elevated privileges, which would allow a malicious actor to upload and execute code at the operating system level. The vulnerability has a CVSS v3 severity score of 10 (critical)
  • CVE-2022-1518 – A directory traversal vulnerability that allows a malicious actor to upload outside the intended directory structure. The vulnerability has a CVSS v3 severity score of 10 (critical)
  • CVE-2022-1519 – The failure to restrict uploads of dangerous file types. A malicious actor could upload any file type, including executable code that allows for a remote code exploit. The vulnerability has a CVSS v3 severity score of 10 (critical)
  • CVE-2022-1521 – A lack of authentication or authorization in the default configuration, which would allow a malicious actor to inject, replay, modify, and/or intercept sensitive data. The vulnerability has a CVSS y3 severity score of 9.1 (critical)
  • CVE-2022-1524 – A lack of TLS encryption for the transmission of sensitive information, putting information – including credentials – at risk of interception in a man-in-the-middle attack. The vulnerability has a CVSS v3 severity score of 7.4 (high severity)

The vulnerabilities were reported to Illumina by Pentest, Ltd. Illumina has developed a software patch that will prevent the vulnerabilities from being exploited remotely as an interim fix while a permanent solution is developed for current and future instruments.

The U.S. Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency (CISA) have issued security alerts urging immediate action to be taken to address the vulnerabilities.

The patch for Internet-connected instruments is available here. If the instruments are not connected to the Internet, users should contact Illumina Tech Support.

The post Healthcare Organizations Warned About Maximum Severity Vulnerabilities in Illumina Devices appeared first on HIPAA Journal.

FBI Thwarted ‘Despicable’ Cyberattack on Boston Children’s Hospital

Posted by HIPAA Journal

In 2021, Iranian state-sponsored hackers attempted a destructive cyberattack on Boston Children’s Hospital, which the Federal Bureau of Investigation (FBI) was able to successfully block before the hospital’s computer network was damaged. FBI Director Christopher Wray said the attempted cyberattack was “one of the most despicable cyberattacks I have ever seen.”

Speaking at Boston College for the Boston Conference on Cyber Security, Wray said Iranian state-sponsored hackers exploited a vulnerability in a popular software solution made by the Californian cybersecurity vendor Fortinet. The FBI was alerted to the breach and the pending attack by another intelligence agency and notified the hospital on August 3, 2021. Wray said the FBI met with representatives of the hospital and provided information that helped the hospital identify and mitigate the threat.

Wray said this was “a great example of why we deploy in the field the way we do, enabling that kind of immediate, before-catastrophe-strikes response,” and explained that the incident should serve as a reminder to all healthcare organizations to ensure they have an incident response plan that includes the FBI. Wray said this incident highlights the risk of high impact cyberattacks by nation-state threat actors from Russia, China, Iran, and North Korea, and said “We cannot let up on China or Iran or criminal syndicates while we’re focused on Russia.”

In November 2021, the FBI, in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Security Centre (NCSC) in the UK, and the Australian Cyber Security Centre (ACSC) issued a security alert warning the healthcare sector and operators of critical infrastructure about an Iranian nation-state Advanced Persistent Threat actor who was known to be exploiting Microsoft Exchange and Fortinet vulnerabilities to steal data, conduct ransomware attacks and extort money from victims.

Wray did not specify what type of attack the threat actor was attempting to conduct, only that a cyberattack could have damaged the network, which could have had a devastating impact on the sick children that depend on it. The cyberattack in question appears to have been conducted through an HVAC vendor.

In August 2021, a threat actor contacted Databreaches.net and shared evidence of a successful attack on an HVAC vendor and claimed that they had breached the HVAC vendor’s systems and also had access to the systems of a children’s hospital. It was confirmed that the HVAC vendor in question ENE systems, which provides services to the Harvard-linked hospitals, Boston Children’s Hospital, Brigham & Women’s Hospital, and Mass General Hospital.

Boston Children’s Hospital is no stranger to cyberattacks. Back in 2014, the hospital suffered a series of attacks that disrupted its systems for more than a week. The attacks were conducted in retaliation for how the hospital handled the case of patient Justina Pelletier, who was involved in a custody battle. The individual behind that attack was apprehended and convicted and was sentenced to 10 years in jail in 2019.

