Healthcare Cybersecurity

Latest Phishing Kits Allow Multi-Factor Authentication Bypass

Posted by HIPAA Journal

Phishing attacks allow threat actors to obtain credentials, but multi-factor authentication (MFA) makes it harder for phishing attacks to succeed. With MFA enabled, in addition to a username and password, another method of authentication is required before account access is granted. Microsoft has previously said multi-factor authentication blocks 99.9% of automated account compromise attacks; however, MFA does not guarantee protection. A new breed of phishing kit is being increasingly used to bypass MFA.

Researchers at Proofpoint explained in a recent blog post that phishing kits are now being used that leverage transparent reverse proxy (TRP), which allows browser man-in-the-middle (MitM) attacks. The phishing kits allow the attackers to compromise browser sessions and steal credentials and session cookies in real-time, allowing a full account takeover without alerting the victim.

There are multiple phishing kits that can often be purchased for a low cost that allow MFA to be bypassed; some are simple with no-frills functionality, while others are more sophisticated and incorporate multiple layers of obfuscation and have modules for performing a range of functions, including the theft of sensitive data such as passwords, Social Security numbers, credit card numbers, and MFA tokens.

With standard phishing attacks, the attackers create a fake login page to trick visitors into disclosing their credentials. Oftentimes the phishing page is a carbon copy of the site it impersonates, with the URL the only sign that the phishing page is not genuine. One of the MitM phishing kits identified by the Proofpoint team does not use these fake pages, instead, it uses TRP to present the genuine landing page to the visitor. This approach makes it impossible for victims to recognize the phishing scam. When a user lands on the page and a request is sent to that service, Microsoft 365 for instance, the attackers capture the username and password before they are sent and steal the session cookies that are sent in response in real-time.

The researchers refer to a study of MitM phishing kits by Stony Brook University and Palo Alto Networks which identified more than 1,200 phishing sites using MitM phishing kits. Worryingly, these phishing sites are often not detected and blocked by security solutions. 43.7% of the domains and 18.9% of the IP addresses were not included on popular blocklists, such as those maintained by VirusTotal. Further, while standard phishing pages typically only have a lifespan of around 24 hours before they are blocked, MitM phishing pages last much longer. 15% of those detected lasted for longer than 20 days before they were added to blocklists.

The use of these phishing kits is increasing, albeit relatively slowly, however, the Proofpoint researchers believe that MitM phishing kits will be much more widely adopted by threat actors in response to the increased use of MFA. “[MitM phishing kits] are easy to deploy, free to use, and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new unexpected directions,” said Proofpoint.

The post Latest Phishing Kits Allow Multi-Factor Authentication Bypass appeared first on HIPAA Journal.

HC3: Lessons Learned from the Ransomware Attack on Ireland’s Health Service Executive

Posted by HIPAA Journal

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has released a report providing insights into the May 2021 Conti ransomware attack on the Health Service Executive (HSE) in Ireland, and advice for the healthcare and public health (HPH) sector to help prepare, respond, and recover from ransomware attacks.

The report provides information on the vulnerabilities and weaknesses that were exploited by the Conti ransomware gang, and how the HSE’s lack of preparedness for ransomware attacks hampered its efforts to detect, respond and remediate the attack and contributed to the long and expensive recovery process.

The Conti ransomware gang, believed to be a reincarnation of the notorious Ryuk ransomware operation, first gained access to the HSE network on May 7, 2021, and the networks of six voluntary hospitals and one statutory hospital were compromised between May 8, 2021, and May 12, 2021. One of the affected hospitals detected the attack on May 10, and the HSE was alerted to the cyberattack on May 12. Between May 12 and May 13, the attacker accessed files and folders on HSE systems. The Department of Health and one hospital prevented attacks on their networks on May 13, but in the early hours of May 14, 2021, other hospitals and the HSE started to have files encrypted. The HSE said around 80% of its network was encrypted in the attack.

The attackers issued a ransom demand; however, a week after files were encrypted the gang provided the keys to decrypt files for free, but then insisted the HSE pay the ransom to prevent the publication or sale of the stolen data. It took until September 21, 2021 – four months after files were encrypted – to restore 100% of HSE servers and 99% of its applications. Recovery from the ransomware attack cost the HSE hundreds of millions of dollars and the attack could have been even more costly and damaging had the Conti ransomware gang not provided the decryption keys.

