Healthcare Cybersecurity

International Law Enforcement Operation Takes Down REvil Ransomware Gang’s Infrastructure

In July 2021, the notorious REvil (Sodinokibi) ransomware gang appeared to have ceased operations, with both its Tor payment site and data leak blog suddenly going offline. The DarkSide ransomware operation also went quiet, leading many security experts to believe that the operators of the ransomware-as-a-service (RaaS) operations were laying low or that there had been a law enforcement takedown of their infrastructure. Some of the servers used by the REvil gang were brought back online temporarily but were shut down again in mid-October. This temporary resurrection was thought to be an affiliate attempting to continue the operation.

The apparent shutdown of the REvil operation followed two major attacks on the food production company JBS and the software management company Kaseya, with the latter attack affecting around 50 managed service providers and up to 1,500 downstream businesses. Associates of the REvil gang had developed the DarkSide ransomware variant, which was used in the attack on Colonial Pipeline and caused its fuel pipeline to the Eastern seaboard of the United States to be shut down for a week. While ransomware had always posed a threat to critical infrastructure, these attacks made it clear that critical infrastructure was certainly not off-limits for ransomware gangs.

After the attacks, the White House announced more resources would be made available to deal with the ransomware threat, with the attacks elevated to a level similar to terrorism. President Biden met with Russian President Vladimir Putin and urged him to take action against ransomware gangs operating within its borders, and the United States has been working with cybersecurity leaders to discuss other cybersecurity initiatives to mitigate the threat. As part of the ongoing efforts to deal with the ransomware threat, earlier this month President Biden announced the United States would be participating in a meeting with leaders in more than 30 countries to combat ransomware.

REvil Operation Targeted by Law Enforcement

It has now become clear that the shutdown of the REvil operation was the result of an international law enforcement effort, according to a recent Reuters report. Tom Kellerman, VMWare’s head of cybersecurity strategy and advisor to the US Secret Service, said, “The FBI, in conjunction with Cyber Command, the Secret Service, and like-minded countries, have truly engaged in significant disruptive actions against these groups.”

REvil emerged in 2019 as an offshoot of the GandCrab ransomware operation and soon became the most prolific ransomware group, accounting for 73% of all ransomware detections in Q2 2021. When it came to taking action against these groups, “REvil was top of the list”, said Kellerman.

In July, before the REvil gang went dark, law enforcement gained access to some of its network infrastructure and servers, with Kellerman confirming law enforcement had prevented attacks on several companies. Mimicking the actions of the REvil gang, law enforcement also compromised its backups. The REvil gang attempted to restore its servers from backups in the belief that they had not been compromised, but the restored infrastructure was under the control of law enforcement.

One of the leaders of the REvil operation who is known as “0_neday”, recently posted on a cybercrime forum confirming an unnamed party had compromised its servers and claimed, “They were looking for me… Good luck, everyone; I’m off.”

The shutdown almost certainly spells the end of the REvil operation; however, when takedowns occur, it is common for ransomware gangs to simply rebrand and start a new operation. The affiliates that have signed up for RaaS operations often jump ship and sign up with other RaaS operations, so while REvil was a major operator, it does not mean that ransomware attacks will slow. After news of the takedown emerged, members of other ransomware gangs posted online showing solidarity with the REvil operation. One member of the Groove operation called for other ransomware groups to respond to the takedown and increase their attacks on targets in the United States.

The post International Law Enforcement Operation Takes Down REvil Ransomware Gang’s Infrastructure appeared first on HIPAA Journal.

Cybersecurity Awareness Month: Put Cybersecurity First

The theme of the fourth week of Cybersecurity Awareness Month is “Cybersecurity First”, with the focus on getting the message across to businesses about the need for cybersecurity measures to address vulnerabilities in products, processes, and people.

Cybersecurity Advice for Companies

One study suggests 64% of companies worldwide have experienced some form of cyberattack and the rate at which attacks are occurring is increasing. It is essential for companies to ensure that cybersecurity measures are incorporated when developing apps, products, or new services and for cybersecurity to be considered at the design stage. Safeguards need to be baked into products from the start. Cybersecurity should not be an afterthought.

Businesses need to have a thorough understanding of their IT environment and what assets need to be protected. An inventory should be created for all assets and the location of all sensitive data should be known. A plan then needs to be developed to protect those assets, which should include overlapping layers of protection using technologies such as firewalls, spam filters, web filters, antivirus software, endpoint detection systems, encryption software, and backup solutions. Patch management is also key. Software and firmware updates should be applied promptly, with priority given to patching the most serious vulnerabilities.

Businesses should adopt a mindset of a cyber breach being inevitable, which means they need to know how they will respond to an attack when it occurs. A business continuity plan should be developed and tested. The plan should include emergency protocols while systems and data are inaccessible, the restoration of systems and data, communication with stakeholders, compliance, and reporting breaches to appropriate authorities. Having an incident response plan in place ensures the business can continue to function in the event of a cyber breach and it will greatly speed up the recovery time and help to keep breach costs to a minimum.

FBI Raises Awareness of the Ransomware Threat

This week, the Federal Bureau of Investigation (FBI) is raising awareness of the threat from ransomware. Ransomware is a type of malware used to encrypt files to ensure they cannot be accessed. A ransom demand is then issued for the keys to decrypt files, although there are no guarantees that file recovery will be possible even if the ransom is paid. It is also now common for sensitive data to be stolen before file encryption, with threats issued to publish or sell the data if the ransom is not paid.

Access to computers and networks is gained by exploiting vulnerabilities, conducting brute force attacks to guess weak passwords, and most commonly, through phishing emails. Links are sent in emails that direct users to websites where they are asked to provide their login credentials or download files containing malware. Oftentimes attachments are included in emails that have macros and other scripts that download malware that provides the attackers with persistent access to devices and networks.

Steps recommended by the FBI to avoid ransomware attacks include keeping software up to date, applying patches promptly, using anti-malware software on all devices, backing up data regularly and storing backups offline, and educating employees about how to identify phishing emails and other threats.

Security awareness training for the workforce is vital. Employees are the last line of defense and they are often targeted by cybercriminals. Employees should receive security awareness training during the onboarding process and should be provided with the tools they need to help them keep their company safe, with training regularly provided throughout employment.

Cybersecurity Advice for Individuals

Individuals are being encouraged to take greater care when using products and services to ensure that cybersecurity best practices are followed. That process needs to start before any purchase is made, with cybersecurity considered before signing up for a new service or buying a new product to ensure the company is legitimate.

When new devices, apps, or services are used, individuals should consider applying measures to secure their accounts and check privacy and security settings. Default passwords should be changed with strong, unique passwords set for all accounts. A password manager should be considered as this will help with the generation of secure passwords for all accounts and will mean users do not have to remember complex passwords. It is also important to set up multi-factor authentication on all accounts to ensure they remain protected if passwords are compromised.


44% of Healthcare Organizations Don’t Have Full Visibility into Access and Permissions Assigned to Users and Third Parties

A recent study conducted by the Ponemon Institute on behalf of cybersecurity firm SecureLink has explored the state of third-party security and critical access management at healthcare organizations.

As with other industry sectors, remote access to internal systems is provided to third parties to allow them to perform essential business functions. Whenever a third party is provided with access, there is a risk that access rights will be abused. Credentials could also potentially be obtained by cyber threat actors and used for malicious purposes. While healthcare organizations are aware that providing access to third parties involves a degree of risk, in healthcare the level of risk is often underestimated.

The healthcare industry is extensively targeted by cyber actors and experiences four times the number of data breaches as other industry sectors, and the threat is growing. A recent Bitglass study suggests a 55% increase in healthcare data breaches in the United States during the pandemic.

SecureLink’s study, the results of which were published in the report, A Matter of Life and Death: The State of Critical Access Management in Healthcare, confirmed that many of those breaches involved third-party access to systems. 44% of healthcare and pharmaceutical organizations that responded to the survey said they had suffered at least one cybersecurity incident that was either directly or indirectly caused by a third-party partner.

Vendors and third parties supply many of the components that allow healthcare systems to function, and with so many third-party components, the attack surface is large. Even though the risk of a third-party data breach is high, the survey revealed only 41% of surveyed healthcare companies had a complete inventory of third parties that have been provided with access to their networks.

“Now is a pivotal moment for improving critical access management, which is a vital step in monitoring and securing third-party access. Healthcare providers need to be armed with the information and tools to navigate the state of critical access management, mitigate future cyberattacks, and eliminate vulnerabilities that can threaten HIPAA and HITECH compliance,” said Daniel Fabbri, SecureLink Chief Data Scientist.

There is a clear need to improve critical access management in healthcare and strengthen security. The best place to start is the creation of a complete inventory of third parties with access to the network. SecureLink then recommends reviewing users and vendors based on the three pillars of critical access management: access governance, access controls, and access monitoring.

Access governance is concerned with regular reviews of user access to ensure access rights are appropriate. This process can be delegated to staff members’ managers, as they are in the best position to determine what access is required. The principle of least privilege needs to be applied: individuals and third parties should only be provided with access to the systems and data that are required for them to complete their work duties. Reviews and restrictions are a requirement of HIPAA, which also requires policies and procedures to be implemented to ensure access to patient data is terminated when it is no longer required. The current reality is that users and third parties are often given very broad access rights, which is risky. The survey revealed 44% of healthcare and pharmaceutical organizations do not have full visibility into the level of access and permissions assigned to internal and external users.

Access controls need to be put in place to limit the data and systems that can be accessed by third parties. Individuals have access rights, which are not changed by access controls; instead, access controls are concerned with giving organizations greater control over the ability of users and third parties to use (or abuse) their access rights. Access controls should include employing zero-trust network access (ZTNA) solutions, which can help to prevent lateral movement in the event of credentials being compromised.

Access monitoring is vital for security and HIPAA compliance. Organizations need to have visibility into the actions of privileged users and must be able to identify what those users have done or are doing while logged in. All interactions with ePHI must be logged and regularly reviewed to identify suspicious activity, but given the huge number of interactions by users on a daily basis, this can be an overwhelming task. 60% of respondents said they thought managing third-party permissions and remote access to their systems would be overwhelming and a drain on internal resources, even though doing so is vital for reducing risk. The only way to effectively monitor for suspicious activity is through the use of machine learning systems. These systems can sift through all interactions, determine which events have no clinical relevance, and flag those instances for manual review. While access monitoring may not prevent a breach, it will ensure unauthorized activity is identified promptly. It is all too common for insider data breaches to go undetected for months before unauthorized access is detected due to poor access monitoring.
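The three pillars above, worked as a small access-review script. This is an added example, not SecureLink’s or HIPAA Journal’s code; the role model, log format, review interval and sample data are all constructed for illustration. It flags ePHI access after a user’s termination (the kind of insider breach described in this issue’s breach report), use of systems outside a user’s role (least privilege), a simple daily-volume threshold that stands in for the machine-learning sift the text describes, and users whose access rights are overdue for review.

```python
"""Access review checks: governance (overdue reviews), controls (least
privilege by role) and monitoring (flag ePHI access a user should not have).
Everything here is a constructed illustration, not a real product or data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical least-privilege model: which ePHI systems each role may use.
ROLE_PERMISSIONS = {
    "nurse": {"ehr"},
    "billing": {"billing", "ehr"},
    "vendor_imaging": {"pacs"},
}


@dataclass
class User:
    user_id: str
    role: str
    third_party: bool
    terminated_at: Optional[datetime] = None  # None means still active
    last_review: Optional[datetime] = None    # last manager access review


# Constructed log format: "<ISO timestamp> user=<id> system=<name> patient=<id>"
def parse_log(lines: List[str]) -> List[Tuple[datetime, str, str, str]]:
    events = []
    for line in lines:
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["user"], kv["system"], kv["patient"]))
    return events


def find_violations(users: Dict[str, User], events, daily_limit: int = 50):
    """Monitoring + controls: return (user, finding, timestamp) tuples.

    daily_limit is a crude volume threshold, a stand-in for the machine
    learning review the article describes, not a substitute for it."""
    findings = []
    per_day: Dict[Tuple[str, object], int] = {}
    for ts, uid, system, _patient in events:
        user = users.get(uid)
        if user is None:
            findings.append((uid, "unknown_user", ts))
            continue
        # Access after termination is unauthorized regardless of the system.
        if user.terminated_at is not None and ts >= user.terminated_at:
            findings.append((uid, "post_termination_access", ts))
            continue
        # Least privilege: the role does not include this system.
        if system not in ROLE_PERMISSIONS.get(user.role, set()):
            findings.append((uid, "outside_role", ts))
        key = (uid, ts.date())
        per_day[key] = per_day.get(key, 0) + 1
        if per_day[key] == daily_limit + 1:  # report once per user per day
            findings.append((uid, "volume_anomaly", ts))
    return findings


def overdue_reviews(users: Dict[str, User], now: datetime,
                    max_age: timedelta = timedelta(days=90)) -> List[str]:
    """Governance: active users whose access has not been reviewed within max_age."""
    return sorted(
        u.user_id for u in users.values()
        if u.terminated_at is None
        and (u.last_review is None or now - u.last_review > max_age)
    )


# Constructed sample roster and log lines.
USERS = {
    "nurse01": User("nurse01", "nurse", False, last_review=datetime(2021, 8, 1)),
    "bill02": User("bill02", "billing", False, last_review=datetime(2021, 3, 1)),
    "vend03": User("vend03", "vendor_imaging", True, terminated_at=datetime(2021, 9, 15)),
}
SAMPLE_LOG = [
    "2021-09-20T08:01:00 user=nurse01 system=ehr patient=P1001",
    "2021-09-20T08:05:00 user=nurse01 system=billing patient=P1001",  # outside role
    "2021-09-16T02:10:00 user=vend03 system=pacs patient=P2002",      # after termination
    "2021-09-20T09:00:00 user=ghost system=ehr patient=P3003",        # no such user
]


def run_review(now: datetime = datetime(2021, 9, 30)):
    """Run all checks over the constructed data."""
    return find_violations(USERS, parse_log(SAMPLE_LOG)), overdue_reviews(USERS, now)


if __name__ == "__main__":
    violations, overdue = run_review()
    for uid, kind, ts in violations:
        print(f"{ts.isoformat()} {uid}: {kind}")
    print("overdue access reviews:", overdue)
```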


Healthcare CISOs Need Federal Assistance to Deal with Increase in Cyber Threats

A recent survey conducted on Chief Information Security Officer (CISO) members of the College of Healthcare Information Management Executives (CHIME) and Association for Executives in Healthcare Information Security (AEHIS) has highlighted the impact cybersecurity incidents have had on the healthcare industry and the need for federal assistance to deal with the threats.

The healthcare industry has long been targeted by cybercriminals, but attacks have increased during the pandemic. 67% of respondents said their organization had experienced a security incident in the past 12 months, with almost half saying they were the victim of a phishing attack. Phishing and business email compromise attacks, malware, ransomware, hacking, and insider threats were the most common security exploits used in cyberattacks on the industry.

Cyberattacks can cause patient safety issues. One recent study indicates mortality rates increase following a ransomware attack, as do medical complications and the length of hospital stays. The survey confirmed the impact on patient safety, with 15% of respondents saying there had been a patient safety issue after a cyberattack and 10% saying they were forced to divert patients to other facilities in the wake of an attack.

The increase in attacks has meant an increase in costs. More than 80% of surveyed CISOs reported an increase in costs associated with cyberattacks in the past year. 20% of respondents said costs had increased by 50% in the past year, with one in 6 saying costs have doubled. Not only have remediation costs increased, but the cost of cyber insurance policies has also risen due to the increased risk of cyberattacks.

Indeed, the situation is likely to get worse as there are several emerging threats of major concern, such as the rise in IoT and other connected devices, an increasingly remote workforce, supply chain threats, API security issues, and risks associated with third-party consumer health apps.

Funding for cybersecurity has long been a problem in healthcare, but the increase in costs has made the situation far worse and many CISOs are struggling. “We are overwhelmed with unfunded federal mandates. Our organization is struggling through the pandemic while having mandate after mandate applied. [This is] not sustainable,” said one respondent to the survey.

The survey confirmed healthcare providers need more help dealing with the increased threat of attacks. Congress is considering several new measures to improve defenses against cyberattacks for critical infrastructure, including healthcare, but CHIME and AEHIS say healthcare is often left on the periphery, even though the healthcare industry is one of the most targeted parts of critical infrastructure and one of the most vulnerable.

40% of respondents said they need help in the form of grants or federal assistance to improve cybersecurity, a third said they would benefit from regional extension centers with cyber experts on hand who could come on-site to provide guidance and expertise, and 16.7% said they would benefit from closer relationships with federal authorities such as the FBI and CISA.

52% of respondents said they had signed up with an Information Sharing & Analysis Center (ISAC) or Information Sharing and Analysis Organization (ISAO), but further guidance is needed, as 10% of respondents said they were unsure when it was acceptable to share threat information. When guidance is provided, it needs to be communicated more effectively. For instance, 45% of respondents said they were unaware of 405(d) best practices that had been published by the HHS.

“From this survey it is clear that healthcare providers will need several tools in their arsenal to fight an ever-escalating and complex battle that is being brought directly to their doorstep and threatens their delivery of patient care,” said AEHIS Advisory Board Chair Will Long. “More resources, education, and ongoing support for our sector are needed.”


September 2021 Healthcare Data Breach Report

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months.

Healthcare data breaches August 2020 to September 2021

While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months.

Healthcare records breached over the past 12 months

Largest Healthcare Data Breaches Reported in September 2021

16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records.

The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was reported to the HHS as affecting 500,000 individuals. The cyberattack is believed to have been conducted by a nation-state hacking group.

Two major data breaches were reported by eye care providers: A hacking incident at U.S. Vision Optical resulted in the exposure of the PHI of 180,000 individuals, and a phishing incident at Simon Eye Management gave the attackers access to email accounts containing the PHI of 144,373 individuals. The breaches are not believed to be related, but they are two of a handful of recent incidents affecting eye care providers.

Ransomware continues to be extensively used in attacks on the healthcare industry. 6 of the top 16 attacks in September involved ransomware and potentially saw PHI stolen. Several ransomware gangs have targeted the healthcare sector, with the FIN12 group one of the most active. A recent analysis of FIN12 attacks by Mandiant revealed 20% of the gang’s attacks have been on the healthcare industry, with the attacks accounting for around 20% of all incidents Mandiant responds to.

Hackers have been targeting the healthcare industry, but data breaches can also be caused by insiders with privileged access to PHI. One notable ‘insider’ breach was reported by Premier Management Company and involved data being accessed by a former employee after termination. The incident highlights the importance of ensuring access to PHI (and IT systems) is blocked immediately when an employee is terminated, leaves the company, or when job functions change that no longer require an employee to have access to PHI.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| State of Alaska Department of Health & Social Services | AK | Health Plan | 500,000 | Nation-state hacking incident |
| U.S. Vision Optical | NJ | Healthcare Provider | 180,000 | Unspecified hacking incident |
| Simon Eye Management | DE | Healthcare Provider | 144,373 | Email account breach (phishing) |
| Navistar, Inc. Health Plan and the Navistar, Inc. Retiree Health Benefit and Life Insurance Plan | IL | Health Plan | 49,000 | Ransomware attack |
| Talbert House | OH | Healthcare Provider | 45,000 | Unspecified hacking incident (data exfiltration) |
| Premier Management Company | TX | Healthcare Provider | 37,636 | PHI accessed by an employee after termination |
| Central Texas Medical Specialists, PLLC dba Austin Cancer Centers | TX | Healthcare Provider | 36,503 | Malware |
| Orlick & Kasper, M.D.’s, P.A. | FL | Healthcare Provider | 30,000 | Theft of electronic devices containing PHI |
| McAllen Surgical Specialty Center, Ltd. | TX | Healthcare Provider | 29,227 | Ransomware attack |
| Asarco Health, Dental, Vision, Flexible Spending, Non-Union Employee Benefits, and Retiree Medical Plans | AZ | Health Plan | 28,000 | Ransomware attack |
| Horizon House, Inc. | PA | Healthcare Provider | 27,823 | Ransomware attack |
| Rehabilitation Support Services, Inc. | NY | Healthcare Provider | 23,907 | Unspecified hacking incident (data exfiltration) |
| Samaritan Center of Puget Sound | WA | Healthcare Provider | 20,866 | Theft of electronic devices containing PHI |
| Directions for Living | FL | Healthcare Provider | 19,494 | Ransomware attack |
| Buddhist Tzu Chi Medical Foundation | CA | Healthcare Provider | 18,968 | Ransomware attack |
| Eastern Los Angeles Regional Center | CA | Business Associate | 12,921 | Email account breach (phishing) |

Causes of September 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 53.2% of all breaches reported in the month and 91.6% of all breached records. 1,147,383 healthcare records were exposed or stolen in those incidents, with an average breach size of 33,747 records and a median breach size of 2,453 records.

The number of incidents involving the theft of physical records or electronic equipment containing PHI increased month-over-month. September saw 6 theft incidents reported and 60,236 records compromised. The mean breach size was 10,039 records and the median breach size was 3,918 records. 4 of those breaches involved electronic equipment and could have been prevented had encryption been used.

There were 7 data breaches reported that involved unauthorized access or disclosures of data by insiders. 45,639 records were breached across those incidents, 37,636 of which were obtained in a single incident. The average breach size was 6,520 records and the median breach size was 1,738 records.

Causes of September 2021 healthcare data breaches

Given the high number of hacking and ransomware incidents reported, it is no surprise that the most common location of breached PHI is network servers. Email accounts continue to be targeted in phishing attacks, with 13 incidents in September involving PHI stored in email accounts. The number of devices containing PHI that were stolen highlights the importance of using encryption to protect stored data.

Location of PHI in September 2021 healthcare data breaches

September 2021 Data Breaches by HIPAA-Regulated Entity

Healthcare providers were the worst affected covered entity with 30 reported breaches. 10 breaches were reported by health plans, 6 breaches were reported by business associates, and one breach was reported by a healthcare clearinghouse.

5 of those breaches were reported by a HIPAA-covered entity but occurred at a business associate. The adjusted figures are shown in the pie chart below.

September 2021 healthcare data breaches by HIPAA-regulated entity type

September 2021 Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities based in 25 states. Texas was the worst affected state with 6 reported breaches of 500 or more records, followed by California with 5 breaches and Connecticut with 4.

| State | Breaches |
|---|---|
| Texas | 6 |
| California | 5 |
| Connecticut | 4 |
| Florida & Washington | 3 |
| Arizona, Georgia, Illinois, New York, Ohio, & Pennsylvania | 2 |
| Alaska, Delaware, Indiana, Kentucky, Maryland, Minnesota, Missouri, New Jersey, New Mexico, Oregon, Rhode Island, Tennessee, Virginia, & Wisconsin | 1 |

HIPAA Enforcement Activity in September 2021

The Department of Health and Human Services’ Office for Civil Rights now has a new director, and it is currently unclear what direction she will take in the department’s HIPAA enforcement actions.

Since the fall of 2019, OCR has been targeting HIPAA-regulated entities that fail to comply with the HIPAA Right of Access, and September saw the 20th financial penalty imposed under this initiative for the failure to provide individuals with access to their healthcare records.

Children’s Hospital & Medical Center in Omaha, NE, settled its HIPAA Right of Access case with OCR and paid an $80,000 financial penalty. This was the ninth OCR case this year to have resulted in a financial penalty for non-compliance with the HIPAA Rules.

There were no reported enforcement activities by state attorneys general in September.


Alert Issued About Ongoing BlackMatter Ransomware Attacks

A joint alert has been issued by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) about ongoing BlackMatter ransomware attacks.

The group has been conducting attacks in the United States since July 2021, which have included attacks on critical infrastructure entities and two organizations in the U.S. Food and Agriculture Sector. Evidence has been obtained that links the gang to the DarkSide ransomware gang that conducted attacks between September 2020 and May 2021, including the attack on Colonial Pipeline, with BlackMatter ransomware potentially a rebrand of the DarkSide operation.

Investigations into the attacks have allowed the agencies to obtain important information about the tactics, techniques, and procedures (TTPs) of the group, and an analysis has been performed on a sample of the ransomware in a sandbox environment.

The group is known to use previously compromised credentials to gain access to victims’ networks, then leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) and discover all hosts on the network. The BlackMatter gang deploys ransomware and remotely encrypts the hosts and shared drives as they are identified. The gang is known to exfiltrate data and typically demands ransom payments of between $80,000 and $15 million in Bitcoin or Monero.

In the joint alert, the NSA, FBI, and CISA shared TTPs, provided Snort signatures that can be used for detecting the network activity associated with BlackMatter ransomware attacks, and listed several mitigations to reduce the risk of a compromise by the gang.

Mitigations include:

  • Implementing detection signatures to identify and block attacks in progress
  • Using strong passwords resistant to brute force attacks
  • Implementing multi-factor authentication to block the use of stolen credentials
  • Patching and updating systems promptly
  • Limiting access to resources over networks
  • Implementing network segmentation and traversal monitoring
  • Using admin disabling tools to support identity and privileged access management
  • Implementing and enforcing backup and restoration policies and procedures

The alert, TTPs, and mitigations can be found here.


Cybersecurity Awareness Month: Fight the Phish!

According to the Verizon Data Breach Investigations Report, phishing accounted for around 80% of all reported phishing attacks in 2019 and since the pandemic began in 2020 phishing attacks and associated scams have been thriving. In 2020, 74% of US organizations experienced a successful phishing attack.

Phishing attacks typically use emails or malicious websites – or both – to obtain sensitive information such as login credentials or to infect devices with malware and viruses. Phishing attacks involve a lure to get the recipient to take a certain action, such as clicking on a hyperlink in an email or opening a malicious email attachment. Email addresses, sender names, phone numbers, and website URLs are often spoofed to trick people into believing they are interacting with a familiar and trusted source.

The 2021 Cost of Phishing Study conducted by the Ponemon Institute/Proofpoint suggests the cost of phishing attacks has quadrupled over the past 6 years, with large U.S. firms now losing an average of $14.83 million a year to phishing attacks. An average-sized U.S. company employing 9,567 people, loses around 63,343 hours every year to phishing attacks, with the cost equating to around $1,500 per employee.

Phishing is the starting point of the costliest cyberattacks. In 2020, more than $1.8 billion was fraudulently obtained in Business Email Compromise (BEC) attacks, with the average cost of a BEC attack now $5.97 million. Phishing is often the starting point of ransomware attacks, which can have mitigation costs of the order of tens of millions of dollars. On average, an attack costs $996,000 to resolve.

Phishing may be the most common way for cybercriminals to gain access to email accounts, networks, and sensitive data, but these attacks can easily be prevented with the right technology and user training.

Organizations need to implement email security gateways/spam filtering solutions for all email accounts. This technical measure alone will prevent the majority of phishing emails from arriving in inboxes. Antivirus software and firewalls should be used to protect all endpoints, including computers, phones, tablets, and Internet of Things devices. These solutions should be regularly updated, ideally automatically.

Multi-factor authentication should be used on all accounts that require passwords to log in. In the event of a password being obtained in a phishing attack, multi-factor authentication will prevent the password alone from providing access to the user’s account. Microsoft explained in a 2019 blog post that multi-factor authentication blocks more than 99.9% of account compromise attacks.

Employees are the last line of defense in an organization, so it is vital for security awareness training to be provided. Employees need to be taught cybersecurity best practices to eradicate risky behaviors and must learn how to identify and avoid phishing attacks.

Employees should be made aware of the red flags in phishing emails, such as calls to open attachments or click links, unusual wording and formatting, spelling and grammatical errors, threats of negative consequences if rapid action is not taken, and too-good-to-be-true offers. If any red flags are identified, it is vital to verify the source of the email or text message and to make contact with the sender through a known channel to confirm a request is authentic. Employees should be conditioned to stop and think before taking any action requested in an email or text message and never to respond, open attachments, or click links in messages if there is any doubt about the sender or request.
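As an added example (not from the post or from CISA's tip sheet), the following Python triage routine checks a message for the red flags listed above: spoofed sender details, urgency, link and attachment lures, too-good-to-be-true offers, risky attachment types, and link text that shows one host while pointing at another. The phrase lists, domains and sample messages are constructed for illustration and are not a vendor's detection rules.

```python
import re
from email.utils import parseaddr

# Phrase lists constructed to mirror the red flags listed above (illustrative, not a vendor list)
URGENCY = ("immediately", "within 24 hours", "will be suspended", "final notice", "act now")
LURES = ("click the link", "click here", "open the attached", "open the attachment",
         "verify your account", "confirm your password")
TOO_GOOD = ("you have won", "claim your prize", "free gift", "lottery")
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".docm", ".xlsm")
# Matches <a href="http://HOST/..."> http://SHOWN_HOST so the two hosts can be compared
LINK_RE = re.compile(r'href="https?://([^/"]+)[^"]*"[^>]*>\s*https?://([^/<\s]+)', re.I)

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def red_flags(msg: dict) -> list[str]:
    """Return the red flags found in a message dict (keys: from, reply_to, subject, body, attachments)."""
    flags = []
    display, addr = parseaddr(msg.get("from", ""))
    from_dom = _domain(addr)
    # Spoofed sender: the display name carries an address whose domain differs from the real one
    if "@" in display and _domain(display) != from_dom:
        flags.append("sender-mismatch")
    # Replies quietly routed to a domain other than the one the mail claims to come from
    reply_dom = _domain(parseaddr(msg.get("reply_to", ""))[1])
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(p in text for p in URGENCY):
        flags.append("urgency")
    if any(p in text for p in LURES):
        flags.append("link-or-attachment-lure")
    if any(p in text for p in TOO_GOOD):
        flags.append("too-good-to-be-true")
    if any(a.lower().endswith(RISKY_EXT) for a in msg.get("attachments", [])):
        flags.append("risky-attachment")
    # Link text shows one host while the href actually points at another
    if any(h.lower() != shown.lower() for h, shown in LINK_RE.findall(msg.get("body", ""))):
        flags.append("link-mismatch")
    return flags

# Constructed sample messages, not real mail
SUSPICIOUS = {
    "from": '"helpdesk@hospital.example" <noreply@mailer-promo.example>',
    "reply_to": "collect@elsewhere.example",
    "subject": "Final notice: your mailbox will be suspended",
    "body": 'Click here within 24 hours: <a href="http://login.mailer-promo.example/x">http://portal.hospital.example</a>',
    "attachments": ["invoice.docm"],
}
BENIGN = {"from": "Alice Smith <alice@hospital.example>", "subject": "Agenda for Thursday",
          "body": "Agenda attached, see you then.", "attachments": ["agenda.pdf"]}
```

A message that raises several flags at once is a candidate for the verify-through-a-known-channel step described above rather than an automatic verdict; the checks are deliberately simple and will not catch every lure.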

According to Verizon, “There is some cause for hope in regard to phishing, as click rates from the combined results of multiple security awareness vendors are going down.” In 2012, phishing email click rates were around 25% but by 2019 they had fallen to around 3% as a result of improved awareness of phishing and more extensive end user training.

Given the scale of the threat from phishing, once-a-year security awareness training sessions are no longer sufficient. While annual training may meet the minimum requirement for compliance with HIPAA, it is not sufficient to reduce the risk of a successful attack to a low and acceptable level. Security awareness training for the workforce needs to be an ongoing process, with regular training provided throughout the year accompanied by phishing simulation exercises in which the phishing identification skills of employees are put to the test. Through training and phishing simulation exercises, susceptibility to phishing attacks can be greatly reduced.

CISA has produced a tip sheet for Cybersecurity Awareness Month to help individuals fight the phish.

The post Cybersecurity Awareness Month: Fight the Phish! appeared first on HIPAA Journal.

FIN12 Ransomware Gang Actively Targeting the Healthcare Sector

Ransomware is currently the biggest cyber threat faced by the healthcare industry. Attacks often cripple healthcare IT systems for weeks or months and prevent medical records from being accessed. One study by the Ponemon Institute/Censinet shows attacks result in treatment delays, an increase in complications, poorer patient outcomes, and an increase in mortality rates.

Several ransomware gangs have publicly stated they will not attack the healthcare industry, but that is certainly not true of FIN12. According to a recently published analysis of the ransomware actor by Mandiant, around 20% of the attacks conducted by the group have been on the healthcare industry.

FIN12 is a prolific ransomware actor that focuses on big game targets. Almost all the victims of FIN12 have annual revenues over $300 million, with an average of almost $6 billion. FIN12 has been active since at least 2018 and has largely targeted North America, where 85% of its attacks have occurred, although the gang has recently expanded geographically and now also conducts attacks in Europe and the Asia Pacific region. The most frequently targeted industries are healthcare, education, finance, manufacturing, and technology.

Mandiant says FIN12 is the most prolific ransomware actor it tracks that focuses on high value targets. Around 20% of all ransomware incidents the company responds to are conducted by FIN12, which makes it the most frequently encountered ransomware deployment actor.

The reason why FIN12 targets the healthcare industry when many ransomware-as-a-service operations do not attack the healthcare sector is not entirely clear. Mandiant suggests the need for healthcare providers to regain access to patient data quickly is likely the key factor. Healthcare providers are more likely to pay the ransom and more likely to pay the ransom quickly, whereas negotiations with victims in other sectors may drag on for weeks.

Mandiant believes FIN12 is a specialist ransomware deployment actor that uses initial access brokers (IABs). IABs provide the access and credentials FIN12 requires to conduct its attacks. IABs typically receive a cut of any ransom payments that are generated, although some ransomware operations pay a flat rate for access. Mandiant has seen evidence that FIN12 pays a percentage of the ransom to the IAB, usually around 30%-35%.

One of the IABs extensively used by FIN12 is TrickBot, a botnet operation that sells persistent access to victims’ networks. The group has also partnered with the BazarLoader operation, and more recently has branched out and appears to have purchased credentials to log in to Citrix environments. FIN12 most commonly deploys Ryuk ransomware, a ransomware variant that is capable of spreading throughout a network and infecting and encrypting data on multiple systems.

In contrast to many ransomware actors which spend weeks inside a victim’s network before deploying ransomware, FIN12’s attacks are rapid and have an average time-to-ransom (TTR) of less than 4 days. The gang appears to be prioritizing speed in its attacks as the TTR has been decreasing. Some of the recent attacks have had a TTR of just 2.5 days. “These efficiency gains are enabled by their specialization in a single phase of the attack lifecycle, which allows threat actors to develop expertise more quickly,” says Mandiant.

Mandiant says the gang stands out from other ransomware actors because its use of multifaceted extortion is relatively rare. It is now very common for data to be exfiltrated prior to the use of ransomware and for ransomware gangs to threaten to publish the stolen data if victims do not pay. Mandiant suggests the decision not to engage in data theft is likely due to the effect it would have on the TTR. In attacks where FIN12 has exfiltrated data, the TTR was around 12.5 days.

While victims may be more likely to pay the ransom due to the threat of public shaming and data exposure, there is also a much higher risk of detection prior to file encryption. “FIN12’s apparent success without the need to incorporate additional extortion methods likely suggests the notion that they do not believe spending additional time to steal data is worth the risk of having their plans to deploy ransomware thwarted,” suggests Mandiant.

The post FIN12 Ransomware Gang Actively Targeting the Healthcare Sector appeared first on HIPAA Journal.

Ransom Disclosure Act Requires Disclosure of Payments to Ransomware Gangs Within 48 Hours

A new bill has been introduced that requires victims of ransomware attacks to disclose any payments made to the attackers to the Department of Homeland Security (DHS) within 48 hours of the ransom being paid.

The Ransom Disclosure Act was introduced by Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) and aims to provide the DHS with the data it needs to investigate ransomware attacks and improve understanding of how cybercriminal enterprises operate, thus allowing the DHS to gain a much better picture of the ransomware threat facing the United States.

Between 2019 and 2020 ransomware attacks increased by 62% worldwide, and by 158% in the United States. The Federal Bureau of Investigation (FBI) received 2,500 complaints about ransomware attacks in 2020, up 20% from the previous year, and there were more than $29 million in reported losses to ransomware attacks in 2020. Not all ransomware attacks are reported. Many victims choose to quietly pay the attackers for the keys to decrypt their data and to prevent the public disclosure of any data stolen in the attack.

Chainalysis believes almost $350 million in cryptocurrency was paid to ransomware gangs globally in 2020, which is a year-over-year increase of 311%. Attacks have continued to increase in 2021. According to Check Point’s mid-year security report, in the first half of 2021, there were 93% more ransomware attacks than the corresponding period last year.

As the ransomware attack on Colonial Pipeline demonstrated, the gangs behind these attacks pose a significant national security threat. That attack resulted in the closure of a major fuel pipeline for around a week. The attack on JBS Foods threatened food production, and the huge number of attacks on the healthcare industry has affected the ability of healthcare providers to provide care to patients. This year, CISA said ransomware attacks delay care and affect patient outcomes, and there has already been a death in the United States which is alleged to have been due to a ransomware attack.

Ransomware attacks are continuing to increase because they are profitable and give ransomware gangs and their affiliates a good return on investment. There is also little risk of being caught and brought to justice. Unfortunately, investigations of ransomware gangs can be hampered by a lack of data, hence the introduction of the Ransom Disclosure Act.

“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” said Senator Warren. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises – and help us go after them.”

While the FBI encourages the reporting of ransomware attacks to assist with its investigations, reporting attacks is not mandatory. “Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions,” said Congresswoman Ross. “I’m proud to introduce this legislation with Senator Warren which will implement important reporting requirements, including the amount of ransom demanded and paid, and the type of currency used. The U.S. cannot continue to fight ransomware attacks with one hand tied behind our back.”

The Ransom Disclosure Act will require:

  • Ransomware victims (except individuals) to disclose any ransom payments within 48 hours of the date of payment, including the amount, the currency used, and any information that has been gathered on the entity demanding the ransom.
  • The DHS to publish information disclosed during the previous year about the ransoms paid, excluding identifying information about the entities that paid.
  • The DHS to set up a website for individuals to voluntarily report ransom payments.
  • The Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated the attacks, and to make recommendations for protecting information systems and strengthening cybersecurity.

The post Ransom Disclosure Act Requires Disclosure of Payments to Ransomware Gangs Within 48 Hours appeared first on HIPAA Journal.