The post FBI Thwarted ‘Despicable’ Cyberattack on Boston Children’s Hospital appeared first on HIPAA Journal.

BD Issues Security Advisories About Pyxis and Synapsys Vulnerabilities

Posted by HIPAA Journal

BD has issued security advisories about two vulnerabilities that affect certain BD Pyxis automated medication dispensing system products and the BD Synapsys microbiology informatics software platform.

BD Pyxis – CVE-2022-22767

According to BD, certain BD Pyxis products have been installed with default credentials and may still operate with those credentials. In some scenarios, the affected products may have been installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types.

If a threat actor were to exploit the vulnerability, it would be possible to gain privileged access to the underlying file system, which would allow access to ePHI or other sensitive information. The vulnerability is tracked as CVE-2022-22767 and has a CVSS v3 base score of 8.8 out of 10 (high severity).

The following products are affected by the vulnerability

  • BD Pyxis ES Anesthesia Station
  • BD Pyxis CIISafe
  • BD Pyxis Logistics
  • BD Pyxis MedBank
  • BD Pyxis MedStation 4000
  • BD Pyxis MedStation ES
  • BD Pyxis MedStation ES Server
  • BD Pyxis ParAssist
  • BD Pyxis Rapid Rx
  • BD Pyxis StockStation
  • BD Pyxis SupplyCenter
  • BD Pyxis SupplyRoller
  • BD Pyxis SupplyStation
  • BD Pyxis SupplyStation EC
  • BD Pyxis SupplyStation RF auxiliary
  • BD Rowa Pouch Packaging Systems

BD said it is working with customers whose domain-joined server(s) credentials require updating and it is strengthening the credential management capabilities of BD Pyxis products.

BD recommends the following compensating controls for users of Pyxis products utilizing default credentials:

  • Restrict physical access to Pyxis products to only authorized personnel
  • Tightly control management of system passwords
  • Monitor and log network traffic attempting to reach the affected products for suspicious activity
  • Isolate affected products in a secure VLAN or behind firewalls and only permit communication with trusted hosts in other networks, when needed

BD Synapsys – CVE-2022-30277

Certain BD Synapsis products are affected by an insufficient session expiration vulnerability, which could potentially allow an unauthorized individual to access, modify, or delete sensitive information such as ePHI, which could potentially result in delayed or incorrect treatment. BD says a physical breach of a vulnerable workstation would be unlikely to lead to the modification of ePHI as the sequence of events has to be conducted in a specific order. The vulnerability is tracked as CVE-2022-30277 and has been assigned a CVSS v3 base score of 5.7 out of 10 (medium severity).

The vulnerability affects D Synapsys versions 4.20, 4.20 SR1, and 4.30. The flaw will be addressed in BD Synapsys v4.20 SR2, which will be released this month.

BD has suggested the following compensating controls:

  • Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys.
  • Ensure physical access controls are in place and only authorized end-users have access to BD Synapsys workstations.
  • Place a reminder at each computer for users to save all work, logout, or lock their workstation when leaving the BD Synapsys workstation.
  • Ensure industry standard network security policies and procedures are followed.

BD has alerted CISA, the FDA, and ISACs about the vulnerabilities under its responsible vulnerability disclosure policy.

The post BD Issues Security Advisories About Pyxis and Synapsys Vulnerabilities appeared first on HIPAA Journal.

Zero Day Microsoft Office Vulnerability can be Exploited with Macros Disabled

Posted by HIPAA Journal

Microsoft has issued a security advisory and has provided workaround to prevent a zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) from being exploited.

The vulnerability is tracked as CVE-2022-30190 and has been dubbed Follina by security researchers. According to Microsoft, “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.”

Over the weekend, security researcher nao_sec found a Word document that was leveraging remote templates to execute PowerShell commands on targeted systems via the MS-MSDT URL protocol scheme. In a recent blog post, security researcher Kevin Beaumont said the documents are not being detected as malicious by Microsoft Defender and detection by antivirus solutions is poor as the documents used to exploit the vulnerability do not contain any malicious code. Instead, they leverage remote templates to download an HTML file from a remote server, which allows an attacker to run malicious PowerShell commands.

