Healthcare Cybersecurity

Most Common Malware Strains in 2021

The U.S. Cybersecurity and Infrastructure Security Agency has published a list of the top malware strains identified in 2021. Malware is used by threat actors to compromise devices, giving them a backdoor into devices and networks for performing a range of nefarious activities. Malware can also be destructive and be used to sabotage systems, such as wipers that delete all data on a system. The rise in the value of cryptocurrencies has seen an increase in the use of cryptocurrency miners, which hijack the resources of infected systems to mine cryptocurrencies. Some malware, such as worms, does not just compromise one device but also self-propagates and infects every other vulnerable device on the network.

In recent years there has been a major increase in the use of ransomware. Ransomware encrypts files on targeted systems to prevent data access, and a ransom demand is issued for the keys to unlock the encryption. Most ransomware variants also support data exfiltration, and files are stolen prior to encryption. The ransom must then be paid not just to decrypt files, but also to prevent the publication or sale of the stolen data. While ransomware is a type of malware, it is common for threat actors to use malware such as Remote Access Trojans (RATs) to gain initial access to networks, and for the access to be sold to ransomware gangs.

Malware is installed using a variety of attack vectors. Malware is commonly delivered via email, through the exploitation of vulnerabilities in Remote Desktop Protocol (RDP), and by exploiting known vulnerabilities in software. Initial access to accounts may be gained using brute force tactics to guess weak credentials. With such a variety of attack vectors, there is no single cybersecurity measure that can block all malware infections. It should also be noted that antivirus software detects malware by matching it against the signatures in its definition list, so it cannot block a sample for which no signature exists. Many different variants of malware are released, and small tweaks can be all that is required to evade antivirus solutions.

In 2021, remote access Trojans, banking Trojans, information stealers, and ransomware were the most common types of malware used in attacks. The top malware strains in 2021 were:

  1. Agent Tesla – Information stealer
  2. AZORult – Information stealer
  3. Formbook – Information stealer
  4. Ursnif – Banking Trojan and information stealer
  5. LokiBot – Trojan information stealer
  6. MOUSEISLAND – Ransomware dropper
  7. NanoCore – Information stealer
  8. Qakbot – Banking Trojan, commonly used for reconnaissance and data exfiltration, and delivering additional malware payloads
  9. Remcos – Remote management and pen testing tool used to create a backdoor in victims’ systems
  10. TrickBot – Banking Trojan, botnet, and malware dropper
  11. GootLoader – Malware loader

These malware strains have been used in attacks for several years and have evolved to make them more evasive and provide them with new capabilities. Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot have all been used for more than 5 years, while Qakbot and Ursnif have been in use for more than a decade.

In addition to providing access to victims’ systems to the malware gangs, Qakbot and TrickBot are malware droppers and have been extensively used to give access to systems to ransomware gangs such as Conti. The Conti gang is known to have conducted at least 450 ransomware attacks in the first half of 2021. Throughout 2021, the malware strains Formbook, Agent Tesla, and Remcos have been extensively distributed in phishing emails, taking advantage of the pandemic and using COVID-19-themed lures.

Mitigations

CISA has provided a list of recommended mitigations for blocking malware threats and reducing the impact of successful attacks, the most important of which are to update software and patch promptly, enforce multifactor authentication, secure and monitor RDP and other potentially risky services, and provide end user security awareness training.

The post Most Common Malware Strains in 2021 appeared first on HIPAA Journal.

55% of Healthcare Organizations Suffered a Third-Party Data Breach in the Past Year

Cyberattacks on businesses have been increasing year over year across all industry sectors, and there has been an increase in cyberattacks involving third parties. From the point of view of a cyber threat actor, it makes more sense to attack a vendor such as a managed service provider, since a successful attack gives the threat actor access to the networks of the company’s clients. Already in 2022, there have been several major cyberattacks on vendors used by healthcare organizations, one of which impacted 650 of the company’s HIPAA-covered entity clients.

SecureLink, a provider of access management solutions for businesses, has recently explored how businesses are managing the risk associated with providing vendors with privileged access to their systems and has identified areas where the risks are not being effectively managed, even though efforts are being made to improve cybersecurity.

For SecureLink’s latest report, The State of Cybersecurity and Third-Party Remote Access Risk, the company surveyed 600 U.S. companies across a range of industry sectors, including healthcare, to learn more about their cybersecurity practices and how they are managing third-party risk.

55% of healthcare organizations that responded to the survey said they had experienced a third-party data breach in the last 12 months, which was the second highest percentage of all industry sectors, beaten only by the financial sector where 58% of companies had experienced a third-party data breach. Both of these industry sectors rely heavily on third parties, and those third parties have access to sensitive data that is of high value to cybercriminals.

65% of healthcare organizations said they did not feel that their IT systems are making third-party security and access a top priority, and across all industry sectors, 50% of companies said managing third-party security is overwhelming and a drain on internal resources.

Organizations had a budget of $365 million for IT in 2021, of which $78.5 million is spent on cybersecurity, around 21.5% of the IT budget. Despite that investment in cybersecurity, 54% of organizations experienced a data breach in the past 12 months. 52% of respondents said there had been an increase in cyberattacks compared to the previous year, and the proportion of attacks involving third parties increased from 44% to 49%.

The survey confirmed that organizations are starting to understand how to keep their systems and data safe; however, the number of cyberattacks is increasing and so is the sophistication of those attacks. The result is little headway has been made, with many organizations struggling to innovate their cybersecurity as fast as other aspects of their operations.

The SecureLink survey indicates organizations are failing to treat third-party vendors in proportion to the security risk they pose. For example, in 2022, only 49% of organizations had a comprehensive inventory of all third parties that had access to their systems. This is an improvement on the 42% in 2021, but only a slight one. There has been a greater percentage increase in organizations that have identified all third parties with access to their most sensitive data, rising from 35% in 2021 to 45% in 2022, but the figure is still worryingly low.

“While there is a statistically significant increase in terms of identifying third parties, that number is hovering under 50% while the reliance on third parties and a remote workforce is trending upwards. And while there is an increase in those measures, organizations are still finding managing third-party access to be overwhelming. All those numbers add up to a major risk point,” said SecureLink.

One of the main problems that organizations face is the complexity of their third-party relationships, which was stated as a problem by 48% of respondents. Added to that, monitoring is often a manual process, which is not a good use of internal resources that are already stretched. The survey revealed only 36% of organizations have automated the process of monitoring third parties. With a lack of monitoring and automation, it is not surprising that 47% of respondents said they are not highly effective at detecting third-party threats.

“The biggest challenge businesses face is having the manpower to manage third-party identities and cyber risk. With more streamlined systems and automated workflows, access is more manageable and less burdensome on employees,” said SecureLink. “Automation and efficiency are key factors in a successful cybersecurity strategy. Using security technology to streamline operations creates efficiency, which in turn, will be more effective in mitigating threats and pulling in/retaining talent to manage cybersecurity.”

Ransom Payment Data Suggests More Victims are Choosing Not to Pay

The average payment in ransomware attacks increased in Q2, 2022; however, there was a fall in the median payment for the second successive quarter, indicating more victims of ransomware attacks are choosing not to pay up. The data comes from the latest quarterly report from the ransomware remediation firm, Coveware. The average ransom payment in Q2, 2022 was $228,125, which is an 8% increase from the previous quarter. The median ransom payment was $36,360, which is a 51% decrease from Q1, 2022.

According to Coveware, the recent fall in payments indicates the changing profile of attacked companies, with ransomware gangs now tending to focus on attacking mid-market companies. Attacks on large enterprises are costly due to their large budgets for cybersecurity but the potential returns are greater. While ransomware attacks on mid-market firms mean the ransom demands must be smaller, the risks associated with attacks are also lower. Mid-market firms appear to be the sweet spot. The profits are sufficiently high to make the attacks worthwhile, and the ransomware gangs are less likely to face geopolitical pressure and action by law enforcement. Coveware also notes that a trend has been identified where large enterprises are refusing to even engage with ransomware gangs if their initial ransom demand is too large.

When ransomware gangs started exfiltrating data prior to encrypting files, the percentage of victims paying ransoms increased, as many victims chose to pay even if they had backups in order to prevent the sale or public disclosure of the stolen data. In Q2, 2022, 86% of ransomware attacks involved data theft and a threat to release the stolen data publicly. While the payment of the ransom is needed to prevent the publication of stolen data, Coveware notes that it has seen growing evidence that ransomware gangs are not making good on their promise to delete the data, which means the ransom payment was unnecessary.

If a ransomware attack involves data theft, Coveware says payment of the ransom does not mitigate the risk of harm, nor any liability the victim has to protect impacted parties. While some victims might view payment of the ransom as a way to protect against future class action lawsuits, “Paying a ransom is not going to thwart a meritless lawsuit, and there has been no case law to suggest that the risk of a suit happening, or the resulting settlements or damages are mitigated by paying a ransom,” said Coveware. Coveware also suggests that paying the ransom does not limit brand damage, nor does it show that a company has done everything to protect customers or clients. “A far better narrative is to be candid, honest, and contrite. Your impacted constituents will understand that this happens, and will appreciate the transparency.”

Q2, 2022 saw a change in the ransomware landscape following the shutdown of the Conti ransomware operation, whose members are instead now working with smaller ransomware operations. Ransomware attacks are now spread out much more broadly across several smaller operations, with BlackCat having a market share of 16.9%, followed by LockBit 2.0 with 13.2%, Hive with 6.3%, and Quantum, Conti V2, Phobos, Black Basta, and AvosLocker, which each have a market share of around 5%. There appears to be a trend where RaaS affiliates are choosing to spread their attacks across multiple ransomware brands.

As was the case in Q1, 2022, the most popular attack vector is still email phishing, although RDP compromise remains popular. The exploitation of software vulnerabilities and other attack vectors are still used, and Coveware suggests that affiliates are not limiting themselves to one attack vector.

In Q2, 2022, professional services was the most attacked sector, accounting for 21.9% of attacks, followed by the public sector (14.4%), healthcare (10%), and software services (9.4%). There was a slight increase in the number of attacks on healthcare organizations, which is largely due to the Hive ransomware gang expanding its operations. The Hive ransomware gang has no qualms about conducting attacks on the healthcare sector.

Ransomware Attacks Drop by 23% Globally but Increase by 328% in Healthcare

SonicWall has released a mid-year update to its 2022 Cyber Threat Report, which highlights the global cyberattack trends in 1H 2022. The data for the report was collected from more than 1.1 million global sensors in 215 countries and shows a global fall in ransomware attacks, with notable increases in malware attacks for the first time in 3 years.

Ransomware

SonicWall reports a 23% fall in ransomware attacks globally in 1H 2022, which fell to 236.1 million attempted attacks, continuing the downward trend that has been observed for the previous four quarters. June 2022 saw the lowest number of ransomware hits in the past 23 months. While ransomware attacks are down overall, that is not the case for the healthcare industry, which saw a 328% increase in attacks in 1H 2022.

While the reduction in attacks is certainly good news, it should be noted that the year-to-date figures for ransomware attacks are still higher than they were in all of 2017, 2018, and 2019. In the United States, SonicWall recorded an average of 707 ransomware attempts per customer in the first half of 2022. SonicWall attributes the decrease in attacks to the combination of geopolitical forces, volatile cryptocurrency prices, and an increased government and law-enforcement focus on ransomware gangs.

Malware

Ransomware attacks had increased for two straight years, but malware attacks have been at very low levels, with 2021 seeing malware attacks hit a 7-year low. 1H 2022 has seen a sharp increase in malware attacks, with 11% more attacks than 1H 2021, reaching 2.8 billion in 1H 2022 with an average of 8,240 attempts per customer. There was a marked rise in never-before-seen malware variants in 2022, which increased by 45% from 1H 2021. Cryptojacking has increased by 30% compared to 1H 2021, even with the sharp fall in the value of cryptocurrencies. Cryptojacking attacks in healthcare fell by 87%.

The biggest increase in malware was seen in IoT malware, which increased by 77% from 1H 2021 with 57 million detections, the highest rate of detection since SonicWall started tracking these attacks. The number of hits in 1H 2022 was only slightly lower than the total hits recorded in all of 2021. IoT attacks in the United States increased by 228% in June, and IoT malware attacks in healthcare increased by 123%.

Malicious Files

SonicWall reported in its mid-year 2021 update that there had been a 54% fall in the number of malicious Office files and a 13% drop in malicious PDF files, but the fall in number was short-lived, with this year seeing an increase in malicious file detections. In the first half of 2022, detections of malicious Office files increased by 18%, and malicious PDF file detections increased by 9%. PDF files now account for 18% of malicious file types, with Office files accounting for 10%, with more than 84% of malicious Office files being Excel files. Excel Macro 4.0 (XLM) files are the most common, accounting for 64% of malicious Excel files. Executable files are still the most common malicious file types, accounting for more than one-third of malicious files.

Encrypted Attacks

SonicWall observed a 132% increase in encrypted attacks in 1H 2022, continuing the trend of the past two years. May 2022 was the second highest month for malware over HTTPS ever recorded. Encrypted threats were most prevalent in the United States, and accounted for 41% of the global volume, with a 284% increase over the corresponding period last year. Encrypted attacks in healthcare fell by 6%.

Intrusion Attempts

Intrusion attempts rose by 18% globally in 1H 2022, but the number of malicious intrusions fell by 19%. However, in North America, there was an increase in intrusion attempts but the attacks appear to have peaked in June. Intrusion attempts increased by 39% in healthcare, 46% in government, and 200% in retail. Even with these increases, the 1H 2022 figures are lower than they were in 2021.

IBM: Average Cost of a Healthcare Data Breach Reaches Record High of $10.1 Million

The average cost of a healthcare data breach has reached double-digit millions of dollars for the first time ever, according to the 2022 Cost of a Data Breach Report from IBM Security. The average cost of a healthcare data breach jumped almost $1 million to a record high of $10.1 million, which is 9.4% more than in 2021 and 41.6% more than in 2020. Across all industry sectors, the average cost of a data breach was up 2.6% year over year at $4.35 million, which is the highest average cost in the 17 years that IBM has been producing its annual cost of a data breach reports and 12.7% higher than in 2020.

The report is based on a study of 550 organizations in 17 countries and regions and 17 different industry sectors that suffered data breaches between March 2021 and March 2022. For the report, IBM Security conducted more than 3,600 interviews with individuals in those organizations. 83% of organizations represented in the report have experienced more than one data breach, and 60% of organizations said the data breach resulted in them having to increase the price of their products and services.

Summary of 2022 Data Breach Costs

  • Global average cost of a data breach – $4.35 million (+2.6%)
  • Global average cost per record – $164 (+1.9%)
  • Average cost of a U.S. data breach – $9.44 million (+4.3%)
  • Average cost of a healthcare data breach – $10.1 million (+9.4%)
  • Average cost of a ransomware attack – $4.54 million (-1.7%)
  • Average cost where phishing was the initial attack vector – $4.91 million
  • Average cost of a 1 million record data breach – $49 million
  • Average cost of a 50-60 million record data breach – $387 million

For the first time in at least six years, the biggest component of the data breach costs was detection and escalation, which cost $1.44 million in 2022, up from $1.24 million in 2021. Next was lost business, which cost an average of $1.42 million in 2022, down from $1.59 million in 2021. Post-breach response increased slightly from $1.14 million in 2021 to $1.18 million in 2022, and there was a small increase in notification costs, which rose from $0.27 million in 2021 to $0.31 million in 2022.

On average, 52% of the breach costs are incurred in the first year, 29% in the second year, and 19% after two years. In highly regulated industries such as healthcare, a much larger percentage of the costs are incurred later, with 45% of costs in the first year, 31% in year 2, and 24% later than year 2, which was attributed to regulatory and legal costs.

The report explored the different initial attack vectors and found that the most common entry route was the use of stolen credentials, which accounted for 19% of all data breaches, with these data breaches costing an average of $4.5 million. Phishing attacks accounted for 16% of all data breaches, and phishing was the costliest attack vector, with an average data breach cost of $4.91 million, closely followed by business email compromise attacks, which accounted for 6% of all data breaches and cost an average of $4.89 million. Cloud misconfigurations accounted for 15% of data breaches and cost an average of $4.14 million, and vulnerabilities in third-party software accounted for 13% of data breaches and cost an average of $4.55 million per breach.

The average time to identify a data breach was 207 days in 2022, down from 212 days in 2021. The average time to contain a data breach was 277 days, down from 287 days in 2021. A shorter data breach lifecycle (time to identify and contain a breach) equates to a lower breach cost. Data breaches with a lifecycle of fewer than 200 days cost 26.5% ($1.12 million) less on average than data breaches with a lifecycle of over 200 days.

One of the most important steps to take to improve security is to adopt zero trust strategies, but only 59% of organizations had adopted zero trust, and almost 80% of critical infrastructure organizations had yet to implement zero-trust strategies. The average breach cost for critical infrastructure organizations without zero trust was $5.4 million, which was $1.17 million more than those that had implemented zero trust strategies.

Cost of Data Breaches by Breach Cause

The average cost of a ransomware attack fell slightly by 1.7% to $4.54 million, not including the cost of the ransom itself. Ransomware attacks increased significantly in 2022 and accounted for 11% of all data breaches, up from 7.8% of data breaches in 2021. Ransomware attacks took 49 days longer to identify and contain than the global average, taking an average of 237 days to identify the intrusion and 89 days to contain the attack. Paying the ransom only saw a $610,000 reduction in data breach costs, on average, not including the amount of the ransom. Since ransom amounts are often high, the report indicates that paying the ransom does not necessarily lower the breach cost. In fact, paying may well increase the cost of the breach.

Around one-fifth of data breaches were the result of supply chain compromises. The average cost of a supply chain compromise was $4.46 million, which was 2.5% higher than the overall average cost of a data breach. It took an average of 235 days to identify the breach and 68 days to contain it, 26 days more than the average data breach.

45% of data breaches occurred in the cloud, with data breaches in the public cloud costing considerably more than data breaches with a hybrid cloud model. 43% of organizations that experienced a data breach in the cloud were in the early stages of their migration to the cloud and had not started applying security practices to secure their cloud environments. Organizations in the early stages of cloud adoption had data breach costs of an average of $4.53 million, whereas those at a mature stage had average breach costs of $3.87 million.

Data Breach Cost Savings

IBM identified several steps that organizations can take to reduce the financial cost and reputational consequences of a data breach. The main cost-saving elements were:

  • Fully deployed security AI and automation – $3.05 million
  • Incident response team with regularly tested IR plan – $2.66 million
  • Adoption of zero trust – $1.5 million
  • Mature cloud security practices – $720,000
  • Being fully staffed vs insufficiently staffed – $550,000
  • Use of extended detection and response (XDR) technologies – 29-day reduction in response time

Cloud Security Alliance Releases Third Party Vendor Risk Management Guidance for Healthcare Organizations

Cyber actors are increasingly targeting business associates of HIPAA-covered entities as they provide an easy way to gain access to the networks of multiple healthcare organizations. To help healthcare delivery organizations (HDOs) deal with the threat, the Cloud Security Alliance (CSA) has published new guidance on third-party vendor risk management in healthcare. The guidance was drafted by the Health Information Management Working Group and includes examples and use cases and provides information on some of the risk management program tools that can be used by HDOs for risk management.

Third-party vendors provide invaluable services to HDOs, including services that cannot be effectively managed in-house; however, the use of vendors introduces cybersecurity, reputational, compliance, privacy, operational, strategic, and financial risks that need to be managed and mitigated. The guidance is intended to help HDOs identify, assess, and mitigate the risks associated with the use of third-party vendors to prevent and limit the severity of security incidents and data breaches.

Cyberattacks on vendors serving the healthcare industry have increased in recent years. Rather than attacking an HDO directly, a cyber actor can attack a vendor to gain access to sensitive data or to abuse the privileged access the vendor has to an HDO’s network. For example, a successful intrusion at a managed service provider allows a threat actor to gain access to the networks of all of the company’s clients by abusing the MSP’s privileged access to client systems. This is advantageous for a hacker as it means it is not necessary to hack into the networks of each MSP client individually.

When third-party vendors are used, the attack surface is increased significantly, and managing and reducing risk can be a challenge. While third-party vendors are used in all industry sectors, third-party vendor security risks are most prevalent in the healthcare sector. The CSA suggests that this is due to the lack of automation, extensive use of digital applications and medical devices, and the lack of fully deployed critical vendor management controls. Since healthcare organizations tend to use a large number of vendors, conducting comprehensive and accurate risk assessments for all vendors and implementing critical vendor management controls can be a very time-consuming and costly process.

“Healthcare Delivery Organizations entrust the protection of their sensitive data, reputation, finances, and more to third-party vendors. Given the importance of this critical, sensitive data, combined with regulatory and compliance requirements, it is crucial to identify, assess, and reduce third-party cyber risks,” said Dr. James Angle, the paper’s lead author and co-chair of the Health Information Management Working Group. “This paper offers a summary of third-party vendor risks in healthcare as well as suggested identification, detection, response, and mitigation strategies.”

If an HDO chooses to use a third-party vendor, it is essential that effective monitoring controls are implemented, but it is clear from the number of third-party or vendor-related data breaches that many healthcare organizations struggle to identify, protect, detect, respond to, and recover from these incidents, which suggests the current approaches for assessing and managing vendor risks are failing. These failures can have a major financial impact, not just in terms of the breach mitigation costs, but HDOs also face the risk of regulatory fines from the HHS’ Office for Civil Rights and state Attorneys General and there is also significant potential for long-lasting reputation damage.

The CSA makes several suggestions in the paper, including adopting the NIST Cybersecurity Framework for monitoring, measuring, and tracking third-party risk. The NIST Framework is mostly concerned with cybersecurity, but the same principles can also be applied to measuring other types of risk. The core functions of the framework are identify, protect, detect, respond, and recover. Using the framework, HDOs can identify risks, understand what data is provided to each vendor, prioritize vendors based on the level of risk, implement safeguards to protect critical services, ensure monitoring controls are in place to detect security incidents, and develop a plan for responding to and mitigating any security breach.

“The increased use of third-party vendors for applications and data processing services in healthcare is likely to continue, especially as HDOs find it necessary to focus limited resources on core organizational objectives and contract out support services, making an effective third-party risk management program essential,” said Michael Roza, a contributor to the paper.

HC3 Warns of Risk of Web Application Attacks on Healthcare Organizations

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued guidance to help healthcare organizations protect against web application attacks.

Web applications have grown in popularity in healthcare in recent years and are used for patient portals, electronic medical record systems, scheduling appointments, accessing test results, patient monitoring, online pharmacies, dental CAD systems, inventory management, and more. These applications are accessed through a standard web browser; however, in contrast to most websites, the user is required to authenticate to the application.

Web application attacks are conducted by financially motivated cybercriminals and state-sponsored Advanced Persistent Threat (APT) actors for a range of different nefarious activities. Attacks exploiting vulnerabilities in web applications have been increasing and web application attacks are now the number one healthcare attack vector, according to the 2022 Verizon Data Breach Investigations Report.

Web application attacks most commonly target internet-facing web servers and commonly leverage stolen credentials to gain access to the application or exploit vulnerabilities in the application or underlying architecture. Web application attacks include cross-site scripting (XSS), SQL injection (SQLi), path traversal, local file inclusion, cross-site request forgery (CSRF), and XML external entity (XXE). These attacks are conducted to gain access to sensitive data, to access applications and networks for espionage, or for extortion, such as ransomware attacks. The May 2021 ransomware attack on Scripps Health used a web application attack as the initial attack vector. The attack saw the EHR system and patient portal taken out of action for several weeks.

Distributed Denial of Service (DDoS) attacks on web applications may be conducted to deny access to the application. Comcast Business reports that in 2021, the healthcare sector was the industry most affected by DDoS attacks on web applications, with attacks increasing in response to the COVID-19 pandemic, vaccine availability, and school openings. DDoS attacks are commonly conducted as a smokescreen: while IT teams fight to resolve the DDoS attack, their attention is elsewhere and malware is deployed on the network. DDoS attacks are also conducted by hacktivists. A major DDoS attack was conducted on Boston Children’s Hospital in April 2014 over the course of a week by a hacker in response to a child custody issue. In that attack, individuals were prevented from accessing the appointment scheduling system, fundraising site, and patient portal.

Like all software-based solutions, web applications may contain vulnerabilities that could potentially be exploited remotely by threat actors to gain access to the applications themselves or the underlying infrastructure and databases. When developing web applications, it is important to follow web application security best practices and design the applications to continue to function as expected when they come under attack and to prevent access to assets by potentially malicious agents. Secure development practices can help to prevent vulnerabilities from being introduced, and security measures should be implemented throughout the software development lifecycle to ensure that design-level flaws and implementation-level vulnerabilities are addressed.

HC3 has suggested several mitigations to protect against web application attacks and limit the harm that can be caused. These include:

  • Automated vulnerability scanning and security testing
  • Web application firewalls for blocking malicious traffic
  • Secure development testing
  • CAPTCHA and login limits
  • Multifactor authentication
  • Logon monitoring
  • Screening for compromised credentials

Healthcare organizations should also refer to the Health Industry Cybersecurity Practices (HICP), established under the HHS 405(d) program, for mitigating vulnerabilities in web applications, and web application developers should refer to the OWASP Top 10, which is a standard awareness document detailing the most critical security risks to web applications.
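Three of the HC3 mitigations above (login limits, logon monitoring, and reviewing logins that may involve compromised credentials) can be implemented as one pass over a web application's login log. The following is an added example, not code from HC3 or HIPAA Journal; the log format, account names, and source addresses are constructed, and the thresholds are illustrative defaults.

```python
import re
from collections import defaultdict

# Constructed sample login log for a hypothetical patient-portal form (not from the page).
SAMPLE_LOG = """\
2022-07-20T10:00:01Z login user=jsmith src=203.0.113.5 result=FAIL
2022-07-20T10:00:03Z login user=jsmith src=203.0.113.5 result=FAIL
2022-07-20T10:00:05Z login user=jsmith src=203.0.113.5 result=FAIL
2022-07-20T10:00:07Z login user=jsmith src=203.0.113.5 result=FAIL
2022-07-20T10:00:11Z login user=jsmith src=203.0.113.5 result=SUCCESS
2022-07-20T10:01:00Z login user=mlee src=198.51.100.7 result=SUCCESS
2022-07-20T10:02:00Z login user=rkhan src=203.0.113.5 result=FAIL
2022-07-20T10:02:02Z login user=apatel src=203.0.113.5 result=FAIL
2022-07-20T10:02:04Z login user=bwong src=203.0.113.5 result=FAIL
"""

LINE_RE = re.compile(r"^\S+ login user=(\S+) src=(\S+) result=(FAIL|SUCCESS)$")

def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"user": m.group(1), "src": m.group(2), "ok": m.group(3) == "SUCCESS"})
    return events

def analyze_logins(events, max_failures=4, min_accounts=3, min_streak=2):
    """Return (lockouts, sprayers, suspicious) computed in one pass over the events:
    lockouts   - accounts whose consecutive-failure streak hit max_failures (login limit);
    sprayers   - source addresses that failed against >= min_accounts distinct accounts;
    suspicious - accounts where a success followed a failure streak of >= min_streak
                 (candidate compromised credential: review, force reset, require MFA)."""
    streak = defaultdict(int)          # consecutive failures per account
    users_by_src = defaultdict(set)    # distinct accounts each source has failed against
    lockouts, suspicious = set(), set()
    for e in events:
        if e["ok"]:
            if streak[e["user"]] >= min_streak:
                suspicious.add(e["user"])
            streak[e["user"]] = 0
        else:
            streak[e["user"]] += 1
            users_by_src[e["src"]].add(e["user"])
            if streak[e["user"]] >= max_failures:
                lockouts.add(e["user"])
    sprayers = {s for s, users in users_by_src.items() if len(users) >= min_accounts}
    return lockouts, sprayers, suspicious
```

On the sample log this flags jsmith for lockout, 203.0.113.5 as a source spraying several accounts, and jsmith's eventual success as a login to review.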

The post HC3 Warns of Risk of Web Application Attacks on Healthcare Organizations appeared first on HIPAA Journal.

Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers

The U.S. Department of Justice has announced that around $500,000 in Bitcoin has been seized from North Korean threat actors who were using Maui ransomware to attack healthcare organizations in the United States.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a security alert warning that North Korean hackers have been targeting the healthcare and public health sector in the United States using Maui ransomware since at least May 2021. The attacks have caused extensive disruption to IT systems and medical services and have put patient safety at risk.

The new ransomware variant was discovered during an investigation of a ransomware attack on a hospital in Kansas in May 2021. The attack was traced to a North Korean hacking group that is suspected of receiving backing from the state. The Kansas hospital had its servers encrypted, preventing access to essential IT systems for more than a week. The hospital paid a ransom of $100,000 for the keys to decrypt files and regain access to its servers and promptly notified the FBI about the attack and payment. The FBI was able to trace the payment, which was passed to money launderers in China, along with another payment of approximately $120,000 that was made by a healthcare provider in Colorado.

In May 2022, the FBI filed a seizure warrant in the District of Kansas to recover payments made in cryptocurrencies to the Maui ransomware gang, and ransom payments of approximately $500,000 were recovered from the seized cryptocurrency accounts. The funds have been forfeited by the ransomware gang and have been returned to healthcare providers in Kansas and Colorado.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco today at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”

Microsoft has also recently reported that a North Korean hacking group that operates under the name HolyGhost has been using ransomware in attacks on SMBs in the United States. It is not clear if the attacks are being conducted by a state-sponsored hacking group or if individuals associated with the Lazarus Group are moonlighting and conducting the attacks independently.

“Today’s success demonstrates the result of reporting to the FBI and our partners as early as possible when you are a victim of a cyberattack; this provides law enforcement with the ability to best assist the victim,” said FBI Cyber Division Assistant Director Bryan Vorndran. “We will continue to pursue these malicious cyber actors, such as these North Korean hackers, who threaten the American public regardless of where they may be and work to successfully retrieve ransom payments where possible.”

The post Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers appeared first on HIPAA Journal.

Study Confirms Security Awareness Training Significantly Reduces Susceptibility to Phishing Attacks

A recent Phishing by Industry Benchmarking Report has confirmed that providing security awareness training to the workforce significantly reduces susceptibility to phishing attacks. The benchmarking study was conducted by KnowBe4 to determine how effective security awareness training is at reducing susceptibility to phishing attacks. For the report, KnowBe4 analyzed data from more than 9.5 million users across 19 industry sectors, over 30,000 organizations, and 23.4 million simulated phishing emails. The study covered 22,558 small organizations with 1-249 employees, 5,876 mid-sized organizations with between 250 and 999 employees, and 1,709 large organizations with 1,000 or more employees.

According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of data breaches in 2021 involved a human element, confirming that people play a major role in security incidents and data breaches. Cybercriminals continue to target the human element as it provides an easy way of gaining access to business networks, and one of the main ways that employees are targeted is through phishing, which has continued to increase year over year.

Technology exists to block phishing attacks, and while products such as spam filters, antivirus software, and web filters are effective and will block a substantial number of threats, some threats will bypass those defenses and will reach employees. Many organizations fail to invest adequately in security awareness training and intervention, even though it is just as important as technology.

For the study, KnowBe4 established a baseline against which the effect of security awareness training could be measured, which the company calls the phish-prone percentage (PPP). The baseline PPP is the percentage of employees who clicked on simulated phishing emails prior to any security awareness training being provided. Training was then provided to employees and the PPP was recalculated after 90 days and after one year of continuous training.

Across all industry sectors and organization sizes, the average baseline PPP was 32.4%, which was one point higher than in 2021. The baseline in small healthcare and pharmaceutical organizations (32.5%) was second worst out of all industry sectors behind education (32.7%). The PPP was second worst in mid-sized organizations (36.6%) behind the hospitality sector (39.4%), and fourth worst in large organizations with a PPP of 45%.

When the phishing test was repeated 90 days after the provision of training, the PPP had dropped to 19.7% at small healthcare and pharmaceutical organizations, 19.1% at mid-sized organizations, and 17.2% at large organizations, drops of 12.8, 17.5, and 27.8 percentage points respectively. Across all industry sectors, the PPP fell from 32.4% to 17.6%. These figures clearly demonstrate the benefits of providing security awareness training to employees and that training provides a fast return on investment.

The third phase of the study involved a repeat of the phishing test after a year of ongoing training and saw the average PPP across all industry sectors and organization sizes drop from 32.4% to 5%. The healthcare and pharmaceutical sector saw the PPP drop to 4.1% in small organizations, 5.1% in mid-sized organizations, and 5.9% in large organizations. That equates to an 87% improvement in small healthcare and pharmaceutical organizations, an 86% improvement in mid-sized organizations, and an 87% improvement in large organizations.

“As with any significant change, it takes time to break old habits and create new ones,” explained KnowBe4 in the report. “Once these new habits are formed, however, they become the new normal, part of the organizational culture, and influence how others behave, especially new hires who look to others to see what is socially and culturally acceptable in the organization.”

KnowBe4 also pointed out that in order to favorably change overall security behaviors, security awareness training programs need to have a clearly defined and communicated mandate, a strong alignment with organizational security policies, an active connection to overall security culture, and full support of executives. “Without consistent and enthusiastic executive support, raising security awareness within an organization is certain to fail.”

The post Study Confirms Security Awareness Training Significantly Reduces Susceptibility to Phishing Attacks appeared first on HIPAA Journal.