Healthcare Cybersecurity

CISA, FBI, NSA Warn of Increased Threat of Ransomware Attacks on Critical Infrastructure

Posted February 14, 2022 by HIPAA Journal

A joint security advisory has been issued by cybersecurity agencies in the United States, United Kingdom, and Australia, warning about the increased globalized threat of ransomware attacks and the elevated risk of targeted attacks on critical infrastructure entities.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed high-impact ransomware attacks against 14 of the 16 critical infrastructure sectors in 2021, including government facilities, financial services, transportation systems, water and wastewater systems, energy, and healthcare and public health.

The UK’s National Cyber Security Centre (NCSC-UK) says ransomware is now the biggest cyber threat faced by the country, with education the most targeted sector. There has also been an increase in attacks on businesses, charities, law firms, local government public services, and the healthcare sector. The Australian Cyber Security Centre (ACSC) says ransomware gangs are targeting critical infrastructure sectors including healthcare and medical, financial services and markets, higher education and research, and energy.

In the cybersecurity advisory, the CISA, the FBI, and the NSA share information about ransomware trends observed in 2021 ransomware attacks and the tactics, techniques, and procedures known to be used by ransomware gangs to gain access to networks, move laterally, and increase the impact of their attacks and suggest mitigations that can reduce the likelihood of a ransomware attack succeeding and the impact of a successful attack.

2021 Ransomware Attack Trends

In the United States, the first half of 2021 saw ransomware gangs target ‘big game’ targets such as Colonial Pipeline, Kaseya, JBS Foods; however, the increased scrutiny on ransomware gangs following these attacks saw them shift their focus to mid-sized targets; however, big game targeting continued throughout 2021 in the United States and Australia.

In Europe, ransomware gangs have been sharing victim information with other ransomware operations and cybercriminal groups. The BlackMatter ransomware operation shutdown and transferred existing victims to the LockBit 2.0 infrastructure and the Conti ransomware gang is known to have sold access to victims’ networks to other cybercriminal groups.

While double extortion tactics have become the norm, 2021 saw an increase in tripe extortion attacks where, in addition to encryption, files are exfiltrated and a demand is issued for payment to prevent the publication of the stolen data, Internet access is disrupted, and threats are issued to inform partners, shareholders, and suppliers about the attack.

Methods Used to Gain Access to Victims’ Networks

CISA, the FBI, and the NSA say ransomware gangs have increasingly sophisticated technological infrastructure and the ransomware threat is increasing globally. Ransomware gangs are using many methods to gain access networks, which makes implementing defensive measures to block the attacks a major challenge.

Initial access to networks is gained through phishing attacks to obtain credentials, using stolen Remote Desktop Protocol (RDP) credentials, brute force tactics to guess weak credentials and the exploitation of known vulnerabilities that have yet to be patched. CISA has identified several new vulnerabilities that are being actively targeted by ransomware gangs which have been added to its Known Exploited Vulnerabilities Catalog, which now includes 368 vulnerabilities. These attack vectors have proven successful due to the increased attack surface due to remote working and schooling as a result of the pandemic, which has made it difficult for IT security teams to patch vulnerabilities and address security weaknesses while supporting their remote workers and learners.

Ransomware gangs are now operating more like professional businesses and are increasingly outsourcing certain functions to specialist cybercriminal groups, who assist with payments, negotiations, arbitration, and provide 24/7 help centers for victims.

Increasing the Impact of Ransomware Attacks

2021 has seen an increase in the severity of ransomware attacks. The attacks are conducted to cause as much disruption as possible to increase the likelihood of the ransom being paid. Ransomware gangs are targeting cloud infrastructures and are exploiting known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software. There has been an increase in attacks on managed service providers and their downstream clients, and industrial processes and the software supply chain are being targeted. Attacks are often conducted at the weekend or during holidays when there are likely to be fewer network defenders and support personnel on hand to identify and respond to attacks.

Defending Against Ransomware Attacks

The security advisory details a long list of mitigations to reduce the likelihood of a successful attack and the severity of an attack should perimeter defenses be breached, including limiting the ability of threat actors to learn about an organization’s IT environment and move laterally.

You can view the list of recommended mitigations here.

The post CISA, FBI, NSA Warn of Increased Threat of Ransomware Attacks on Critical Infrastructure appeared first on HIPAA Journal.