The Conti ransomware gang has conducted at least 40 ransomware attacks in 2021 in the United States, Columbia, Europe, India, and Australia, including attacks on HPH entities in at least 20 U.S. states. Attacked healthcare entities include biotech firms, health/medical clinics, home healthcare services, hospices/elderly care, hospitals, pharma firms, healthcare industry services, and public health entities.

In December 2021, the HSE released a 157-page report of an independent post-incident review by PricewaterhouseCoopers (PwC) that detailed the background to the attack, the timeline, the recovery process, cybersecurity failures, and provided many recommendations. The PwC report was the reference for the HC3 report.

The PwC and HC3 reports detail many cybersecurity failures that contributed to the slow detection of the attack, the inability to respond quickly to security alerts and implement mitigations, and the extensive recovery time. Despite the high risk of ransomware attacks on the healthcare industry, the HSE was simply not prepared to deal with a ransomware attack. There was no single owner for cybersecurity at a senior executive or management level, no dedicated committee providing direction and oversight of cybersecurity activities, multiple weaknesses and gaps in cybersecurity controls, no cybersecurity forum to discuss and document risks, no centralized cybersecurity function to manage cybersecurity risks and controls, and the teams responsible for cybersecurity were known to be under-resourced.

The technology used by the HSE was overly complex, which increased vulnerability to cyberattacks. There was a large and unclear security boundary, the effective security boundary did not align with its ability to mandate cybersecurity controls, and there was no effective monitoring of the capability to detect and respond to attacks.  High-risk gaps were identified in 25 of the 28 cybersecurity controls that are most effective at detecting and preventing human-operated ransomware attacks, and the HSE was overly reliant on antivirus software for protecting endpoints. The HSE had no documented cyber incident response plan and had not performed exercises of the technical response to an attack. The HSE was therefore heavily reliant on third parties in the weeks following the attack to provide structure to its response activities.

While many ransomware actors are stealthy, the Conti ransomware attack was not. On May 7, 2021, the HSE’s antivirus detected Cobalt Strike on six servers, two hospitals identified an intrusion before the ransomware was deployed, and two organizations prevented the deployment of ransomware, but there was no centralized response from the HSE.

The report highlights the consequences of not having an effective cybersecurity strategy, the need to prepare thoroughly for an attack, and the importance of governance and cybersecurity leadership. As serious as the attack was, some good can come out of it. Healthcare organizations around the world can learn from the attack and apply the lessons learned by the HSE to prevent attacks on their own IT infrastructure, and ensure they are properly prepared to respond to a ransomware attack should their defenses be breached.

The post HC3: Lessons Learned from the Ransomware Attack on Ireland’s Health Service Executive appeared first on HIPAA Journal.

FBI Shares Technical Details of Lockbit 2.0 Ransomware

Posted by HIPAA Journal

The Federal Bureau of Investigation (FBI) has released indicators of compromise (IoCs) and details of the tactics, techniques, and procedures (TTPs) associated with Lockbit 2.0 ransomware.

Lockbit is a ransomware-as-a-service (RaaS) operation that has been active since September 2019. In the summer of 2021, a new version of the ransomware – Lockbit 2.0 – was released that had more advanced features, including the ability to automatically encrypt files across Windows domains via Active Directory group policies, and a Linux based malware was also developed that could exploit vulnerabilities in VMware ESXi virtual machines.

The affiliates working for the ransomware operation use a  range of TTPs in their attacks, which makes prevention, detection, and mitigation a challenge for security teams. Initial access is gained by exploiting unpatched vulnerabilities, using zero-day exploits, and purchasing access to business networks from initial access brokers (IABs). Shortly after the relaunch of the RaaS, the threat actor started advertising on hacking forums trying to recruit insiders who could provide network access in exchange for a cut of any ransom payment that is generated.

Once access to a network has been gained, the threat actors use a range of publicly available tools for lateral movement, privilege escalation, and exfiltrating sensitive data. Stolen data are used as leverage to pressure victims into paying the ransom. If victims refuse to pay the ransom, stolen data are published on the Lockbit 2.0 data leak site.

