Healthcare Cybersecurity

Russian State-Sponsored Actors are Exploiting MFA and the PrintNightmare Vulnerability

Posted by HIPAA Journal

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint cybersecurity advisory warning that Russian state-sponsored actors are exploiting default multi-factor authentication protocols and the PrintNightmare vulnerability to gain access to networks to steal sensitive data.

These tactics have been used by Russian state-sponsored cyber actors from as early as May 2021, when a non-governmental organization (NGO) was attacked using these tactics. The threat actors were able to gain access to the network by exploiting default multi-factor authentication protocols (Cisco’s Duo MFA) on an account. The threat actors then exploited the PrintNightmare vulnerability to execute code with system privileges and were able to move laterally to the NGO’s cloud and email accounts and exfiltrated documents. PrintNightmare is a critical remote code execution vulnerability (CVE-2021-34527) in the print spooler service of Microsoft Windows.

The attackers were able to enroll a new device in the NGO’s Duo MFA using compromised credentials, which were obtained in a brute force attack that guessed a simple, predictable password. The account had been unenrolled from Duo after a long period of inactivity but had not been disabled in Active Directory. In the default setting, Duo allows the re-enrollment of new devices for dormant accounts, which allowed the attackers to enroll a new device, complete the authentication requirements, and gain access to the network. The PrintNigthtmare vulnerability was then exploited and privileges were elevated to admin level.

The threat actors were able to change the configuration of Duo MFA to call localhost rather than the Duo server, which disabled multi-factor authentication for active domain accounts, as the default policy of Duo on Windows is to Fail open if the MFA server cannot be reached. Using compromised credentials without MFA enforced allowed the threat actors to move laterally to the NGO’s cloud environment and email accounts.

Russian state-sponsored actors are adept at exploiting poorly configured MFA systems to gain access to networks to steal sensitive data. These tactics can be used on other misconfigured MFA systems. These tactics do not depend on a victim using Cisco’s Duo MFA.

CISA and the FBI have provided a list of mitigations to prevent these tactics from succeeding. It is important to set strong, unique passwords for all accounts and passwords should not be stored on a system where an adversary may have access. Consider using a password manager. These solutions have strong password generators which can help to prevent users from setting vulnerable passwords. To make it harder for brute force attacks to succeed, organizations should implement time-out and lock-out features after a set number of failed login attempts.

The FBI and CISA say MFA should be enforced for all users, without exception. However, before implementing MFA, configuration policies should be reviewed to protect against fail open and re-enrollment scenarios. Inactive accounts in Active Directory and MFA systems should be disabled, network logs should be monitored for suspicious activity and unauthorized or unusual login attempts, and software and operating systems should be kept up to date, with patching prioritized to address known exploited vulnerabilities first.

The post Russian State-Sponsored Actors are Exploiting MFA and the PrintNightmare Vulnerability appeared first on HIPAA Journal.

Healthcare Scores Poorly for Practicing the Cyber Incident Response

Posted by HIPAA Journal

2021 was another record-breaking year for healthcare industry data breaches with over 50 million records breached and over 900 data breaches were recorded by databreaches.net. Given the extent to which the healthcare industry is targeted by cyber actors, the risk of a data breach occurring is high. A SecureLink/Ponemon Institute study in 2021 found 44% of healthcare and pharmaceutical companies experienced a data breach in the past 12 months.

While steps can be taken to improve defenses to prevent cyberattacks from succeeding, healthcare organizations need to be prepared for the worse and should have an incident response plan in place that can be immediately initiated in the event of a cyberattack. With proper planning, when a cyberattack occurs, healthcare organizations will be well prepared and will be able to recover in the shortest possible time frame.

Regular exercises should be conducted to ensure everyone is aware of their responsibilities and that the plan works. All too often, victims of cyberattacks discover their incident response plan is inefficient or ineffective due to a lack of testing, which can result in a slow and costly response to a cyberattack.

This month, Immersive Labs released its 2022 cyber workforce benchmark report, which included data from more than 2,100 organizations from a range of industry sectors that use the Immersive Labs platform for conducting cyber crisis simulations. Highly prized, high profiles targets such as technology and financial services performed the most cyber crisis exercises, running an average of 9 and 7 exercises per year respectively, but healthcare organizations were near the bottom of the list, performing an average of 2 exercises per year.

