Healthcare Cybersecurity

WEDI Makes Healthcare-Specific Recommendations for Improving the NIST Cybersecurity Framework

The Workgroup for Electronic Data Interchange (WEDI) has responded to the request for information from the National Institute of Standards and Technology (NIST) and has made several recommendations for improving the NIST cybersecurity framework and supply chain risk management guidance to help healthcare organizations deal with some of the most pressing threats facing the sector.

Ransomware is one of the main threats facing the healthcare industry, and that is unlikely to change in the short to medium term.  To help healthcare organizations deal with the threat, WEDI has suggested NIST increase its focus on ransomware and address the issue of ransomware directly in the cybersecurity framework. NIST published a new ransomware resource in February 2022, which contains valuable information on protecting against, detecting, responding to, and recovering from ransomware attacks. WEDI feels the inclusion of ransomware within the cybersecurity framework will expand the reach and impact of the resource.

WEDI has also recommended the inclusion of specific case studies of healthcare organizations that have experienced a ransomware attack, updating the framework to define contingency planning strategies based on the type of healthcare organization and issue guidance with a focus on contingency planning, execution, and recovery. Ransomware attacks on healthcare providers carry risks that are not applicable to other entities. Further guidance in this area would be of great benefit to healthcare providers and could help to minimize disruption and patient safety issues.

Healthcare organizations have been developing patient access Application Programming Interfaces (APIs) and applications (apps) which are covered by HIPAA, and are therefore required to incorporate safeguards to ensure the privacy and security of any healthcare data they contain, but WEDI has drawn attention to the lack of robust privacy standards that are applicable to third party health apps that are not covered by HIPAA. WEDI says there is a need for a national security framework to ensure that health care data obtained by third-party apps are held to appropriate privacy and security standards.

The number of risks and vulnerabilities to portable and implantable medical devices has grown at an incredible rate in recent years and those risks are likely to grow exponentially in the years to come. WEDI has recommended NIST address cybersecurity issues related to these devices directly in the cybersecurity framework, and also address the issue of insider threats. Many healthcare data breaches are caused by insider threats such as lost electronic devices, phishing and social engineering attacks. WEDI suggests these issues and security awareness training should be addressed in the cybersecurity framework.

WEDI has also recommended NIST develop a version of its cybersecurity framework that is targeted at smaller healthcare organizations, which do not have the resources available to stay informed about the latest security developments and implement the latest security measures and protocols. A version of the framework that is more focused on the threats faced by smaller organizations would be of great benefit and should include realistic proactive steps that can be taken by small healthcare organizations to mitigate risks.

The post WEDI Makes Healthcare-Specific Recommendations for Improving the NIST Cybersecurity Framework appeared first on HIPAA Journal.

15 Most Exploited Vulnerabilities in 2021

The Five Eyes security agencies, an alliance of intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States, have issued a joint advisory about the 15 vulnerabilities in software and operating systems that were most commonly targeted by nation-state hackers and cybercriminal organizations in 2021.

Throughout 2021, malicious cyber actors targeted newly disclosed critical software vulnerabilities in attacks against a wide range of industry sectors, including public and private sector organizations. 11 of the most routinely targeted vulnerabilities were publicly disclosed in 2021, although older vulnerabilities continue to be exploited. The 15 most exploited vulnerabilities include 9 that allow remote code execution, 2 elevation of privilege flaws, and security bypass, path traversal, arbitrary file reading, and arbitrary code execution flaws.

Top of the list was the maximum severity Log4Shell vulnerability in the Apache Log4j open source logging framework. The vulnerability – CVE-2021-44228 – can be remotely exploited by a threat actor allowing the execution of arbitrary code, which would give the attacker full control of a vulnerable system. The vulnerability was only disclosed publicly in December 2021, yet still ranked first as the most commonly exploited vulnerability, demonstrating how hackers can quickly weaponize and exploit vulnerabilities before organizations can patch. The flaw was rated one of the most serious vulnerabilities to be discovered in the past decade.