Immediate Patching Required to Fix Critical SAP Vulnerabilities

Posted February 10, 2022 by HIPAA Journal

The German business software provider SAP has released patches to fix a set of critical vulnerabilities that affect SAP applications that use the SAP Internet Communications Manager (ICM). The vulnerabilities were identified by researchers at Onapsis Research Labs, who dubbed the flaws ICMAD (Internet Communications Manager Advanced Desync). All three of the flaws could be exploited to achieve remote code execution, which would allow remote attackers to fully compromise vulnerable SAP applications.

The vulnerabilities affect the following SAP applications:

SAP NetWeaver AS ABAP
ABAP Platform
SAP NetWeaver AS Java
SAP Content Server 7.53
SAP Web Dispatcher

The flaws could be exploited to steal victim sessions and credentials in plaintext, change the behavior of applications, obtain PHI and sensitive business data, and cause denial-of-service. The vulnerability CVE-2022-22536 is the most serious of the three and has been assigned the maximum CVSS severity score of 10/10. Onapsis said the flaw can be easily exploited by an unauthenticated attacker on SAP applications in the default configuration by sending a single request through the commonly exposed HTTP(S) service.

When business applications allow HTTP(S) access, the most common configuration is for an HTTP(S) proxy to be sitting between clients and the backend SAP system, and this configuration allows the flaw to be exploited. The second vulnerability, tracked as CVE-2022-22532 (CVSS 8.1) can also be exploited in this configuration, and even in the absence of proxies. The third vulnerability, tracked as CVE-2022-22533 (No CVSS score at present) can also lead to remote code execution.

The vulnerabilities were identified while researching HTTP smuggling techniques, which the researchers determined could be leveraged using requests that closely mirror legitimate HTTP requests. As such, these attacks would be difficult for security teams to detect. Further, the vulnerabilities are also very easy to exploit.

SAP applications are extensively used by businesses, including in the healthcare industry. When vulnerabilities are discovered, they are quick to be exploited by hackers to gain access to applications to steal data or cripple business systems. Oftentimes, the first exploits of SAP vulnerabilities occur within 72 hours of patches being released.

SAP applications are used to manage business processes and in healthcare, the applications often contain protected health information. Vulnerabilities in SAP applications could therefore be exploited to steal patient data.

SAP and Onapsis have urged all businesses using vulnerable SAP applications to apply the patches immediately to prevent exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory about the vulnerabilities urging immediate patching. Organizations should prioritize patching affected systems that are exposed to untrusted networks, such as the Internet. Onapsis has released a free, open source scanning tool that can be used by businesses to discover if they are vulnerable to ICMAD exploits.

The post Immediate Patching Required to Fix Critical SAP Vulnerabilities appeared first on HIPAA Journal.

Latest Phishing Kits Allow Multi-Factor Authentication Bypass

Posted February 9, 2022 by HIPAA Journal

Phishing attacks allow threat actors to obtain credentials, but multi-factor authentication (MFA) makes it harder for phishing attacks to succeed. With MFA enabled, in addition to a username and password, another method of authentication is required before account access is granted. Microsoft has previously said multi-factor authentication blocks 99.9% of automated account compromise attacks; however, MFA does not guarantee protection. A new breed of phishing kit is being increasingly used to bypass MFA.

Researchers at Proofpoint explained in a recent blog post that phishing kits are now being used that leverage transparent reverse proxy (TRP), which allows browser man-in-the-middle (MitM) attacks. The phishing kits allow the attackers to compromise browser sessions and steal credentials and session cookies in real-time, allowing a full account takeover without alerting the victim.

There are multiple phishing kits that can often be purchased for a low cost that allow MFA to be bypassed; some are simple with no-frills functionality, while others are more sophisticated and incorporate multiple layers of obfuscation and have modules for performing a range of functions, including the theft of sensitive data such as passwords, Social Security numbers, credit card numbers, and MFA tokens.

With standard phishing attacks, the attackers create a fake login page to trick visitors into disclosing their credentials. Oftentimes the phishing page is a carbon copy of the site it impersonates, with the URL the only sign that the phishing page is not genuine. One of the MitM phishing kits identified by the Proofpoint team does not use these fake pages, instead, it uses TRP to present the genuine landing page to the visitor. This approach makes it impossible for victims to recognize the phishing scam. When a user lands on the page and a request is sent to that service, Microsoft 365 for instance, the attackers capture the username and password before they are sent and steal the session cookies that are sent in response in real-time.