In the event of a cyberattack, many different people will be involved in the response. It is therefore important for those people to participate in exercises. It is unsurprising that the more people who are involved in incident response exercises the better prepared an organization will be to respond to a cyberattack. Immersive Labs scored the effectiveness of the exercises and found that every exercise that scored more than 90% for effectiveness had an average of 11 people participating. All but one of the crisis scenarios that scored less than 50% for effectiveness had just one person participating. In healthcare, an average of 4 individuals participated in the exercises, compared to 7 in technology and 21 in education.

Immersive Labs analyzed performance for the crisis response exercises and calculated a score based on the quality of decisions throughout the entire simulation. The average performance score across all exercises was 68%, which shows there is significant room for improvement. The leading industry sector was manufacturing, with a performance score of 85%. Worryingly, healthcare performed the worst out of all industry sectors for cyber crisis response by some distance, achieving a performance score of just 18% – considerably lower than the next worst-performing sector – financial services – which scored 45%.

Immersive Labs also analyzed the speed at which 35,000 members of cybersecurity teams at 400 large organizations took to develop the knowledge, skills, and judgment to address 185 breaking threats. On average, it took 96 days for teams to develop the skills to defend against breaking threats.  They found that mitigating against one vulnerability in the Exim mail transfer agent – which affected more than 4.1 million systems and was being actively exploited – took security teams over 6 months on average to master. CISA says vulnerabilities should be patched within 15 days from initial detection.

Developing the human capabilities to defeat attackers is a slow process, especially in healthcare. The best performing sector was leisure/entertainment, which took an average of 65 days for security teams to develop the necessary skills. In healthcare, it took an average of 116 days. Only consulting, infrastructure, and transport performed worse.  Across all industry sectors, the average time to develop the skills to respond to threats was 96 days.

“The modern cyber crisis is an all-encompassing organizational trauma. Stopping incidents bringing operations to a halt and destroying reputation, corporate value and stakeholder relationships requires a holistic response from the entire workforce,” explained Immersive Labs in the report. “Achieving this kind of resilience requires a continually maturing responsive capability for technical and non-technical teams, developed by exercising with a cadence that traditional tabletop exercises struggle to achieve… exercising to gather evidence, and then using these insights to equip teams with relevant skills, is critical to ongoing resilience.”

The post Healthcare Scores Poorly for Practicing the Cyber Incident Response appeared first on HIPAA Journal.

Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021

Posted by HIPAA Journal

Protenus has released its 2022 Breach Barometer Report which confirms 2021 was a particularly bad year for healthcare industry data breaches, with more than 50 million healthcare records exposed or compromised in 2021.

The report includes healthcare data breaches reported to regulators, as well as data breaches that have been reported in the media, incidents that have not been disclosed by the breached entity, and data breaches involving healthcare data at non-HIPAA-regulated entities. The data for the report was provided by databreaches.net.

Protenus has been releasing annual Breach Barometer reports since 2016, and the number of healthcare data breaches has increased every year, with the number of breached records increasing every year since 2017. In 2021, it has been confirmed that at least 50,406,838 individuals were affected by healthcare data breaches, a 24% increase from the previous year. 905 incidents are included in the report, which is a 19% increase from 2020.

The largest healthcare data breach of the year occurred affected Florida Healthy Kids Corporation, a Tallahassee, FL-based children’s health plan. Vulnerabilities in its website had not been addressed by its business associate since 2013 and those vulnerabilities were exploited by hackers who gained access to the sensitive data of 3,500,000 individuals who applied for health insurance between 2013 and 2020.

Hacking incidents increased for the 6th successive year, with 678 breaches – 75% of the year’s total number of breaches- attributed to hacking incidents, which include malware, ransomware, phishing and email incidents.  Those breaches resulted in the records of 43,782,811 individuals being exposed or stolen – 87% of all breached records in 2021.

There has been a general trend over the past 6 years that has seen the number of insider incidents fall, albeit with an increase in 2020. There were 111 insider incidents in 2021, similar to the 110 incidents in 2019, which is a 26% decrease from 2020. The increase in 2020 is believed to be pandemic-related, with Protenus suggesting the 2020 spike was driven by a pandemic-related increase in insider curiosity or organizational detection of impropriety that has since subsided.