The infection process sees log files and shadow volume copies deleted, and system information is enumerated such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. Affiliates are able to specify the file types to exfiltrate from the admin panel, and those files are then copied to an attacker-controlled server via HTTP. Some affiliates use other methods to achieve the same purpose, such as rclone and MEGAsync, as well as publicly available file-sharing services. After data exfiltration, the ransomware encrypts files on local and remote devices, leaving core system files intact. The ransomware then deletes itself from the disk and creates persistence at startup. Lockbit 2.0 will exit without infection if Russian or any languages of the former Soviet republics are detected.

Like several other RaaS operations, the group claims it will not conduct ransomware attacks on healthcare organizations; however, other groups have made similar claims yet have still attacked the healthcare sector. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has advised all organizations in the HPH sector to read and apply the information contained in the FBI’s TLP: White Flash Alert and take steps to reduce their attack surface to the greatest extent possible.

Measures that should be taken include setting strong, unique passwords for all accounts, implementing multi-factor authentication, keeping software and operating systems up to date, removing unnecessary access to administrative shares, segmenting networks, and implementing a host-based firewall and robust data backup program.

The post FBI Shares Technical Details of Lockbit 2.0 Ransomware appeared first on HIPAA Journal.

Unpatched Vulnerabilities are the Most Common Attack Vector Exploited by Ransomware Actors

Posted by HIPAA Journal

Ransomware gangs are increasingly targeting unpatched vulnerabilities in software and operating systems to gain access to business networks, and they are weaponizing zero-day vulnerabilities at record speed. Unpatched vulnerabilities are now the primary attack vector in ransomware attacks, according to Ivanti’s Ransomware End of Year Spotlight report.

Ivanti partnered with Certifying Numbering Authority (CNA) Cyber Security Works and the next-gen SOAR and threat intelligence solution provider Cyware for its report, which identified 32 new ransomware variants in 2021 – An increase of 26% from the previous year. There are know 157 known ransomware families that are being used in cyberattacks on businesses.

Ivanti says 65 new vulnerabilities were identified in 2021 that are known to have been exploited by ransomware gangs – an increase of 29% year-over-year – bringing the total number of vulnerabilities tied to ransomware attacks to 288. 37% of the new vulnerabilities were trending on the dark web and have been exploited in multiple attacks, and 56% of the 223 older vulnerabilities continue to be routinely exploited by ransomware gangs.

Ransomware gangs and the initial access brokers they often use are searching for and leveraging zero-day vulnerabilities, oftentimes exploiting them in their attacks before the vulnerabilities have been issued CVE codes and have been added to the National Vulnerability Database (NVD). This was the case with the QNAP (CVE-2021-28799), Sonic Wall (CVE-2021-20016), Kaseya (CVE-2021-30116), and Apache Log4j (CVE-2021-44228) vulnerabilities.

The report highlights the importance of applying patches promptly but also emphasizes the need to prioritize patching to ensure vulnerabilities that have been weaponized are patched first. While it is important to keep track of vulnerabilities as they are added to the NVD, security teams should also sign up to receive threat intelligence feeds and security advisories from security agencies and should be on the lookout for exploitation instances and vulnerability trends.

While ransomware attacks on individual businesses are common, ransomware gangs are looking for major paydays and are increasingly targeting managed service providers and supply chain networks to inflict damage on as many businesses as possible. A supply chain attack or an attack on a managed service provider allows a ransomware gang to conduct ransomware attacks on dozens or even hundreds of victim networks, as was the case with REvil’s ransomware attack on the Kaseya VSA remote management service.

Ransomware gangs are also increasingly collaborating with others, either through ransomware-as-a-service (RaaS), where affiliates are used to conduct large numbers of attacks for a cut of the ransom payments, exploit-as-a-service, where exploits for known vulnerabilities are rented from developers, and dropper-as-a-service operations, where ransomware gangs pay malware operators to drop malicious payloads on infected devices.

“Ransomware groups are becoming more sophisticated, and their attacks more impactful. These threat actors are increasingly leveraging automated tool kits to exploit vulnerabilities and penetrate deeper into compromised networks,” said Srinivas Mukkamala, Senior Vice President of Security Products at Ivanti. “Organizations need to be extra vigilant and patch weaponized vulnerabilities without delays. This requires leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation.”