The researchers refer to a study of MitM phishing kits by Stony Brook University and Palo Alto Networks which identified more than 1,200 phishing sites using MitM phishing kits. Worryingly, these phishing sites are often not detected and blocked by security solutions. 43.7% of the domains and 18.9% of the IP addresses were not included on popular blocklists, such as those maintained by VirusTotal. Further, while standard phishing pages typically only have a lifespan of around 24 hours before they are blocked, MitM phishing pages last much longer. 15% of those detected lasted for longer than 20 days before they were added to blocklists.

The use of these phishing kits is increasing, albeit relatively slowly, however, the Proofpoint researchers believe that MitM phishing kits will be much more widely adopted by threat actors in response to the increased use of MFA. “[MitM phishing kits] are easy to deploy, free to use, and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new unexpected directions,” said Proofpoint.

The post Latest Phishing Kits Allow Multi-Factor Authentication Bypass appeared first on HIPAA Journal.

HC3: Lessons Learned from the Ransomware Attack on Ireland’s Health Service Executive

Posted February 8, 2022 by HIPAA Journal

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has released a report providing insights into the May 2021 Conti ransomware attack on the Health Service Executive (HSE) in Ireland, and advice for the healthcare and public health (HPH) sector to help prepare, respond, and recover from ransomware attacks.

The report provides information on the vulnerabilities and weaknesses that were exploited by the Conti ransomware gang, and how the HSE’s lack of preparedness for ransomware attacks hampered its efforts to detect, respond and remediate the attack and contributed to the long and expensive recovery process.

The Conti ransomware gang, believed to be a reincarnation of the notorious Ryuk ransomware operation, first gained access to the HSE network on May 7, 2021, and the networks of six voluntary hospitals and one statutory hospital were compromised between May 8, 2021, and May 12, 2021. One of the affected hospitals detected the attack on May 10, and the HSE was alerted to the cyberattack on May 12. Between May 12 and May 13, the attacker accessed files and folders on HSE systems. The Department of Health and one hospital prevented attacks on their networks on May 13, but in the early hours of May 14, 2021, other hospitals and the HSE started to have files encrypted. The HSE said around 80% of its network was encrypted in the attack.

The attackers issued a ransom demand; however, a week after files were encrypted the gang provided the keys to decrypt files for free, but then insisted the HSE pay the ransom to prevent the publication or sale of the stolen data. It took until September 21, 2021 – four months after files were encrypted – to restore 100% of HSE servers and 99% of its applications. Recovery from the ransomware attack cost the HSE hundreds of millions of dollars and the attack could have been even more costly and damaging had the Conti ransomware gang not provided the decryption keys.

The Conti ransomware gang has conducted at least 40 ransomware attacks in 2021 in the United States, Columbia, Europe, India, and Australia, including attacks on HPH entities in at least 20 U.S. states. Attacked healthcare entities include biotech firms, health/medical clinics, home healthcare services, hospices/elderly care, hospitals, pharma firms, healthcare industry services, and public health entities.

In December 2021, the HSE released a 157-page report of an independent post-incident review by PricewaterhouseCoopers (PwC) that detailed the background to the attack, the timeline, the recovery process, cybersecurity failures, and provided many recommendations. The PwC report was the reference for the HC3 report.

The PwC and HC3 reports detail many cybersecurity failures that contributed to the slow detection of the attack, the inability to respond quickly to security alerts and implement mitigations, and the extensive recovery time. Despite the high risk of ransomware attacks on the healthcare industry, the HSE was simply not prepared to deal with a ransomware attack. There was no single owner for cybersecurity at a senior executive or management level, no dedicated committee providing direction and oversight of cybersecurity activities, multiple weaknesses and gaps in cybersecurity controls, no cybersecurity forum to discuss and document risks, no centralized cybersecurity function to manage cybersecurity risks and controls, and the teams responsible for cybersecurity were known to be under-resourced.

The technology used by the HSE was overly complex, which increased vulnerability to cyberattacks. There was a large and unclear security boundary, the effective security boundary did not align with its ability to mandate cybersecurity controls, and there was no effective monitoring of the capability to detect and respond to attacks. High-risk gaps were identified in 25 of the 28 cybersecurity controls that are most effective at detecting and preventing human-operated ransomware attacks, and the HSE was overly reliant on antivirus software for protecting endpoints. The HSE had no documented cyber incident response plan and had not performed exercises of the technical response to an attack. The HSE was therefore heavily reliant on third parties in the weeks following the attack to provide structure to its response activities.