There were 32 theft-related breaches involving at least 110,6656 records and 11 cases of lost or missing devices or paperwork containing the records of at least 30,922 individuals. 73 incidents could not be classified due to a lack of information.

Healthcare providers continue to be the worst affected HIPAA-covered entity type, but business associate data breaches have increased to almost double the level of 2019. 75% of those incidents were hacking-related, 12% were due to insider error, and 1% were due to insider wrongdoing. Across those incidents, 20.986,509 records were breached. Protenus says that the average number of records breached in business associate data breaches is higher than any other breach.

The time taken to discover a data breach decreased by 30% since 2020. The average time from the date of the breach to discovery is now 132 days; however, it is taking much longer for organizations to disclose data breaches than in 2020. In 2021, the average time to report a data breach was 118 days, which is well over the 60 days stipulated by the HIPAA Breach Notification Rule. In 2020, the time from discovery to reporting was 85 days. The median time for reporting breaches was 62 days in 2021, which is also over the Breach Notification Rule reporting deadline.

“The need for proactive patient privacy monitoring has never been greater. The threats we’re seeing today are much more intrusive than in years past and can come from multiple sources — a random employee snooping or a sophisticated cybersecurity hacker that gains access through an employee channel,” said Nick Culbertson, CEO of Protenus. “Once a breach erodes patient trust in your organization, that’s extremely difficult to recover from.”

The post Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021 appeared first on HIPAA Journal.

Warning Issued About Access:7 Vulnerabilities Affecting IoT and Medical Devices

Posted by HIPAA Journal

A group of vulnerabilities dubbed Access:7 have been identified in the web-based technologies PTC Axeda and Axeda Desktop Server which are used to allow one or more people to securely view and operate the same remote desktop via the Internet. If exploited, an attacker could gain full system access, remotely execute code, trigger a denial-of-service condition, read and change configurations, and obtain file system read access and log information access. Three of the vulnerabilities are rated critical and have a CVSS severity score of 9.8 out of 10.

PTC Axeda and Axeda Desktop Server are remote asset connectivity software solutions that are used as part of a cloud-based IoT platform. The software is extensively used in medical and Internet-of-Things (IoT) devices to manage and remotely access connected devices, including multiple medical imaging and laboratory devices. At present, none of the vulnerabilities are believed to have been exploited in the wild.

The vulnerabilities affect all versions of the software. They are:

  • CVE-2022-25246 – Hard-coded credentials – CVSS Severity Score 9.8/10
  • CVE-2022-25247 – Missing authentication for critical function – CVSS Severity Score 9.8/10
  • CVE-2022-25251 – Missing authentication for critical function – CVSS Severity Score 9.8/10
  • CVE-2022-25249 – Improper limitation of a pathname to a restricted directory – CVSS Severity Score 7.5/10
  • CVE-2022-25250 – Missing authentication for critical function – CVSS Severity Score 7.5/10
  • CVE-2022-25252 – Improper check or handling of exceptional conditions – CVSS Severity Score 7.5/10
  • CVE-2022-25248 – Exposure of sensitive information to unauthorized individuals – CVSS Severity Score 5.3/10

The vulnerabilities were identified by researchers at Forescout’s Vedere Labs and CyberMDX. The vulnerabilities are known to affect more than 150 devices from over 100 vendors, which amounts to hundreds of thousands of devices globally with over half of the vulnerable devices used by healthcare organizations.  The vulnerabilities also affect a range of other devices such as ATMs, IoT gateways, label printers, SCADA systems, barcode scanners, vending machines, and asset monitoring and tracking solutions.

Patching the vulnerabilities is not straightforward and these are supply chain vulnerabilities. These vulnerable components are used in several different ways by device manufacturers, and healthcare organizations will be required to wait for fixes to be issued by the device manufacturers.

PTC has made the following recommendations:

  • Upgrade to Axeda agent Version 6.9.2 build 1049 or 6.9.3 build 1051 when running older versions of the Axeda agent.
  • Configure Axeda agent and Axeda Desktop Server (ADS) to only listen on the local host interface 127.0.0.1.
  • Provide a unique password in the AxedaDesktop.ini file for each unit.
  • Never use ERemoteServer in production.
  • Make sure to delete ERemoteServer file from host device.
  • Remove the installation file, for example: Gateway_vs2017-en-us-x64-pc-winnt-vc14-6.9.3-1051.msi
  • When running in Windows or Linux, only allow connections to ERemoteServer from trusted hosts and block all others.
  • When running the Windows operating system, configure Localhost communications (127.0.0.1) between ERemoteServer and Axeda Builder.
  • Configure the Axeda agent for the authentication information required to log in to the Axeda Deployment Utility.

