Healthcare Cybersecurity

Settlement Reached in Excellus Class Action Data Breach Lawsuit

Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement to resolve a class action lawsuit that was filed in relation to a cyberattack discovered in 2015 involving the personally identifiable information (PII) and protected health information (PHI) of more than 10 million members, subscribers, insureds, patients, and customers.

The cyberattack was detected on August 5, 2015, by a cybersecurity firm hired to assess Excellus’s information technology systems. The subsequent investigation by Excellus and the cybersecurity firm Mandiant determined that hackers had first gained access to its systems on or before December 23, 2013. Evidence indicated the hackers were active within the network until August 18, 2014, after which no traces of activity were found; however, malware had been installed that gave the attackers access to the network until May 11, 2015, when something prevented them from accessing it further. The attackers therefore had a route into the network for around 17 months, and the intrusion was not detected until almost three months after that access ended.

The HHS’ Office for Civil Rights (OCR) launched an investigation into the data breach and uncovered several potential violations of the HIPAA Rules, including security failures and the impermissible disclosure of the PHI of 9.3 million individuals. The case was settled in January 2021: Excellus agreed to pay a financial penalty of $5.1 million to resolve the HIPAA violations and to implement a corrective action plan to address the security failures and the alleged HIPAA non-compliance issues.

The lawsuit was brought against Excellus, Lifetime Healthcare Inc., Lifetime Benefit Solutions Inc., Genesee Region Home Care Association Inc., MedAmerica Inc., Univera Healthcare, and the Blue Cross Blue Shield Association, on behalf of all individuals affected by the data breach. Initially, the lawsuit sought monetary damages and injunctive relief; however, for several legal reasons, the court was unable to certify classes seeking monetary damages, and only certified a class for injunctive relief.

The plaintiffs alleged the defendants had failed to implement appropriate security measures to ensure the confidentiality of PII and PHI, failed to detect the security breach for 17 months, and, when the breach was detected, waited too long to notify affected individuals and then failed to provide sufficient information about how victims could protect themselves from harm. The lawsuit sought to require the Excellus defendants and BCBSA to change their information security practices with respect to PII and PHI and to invest in information security. The Excellus defendants and BCBSA denied any wrongdoing and, to date, no court has determined that the defendants did anything wrong.

The Excellus defendants and BCBSA have agreed to cover reasonable attorneys’ fees, costs, and expenses as approved by the courts. The costs include a maximum of $3.3 million to cover attorneys’ fees and the reimbursement of expenses of no more than $1,000,000. Service awards of up to $7,500 will also be provided to class representatives.

Changes will be made to business practices regarding the safeguarding of PII and PHI which will cover the three years from the finalization of the settlement or the two years after each of the changes has been implemented. The information security requirements detailed in the settlement require the Excellus defendants and BCBSA to:

  • Increase and maintain a minimum information security budget
  • Develop a strategy and engage vendors to ensure records containing PII or PHI are disposed of within one year of the original retention period
  • Take steps to improve the security of its network, including the use of tools for detecting suspicious activity, authenticating users, responding to and containing security incidents, and document retention
  • Engage in an extensive data archiving program and provide plaintiffs with documentation confirming the extent, scope, and thoroughness of the archiving project
  • Provide the plaintiffs with copies of documents provided to OCR that demonstrate compliance with the OCR settlement and corrective action plan
  • Make an annual declaration attesting to compliance with each aspect of the items in the settlement, including the extent to which it has not been possible to comply with any of the items

If the settlement is approved by the court – a hearing has been scheduled for April 13, 2022 – all plaintiffs and class members will be required to release all claims against the Excellus defendants and BCBSA for injunctive and declaratory relief. The settlement will not release any claims against the Excellus defendants and BCBSA for monetary damages.

The post Settlement Reached in Excellus Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents.

The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers, birth/marriage certificates, diagnoses, and medical treatment information.

Between June 24, 2020, and July 1, 2020, the attackers accessed the account from multiple IP addresses, including some outside the United States. On July 1, 2020, the account was used to send around 2,000 phishing emails to EyeMed clients. EyeMed’s IT department detected the phishing emails and received multiple inquiries from clients querying their legitimacy, and the compromised account was then immediately secured.

The subsequent forensic investigation confirmed the attacker could have exfiltrated data from the email account while access was possible but could not determine whether any personal information was actually stolen. Affected individuals were notified in September 2020 and were offered complimentary credit monitoring, fraud consultation, and identity theft restoration services.

The Office of the New York Attorney General investigated the security incident and data breach and determined that, at the time of the attack, EyeMed had failed to implement appropriate security measures to prevent unauthorized individuals from accessing the personal information of New York residents.

The email account was accessible via a web browser and contained large quantities of consumers’ sensitive information spanning several years, yet EyeMed had not enforced multifactor authentication on it. Password management for the account was also inadequate: only an 8-character minimum was required, even though EyeMed recognized the importance of stronger passwords by requiring at least 12 characters for admin-level accounts, and six failed password attempts were allowed before the user ID was locked out. EyeMed had also failed to maintain adequate logging of email accounts and was not monitoring them, which made it difficult to identify and investigate security incidents. Retaining consumer data in the email account for such a long period was also unreasonable; older emails should have been transferred to more secure systems and deleted from the account.
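The two signals in this incident that adequate mailbox logging and monitoring would have surfaced are logins from multiple, partly foreign, IP addresses over a week, followed by a burst of outbound mail. The following is an added example of detection logic for that pattern, not EyeMed’s code or logs: the audit-log format (timestamp, account, event, source IP, GeoIP country, and a recipient count on send events), the sample lines, the allowed-country list and the thresholds are all assumptions constructed for the illustration.

```python
"""Mailbox-compromise detection run over constructed audit-log lines.

Added example: not EyeMed's code or logs. The log format (timestamp, account,
event, source IP, GeoIP country[, recipient count]) and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. IPs are from documentation ranges; accounts are fictitious.
SAMPLE_LOG = """\
2020-06-24T08:02:11Z,benefits@example.test,login,203.0.113.10,US
2020-06-24T22:41:05Z,benefits@example.test,login,198.51.100.77,NG
2020-06-25T03:15:40Z,benefits@example.test,login,192.0.2.200,RU
2020-06-26T09:00:00Z,benefits@example.test,send,203.0.113.10,US,3
2020-06-30T14:20:00Z,benefits@example.test,login,198.51.100.78,NG
2020-07-01T10:00:00Z,benefits@example.test,send,198.51.100.78,NG,1200
2020-07-01T10:20:00Z,benefits@example.test,send,198.51.100.78,NG,800
2020-06-24T09:10:00Z,payroll@example.test,login,203.0.113.11,US
2020-06-25T09:12:00Z,payroll@example.test,login,203.0.113.11,US
2020-06-25T09:30:00Z,payroll@example.test,send,203.0.113.11,US,4
"""


def parse_events(text):
    """Parse the constructed CSV-style log into dicts, ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        fields = line.split(",")
        ts, account, kind, ip, country = fields[:5]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "kind": kind,
            "ip": ip,
            "country": country,
            # Only "send" events carry a recipient count.
            "recipients": int(fields[5]) if kind == "send" else 0,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_logins(events, allowed_countries=frozenset({"US"}),
                           window=timedelta(days=7), max_ips=2):
    """Flag logins from outside the allowed countries, and accounts used from
    more than max_ips distinct addresses inside a sliding window (flagged once)."""
    findings = []
    logins = defaultdict(list)
    for e in events:
        if e["kind"] == "login":
            logins[e["account"]].append(e)
    for account, evs in logins.items():
        flagged_many_ips = False
        for i, e in enumerate(evs):
            if e["country"] not in allowed_countries:
                findings.append((account, "foreign_login", e["ip"], e["country"]))
            recent_ips = {x["ip"] for x in evs[:i + 1] if e["ts"] - x["ts"] <= window}
            if len(recent_ips) > max_ips and not flagged_many_ips:
                findings.append((account, "many_source_ips", e["ip"], len(recent_ips)))
                flagged_many_ips = True
    return findings


def find_send_bursts(events, max_recipients_per_hour=100):
    """Flag any (account, hour) whose outbound recipient count exceeds the limit."""
    per_hour = defaultdict(int)
    for e in events:
        if e["kind"] == "send":
            hour = e["ts"].replace(minute=0, second=0, microsecond=0)
            per_hour[(e["account"], hour)] += e["recipients"]
    return sorted((account, hour, n) for (account, hour), n in per_hour.items()
                  if n > max_recipients_per_hour)


def compromised_accounts(text):
    """Accounts showing both anomalous logins and an outbound burst: the strongest
    signal that a mailbox is being used to send phishing."""
    events = parse_events(text)
    login_hits = {f[0] for f in find_suspicious_logins(events)}
    burst_hits = {b[0] for b in find_send_bursts(events)}
    return sorted(login_hits & burst_hits)


if __name__ == "__main__":
    for account in compromised_accounts(SAMPLE_LOG):
        print("likely compromised mailbox:", account)
```

The login check alone would have fired on the first foreign login, days before the phishing run; correlating it with the send burst is what separates a travelling employee from an account that is actively being abused. Real mail platforms expose equivalent audit events; the thresholds need tuning to the organization’s normal footprint.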

State attorneys general have the authority to take enforcement action over HIPAA violations, so violations of HIPAA could have been cited; however, New York cited only violations of New York General Business Law.

Under the terms of the settlement, EyeMed is required to pay a financial penalty of $600,000 and must implement several measures to improve security and prevent further data breaches. Those measures include:

  • Maintaining a comprehensive information security program that is regularly updated to keep pace with changes in technology and security threats
  • Maintaining reasonable account management and authentication, including the use of multi-factor authentication for all administrative or remote access accounts
  • Encrypting sensitive consumer information
  • Conducting a reasonable penetration testing program to identify, assess, and remediate security vulnerabilities
  • Implementing and maintaining appropriate logging and monitoring of network activity
  • Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it.

“New Yorkers should have every assurance that their personal health information will remain private and protected. EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals,” said Attorney General James. “Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”

The post New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach appeared first on HIPAA Journal.

More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability

A recent study by the healthcare IoT security platform provider Cynerio has revealed 53% of connected medical devices and other healthcare IoT devices have at least one unaddressed critical vulnerability that could potentially be exploited to gain access to networks and sensitive data or affect the availability of the devices. The researchers also found a third of bedside healthcare IoT devices have at least one unpatched critical vulnerability that could affect service availability, data confidentiality, or place patient safety in jeopardy.

The researchers analyzed the connected device footprints at more than 300 hospitals to identify risks and vulnerabilities in their Internet of Medical Things (IoMT) and IoT devices. IV pumps are the most commonly used healthcare IoT device, making up around 38% of a hospital’s IoT footprint, and they were found to be the most vulnerable to attack, with 73% having a vulnerability that could threaten patient safety, service availability, or result in data theft. 50% of VoIP systems contained vulnerabilities, with ultrasound devices, patient monitors, and medicine dispensers the next most vulnerable device categories.

The widely publicized URGENT/11 and Ripple20 vulnerabilities are naturally a cause for concern; however, there are much more common and more easily exploitable weaknesses in IoT and IoMT devices. URGENT/11 and Ripple20 affect around 10% of healthcare IoT and IoMT devices, but the most common risk was weak credentials. Default passwords can easily be found in online device manuals, and weak passwords are vulnerable to brute force attacks. One-fifth (21%) of IoT and IoMT devices were found to have default or weak credentials.

The majority of pharmacology, oncology, and laboratory devices and large numbers of the devices used in radiology, neurology, and surgery departments were running outdated Windows versions (older than Windows 10) which are potentially vulnerable.

Unaddressed software and firmware vulnerabilities are common in bedside devices, with the most common being improper input validation, improper authentication, and the continued use of devices for which a device recall notice has been issued. Without visibility into the devices connected to the network and a comprehensive inventory of all IoT and IoMT devices, identifying and addressing vulnerabilities before they are exploited by hackers will be a major challenge and it will be inevitable that some devices will remain vulnerable.

Many medical devices are used in critical care settings, where there is very little downtime. More than 80% of healthcare IoT devices are used monthly or more frequently, which gives security teams a small window for identifying and addressing vulnerabilities and segmenting the network. Having an IT solution in place that can provide visibility into connected medical devices and provide key data on the security of those devices will help security teams identify vulnerable devices and plan for updates.

Patches often cannot be applied: healthcare IoT devices are frequently in constant use, and many are used past their end-of-support date. In such cases, the best alternative is virtual patching, where steps are taken to prevent the vulnerabilities from being exploited, such as quarantining devices and segmenting the network.

Segmenting the network is one of the most important steps to take to improve healthcare IoT and IoMT security. When segmentation takes medical workflows and patient care contexts into account, Cynerio says 92% of critical risks in IoT and IoMT devices can be effectively mitigated.

Most healthcare IoT and IoMT cybersecurity efforts are focused on creating a comprehensive inventory of all IoT and IoMT devices and gathering data about those devices to identify potential risks. “Visibility and risk identification are no longer enough. Hospitals and health systems don’t need more data – they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it’s time for all of us to step up,” said Daniel Brodie, CTO and co-founder, Cynerio.

The post More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability appeared first on HIPAA Journal.

Healthcare Cybersecurity Risks in 2022

The healthcare industry continues to face a considerable range of threats, with ransomware attacks and data breaches still highly prevalent. Throughout 2021, healthcare data breaches were being reported at a rate of almost 2 per day, and while there was a reduction in the number of ransomware attacks compared to 2020, ransomware remains a major threat with several ransomware gangs actively targeting the healthcare sector.

In its Q4, 2021 Healthcare Cybersecurity Bulletin, released on Friday, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned of some of the ongoing cyberattack trends that are expected to continue in Q1, 2022.

Ransomware

Law enforcement agencies in the United States and Europe have increased their efforts to bring the operators of ransomware operations and their affiliates to justice, with those efforts resulting in the arrests of key members of several ransomware groups. In January 2022, in a rare act of cooperation between the United States and Russia, 14 suspected members of the notorious REvil ransomware gang were arrested. The increased pressure on ransomware gangs has helped to curb attacks, but there are still many ransomware gangs in operation, several of which have been actively targeting the healthcare sector.

Emsisoft tracked 68 ransomware attacks on healthcare providers in 2021, down from 80 in 2020; however, there have also been several attacks on business associates that have affected multiple healthcare organizations. A recent FinCEN report identified 68 ransomware variants in the first half of 2021 alone and traced more than $5.2 billion in bitcoin transactions potentially tied to the 10 most commonly reported variants. Ransomware will continue to be a problem for the healthcare sector in 2022, so it is important to follow industry best practices to prepare for, prevent, and recover from ransomware attacks to ensure patient safety.

Apache Log4J

The vulnerabilities identified in the Apache Log4j logging library, the first of which was reported to Apache in late November 2021 and disclosed publicly in early December, continue to pose problems for healthcare organizations. A proof-of-concept exploit was released in December 2021, and multiple threat actors have been exploiting the vulnerabilities. HC3 issued a threat brief on January 20, 2022, warning about the risk of exploitation of the six vulnerabilities and suggesting mitigations that should be implemented immediately to reduce the risk of exploitation.

Emotet Botnet

Emotet malware first appeared in 2014 and has been extensively used in attacks on healthcare organizations. Devices infected with the Emotet Trojan are added to the botnet, and access to those devices is sold to other threat groups, often leading to ransomware attacks. The botnet was taken down in January 2021, which is part of the reason why there has been a reduction in ransomware attacks; however, the botnet is now being rebuilt with greater resilience to takedown attempts and now has several new capabilities. Emotet is likely to pose a significant threat to the healthcare industry throughout 2022 so it is important to take steps to improve defenses. Emotet is primarily distributed via phishing emails, so healthcare organizations need to implement robust email security measures and ensure they provide security awareness training to the workforce.

Vulnerabilities

Vulnerabilities in information systems continue to be exploited to gain access to healthcare networks and sensitive data. It is critical for healthcare organizations to stay on top of patching and to apply software updates promptly. Patching should be prioritized, with the vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog addressed first, along with any critical vulnerabilities in software, operating systems, and firmware.
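Prioritizing by the CISA Known Exploited Vulnerabilities catalog first and critical scores second is a ranking rule, and it is easy to get wrong when the same CVE appears on several hosts or a KEV due date has already passed. The block below is an added example of that rule, not HC3’s or CISA’s code: the catalog excerpt copies the field names of CISA’s KEV JSON feed, but the CVE identifiers, vendors, products, hosts and CVSS scores are placeholders constructed for the illustration.

```python
"""Patch prioritization against a CISA KEV-style catalog.

Added example, not HC3's or CISA's code. The catalog excerpt mirrors the field
names of CISA's KEV JSON feed, but the CVE IDs, vendors and products are
placeholders; the scanner inventory is constructed as well.
"""
import json
from datetime import date

# Constructed KEV excerpt (placeholder CVE IDs; shape follows the real feed).
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "MailGateway",
         "dateAdded": "2022-01-10", "dueDate": "2022-01-24"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp", "product": "PACS Viewer",
         "dateAdded": "2022-01-25", "dueDate": "2022-02-15"},
    ]
})

# Constructed scanner output: one finding per host/CVE with its CVSS base score.
INVENTORY = [
    {"host": "ehr-app-01", "cve": "CVE-2099-0001", "cvss": 9.8},
    {"host": "pacs-gw-02", "cve": "CVE-2099-0002", "cvss": 7.5},
    {"host": "infusion-srv-03", "cve": "CVE-2099-0003", "cvss": 9.1},
    {"host": "hr-web-04", "cve": "CVE-2099-0004", "cvss": 5.3},
    {"host": "hr-web-04", "cve": "CVE-2099-0002", "cvss": 7.5},
]

CRITICAL_CVSS = 9.0  # assumed threshold for "critical"


def load_kev(text):
    """Index a KEV-format document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def classify(finding, kev, today):
    """Assign a tier: 0 = KEV entry past its due date, 1 = KEV entry not yet due,
    2 = critical CVSS outside KEV, 3 = everything else.
    Returns (tier, due_date_or_None, days_overdue, reason)."""
    entry = kev.get(finding["cve"])
    if entry is not None:
        due = date.fromisoformat(entry["dueDate"])
        overdue = (today - due).days
        if overdue > 0:
            return 0, due, overdue, "in KEV, %d days past due" % overdue
        return 1, due, 0, "in KEV, due %s" % due.isoformat()
    if finding["cvss"] >= CRITICAL_CVSS:
        return 2, None, 0, "critical CVSS %.1f" % finding["cvss"]
    return 3, None, 0, "CVSS %.1f" % finding["cvss"]


def prioritize(inventory, kev, today):
    """Return findings ordered for patching: KEV first (earliest due date first),
    then critical scores, then the rest by score. Ties keep inventory order."""
    ranked = []
    for f in inventory:
        tier, due, overdue, reason = classify(f, kev, today)
        ranked.append({**f, "tier": tier, "due": due,
                       "days_overdue": overdue, "reason": reason})
    ranked.sort(key=lambda r: (r["tier"], r["due"] or date.max, -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_JSON), date.today()):
        print(r["tier"], r["host"], r["cve"], r["reason"])
```

Note that the KEV match outranks the raw score: the 7.5-scored finding on two hosts is scheduled ahead of an unexploited 9.1, which is the point of the catalog. In production the catalog would be fetched from CISA rather than embedded, and the inventory would come from the vulnerability scanner.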

The post Healthcare Cybersecurity Risks in 2022 appeared first on HIPAA Journal.

CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all organizations in the United States to take immediate steps to prepare for attempted cyberattacks involving a new wiper malware that has been used in targeted attacks on government agencies, non-profits, and information technology organizations in Ukraine.

The malware – dubbed WhisperGate – masquerades as ransomware and displays a ransom note; however, it has no capability to allow files to be recovered. WhisperGate consists of a Master Boot Record (MBR) wiper, a file corruptor, and a Discord-based downloader. The MBR is the first sector of a disk; it holds the partition table and the boot code that locates and loads the operating system. Overwriting the MBR leaves an infected device unable to boot until the disk is repaired or reimaged.

The Microsoft Threat Intelligence Center (MSTIC) has recently performed an analysis of the new malware. The first stage, typically called stage1.exe, overwrites the MBR so that the operating system can no longer load; the wiper takes effect when the infected device is powered down and restarted, at which point the fake ransom note is displayed instead of the operating system booting. The second stage, stage2.exe, is a downloader that retrieves the file corruptor, which runs in memory and overwrites files with hardcoded extensions so that they cannot be recovered.

The attacks have so far been conducted on targets in Ukraine, but there is a risk of much broader attacks. Wiper malware such as this has been used to attack organizations in Ukraine in the past and in much broader attacks worldwide. In 2017, the NotPetya wiper was used to attack organizations in Ukraine and was delivered in a supply chain attack via legitimate tax software. NotPetya attacks were also conducted globally causing major damage to IT systems and significant data loss. NotPetya is believed to have been used by a Russian hacking group known as Voodoo Bear/Sandworm.

The current theory of the Ukrainian government is the attacks are being conducted by an Advanced Persistent Threat (APT) group known to have strong links with Belarus. There is a legitimate concern that similar attacks may occur in the United States using Whispergate, especially on critical infrastructure organizations and companies with links to Ukraine.

CISA has issued an Insights bulletin providing information on steps that can be taken to protect against the malware threat and reduce the likelihood of a damaging cyber intrusion. The bulletin also includes guidance on how to quickly detect and respond to a potential intrusion, and how to maximize resilience to a destructive cyber threat.

The post CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks appeared first on HIPAA Journal.

December 2021 Healthcare Data Breach Report

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month, and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding the previous year’s total by 70 – a 10.9% increase from 2020.

2021 healthcare data breaches

Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed – a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021 – the second-highest total since OCR started publishing summaries of healthcare data breaches in 2009.

2021 healthcare data breaches - records breached

Largest Healthcare Data Breaches in December 2021

Name of Covered Entity State Covered Entity Type Individuals Affected Breach Cause
Oregon Anesthesiology Group, P.C. OR Healthcare Provider 750,500 Ransomware
Texas ENT Specialists TX Healthcare Provider 535,489 Ransomware
Monongalia Health System, Inc. WV Healthcare Provider 398,164 Business Email Compromise/Phishing
BioPlus Specialty Pharmacy Services, LLC FL Healthcare Provider 350,000 Hacked network server
Florida Digestive Health Specialists, LLP FL Healthcare Provider 212,509 Business Email Compromise/Phishing
Daniel J. Edelman Holdings, Inc. IL Health Plan 184,500 Business associate hacking/IT incident
Southern Orthopaedic Associates d/b/a Orthopaedic Institute of Western Kentucky KY Healthcare Provider 106,910 Compromised email account
Fertility Centers of Illinois, PLLC IL Healthcare Provider 79,943 Hacked network server
Bansley and Kiener, LLP IL Business Associate 50,119 Ransomware
Oregon Eye Specialists OR Healthcare Provider 42,612 Compromised email accounts
MedQuest Pharmacy, Inc. UT Healthcare Provider 39,447 Hacked network server
Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E. NY Health Plan 20,579 Phishing
Loyola University Medical Center IL Healthcare Provider 16,934 Compromised email account
Bansley and Kiener, LLP IL Business Associate 15,814 Ransomware
HOYA Optical Labs of America, Inc. TX Business Associate 14,099 Hacked network server
Wind River Family and Community Health Care WY Healthcare Provider 12,938 Compromised email account
Ciox Health GA Business Associate 12,493 Compromised email account
A New Leaf, Inc. AZ Healthcare Provider 10,438 Ransomware

Causes of December 2021 Healthcare Data Breaches

18 data breaches of 10,000 or more records were reported in December, with the largest two breaches – two ransomware attacks – resulting in the exposure and potential theft of a total of 1,285,989 records. Ransomware continues to pose a major threat to healthcare organizations. There have been several successful law enforcement takedowns of ransomware gangs in recent months, the most recent of which saw authorities in Russia arrest 14 members of the notorious REvil ransomware operation, but there are still several ransomware gangs targeting the healthcare sector including Mespinoza, which the HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning about this month due to the high risk of attacks.

Phishing attacks continue to result in the exposure of large amounts of healthcare data. In December, email accounts were breached that contained the ePHI of 807,984 individuals. The phishing attack on Monongalia Health System gave unauthorized individuals access to email accounts containing 398,164 records.

8 of the largest breaches of the month involved compromised email accounts, two of which were business email compromise attacks where accounts were accessed through a phishing campaign and then used to send requests for changes to bank account information for upcoming payments.

Causes of December 2021 healthcare data breaches

Throughout 2021, hacking and other IT incidents have dominated the breach reports, and December was no different. 82.14% of the breaches reported in December were hacking/IT incidents, and those breaches accounted for 91.84% of the records breached in December – 2,711,080 records. The average breach size was 58,937 records and the median breach size was 4,563 records. The largest hacking incident resulted in the exposure of the protected health information of 750,500 individuals.

The number of unauthorized access and disclosure incidents has been much lower in 2021 than in previous years. In December there were only 5 reported unauthorized access/disclosure incidents involving 234,476 records. The average breach size was 46,895 records and the median breach size was 4,109 records.

There were two reported cases of the loss of paper/films containing the PHI of 3,081 individuals and two cases of theft of paper/films containing the PHI of 2,129 individuals. There was also one breach involving the improper disposal of a portable electronic device containing the ePHI of 934 patients.

As the chart below shows, the most common location of breached PHI was network servers, followed by email accounts.

Location of breached PHI in December 2021 healthcare data breaches

HIPAA Regulated Entities Reporting Data Breaches in December 2021

Healthcare providers suffered the most data breaches in December, with 36 breaches reported. There were 11 breaches reported by health plans, and 9 breaches reported by business associates. Six breaches were reported by healthcare providers (3) and health plans (3) that occurred at business associates. The adjusted figures are shown in the pie chart below.

December 2021 healthcare data breaches by HIPAA-regulated entity type

December 2021 Healthcare Data Breaches by U.S. State

Illinois was the worst affected state with 11 data breaches, four of which were reported by the accountancy firm Bansley and Kiener and related to the same incident – a ransomware attack that occurred in December 2020. The firm is now facing a lawsuit over the incident and the late notification to affected individuals – 12 months after the attack was discovered.

State Number of Breaches
Illinois 11
Indiana 5
Florida, Oklahoma, and Texas 4
Arizona 3
California, Georgia, Kansas, Michigan, New York, Oregon, Utah, and Virginia 2
Alabama, Colorado, Kentucky, Maryland, North Carolina, Rhode Island, Wisconsin, West Virginia, and Wyoming 1

HIPAA Enforcement Activity in December 2021

There were no further HIPAA penalties imposed by the HHS’ Office for Civil Rights in December. The year closed with a total of 14 financial penalties paid to OCR to resolve violations of the HIPAA Rules. 13 of the cases were settled with OCR, and one civil monetary penalty was imposed. 12 of the OCR enforcement actions were for violations of the HIPAA Right of Access.

The New Jersey Attorney General imposed a $425,000 financial penalty on Regional Cancer Care Associates, which covered three separate Hackensack healthcare providers – Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC – that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland.

The New Jersey Attorney General and the New Jersey Division of Consumer Affairs investigated a breach of the email accounts of several employees between April and June 2019 involving the protected health information of 105,000 individuals and a subsequent breach when the breach notification letters were sent to affected individuals’ next of kin in error.

The companies were alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, failing to protect against reasonably anticipated threats to the security and integrity of patient data, failing to implement security measures to reduce risks and vulnerabilities to an acceptable level, failing to conduct an accurate and comprehensive risk assessment, and lacking a security awareness and training program for all members of the workforce. The case was settled with no admission of liability. There were 4 HIPAA enforcement actions by state attorneys general in 2021, and New Jersey was involved in 3 of them.

The post December 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack

Maryland Chief Information Security Officer (CISO) Chip Stewart has issued a statement confirming the disruption to services at the Maryland Department of Health (MDH) was the result of a ransomware attack.

A security breach was detected in the early hours of December 4, 2021, and prompt action was taken to isolate the affected server and contain the attack. Stewart said the Department of Information Technology successfully isolated and contained the affected systems within a matter of hours, limiting the severity of the attack. “It is in part because of this swift response that we have not identified, to this point in our ongoing investigation, evidence of the unauthorized access to or acquisition of State data,” said Stewart in a statement issued on January 12, 2022.

According to Stewart, there was an attempted distributed-denial-of-service (DDoS) attack shortly after the ransomware attack; however, that attack was not successful. Evidence gathered during the investigation of the ransomware and DDoS attacks indicates they were conducted by different threat actors.

Stewart said he reported the incident to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), activated the state’s cybersecurity insurance policy through the State Treasurer’s Office, and engaged third-party forensic investigators to assist with the investigation and response and recovery efforts. “The companies and personnel provided by the insurance policy are widely regarded as the best in the industry,” said Stewart.

The response to the ransomware attack required systems to be taken offline, sites on the network were isolated from each other, and external access to resources over the Internet and by third parties was blocked. The containment approach limited the ability of state employees to use computers and access shared resources and more than a month after the ransomware attack some services continue to face disruption. While the response and recovery approach has resulted in ongoing disruption, Stewart said this approach was necessary to protect the state’s network and the citizens of the state of Maryland and was important to prevent reinfection.

Atif Chaudhry, MDH Deputy Secretary for Operations, said a major focus in the aftermath of the attack was to ensure business and service continuity, which involved implementing the FEMA Incident Command System (ICS). “Under this ICS system, we formed a Unified Command Structure to address the incident. This permits MDH and DoIT to jointly collaborate to manage and address all incident-related matters. DoIT provides the technical expertise and is taking the lead on network security and IT system recovery efforts,” said Chaudhry.

MDH faced a shortage of equipment in the aftermath of the attack, which meant employees have had to share computers at work. To address the problem, Chaudhry said MDH ordered an additional 2,400 laptop computers and a further 3,000 will be ordered this week. Additional IT equipment such as wireless access points and printers has also been ordered to ensure employees have the equipment they need to do their jobs. Further, alternative processes have been implemented to ensure staff can serve the most urgent needs of the public, which include migration to Google Workspaces. Google Workspaces has provided employees a suite of online tools that are unaffected by the ransomware attack, ensuring employees can collaborate and save and share critical files.

The attack has caused disruption to the state’s pandemic response. On Thursday, January 12, 2022, MDH said it had restored around 95% of state-level surveillance data and it is working to restore the complete COVID-19 dataset. Reports will be updated at the earliest opportunity.

The post Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack appeared first on HIPAA Journal.

Critical Infrastructure Entities Warned About Cyberattacks by State-sponsored Russian APT Actors

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued a joint advisory warning about the threat of Russian cyberattacks on critical infrastructure, including the healthcare, energy, government, and telecommunications sectors.

“CISA, the FBI, and NSA encourage the cybersecurity community – especially critical infrastructure network defenders – to adopt a heightened state of awareness and to conduct proactive threat hunting,” explained the agencies in the advisory.

The agencies have shared details of the tactics, techniques, and procedures (TTPs) commonly used by Russian state-sponsored advanced persistent threat (APT) actors to gain persistent access to networks for espionage and destructive cyberattacks.

Russian APT actors use a variety of methods to breach perimeter defenses, including spear phishing, brute force attacks against accounts and networks with weak security, and the exploitation of unpatched vulnerabilities. They have previously targeted vulnerable Citrix, Pulse Secure, F5 BIG-IP, and VMware products, FortiGate VPNs, Microsoft Exchange, Cisco routers, and Oracle WebLogic Servers.

Russian APT actors have extensive cyber capabilities and are known to conduct highly sophisticated attacks and maintain a long-term presence in compromised networks and cloud environments, with initial access often gained using legitimate credentials. Custom malware is often deployed on operational technology (OT) and industrial control systems (ICS) and used to exfiltrate sensitive data.

All critical infrastructure entities have been advised to closely monitor their networks and systems for signs of malicious activity and take steps to improve their cybersecurity defenses. Security professionals have been advised to create and maintain a cyber incident response plan and follow cybersecurity best practices for identity and access management.

Centralized log collection and monitoring will make it easier to detect and investigate threats in a timely manner. Security teams should search for network and host-based artifacts, review authentication logs for signs of multiple failed login attempts across different accounts, and investigate login failures using valid usernames. It is also recommended to implement security solutions capable of behavioral analysis to identify suspicious network and account activity.
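Added example, not code from the advisory or the article: the two authentication-log checks above (one source failing against many different accounts, and failures against valid usernames) as Python over a constructed sample log; the log format, the thresholds and the user directory are assumptions.

```python
"""Detect two authentication-log patterns the advisory names: a source failing against
many distinct accounts (password spraying) and failures against valid usernames."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line:
# "<ISO timestamp> <source IP> <username> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2022-01-11T08:00:01 203.0.113.7 alice FAILURE
2022-01-11T08:00:03 203.0.113.7 bob FAILURE
2022-01-11T08:00:05 203.0.113.7 carol FAILURE
2022-01-11T08:00:07 203.0.113.7 dave FAILURE
2022-01-11T08:00:09 203.0.113.7 erin FAILURE
2022-01-11T08:00:11 203.0.113.7 frank SUCCESS
2022-01-11T09:15:00 198.51.100.2 alice FAILURE
2022-01-11T09:15:30 198.51.100.2 alice SUCCESS
2022-01-11T10:00:00 192.0.2.9 zzz_unknown FAILURE
"""
KNOWN_USERS = {"alice", "bob", "carol", "dave", "erin", "frank"}  # constructed directory

def parse(text):
    """Return (timestamp, source, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result == "SUCCESS"))
    return events

def spraying_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Map source -> most distinct accounts it failed against within one window."""
    failures = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            failures[src].append((ts, user))
    flagged = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged

def valid_user_failures(events, known_users=KNOWN_USERS):
    """(source, user) pairs for failures against real accounts; unknown names are noise."""
    return [(src, user) for _, src, user, ok in events if not ok and user in known_users]

def successes_after_spray(events, sprayers):
    """Accounts a spraying source eventually logged into: investigate these first."""
    return sorted({(src, user) for _, src, user, ok in events if ok and src in sprayers})
```

In the sample, 203.0.113.7 fails against five distinct accounts within seconds and then succeeds on a sixth, which is the case the advisory's guidance is meant to surface.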

It is important to implement network segmentation as this will help to limit lateral movement within compromised networks and subnetworks if the perimeter defenses are breached. Regular backups should be performed, and backups should be tested to make sure data recovery is possible. Backups should be stored offline and should not be accessible from the systems where the data resides.

If suspicious activity is detected, affected systems should be isolated from the network, backup data should be secured by taking it offline, and data and artifacts should be collected. In the event of a cyberattack, critical infrastructure entities should consider engaging a third-party cybersecurity firm to assist with response and recovery. Any attack should be reported to the FBI and CISA.

While Russian APT actors have previously concentrated their efforts on attacks on utilities, government, and defense, there is a significant threat of attacks on the healthcare and pharmaceutical sectors as a result of the COVID-19 pandemic. Russian state-sponsored APT actors continue to seek intellectual property related to COVID-19 research, vaccines, treatments, and testing, along with any clinical research data supporting those areas.

The agencies have also issued a reminder that the Department of State is running a Rewards for Justice Program, which provides a reward of up to $10 million for information about foreign actors who are engaging in malicious cyber activities, in particular cyberattacks against U.S. critical infrastructure organizations.

The post Critical Infrastructure Entities Warned About Cyberattacks by State-sponsored Russian APT Actors appeared first on HIPAA Journal.

Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity

The Healthcare Supply Chain Association (HSCA) has issued guidance for healthcare delivery organizations, medical device manufacturers, and service suppliers on securing medical devices to make them more resilient to cyberattacks.

The use of medical devices in healthcare has grown at an incredible rate, and they are now relied upon to provide vital clinical functions that cannot be compromised without diminishing patient care. Medical devices are, however, often vulnerable to cyber threats and could be attacked to harm patients, taken out of service to pressure healthcare providers into meeting attackers’ extortion demands, or accessed remotely to obtain sensitive patient data. Medical devices are often connected to the Internet and can easily be attacked, so it is essential for proactive steps to be taken to improve security.

The HSCA represents healthcare group purchasing organizations (GPOs) and advocates for fair procurement practices and education to improve the efficiency of purchases of healthcare goods and services and, as such, has a unique line of sight over the entire healthcare supply chain. The HSCA guidance is for the entire supply chain and explains some of the key considerations for medical device manufacturers, HDOs, and service providers to improve cybersecurity and address weaknesses before they are exploited by threat actors.

Two of the most important steps to take are to participate in at least one Information Sharing and Analysis Organization (ISAO), such as the Health Information Sharing and Analysis Center (H-ISAC), and to adopt an IT security risk assessment methodology, such as the NIST Cybersecurity Framework (CSF).

An ISAO is a community that actively collaborates to identify and disseminate actionable threat intelligence about the latest cybersecurity threats that allows members to take proactive steps to reduce risk. The NIST CSF and other cybersecurity frameworks help organizations establish and improve their cybersecurity program, prioritize activities, understand their current security status, and identify security gaps that need to be addressed.

HSCA also recommends appointing an information technology and/or network security officer who has overall responsibility for the security of the organization, can communicate risks to decision makers, and oversees the organization’s security efforts.

Cybersecurity training for the workforce is vital. All employees must be made aware of the threats they are likely to encounter and should be taught best practices to follow to reduce risk. Training should be provided annually, and phishing simulations conducted regularly to reinforce training. Any employee who fails a simulation should be provided with further training.

Good patch management practices are essential for addressing known vulnerabilities before they can be exploited, anti-virus software should be deployed on all endpoints and be kept up to date, firewalls should be implemented at the network perimeter and internally, least-privilege access should be applied to system resources, and networks should be segmented to prevent lateral movement in the event of a breach. Password policies should also be implemented that are consistent with the latest NIST guidance.

To prevent the interception of sensitive data, all data in transit should be encrypted. Backup and data restoration procedures should be implemented and regularly tested to ensure recovery is possible in the event of a cyberattack, and the life expectancy of all devices and software solutions, including all supporting components, should be specified in all purchase agreements. Plans should then be made to upgrade equipment and software prior to reaching end-of-life.

In addition to these standard cybersecurity best practices, HSCA has provided specific considerations for HDOs, device manufacturers, and service providers in the guidance – Medical Device and Service Cybersecurity: Key Considerations for Manufacturers & Healthcare Delivery Organizations – which is available for download from the HSCA website.

The post Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity appeared first on HIPAA Journal.