While many ransomware actors are stealthy, the Conti ransomware attack was not. On May 7, 2021, the HSE’s antivirus detected Cobalt Strike on six servers, two hospitals identified an intrusion before the ransomware was deployed, and two organizations prevented the deployment of ransomware, but there was no centralized response from the HSE.

The report highlights the consequences of not having an effective cybersecurity strategy, the need to prepare thoroughly for an attack, and the importance of governance and cybersecurity leadership. As serious as the attack was, some good can come out of it. Healthcare organizations around the world can learn from the attack and apply the lessons learned by the HSE to prevent attacks on their own IT infrastructure, and ensure they are properly prepared to respond to a ransomware attack should their defenses be breached.

The post HC3: Lessons Learned from the Ransomware Attack on Ireland’s Health Service Executive appeared first on HIPAA Journal.

FBI Shares Technical Details of Lockbit 2.0 Ransomware

Posted February 8, 2022 by HIPAA Journal

The Federal Bureau of Investigation (FBI) has released indicators of compromise (IoCs) and details of the tactics, techniques, and procedures (TTPs) associated with Lockbit 2.0 ransomware.

Lockbit is a ransomware-as-a-service (RaaS) operation that has been active since September 2019. In the summer of 2021, a new version of the ransomware – Lockbit 2.0 – was released that had more advanced features, including the ability to automatically encrypt files across Windows domains via Active Directory group policies, and a Linux based malware was also developed that could exploit vulnerabilities in VMware ESXi virtual machines.

The affiliates working for the ransomware operation use a range of TTPs in their attacks, which makes prevention, detection, and mitigation a challenge for security teams. Initial access is gained by exploiting unpatched vulnerabilities, using zero-day exploits, and purchasing access to business networks from initial access brokers (IABs). Shortly after the relaunch of the RaaS, the threat actor started advertising on hacking forums trying to recruit insiders who could provide network access in exchange for a cut of any ransom payment that is generated.

Once access to a network has been gained, the threat actors use a range of publicly available tools for lateral movement, privilege escalation, and exfiltrating sensitive data. Stolen data are used as leverage to pressure victims into paying the ransom. If victims refuse to pay the ransom, stolen data are published on the Lockbit 2.0 data leak site.

The infection process sees log files and shadow volume copies deleted, and system information is enumerated such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. Affiliates are able to specify the file types to exfiltrate from the admin panel, and those files are then copied to an attacker-controlled server via HTTP. Some affiliates use other methods to achieve the same purpose, such as rclone and MEGAsync, as well as publicly available file-sharing services. After data exfiltration, the ransomware encrypts files on local and remote devices, leaving core system files intact. The ransomware then deletes itself from the disk and creates persistence at startup. Lockbit 2.0 will exit without infection if Russian or any languages of the former Soviet republics are detected.

Like several other RaaS operations, the group claims it will not conduct ransomware attacks on healthcare organizations; however, other groups have made similar claims yet have still attacked the healthcare sector. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has advised all organizations in the HPH sector to read and apply the information contained in the FBI’s TLP: White Flash Alert and take steps to reduce their attack surface to the greatest extent possible.

Measures that should be taken include setting strong, unique passwords for all accounts, implementing multi-factor authentication, keeping software and operating systems up to date, removing unnecessary access to administrative shares, segmenting networks, and implementing a host-based firewall and robust data backup program.

The post FBI Shares Technical Details of Lockbit 2.0 Ransomware appeared first on HIPAA Journal.

Unpatched Vulnerabilities are the Most Common Attack Vector Exploited by Ransomware Actors

Posted February 4, 2022 by HIPAA Journal

Ransomware gangs are increasingly targeting unpatched vulnerabilities in software and operating systems to gain access to business networks, and they are weaponizing zero-day vulnerabilities at record speed. Unpatched vulnerabilities are now the primary attack vector in ransomware attacks, according to Ivanti’s Ransomware End of Year Spotlight report.

Ivanti partnered with Certifying Numbering Authority (CNA) Cyber Security Works and the next-gen SOAR and threat intelligence solution provider Cyware for its report, which identified 32 new ransomware variants in 2021 – An increase of 26% from the previous year. There are know 157 known ransomware families that are being used in cyberattacks on businesses.