The post Warning Issued About Access:7 Vulnerabilities Affecting IoT and Medical Devices appeared first on HIPAA Journal.

HC3 Report Reveals Cyberattack Trends and Provides Insights to Improve Healthcare Cybersecurity

Posted by HIPAA Journal

The HHS’ Health Sector Cybersecurity Coordination Center has released a new reportHealth Sector Cybersecurity: 2021 – Retrospective and 2022 Look Ahead – that provides a retrospective look at healthcare cybersecurity over the past 3 decades, detailing some of the major cyberattacks to hit the healthcare industry starting with the first-ever ransomware attack in 1989.

That incident saw Biologist Joseph Popp distribute 20,000 floppy disks at the World Health Organization AIDS conference in Stockholm. When used, the disks installed malicious code which tracked reboots. After 90 reboots, a ransom note was displayed that claimed the software lease had expired and a payment of $189 was required to regain access to the system.

The report shows how adversaries stepped up their attacks on the healthcare industry from 2014 through 2017. In 2014, Boston Children’s Hospital suffered a major distributed Denial of Service (DDoS) attack, there was a massive cyberattack on Anthem Inc. in 2015 that resulted in the unauthorized accessing of the records of 80 million health plan subscribers, Hollywood Presbyterian Medical Center paid an unheard-of ransom of $17,000 in 2016 following a ransomware attack, and the WannaCry exploits affected more than 200,000 systems in 2017.

In 2019, ransomware started to be extensively used in attacks on healthcare organizations with the Ryuk ransomware gang one of the most prolific ransomware operators. One of the gang’s attacks was conducted on a managed service provider and affected around 400 dental offices. Attacks continued, and more actors started using ransomware to extort businesses, with the attacks reaching epidemic proportions in 2020. In 2020, cybercriminals took advantage of the COVID-19 pandemic and used COVID-19 lures in their phishing attacks which continued throughout 2021. McAfee observed an average of 375 COVID-themed threats every minute in 2020.

2020 saw massive cyberattacks reported by SolarWinds, Accellion, CaptureRX, Scripps Health, and Universal Healthcare Services, with Emsisoft reporting $18.6 billion had been paid globally in ransoms to ransomware gangs, although it was estimated that the actual total was most likely closer to $75 billion.

The prolific Maze ransomware gang shut down its operation in 2020, but threats came from many other cyber actors including REvil, Avaddon, and BlackMatter. 2021 saw a massive ransomware attack on the Health Service Executive in Ireland by the Conti ransomware gang. The attack impacted 54 public hospitals and others that depended on HSE infrastructure and it took 4 months to bring all systems back online.

The report makes it clear that cyberattacks targeting healthcare organizations are nothing new. The industry has been targeted for many years and the industry will continue to be targeted for years to come. HC3 recommends healthcare organizations should continue to take steps to improve their defenses against the most common threats such as ransomware, malware, and phishing. Security teams should provide ongoing security awareness training for employees, run phishing simulation exercises to test the effectiveness of training, implement gateway/mail server filtering, blacklisting and whitelisting, and operationalize indicators of compromise.

It is also important to lock down remote access technologies, which are frequently abused to gain access to systems. Virtual Private Networks and technologies leveraging the Remote Desktop Protocol should be operationally minimized, services should be turned off if they are not used, and logs of activity should be maintained and regularly reviewed.

Vulnerability management is essential and needs to be systematic, comprehensive, and repeatable, and there must be mechanisms of enforcement. It is important to maintain situational awareness of applicable vendor updates and alerts and to develop repeatable testing, patching, and update deployment procedures.

It is important for healthcare organizations to understand the value of what the organization has to offer an adversary. That includes protected health information, which carries a high price on the black market, and intellectual property, which is often sought by foreign countries. Once assets have been identified, steps must be taken to ensure that those assets are protected.

In addition to implementing safeguards to protect against attacks, it is important to understand that there will still be a high probability of compromise and to prepare for an attack and plan and test the response in advance to ensure that the business can continue to operate.

