A recent survey of healthcare providers by Software Advice provides insights into healthcare data breaches, their root causes, and the different security practices at small and large healthcare providers.

The survey was conducted on 130 small practices with 5 or fewer licensed providers and 129 large practices with six or more providers to understand the security issues they face and the measures each group has taken to protect against cyberattacks and data breaches. Across both groups of healthcare providers, more than half store more than 90% of patient data digitally, such as patient records, medical histories, and billing records. While digital records are more efficient, there is a risk that hackers will be able to gain access to patient information.

Hackers tend to target larger practices rather than small practices, based on the number of reported data breaches. 48% of large healthcare providers said they had experienced a data breach in the past, and 16% said they had suffered a breach in the past 12 months. One in four small practices had experienced a breach in the past (23%), with 5% experiencing a breach in the past year. By far the biggest cause of data breaches was human error. 46% of small practices and 51% of large practices said human error was the leading cause of data breaches.

23% of small healthcare practices said they had experienced a ransomware attack in the past, compared to 45% of large practices. 5% of the attacks on small healthcare providers and 12% of attacks on large healthcare providers occurred in the past 12 months. 76% of small practices and 74% of large practices said they were able to recover at least some of their data from backups without paying the ransom, which highlights the importance of having good backup policies. That is especially important as paying the ransom comes with no guarantee that files can be recovered. 23% of small practices paid the ransom to recover their data compared to 19% of large healthcare providers, but 14% of small healthcare providers said they did not recover their data after paying.

11% of large practices permanently lost their data due to the attack, 7% accepted data loss and 4% paid the ransom but were still unable to recover their data. Most of the healthcare providers did not state how much was paid as a ransom. Two small practices said they paid between $5,000 and $10,000 and two paid between $25,000 and $100,000.

To defend against attacks, healthcare organizations have implemented a range of technical safeguards, with the most common measures being firewalls, antivirus software, email security solutions, and data backup technology. Small practices were investing more money than larger organizations in antivirus technology, and while such solutions are important, it is also important to invest in email and networks security tools. Larger organizations with deeper pockets were more likely to invest in those tools and be better protected as a result. Software Advice suggests that smaller healthcare providers should consider reducing spending on antivirus software and improving email and network security, as that could help to prevent more data breaches.

It is important not to neglect the human element of cybersecurity, especially considering the large number of data breaches that were attributed to human error. Providing security awareness training to employees is a requirement of the HIPAA Security Rule, but it should not just be a checkbox option. Regular security awareness training to teach employees how to recognize and avoid threats can greatly reduce the risk of a successful cyberattack but 42% of small practices and 25% of large practices said they spent no more than 2 hours on privacy and security awareness training for employees in 2021.

2-factor authentication is an important security measure to implement to prevent stolen credentials from being used to access accounts. Microsoft has previously said that 2-factor authentication can block more than 99% of automated attacks on accounts. It is encouraging that 90% of large practices have implemented 2FA to some degree, but small practices are much less likely to use 2FA to protect their accounts. 22% of small practices said they have not implemented 2FA at all and 59% only use 2FA on some applications.

“Paying for every data protection tool available isn’t a wise option as it leaves you vulnerable to other avenues of attack or breach, such as incidental exposure or human error. Instead, remember that you must guard yourself on multiple fronts,” suggests Software Advice. That involves training employees, investing in the right security tools to protect data, and developing an action plan to help mitigate harm in the event of a breach or attack.

The post Differences Between Small and Large Healthcare Organizations on Security appeared first on HIPAA Journal.

Two remote code execution vulnerabilities have been identified in the Spring platform – a popular application framework that software developers use for rapidly building Java applications. Proof-of-concept exploits for both vulnerabilities are in the public domain and at least one of the vulnerabilities is being actively exploited.

The first vulnerability – CVE-2022-22963 – affects Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions and is remotely exploitable in the default configuration while running a Spring Boot application that depends on Spring Cloud Function, such as when depending on packages such as spring-cloud-function-web and spring-cloud-starter-function-web.

According to VMWare, which owns Spring, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression, which will allow remote code execution and access to local resources. The vulnerability was initially assigned a CVSS severity score of 5.4, but was later upgraded to critical. Proof-of-concept exploits for the vulnerability are in the public domain.

The vulnerability has been addressed by VNWare in Spring Cloud Function versions 3.1.7 and 3.2.3. Immediate upgrading to a secure version is recommended to prevent exploitation.

A proof of concept exploit has been publicly released for another zero-day vulnerability that affects the Spring Core Java framework. The vulnerability, dubbed Spring4Shell, allows unauthenticated individuals to remotely execute code on applications.