Ivanti says 65 new vulnerabilities were identified in 2021 that are known to have been exploited by ransomware gangs – an increase of 29% year-over-year – bringing the total number of vulnerabilities tied to ransomware attacks to 288. 37% of the new vulnerabilities were trending on the dark web and have been exploited in multiple attacks, and 56% of the 223 older vulnerabilities continue to be routinely exploited by ransomware gangs.

Ransomware gangs and the initial access brokers they often use are searching for and leveraging zero-day vulnerabilities, oftentimes exploiting them in their attacks before the vulnerabilities have been issued CVE codes and have been added to the National Vulnerability Database (NVD). This was the case with the QNAP (CVE-2021-28799), Sonic Wall (CVE-2021-20016), Kaseya (CVE-2021-30116), and Apache Log4j (CVE-2021-44228) vulnerabilities.

The report highlights the importance of applying patches promptly but also emphasizes the need to prioritize patching to ensure vulnerabilities that have been weaponized are patched first. While it is important to keep track of vulnerabilities as they are added to the NVD, security teams should also sign up to receive threat intelligence feeds and security advisories from security agencies and should be on the lookout for exploitation instances and vulnerability trends.

While ransomware attacks on individual businesses are common, ransomware gangs are looking for major paydays and are increasingly targeting managed service providers and supply chain networks to inflict damage on as many businesses as possible. A supply chain attack or an attack on a managed service provider allows a ransomware gang to conduct ransomware attacks on dozens or even hundreds of victim networks, as was the case with REvil’s ransomware attack on the Kaseya VSA remote management service.

Ransomware gangs are also increasingly collaborating with others, either through ransomware-as-a-service (RaaS), where affiliates are used to conduct large numbers of attacks for a cut of the ransom payments, exploit-as-a-service, where exploits for known vulnerabilities are rented from developers, and dropper-as-a-service operations, where ransomware gangs pay malware operators to drop malicious payloads on infected devices.

“Ransomware groups are becoming more sophisticated, and their attacks more impactful. These threat actors are increasingly leveraging automated tool kits to exploit vulnerabilities and penetrate deeper into compromised networks,” said Srinivas Mukkamala, Senior Vice President of Security Products at Ivanti. “Organizations need to be extra vigilant and patch weaponized vulnerabilities without delays. This requires leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation.”

The post Unpatched Vulnerabilities are the Most Common Attack Vector Exploited by Ransomware Actors appeared first on HIPAA Journal.

HC3: BlackMatter Ransomware Threat Level Reduced

Posted February 3, 2022 by HIPAA Journal

In September 2021, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued an advisory to the health sector about an elevated threat of BlackMatter ransomware attacks. A few days ago, a second advisory was issued stating the threat level has been reduced to Blue/Guarded. HC3 said the ransomware-as-a-service (RaaS) operation appears to have been shut down and there have been no further victims listed on the BlackMatter RaaS data leak site since October 31, 2021.

The BlackMatter ransomware operation is believed by many security experts to be a rebranding of the DarkSide ransomware gang, which conducted the ransomware attack on Colonial Pipeline in May 2021 that disrupted fuel delivery to the Eastern Seaboard. The DarkSide operation was shut down shortly after the Colonial Pipeline attack, and BlackMatter ransomware attacks started in July 2021. Approximately half of the attacks conducted by the BlackMatter ransomware gang were on entities based in the United States, including at least four healthcare organizations – A pharmaceutical consulting company, a medical testing & diagnostics company, and a dermatology clinic.

On November 1, 2021, a member of the BlackMatter ransomware operation claimed the RaaS program was being shut down due to pressure from law enforcement and said key members of its group were no longer available. The remaining victims of the attacks were then moved to the LockBit ransomware negotiation site.

It is common for RaaS operations to shut down and then re-emerge under a different name with a different ransomware variant, as appears to be the case with DarkSide and BlackMatter. The affiliates of the operations who conduct the attacks for a cut of the profits simply switch to a competing ransomware operation and continue to conduct attacks.

Several ransomware operations have either shut down or been taken down by law enforcement over the past few months, including the notorious REvil ransomware operation, which was believed to be a rebranding of the GandCrab ransomware operation. Despite these shutdowns, the threat of ransomware attacks remains high.

“While the group appears to have shut down operations, other actors seeking lucrative payouts from ransomware attacks are likely to fill this void,” warned HC3.