Most email attacks that use attachments for malware delivery require macros to be enabled; however, the vulnerability can be exploited even with macros disabled. The vulnerability is exploited when the attached file is opened. Beaumont also showed that zero-click exploitation is possible if an RTF file is used, as the flaw can be exploited without opening the document via the preview tab in Explorer.

Microsoft said if an attacker successfully exploits the vulnerability, malicious code can be run with the privileges of the calling application. It would allow an attacker to install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. The vulnerability can be exploited in all Office versions since 2013, including the current version of Office 365.

The vulnerability was initially reported to Microsoft in April and the flaw was assigned a CVSS score of 7.8 out of 10 (high severity), as Microsoft did not consider the Follina vulnerability to be critical. Microsoft has now issued a workaround and guidance that involves disabling the MSDT URL Protocol until a patch is released. Immediate action is required to prevent the vulnerability from being exploited. Vulnerabilities that can be exploited via Office are rapidly adopted by threat actors, especially when they can be exploited with macros disabled.

Multiple threat actors are known to be exploiting the flaw, including the Chinese threat actor TA413, according to Proofpoint. According to Palo Alto Networks Unit 42 team, “Based on the amount of publicly available information, the ease of use, and the extreme effectiveness of this exploit, Palo Alto Networks highly recommends following Microsoft’s guidance to protect your enterprise until a patch is issued to fix the problem.

The post Zero Day Microsoft Office Vulnerability can be Exploited with Macros Disabled appeared first on HIPAA Journal.

CISA Adds 75 Vulnerabilities to the Known Exploited Vulnerability Catalog

Posted by HIPAA Journal

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) added a further 75 vulnerabilities to its Known Exploited Vulnerability Catalog. The Known Exploited Vulnerability Catalog is a list of vulnerabilities in software and operating systems that are known to be exploited in real-world attacks. The list now includes 737 vulnerabilities.

The latest additions came in three batches that were added on Tuesday (21), Wednesday (20), and Thursday (34). Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to scan for the vulnerabilities and ensure patches are applied or the vulnerabilities are otherwise mitigated within two weeks.

The majority of the vulnerabilities added to the list last week are not new flaws. In most cases, patches were released to address the laws several years ago and in some cases, the vulnerabilities were publicly disclosed 12 years ago. Some of the vulnerabilities affect products that have long since passed end-of-life, such as Adobe Flash Player, Virtual System/Server Administrator (VSA), Microsoft Silverlight, and InfoSphere BigInsights. If those solutions are still installed or in use, the products should be uninstalled or disconnected.

Recent vulnerabilities include the Cisco IOS XR open port vulnerability (CVE-2022-20821), a memory corruption vulnerability in multiple Apple products (CVE-2021-30883), and two vulnerabilities in the Android Kernel – a use-after-free vulnerability (CVE-2021-1048) and a race condition vulnerability (CVE-2021-0920).

The vulnerabilities affect products from the following vendors:  Adobe, Android, Apple, Artifex, Cisco, Google, IBM, Kaseya, Linux, Meta Platforms, Microsoft, Mozilla, Oracle, QNAP, Red Hat, and WebKitGTK.

While BOD 22-01 only applies to FCEB agencies, CISA encourages all organizations to reduce their exposure to cyberattacks by ensuring the vulnerabilities on the Known Exploited Vulnerability Catalog are remediated in a timely manner as part of their vulnerability management practices.

The post CISA Adds 75 Vulnerabilities to the Known Exploited Vulnerability Catalog appeared first on HIPAA Journal.

Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites

Posted by HIPAA Journal

A recent study by Source Defense examined the risks associated with the use of third- and fourth-party code on websites and found that all modern, dynamic websites included code that could be targeted by hackers to gain access to sensitive data.

SOurce Defense explained that websites typically have their own third-party supply chains, with those third parties providing a range of services and functions related to site performance, tracking and analytics, and improving conversion rates to generate more sales.

The inclusion of third- and fourth-party code on websites also introduces security and compliance risks. On the compliance side, tracking code has the potential to violate data privacy laws such as the EU’s General Data Protection Regulation (GDPR) and from a security perspective, the code included on websites may have vulnerabilities that can be exploited by threat actors to gain access to sensitive data, including protected health information.