CVE Vulnerability Name Vendor and Product Type
CVE-2021-44228 Log4Shell Apache Log4j Remote code execution (RCE)
CVE-2021-40539 Zoho ManageEngine AD SelfService Plus RCE
CVE-2021-34523 ProxyShell Microsoft Exchange Server Elevation of privilege
CVE-2021-34473 ProxyShell Microsoft Exchange Server RCE
CVE-2021-31207 ProxyShell Microsoft Exchange Server Security feature bypass
CVE-2021-27065 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26858 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26857 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26855 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26084 Atlassian Confluence Server and Data Center Arbitrary code execution
CVE-2021-21972 VMware vSphere Client RCE
CVE-2020-1472 ZeroLogon Microsoft Netlogon Remote Protocol (MS-NRPC) Elevation of privilege
CVE-2020-0688 Microsoft Exchange Server RCE
CVE-2019-11510 Pulse Secure Pulse Connect Secure Arbitrary file reading
CVE-2018-13379 Fortinet FortiOS and FortiProxy Path traversal

The remote code execution vulnerability in Zoho ManageEngine AD SelfService Plus – CVE-2021-40539 – has a 9.8 CVSS severity rating and was the second most exploited vulnerability, with attacks exploiting the vulnerability continuing in 2022. The flaw can be exploited remotely and allows web shells to be implanted in a network, allowing the attacker to compromise credentials, move laterally, and exfiltrate sensitive data.

The ProxyLogon flaws in Microsoft Exchange email servers were also extensively exploited. These flaws – CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 – allow remote attackers to execute arbitrary code on vulnerable exchange servers to gain access to files and mailboxes on the servers, along with any credentials stored on the servers.

Three ProxyShell vulnerabilities made the top 15 list. These vulnerabilities – CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 – can be exploited on Microsoft Exchange email servers that have the Microsoft Client Access Service (CAS) exposed to the Internet. This is a common configuration that allows users to access their emails on their mobile devices and via web browsers. The flaws can be exploited to remotely execute arbitrary code on vulnerable servers.

In many cases, vulnerabilities were exploited within two weeks of the vulnerabilities being publicly disclosed, most commonly as a result of security researchers publishing proof-of-concept exploits, which helped a much broader range of threat actors quickly exploit the vulnerabilities before organizations had the time to patch.

A further 21 vulnerabilities are listed that are also routinely exploited, including many from 2021 and some dating back to 2017.  Patching these vulnerabilities promptly will ensure they cannot be exploited. The Five Eyes agencies have also included a list of mitigations that make it harder for threat actors to exploit these and other vulnerabilities.

The post 15 Most Exploited Vulnerabilities in 2021 appeared first on HIPAA Journal.

Five Eyes Agencies Warn Critical Infrastructure Orgs About Threat of Russian State-Sponsored and Criminal Cyberattacks

The five eyes cybersecurity agencies have recently issued a joint security alert warning about the threat of cyberattacks on critical infrastructure by Russian nation-state threat actors and pro-Russia cybercriminal groups.

Intelligence gathered by the agencies indicates the Russian government has been exploring opportunities for conducting cyberattacks against targets in the West in retaliation for the sanctions imposed on Russia and the support being provided to Ukraine. The agencies warn that Russian state-sponsored hacking groups have been conducting Distributed Denial of Service (DDoS) attacks in Ukraine and are known to have used destructive malware in Ukraine on government and critical infrastructure organizations. These hacking groups are highly skilled, can gain access to IT networks, maintain persistence, exfiltrate sensitive data, and can cause major disruption to critical systems, including industrial control systems.

The alert names several Russian government and military organizations that have engaged in these malicious activities, including the Russian Federal Security Service (FSB), Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU), and the Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM).

The FSB is known to have conducted cyber operations against the Energy Sector, including companies in the US and UK, private sector organizations, cybersecurity companies, and others, and has engaged cybercriminal hackers and tasked them with conducting espionage-focused activities. The SVR has conducted targeted attacks on critical infrastructure organizations and is known for conducting sophisticated attacks using stealthy intrusion tradecraft. The GRU has targeted a range of critical infrastructure organizations, and the TsNIIKhM has a history of conducting attacks on foreign companies and government organziations.

Several cybercriminal groups have publicly voiced their support for Russia and have threatened to conduct cyberattacks on organizations that are perceived to have conducted cyber offensives against the Russian government or the Russian people. These cybercriminal groups are thought to pose a threat to all critical infrastructure organizations, including healthcare. They primarily conduct DDoS attacks with extortion and ransomware attacks.