The post HC3: BlackMatter Ransomware Threat Level Reduced appeared first on HIPAA Journal.

Technologies Supporting Telehealth are Placing Healthcare Data at Risk

Posted February 2, 2022 by HIPAA Journal

A new report from Kaspersky indicates the massive increase in telehealth has placed healthcare data at risk. Vulnerabilities have been found in the technologies that support telemedicine, many of which have not yet been addressed.

Massive Increase in the Use of Telehealth

The COVID-19 pandemic has led to an increase in virtual visits, with healthcare providers increasing access to telehealth care to help curb infections and cut costs. Virtual visits are conducted via the telephone, video-conferencing apps, and other platforms, and a host of new technologies and products such as wearable devices for measuring vital signs, implanted sensors, and cloud services are also being used to support telehealth.

Data from McKinsey shows telemedicine usage has increased by 38% since before the emergence of SARS-Cov-2 and COVID-19, and the CDC reports that between June 26, 2020, and November 6, 2020, around 30% of all consultations with doctors were taking place virtually. Kaspersky says that its own data indicate 91% of healthcare providers around the world have implemented the technology to give them telehealth capabilities.

Telehealth has literally been a lifesaver during the pandemic; however, the use of new technologies is not without risk. Many of the products and services now being used to support telehealth include a variety of third-party components that have not been verified as having the necessary safeguards to ensure the confidentiality, integrity, and availability of healthcare data, and they are potentially putting patient information is at risk.

Kaspersky hypothesized that the rapid digitalization of medical services and the wealth of sensitive and valuable patient data collected, stored, or transmitted by these new healthcare technologies has not gone unnoticed and cybercriminals, who are looking to exploit vulnerabilities. A study was devised to explore the security landscape of telehealth in 2020 and 2021 to determine the extent to which healthcare data is being put at risk.

Analysis of Telehealth Applications and Related Technology

In the summer of 2021, Kaspersky conducted an analysis of 50 of the most popular applications that were being used to provide telehealth services to identify vulnerabilities that could potentially be exploited to gain access to patient data, and checked for the presence of malicious code used to mimic those applications or steal data from them. No vulnerabilities were identified in the 50 applications, although that does not mean vulnerabilities do not exist, only that they have not been found by researchers. Deeper analyses of those apps may uncover vulnerabilities.

“In the absence of centralized quality control of telehealth at the application level, their security can significantly vary from product to product,” suggests Kaspersky. “Another unfortunate fact is that smaller companies, like start-ups, simply do not have enough hands and resources to control the quality and safety of their applications. Accordingly, such applications may contain many vulnerabilities currently unknown to the public that cybercriminals can find and use.”

The researchers then looked at wearable devices and sensors, which are often used in conjunction with telemedicine, specifically, the most commonly used protocol for transferring data from wearable devices and sensors – MQTT..

Kaspersky notes in its report – Telehealth: A New Frontier in Medicine- and Security – that MQTT does not require authentication for data transfers, and even if authentication is implemented, data are transferred in plain text with no encryption, which means MQTT is susceptible to man-in-the-middle (MITM) attacks to gain access to the transferred data. If a device is exposed to the Internet, data transfers via MQTT could easily be intercepted.

According to Kaspersky, between 2016 and 2021, 87 vulnerabilities have been identified in MQTT, and 57 of those vulnerabilities were rated critical or high-severity. Many of those vulnerabilities have still not been patched.

Kaspersky reports that the most common wearable device platform, Qualcomm Snapdragon Wearable, is riddled with vulnerabilities. Since the platform was launched in 2020, more than 400 bugs have been detected, many of which have yet to be patched. Multiple vulnerabilities have also been identified in other vendors’ wearable devices.

Cybercriminals Are Looking to Exploit Vulnerabilities to Access Patient Data

Kaspersky warns that cybercriminals are increasingly using medical themes in their phishing campaigns. Between June 2021 and December 2021, more than 150,000 phishing attacks were detected that used medical themes as lures, and as the digitization of healthcare increases, that trend is only likely to continue to increase.

Telehealth is likely to continue to be used to provide care to patients for years to come and there have been calls for the telehealth flexibilities introduced in response to the pandemic to be made permanent. It is therefore vital for app developers and manufacturers of wearable devices, as well as the healthcare organizations that use them, to be aware of the security risks associated with the technology.