The vulnerability – tracked as CVE-2022-22965 – is due to unsafe deserialization of passed arguments and affects Spring MVC and Spring WebFlux applications on JDK 9 or higher. An exploit for the vulnerability is in the public domain, but will not work if an application is deployed as a Spring Boot executable jar, which is the default. The exploit will only work if the application is run on Tomcat as a WAR deployment with a spring-webmvc or “spring-webflux” dependency; however, there may be other ways to exploit the vulnerability.

The vulnerability is not as serious as the Log4J/Log4Shell vulnerability, but Spring is popular and widely used for building applications.

The vulnerability has been fixed in the following versions:

• Spring Framework 5.3.18 and Spring Framework 5.2.20
• Spring Boot 2.5.12
• Spring Boot 2.6.6

CISA Warns of Attacks on Uninterruptible Power Supply Devices

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) have issued a warning that cyber threat actors are exploiting vulnerabilities in Internet-connected uninterruptible power supply (UPS) devices to gain access to networks.

UPS devices are routinely attached to networks for power monitoring, maintenance, and convenience, and are used to provide clean and emergency power to IT equipment and applications. Many UPS vendors have added IoT capabilities to the devices to allow them to be accessed via the Internet.

CISA and the DoE are aware of threat actors using these devices to gain access to networks, most commonly by using unchanged default usernames and passwords to access the devices.

All users of these devices have been advised to immediately enumerate their UPSs and similar systems and ensure they are not accessible via the Internet, or if Internet access is required, to ensure the device or system is behind a virtual private network. Default credentials should be changed, long passwords or passphrases used to secure the devices, and multifactor authentication should be enforced

The post Warnings Issued About Vulnerabilities in the Spring Application Building Platform and UPS Devices appeared first on HIPAA Journal.

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) has released its 2021 Internet Crime Report, which reveals there were at least 649 ransomware attacks on critical infrastructure organizations from June 2021 to December 2021.

14 of the 16 critical infrastructure sectors reported at least one ransomware attack, although the healthcare and public health sector was the worst affected, accounting for 148 of those attacks, followed by financial services with 89 attacks, and the information technology sector with 74.

The Conti ransomware gang was the most active in 2021 with 87 reported attacks on critical infrastructure organizations, followed LockBit ransomware (58), and the now-disbanded REvil/Sodinokibi ransomware operation (51). The Conti gang favored targets in critical manufacturing, commercial facilities, and the food and agriculture sectors, LockBit most frequently attacked healthcare and public health, government facilities, and financial services, and REvil targeted healthcare and public health, financial services, and the information technology sectors.

Other prolific ransomware operations in 2021 include Ragnar Locker, which attacked 52 critical infrastructure organizations, and Cuba ransomware, which was used in attacks on 49 critical infrastructure organizations. Ransomware gangs use a variety of methods to gain access to victim networks; however, the most common attack vectors in 2021 were phishing emails, Remote Desktop Protocol (RDP) exploitation, and the exploitation of software vulnerabilities. While 2021 saw several major ransomware operations shut down, others have taken their place. IC3 anticipates 2022 will see an increase in ransomware attacks on critical infrastructure.

IC3 said there was an unprecedented increase in cyberattacks and malicious cyber activity in 2021 targeting a wide range of business sectors and individuals. A record number of complaints were submitted to IC3 by the American public in 2021, increasing by 7% from 2020 to 847,376 complaints. Across those complaints there were reported losses of more than $6.9 billion – a 64.29% increase from the $4.2 billion in losses reported in 2020.

Losses to Cybercrime over the Past 5 Years. Source IC3

Phishing – including vishing, smishing, and harming – was the most prevalent type of cybercrime in 2021, with 323,972 complaints about phishing incidents reported to IC3 in 2021, up 34% from 2020. Nonpayment/non-delivery crimes were the second most reported incidents, which claimed 82,478 victims.

19,954 complaints were received about business email compromise (BEC)/email account compromise (EAC) scams in 2021, which ranked top for victim losses with adjusted losses of almost $2.4 billion in 2021 – a 28% increase from 2020. IC3 said BEC attacks have become much more sophisticated. While they used to involve compromised email accounts that were used to request W2 forms or fraudulent wire transfers, scammers have exploited the increased reliance on telework and virtual communications platforms.

A compromised email account of an employer or financial director is often used to request employees participate in virtual meeting platforms. “In those meetings, the fraudster would insert a still picture of the CEO with no audio, or a “deep fake” audio through which fraudsters, acting as business executives, would then claim their audio/video was not working properly,” explained IC3.