The post Unpatched Vulnerabilities are the Most Common Attack Vector Exploited by Ransomware Actors appeared first on HIPAA Journal.

HC3: BlackMatter Ransomware Threat Level Reduced

Posted by HIPAA Journal

In September 2021, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued an advisory to the health sector about an elevated threat of BlackMatter ransomware attacks. A few days ago, a second advisory was issued stating the threat level has been reduced to Blue/Guarded. HC3 said the ransomware-as-a-service (RaaS) operation appears to have been shut down and there have been no further victims listed on the BlackMatter RaaS data leak site since October 31, 2021.

The BlackMatter ransomware operation is believed by many security experts to be a rebranding of the DarkSide ransomware gang, which conducted the ransomware attack on Colonial Pipeline in May 2021 that disrupted fuel delivery to the Eastern Seaboard. The DarkSide operation was shut down shortly after the Colonial Pipeline attack, and BlackMatter ransomware attacks started in July 2021. Approximately half of the attacks conducted by the BlackMatter ransomware gang were on entities based in the United States, including at least four healthcare organizations – A pharmaceutical consulting company, a medical testing & diagnostics company, and a dermatology clinic.

On November 1, 2021, a member of the BlackMatter ransomware operation claimed the RaaS program was being shut down due to pressure from law enforcement and said key members of its group were no longer available. The remaining victims of the attacks were then moved to the LockBit ransomware negotiation site.

It is common for RaaS operations to shut down and then re-emerge under a different name with a different ransomware variant, as appears to be the case with DarkSide and BlackMatter. The affiliates of the operations who conduct the attacks for a cut of the profits simply switch to a competing ransomware operation and continue to conduct attacks.

Several ransomware operations have either shut down or been taken down by law enforcement over the past few months, including the notorious REvil ransomware operation, which was believed to be a rebranding of the GandCrab ransomware operation. Despite these shutdowns, the threat of ransomware attacks remains high.

“While the group appears to have shut down operations, other actors seeking lucrative payouts from ransomware attacks are likely to fill this void,” warned HC3.

The post HC3: BlackMatter Ransomware Threat Level Reduced appeared first on HIPAA Journal.

Technologies Supporting Telehealth are Placing Healthcare Data at Risk

Posted by HIPAA Journal

A new report from Kaspersky indicates the massive increase in telehealth has placed healthcare data at risk. Vulnerabilities have been found in the technologies that support telemedicine, many of which have not yet been addressed.

Massive Increase in the Use of Telehealth

The COVID-19 pandemic has led to an increase in virtual visits, with healthcare providers increasing access to telehealth care to help curb infections and cut costs. Virtual visits are conducted via the telephone, video-conferencing apps, and other platforms, and a host of new technologies and products such as wearable devices for measuring vital signs, implanted sensors, and cloud services are also being used to support telehealth.

Data from McKinsey shows telemedicine usage has increased by 38% since before the emergence of SARS-Cov-2 and COVID-19, and the CDC reports that between June 26, 2020, and November 6, 2020, around 30% of all consultations with doctors were taking place virtually.  Kaspersky says that its own data indicate 91% of healthcare providers around the world have implemented the technology to give them telehealth capabilities.

Telehealth has literally been a lifesaver during the pandemic; however, the use of new technologies is not without risk. Many of the products and services now being used to support telehealth include a variety of third-party components that have not been verified as having the necessary safeguards to ensure the confidentiality, integrity, and availability of healthcare data, and they are potentially putting patient information is at risk.

Kaspersky hypothesized that the rapid digitalization of medical services and the wealth of sensitive and valuable patient data collected, stored, or transmitted by these new healthcare technologies has not gone unnoticed and cybercriminals, who are looking to exploit vulnerabilities. A study was devised to explore the security landscape of telehealth in 2020 and 2021 to determine the extent to which healthcare data is being put at risk.