Developers need to be aware of vulnerabilities that could be exploited to gain access to patient data and should implement appropriate safeguards to keep data protected. Users of telehealth services, especially frontline workers who have a say in the platforms and devices used for telehealth, should study the security of each application or product and take steps to secure their accounts with strong passwords, multifactor authentication.

“We expected that 2021 would be a year of greater collaboration between the medical sector and IT security specialists,” said Kaspersky. “In some ways, our expectations were met, but the explosive growth of telehealth has brought new challenges to this collaboration which have yet to be solved.”

The post Technologies Supporting Telehealth are Placing Healthcare Data at Risk appeared first on HIPAA Journal.

Settlement Reached in Excellus Class Action Data Breach Lawsuit

Posted January 26, 2022 by HIPAA Journal

Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement to resolve a class action lawsuit that was filed in relation to a cyberattack discovered in 2015 involving the personally identifiable information (PII) and protected health information (PHI) of more than 10 million members, subscribers, insureds, patients, and customers.

The cyberattack was detected on August 5, 2015, by a cybersecurity firm that was hired to assess Excellus’s information technology system. The subsequent investigation by Excellus and cybersecurity firm Mandiant determined hackers had first gained access to its systems on or before December 23, 2013. Evidence was found that indicated the hackers were active within its network until Aug. 18, 2014, after which no traces of activity were found; however, malware had been installed which gave the attackers access to its network until May 11, 2015. On that date, something happened that prevented the hackers from accessing its network. It took Excellus 17 months from the initial intrusion to detect the security breach.

The HHS’ Office for Civil Rights (OCR) launched an investigation into the data breach and uncovered several potential violations of the HIPAA Rules, including security failures and the impermissible disclosure of the PHI of 9.3 individuals. The case was settled in January 2021 and Excellus agreed to pay a financial penalty of $5.1 million to resolve the HIPAA violations and to implement a corrective action plan to address the security failures and the alleged HIPAA non-compliance issues.

The lawsuit was brought against Excellus, Lifetime Healthcare Inc., Lifetime Benefit Solutions Inc., Genesee Region Home Care Association Inc., MedAmerica Inc., Univera Healthcare, and the Blue Cross Blue Shield Association, on behalf of all individuals affected by the data breach. Initially, the lawsuit sought monetary damages and injunctive relief; however, for several legal reasons, the court was unable to certify classes seeking monetary damages, and only certified a class for injunctive relief.

The plaintiffs alleged the defendants had failed to implement appropriate security measures to ensure the confidentiality of PII and PHI, failed to detect the security breach for 17 months, and when the breach was detected, waited too long to notify affected individuals and then failed to provide sufficient information about how victims could protect themselves from harm. The lawsuit required the Excellus defendants and BCBSA to change their information security practices with respect to PII and PHI and to invest in information security. The Excellus defendants and BCBSA denied any wrongdoing and, to date, no court has determined the defendants have done anything wrong.

The Excellus defendants and BCBSA have agreed to cover reasonable attorneys’ fees, costs, and expenses as approved by the courts. The costs include a maximum of $3.3 million to cover attorneys’ fees and the reimbursement of expenses of no more than $1,000,000. Service awards of up to $7,500 will also be provided to class representatives.

Changes will be made to business practices regarding the safeguarding of PII and PHI which will cover the three years from the finalization of the settlement or the two years after each of the changes has been implemented. The information security requirements detailed in the settlement require the Excellus defendants and BCBSA to:

Increase and maintain a minimum information security budget
Develop a strategy and engage vendors to ensure records containing PII or PHI are disposed of within one year of the original retention period
Take steps to improve the security of its network, including the use of tools for detecting suspicious activity, authenticating users, responding to and containing security incidents, and document retention
Engage in an extensive data archiving program and provide plaintiffs with documentation confirming the extent, scope, and thoroughness of the archiving project
Provide the plaintiffs with copies of documents provided to OCR that demonstrate compliance with the OCR settlement and corrective action plan
Make an annual declaration attesting to compliance with each aspect of the items in the settlement, including the extent to which it has not been possible to comply with any of the items

If the settlement is agreed by the court – a hearing has been scheduled for April 13, 2022 – all plaintiffs and class members will be required to release all claims against the Excellus defendants and BCBSA for injunctive and declaratory relief. The settlement will not release any claims against the Excellus defendants and BCBSA for monetary damages.

The post Settlement Reached in Excellus Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information