The cybersecurity agencies have urged all critical infrastructure entities to take steps to prepare for and mitigate cyberattacks. The alert provides detailed information on threat actors and state-sponsored hacking groups of concern and recommendations for preparing for and mitigating cyber threats.

The post Five Eyes Agencies Warn Critical Infrastructure Orgs About Threat of Russian State-Sponsored and Criminal Cyberattacks appeared first on HIPAA Journal.

2021 Saw Record Numbers of DDoS Attacks on the Healthcare Industry

A new report from Comcast Business indicates 2021 was another record-breaking year for Distributed Denial of Service (DDoS) attacks. 9.84 million DDoS attacks were reported in 2021, which is a 14% increase from 2019, although slightly lower than the previous year when 10.1 million attacks were reported.

The slight decline in attacks was due to several factors. 2020 was a particularly bad year as it was a full lockdown year where employees were working remotely and students were learning from home, which provided attackers with a unique landscape against which to launch an unprecedented number of DDoS attacks, and the high prices of cryptocurrencies in 2021 meant many threat actors diverted their botnets from conducting DDoS attacks to mining cryptocurrencies.

DDoS attackers spared no one in 2021; however, 73% of attacks were conducted on just four sectors – healthcare, government, finance, and education. Attackers followed seasonal trends and activities throughout the year, with education being attacked to coincide with the school year, and COVID-19 and vaccine availability drove DDoS attacks on the healthcare industry.

Multi-vector attacks increased by 47% in 2021. Comcast Business DDoS Mitigation Services defended customers against 24,845 multi-vector attacks targeting layers 3, 4, & 7 (Network, Transport & Application) simultaneously. 69% of Comcast Business clients were victims of DDoS attacks in 2021, a 41% increase from 2020, and 55% of Comcast Business customers experienced multi-vector attacks targeting layers, 3, 4, & 7 simultaneously. There was also a major increase in the number of vectors used in multi-vector attacks, increasing from 5 in 2020 to 15 in 2021, with the amplification protocols in the attacks increasing from 3 to 9.

DDoS attacks flood victims’ networks with traffic to render them unusable, and while attacks are often conducted just for that reason, it is common for DDoS attacks to be conducted to distract organizations and consume resources while the attackers engage in other nefarious activities. There is a strong link between DDoS attacks and data breaches. According to a Neustar survey, almost half of organizations (47%) that suffered a DDoS attack discovered a virus on their networks after the attack, 44% said malware was activated, 33% reported a network breach, 32% reported customer data theft, 15% suffered a ransomware attack, and 11% were victims of financial theft.

The most severe attack in 2021 was a 242 Gbps DDoS attack, which would be sufficient to saturate even high bandwidth Ethernet Dedicated Internet (EDI) circuits within minutes. The magnitude of attacks has increased and a trend has been identified where threat actors conduct low-volume attacks to stay under the radar of IT teams and cause damage on multiple levels. This tactic can degrade website performance, yet the attacks are often not detected by IT teams, who only discover they have been targeted when they start receiving complaints from customers.

DDoS attacks are cheap to perform, costing just a few dollars, although for a few hundred dollars massive attacks can be conducted that can cripple businesses. DDoS attacks can be incredibly costly for businesses. The attacks can prevent businesses from reaching their customers and meeting SLAs, and the attacks can result in devastating financial and reputational damage. In some cases, the damage is so severe that businesses have been forced to permanently close. For businesses that depend on availability, every minute of downtime can cause hundreds of thousands or even millions of dollars in losses.

“Even if you are a small business and think you are at a lower risk, you could be in the supply chain for a larger organization,” said explained Comcast Business in the report. “You can be sure that your business partners are watching their threat risk factors and are increasingly concerned about doing business with companies that are not.”

The post 2021 Saw Record Numbers of DDoS Attacks on the Healthcare Industry appeared first on HIPAA Journal.

FBI Issues Warning About BlackCat Ransomware Operation

The Federal Bureau of Investigation (FBI) has issued a TLP: WHITE flash alert about the BlackCat ransomware-a-s-a-service (RaaS) operation. BlackCat, also known as ALPHAV, was launched in November 2021, shortly after the shutdown of the BlackMatter ransomware operation, which was a rebrand of DarkSide, which was behind the ransomware attack on Colonial Pipeline. A member of the operation has claimed they are a former affiliate of BlackMatter/DarkSide that branched out on their own; however, it is more likely that BlackCat is a rebrand of BlackMatter/DarkSide.