Analysis of Telehealth Applications and Related Technology

In the summer of 2021, Kaspersky conducted an analysis of 50 of the most popular applications that were being used to provide telehealth services to identify vulnerabilities that could potentially be exploited to gain access to patient data, and checked for the presence of malicious code used to mimic those applications or steal data from them. No vulnerabilities were identified in the 50 applications, although that does not mean vulnerabilities do not exist, only that they have not been found by researchers. Deeper analyses of those apps may uncover vulnerabilities.

“In the absence of centralized quality control of telehealth at the application level, their security can significantly vary from product to product,” suggests Kaspersky. “Another unfortunate fact is that smaller companies, like start-ups, simply do not have enough hands and resources to control the quality and safety of their applications. Accordingly, such applications may contain many vulnerabilities currently unknown to the public that cybercriminals can find and use.”

The researchers then looked at wearable devices and sensors, which are often used in conjunction with telemedicine, specifically, the most commonly used protocol for transferring data from wearable devices and sensors – MQTT..

Kaspersky notes in its report – Telehealth: A New Frontier in Medicine- and Security – that MQTT does not require authentication for data transfers, and even if authentication is implemented, data are transferred in plain text with no encryption, which means MQTT is susceptible to man-in-the-middle (MITM) attacks to gain access to the transferred data. If a device is exposed to the Internet, data transfers via MQTT could easily be intercepted.

According to Kaspersky, between 2016 and 2021, 87 vulnerabilities have been identified in MQTT, and 57 of those vulnerabilities were rated critical or high-severity. Many of those vulnerabilities have still not been patched.

Kaspersky reports that the most common wearable device platform, Qualcomm Snapdragon Wearable, is riddled with vulnerabilities. Since the platform was launched in 2020, more than 400 bugs have been detected, many of which have yet to be patched. Multiple vulnerabilities have also been identified in other vendors’ wearable devices.

Cybercriminals Are Looking to Exploit Vulnerabilities to Access Patient Data

Kaspersky warns that cybercriminals are increasingly using medical themes in their phishing campaigns. Between June 2021 and December 2021, more than 150,000 phishing attacks were detected that used medical themes as lures, and as the digitization of healthcare increases, that trend is only likely to continue to increase.

Telehealth is likely to continue to be used to provide care to patients for years to come and there have been calls for the telehealth flexibilities introduced in response to the pandemic to be made permanent. It is therefore vital for app developers and manufacturers of wearable devices, as well as the healthcare organizations that use them, to be aware of the security risks associated with the technology.

Developers need to be aware of vulnerabilities that could be exploited to gain access to patient data and should implement appropriate safeguards to keep data protected. Users of telehealth services, especially frontline workers who have a say in the platforms and devices used for telehealth, should study the security of each application or product and take steps to secure their accounts with strong passwords, multifactor authentication.

“We expected that 2021 would be a year of greater collaboration between the medical sector and IT security specialists,” said Kaspersky. “In some ways, our expectations were met, but the explosive growth of telehealth has brought new challenges to this collaboration which have yet to be solved.”

The post Technologies Supporting Telehealth are Placing Healthcare Data at Risk appeared first on HIPAA Journal.

Settlement Reached in Excellus Class Action Data Breach Lawsuit

Posted by HIPAA Journal

Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement to resolve a class action lawsuit that was filed in relation to a cyberattack discovered in 2015 involving the personally identifiable information (PII) and protected health information (PHI) of more than 10 million members, subscribers, insureds, patients, and customers.

The cyberattack was detected on August 5, 2015, by a cybersecurity firm that was hired to assess Excellus’s information technology system. The subsequent investigation by Excellus and cybersecurity firm Mandiant determined hackers had first gained access to its systems on or before December 23, 2013. Evidence was found that indicated the hackers were active within its network until Aug. 18, 2014, after which no traces of activity were found; however, malware had been installed which gave the attackers access to its network until May 11, 2015. On that date, something happened that prevented the hackers from accessing its network. It took Excellus 17 months from the initial intrusion to detect the security breach.

The HHS’ Office for Civil Rights (OCR) launched an investigation into the data breach and uncovered several potential violations of the HIPAA Rules, including security failures and the impermissible disclosure of the PHI of 9.3 individuals. The case was settled in January 2021 and Excellus agreed to pay a financial penalty of $5.1 million to resolve the HIPAA violations and to implement a corrective action plan to address the security failures and the alleged HIPAA non-compliance issues.

