Healthcare Cybersecurity

HSCC Releases Model Contract Template for HDOs and Medical Device Manufacturers

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published a new Model Contract Language template for healthcare delivery organizations (HDOs) to use when procuring new devices from medical device manufacturers (MDMs) to ensure each party is aware of its responsibilities for cybersecurity and device management.

“Medical device cybersecurity responsibility and accountability between MDMs and HDOs is complicated by many conflicting factors, including uneven MDM capabilities and investment in cybersecurity controls built into device design and production; varying expectations for cybersecurity among HDOs; and high cybersecurity management costs in the HDO operational environment through the device lifecycle,” explained HSCC. “These factors have introduced and sustained ambiguities in cybersecurity accountability between MDMs and HDOs that historically have been reconciled at best inconsistently in the purchase contract negotiation process, leading to downstream disputes and potential patient safety implications.”

The Model Contract Language is intended to be a reference for shared cooperation and coordination between HDOs and MDMs for security, compliance, management, operation, services, and MDM-managed medical devices, solutions, and connections. The aim is to help HDOs reduce the cost, complexity, and time spent in the contracting process, minimize privacy and security risks, and ensure the confidentiality, integrity, and availability of HDO healthcare technologies.

The contract framework is based on three of the fundamental pillars of cybersecurity: performance, maturity, and product design maturity, with those three pillars subdivided into 14 core principles.

Core Principles of the HSCC Model Contract Language for Medtech Cybersecurity

The contract states that MDMs are required to make their products secure by default, have all security features enabled, reduce the attack surface as far as is possible, and ensure their products are free of malware and unnecessary code and services. All products are required to have the following security controls as standard:

  • Network controls
  • Physical security
  • Anti-malware
  • Intrusion detection
  • Data encryption
  • Access management
  • Security patching
  • Audit & logging
  • Protection against malicious code
  • Privilege escalation controls
  • Document reference architecture
  • Remote access controls

MDMs, HDOs, and group purchasing organizations are encouraged to review the Model Contract Language template and adopt as much of it as is necessary for their organization. “The more uniformity and predictability the sector can achieve in cross-enterprise cybersecurity management expectations, the greater strides it will make toward patient safety and a more secure and resilient healthcare system,” said HSCC.

The post HSCC Releases Model Contract Template for HDOs and Medical Device Manufacturers appeared first on HIPAA Journal.

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised.

Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering.

The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a recent study commissioned by New Zealand-based Mobile Mentor and conducted by the Austin, TX-based Center for Generational Kinetics. The aim of the study was to explore the Endpoint Ecosystem to understand how employees perceive privacy, productivity, and personal well-being in the modern workplace. The Endpoint Ecosystem is the combination of all devices, applications, and tools that are used by employees coupled with the experiences of employees using technologies.

The survey was conducted on 1,500 employees in highly regulated industries such as government, healthcare, education, and finance in the United States and Australia, and the findings are detailed in the Mobile Mentor report, The Endpoint Ecosystem – 2022 National Study.

Employees are Taking Security Risks

The survey confirmed what other studies have found – the pandemic has led to the workforce becoming much more distributed, and employers have had difficulty adapting to this new way of working and implementing and enforcing security policies that are well suited to the change in how employees work.

One of the major findings was a lack of awareness about security policies and a failure of employers to provide security awareness training to the workforce. 27% of employees said they saw security policies less than once a year and 39% said they receive security awareness training less than once a year. Healthcare and education employees were the least likely to see security policies and employees often felt they were not adequately trained to protect company data.

41% of respondents said security policies implemented by their employers restricted the way they work, and 36% of employees said they had found a way to work around security policies. The use of shadow IT – applications and services that have not been authorized by the IT department – was found to be out of control. Workers are routinely using unregulated apps and services for work activities, which can involve regulated data. Employees commonly used services such as Gmail and Dropbox because they believe it makes them more efficient, even though the use of those services has an impact on security.

Interestingly, while remote working is viewed as a security risk, remote workers appeared to be much more tech-savvy, were more aware of security and privacy policies, and were more careful with their passwords. That said, workers are allowing family members to use their work devices – 46% of younger workers said other family members use their work devices.

The lines are getting blurred between device use for personal and work purposes. Overall, 64% of respondents said they use personal devices for work, but only 31% had a secure BYOD program. 57% of younger workers said they use work devices for personal use and 71% said they used personal devices for work. Many employers are failing to address the security risks associated with the use of personal devices for work purposes and work devices for personal use.

Poor Password Hygiene is a Major Security Risk

One of the main security risks identified in the study related to passwords. Poor password hygiene is a major security risk. 80% of cyberattacks start with a compromised password. One of the findings, mirrored by a recent IDC survey, is employees have too many passwords to remember. While password policies may be in place – and enforced – they are often circumvented. 69% of respondents said they choose passwords that are easy to remember, 29% of employees said they write down their passwords in a personal journal, and 24% said they store work passwords on their phones. While many of the security problems associated with passwords can be solved by using a password manager, only 31% of respondents used one.

The survey revealed employees are much more concerned about personal privacy than security, with healthcare employees the most concerned about protecting personal privacy. Mobile Mentor suggests that healthcare employers looking to improve security need to teach employees that privacy and security are two sides of the same coin.

“When the endpoint ecosystem works well, you have a secure, productive, and happy workforce. It’s always been important, but it became urgent over the last two years when the pandemic forced more people to work remotely, cybersecurity attacks increased, and the Great Resignation forced employers to rethink how they support their employees,” said Denis O’Shea, founder of Mobile Mentor. “Until employers prioritize the importance of each component within the Endpoint Ecosystem, their company security and employee productivity are going to be exposed to serious risk.”

Security Issues Identified in 75% of Infusion Pumps

This week, researchers at Palo Alto’s Unit 42 team published a report that shows security gaps and vulnerabilities often exist in smart infusion pumps. These bedside devices automate the delivery of medications and fluids to patients and are connected to networks to allow them to be remotely managed by hospitals.

The researchers used crowdsourced scans from more than 200,000 infusion pumps at hospitals and other healthcare organizations and searched for vulnerabilities and security gaps that could potentially be exploited. The devices were assessed against more than 40 known vulnerabilities and over 70 other IoT vulnerabilities.

75% of the 200,000 infusion pumps were discovered to have security gaps that placed them at an increased risk of being compromised by hackers. Worryingly, 52% of the analyzed devices were found to be vulnerable to two serious infusion pump vulnerabilities dating back to 2019, one of which is a critical flaw with a CVSS severity score of 9.8 out of 10 (Wind River VxWorks CVE-2019-12255), and the other is a high severity flaw with a CVSS score of 7.1 (Wind River VxWorks CVE-2019-12264).

Vulnerabilities in infusion pumps could be exploited to cause harm to patients. By gaining access to the devices, attackers could stop the delivery of drugs and fluids or cause the devices to deliver potentially fatal doses of drugs. Vulnerabilities could also be exploited to gain access to, modify, or delete sensitive patient data, and it is the latter type of vulnerability that is most common.

“While some of these vulnerabilities and alerts may be impractical for attackers to take advantage of unless physically present in an organization, all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in situations in which threat actors may be motivated to put extra resources into attacking a target,” said the researchers. “Our discovery of security gaps in three out of four infusion pumps that we reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks.”

Large hospitals and clinics can use thousands of infusion pumps. When vulnerabilities are discovered, patching or applying compensating controls quickly can be a major challenge. First, the affected devices must be identified, then they must be patched, fixed, or replaced. If any vulnerable device is missed, it will remain vulnerable to attack and a patient’s life may be put at risk.

It is important to maintain an accurate inventory of infusion pumps (and other IoMT devices) in use and to have the capability to rapidly discover, locate, and assess utilization of the devices. Security teams should perform a holistic risk assessment and proactively find vulnerabilities and identify compliance gaps.
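The reconciliation the paragraph above describes, as an added example (not code from Unit 42, HIPAA Journal or any device vendor): a constructed pump inventory is cross-checked against the two VxWorks advisories cited in this article so that any device a patch campaign missed surfaces, ordered by CVSS. The CVE ids and scores are the ones quoted above; the affected-version sets, model names, asset ids and remediation flags are constructed placeholders, not real vendor data.

```python
"""Cross-check a medical-device inventory against known advisories.

Added illustration (not code from Unit 42, HIPAA Journal or any vendor).
The two CVE ids and their CVSS scores are the ones cited in the article;
the affected-version sets, device models and inventory records are
constructed placeholders, not real vendor affected-version data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss: float
    affected_os: str
    affected_versions: frozenset  # constructed placeholder versions


@dataclass(frozen=True)
class Device:
    asset_id: str
    model: str
    os: str
    os_version: str
    patched_cves: frozenset = frozenset()  # CVEs recorded as remediated


# CVSS 9.8 (critical) and 7.1 (high) are the scores quoted in the article.
ADVISORIES = (
    Advisory("CVE-2019-12255", 9.8, "VxWorks", frozenset({"6.6", "6.7", "6.8"})),
    Advisory("CVE-2019-12264", 7.1, "VxWorks", frozenset({"6.6", "6.7", "6.8"})),
)

# Constructed inventory: four pumps at different stages of a patch campaign.
SAMPLE_INVENTORY = (
    Device("PUMP-0001", "Model-A", "VxWorks", "6.8"),
    Device("PUMP-0002", "Model-A", "VxWorks", "6.8", frozenset({"CVE-2019-12255"})),
    Device("PUMP-0003", "Model-B", "VxWorks", "7.0"),
    Device("PUMP-0004", "Model-A", "VxWorks", "6.8",
           frozenset({"CVE-2019-12255", "CVE-2019-12264"})),
)


def open_findings(device, advisories):
    """Advisories that apply to this device and have no remediation recorded."""
    return [a for a in advisories
            if a.affected_os == device.os
            and device.os_version in a.affected_versions
            and a.cve not in device.patched_cves]


def prioritize(devices, advisories):
    """Rank exposed devices by their worst open CVSS score, then by asset id.

    Returns (asset_id, worst_cvss, sorted list of open CVE ids) tuples."""
    rows = []
    for d in devices:
        findings = open_findings(d, advisories)
        if findings:
            rows.append((d.asset_id, max(a.cvss for a in findings),
                         sorted(a.cve for a in findings)))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def exposure_rate(devices, advisories):
    """Fraction of the inventory with at least one open finding."""
    exposed = sum(1 for d in devices if open_findings(d, advisories))
    return exposed / len(devices) if devices else 0.0


def critical_gaps(devices, advisories, threshold=9.0):
    """Asset ids still carrying an open finding at or above the CVSS threshold.

    This is the 'missed device' check: anything listed here came through the
    patch campaign with a critical issue unaddressed."""
    return [r[0] for r in prioritize(devices, advisories) if r[1] >= threshold]


if __name__ == "__main__":
    for asset_id, worst, cves in prioritize(SAMPLE_INVENTORY, ADVISORIES):
        print(f"{asset_id}: worst CVSS {worst}, open: {', '.join(cves)}")
    print(f"exposure rate: {exposure_rate(SAMPLE_INVENTORY, ADVISORIES):.0%}")
    print("critical gaps:", critical_gaps(SAMPLE_INVENTORY, ADVISORIES))
```

Replacing the constructed tuples with an export from the asset inventory and a feed of advisories gives the same ranking over a real fleet.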

Risk reduction policies should be applied. “Real-time risk monitoring, reporting, and alerting are crucial for organizations to proactively reduce IoMT risk,” suggest the researchers. “Consistent profiling of device activity and behavior yields data that can be accurately converted into risk-based Zero-Trust policy recommendations.” Hospitals and clinics should also take steps to block known targeted IoT malware, spyware, and exploits, prevent the use of DNS for C2 communications, and stop access to bad URLs and malicious websites to prevent the loss of sensitive data.

Paying a Ransom Doesn’t Put an End to the Extortion

The healthcare industry has been extensively targeted by ransomware gangs and victims often see paying the ransom as the best option to ensure a quick recovery, but the payment does not always put an end to the extortion. Many victims have paid the ransom to obtain the decryption keys or to prevent the publication of stolen data, only for the ransomware actors to continue with the extortion.

The advice of the Federal Bureau of Investigation (FBI) is never to pay a ransom following a ransomware attack, as doing so allows the threat actors to put more resources into their attacks, encourages other threat groups to get involved in ransomware, and because there is no guarantee that paying a ransom will allow the recovery of data or prevent the misuse of stolen data.

A recent survey conducted by the cybersecurity firm Venafi has helped to quantify the extent to which further extortion occurs. The survey has provided some important statistics about what happens when victims pay or do not pay the ransom demands. The survey was conducted on 1,506 IT security officers from the United States, United Kingdom, Germany, France, Benelux and Australia and explored the rapidly growing risk of ransomware attacks.

Venafi said ransomware attacks increased by 93% in the first half of 2021 and by the end of the year ransomware attacks were being conducted globally at a rate of one every 11 seconds. 67% of companies with 500 or more employees said they had experienced a ransomware attack in the past 12 months, and 83% of ransomware attacks involved double or triple extortion tactics, where sensitive files are stolen and payment is required to decrypt files, prevent the publication of data, and prevent attacks on customers and suppliers.

According to the survey, 38% of attacks involved threats to extort victims’ customers using stolen data, 35% involved threats to expose stolen data on the dark web, and 32% involved threats to inform customers that their data had been stolen.

16% of customers who did not pay the ransom had their data exposed on the dark web. 35% of victims said they paid the ransom but were still unable to recover their data, and 18% of victims said they paid the ransom to prevent the exposure of stolen data, but the information was still exposed on the dark web. 8% said they refused to pay the ransom and then the attackers attempted to extort their customers.

Many ransomware gangs now operate under the ransomware-as-a-service (RaaS) model, where affiliates are recruited to conduct attacks for a cut of any ransoms they generate. While the RaaS operators often provide playbooks and issue guidelines for conducting attacks, there is little enforcement of compliance. Ransomware gangs often operate for short periods and try to extort as much money as possible from victims before shutting down their operations and rebranding and starting again. There have also been cases of ransomware gangs providing stolen data and access to networks to other cybercriminal groups regardless of if the ransom is paid, showing quite clearly that ransomware gangs cannot be trusted. Some ransomware gangs have taken over negotiations with victims from their affiliates and have cut the affiliates out and have not issued payment, showing there is also no honor among thieves.

“Organizations are unprepared to defend against ransomware that exfiltrates data, so they pay the ransom, but this only motivates attackers to seek more,” said Venafi vice president, Kevin Bocek. “The bad news is that attackers are following through on extortion threats, even after the ransom has been paid!”

HHS Warns of Potential Threats to the Healthcare Sector

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the U.S. health sector about potential cyber threats that could spill over from the conflict in Ukraine and affect U.S. healthcare organizations.

HC3 said the HHS is unaware of any specific threats to the Health and Public Health (HPH) Sector; however, it is clear that allies on both sides of the conflict have cyber capabilities and there are fears that there could be cyberattacks on the HPH sector as a consequence of the conflict.

HC3 has warned that threats could come from three areas: threat actors linked to the Russian government, threat actors linked to the Belarusian government, and cybercriminal groups operating out of Russia and its neighboring states. There is also potential for other cybercriminal groups to either get involved in the conflict or take advantage of the conflict to conduct unrelated cyberattacks.

“Russia has for several decades been one of the most capable cyber powers in the world. Going back to the Moonlight Maze attacks against the US Department of Defense in the 1990s, Russian state-sponsored actors have been believed to be behind some of the most sophisticated cyberattacks publicly disclosed. Specifically, they are known to target adversarial critical infrastructure in furtherance of their geopolitical goals,” warns HC3.

There are also highly capable cyber criminal organizations that operate out of Russia or have voiced their support for Russia, including the operators of Conti Ransomware. The Conti ransomware gang, which is widely believed to have also operated Ryuk ransomware, has extensively targeted the healthcare sector in the United States. The Conti ransomware gang engages in big game hunting, multi-stage attacks, and targets managed service providers and their downstream clients. The Conti ransomware gang engages in double and triple extortion, exfiltrating data prior to encryption and then threatening to publish the data and notify partners and shareholders if payment is not made.

HC3 believes that the Conti ransomware gang and/or other cybercriminal groups could either join in the conflict or take advantage of the conflict for financial gain. The threat group known as UNC1151 is believed to be part of the Belarusian military and reportedly conducted phishing campaigns targeting Ukrainian soldiers in January, and the WhisperGate wiper was used in cyberattacks in Ukraine that have been linked to Belarus.

WhisperGate is one of three wiper malware variants that have recently been identified. These wiper malware variants use ransomware as a decoy and drop ransom notes that claim files have been encrypted; however, the master boot record is corrupted rather than encrypted and there is no mechanism for recovery.

Another wiper, dubbed HermeticWiper, has been used in attacks in Ukraine since February 24, 2022, and several variants of it have so far been identified. ESET has recently identified a further wiper, which the firm dubbed IsaacWiper, that it is currently analyzing.

While attacks involving these malware variants are currently concentrated in Ukraine, in 2017, NotPetya wiper malware was used in targeted attacks in Ukraine and was delivered through compromised tax software, but attacks involving the malware spread globally and affected multiple healthcare organizations in the United States.

All organizations in the HPH sector are strongly advised to adopt a heightened state of vigilance, take steps to improve their defenses, and review CISA guidance on mitigations and improving resilience to cyberattacks.

OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture

In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry.

2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached.

The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled.

Pino also drew attention to the critical vulnerability identified in the Java-based logging utility Log4J, which has been incorporated into many healthcare applications. The vulnerability was discovered in December 2021 and cybercriminals and other threat groups were quick to exploit it to gain access to servers and networks for a range of malicious purposes.

The vulnerabilities and data breaches show how important it is for healthcare organizations to be vigilant to threats and take prompt action when new risks to the confidentiality, integrity, and availability of protected health information are identified. “With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022,” said Pino.

Pino said OCR investigations and audits have uncovered many cases of noncompliance with the risk analysis and risk management requirements of the HIPAA Rules. “All too often, we see that risk analyses only cover the electronic health record. I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope,” explained Pino. “You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”

OCR’s investigations of data breaches in 2020 showed multiple areas where HIPAA-regulated entities need to take steps to improve compliance with the standards of the HIPAA Security Rule, especially in the following areas:

  • Risk analysis
  • Risk management
  • Information system activity review
  • Audit controls
  • Security awareness and training
  • Authentication

Pino made several recommendations, including reviewing risk management policies and procedures, ensuring data are regularly backed up (and testing backups to ensure data recovery is possible), conducting regular vulnerability scans, patching and updating software and operating systems promptly, training the workforce how to recognize phishing scams and other common attacks, and practicing good cyber hygiene.

“We owe it to our patients, and industry, to improve our cybersecurity posture in 2022 so that health information is private and secure”, concluded Pino, who also drew attention to resources that have been made available by CISA and the Office for Civil Rights to help protect against common threats to ePHI.

NIST Requests Comments on How to Improve its Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is seeking feedback on the usefulness of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and suggestions on any improvements that can be made.

The NIST Cybersecurity Framework was released in 2014 to help public and private sector organizations implement cybersecurity standards and best practices to improve their cybersecurity posture, better defend against cyber threats, and quickly identify and respond to cyberattacks in progress to limit the harm that can be caused. The NIST Cybersecurity Framework is considered the gold standard for cyber threat management; however, that does not mean improvements could not be made.

The last update to the Cybersecurity Framework occurred in April 2018, and the past four years have seen considerable changes to the cybersecurity threat landscape. New threats have emerged, the tactics, techniques, and procedures used by cyber threat actors have changed, there are new technologies and security capabilities, and more resources are available to help with the management of cybersecurity risk. NIST is now considering updating its Framework again to take these factors into account.

The NIST Cybersecurity Framework has been adopted by many healthcare organizations to improve cybersecurity, but some healthcare organizations have faced challenges implementing the Framework and currently fewer than half of healthcare organizations are adhering to NIST standards. NIST wants to learn about the challenges organizations have faced implementing the Framework and the commonalities and conflicts with other non-NIST frameworks and approaches that are used in conjunction with the NIST Cybersecurity Framework. There may be ways of improving alignment or integration of those approaches with the NIST Cybersecurity Framework. NIST wants suggestions on changes that could be made to the features of the Framework, features that should be added or removed, and any other ways that NIST could improve the Framework to make it more useful.

In addition to feedback on the Cybersecurity Framework, NIST has requested comments on possible improvements to other NIST guidance and standards, including its guidance on improving supply chain cybersecurity. NIST recently announced that it would launch the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to address cybersecurity risks in supply chains. NIST has requested comments on challenges related to the cybersecurity aspects of supply chain risk management that could be addressed by the NIICS, and whether there are currently gaps in existing cybersecurity supply chain risk management guidance and resources, including the application of those resources to information and communications technology, operational technology, IoT, and industrial IoT.

NIST has requested all comments be submitted by April 25, 2022.

The post NIST Requests Comments on How to Improve its Cybersecurity Framework appeared first on HIPAA Journal.

Hospitals and Health Systems Warned of Elevated Risk of Destructive Cyberattacks

Now that the build-up of Russian troops on the border of Ukraine has progressed into a full invasion, warnings have been issued about the elevated threat of cyberattacks on organizations in the United States and other countries that have imposed economic and military sanctions on Russia.

Russia has a history of using destructive cyberattacks against its adversaries. In 2015 and 2016, the Russian General Staff Main Intelligence Directorate (GRU) conducted cyberattacks on the Ukrainian electricity grid; in 2017, the Ukrainian financial, energy, and government sectors were targeted in a series of cyberattacks, including the NotPetya wiper attacks on Ukrainian businesses. In January this year, a wiper malware dubbed WhisperGate was used in attacks on the country, and Distributed Denial-of-Service (DDoS) attacks have recently been reported, along with the use of a new wiper malware in the past few days. Russia was also behind a series of disruptive cyberattacks on Georgia in 2019.

This week, FBI Cyber Section chief David Ring reportedly briefed private sector executives and state and local officials about the increased threat of ransomware attacks from hacking groups backed by Russia and urged them to consider how critical services could continue to be provided in the event of an attack. There is also concern that the recent DDoS attacks in Ukraine could be extended to NATO members and other foreign targets, and that pro-Russia hacking groups will increase their attacks on organizations in countries that are showing support for Ukraine.

CISA recently issued a “Shields Up” warning to critical infrastructure entities in the United States due to the elevated risk of destructive cyberattacks. CISA urged all organizations to take a proactive approach to defending their digital environments, and the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning about the use of misinformation, disinformation, and malinformation tactics to shape public opinion, undermine trust, amplify division, and sow discord, which could undermine security in the United States.

On February 23, 2022, the American Hospital Association (AHA) issued a warning to hospitals and health systems that they may be directly targeted by Russian-sponsored cyber actors, become incidental victims of Russian-deployed malware and destructive cyberattacks, and that those attacks have the potential to disrupt the mission-critical service providers of hospitals. While hospitals and health systems may not be the primary targets of cyberattacks, there is still potential for collateral damage, as was the case with the spillover of the NotPetya wiper malware attacks in Ukraine in 2017, which spread globally and disrupted operations at a large U.S. pharmaceutical company, a major U.S. health care communications company, and several U.S. hospitals.

Hospitals and health systems have been advised to review the security alerts published by CISA, the FBI, and the NSA to better understand the threats they face, and to implement the recommended mitigations to prepare for possible attacks, enhance their cyber posture, and increase organizational vigilance. The Health Information Sharing and Analysis Center (Health-ISAC) has said it will be increasing its reports and intelligence for its members and will provide strategic analysis and information about the implications of the Russia-Ukraine conflict for the healthcare industry and pharmaceutical firms.

The post Hospitals and Health Systems Warned of Elevated Risk of Destructive Cyberattacks appeared first on HIPAA Journal.