The FBI said many of the developers and money launderers involved with the BlackCat operation have been linked to DarkSide/BlackMatter, which indicates they have extensive networks and considerable experience with running RaaS operations. The BlackCat RaaS operation has not been active for long, but the group has already claimed at least 60 victims worldwide. BlackCat typically targets large organizations and demands ransom payments of several million dollars in Bitcoin or Monero, although the group does appear willing to negotiate payments with victims.

Unusually for ransomware, it is written in RUST, which is considered to be a more secure programming language that ensures better performance and concurrent processing. Initial access to networks is usually gained using previously compromised credentials, and once access is gained, Active Directory user and administrator accounts are compromised. The ransomware executable is highly customizable and allows attacks on a wide range of corporate environments, it supports multiple encryption methods, and can disable security features on victim networks.

The group uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy the ransomware, initially using PowerShell scripts and Cobalt Strike. Windows administrative tools and Microsoft Sysinternals tools are also used during compromise. Prior to encrypting files, victim data is stolen, including from cloud providers. Threats are then issued to publish the stolen data on the leak site if the ransom is not paid. In the flash alert, the FBI has shared indicators of compromise (IoCs) and mitigation measures that should be adopted to improve security and make it harder for attacks to succeed.

As with all ransomware attacks, the FBI recommends not paying the ransom as there is no guarantee that files will be recovered, payment does not prevent further attacks, and there is no guarantee that any data stolen in the attack will not be published, stolen, or misused. However, the FBI accepts that payment of the ransom may be the only option in some cases to protect customers, patients, employees, and shareholders.

Regardless of whether or not the ransom is paid, the FBI has requested victims report attacks to their local FBI field office. The FBI has requested IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.

The post FBI Issues Warning About BlackCat Ransomware Operation appeared first on HIPAA Journal.

HHS Issues Warning to HPH Sector about Hive Ransomware

The HHS’ Office of Information Security Health Sector Cybersecurity Coordination Center (HC3) has issued a TLP: White alert about the Hive ransomware group – A particularly aggressive cybercriminal operation that has extensively targeted the healthcare sector in the United States.

HC3 has shared an analysis of the tactics, techniques, and procedures (TTPs) known to be used by the group in their attacks and has shared cybersecurity principles and mitigations that can be adopted to improve resilience against Hive ransomware attacks.

The Hive ransomware group has been conducting attacks since at least June 2021. The group is known for using double extortion tactics, where sensitive data is exfiltrated prior to file encryption and threats are issued to publish the data if the ransom is not paid. The group is also known to contact victims by phone to pressure them into paying the ransom.

Hive is a ransomware-a-service (RaaS) operation where affiliates are recruited to conduct attacks on the gang’s behalf in exchange for a cut of the profits that are generated, which allows the core members of the group to concentrate on development and operations.

Having affiliates with different specialties means a variety of TTPs are employed to gain access to networks; however, the group most commonly uses phishing emails, Remote Desktop Protocol, and VPN compromise in their attacks. Once access to networks is gained, compromised systems are searched to identify applications and processes involved in backing up data, and then those processes and applications are terminated or disrupted. Shadow copies, backup files, and system snapshots are also deleted to make it harder for victims to recover without paying the ransom.

The ransomware is actively developed, and several features and practices have been adopted to prevent analysis of the ransomware, interception and monitoring of negotiations with victims, and the group has adopted a new IPv4 obfuscation technique – IPfuscation – to make their attacks stealthier.

Defending against Hive ransomware attacks requires standard cybersecurity best practices to be followed, including  the following:

  • Changing default passwords and setting strong passwords
  • Implementing 2-factor authentication, especially for remote access services
  • Providing regular security awareness training to the workforce
  • Creating multiple copies of backups, testing those backups, and storing backups offline
  • Ensuring there is continuous monitoring, supported by a constant input of threat data
  • Implementing a comprehensive vulnerability management program and prioritizing known exploited vulnerabilities
  • Ensuring software and operating systems are kept up to date
  • Implementing comprehensive endpoint security solutions that are automatically updated with the latest signatures/updates.