It is also recommended that healthcare organizations consider relatively new-ish ways of thinking about defense, and to consider that adversaries are now thinking in terms of maximizing the number of victims and are targeting managed service providers and the supply chain. Healthcare organizations need to think about how they can prevent and mitigate attacks on third parties.

HC3 says situational awareness will continue to be more and more important in 2022 and beyond. There will be new threats, the tactics, techniques, and procedures of threat actors will evolve, and there will be new vulnerabilities. It is important to keep up-to-date with new threats and vulnerabilities and how they can be corrected and mitigated.

It is vital to maintain trusted defense measures and to defend against distributed attacks and other avenues of compromise. HC3 has provided several resources in the report that healthcare organizations can use to develop their defenses and block current and new attack methods.

The post HC3 Report Reveals Cyberattack Trends and Provides Insights to Improve Healthcare Cybersecurity appeared first on HIPAA Journal.

HSCC Releases Model Contract Template for HDOs and Medical Device Manufacturers

Posted by HIPAA Journal

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published a new Model Contract Language template for healthcare delivery organizations (HDOs) to use when procuring new devices from medical device manufacturers (MDMs) to ensure each party is aware of its responsibilities for cybersecurity and device management.

“Medical device cybersecurity responsibility and accountability between MDMs and HDOs is complicated by many conflicting factors, including uneven MDM capabilities and investment in cybersecurity controls built into device design and production; varying expectations for cybersecurity among HDOs; and high cybersecurity management costs in the HDO operational environment through the device lifecycle,” explained HSCC. “These factors have introduced and sustained ambiguities in cybersecurity accountability between MDMs and HDOs that historically have been reconciled at best inconsistently in the purchase contract negotiation process, leading to downstream disputes and potential patient safety implications.”

The Model Contract Language is intended to be a reference for shared cooperation and coordination between HDOs and MDMs for security, compliance, management, operation, services, and MDM-managed medical devices, solutions, and connections. The aim is to help HDOs reduce the cost, complexity, and time spent in the contracting process, minimize privacy and security risks, and ensure the confidentiality, integrity, and availability of HDO healthcare technologies.

The contract framework is based on three of the fundamental pillars of cybersecurity: Performance, maturity, and product design maturity, with those three pillars subdivided into 14 core principles

Core Principles of the HSCC Model Contract Language for Medtech Cybersecurity

The contract states that MDMs are required to make their products secure by default, have all security features enabled, reduce the attack surface as far as is possible, and ensure their products are free of malware and unnecessary code and services. All products are required to have the following security controls as standard:

  • Network controls
  • Physical security
  • Anti-malware
  • Intrusion detection
  • Data encryption
  • Access management
  • Security patching
  • Audit & logging
  • Protection against malicious code
  • Privilege escalation controls
  • Document reference architecture
  • Remote access controls

MDMs, HDOs, and group purchasing organizations are encouraged to review the Model Contract Language template and adopt as much of it as is necessary for their organization. “The more uniformity and predictability the sector can achieve in cross-enterprise cybersecurity management expectations, the greater strides it will make toward patient safety and a more secure and resilient healthcare system,” said HSCC.

The post HSCC Releases Model Contract Template for HDOs and Medical Device Manufacturers appeared first on HIPAA Journal.

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk

Posted by HIPAA Journal

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised.

Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering.

The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a recent study commissioned by New Zealand-based Mobile Mentor and conducted by the Austin, TX-based Center for Generational Kinetics. The aim of the study was to explore the Endpoint Ecosystem to understand how employees perceive privacy, productivity, and personal well-being in the modern workplace. The Endpoint Ecosystem is the combination of all devices, applications, and tools that are used by employees coupled with the experiences of employees using technologies.

The survey was conducted on 1,500 employees in highly regulated industries such as government, healthcare, education, and finance in the United States and Australia, and the findings are detailed in the Mobile Mentor report, The Endpoint Ecosystem – 2022 National Study.

Employees are Taking Security Risks

The survey confirmed what other studies have found – The pandemic has led to the workforce becoming much more distributed and employers have had difficulty adapting to this new way of working and ensuring security policies are implemented and enforced that are well suited to the change in how employees are working.

One of the major findings was a lack of awareness about security policies and a failure of employers to provide security awareness training to the workforce. 27% of employees said they saw security policies less than once a year and 39% said they receive security awareness training less than once a year. Healthcare and education employees were the least likely to see security policies and employees often felt they were not adequately trained to protect company data.