To explore the risks associated with third- and fourth-party code, Source Defense scanned the top 4,300 websites based on traffic and analyzed their results to identify the scale of the digital supply chain, how many partners are involved on a typical website, whether the inclusion of code by those partners leaves websites exposed to cyberattacks, whether sensitive data is being exposed, and the types of attacks that could be conducted on websites that take advantage of the digital supply chain.

The findings of the analysis are detailed in the report, Third-Party Digital Supply Chain Risk: Exposing the Shadow Code on Your Web Properties. Source Defense explained that there would be little point in a threat actor compromising a script on a static webpage; however, if scripts were included on webpages that collect sensitive data, threat actors could add malicious code to steal sensitive data. The researchers found that, on average, there were 12 third-party and 3 fourth-party scripts per website on web pages that collected data, such as login pages, account registration pages, and payment collection pages.

They identified six features on websites that could be exploited by threat actors that were commonly found on websites: Code to retrieve form input (49%), button click listeners (49%), link click listeners (43%), code to modify forms (23%), form submit listeners (22%), and input change listeners (14%). Every modern, dynamic website assessed for the study was found to contain one or more of those features.

An analysis was conducted of between 40 and 50 websites in industries where there is a higher-than-average risk. The researchers found that higher-risk industries such as healthcare had more than the average number of scripts. Healthcare websites had an average of 13 third-party and 5 fourth-party scripts on sensitive pages.

There may be a legitimate reason for including these scripts on the pages but adding that code introduces risk. “For example, a script might allow form fields to be changed or added on the fly to provide website users with a more personalized experience,” explained Source Defense in the report. “However, a threat actor could exploit this capability to add additional fields asking for credentials and personal information, which would then be sent to attacker’s website.”

“This data makes it clear that managing risk inherent in third- and fourth-party scripts is both a very necessary and a very challenging task,” explained the researchers, who recommend assessing websites for third party code, educating management about the risks, implementing a website client-side security solution, categorizing and consolidating scripts, and finding ways to recuse exposure and compliance risks.

The post Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites appeared first on HIPAA Journal.

Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server

Posted by HIPAA Journal

An information technology consultant who worked as a contractor at a suburban healthcare company in Chicago has been charged with illegally accessing the company’s network and intentionally causing damage to a protected computer.

Aaron Lockner, 35, of Downers Grove, IL, worked for an IT company that had a contract with a healthcare company to provide security and technology services. Lockner was provided with access to the network of the healthcare provider’s clinic in Oak Lawn, IL, to perform the contracted IT services.

In February 2018, Lockner applied for an employment position with the healthcare provider, but his application was denied. Lockner was then terminated from the IT firm in March 2018. A month later, on or around April 16, 2018, Lockner is alleged to have remotely accessed the computer network of the healthcare company without authorization. According to the indictment, Lockner knowingly caused the transmission of a program, information, code, and command, and as a result of his actions, intentionally caused damage to a protected computer. The computer intrusion impaired medical examinations, treatment, and the care of multiple individuals.

Locker has been indicted on one count of intentionally causing damage to a protected computer. The arraignment has been scheduled for May 31, 0222 in the U.S. District Court in the Northern District of Illinois, Eastern Division. If convicted, Lockner could serve up to 10 years in federal prison.

This case highlights the risks posed by insiders. The recently published 2022 Verizon Data Breach Investigations Report highlights the risk of attacks by external threat actors, which outnumber insider attacks by 4 to 1, but safeguards also need to be implemented to protect against insider threats.

In this case, the alleged access occurred two months after the application for employment was rejected and one month after being terminated from the IT company. When individuals leave employment, voluntarily or if terminated, access rights to systems need to be immediately revoked and scans of systems conducted to identify any malware or backdoors that may have been installed.

There have been multiple cases of disgruntled IT contractors retaining remote access to systems after termination, with one notable case at a law firm seeing a former IT worker installing a backdoor and subsequently accessing the system and intentionally causing damage after leaving employment. In that case, the individual was sentenced to 115 months in federal prison and was ordered to pay $1.7 million in restitution.

The post Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server appeared first on HIPAA Journal.