The post HHS Issues Warning to HPH Sector about Hive Ransomware appeared first on HIPAA Journal.

Microsoft Sinkholes Notorious ZLoader Botnet

The notorious cybercrime ZLoader botnet, which was used to deliver Ryuk ransomware in attacks on healthcare providers, has been disabled by Microsoft’s Digital Crimes Unit (DCU). Microsoft recently obtained a court order from the United States District Court for the Northern District of Georgia authorizing the seizure of 65 hard-coded domains used by the ZLoader botnet for command-and-control communications. Those domains have now been sinkholed, preventing the operator of the botnet from communicating with devices infected with ZLoader malware.

ZLoader malware included a domain generation algorithm (DGA) which is triggered if communication with the hard-coded domains is not possible, which serves as a failsafe against any takedown efforts. The court order also allowed Microsoft to seize 319 DGA-registered domains. Microsoft is working to block the registration of any future DGA domains.

ZLoader is part of a family of malware variants that descended from the ZeuS banking Trojan. Initially, ZeuS was used for credential and financial theft, with the aim of transferring money out of victims’ financial accounts. The threat actor behind the malware then established a malware-as-a-service operation to deliver malware and ransomware for other threat actors such as Ryuk.

Ryuk ransomware has been extensively used in attacks on the healthcare industry since its emergence in 2018, and ZLoader was one of the ways the ransomware was delivered. ZLoader is capable of disabling a popular antivirus solution to evade detection, and the malware has been installed on thousands of devices, many of which are in education and healthcare.

The takedown of the botnet is significant; however, the operators of the botnet are likely already working to set up new command and control infrastructure. Microsoft said the takedown has been a success and resulted in the temporary disabling of the ZLoader infrastructure, which has made it more difficult for the organized criminal gang to continue with its malicious activities.

“We referred this case to law enforcement, who are tracking this activity closely and will continue to work with our partners to monitor the behavior of these cybercriminals. We will work with internet service providers to identify and remediate victims,” said Microsoft. Microsoft also confirmed that it is prepared to take further legal action and implement technical measures to deal with ZLoader and other botnets.

Microsoft also named an individual who is believed to be responsible for developing a component of the malware that was used for delivering ransomware – Denis Malikov, who resides in Simferopol on the Crimean Peninsula. “We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.”

Microsoft said it was assisted with its investigation of the ZLoader operation by the cybersecurity firm ESET, Palo Alto Networks’ Unit 42, team, and Black Lotus Labs, and was provided with additional insights from the Financial Services Information Sharing and Analysis Centers (FS-ISAC), the Health Information Sharing and Analysis Center (H-ISAC), the Microsoft Threat Intelligence Center, and the Microsoft Defender Team.

The post Microsoft Sinkholes Notorious ZLoader Botnet appeared first on HIPAA Journal.

JekyllBot:5 Vulnerabilities Allow Hackers to Take Control of Aethon TUG Hospital Robots

Five zero-day vulnerabilities have been identified in Aethon TUG autonomous mobile robots, which are used in hospitals worldwide for transporting goods, medicines, and other medical supplies. Hospital robots are attractive targets for hackers. If access to the robots is gained, a variety of malicious actions could be performed.

Attackers could trigger a denial-of-service condition to disrupt hospital operations for extortion, and since sensitive patient data is fed into the devices, exploitation of the vulnerabilities could provide hackers with access to patient data. The robots are given privileged access to restricted areas within healthcare facilities, which would not normally be accessible to unauthorized individuals. The robots can open doors and access elevators, and could be used to block access, shut down elevators, or bump into staff and patients. Since the robots have integrated cameras, they could be hijacked and used for surveillance. The robots could also potentially be hijacked and used to deliver malware or could serve as a launchpad for more extensive cyberattacks on hospital networks.

The vulnerabilities, which are collectively named JekyllBot:5, were identified by Asher Brass and Daniel Brodie of the healthcare IoT security firm Cynerio. The researchers said the vulnerabilities require a low level of skill to exploit, can be exploited remotely if the system is connected to the Internet, and exploitation of the vulnerabilities does not require any special privileges.