More than $44 million was lost to phishing scams in 2021, and the 3,729 reported ransomware attacks involved losses of at least $49 million. Losses to ransomware are difficult to determine. The $49 million does not include associated costs such as remediation, only reported ransom payments, and ransom payments are not always reported to IC3.

IC3 reported on the successes of its Recovery Asset Team (RAT) in freezing funds for victims of cybercrime. “In 2021, the IC3’s RAT initiated the Financial Fraud Kill Chain on 1,726 BEC complaints involving domestic to domestic transactions with potential losses of $443,448,237. A monetary hold was placed on approximately $329 million, which represents a 74% success rate.”

The post FBI: At Least 148 Healthcare Organizations Suffered Ransomware Attacks in 2021 appeared first on HIPAA Journal.

2021 was another record-breaking year for healthcare industry data breaches with over 50 million records breached and over 900 data breaches were recorded by databreaches.net. Given the extent to which the healthcare industry is targeted by cyber actors, the risk of a data breach occurring is high. A SecureLink/Ponemon Institute study in 2021 found 44% of healthcare and pharmaceutical companies experienced a data breach in the past 12 months.

While steps can be taken to improve defenses to prevent cyberattacks from succeeding, healthcare organizations need to be prepared for the worse and should have an incident response plan in place that can be immediately initiated in the event of a cyberattack. With proper planning, when a cyberattack occurs, healthcare organizations will be well prepared and will be able to recover in the shortest possible time frame.

Regular exercises should be conducted to ensure everyone is aware of their responsibilities and that the plan works. All too often, victims of cyberattacks discover their incident response plan is inefficient or ineffective due to a lack of testing, which can result in a slow and costly response to a cyberattack.

This month, Immersive Labs released its 2022 cyber workforce benchmark report, which included data from more than 2,100 organizations from a range of industry sectors that use the Immersive Labs platform for conducting cyber crisis simulations. Highly prized, high profiles targets such as technology and financial services performed the most cyber crisis exercises, running an average of 9 and 7 exercises per year respectively, but healthcare organizations were near the bottom of the list, performing an average of 2 exercises per year.

In the event of a cyberattack, many different people will be involved in the response. It is therefore important for those people to participate in exercises. It is unsurprising that the more people who are involved in incident response exercises the better prepared an organization will be to respond to a cyberattack. Immersive Labs scored the effectiveness of the exercises and found that every exercise that scored more than 90% for effectiveness had an average of 11 people participating. All but one of the crisis scenarios that scored less than 50% for effectiveness had just one person participating. In healthcare, an average of 4 individuals participated in the exercises, compared to 7 in technology and 21 in education.

Immersive Labs analyzed performance for the crisis response exercises and calculated a score based on the quality of decisions throughout the entire simulation. The average performance score across all exercises was 68%, which shows there is significant room for improvement. The leading industry sector was manufacturing, with a performance score of 85%. Worryingly, healthcare performed the worst out of all industry sectors for cyber crisis response by some distance, achieving a performance score of just 18% – considerably lower than the next worst-performing sector – financial services – which scored 45%.

Immersive Labs also analyzed the speed at which 35,000 members of cybersecurity teams at 400 large organizations took to develop the knowledge, skills, and judgment to address 185 breaking threats. On average, it took 96 days for teams to develop the skills to defend against breaking threats.  They found that mitigating against one vulnerability in the Exim mail transfer agent – which affected more than 4.1 million systems and was being actively exploited – took security teams over 6 months on average to master. CISA says vulnerabilities should be patched within 15 days from initial detection.

Developing the human capabilities to defeat attackers is a slow process, especially in healthcare. The best performing sector was leisure/entertainment, which took an average of 65 days for security teams to develop the necessary skills. In healthcare, it took an average of 116 days. Only consulting, infrastructure, and transport performed worse.  Across all industry sectors, the average time to develop the skills to respond to threats was 96 days.

“The modern cyber crisis is an all-encompassing organizational trauma. Stopping incidents bringing operations to a halt and destroying reputation, corporate value and stakeholder relationships requires a holistic response from the entire workforce,” explained Immersive Labs in the report. “Achieving this kind of resilience requires a continually maturing responsive capability for technical and non-technical teams, developed by exercising with a cadence that traditional tabletop exercises struggle to achieve… exercising to gather evidence, and then using these insights to equip teams with relevant skills, is critical to ongoing resilience.”

The post Healthcare Scores Poorly for Practicing the Cyber Incident Response appeared first on HIPAA Journal.