The lawsuit was brought against Excellus, Lifetime Healthcare Inc., Lifetime Benefit Solutions Inc., Genesee Region Home Care Association Inc., MedAmerica Inc., Univera Healthcare, and the Blue Cross Blue Shield Association, on behalf of all individuals affected by the data breach. Initially, the lawsuit sought monetary damages and injunctive relief; however, for several legal reasons, the court was unable to certify classes seeking monetary damages, and only certified a class for injunctive relief.

The plaintiffs alleged the defendants had failed to implement appropriate security measures to ensure the confidentiality of PII and PHI, failed to detect the security breach for 17 months, and when the breach was detected, waited too long to notify affected individuals and then failed to provide sufficient information about how victims could protect themselves from harm. The lawsuit required the Excellus defendants and BCBSA to change their information security practices with respect to PII and PHI and to invest in information security. The Excellus defendants and BCBSA denied any wrongdoing and, to date, no court has determined the defendants have done anything wrong.

The Excellus defendants and BCBSA have agreed to cover reasonable attorneys’ fees, costs, and expenses as approved by the courts. The costs include a maximum of $3.3 million to cover attorneys’ fees and the reimbursement of expenses of no more than $1,000,000. Service awards of up to $7,500 will also be provided to class representatives.

Changes will be made to business practices regarding the safeguarding of PII and PHI which will cover the three years from the finalization of the settlement or the two years after each of the changes has been implemented. The information security requirements detailed in the settlement require the Excellus defendants and BCBSA to:

  • Increase and maintain a minimum information security budget
  • Develop a strategy and engage vendors to ensure records containing PII or PHI are disposed of within one year of the original retention period
  • Take steps to improve the security of its network, including the use of tools for detecting suspicious activity, authenticating users, responding to and containing security incidents, and document retention
  • Engage in an extensive data archiving program and provide plaintiffs with documentation confirming the extent, scope, and thoroughness of the archiving project
  • Provide the plaintiffs with copies of documents provided to OCR that demonstrate compliance with the OCR settlement and corrective action plan
  • Make an annual declaration attesting to compliance with each aspect of the items in the settlement, including the extent to which it has not been possible to comply with any of the items

If the settlement is agreed by the court – a hearing has been scheduled for April 13, 2022 – all plaintiffs and class members will be required to release all claims against the Excellus defendants and BCBSA for injunctive and declaratory relief. The settlement will not release any claims against the Excellus defendants and BCBSA for monetary damages.

The post Settlement Reached in Excellus Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach

Posted by HIPAA Journal

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents.

The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers, birth/marriage certificates, diagnoses, and medical treatment information.

Between June 24, 2020, and July 1, 2020, the attackers accessed the account from multiple IP addresses, including some from outside the United States and on July 1, 2020, the account was used to send around 2,000 phishing emails to EyeMed clients. The EyeMed IT department detected the phishing emails and received multiple inquiries from clients querying the legitimacy of the emails. The compromised account was then immediately secured.

The subsequent forensic investigation confirmed the attacker could have exfiltrated data from the email account while access was possible but could not determine if any personal information was stolen. Affected individuals were notified in September 2020 and were offered complimentary credit monitoring, fraud consultation, identity theft restoration services.

The Office of the New York Attorney General investigated the security incident and data breach and determined that, at the time of the attack, EyeMed had failed to implement appropriate security measures to prevent unauthorized individuals from accessing the personal information of New York residents.

The email account was accessible via a web browser and contained large quantities of consumers’ sensitive information spanning several years, yet EyeMed had failed to implement multifactor authentication on the account. EyeMed also failed to implement adequate password management requirements for the email account. The password requirements for the account were not sufficiently complex, only requiring a password of 8 characters, when it was aware of the importance of password complexity as the password requirements for admin-level accounts required passwords of at least 12 characters. EyeMed also allowed 6 failed password attempts before locking out the user ID. EyeMed had also failed to maintain adequate logging of email accounts and was not monitoring email accounts, which made it difficult to identify and investigate security incidents. It was also unreasonable to retain consumer data in the email account for such a long period of time. Older emails should have been transferred to more secure systems and be deleted from the email account.