41% of respondents said security policies implemented by their employers restricted the way they work, and 36% of employees said they had found a way to work around security policies. The use of shadow IT – applications and services that have not been authorized by the IT department – was found to be out of control. Workers are routinely using unregulated apps and services for work activities, which can involve regulated data.  Employees commonly used services such as Gmail and Dropbox because they believe it makes them more efficient, even though the use of those services has an impact on security.

Interestingly, while remote working is viewed as a security risk, remote workers appeared to be much more tech-savvy, were more aware of security and privacy policies, and were more careful with their passwords. That said, workers are allowing family members to use their work devices – 46% of younger workers said other family members use their work devices.

The lines are getting blurred between device use for personal and work purposes. Overall, 64% of respondents said they use personal devices for work, but only 31% had a secure BYOD program.  57% of younger workers said they use work devices for personal use and 71% said they used personal devices for work. Many employers are failing to address the security risks associated with the use of personal devices for work purposes and work devices for personal use.

Poor Password Hygiene is a Major Security Risk

One of the main security risks identified in the study related to passwords. Poor password hygiene is a major security risk. 80% of cyberattacks start with a compromised password. One of the findings, mirrored by a recent IDC survey, is employees have too many passwords to remember. While password policies may be in place – and enforced – they are often circumvented. 69% of respondents said they choose passwords that are easy to remember, 29% of employees said they write down their passwords in a personal journal, and 24% said they store work passwords on their phones. While many of the security problems associated with passwords can be solved by using a password manager, only 31% of respondents used one.

The survey revealed employees are much more concerned about personal privacy than security, with healthcare employees the most concerned about protecting personal privacy. Mobile Mentor suggests that healthcare employers looking to improve security need to teach employees that privacy and security are two sides of the same coin.

“When the endpoint ecosystem works well, you have a secure, productive, and happy workforce. It’s always been important, but it became urgent over the last two years when the pandemic forced more people to work remotely, cybersecurity attacks increased, and the Great Resignation forced employers to rethink how they support their employees,” said Denis O’Shea, founder of Mobile Mentor. “Until employers prioritize the importance of each component within the Endpoint Ecosystem, their company security and employee productivity are going to be exposed to serious risk.”

The post Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk appeared first on HIPAA Journal.

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk

Posted by HIPAA Journal

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised.

Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering.

The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a recent study commissioned by New Zealand-based Mobile Mentor and conducted by the Austin, TX-based Center for Generational Kinetics. The aim of the study was to explore the Endpoint Ecosystem to understand how employees perceive privacy, productivity, and personal well-being in the modern workplace. The Endpoint Ecosystem is the combination of all devices, applications, and tools that are used by employees coupled with the experiences of employees using technologies.

The survey was conducted on 1,500 employees in highly regulated industries such as government, healthcare, education, and finance in the United States and Australia, and the findings are detailed in the Mobile Mentor report, The Endpoint Ecosystem – 2022 National Study.

Employees are Taking Security Risks

The survey confirmed what other studies have found – The pandemic has led to the workforce becoming much more distributed and employers have had difficulty adapting to this new way of working and ensuring security policies are implemented and enforced that are well suited to the change in how employees are working.

One of the major findings was a lack of awareness about security policies and a failure of employers to provide security awareness training to the workforce. 27% of employees said they saw security policies less than once a year and 39% said they receive security awareness training less than once a year. Healthcare and education employees were the least likely to see security policies and employees often felt they were not adequately trained to protect company data.

41% of respondents said security policies implemented by their employers restricted the way they work, and 36% of employees said they had found a way to work around security policies. The use of shadow IT – applications and services that have not been authorized by the IT department – was found to be out of control. Workers are routinely using unregulated apps and services for work activities, which can involve regulated data.  Employees commonly used services such as Gmail and Dropbox because they believe it makes them more efficient, even though the use of those services has an impact on security.

Interestingly, while remote working is viewed as a security risk, remote workers appeared to be much more tech-savvy, were more aware of security and privacy policies, and were more careful with their passwords. That said, workers are allowing family members to use their work devices – 46% of younger workers said other family members use their work devices.

