Healthcare Cybersecurity

HC3 Warns of Increase in Vishing Attacks and the Dangers of Social Engineering

The Health Sector Cybersecurity Coordination Center has issued a warning about social engineering and voice phishing (vishing) attacks on the healthcare and public health (HPH) sector.

In cybersecurity terms, social engineering is the manipulation of individuals by malicious actors to further their own aims. It is a broad term that covers many different types of attacks, including phishing, spear phishing, whaling, baiting, vishing, callback phishing, SMS phishing (smishing), deepfake software, and business email compromise (BEC).

In phishing attacks, social engineering techniques are used to trick employees into disclosing sensitive information such as protected health information or login credentials that allow the threat actor to gain a foothold in the network, or into installing malware that provides remote access to devices and the networks to which they connect. These attacks may be conducted in mass campaigns or can be highly targeted, with the victims researched and lures crafted for specific individuals.

Phishing is one of the most common types of social engineering attacks, and it is the initial access vector in a large percentage of cyberattacks on the healthcare industry. The 2021 HIMSS Healthcare Cybersecurity Survey suggests phishing was involved in 45% of healthcare security incidents over the past 12 months, followed by ransomware attacks. Ransomware threat actors often use phishing to gain initial access to healthcare networks, and several groups associated with the Conti ransomware operation are now using callback phishing as one of the main ways to gain the access they need to conduct their attacks. Callback phishing was first used by the Ryuk ransomware gang in the BazarCall campaigns, where victims were tricked into installing BazarLoader malware that provided remote access to their networks. Ryuk rebranded as Conti, and three breakaway groups started using these callback phishing techniques again in March 2021.

Callback phishing is a hybrid form of phishing where initial contact is made via email and social engineering is used to trick people into calling the provided telephone number. The lure used in these attacks is often a warning about an impending invoice, subscription expiry, or the end of a free trial, with charges incurred if no action is taken. Initial contact is made via email, but no hyperlinks or email attachments are used; only a phone number is provided. Email security solutions often do not flag these emails as malicious and are unable to check whether a telephone number is malicious or legitimate.

According to cybersecurity firm Agari, phishing volumes increased by 6% from Q1 2022 to Q2 2022, whereas hybrid phishing attacks (including callback phishing) increased by 625%. According to the IBM Security X-Force team, in Q4 2021, phishing attacks accounted for 42% of attacks, up from 30% the previous quarter.

Vishing attacks are conducted exclusively over the telephone. In September 2020, threat actors impersonated a Michigan health system and called patients to steal their member numbers and PHI, with the caller ID spoofed to make it appear that the call originated from the health system.

Phishing and other types of social engineering attacks are a leading cause of healthcare data breaches, and healthcare organizations are particularly vulnerable to these attacks, especially larger organizations where employees are unlikely to know all of their co-workers. These attacks abuse trust, and healthcare employees are naturally trusting and have a desire to help. People also want to look intelligent and not have to seek help. They also do not want to get in trouble, so they may not report falling for a scam. Healthcare environments are also busy, with employees often under time pressure, leading to people taking shortcuts that can open the door to scammers.

Defending against social engineering can be a challenge since the attacks can occur via email, SMS, instant messaging services, social media networks, websites, and over the phone, and hybrid phishing attacks are unlikely to be detected by traditional cybersecurity solutions. The key to defending against these attacks is to implement multiple layers of defenses, update policies and procedures to close security gaps, and provide regular security awareness training to the workforce.

HC3 suggests the following steps to improve defenses against social engineering attacks:

Improving defenses against social engineering in healthcare. Source: HC3

To protect against hybrid phishing attacks, smishing, and vishing, security awareness training is key.

  • Regular security awareness training should be provided – multiple times a year. Consider modular CBT training courses to fit training into busy healthcare workflows
  • Keep employees abreast of the latest campaigns targeting the sector, including the latest health-related themes such as COVID-19 and Monkeypox
  • Instruct employees to confirm receipt of an email from a known sender via a trusted communication method or contact
  • Secure VoIP servers and look for evidence of existing compromise (such as web shells for persistence)
  • Block malicious domains and other indicators associated with campaigns
  • Consider switching your organization’s MFA setting or configuration to require a one-time password (OTP) versus a push notification to mitigate MFA fatigue
  • Conduct phishing simulation exercises on the workforce, including hybrid phishing simulations

Further information:

HC3 Analyst Note – Vishing Attacks on the Rise

HC3 – Impact of Social Engineering on Healthcare Organizations

The post HC3 Warns of Increase in Vishing Attacks and the Dangers of Social Engineering appeared first on HIPAA Journal.

July 2022 Healthcare Data Breach Report

In July 2022, 66 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights, which is a 5.71% reduction from the 70 data breaches reported in June 2022 and July 2021. While the number of data breaches fell slightly from last month, data breaches are being reported at well over the average monthly rate of 57 breaches per month.

Healthcare data breaches in the past 12 months

For the second consecutive month, the number of exposed or impermissibly disclosed healthcare records topped 5 million. 5,331,869 records were breached across the 66 reported incidents, which is well above the 12-month average of 3,499,029 breached records a month. July saw 8.97% fewer records breached than June 2022 and 7.67% fewer than July 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches in July 2022

In July, 25 data breaches of 10,000 or more records were reported, 15 of which occurred at business associates of HIPAA-covered entities. The largest data breach was a ransomware attack on the accounts receivable management agency, Professional Finance Company. Cyberattacks on business associates can affect many different HIPAA-covered entities, as was the case with the PFC breach, which affected 657 HIPAA-covered entities. The breach was reported by PFC as affecting more than 1.9 million individuals, although some of those clients have reported the breach separately. It is unclear how many records in total were compromised in the ransomware attack.

The second largest data breach occurred at the Wisconsin mailing vendor, OneTouchPoint. This was also a ransomware attack and was reported by OneTouchPoint as affecting more than 1 million individuals, but as was the case with the PFC ransomware attack, some of its healthcare provider clients self-reported the data breach, including Aetna ACE Health Plan. Goodman Campbell Brain and Spine also suffered a major ransomware attack. The Indiana-based healthcare provider confirmed that the threat actors had uploaded the stolen data to their data leak site.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Business Associate Breach | Cause of Breach |
|---|---|---|---|---|---|
| Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Yes | Ransomware attack |
| OneTouchPoint, Inc. | WI | Business Associate | 1,073,316 | Yes | Ransomware attack |
| Goodman Campbell Brain and Spine | IN | Healthcare Provider | 362,833 | No | Ransomware attack – Data leak confirmed |
| Aetna ACE | CT | Health Plan | 326,278 | Yes | Ransomware attack on mailing vendor (OneTouchPoint) |
| Synergic Healthcare Solutions, LLC dba Fast Track Urgent Care Center | FL | Healthcare Provider | 258,411 | Yes | Hacking incident at billing vendor (PracticeMax) |
| Avamere Health Services, LLC | OR | Business Associate | 197,730 | Yes | Hacking incident – Data theft confirmed |
| BHG Holdings, LLC dba Behavioral Health Group | TX | Healthcare Provider | 197,507 | No | Hacking incident – Data theft confirmed |
| Premere Infinity Rehab, LLC | OR | Business Associate | 183,254 | Yes | Hacking incident at business associate (Avamere Health Services) – Data theft confirmed |
| Carolina Behavioral Health Alliance, LLC | NC | Business Associate | 130,922 | Yes | Hacking incident |
| Family Practice Center PC | PA | Healthcare Provider | 83,969 | No | Hacking incident |
| Kaiser Foundation Health Plan, Inc. (Southern California) | CA | Health Plan | 75,010 | No | Theft of device in a break-in at a storage facility |
| Magie Mabrey Hughes Eye Clinic, P.A. dba Arkansas Retina | AR | Healthcare Provider | 57,394 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| McLaren Port Huron | MI | Healthcare Provider | 48,957 | Yes | Hacking incident at business associate (MCG Health) – Data theft confirmed |
| Southwest Health Center | WI | Healthcare Provider | 46,142 | No | Hacking incident – Data theft confirmed |
| WellDyneRx, LLC | FL | Business Associate | 43,523 | Yes | Email account compromised |
| Associated Eye Care | MN | Healthcare Provider | 40,793 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| Zenith American Solutions | WA | Business Associate | 37,146 | Yes | Mailing error |
| Benson Health | NC | Healthcare Provider | 28,913 | No | Hacking incident |
| Healthback Holdings, LLC | OK | Healthcare Provider | 21,114 | No | Email accounts compromised |
| East Valley Ophthalmology | AZ | Healthcare Provider | 20,734 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| Arlington Skin | VA | Healthcare Provider | 17,468 | No | Hacking incident at EHR management company (Virtual Private Network Solutions) |
| The Bronx Accountable Healthcare Network | NY | Healthcare Provider | 17,161 | No | Email accounts compromised |
| Granbury Eye Clinic | TX | Healthcare Provider | 16,475 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| CHRISTUS Spohn Health System Corporation | TX | Healthcare Provider | 15,062 | No | Ransomware attack – Data leak confirmed |
| Central Maine Medical Center | ME | Healthcare Provider | 11,938 | Yes | Hacking incident at business associate (Shields Healthcare Group) |

Causes of July 2022 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in July, with 55 data breaches classed as hacking/IT incidents and ransomware attacks continuing to be a problem for the healthcare industry. 9 of the top 25 breaches were reported as ransomware attacks, although HIPAA-regulated entities often do not disclose the exact nature of cyberattacks or whether ransomware was involved. Across the hacking incidents, the records of 5,195,024 individuals were breached, which is 97.43% of all records breached in July. The average breach size was 94,455 records and the median breach size was 4,447 records. The median breach size is less than half the median breach size in June due to a large number of relatively small data breaches.

There were 8 unauthorized access/disclosure incidents reported involving 59,784 records. The average breach size was 7,473 records and the median breach size was 1,920 records. There were 3 incidents reported involving the loss of devices/physical documents containing PHI, and one reported theft. 77,061 records were exposed across those 3 incidents. The average breach size was 25,687 records and the median breach size was 1,201 records.

Causes of July 2022 healthcare data breaches

Unsurprisingly given the large number of hacking incidents, 56% of the month’s breaches involved PHI stored on network servers. 12 incidents involved unauthorized access to email accounts, caused by a mix of phishing and brute force attacks.

July 2022: location of breached PHI

There has been a marked increase in hybrid phishing attacks on the healthcare industry in recent months, where non-malicious emails are sent that include a phone number manned by the threat actor. According to Agari, Q2 2022 saw a 625% increase in hybrid phishing attacks, where initial contact was made via email with the scam taking place over the phone. Several ransomware groups have adopted this tactic as the main way of gaining initial access to victims’ networks. The lures used in the emails are typically notifications about an upcoming charge, such as the end of a free trial of a software solution or service or the renewal of a subscription for a product, that will be applied unless the recipient calls the number to stop the payment. In these attacks, the victim is tricked into opening a remote access session with the threat actor.

HIPAA Regulated Entities Affected by Data Breaches

Every month, healthcare providers are the worst affected HIPAA-regulated entity type, but there was a change in July, with business associates of HIPAA-regulated entities topping the list. 39 healthcare providers reported data breaches, but 15 of those breaches occurred at business associates. 10 health plans reported breaches, with 4 of those breaches occurring at business associates. 17 business associates self-reported breaches. The chart below shows the month’s data breaches based on where they occurred, rather than the reporting entity.

July 2022 healthcare data breaches by HIPAA-regulated entity type

July 2022 Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states, with Texas the worst affected with 10 data breaches.

| State | No. Breaches |
|---|---|
| Texas | 10 |
| Pennsylvania & Virginia | 5 |
| California, Florida, North Carolina & Wisconsin | 4 |
| Arizona, Connecticut, Georgia, Illinois, New Hampshire, Ohio, Oklahoma, & Oregon | 2 |
| Alabama, Arkansas, Colorado, Indiana, Iowa, Maine, Massachusetts, Michigan, Minnesota, Missouri, New York, Rhode Island, Washington, & Wyoming | 1 |

HIPAA Enforcement Activity in July 2022

From January to June, only 4 enforcement actions were announced by the HHS’ Office for Civil Rights; however, July saw a further 12 enforcement actions announced that resulted in financial penalties to resolve HIPAA violations. OCR has continued with its HIPAA Right of Access enforcement initiative, with 11 of the penalties imposed for the failure to provide patients with timely access to their medical records. 10 of those investigations were settled, and one was resolved with a civil monetary penalty.

July also saw one investigation settled with OCR that resolved multiple alleged violations of the HIPAA Rules that were uncovered during an investigation of a 279,865-record data breach at Oklahoma State University – Center for Health Sciences.

No HIPAA enforcement actions were announced by state attorneys general in July.

| Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|
| ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals |
| Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |

58% of Healthcare Organizations Have Implemented Zero-Trust Initiatives

There has been a marked increase in the number of healthcare organizations that have implemented zero trust initiatives, according to the 2022 State of Zero Trust Security report from Okta. In 2022, 58% of surveyed organizations said they had or have started implementing zero trust initiatives, up 21 percentage points from the 37% last year. Further, 96% of all healthcare respondents said they either had or are planning to implement zero trust within the next 12 to 18 months, up from 91% last year.

The traditional approach to security sees devices and applications within the network perimeter trusted, as they are behind the protection of perimeter defenses; however, that approach does not work well in the cloud, where there is no perimeter to defend. The philosophy of zero trust is, “never trust, always verify”. Zero trust assumes that every device and account could be malicious, regardless of whether it is inside or outside the network perimeter. With zero trust, all devices, accounts, applications, and connections are subject to robust authentication checks, the principle of least privilege is enforced, and there is comprehensive security monitoring.

“Zero Trust is a solid guiding principle, but getting there is a complex proposition, requiring multiple deeply integrated best-of-breed solutions working seamlessly together,” explained Okta in the report. “Every company has a different starting situation, different resources, and different priorities, leading to unique journeys to reach the same destination—true Zero Trust security.”

Zero Trust Adoption in Healthcare

There has been a significant increase in medical and IoT devices, applications, and cloud-based resources, which has significantly increased the attack surface, and this has made it much harder for security teams to defend against cyberattacks using traditional security approaches. Zero trust offers a solution and the majority of healthcare organizations that have not yet implemented zero trust initiatives say they have a plan in place to implement zero trust within the next 6 to 12 months.

98% of healthcare respondents said identity plays a meaningful role in their zero trust strategy, with 72% rating it important and 27% rating it critical, with the most pressing projects being extending Single Sign-on for employees and securing access to APIs. Currently, only 6% of healthcare respondents said they have context-based access policies in place, but 40% said they will be rolling these out within the next 12-18 months, with all healthcare respondents planning to extend SSO, MFA, or both to SaaS apps, internal apps, and servers in the coming 12-18 months.

The most critical factors for controlling and improving access to internal resources were device trust, geographic location, and trusted IP address, followed by time of day or working hours-based access, and whether the resource trying to be accessed is highly sensitive. Healthcare organizations are also transitioning away from password-based authentication. Password use fell from 94% of healthcare organizations in 2021 to 85% in 2022, with push authentication adoption increasing from 16% in 2021 to more than 40% in 2022.

“Adoption of a Zero Trust framework provides a methodology that makes it easier for organizations to continually assess their security posture and the relative maturity of their model, and pinpoint the right security solutions to accelerate their progress at every phase of their journeys,” explained Okta. However, there are challenges for healthcare organizations, and the biggest one is the current talent and skill shortage. “In light of the talent/skill shortage faced around the world, organizations need to find solutions that help them progress along their Zero Trust journeys without creating the need for additional budgets, headcount, or training resources,” suggests Okta. “They need to find solutions that integrate with their existing security ecosystems to extract the most value.”

Cyberspace Solarium Commission Co-Chairs Call for HHS to Improve Threat Information Sharing with HPH Sector

Senator Angus S. King Jr. (I-ME) and Congressman Mike Gallagher (R-WI), Co-Chairs of the Cyberspace Solarium Commission, have written to HHS Secretary, Xavier Becerra, to voice their concerns about the lack of sharing of actionable threat information with industry partners to help the health and public health sector (HPH) address current cybersecurity gaps.

In the letter, the lawmakers explained that the COVID-19 pandemic revealed some of the systemic challenges facing the HPH sector, and during that time when healthcare workers were dealing with exacerbated workforce challenges, cybercriminals and nation-state threat actors targeted the HPH sector and ransomware attacks skyrocketed.

They suggest cyber threat actors recognized that the HPH sector was more likely than other victims to pay ransom demands in order to protect patient safety, and that the large amounts of sensitive patient data stored by healthcare providers have made them targets for criminals and nation-state hackers. The lawmakers praised the efforts the White House and the HHS have put into improving cybersecurity in the HPH sector but are concerned about “The lack of robust and timely sharing of actionable threat information with industry partners.” They suggest there is a need to dramatically scale up the Department’s capabilities and resources due to the exponential growth of cyber threats, and that it is essential to prioritize addressing the HPH sector’s cybersecurity gaps.

King and Gallagher have requested a briefing from the Secretary of the HHS to share the status of the department’s efforts to strengthen its capabilities and operationalize collaboration with organizations throughout the HPH sector and say it is only possible to conduct effective oversight if they understand the challenges that the HHS and the HPH sector are facing.

Specifically, they have requested:

  • Information on the current organizational structure, roles, and responsibilities that the HHS employs to support HPH cybersecurity and serve as the Sector Risk Management Agency (SRMA) for the entire HPH.
  • The current authorities the HHS has to improve the cybersecurity of the HPH sector
  • The resources, including personnel and budget, the HHS requires to serve as an effective SRMA
  • The interagency coordination structures utilized to support the HHS’s efforts and the cybersecurity efforts of the HPH sector, the successes achieved, and the challenges faced.

The lawmakers have also requested an unclassified threat briefing from the HHS on current cybersecurity risks to the HPH sector.

Ransomware Gangs Adopt Callback Phishing Techniques for Gaining Initial Network Access

Multiple ransomware groups have adopted the BazarCall callback phishing technique to gain initial access to victims’ networks, including threat actors that have targeted the healthcare sector.

BazarCall is a type of callback phishing, where organizations are targeted and sent ‘phishing’ emails that request a call to a telephone number to resolve an important issue. As with standard phishing campaigns, there is urgency – if no action is taken, there will be bad consequences. The telephone number provided is manned by the threat actor, who is well versed in social engineering techniques and will attempt to trick the caller into taking actions that will give the threat actor access to the victim’s network. That action could be to visit a malicious website or download a malicious file.

In the BazarCall campaign, the targeted individual is told in the email that a subscription or free trial is coming to an end and it will auto-renew at a cost. In order to cancel the subscription, the user must call the number provided. If the call is made, the threat actor will attempt to get the user to initiate a Zoho Remote Desktop Control session, which it is claimed is necessary to cancel the subscription. Zoho is legitimate business software; however, in this case, it is used for malicious purposes. While the user converses with the threat actor that answers the call, a second member of the team will use the remote access session to silently weaponize legitimate tools that can be used for an extensive compromise of the victim’s network.

BazarCall was first utilized by the Ryuk ransomware operation in 2020/2021. Ryuk was disbanded and reformed as Conti, and both were prolific ransomware-as-a-service operations. The campaigns were identified by security researchers at AdvIntel, who have tied the campaigns to three cybercriminal groups that broke away from the Conti ransomware operation before it shut down.

According to AdvIntel, BazarCall started to be used by the Conti ransomware gang in March 2022, and in April, a new ransomware group – Silent Ransom – broke away from the Conti operation and adopted the BazarCall technique for initial access. The technique was refined and a second threat group – Quantum – broke away from Conti and started using its own version of BazarCall. In June, a third group – Roy/Zeon – broke away from Conti and started using its own version of BazarCall.

Each threat group impersonates different companies in the initial emails, such as Duolingo, MasterClass, Oracle, HelloFresh, CrowdStrike, RemotePC, Standard Notes, and many more. The lures used vary but generally relate to an upcoming payment due to the end of a subscription or trial period, with the brands impersonated related to the industry being targeted.

AdvIntel says that while the Silent Ransom group was the first threat group to resurrect the BazarCall phishing tactic, seeing the success, efficiency, and targeting capabilities of the tactic, other threat groups have begun using the reversed phishing campaign as a base and developing the attack vector into their own. “This trend is likely to continue: As threat actors have realized the potentialities of weaponized social engineering tactics, it is likely that these phishing operations will only continue to become more elaborate, detailed, and difficult to parse from legitimate communications as time goes on,” warn the researchers.

Defending against callback phishing emails can be difficult due to the lack of malicious content in the initial phishing emails, which means they are unlikely to be flagged as malicious by email security solutions. The best defense to prevent the attacks is to ensure that callback phishing is covered in security awareness training and to include examples of callback phishing in internal phishing simulations.
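To make the detection gap concrete, here is an added triage heuristic (example code written for this page, not an HC3, AdvIntel or HIPAA Journal tool) that scores an email on the callback-lure traits described in this post and in the HC3 warning earlier on the page: a phone number, no links or attachments, and billing/renewal wording. The term lists, the consumer mail domain list and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Heuristic triage for callback ("hybrid") phishing: the email carries no link or
# attachment, only a phone number, wrapped in a billing or subscription-renewal lure.
# All term lists and sample messages below are constructed for this example.

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

# Billing/renewal lure vocabulary (constructed; extend it from your own incident reports).
LURE_TERMS = ("subscription", "free trial", "auto-renew", "renewal", "invoice",
              "charged", "payment", "expire", "cancel")
# Phrases that steer the reader to the phone rather than to a link.
CALL_TERMS = ("call", "dial", "phone", "contact us at")
# Consumer mail domains a vendor's billing department would not normally send from (constructed list).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    has_attachment: bool = False


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_callback_lure(msg: Message) -> Verdict:
    """Score a message on callback-lure traits; higher means more suspicious."""
    text = f"{msg.subject}\n{msg.body}".lower()
    v = Verdict(0)

    phones = PHONE_RE.findall(text)
    if not phones:
        v.reasons.append("no phone number, so not a callback lure")
        return v
    v.score += 2
    v.reasons.append(f"{len(phones)} phone number(s) present")

    # The defining trait: nothing for a URL or attachment scanner to inspect.
    if not URL_RE.search(text) and not msg.has_attachment:
        v.score += 3
        v.reasons.append("no links or attachments: the phone number is the only call to action")

    lures = [t for t in LURE_TERMS if t in text]
    if lures:
        v.score += min(len(lures), 3)
        v.reasons.append("billing/renewal lure terms: " + ", ".join(lures))

    if any(t in text for t in CALL_TERMS):
        v.score += 1
        v.reasons.append("reader is told to call")

    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain in FREEMAIL_DOMAINS:
        v.score += 1
        v.reasons.append(f"billing notice sent from consumer mail domain {domain}")
    return v


def is_suspected_callback_phish(msg: Message, threshold: int = 6) -> bool:
    """True when the score crosses the (constructed) review threshold."""
    return score_callback_lure(msg).score >= threshold


# Constructed samples: a callback lure, a legitimate invoice with a link, and an unrelated notice.
SAMPLES = [
    Message("billing-desk@gmail.com",
            "Your Premium subscription auto-renews tomorrow",
            "Thank you for your free trial. Your card will be charged $299.99 on renewal. "
            "To cancel, call (800) 555-0142 within 24 hours."),
    Message("ar@clinic-vendor.example",
            "Invoice 20221 ready",
            "Your invoice is available at https://billing.example.com/invoices/20221. "
            "Questions? Call (800) 555-0199."),
    Message("hr@hospital.example",
            "Flu clinic schedule",
            "Staff flu shots run Tuesday 9am to 3pm in room 204. Reply to this email to book a slot."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = score_callback_lure(m)
        flag = "REVIEW" if is_suspected_callback_phish(m) else "ok"
        print(f"[{flag}] score={v.score} subject={m.subject!r}")
        for r in v.reasons:
            print("   -", r)
```

The score is a routing signal for a human or a sandboxed phone-number reputation lookup, not a block decision; the phone number itself is the indicator worth logging and sharing.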

Healthcare Providers Targeted in Evernote Phishing Campaign

A malicious phishing campaign has been identified that is targeting healthcare providers. The emails have an Evernote-themed lure to trick recipients into downloading a Trojan file that generates a login prompt to steal credentials.

The Health Information Cybersecurity Coordination Center (HC3) has recently issued an alert about the campaign which has targeted several healthcare providers in the United States. Malicious emails are sent to targeted organizations that contain a malicious link to an Evernote-themed website. The emails are personalized and the lures used in the phishing emails may vary; however, the emails seen by HC3 have the subject line “[Organization Name] [Date] Business Review” and have a Secure Message theme.

Evernote Phishing Campaign. Source: HC3

The link included in the email directs the user to the Evernote site, where they are prompted to download an HTML file – called message (3).html. The file includes JavaScript code that renders an Adobe or Microsoft-themed page that attempts to harvest Outlook, IONOS, AOL, or other credentials.

The credentials obtained in phishing campaigns such as this can give cyber threat actors access to email accounts, which can contain significant amounts of sensitive data, including protected health information. Compromised email accounts can be used to conduct phishing attacks internally and can give threat actors the foothold they need to conduct more extensive attacks on the organization. Many ransomware attacks start with phishing emails.

Protecting against phishing attacks requires a combination of measures, including email security solutions for blocking phishing emails, web filters for preventing access to malicious websites where malware is downloaded, and antivirus software for identifying Trojans and other malicious code. It is also important to provide regular security awareness training to the workforce on the risks of phishing and train employees on how to recognize phishing emails.

Further information on this phishing campaign, along with other recommended mitigations, can be found in the HC3 security alert.

CISA Sounds Alarm About Zeppelin Ransomware Targeting Healthcare Organizations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about the Zeppelin ransomware-as-a-service (RaaS) operation, which has extensively targeted organizations in the healthcare and medical industries.

Zeppelin ransomware, a variant of Vega malware, has been used in attacks on critical infrastructure organizations since 2019. The threat actors have been observed using a variety of vectors to gain initial access to victims’ networks, especially the exploitation of Remote Desktop Protocol (RDP), vulnerabilities in SonicWall appliances, vulnerabilities in Internet-facing applications, and phishing emails. The phishing-based attacks use a combination of malicious links and attachments containing malicious macros.

The threat actors typically spend around 1-2 weeks inside victims’ networks before deploying the ransomware payload. During this time, they map or enumerate victims’ networks, identify data of interest, including backups and cloud storage services, and exfiltrate sensitive data. A ransom demand is then issued, usually in Bitcoin, with the demand ranging from several thousand dollars to more than a million.

The FBI has observed several attacks where the malware has been executed multiple times, which means victims have multiple IDs and file extensions and require several different decryption keys to recover their files, which adds to the complexity of recovery from an attack.

CISA and the FBI have shared Indicators of Compromise (IoCs) and YARA rules to help network defenders identify attacks in progress and block attacks before file encryption. Mitigations have also been shared to reduce the risk of compromise, which include:

  • Developing and managing password policies for all accounts in accordance with the latest standards published by the National Institute of Standards and Technology (NIST)
  • Developing a robust backup plan for all data – Create multiple backups of data and servers, store those backups in separate, segmented, and secure locations, encrypt backups, and test backups to make sure file recovery is possible
  • Implementing multifactor authentication for all services, especially webmail, VPNs, and accounts used to access critical systems
  • Ensuring all software and firmware are kept up to date
  • Installing antivirus software on all hosts and regularly updating the software
  • Conducting regular audits of all user accounts with admin privileges
  • Applying the principle of least privilege
  • Implementing time-based controls for admin-level accounts and higher
  • Disabling all unused ports
  • Disabling hyperlinks in received emails and adding a banner to all emails from external sources
  • Disabling command-line and scripting activities and permissions to prevent lateral movement

In the event of a successful attack, the FBI encourages victims to share information with the FBI, regardless of whether the ransom is paid. Specifically, the FBI requests boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
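The point above about repeated executions leaving files with several IDs and extensions is the kind of thing an incident responder wants to inventory before contacting the FBI or obtaining decryptors. The following is an added example (not part of the advisory or of any Zeppelin tooling) that triages a directory listing by appended victim ID; the `<name>.<hex>-<hex>-<hex>` naming pattern and the listing itself are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed file-naming pattern: original name with a per-execution victim ID of
# three hexadecimal triplets appended (an assumption constructed for this
# example; confirm the real pattern from the ransom note and affected files).
ENCRYPTED_RE = re.compile(
    r"^(?P<name>.+)\.(?P<victim_id>[0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$")

# Constructed directory listing after the ransomware ran twice on one share.
LISTING = [
    r"D:\share\hr\payroll.xlsx.126-D7C-E67",
    r"D:\share\hr\handbook.pdf.126-D7C-E67",
    r"D:\share\finance\q2.xlsx.C59-E1A-1F3",
    r"D:\share\finance\q2.xlsx.C59-E1A-1F3.126-D7C-E67",  # encrypted twice
    r"D:\share\it\readme.txt",                             # untouched
]


def peel_ids(path):
    """Strip appended victim IDs; returns (original name, IDs outermost first).
    The outermost ID is the one whose key must be applied first."""
    ids = []
    while (m := ENCRYPTED_RE.match(path)):
        ids.append(m.group("victim_id"))
        path = m.group("name")
    return path, ids


def triage(listing):
    """Group encrypted files by victim ID (one decryption key per ID) and list
    files that carry more than one layer of encryption."""
    files_per_id = defaultdict(list)
    multi_layer = {}
    for path in listing:
        original, ids = peel_ids(path)
        for vid in ids:
            files_per_id[vid].append(original)
        if len(ids) > 1:
            multi_layer[path] = ids
    return dict(files_per_id), multi_layer


def keys_needed(listing):
    """Distinct victim IDs seen, i.e. how many decryptors/keys recovery needs."""
    return sorted(triage(listing)[0])


if __name__ == "__main__":
    per_id, multi = triage(LISTING)
    print("keys needed:", keys_needed(LISTING))
    for vid, files in per_id.items():
        print(vid, len(files), "files")
    for path, order in multi.items():
        print("apply keys in order", order, "to", path)
```

The per-ID grouping also tells the responder which files to pick when the FBI asks for a benign encrypted sample for each ID.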


1H 2022 Healthcare Data Breach Report

Ransomware attacks are rife, hacking incidents are being reported at high levels, and several very large healthcare data breaches have been reported so far in 2022. However, our analysis of the healthcare data breaches reported in 1H 2022 shows that, while data breaches are certainly being reported in high numbers, fewer breaches were reported than in 1H 2021.

Between January 1, 2022, and June 30, 2022, 347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – the same number of data breaches reported in 2H, 2021. In 1H, 2021, 368 healthcare data breaches were reported to OCR, 21 more than the 347 reported in the corresponding period this year. That represents a 5.71% reduction in reported breaches.

[Chart: Reported healthcare data breaches - 1H 2022]

The number of healthcare records breached has continued to fall. In 1H, 2021, 27.6 million healthcare records were breached. In 2H, 2021, the number of breached records fell to 22.2 million, and the fall continued in 1H, 2022, when 20.2 million records were breached. That is a 9.1% fall from 2H, 2021, and a 26.8% reduction from 1H, 2021.

[Chart: Breached healthcare records - 1H 2022]

While it is certainly good news that data breaches and the number of breached records are falling, the data should be treated with caution, as some major data breaches have been reported that are not yet reflected in this breach report: data breaches at business associates where only a handful of the affected entities have reported the breach so far.

One notable breach is a ransomware attack on the HIPAA business associate Professional Finance Company. That one breach alone affected 657 HIPAA-covered entities, and only a few of those entities have reported the breach so far. Another major business associate breach, at Avamere Health Services, affected 96 senior living and healthcare facilities. The end-of-year breach report could tell a different story.

Largest Healthcare Data Breaches in 1H 2022

1H 2022 Healthcare Data Breaches of 500 or More Records

Record Range | Number of Breaches
500-1,000 | 61
1,001-9,999 | 132
10,000-99,999 | 117
100,000-249,999 | 20
250,000-499,999 | 7
500,000-999,999 | 6
1,000,000+ | 4

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Business Associate Data Breach | Cause of Data Breach
Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking/IT Incident | Yes | Unspecified cyberattack
North Broward Hospital District (Broward Health) | FL | Healthcare Provider | 1,351,431 | Hacking/IT Incident | No | Cyberattack through the office of 3rd party medical provider
Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Hacking/IT Incident | Yes | Ransomware attack on EHR provider (Eye Care Leaders)
Baptist Medical Center | TX | Healthcare Provider | 1,243,031 | Hacking/IT Incident | No | Unspecified cyberattack
Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking/IT Incident | No | Ransomware attack
MCG Health, LLC | WA | Business Associate | 793,283 | Hacking/IT Incident | Yes | Unspecified hacking and data theft incident
Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Hacking/IT Incident | No | Ransomware attack
Morley Companies, Inc. | MI | Business Associate | 521,046 | Hacking/IT Incident | Yes | Unspecified hacking and data theft incident
Adaptive Health Integrations | ND | Healthcare Provider | 510,574 | Hacking/IT Incident | No | Unspecified hacking incident
Christie Business Holdings Company, P.C. | IL | Healthcare Provider | 502,869 | Hacking/IT Incident | No | Unauthorized access to email accounts
Monongalia Health System, Inc. | WV | Healthcare Provider | 492,861 | Hacking/IT Incident | No | Unspecified hacking incident
ARcare | AR | Healthcare Provider | 345,353 | Hacking/IT Incident | No | Malware infection
Super Care, Inc. dba SuperCare Health | CA | Healthcare Provider | 318,379 | Hacking/IT Incident | No | Unspecified hacking incident
Cytometry Specialists, Inc. (CSI Laboratories) | GA | Healthcare Provider | 312,000 | Hacking/IT Incident | No | Ransomware attack
South Denver Cardiology Associates, PC | CO | Healthcare Provider | 287,652 | Hacking/IT Incident | No | Unspecified hacking incident
Stokes Regional Eye Centers | SC | Healthcare Provider | 266,170 | Hacking/IT Incident | Yes | Ransomware attack on EHR provider (Eye Care Leaders)
Refuah Health Center | NY | Healthcare Provider | 260,740 | Hacking/IT Incident | No | Ransomware attack

Causes of 1H 2022 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in 1H 2022, accounting for 277 data breaches or 79.83% of all breaches reported in 1H. That represents a 7.36% increase from 2H, 2021, and a 6.44% increase from 1H, 2021. Across the hacking incidents in 1H, 2022, the protected health information of 19,654,129 individuals was exposed or compromised – 97.22% of all records breached in 1H, 2022.

That represents a 6.51% reduction in breached records from 2H, 2021, and a 26.56% reduction in breached records from 1H, 2021, showing that while hacking incidents are being conducted in very high numbers compared to previous years, the severity of those incidents has reduced.

The average hacking/IT incident breach size was 70,954 records in 1H, 2022 and the median breach size was 10,324 records. In 2H, 2021, the average breach size was 81,487 records with a median breach size of 5,989 records, and in 1H, 2021, the average breach size was 96,658 records and the median breach size was 6,635 records.

In 1H, 2022, there were 52 unauthorized access/disclosure breaches reported – 14.99% of all breaches in 1H, 2022. These incidents resulted in the impermissible disclosure of 278,034 healthcare records, 72.33% fewer records than in 2H, 2021, and 61.37% fewer records than in 1H, 2021. In 1H, 2022, the average breach size was 5,347 records and the median breach size was 1,421 records. In 2H, 2021, the average breach size was 14,778 records and the median was 1,946 records. In 1H, 2021, the average breach size was 9,725 records, and the median breach size was 1,848 records.

The number of loss, theft, and improper disposal incidents has remained fairly constant over the past 18 months, although the number of records exposed in these incidents increased in 1H, 2022 to 279,266 records, up 217.33% from 2H, 2021, and 422.53% from 1H, 2021.

Location of Breached Protected Health Information

Protected health information is stored in many different locations. Medical records are housed in electronic medical record systems, but a great deal of PHI is included in documents, spreadsheets, billing systems, email accounts, and many other locations. The chart below shows the locations where the breached PHI was stored. In several security breaches, PHI was compromised in more than one location.

The data shows that by far the most common location of breached data is network servers, which is unsurprising given the high number of hacking incidents and ransomware attacks. Most data breaches do not involve electronic medical record systems; however, there have been breaches at electronic medical record providers this year, hence the increase in data breaches involving EHRs. The chart below also shows the extent to which email accounts are compromised. These incidents include phishing attacks and brute force attacks to guess weak passwords. HIPAA-regulated entities can reduce the risk of email data breaches by implementing multifactor authentication and having robust password policies and enforcing those policies. A password manager is recommended to make it easier for healthcare employees to set unique, complex passwords. It is also important not to neglect security awareness training for the workforce – a requirement for compliance with the HIPAA Security Rule.

[Chart: Location of breached PHI - 1H 2022]

Where are the Data Breaches Occurring?

Healthcare providers are consistently the worst affected type of HIPAA-covered entity; however, the number of data breaches occurring at business associates has increased. Data breaches at business associates often affect multiple HIPAA-covered entities. These data breaches are shown on the OCR breach portal; however, they are not clearly reflected as, oftentimes, a breach at a business associate is self-reported by each HIPAA-covered entity. Simply tallying up the reported breaches by the reporting entity does not reflect the extent to which business associate data breaches are occurring.

This has always been reflected in the HIPAA Journal data breach reports, and since June 2021, the reporting of data breaches by covered entity type was adjusted further to make business associate data breaches clearer by showing graphs of where the breach occurred, rather than the entity reporting the data breach. The HIPAA Journal data analysis shows the rising number of healthcare data breaches at business associates.

1H 2022 Data Breaches by State

As a general rule of thumb, U.S. states with the highest populations tend to be the worst affected by data breaches, so California, Texas, Florida, New York, and Pennsylvania tend to experience more breaches than sparsely populated states such as Alaska, Vermont, and Wyoming; however, data breaches are being reported all across the United States.

The data from 1H 2022 shows that data breaches occurred in 43 states, D.C., and Puerto Rico, with healthcare data safest in Alaska, Iowa, Louisiana, Maine, New Mexico, South Dakota, and Wyoming, where no data breaches were reported in the first half of the year.

State | Number of Breaches
New York | 29
California | 23
New Jersey & Texas | 18
Florida & Ohio | 17
Michigan & Pennsylvania | 15
Georgia | 14
Virginia | 13
Illinois & Washington | 12
Massachusetts & North Carolina | 10
Colorado, Missouri, & Tennessee | 9
Alabama, Arizona, & Kansas | 8
Maryland | 7
Connecticut & South Carolina | 6
Oklahoma, Utah, & West Virginia | 5
Indiana, Minnesota, Nebraska, & New Hampshire | 4
Wisconsin | 3
Arkansas, Delaware, Mississippi, Montana, Nevada, & the District of Columbia | 2
Hawaii, Idaho, Kentucky, North Dakota, Oregon, Rhode Island, Vermont, & Puerto Rico | 1
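The tallies in the sections above (size buckets, breaches and records by cause, attribution of a breach to the business associate where it occurred rather than to each reporting entity, and the 500-record interim placeholder noted in the report's limitations) can be reproduced from OCR-style breach records. The following is an added example written for this page, not HIPAA Journal's own analysis code; the records are constructed, not taken from the OCR portal.

```python
from collections import Counter

# Breach-size buckets used in the report (both bounds inclusive; None = no cap).
BUCKETS = [
    ("500-1,000", 500, 1_000), ("1,001-9,999", 1_001, 9_999),
    ("10,000-99,999", 10_000, 99_999), ("100,000-249,999", 100_000, 249_999),
    ("250,000-499,999", 250_000, 499_999), ("500,000-999,999", 500_000, 999_999),
    ("1,000,000+", 1_000_000, None),
]

# Constructed records in the shape of the OCR breach portal columns (not real
# portal data). "ba" names the business associate at which the breach occurred;
# several covered entities may each file a report naming the same BA.
RECORDS = [
    dict(entity="Clinic A", state="TX", kind="Healthcare Provider",
         affected=1_290_104, cause="Hacking/IT Incident", ba="EHR Vendor X"),
    dict(entity="Eye Center B", state="SC", kind="Healthcare Provider",
         affected=266_170, cause="Hacking/IT Incident", ba="EHR Vendor X"),
    dict(entity="Health Plan C", state="CA", kind="Health Plan",
         affected=854_913, cause="Hacking/IT Incident", ba=None),
    dict(entity="Hospital D", state="TX", kind="Healthcare Provider",
         affected=500, cause="Unauthorized Access/Disclosure", ba=None),
    dict(entity="Practice E", state="NY", kind="Healthcare Provider",
         affected=2_300, cause="Loss", ba=None),
]

def bucket(n):
    """Return the report's size-bucket label for a breach of n records."""
    for label, lo, hi in BUCKETS:
        if n >= lo and (hi is None or n <= hi):
            return label
    raise ValueError(f"{n} records is below the 500-record reporting threshold")

def bucket_counts(records):
    return Counter(bucket(r["affected"]) for r in records)

def cause_share(records):
    """Per cause: (breaches, % of breaches, % of breached records)."""
    n_breaches = len(records)
    n_records = sum(r["affected"] for r in records)
    out = {}
    for cause in {r["cause"] for r in records}:
        subset = [r for r in records if r["cause"] == cause]
        recs = sum(r["affected"] for r in subset)
        out[cause] = (len(subset), round(100 * len(subset) / n_breaches, 2),
                      round(100 * recs / n_records, 2))
    return out

def by_location(records):
    """Tally where each breach occurred (the BA when one is named), not who
    reported it: the adjustment the report describes for BA breaches."""
    return Counter("Business Associate" if r["ba"] else r["kind"] for r in records)

def ba_report_counts(records):
    """How many covered-entity reports each BA breach has generated so far."""
    return Counter(r["ba"] for r in records if r["ba"])

def placeholder_reports(records):
    """Entities reporting exactly 500 records, likely an interim placeholder."""
    return [r["entity"] for r in records if r["affected"] == 500]
```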

HIPAA Enforcement Activity in 1H 2022

HIPAA Journal tracks HIPAA enforcement activity by OCR and state attorneys general in the monthly and annual healthcare data breach reports. In 2016, OCR started taking a harder line on HIPAA-regulated entities that were discovered to have violated the HIPAA Rules and increased the number of financial penalties imposed, with peak enforcement occurring in 2019 when 19 financial penalties were imposed.

2022 has started slowly in terms of HIPAA enforcement actions, with just 4 financial penalties imposed by OCR in 1H, 2022. However, that should not be seen as OCR going easy on HIPAA violators. In July 2022, OCR announced 12 financial penalties to resolve HIPAA violations, bringing the annual total up to 16. HIPAA Journal records show only one enforcement action taken by state attorneys general so far in 2022.

Limitations of this Report

The nature of breach reporting makes generating accurate data breach reports challenging. HIPAA-regulated entities are required to report data breaches to OCR within 60 days of a data breach occurring; however, the number of individuals affected may not be known at that point. As such, data breaches are often reported with an interim figure, which may be adjusted up or down when the investigation is completed. Many HIPAA-regulated entities report data breaches using a placeholder of 500 records, and then submit an amendment, so the final totals may not be reflected in this report. Data for this report was compiled on August 10, 2022.

While data breaches should be reported within 60 days of discovery, there has been a trend in recent years for data breaches to be reported within 60 days of the date when the investigation has confirmed how many individuals have been affected, even though the HIPAA Breach Notification Rule states that the date of discovery is the date the breach is discovered, not the date when investigations have been completed. Data breaches may have occurred and been discovered several months ago, but have not yet been reported. These will naturally not be reflected in this report.

This report is based on data breaches at HIPAA-regulated entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. If an entity is not subject to HIPAA, they are not included in this report, even if they operate in the healthcare industry.


HC3 Warns About Risks of IoT in Healthcare and Makes Security Recommendations

The Health Sector Cybersecurity Coordination Center (HC3) has published a security advisory warning the healthcare and public health sector about the risks associated with Internet of Things (IoT) devices along with recommendations for improving the security of IoT devices.

The Internet of Things (IoT) refers to physical devices that have the capability to exchange data or connect to other devices over the Internet. Currently, there are around 7 billion devices that are connected through IoT, and IoT device use is expected to increase to 20 billion devices worldwide by 2025. These devices use sensors to collect data and communicate over the Internet and include a wide range of “smart” appliances such as TVs and washing machines, doorbell cameras, Amazon Echo devices, voice controllers, and wearable devices. IoT devices are used in industrial settings and many medical devices use IoT. While there have been major advances in IoT technology in recent years to make the technology cheaper and more accessible, the main architectural layers have largely remained unchanged and there is growing concern that the devices could provide an easy entry point into healthcare networks.

Risk of Cyberattacks Exploiting Weak IoT Security

There is growing concern over the security of IoT and the risk of cyberattacks exploiting IoT vulnerabilities. These attacks could take the form of Distributed Denial of Service (DDoS) attacks, which flood IoT networks with traffic to prevent communications. IoT devices are also being targeted by threat actors so they can be added to botnets used to conduct large-scale DDoS attacks on web applications.

Man-in-the-middle attacks can occur, where bad actors eavesdrop on legitimate communications and steal sensitive data or tamper with communications. Just as with software solutions, vulnerabilities can exist that can be exploited by bad actors to gain unauthorized access to the devices. In healthcare, IoT medical devices could be accessed, the functions of the devices changed to cause harm to patients, or sensitive patient information could be stolen.

While it is a standard security best practice to change default passwords on all devices, IoT devices are often left with factory settings, including default passwords. This makes the devices vulnerable to brute force attacks, which can give threat actors access to the networks to which the devices connect.

If IoT devices are not physically secured, they could be tampered with or have malware installed. The firmware on the devices can be hijacked by forcing the devices to perform updates to download doctored firmware, malicious drivers, or malware.

How to Minimize Risk from IoT Devices in Healthcare

The high rate of adoption of IoT devices in healthcare has widened the attack surface considerably, giving bad actors a much broader range of devices to attack to gain access to healthcare networks. If healthcare organizations have a flat network, where IoT devices, standard IT devices, and operational technology (OT) are all on the same network, gaining access to an IoT device could allow a threat actor to move laterally and access all devices on the network. This is a major security risk, especially considering the relative lack of security on IoT devices.

One of the most important steps to take to improve security is to implement network segmentation to reduce the attack surface. With network segmentation, the network is divided into subnetworks or zones. This can reduce congestion and limit failures, but also limits lateral movement. If an IoT device is compromised, it cannot be used to access other parts of the network.

HC3 makes several other recommendations for reducing the risk from IoT devices.

  • Change default settings – Default settings on routers should be changed along with the privacy and security settings on all IoT devices.
  • Set strong passwords – Default passwords should be changed, and a unique, strong password should be used for all devices to reduce the risk of brute force attacks.
  • Avoid Universal Plug and Play (UPnP) – UPnP can leave office equipment vulnerable to cyberattacks.
  • Update all software and firmware – All software and firmware should be kept up to date. The latest releases have fixes for vulnerabilities and active exploits.
  • Adopt zero trust – Adopt the principle of zero trust, which means nothing is inherently trusted, even if it is within the network. Limit access to resources to the small number of individuals who require access to perform their work duties.