One of the vulnerabilities is rated critical with a CVSS severity score of 9.8 out of 10 and the other four are all high-severity issues with CVSS scores between 7.6 and 8.2. The most serious vulnerability, tracked as CVE-2022-1070, could be exploited by an unauthenticated attacker to access the TUG Home Base Server websocket, which would allow the attacker to cause a denial-of-service condition, gain access to sensitive information, and take full control of TUG robots.

Two of the vulnerabilities – CVE-2022-1066 and CVE-2022-26423 – are due to missing authentication and have been given CVSS scores of 8.2. The first vulnerability can be exploited by an unauthenticated attacker and allows new users to be created with administrative privileges and allows existing users to be modified or deleted. The second vulnerability allows an unauthenticated attacker to freely access hashed user credentials.

The remaining two vulnerabilities – CVE-2022-1070 and CVE-2022-1059 – make the Fleet Management Console vulnerable to cross-site scripting attacks. Both flaws have been given a CVSS score of 7.6.

“The worst-case scenario is a total disruption of critical care and violation of patient privacy, and JekyllBot:5 would give attackers the means to compromise security in ways they would not otherwise be able to, especially in terms of physical security,” said Brodie.

The researchers notified Aethon and CISA about the vulnerabilities. Aethon has patched the vulnerabilities via a new firmware release – version 24. All versions of the firmware prior to version 24 are at risk of exploitation of the JekyllBot:5 vulnerabilities.

Further steps can also be taken to minimize the risk of the exploitation of vulnerabilities. CISA recommends not exposing control system devices and systems to the Internet, locating all control systems behind firewalls, and isolating systems such as TUG Home Base Server from business networks. If remote access is necessary, Virtual Private Networks should be required for access and VPNs should be kept up to date and always be running the latest software version.

“Hospitals need solutions that go beyond mere healthcare IoT device inventory checks to proactively mitigate risks and apply immediate remediation for any detected attacks or malicious activity,” said Leon Lerman, founder and CEO of Cynerio. “Any less is a disservice to patients and the devices they depend on for optimal healthcare outcomes.”

The post JekyllBot:5 Vulnerabilities Allow Hackers to Take Control of Aethon TUG Hospital Robots appeared first on HIPAA Journal.

Warning Issued About Phishing Campaigns Involving Legitimate Email Marketing Platforms

A recent data breach at the email marketing platform vendor Mailchimp has prompted a warning from the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) about the risk of phishing attacks using the platform.

The breach came to light when the cryptocurrency hardware wallet provider, Trezor, investigated a phishing campaign targeting its customers that used the email addresses registered to Trezor accounts, which uncovered a data breach at Mailchimp.

Mailchimp’s investigation confirmed that threat actors had successfully compromised internal accounts of its customer support and account administration teams, and while those accounts have now been secured, the attackers were able to gain access to the accounts of 300 Mailchimp users and were able to extract audience data from 102 of those accounts. API keys were also obtained by the attackers that allow them to create email campaigns for use in phishing attacks without having to access customer portals.

Since accounts used by Mailchimp customers to send marketing campaigns such as newsletters may be whitelisted by subscribers, any phishing campaigns conducted using the compromised accounts may see the emails delivered to inboxes. HC3 says it is only aware of one phishing campaign being conducted using a compromised account, which targeted users in the cryptocurrency and financial sectors, but there is a risk that campaigns could also be conducted targeting users in the healthcare and public health (HPH) sector.

HC3 has recommended organizations in the HPH sector take steps to mitigate the threat. HC3 says the best defense is user awareness training since phishing emails will come from a legitimate and trusted sender. Employees should be made aware of the threat and be instructed to be wary of any emails sent via Mailchimp. While phishing emails could be sent, malware may also be delivered. Antivirus software should be implemented, network intrusion prevention systems are beneficial, and HC3 also suggests using web filters to restrict access to web content that is not necessary for business operations.

Anti-spoofing and other email authentication mechanisms are also recommended. These include performing validity checks of the sender domain using SPK, checking the integrity of messages using DKIM, and checking to make sure the sender is authorized to use the domain using DMARC.

The post Warning Issued About Phishing Campaigns Involving Legitimate Email Marketing Platforms appeared first on HIPAA Journal.