The lines are getting blurred between device use for personal and work purposes. Overall, 64% of respondents said they use personal devices for work, but only 31% had a secure BYOD program.  57% of younger workers said they use work devices for personal use and 71% said they used personal devices for work. Many employers are failing to address the security risks associated with the use of personal devices for work purposes and work devices for personal use.

Poor Password Hygiene is a Major Security Risk

One of the main security risks identified in the study related to passwords. Poor password hygiene is a major security risk. 80% of cyberattacks start with a compromised password. One of the findings, mirrored by a recent IDC survey, is employees have too many passwords to remember. While password policies may be in place – and enforced – they are often circumvented. 69% of respondents said they choose passwords that are easy to remember, 29% of employees said they write down their passwords in a personal journal, and 24% said they store work passwords on their phones. While many of the security problems associated with passwords can be solved by using a password manager, only 31% of respondents used one.

The survey revealed employees are much more concerned about personal privacy than security, with healthcare employees the most concerned about protecting personal privacy. Mobile Mentor suggests that healthcare employers looking to improve security need to teach employees that privacy and security are two sides of the same coin.

“When the endpoint ecosystem works well, you have a secure, productive, and happy workforce. It’s always been important, but it became urgent over the last two years when the pandemic forced more people to work remotely, cybersecurity attacks increased, and the Great Resignation forced employers to rethink how they support their employees,” said Denis O’Shea, founder of Mobile Mentor. “Until employers prioritize the importance of each component within the Endpoint Ecosystem, their company security and employee productivity are going to be exposed to serious risk.”

The post Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk appeared first on HIPAA Journal.

Security Issues Identified in 75% of Infusion Pumps

Posted by HIPAA Journal

This week, researchers at Palo Alto’s Unit 42 team published a report that shows security gaps and vulnerabilities often exist in smart infusion pumps. These bedside devices automate the delivery of medications and fluids to patients and are connected to networks to allow them to be remotely managed by hospitals.

The researchers used crowdsourced scans from more than 200,000 infusion pumps at hospitals and other healthcare organizations and searched for vulnerabilities and security gaps that could potentially be exploited. The devices were assessed against more than 40 known vulnerabilities and over 70 other IoT vulnerabilities.

75% of the 200,000 infusion pumps were discovered to have security gaps that placed them at an increased risk of being compromised by hackers. Worryingly, 52% of the analyzed devices were found to be vulnerable to two serious infusion pump vulnerabilities dating back to 2019, one of which is a critical flaw with a CVSS severity score of 9.8 out of 10 (Wind River VxWorks CVE-2019-12255), and the other is a high severity flaw with a CVSS score of 7.1 (Wind River VxWorks CVE-2019-12264).

Vulnerabilities in infusion pumps could be exploited to cause harm to patients. By gaining access to the devices, attackers could stop the delivery of drugs and fluids or cause the devices to deliver potentially fatal doses of drugs. Vulnerabilities could also be exploited to gain access to, modify, or delete sensitive patient data, and it is the latter type of vulnerability that is most common.

“While some of these vulnerabilities and alerts may be impractical for attackers to take advantage of unless physically present in an organization, all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in situations in which threat actors may be motivated to put extra resources into attacking a target,” said the researchers. “Our discovery of security gaps in three out of four infusion pumps that we reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks,”

Large hospitals and clinics can use thousands of infusion pumps. When vulnerabilities are discovered, patching or applying compensating controls quickly can be a major challenge. First, the affected devices must be identified, then they must be patched, fixed, or replaced. If any vulnerable device is missed, it will remain vulnerable to attack and a patient’s life may be put at risk.

It is important to maintain an accurate inventory of infusion pumps (and other IoMT devices) in use and to have the capability to rapidly discover, locate, and assess utilization of the devices. Security teams should perform a holistic risk assessment and proactively find vulnerabilities and identify compliance gaps.

Risk reduction policies should be applied. “Real-time risk monitoring, reporting, and alerting are crucial for organizations to proactively reduce IoMT risk,” suggest the researchers. “Consistent profiling of device activity and behavior yields data that can be accurately converted into risk-based Zero-Trust policy recommendations.” Hospitals and clinics should also take steps to block known targeted IoT malware, spyware, and exploits, prevent the use of DNS for C2 communications, and stop access to bad URLs and malicious websites to prevent the loss of sensitive data.

The post Security Issues Identified in 75% of Infusion Pumps appeared first on HIPAA Journal.