State attorneys general have the authority to impose financial penalties for HIPAA violations and it would have been possible to cite violations of HIPAA; however, New York only cited violations of New York General Business Law.

Under the terms of the settlement, EyeMed is required to pay a financial penalty of $600,000 and must implement several measures to improve security and prevent further data breaches. Those measures include:

  • Maintaining a comprehensive information security program that is regularly updated to keep pace with changes in technology and security threats
  • Maintaining reasonable account management and authentication, including the use of multi-factor authentication for all administrative or remote access accounts
  • Encrypting sensitive consumer information
  • Conducting a reasonable penetration testing program to identify, assess, and remediate security vulnerabilities
  • Implementing and maintaining appropriate logging and monitoring of network activity
  • Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it.

“New Yorkers should have every assurance that their personal health information will remain private and protected. EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals,” said Attorney General James. “Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”

The post New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach appeared first on HIPAA Journal.

More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability

Posted by HIPAA Journal

A recent study by the healthcare IoT security platform provider Cynerio has revealed 53% of connected medical devices and other healthcare IoT devices have at least one unaddressed critical vulnerability that could potentially be exploited to gain access to networks and sensitive data or affect the availability of the devices. The researchers also found a third of bedside healthcare IoT devices have at least one unpatched critical vulnerability that could affect service availability, data confidentiality, or place patient safety in jeopardy.

The researchers analyzed the connected device footprints at more than 300 hospitals to identify risks and vulnerabilities in their Internet of Medical Things (IoMT) and IoT devices. IV pumps are the most commonly used healthcare IoT device, making up around 38% of a hospital’s IoT footprint. It is these devices that were found to be the most vulnerable to attack, with 73% having a vulnerability that could threaten patient safety, service availability, or result in data theft. 50% of VOIP systems contained vulnerabilities, with ultrasound devices, patient monitors, and medicine dispensers the next most vulnerable device categories.

The recently announced Urgent11 and Ripple20 IoT vulnerabilities are naturally a cause for concern; however, there are much more common and easily exploitable vulnerabilities in IoT and IoMT devices. The Urgent11 and Ripple20 vulnerabilities affect around 10% of healthcare IoT and IoMT devices, but the most common risk was weak credentials. Default passwords can easily be found in online device manuals and weak passwords are vulnerable to brute force attacks. One-fifth (21%) of IoT and IoMT devices were found to have default or weak credentials.

The majority of pharmacology, oncology, and laboratory devices and large numbers of the devices used in radiology, neurology, and surgery departments were running outdated Windows versions (older than Windows 10) which are potentially vulnerable.

Unaddressed software and firmware vulnerabilities are common in bedside devices, with the most common being improper input validation, improper authentication, and the continued use of devices for which a device recall notice has been issued. Without visibility into the devices connected to the network and a comprehensive inventory of all IoT and IoMT devices, identifying and addressing vulnerabilities before they are exploited by hackers will be a major challenge and it will be inevitable that some devices will remain vulnerable.

Many medical devices are used in critical care settings, where there is very little downtime. More than 80% of healthcare IoT devices are used monthly or more frequently, which gives security teams a small window for identifying and addressing vulnerabilities and segmenting the network. Having an IT solution in place that can provide visibility into connected medical devices and provide key data on the security of those devices will help security teams identify vulnerable devices and plan for updates.

Oftentimes it is not possible for patches to be applied. Oftentimes healthcare IoT devices are in constant use and they are frequently used past the end-of-support date. In such cases, the best security alternative is virtual patching, where steps are taken to prevent the vulnerabilities from being exploited such as quarantining devices and segmenting the network.

Segmenting the network is one of the most important steps to take to improve healthcare IoT and IoMT security. When segmentation is performed that takes medical workflows and patient care contexts into account, Cybnerio says 92% of critical risks in IoT and IoMT devices can be effectively mitigated.

Most healthcare IoT and IoMT cybersecurity efforts are focused on creating a comprehensive inventory of all IoT and IoMT devices and gathering data about those devices to identify potential risks. “Visibility and risk identification are no longer enough. Hospitals and health systems don’t need more data – they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it’s time for all of us to step up,” said Daniel Brodie, CTO and co-founder, Cynerio.

The post More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability appeared first on HIPAA Journal.