Healthcare Cybersecurity

NIST Requests Comments on How to Improve its Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is seeking feedback on the usefulness of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and suggestions on any improvements that can be made.

The NIST Cybersecurity Framework was released in 2014 to help public and private sector organizations implement cybersecurity standards and best practices to improve their cybersecurity posture, better defend against cyber threats, and quickly identify and respond to cyberattacks in progress to limit the harm that can be caused. The NIST Cybersecurity Framework is considered the gold standard for cyber threat management; however, that does not mean improvements could not be made.

The last update to the Cybersecurity Framework occurred in April 2018 and the past four years have seen considerable changes to the cybersecurity threat landscape. New threats have emerged, the tactics, techniques, and procedures used by cyber threat actors have changed, there are new technologies and security capabilities, and more resources are available to help with the management of cybersecurity risk. NIST is now considering updating its Framework again to take these factors into account.

The NIST Cybersecurity Framework has been adopted by many healthcare organizations to improve cybersecurity, but some healthcare organizations have faced challenges implementing the Framework and currently fewer than half of healthcare organizations are adhering to NIST standards. NIST wants to learn about the challenges organizations have faced implementing the Framework and the commonalities and conflicts with other non-NIST frameworks and approaches that are used in conjunction with the NIST Cybersecurity Framework. There may be ways of improving alignment or integration of those approaches with the NIST Cybersecurity Framework. NIST wants suggestions on changes that could be made to the features of the Framework, features that should be added or removed, and any other ways that NIST could improve the Framework to make it more useful.

In addition to feedback on the Cybersecurity Framework, NIST has requested comments on possible improvements to other NIST guidance and standards, including its guidance on improving supply chain cybersecurity. NIST recently announced that it would launch the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to address cybersecurity risks in supply chains. NIST has requested comments on challenges related to the cybersecurity aspects of supply chain risk management that could be addressed by the NIICS, and whether there are currently gaps in existing cybersecurity supply chain risk management guidance and resources, including the application of those resources to information and communications technology, operational technology, IoT, and industrial IoT.

NIST has requested all comments be submitted by April 25, 2022.

The post NIST Requests Comments on How to Improve its Cybersecurity Framework appeared first on HIPAA Journal.

Hospitals and Health Systems Warned of Elevated Risk of Destructive Cyberattacks

Now that the build-up of Russian troops on the border of Ukraine has progressed into a full invasion, warnings have been issued about the elevated threat of cyberattacks on organizations in the United States and other countries that have imposed economic and military sanctions on Russia.

Russia has a history of using destructive cyberattacks on its adversaries. In 2015 and 2016, the Russian General Staff Main Intelligence Directorate (GRU) conducted cyberattacks on the Ukrainian electricity grid; in 2017 the Ukrainian financial, energy, and government sectors were targeted in a series of cyberattacks, including the use of the NotPetya wiper against Ukrainian businesses. In January this year, a wiper malware dubbed WhisperGate was used in attacks on the country, Distributed Denial-of-Service (DDoS) attacks have recently been reported, and a new wiper malware has been used in the past few days. Russia was also behind a series of disruptive attacks on Georgia in 2019.

This week, FBI Cyber Section chief David Ring reportedly briefed private executives and state/local officials about the increased threat of ransomware attacks from hacking groups backed by Russia and urged them to consider how critical services could continue to be provided in the event of an attack. There is also concern that recent DDoS attacks in Ukraine could be extended to NATO members and other foreign targets, and that pro-Russia hacking groups will increase their attacks on organizations in countries that are showing support for Ukraine.

CISA recently issued a “Shields Up” warning to critical infrastructure entities in the United States due to the elevated risk of destructive cyberattacks. CISA urged all organizations to take a proactive approach to defending their digital environments, and the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning about the use of misinformation, disinformation, and malinformation (MDM) tactics to shape public opinion, undermine trust, amplify division, and sow discord, which could undermine security in the United States.

On February 23, 2022, the American Hospital Association (AHA) issued a warning to hospitals and health systems that they may be directly targeted by Russian-sponsored cyber actors, become incidental victims of Russian-deployed malware and destructive cyberattacks, and that those attacks have the potential to disrupt the mission-critical service providers of hospitals. While hospitals and health systems may not be the primary targets of cyberattacks, there is still potential for collateral damage, as was the case with the spillover of the NotPetya wiper malware attacks in Ukraine in 2017, which spread globally and disrupted operations at a large U.S. pharmaceutical company, a major U.S. health care communications company, and several U.S. hospitals.

Hospitals and health systems have been advised to review the security alerts published by CISA, the FBI, and the NSA to better understand the threats they face and implement the recommended mitigations to prepare for possible attacks, enhance their cyber posture, and increase organizational vigilance. The Health Information Sharing and Analysis Center (Health-ISAC) has said it will be increasing its reports and intelligence for its members and will provide strategic analysis and information about the implications of the Russia-Ukraine conflict for the healthcare industry and pharmaceutical firms.


CISA Publishes List of Free Cybersecurity Tools to Advance Security Capabilities

Expanding security capabilities is possible with a tight budget by using free cybersecurity tools and services. Many tools and services have been developed by government agencies, the cybersecurity community, and the public and private sector that can be used to improve defenses against damaging cyberattacks, detect potential intrusions rapidly, and help organizations respond to and remediate security breaches.

Finding appropriate free cybersecurity tools and services can be a time-consuming process. To help critical infrastructure organizations reduce cybersecurity risk, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has compiled a list of services provided by CISA and other government agencies, open source tools, and tools and services developed and maintained by the cybersecurity community that can be adopted to improve protection, detection, response and the remediation of cyber threats.

The list of free cybersecurity tools and services is divided into four categories, based on the four goals detailed in previously published guidance: CISA Insights: Implement Cybersecurity Measures Now to Protect Against Critical Threats.

  1. Reducing the likelihood of a damaging cyber incident;
  2. Detecting malicious activity quickly;
  3. Responding effectively to confirmed incidents; and
  4. Maximizing resilience.

All of the tools and services added to the list were assessed by CISA using neutral principles and criteria; however, CISA does not attest to the suitability of any product or service, nor the effectiveness of any solution for any particular use case. While some commercial products and services have been included in the list, CISA does not endorse or provide any recommendations for using those products and services. The list will be periodically updated by CISA to include new products and services and CISA welcomes any suggestions of additional products and services for future inclusion in the list.

While all included tools and services could be of benefit for improving or adding new security capabilities, they are no substitute for developing and implementing a strong cybersecurity program. It is vital to develop such a program and ensure certain foundational cybersecurity measures are implemented, including addressing known flaws in software and operating systems, setting strong passwords, implementing multi-factor authentication, and putting an end to bad cybersecurity practices such as the continued use of legacy solutions that have reached end-of-life and are no longer supported. CISA recommends signing up for its Cyber Hygiene Vulnerability Scanning service and taking steps to get your “Stuff Off Search” (S.O.S.), that is, reducing the Internet-facing attack surface that is visible to anyone using a web-based search platform.


NCCoE Releases Final Version of NIST Securing Telehealth Remote Patient Monitoring Ecosystem Guidance

The National Cybersecurity Center of Excellence (NCCoE) has published the final version of NIST guidance on Securing Telehealth Remote Patient Monitoring Ecosystem (SP 1800-30).

Healthcare delivery organizations have been increasingly adopting telehealth and remote patient monitoring (RPM) systems to improve the care they provide to patients while reducing costs. Patient monitoring systems have traditionally only been used in healthcare facilities but there are advantages to using these solutions in patients’ homes. Many patients prefer to receive care at home, the cost of receiving that care is reduced, and healthcare delivery organizations benefit from freeing up bed space and being able to treat more patients.

While there are advantages to be gained from the provision of virtual care and the remote monitoring of patients in their homes, telehealth and RPM systems can introduce vulnerabilities that could put sensitive patient data at risk and if RPM systems are not adequately protected, they could be vulnerable to cyberattacks that could disrupt patient monitoring services.

Special Publication 1800-30 was developed by NCCoE in collaboration with healthcare, technology, and telehealth partners to form a reference architecture that demonstrates how a standards-based approach can be adopted along with commercially available cybersecurity tools to improve privacy and security for the telehealth and RPM ecosystem.

The project team at NCCoE performed a risk assessment based on the NIST Risk Management Framework on a representative RPM ecosystem in a laboratory environment. The NIST Cybersecurity Framework was applied along with guidance based on medical device standards, and the team demonstrated how healthcare delivery organizations can implement a solution to enhance privacy and better secure their telehealth RPM ecosystem.

SP 1800-30 explains how healthcare delivery organizations can identify cybersecurity risks associated with telehealth and RPM solutions, use the NIST Privacy Framework to broaden their understanding of privacy risks, and apply cybersecurity and privacy controls. How-To guides are provided that include detailed instructions for installing and configuring the products used to build NCCoE’s example solution. NCCoE used solutions from AccuHealth and Vivify, but the principles can be applied to other solutions.

The final guidance and How-To guides can be downloaded from NCCoE here.



HHS Raises Awareness of Threats to Electronic Health Record Systems

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center has issued a threat brief warning about the risks associated with electronic health record systems, which are often targeted by cyber threat actors.

Cyberattacks on EHRs can be extremely profitable for cyber threat actors. EHRs usually contain all the information required for multiple types of fraud, including names, addresses, dates of birth, Social Security numbers, other government and state ID numbers, health data, and health insurance information. No other records provide such a wide range of information. The information contained in these systems has a high value on the black market and can be easily sold to cybercriminals who specialize in identity theft, tax fraud, and insurance fraud. Malware, and especially ransomware, poses a significant threat to EHRs. Ransomware can be used to encrypt EHR data to prevent access, which causes disruption to medical services and creates patient safety issues, which in turn increases the likelihood of the ransom being paid. Phishing attacks to obtain the credentials required to access EHRs are also common.

A cybersecurity strategy should be developed to protect against malware and ransomware attacks. Malware and ransomware infections often start with phishing emails, so email security solutions should be implemented, and end users should receive training to help them identify phishing emails and other email threats. Regular security awareness training for the workforce can improve resistance to cyberattacks that target employees, who are one of the weak links in the security chain. Attacks on Remote Desktop Protocol (RDP) are also common. Consider using a VPN solution to prevent exposing RDP. Threat actors often exploit unpatched vulnerabilities, so it is vital to patch promptly and to prioritize patching to address critical vulnerabilities first, especially vulnerabilities that are known to have been exploited in cyberattacks. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities Catalog that can guide IT security teams on prioritizing patching efforts.
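The paragraph above says to patch promptly and to prioritize vulnerabilities that are known to have been exploited, using CISA's Known Exploited Vulnerabilities (KEV) catalog. The following is an added example, not code from the HHS brief or from HIPAA Journal, showing how a security team can rank scanner findings against the KEV feed. The real feed is the public JSON file CISA publishes for the catalog; the catalog excerpt and the scanner findings below are constructed inline so the script runs offline (only the top-level field names mirror the real feed, and the due date shown is an assumption for illustration). The CVE identifiers are the SAP ICMAD ones mentioned later on this page.

```python
"""Rank vulnerability findings using CISA's KEV catalog (added example)."""
import json
from datetime import date

# CONSTRUCTED excerpt in the shape of the KEV JSON feed. Only one of the
# three CVEs reported by the scanner below is listed here, on purpose.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "count": 1,
  "vulnerabilities": [
    {
      "cveID": "CVE-2022-22536",
      "vendorProject": "SAP",
      "product": "Multiple Products",
      "vulnerabilityName": "SAP Internet Communication Manager (ICM) request smuggling",
      "dateAdded": "2022-02-15",
      "shortDescription": "Unauthenticated request smuggling in SAP ICM.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-03-01"
    }
  ]
}
"""

# CONSTRUCTED scanner output: CVE, CVSS base score (None = not yet scored), host.
FINDINGS = [
    {"cve": "CVE-2022-22532", "cvss": 8.1,  "host": "sap-web-dispatcher-01"},
    {"cve": "CVE-2022-22533", "cvss": None, "host": "sap-netweaver-java-02"},
    {"cve": "CVE-2022-22536", "cvss": 10.0, "host": "sap-netweaver-abap-01"},
]


def load_kev(raw_json):
    """Return {cveID: entry} for every vulnerability in a KEV feed document."""
    doc = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def prioritise(findings, kev, today):
    """Order findings for patching.

    Tier 0: CVEs in KEV (known exploited), earliest CISA due date first.
    Tier 1: everything else, highest CVSS first; unscored CVEs last.
    Each result also says whether the KEV due date has already passed.
    """
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        cvss = f["cvss"] if f["cvss"] is not None else 0.0   # unscored sorts last
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            key = (0, due.toordinal(), -cvss)
        else:
            due = None
            key = (1, 0, -cvss)
        ranked.append((key, {
            "cve": f["cve"],
            "host": f["host"],
            "cvss": f["cvss"],
            "in_kev": entry is not None,
            "due": due.isoformat() if due else None,
            "overdue": bool(due and due < today),
        }))
    ranked.sort(key=lambda pair: pair[0])
    return [item for _, item in ranked]


if __name__ == "__main__":
    for item in prioritise(FINDINGS, load_kev(KEV_JSON), date(2022, 3, 2)):
        print(item)
```

In practice the catalog is fetched on a schedule and joined against the full scanner export; the point of the two-tier sort is that a CVSS 8.1 flaw with no evidence of exploitation ranks below anything CISA has seen exploited, and an unscored CVE is not silently dropped to the bottom of the whole list.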

Many healthcare organizations encrypt EHR data. Encryption protects data while it is transferred between on-site users and external cloud applications, but there could be blind spots in encryption that could be leveraged by threat actors to avoid being detected while they execute their attack. Cloud services are now commonly used by healthcare organizations, including cloud-hosted EHRs. All data sent to cloud services must be properly protected to comply with HIPAA. Cloud access security broker technology can help in this regard.

Steps need to be taken to prevent attacks by external cyber threat actors, but there are also internal threats to EHR data. Healthcare employees are provided with access to EHRs and can easily abuse that access to view or steal patient data. Employees should receive training on internal policies concerning EHR use and data access and how HIPAA prohibits the unauthorized accessing of records. The sanctions policy should be explained as well as the potential for criminal charges for unauthorized medical record access. Administrative policies should be implemented to make it difficult for employees to access records without authorization and policies for EHR need to be enforced.

There should be monitoring of physical and system access, audits should be regularly conducted to identify unauthorized access, and device and media controls should be implemented to prevent the unauthorized copying of EHR data. An endpoint hardening strategy should also be developed that includes multiple layers of defense on all endpoints. The strategy will also ensure that any intrusion is detected and contained before attackers can gain access to EHRs and patient data.
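The two paragraphs above call for audits of EHR access to catch insiders who view records without authorization. The following is an added example, not from the HHS brief or from HIPAA Journal, of the kind of audit logic that turns an EHR access log into findings. It assumes the EHR can export an audit trail with a timestamp, user, patient identifier and action, and that a care-team assignment table exists; the CSV export, the care-team mapping, the working-hours window and the bulk-access threshold are all constructed for illustration.

```python
"""Flag suspicious EHR record access from an audit-trail export (added example)."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# CONSTRUCTED care-team table: users with an active treatment relationship
# to each patient (a real system derives this from admissions/scheduling).
CARE_TEAM = {
    "nurse.alice": {"P1001", "P1002"},
    "dr.bob": {"P1001", "P1003"},
    "clerk.carol": set(),          # billing clerk, no clinical relationship
}

# CONSTRUCTED EHR audit-trail export. Every access is logged, not only failures.
AUDIT_CSV = """timestamp,user,patient_id,action
2022-02-14T09:05:00,nurse.alice,P1001,VIEW_CHART
2022-02-14T09:07:00,nurse.alice,P1002,VIEW_CHART
2022-02-14T22:40:00,nurse.alice,P1003,VIEW_CHART
2022-02-14T10:15:00,dr.bob,P1001,UPDATE_NOTE
2022-02-14T11:02:00,clerk.carol,P1001,VIEW_CHART
2022-02-14T11:03:00,clerk.carol,P1002,VIEW_CHART
2022-02-14T11:04:00,clerk.carol,P1003,VIEW_CHART
2022-02-14T11:05:00,clerk.carol,P1004,VIEW_CHART
2022-02-14T11:06:00,clerk.carol,P1005,VIEW_CHART
2022-02-14T11:07:00,clerk.carol,P1006,VIEW_CHART
"""

WORK_HOURS = (7, 20)      # accesses before 07:00 or from 20:00 are flagged (assumed policy)
BULK_THRESHOLD = 5        # distinct patients per user per day before flagging (assumed)


def audit_access(csv_text, care_team, work_hours=WORK_HOURS, bulk_threshold=BULK_THRESHOLD):
    """Return a list of (rule, user, detail) findings from the audit export.

    Rules:
      NO_TREATMENT_RELATIONSHIP - user touched a patient not on their care team
      OUTSIDE_WORKING_HOURS     - access outside the configured window
      BULK_ACCESS               - many distinct patients by one user in one day
    """
    findings = []
    patients_per_user_day = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, patient = row["user"], row["patient_id"]
        detail = f"{patient} {row['action']} at {row['timestamp']}"
        patients_per_user_day[(user, ts.date())].add(patient)
        if patient not in care_team.get(user, set()):
            findings.append(("NO_TREATMENT_RELATIONSHIP", user, detail))
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            findings.append(("OUTSIDE_WORKING_HOURS", user, detail))
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) >= bulk_threshold:
            findings.append(("BULK_ACCESS", user, f"{len(patients)} distinct patients on {day}"))
    return findings


def summarise(findings):
    """Count findings per (rule, user) so reviewers see patterns, not just rows."""
    return Counter((rule, user) for rule, user, _ in findings)


if __name__ == "__main__":
    for key, n in sorted(summarise(audit_access(AUDIT_CSV, CARE_TEAM)).items()):
        print(key, n)
```

A production version needs a break-glass exception (emergency access that is permitted but must be reviewed afterwards) and should run against the full export on a schedule rather than ad hoc, so that the sanctions policy described above is applied on evidence rather than on complaints.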

Healthcare organizations should engage in threat hunting to identify threat actors who have bypassed the security perimeter and infiltrated endpoints. Penetration testers should be used for ‘Red Team’ activities involving the tradecraft of hackers to identify and exploit vulnerabilities. Cybersecurity professionals should also be engaged for the Blue Team, which is concerned with guiding the IT security team on improvements to prevent sophisticated cyberattacks. “These exercises are imperative to understanding issues with an organization’s network, vulnerabilities, and other possible security gaps,” says the HHS.

There are considerable benefits that come from EHRs, but risks to data must be properly managed. The HHS suggests healthcare leaders change their focus from prevention to the creation of a proactive preparedness plan to understand vulnerabilities in their EHRs and then implement a framework that will be effective at identifying and preventing attacks.


2021 Saw Sharp Increase in Ransomware Data Leaks and Ransom Demands

CrowdStrike has released its annual threat report, which shows there was a major increase in data leaks following ransomware attacks in 2021, rising 82% from 2020. CrowdStrike observed 2,686 ransomware-related data leaks in 2021 compared to 1,474 in 2020, an average of more than 50 a week.

Ransomware gangs also increased their ransom demands in 2021, which were 36% higher than in 2020. In 2021, the average ransom demand was $6.1 million. The healthcare industry was extensively targeted by ransomware gangs in 2021, even though several threat actors claimed they would not conduct attacks on healthcare organizations. CrowdStrike tracked 154 ransomware attacks on healthcare organizations in 2021, up from 94 in 2020, with healthcare ranking 6th out of all industry sectors for data leaks, down from 4th position in 2020.

CrowdStrike said the threat landscape became much more crowded in 2021, with several new adversaries emerging, including threat actors operating from countries that have previously not been extensively involved in cyberattacks, such as Turkey and Colombia. CrowdStrike identified 21 new adversaries in 2021, with significant increases in Iran-nexus and China-nexus threat actors.

A threat group tracked as Wizard Spider was one of the most prolific ransomware actors in 2021, Carbon Spider specialized in big game hunting, Cozy Bear specialized in targeting cloud environments, Prophet Spider used the Log4j exploit for harvesting credentials from cloud workspace services, and Aquatic Panda targeted the Log4j vulnerability and used the Log4Shell exploit to achieve remote code execution on victims’ systems.

Iran-nexus actors extensively adopted lock-and-leak tactics, Russian threat actors increasingly targeted cloud environments, and China-nexus threat actors specialized in deploying exploits for new vulnerabilities. CrowdStrike said there was a sixfold increase in vulnerability exploitation in 2021, with 10 named adversaries or activity clusters involved in those attacks. Only 2 vulnerabilities were exploited by Chinese threat actors in 2020, compared to 12 in 2021.

Since 2020, ransomware gangs have been exfiltrating sensitive data prior to encrypting files and have been using double extortion tactics on their victims, where payment is required for the keys to decrypt data and also to prevent the leaking of the stolen data on data leaks sites. While ransomware attacks were commonplace, there was also an increase in data theft and extortion without the use of ransomware and there was an active market for the sale and purchase of stolen information on hacking forums and darknet sites.

Malware is commonly used in cyberattacks but attackers are increasingly avoiding the use of malware and are using legitimate credentials to access networks and then living-off-the-land techniques, where existing system tools are used rather than malware to evade security solutions. In 2021, only 38% of cyberattacks involved malware, with 62% of attacks malware free.

CrowdStrike expects cloud-related threats to become more prevalent and to evolve in 2022 as threat actors prioritize targets that provide direct access to large consolidated stores of high-value data. Threat actors are also likely to diversify their tool arsenal to include mobile malware in 2022, and it is highly probable adversaries will continue to seek weaknesses in platforms used by their targets in 2022. “Through the coming year, adversaries are expected to continue to react to vulnerability identification and seek to gain access to their targets through exploitive means as quickly as possible,” said CrowdStrike.

To counter these threats, CrowdStrike recommends learning about the adversaries that are known to target your industry, as this will allow you to better prepare for attacks. It is vital to protect all workloads and have a tested response plan to allow immediate action to be taken in the event of an attack. The speed of the response often dictates whether mitigations succeed or fail.

Cloud misconfigurations are often exploited to gain access to large data stores. One way to reduce the risk of human error is to set up new accounts and infrastructure using default patterns. While it is important to implement technical measures to detect and stop intrusions, it is also important to invest in user awareness programs, as end users can play a key role in preventing data breaches, especially detecting and avoiding phishing attacks and social engineering techniques.


HIMSS Cybersecurity Survey Suggests the Human Factor is the Largest Vulnerability in Healthcare

HIMSS has published the findings of its 2021 Healthcare Cybersecurity Survey which revealed 67% of respondents have experienced at least one significant security incident in the past 12 months, with the most significant security breaches the result of phishing attacks.

The 2021 HIMSS Healthcare Cybersecurity Survey was conducted among 167 healthcare cybersecurity professionals who had at least some responsibility for day-to-day cybersecurity operations or oversight.

The surveyed IT professionals were asked about the most significant security breaches they had experienced in the previous 12 months, and in 45% of cases it was a phishing attack, and 57% of respondents said the most significant breach involved phishing. Phishing attacks are most commonly conducted via email, with email-based phishing attacks accounting for 71% of the most significant security incidents; however, 27% said there was a significant voice phishing incident (vishing), 21% said they had a significant SMS phishing incident (smishing), and 16% said there had been a significant social media phishing incident.

Phishing was the most common initial point of compromise, accounting for 71% of the most significant security breaches, with social engineering attacks accounting for 15%. Human error is frequently the cause of serious data breaches, accounting for 19% of the most significant security breaches, with 15% caused by the continued use of legacy software for which support is no longer provided. The survey also revealed basic security controls have not been fully implemented at many organizations.

Ransomware attacks continue to plague the healthcare industry, and the attacks often cause major disruption and have high mitigation costs. 17% of respondents said the most significant security incident they suffered was a ransomware attack. 7% of respondents said negligent insider activity caused the biggest security incident, although HIMSS notes that healthcare organizations often do not have robust defenses against insider breaches, so it is possible that these types of breaches have been underreported.

Given the extent to which phishing leads to account compromises or more extensive cyberattacks, it is important for healthcare organizations to implement robust email security measures to block phishing emails and to also invest in security awareness training for the workforce. No single security solution will block all phishing attacks, so it is vital for the workforce to receive training on how to identify phishing and social engineering attacks. Teaching employees security best practices can help to reduce human error which frequently leads to data breaches.

The continued use of legacy systems once end-of-life has been reached can be a challenge in healthcare, but plans should be made to upgrade outdated systems, and if that is not feasible, mitigations should be put in place to make exploitation of vulnerabilities more difficult, such as isolating legacy systems and not exposing them to the Internet.

44% of respondents said their most significant breach had no or only a negligible impact; however, 32% said security breaches caused disruption to systems that impacted business operations, 26% said security breaches disrupted IT systems, and 22% said security breaches resulted in data breaches or data leakage. 21% said the security breaches had an impact on clinical care, and 17% said the most significant security incident resulted in financial loss.

Despite the risk of cyberattacks, cybersecurity budgets remain slim. 40% of surveyed IT professionals said 6% or less of their IT budget was devoted to cybersecurity, the same percentage as in each of the past four years even though the risk of attacks has increased. 40% of respondents said their budget had either not changed since last year or had decreased, and 35% said their cybersecurity budget is not anticipated to change.

The HIMSS survey probed respondents to find out about the most significant security challenges, which for 47% of respondents was insufficient budget. Staff compliance with policies and procedures was a major challenge for 43% of respondents, the continued use of legacy software was an issue for 39% of respondents, and 34% said they struggled with patch and vulnerability management.

Employees making errors, device management, identity and access management, establishing a cybersecurity culture, data leaks, and shadow IT were also rated as major security challenges.

“The findings of the 2021 HIMSS Healthcare Cybersecurity Survey suggest that healthcare organizations still have significant challenges to overcome. These barriers to progress include tight security budgets, growing legacy footprints and the growing volume of cyber-attacks and compromises. Additionally, basic security controls have not been fully implemented at many organizations,” concluded HIMSS. “Perhaps the largest vulnerability is the human factor. Healthcare organizations should do more to support healthcare cybersecurity professionals and their cybersecurity programs.”


CISA, FBI, NSA Warn of Increased Threat of Ransomware Attacks on Critical Infrastructure

A joint security advisory has been issued by cybersecurity agencies in the United States, United Kingdom, and Australia, warning about the increased globalized threat of ransomware attacks and the elevated risk of targeted attacks on critical infrastructure entities.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed high-impact ransomware attacks against 14 of the 16 critical infrastructure sectors in 2021, including government facilities, financial services, transportation systems, water and wastewater systems, energy, and healthcare and public health.

The UK’s National Cyber Security Centre (NCSC-UK) says ransomware is now the biggest cyber threat faced by the country, with education the most targeted sector. There has also been an increase in attacks on businesses, charities, law firms, local government public services, and the healthcare sector. The Australian Cyber Security Centre (ACSC) says ransomware gangs are targeting critical infrastructure sectors including healthcare and medical, financial services and markets, higher education and research, and energy.

In the cybersecurity advisory, CISA, the FBI, and the NSA share information about trends observed in 2021 ransomware attacks and the tactics, techniques, and procedures known to be used by ransomware gangs to gain access to networks, move laterally, and increase the impact of their attacks, and suggest mitigations that can reduce both the likelihood of a ransomware attack succeeding and the impact of a successful attack.

2021 Ransomware Attack Trends

In the United States, the first half of 2021 saw ransomware gangs go after ‘big game’ targets such as Colonial Pipeline, Kaseya, and JBS Foods. The increased scrutiny on ransomware gangs following these attacks saw them shift their focus to mid-sized targets, although big game targeting continued throughout 2021 in the United States and Australia.

In Europe, ransomware gangs have been sharing victim information with other ransomware operations and cybercriminal groups. The BlackMatter ransomware operation shutdown and transferred existing victims to the LockBit 2.0 infrastructure and the Conti ransomware gang is known to have sold access to victims’ networks to other cybercriminal groups.

While double extortion tactics have become the norm, 2021 saw an increase in triple extortion attacks where, in addition to encryption, files are exfiltrated and a demand is issued for payment to prevent the publication of the stolen data, Internet access is disrupted, and threats are issued to inform partners, shareholders, and suppliers about the attack.

Methods Used to Gain Access to Victims’ Networks

CISA, the FBI, and the NSA say ransomware gangs have increasingly sophisticated technological infrastructure and the ransomware threat is increasing globally. Ransomware gangs are using many methods to gain access to networks, which makes implementing defensive measures to block the attacks a major challenge.

Initial access to networks is gained through phishing attacks to obtain credentials, using stolen Remote Desktop Protocol (RDP) credentials, brute force tactics to guess weak credentials, and the exploitation of known vulnerabilities that have yet to be patched. CISA has identified several new vulnerabilities that are being actively targeted by ransomware gangs, which have been added to its Known Exploited Vulnerabilities Catalog, which now includes 368 vulnerabilities. These attack vectors have proven successful because of the increased attack surface created by remote working and schooling during the pandemic, which has made it difficult for IT security teams to patch vulnerabilities and address security weaknesses while supporting their remote workers and learners.
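The paragraph above lists stolen RDP credentials and brute-force guessing among the most common initial access methods, and the EHR threat brief earlier on this page makes the same point about RDP. The following is an added example, not from the joint advisory or from HIPAA Journal, of detection logic a blue team can run over Windows logon events to spot an RDP password-guessing run and, more importantly, the moment it succeeds. It assumes the Security log has been exported as one JSON object per line with the fields shown (event 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP), that events arrive in time order, and that the threshold and window are tuned for the environment; the events below are constructed and use documentation IP ranges.

```python
"""Detect RDP brute force and brute-force success from logon events (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CONSTRUCTED export of Windows Security events (JSON lines, time-ordered).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
EVENTS_JSONL = """\
{"EventID": 4625, "TimeCreated": "2022-02-20T02:00:01", "TargetUserName": "administrator", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2022-02-20T02:00:04", "TargetUserName": "admin", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2022-02-20T02:00:09", "TargetUserName": "backup", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2022-02-20T02:00:15", "TargetUserName": "nurse1", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2022-02-20T02:00:31", "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2022-02-20T02:00:33", "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4624, "TimeCreated": "2022-02-20T02:00:40", "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2022-02-20T08:12:00", "TargetUserName": "dr.bob", "IpAddress": "198.51.100.5", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2022-02-20T08:12:20", "TargetUserName": "dr.bob", "IpAddress": "198.51.100.5", "LogonType": 10}
{"EventID": 4624, "TimeCreated": "2022-02-20T08:12:45", "TargetUserName": "dr.bob", "IpAddress": "198.51.100.5", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2022-02-20T09:00:00", "TargetUserName": "clerk", "IpAddress": "-", "LogonType": 2}
"""

FAIL, SUCCESS, RDP = 4625, 4624, 10


def detect_rdp_brute_force(jsonl, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector keyed on source IP.

    RDP_BRUTE_FORCE          - `threshold` or more RDP logon failures from one
                               IP inside `window` (raised once per IP).
    RDP_BRUTE_FORCE_SUCCESS  - an RDP logon succeeds from an IP that is still
                               over the threshold: the guess landed.
    Non-RDP logon types are ignored so console typos do not add noise.
    """
    recent_failures = defaultdict(deque)   # ip -> timestamps inside the window
    already_alerted = set()
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("LogonType") != RDP:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        ip = ev["IpAddress"]
        q = recent_failures[ip]
        while q and ts - q[0] > window:      # expire old failures
            q.popleft()
        if ev["EventID"] == FAIL:
            q.append(ts)
            if len(q) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append({"rule": "RDP_BRUTE_FORCE", "ip": ip,
                               "failures": len(q), "at": ev["TimeCreated"]})
        elif ev["EventID"] == SUCCESS and len(q) >= threshold:
            alerts.append({"rule": "RDP_BRUTE_FORCE_SUCCESS", "ip": ip,
                           "user": ev["TargetUserName"],
                           "failures": len(q), "at": ev["TimeCreated"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(EVENTS_JSONL):
        print(alert)
```

The second rule is the one worth paging on: a burst of failures is common Internet background noise against anything exposed on 3389, but a success from the same source inside the window means a credential is now in an attacker's hands and the account should be disabled and its sessions reviewed. The clinician who mistypes a password twice and then logs in does not trip either rule.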

Ransomware gangs are now operating more like professional businesses and are increasingly outsourcing certain functions to specialist cybercriminal groups, who assist with payments, negotiations, arbitration, and provide 24/7 help centers for victims.

Increasing the Impact of Ransomware Attacks

2021 has seen an increase in the severity of ransomware attacks. The attacks are conducted to cause as much disruption as possible to increase the likelihood of the ransom being paid. Ransomware gangs are targeting cloud infrastructures and are exploiting known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software. There has been an increase in attacks on managed service providers and their downstream clients, and industrial processes and the software supply chain are being targeted. Attacks are often conducted at the weekend or during holidays when there are likely to be fewer network defenders and support personnel on hand to identify and respond to attacks.

Defending Against Ransomware Attacks

The security advisory details a long list of mitigations to reduce the likelihood of a successful attack and the severity of an attack should perimeter defenses be breached, including limiting the ability of threat actors to learn about an organization’s IT environment and move laterally.

You can view the list of recommended mitigations here.

The post CISA, FBI, NSA Warn of Increased Threat of Ransomware Attacks on Critical Infrastructure appeared first on HIPAA Journal.

Immediate Patching Required to Fix Critical SAP Vulnerabilities

The German business software provider SAP has released patches to fix a set of critical vulnerabilities that affect SAP applications that use the SAP Internet Communications Manager (ICM). The vulnerabilities were identified by researchers at Onapsis Research Labs, who dubbed the flaws ICMAD (Internet Communications Manager Advanced Desync). All three of the flaws could be exploited to achieve remote code execution, which would allow remote attackers to fully compromise vulnerable SAP applications.

The vulnerabilities affect the following SAP applications:

  • SAP NetWeaver AS ABAP
  • ABAP Platform
  • SAP NetWeaver AS Java
  • SAP Content Server 7.53
  • SAP Web Dispatcher

The flaws could be exploited to steal victim sessions and credentials in plaintext, change the behavior of applications, obtain PHI and sensitive business data, and cause a denial of service. The vulnerability CVE-2022-22536 is the most serious of the three and has been assigned the maximum CVSS severity score of 10/10. Onapsis said the flaw can be easily exploited by an unauthenticated attacker against SAP applications in the default configuration by sending a single request through the commonly exposed HTTP(S) service.

When business applications allow HTTP(S) access, the most common configuration is for an HTTP(S) proxy to be sitting between clients and the backend SAP system, and this configuration allows the flaw to be exploited. The second vulnerability, tracked as CVE-2022-22532 (CVSS 8.1) can also be exploited in this configuration, and even in the absence of proxies. The third vulnerability, tracked as CVE-2022-22533 (No CVSS score at present) can also lead to remote code execution.

The vulnerabilities were identified while researching HTTP smuggling techniques, which the researchers determined could be leveraged using requests that closely mirror legitimate HTTP requests. As such, these attacks would be difficult for security teams to detect, and the vulnerabilities are also very easy to exploit.
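HTTP request smuggling (desync) attacks in general work because a proxy in front of an application and the application behind it disagree about where one request ends and the next begins, which is why such requests can look legitimate to each hop on its own. RFC 7230 section 3.3.3 requires that a request carrying both Transfer-Encoding and Content-Length, or conflicting Content-Length values, be treated as an error. The checker below is an added example of that framing rule for a front-end or log pipeline; it is not from Onapsis or SAP, is not a test for the ICMAD vulnerabilities themselves, and the sample requests are constructed.

```python
"""Flag HTTP/1.1 requests whose message framing is ambiguous.

Added example, not part of the Onapsis or SAP advisories and not an ICMAD
detector. It applies the RFC 7230 section 3.3.3 framing rules to a raw request
so ambiguous messages can be rejected at the edge or alerted on from logs.
"""

# Transfer codings registered for HTTP/1.1; anything else is suspicious.
CANONICAL_TE = {"chunked", "identity", "gzip", "compress", "deflate"}


def parse_headers(raw: bytes):
    """Return (request_line, [(name, value), ...]).

    Duplicates and original spelling are preserved on purpose: the point is to
    see the headers exactly as a lenient parser would, not to normalise them.
    """
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head = raw.split(sep, 1)[0]
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, colon, value = line.decode("latin-1").partition(":")
        headers.append((name, value if colon else None))
    return request_line, headers


def framing_findings(raw: bytes):
    """Return a list of findings; an empty list means the framing is unambiguous."""
    _, headers = parse_headers(raw)
    findings, cl_values, te_values = [], [], []
    for name, value in headers:
        if value is None:
            findings.append(f"malformed header line {name!r}")
            continue
        if name != name.strip():
            # "Content-Length : 4" style names are a classic desync trick
            findings.append(f"whitespace around header name {name!r}")
        norm = name.strip().lower()
        if norm == "content-length":
            cl_values.append(value.strip())
        elif norm == "transfer-encoding":
            te_values.append(value)
    if len(set(cl_values)) > 1:
        findings.append(f"conflicting Content-Length values {cl_values}")
    for v in cl_values:
        if not v.isdigit():
            findings.append(f"non-numeric Content-Length {v!r}")
    if cl_values and te_values:
        findings.append("both Content-Length and Transfer-Encoding present")
    for te in te_values:
        for tok in te.split(","):
            clean = tok.strip()
            if clean.lower() not in CANONICAL_TE:
                findings.append(f"unrecognised Transfer-Encoding token {clean!r}")
            elif tok not in (clean, " " + clean):
                # tabs or extra spaces that some parsers accept and others do not
                findings.append(f"irregular whitespace in Transfer-Encoding {tok!r}")
    return findings


def should_reject(raw: bytes) -> bool:
    """Policy helper: reject any request with at least one framing finding."""
    return bool(framing_findings(raw))


# Constructed sample requests (not real traffic).
CLEAN = (b"POST /api/submit HTTP/1.1\r\n"
         b"Host: example.internal\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST /api/submit HTTP/1.1\r\n"
             b"Host: example.internal\r\n"
             b"Content-Length: 6\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n"
             b"0\r\n\r\n")
OBFUSCATED = (b"POST /api/submit HTTP/1.1\r\n"
              b"Host: example.internal\r\n"
              b"Content-Length : 4\r\n"
              b"Transfer-Encoding:\tchunked\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("ambiguous", AMBIGUOUS), ("obfuscated", OBFUSCATED)):
        print(label, framing_findings(req))
```

The defensive value is in applying the same strict rule at every hop: if the reverse proxy rejects ambiguous framing before forwarding, the backend never has the chance to interpret the request differently, which is the precondition a desync attack depends on.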

SAP applications are extensively used by businesses, including in the healthcare industry. When vulnerabilities are discovered, they are quickly exploited by hackers to gain access to applications to steal data or cripple business systems. Oftentimes, the first exploits of SAP vulnerabilities occur within 72 hours of patches being released.

SAP applications are used to manage business processes, and in healthcare the applications often contain protected health information. Vulnerabilities in SAP applications could therefore be exploited to steal patient data.

SAP and Onapsis have urged all businesses using vulnerable SAP applications to apply the patches immediately to prevent exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory about the vulnerabilities urging immediate patching. Organizations should prioritize patching affected systems that are exposed to untrusted networks, such as the Internet. Onapsis has released a free, open source scanning tool that can be used by businesses to discover if they are vulnerable to ICMAD exploits.

The post Immediate Patching Required to Fix Critical SAP Vulnerabilities appeared first on HIPAA Journal.