Healthcare Cybersecurity

NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has recently released the final version of the NIST Cybersecurity Practice Guide SP 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders.

Public safety and first responder (PSFR) personnel require on-demand access to public safety data in order to provide proper support and emergency care. In order to access the necessary data, PSFR personnel are heavily reliant on mobile platforms. Through these platforms, PSFR personnel can access the personal and protected health information of patients and sensitive law enforcement information; however, in order to keep sensitive information secure and to prevent unauthorized access, strong authentication mechanisms are required.

Those authentication mechanisms are needed to keep data secure and to protect privacy, but they have potential to hinder PSFR personnel and get in the way of them providing emergency services. While authentication may only take a matter of seconds, any delay in providing emergency services can have grave consequences and may even be a matter of life and death.

The Cybersecurity Practice Guide was developed in collaboration with NIST's Public Safety Communications Research lab and industry stakeholders. It aims to resolve these authentication issues so that sensitive data remains private and confidential while PSFR personnel can rapidly gain access to the data they need via mobile devices and associated applications.

The guide includes a detailed example solution with capabilities to address risk with appropriate security controls, along with a demonstration of the approach using commercially available products. Instructions are also included for implementers and security engineers to help them integrate the solution into their organization’s enterprise and configure it in a way to achieve security goals with minimal impact on operational efficiency and expense.

“This practice guide describes a reference design for multifactor authentication and mobile single sign-on for native and web applications while improving interoperability among mobile platforms, applications, and identity providers, regardless of the application development platform used in their construction,” explained NCCoE.

The NIST Cybersecurity Practice Guide can be found on this link.
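The reference design in SP 1800-13 builds on the OAuth 2.0 authorization code flow for native apps with Proof Key for Code Exchange (PKCE, RFC 7636), which lets a mobile app obtain tokens from an identity provider without embedding a client secret. The following Python is an added example written for this page, not code from the NCCoE build or the guide. It shows both halves of the PKCE check, the client-side verifier and challenge generation and the identity provider's verification at the token endpoint, and checks itself against the RFC 7636 Appendix B test vector. The function names and the simulated flow are ours.

```python
import base64
import hashlib
import secrets

# Added example for this page; not code from NIST SP 1800-13 or the NCCoE build.
# Implements the S256 method of PKCE (RFC 7636) as used by native mobile apps.


def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a fresh high-entropy secret kept only in app memory.
    32 random bytes encode to 43 characters, the minimum RFC 7636 length."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: the S256 challenge sent with the authorization request.
    Only the challenge passes through the system browser and redirect;
    the verifier itself never leaves the app."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Identity provider side: at the token endpoint, recompute the challenge
    from the verifier presented with the authorization code and compare it
    in constant time with the challenge recorded when the code was issued."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier)
    return secrets.compare_digest(expected, stored_challenge)


def simulate_flow() -> dict:
    """Walk through one authorization: the app that generated the verifier
    can redeem its code, while a party that holds the code and challenge
    but not the verifier cannot."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # The identity provider stores the challenge next to the one-time code.
    issued = {"code": secrets.token_urlsafe(16), "challenge": challenge}
    return {
        "legitimate_app": verify_pkce(issued["challenge"], verifier),
        "code_holder_without_verifier": verify_pkce(
            issued["challenge"], make_code_verifier()
        ),
    }


# RFC 7636 Appendix B test vector (published values, not constructed here).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    print("RFC vector ok:", make_code_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE)
    print(simulate_flow())
```

The point to take from the flow is the one the guide's design relies on: the authorization code alone is not enough to obtain tokens, because redeeming it requires the verifier that only the requesting app holds, and the provider's check is a hash comparison rather than a shared secret lookup.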

The post NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders appeared first on HIPAA Journal.

CISA Updates List of Cybersecurity Bad Practices to Eradicate

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its list of cybersecurity bad practices that must be eradicated.

Cyber threat actors often conduct highly sophisticated attacks to gain access to internal networks and sensitive data, but oftentimes sophisticated tactics, techniques and procedures are not required. The Bad Practices Catalog was created in July 2021 to raise awareness of some of the most egregious errors that are made in cybersecurity that leave the door wide open to hackers.

There have been many lists published on cybersecurity best practices to follow, and while it is vital that those practices are followed, it is critical that these bad practices are eradicated, especially at organizations that support critical infrastructure or national critical functions (NCFs). These bad practices significantly increase risk to the critical infrastructure relied upon for national security, economic stability, and life, health, and safety of the public.

When the Bad Practices Catalog was first published, two entries were added. First on the list is the continued use of software that has reached end-of-life and is no longer supported by the software developer. Without support, patches are no longer issued to correct vulnerabilities, which can be easily exploited by cyber actors to gain access to internal networks.

Second, and equally egregious, is the failure to change default credentials and passwords that are known to have been compromised in data breaches or have otherwise been disclosed.

The latest addition is the use of single factor authentication for remote or administrative access to systems. Single factor authentication is the use of a username and password to secure an account. While this provides a degree of security, it is not sufficient to resist the brute force tactics of hackers. Any Internet-facing system must be protected with multi-factor authentication, which requires an additional authentication factor to be provided in addition to a password before access to the account or system is granted.

One study conducted by Google, in conjunction with the University of California San Diego and New York University, showed multi-factor authentication is effective at blocking 100% of automated bot attacks, 99% of bulk phishing attacks, and 66% of targeted attacks, while Microsoft Director of Identity Security Alex Weinert explained in a July 2019 blog post that multi-factor authentication will block 99.9% of attacks on accounts.

CISA considers these practices to be exceptionally risky, especially when they apply to software and technologies that are accessible over the Internet. While it is common knowledge that these practices are dangerous, they are still highly prevalent and commonly allow hackers to gain access to internal networks to steal sensitive data and conduct ransomware attacks.

The post CISA Updates List of Cybersecurity Bad Practices to Eradicate appeared first on HIPAA Journal.

FBI & CISA Warn of Increased Risk of Ransomware Attacks over Labor Day Weekend

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning to all public and private sector organizations about the increased risk of ransomware attacks at times when offices are normally closed, such as long holiday weekends.

While many employees will be having a long weekend due to Labor Day, this is a time when threat actors are usually highly active. The low staff numbers during holidays and weekends make it less likely that their attacks will be detected and blocked. CISA and the FBI explained in the warning that they have observed an increase in "highly impactful ransomware attacks occurring on holidays and weekends," and provided multiple examples of threat actors conducting attacks over holiday weekends in the United States in 2021.

Most recently, the Sodinokibi/REvil ransomware actors conducted an attack on the Kaseya remote monitoring and management tool over the Fourth of July 2021 holiday weekend. The attack affected hundreds of organizations including many managed service providers and their downstream customers.

In May 2021, during the Memorial Day weekend, the same threat actors conducted a ransomware attack on JBS Foods, which affected the company’s food production facilities in the United States, causing all production to stop. JBS Foods paid the $11 million ransom for the keys to decrypt files and prevent the release of data stolen in the attack.

Prior to that, over the Mother’s Day weekend in May, the DarkSide ransomware gang conducted its attack on Colonial Pipeline, which resulted in the fuel pipeline serving the Eastern Seaboard being shut down for a week. Colonial Pipeline paid a $4.4 million ransom payment to accelerate recovery from the attack.

The ransomware threat actors behind the cyberattacks on Kaseya, Colonial Pipeline, and JBS Foods have shut down their operations, but threat actors rarely remain inactive for long. It is common for them to re-emerge with a new ransomware operation after a period of apparent dormancy. There are also many other ransomware threat actors that are currently highly active and may try to take advantage of the absence of key staff over the holiday weekend.

The ransomware actors behind the Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos ransomware variants have all been active over the course of the past month and attacks involving those ransomware variants have frequently been reported to the FBI over the past 4 weeks.

While neither CISA nor the FBI have discovered any specific threat intelligence to indicate a ransomware or other cyberattack will occur over the Labor Day weekend, based on the attack trends so far this year, there is an increased risk of a major cyberattack occurring.

Consequently, the FBI and CISA are advising security teams to be especially vigilant in the run up to the Labor Day weekend, and to ensure that they are diligent in their network defense practices, engage in preemptive threat hunting on their networks, follow recommended cybersecurity and ransomware best practices, and implement the recommended mitigations to reduce the risk of ransomware and other cyberattacks.

Those mitigations include:

  • Make offline backups of data and test them to ensure data recovery is possible
  • Do not click suspicious links in emails
  • Secure and monitor RDP connections
  • Update operating systems and software, and scan for vulnerabilities
  • Ensure strong passwords are set
  • Ensure multi-factor authentication is implemented
  • Secure networks by implementing segmentation, filtering traffic, and scanning ports
  • Secure user accounts
  • Ensure an incident response plan is developed
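One way to act on the "secure and monitor RDP connections" and "preemptive threat hunting" items, as an added example that is not part of the CISA/FBI alert: a small detector run over constructed log records shaped like Windows Security logon events (4625 failed, 4624 succeeded, logon type 10 for RDP). It flags a source address that fails repeatedly within a short window and then records whether a successful RDP logon from the same address followed, which is the trace a password-guessing campaign that eventually worked leaves behind. The record format, thresholds, account names and addresses (TEST-NET ranges) are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Added example for this page; not part of the CISA/FBI alert.
# Constructed sample records: "timestamp,event_id,logon_type,account,source_ip",
# loosely modelled on Windows Security events 4625 (failed logon) and 4624
# (successful logon); logon type 10 is RemoteInteractive, i.e. RDP.
SAMPLE_LOG = """\
2021-09-04T02:10:01Z,4625,10,administrator,203.0.113.7
2021-09-04T02:10:04Z,4625,10,admin,203.0.113.7
2021-09-04T02:10:09Z,4625,10,backup,203.0.113.7
2021-09-04T02:10:15Z,4625,10,jsmith,203.0.113.7
2021-09-04T02:10:22Z,4625,10,jsmith,203.0.113.7
2021-09-04T02:10:30Z,4625,10,jsmith,203.0.113.7
2021-09-04T02:10:41Z,4624,10,jsmith,203.0.113.7
2021-09-04T02:12:00Z,4625,10,mjones,198.51.100.9
2021-09-04T02:14:30Z,4625,10,mjones,198.51.100.9
2021-09-04T02:15:00Z,4624,10,mjones,198.51.100.9
2021-09-04T02:20:00Z,4624,3,svc-backup,192.0.2.5
"""


def parse_events(text: str):
    """Yield one dict per record; skips blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src_ip = line.split(",")
        yield {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src_ip": src_ip,
        }


def detect_rdp_bruteforce(text: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag a source IP with >= threshold failed RDP logons inside `window`,
    and note any later successful RDP logon from that IP.

    Returns {src_ip: {"failures", "accounts", "first_failure", "flagged_at",
    "success_after", "success_account"}} for flagged addresses only."""
    recent = defaultdict(deque)          # src_ip -> failure timestamps in window
    total_failures = defaultdict(int)
    tried_accounts = defaultdict(set)
    alerts = {}
    for ev in parse_events(text):
        if ev["logon_type"] != 10:       # only RDP logons are of interest here
            continue
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            total_failures[ip] += 1
            tried_accounts[ip].add(ev["account"])
            q = recent[ip]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_failure": q[0], "flagged_at": ev["ts"],
                              "success_after": None, "success_account": None}
        elif ev["event_id"] == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = ev["ts"]
            alerts[ip]["success_account"] = ev["account"]
    for ip, alert in alerts.items():
        alert["failures"] = total_failures[ip]
        alert["accounts"] = sorted(tried_accounts[ip])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

With the defaults only 203.0.113.7 is flagged: six failures across four accounts inside a minute, followed by a success as jsmith, which is the record a responder would want to see first. The two failures from 198.51.100.9 stay below the threshold, and the type 3 network logon from 192.0.2.5 is ignored because it is not RDP. The threshold and window are tuning knobs; lowering them trades missed slow-and-low attempts for more noise from users mistyping passwords.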

Recommended best practices, mitigations, and resources are detailed in the alert, which can be found on this link.

The post FBI & CISA Warn of Increased Risk of Ransomware Attacks over Labor Day Weekend appeared first on HIPAA Journal.

Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals

A new analysis of breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights has revealed outpatient facilities and specialty clinics have been targeted by cyber threat actors more frequently than hospital systems in the first 6 months of 2021.

Researchers at Critical Insight explained in their 2021 Healthcare Data Breach Report that cybercriminals have changed their targets within the healthcare ecosystem and are now focusing on outpatient facilities and business associates more often than hospitals and health insurers.

While large health systems are naturally attractive targets for cybercriminals, smaller healthcare organizations tend to have weaker security defenses, can be attacked more easily, and are low-hanging fruit for hackers. The potential profits from the attacks may be lower, but so too is the effort required to gain access to their networks and sensitive data.

“It is no secret as to why hackers are showing interest. Electronic protected health information (ePHI) is worth more than a credit card number or social security number. Scammers can monetize it in a myriad of ways, from selling it on the dark web to filing fraudulent insurance claims,” explained the researchers in the report. “It does not help that many health organizations use devices that run on operating systems that are out-of-date, and many devices were not designed with cybersecurity in mind.”

The researchers confirmed healthcare data breaches are now occurring at almost twice the level of 2018, with data breaches attributed to hacking and IT incidents occurring at almost three times the level of the first half of 2018. In the first half of 2021, 70% of all healthcare data breaches of 500 or more records that were reported to the HHS’ Office for Civil Rights were hacking/IT incidents.

There has been a slight decline in the number of reported data breaches from the last 6 months of 2020, but that does not indicate cyberattacks are falling: the breach reports submitted to the HHS' Office for Civil Rights in the last half of 2020 included many notices from organizations affected by the data breach at business associate Blackbaud. The number of reported breaches in the first half of 2021 is higher than in the first 6 months of last year, and the trend of increasing numbers of data breaches being reported every year looks set to continue.

There has been a major increase in the number of cyberattacks on business associates of HIPAA covered entities, which now account for 43% of all reported healthcare data breaches. In the first 6 months of 2021, there were 141 data breaches reported by business associates of HIPAA-covered entities. By comparison, there were only 66 data breaches reported by business associates in the last 6 months of 2019. “As these and other third-party breaches continue to make the news, it demonstrates that attackers are paying more attention to this ecosystem of vendors as a vulnerable link in the cybersecurity chain,” explained the researchers.

Cybercriminals are unlikely to stop attacking healthcare organizations while the attacks remain profitable. It is up to healthcare organizations and their business associates to improve their defenses against cyber actors. The Critical Insight researchers have made several recommendations, including assessing third-party risk more accurately, regularly reviewing business associate agreements and ensuring they clearly define roles and responsibilities, implementing more comprehensive protections against ransomware and phishing attacks, strengthening access controls, and practicing basic security hygiene.

The post Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals appeared first on HIPAA Journal.

Researchers Identify Easily Exploitable Vulnerabilities in Drug Infusion Pumps

Researchers at McAfee Advanced Threat Research (ATR), in conjunction with the medical device cybersecurity firm Culinda, have identified 5 previously unreported vulnerabilities in two widely used models of B. Braun drug infusion pumps.

The devices are used globally in hospitals to treat adult and pediatric patients and automate the delivery of medications and nutrients to patients. They are especially useful for ensuring controlled delivery of critical medication doses.

The flaws in the B. Braun infusion pumps could be exploited by an unauthenticated attacker to change the configuration of the infusion pumps while they are in standby mode, which could result in an unexpected dose of medication being delivered the next time the device is used, potentially causing harm to a patient.

McAfee alerted B. Braun to the vulnerabilities in the B. Braun Infusomat Space Large Volume Pump and the B. Braun SpaceStation on January 11, 2021, and recommended safeguards that should be implemented to prevent the flaws from being exploited. In May 2021, B. Braun published information for customers and notified the Health Information Sharing & Analysis Center (H-ISAC) about the flaws and recommended mitigations. The flaws affect infusion pumps running older versions of B. Braun software; however, the researchers explained that "vulnerable versions of software are still widely deployed across medical facilities and remain at risk of exploitation."

Safeguards have been incorporated into the infusion pumps to prevent attackers from changing doses while the pumps are operational, so it would not be possible for an attacker to change doses as they are being administered. The vulnerabilities can however be exploited while the pumps are idle or on standby, so changes could be made to the function of the devices between infusions.

There have been no reported cases of the vulnerabilities in these or other drug infusion pumps being exploited in the wild, but this is a credible attack scenario and one that could easily be exploited to cause harm to patients. The latest version of B.Braun software blocks the initial network vector of the attack chain, but the flaws have not been totally addressed. An attacker could find another way to gain access to the network to which the devices connect and exploit the flaws. Given the number of ransomware attacks that have been reported in recent months, gaining access to healthcare networks is not proving to be a major challenge for many threat actors.

“Until a comprehensive suite of patches is produced and effectively adopted by B. Braun customers, we recommend medical facilities actively monitor these threats with special attention, and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in their coordinated vulnerability disclosure documentation,” suggested the researchers.

The researchers believe that many other medical devices could have vulnerabilities that could be exploited to cause harm to patients. Medical devices are designed primarily to ensure patient safety, and safeguards are implemented to ensure patient safety is not put at risk; however, it is common for cybersecurity protections to be given less consideration during the design stage. Further, when security flaws are discovered in medical devices, patching is costly. The devices are tightly controlled, so it is not just a case of releasing a patch or automatically updating the devices as would occur with an Internet browser, for instance. Patches need to be thoroughly tested, and the devices must be taken out of service while updates are applied. It is for this reason that many devices still run legacy versions of software and firmware.

"For the time being, ransomware attacks are a more likely threat in the medical sector, but eventually these networks will be hardened against this type of attack and malicious actors will look for other lower-hanging fruit," explained the researchers. "Given the lifespan of medical devices and the difficulties surrounding their updates, it is important to start planning now for tomorrow's threats. We hope this research will help bring awareness to an area that has been a blind spot for far too long."

The post Researchers Identify Easily Exploitable Vulnerabilities in Drug Infusion Pumps appeared first on HIPAA Journal.

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day.

[Chart: healthcare data breaches over the past 12 months (August 2020 to July 2021)]

The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records.

[Chart: healthcare records breached, August 2020 to July 2021]

Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month!

Largest Healthcare Data Breaches in July 2021

Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the Wisconsin healthcare provider Forefront Dermatology. The exact nature of the attack was not disclosed so it is unclear if ransomware was used. Hackers gained access to parts of its network that contained the protected health information of 2.4 million individuals. The second largest data breach was reported by Practicefirst, a New York business associate of multiple HIPAA-covered entities. Ransomware was used in the attack and the healthcare data of 1.2 million individuals was potentially exfiltrated.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Breach Cause | Business Associate Present
---|---|---|---|---|---
Forefront Dermatology, S.C. | Healthcare Provider | 2,413,553 | Hacking/IT Incident | Unspecified hacking incident | Yes
Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions/PBS Medcode Corp | Business Associate | 1,210,688 | Hacking/IT Incident | Ransomware attack | Yes
UF Health Central Florida | Healthcare Provider | 700,981 | Hacking/IT Incident | Ransomware attack | No
Orlando Family Physicians, LLC | Healthcare Provider | 447,426 | Hacking/IT Incident | Phishing attack | No
HealthReach Community Health Centers | Healthcare Provider | 122,340 | Improper Disposal | Improper disposal of electronic medical records | No
Guidehouse | Business Associate | 84,220 | Hacking/IT Incident | Ransomware attack (Accellion FTA) | Yes
Advocate Aurora Health | Healthcare Provider | 68,707 | Hacking/IT Incident | Ransomware attack (Elekta) | Yes
McLaren Health Care Corporation | Healthcare Provider | 64,600 | Hacking/IT Incident | Ransomware attack (Elekta) | Yes
Coastal Family Health Center, Inc | Healthcare Provider | 62,342 | Hacking/IT Incident | Ransomware attack | No
Florida Heart Associates | Healthcare Provider | 45,148 | Hacking/IT Incident | Ransomware attack | No
A2Z Diagnostics, LLC | Healthcare Provider | 35,587 | Hacking/IT Incident | Phishing attack | No
University of Maryland, Baltimore | Business Associate | 30,468 | Hacking/IT Incident | Unspecified hacking incident | Yes
Florida Blue | Health Plan | 30,063 | Hacking/IT Incident | Brute force attack (Member portal) | No
Intermountain Healthcare | Healthcare Provider | 28,628 | Hacking/IT Incident | Ransomware attack (Elekta) | Yes

Causes of July 2021 Healthcare Data Breaches

As the table above shows, ransomware continues to be extensively used in cyberattacks on healthcare organizations and their business associates. Those attacks can easily result in the theft of large amounts of healthcare data. The majority of ransomware gangs (and their RaaS affiliates) are now exfiltrating sensitive data prior to using ransomware to encrypt files. Victims are required to pay to prevent the publication or sale of the stolen data as well as a payment to obtain the keys to decrypt files.

To help combat this rise in double extortion ransomware attacks, new guidance has been released by the Cybersecurity and Infrastructure Security Agency. The National Institute of Standards and Technology (NIST) has also updated its cybersecurity guidance on building resilient computer networks, with the emphasis now shifting away from perimeter defenses to assuming attackers have already gained access to the network. Mechanisms therefore need to be implemented to reduce the harm that can be caused.

[Chart: causes of July 2021 healthcare data breaches]

Hacking/IT incidents, many of which involved ransomware, dominate the month's breach reports. There were 52 reported hacking/IT incidents in which the protected health information of 5,393,331 individuals was potentially compromised. That's 96.82% of all records breached in July. The mean breach size was 103,718 records and the median breach size was 4,185 records.

There were 13 reported unauthorized access/disclosure incidents, which include misdirected emails, mailing errors, and snooping by healthcare employees. 52,676 healthcare records were impermissibly viewed or disclosed to unauthorized individuals across those incidents. The mean breach size was 4,052 records and the median breach size was 1,038 records. There were two theft incidents reported involving a total of 2,275 records and one improper disposal incident involving 122,340 electronic health records.

The vast majority of incidents involved the hacking of network servers; however, email accounts continue to be compromised at high rates. 21 breaches involved protected health information stored in email accounts. The majority of the email incidents involved the theft of employee credentials in phishing attacks.

[Chart: location of breached protected health information, July 2021]

Data Breaches by Covered Entity Type

Healthcare providers reported 47 data breaches in July, with 11 breaches reported by business associates and 10 breaches reported by health plans; however, the reporting entity is not the best gauge of where these breaches occurred. In many cases, the breach was experienced at a business associate, but was reported by the covered entity.

When this is taken into account, the figures show that healthcare provider and business associate data breaches are on a par, with 30 breaches each for July 2021, as shown in the pie chart below.

[Chart: July 2021 healthcare data breaches by covered entity type]

July 2021 Healthcare Data Breaches by State

July saw healthcare data breaches reported by HIPAA-covered entities and business associates based in 32 states and the District of Columbia.

State | Number of Reported Healthcare Data Breaches
---|---
Florida | 6
California, New York & Texas | 5
Illinois & North Carolina | 4
Connecticut, Minnesota, Nebraska & New Jersey | 3
Mississippi, Oklahoma, Washington & Wisconsin | 2
Alabama, Georgia, Iowa, Indiana, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Montana, Ohio, Pennsylvania, South Carolina, Utah, Virginia, West Virginia & the District of Columbia | 1

HIPAA Enforcement Activity in July 2021

The HHS’ Office for Civil Rights (OCR), the primary enforcer of HIPAA compliance, did not announce any new enforcement actions against HIPAA-covered entities or business associates in July, nor were there any enforcement actions announced by state Attorneys General.

The OCR year-to-date total still stands at 8 financial penalties totaling $5,570,100, and there has been just one financial penalty imposed by state attorneys general: a multi-state action that saw American Medical Collection Agency (AMCA) fined $21 million.

Data for this report came from the HHS’ Office for Civil Rights breach portal.

The post July 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

CISA Publishes Guidance on Protecting Sensitive Data and Responding to Double-Extortion Ransomware Attacks

Ransomware attacks dramatically increased in 2020 and cyberattacks using the file-encrypting malware are showing no sign of abating. Attacks have continued to increase this year, to the point where there were almost half as many attempted ransomware attacks in Q2 2021 as in all of 2019.

Most threat actors conducting ransomware attacks are now using double extortion tactics, where ransoms must be paid not only to obtain the keys to decrypt files but also to prevent the publication of data stolen in the attacks. The theft of data prior to file encryption has helped ransomware gangs demand huge ransom payments, and the threat of leaking data has greatly increased the probability of the ransom being paid. Many victims end up paying the ransom to prevent data leakage, even though they have valid backups that would allow them to restore the encrypted data for free.

To help public and private sector organizations deal with the threat of these double-extortion ransomware attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance, which includes best practices for preventing cyber threat actors from gaining access to networks, steps that can be taken to ensure sensitive data are protected, and procedures that should be followed when responding to a ransomware attack.

“Ransomware is a serious and increasing threat to all government and private sector organizations, including critical infrastructure organizations,” explained CISA in the guidance. “All organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems.”

There are several measures outlined in the document that are important not only for preventing ransomware attacks but also for limiting their severity. It is essential to maintain offline, encrypted backups of data and to regularly test the backups to make sure file recovery is actually possible. It is also vital that a basic cyber incident response plan, resiliency plan, and associated communications plan are created and maintained, and that exercises are conducted to ensure that a rapid response to an attack is possible. To block attacks, steps must be taken to address the key attack vectors, which are phishing, RDP compromises, and the exploitation of internet-facing vulnerabilities and misconfigurations. Naturally, all organizations should also ensure good cyber hygiene practices are followed.

In order to protect sensitive data, organizations must know where sensitive data reside and who has access to those data repositories. It is also important to ensure that sensitive data are only retained for as long as is strictly necessary. Physical and cybersecurity best practices must be implemented, including restricting access to physical IT assets, encrypting sensitive data at rest and in transit, and implementing firewalls and network segmentation to hamper attempts at lateral movement within networks. CISA also recommends ensuring the cyber incident response and communications plans include response and notification procedures for data breach incidents.

A rapid and effective response to a ransomware attack is critical for limiting the harm caused and keeping costs down. The cyber incident response plan should detail all the steps that need to be taken, and the order in which they should be taken. The first step is determining which systems have been impacted and immediately isolating them to secure network operations and stop additional data loss. The next step should only be taken if affected devices cannot be removed from the network or the network cannot be temporarily shut down, and that is to power down infected devices to avoid further spread of the ransomware infection.

Then, triage impacted systems for restoration and recovery, confer with the security team to develop and document an initial understanding of what has occurred, then engage internal and external teams and stakeholders and provide instructions on how they can assist with the response and recovery processes. Organizations should then follow the notification requirements outlined in their cyber incident response plan.

The guidance document – Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches – can be found at this link.

The post CISA Publishes Guidance on Protecting Sensitive Data and Responding to Double-Extortion Ransomware Attacks appeared first on HIPAA Journal.

Mid-Year Threat Report Shows Massive Increase in Ransomware Attacks

Last month, SonicWall published a mid-year update of its Cyber Threat Report which confirmed there has been a major increase in cyberattacks since 2020. In the first 6 months of 2021, cryptojacking attacks increased by 23%, encrypted threats rose by 26%, IoT attacks rose by 59%, and there was a 151% increase in ransomware attacks compared to the corresponding period last year.

Ransomware attacks have been steadily increasing since Q1 2020, but the rate of increase jumped considerably between Q1 and Q2 2021, rising to a Q2 total of 188.9 million attempted attacks: an increase of 63.1% from the previous quarter. In June alone there were 78.4 million attempted ransomware attacks, which is more than the total number of attacks in the second quarter of 2020 and almost half of the total number of attempted ransomware attacks in all of 2019. In total, there were 304.7 million attempted ransomware attacks in the first half of 2021.

“Even if we don’t record a single ransomware attempt in the entire second half (which is irrationally optimistic), 2021 will already go down as the worst year for ransomware SonicWall has ever recorded,” said SonicWall in the report.

Most ransomware attacks target the United States, which accounts for around 73% of all ransomware attempts, but ransomware attacks have been increasing globally. In the first half of 2021, attacks in North America increased by 180% and there was a 234% increase in ransomware volume in Europe. The United States saw a 185% increase and there was a 144% increase in attacks on UK organizations.

Within the United States, certain states have been extensively attacked. Florida was by far the worst affected state, registering 111 million ransomware hits, which is more than the next nine most attacked states combined. There were 26 million attempted attacks in New York, 20 million in Idaho, and 8.8 million in Louisiana.

The most targeted industry – by some margin – is government. In 2021, attacks increased to three times the highest point in 2020 and, in June, government customers were hit at around ten times the average rate. The education sector has also been extensively targeted, although attacks on healthcare customers have remained fairly constant throughout the first half of the year.

The biggest ransomware threat in 2021 has been Ryuk ransomware, with 93.9 million instances of Ryuk recorded in the first half of the year, which is three times the level in the corresponding period in 2020. Cerber ransomware was also a major threat, with 52.5 million instances recorded in the first half of 2021. The number of Cerber instances increased sharply in April and May, with May seeing more than five times the number of attempted attacks as January. Two thirds of the 2020 total number of SamSam ransomware attempts were recorded in June alone, when there were 15.7 million attack attempts.

SonicWall says there are several factors that have fueled the increase in attacks. One of the main reasons for the rise is that the attacks are extremely profitable for cyber threat actors. Many organizations have paid ransoms to recover files or to prevent the publication of sensitive data stolen in the attacks.

SonicWall says cyber threat actors are also getting better at finding and encrypting backups, making recovery without paying the ransom difficult or impossible. There has also been an increase in data theft prior to the deployment of ransomware, with payments often made to recover data even when valid backups exist to recover files.

It is becoming more common for threat actors to conduct repeat attacks on organizations that have paid the ransom, as there is a good chance that a second ransom will also be paid. Organizations that pay a ransom may also be targeted by other threat groups that have heard that one payment has already been made.

There was some positive news in the report. Malware attacks have declined significantly year over year. SonicWall Capture Labs recorded 2.5 billion malware attempts in the first six months of 2021, which represents a 22% fall from the same period last year. There has also been a decline in the number of malicious PDF and Office files being distributed in spam and phishing emails. The use of malicious Office files declined by 54% in 2021, with malicious PDF files falling by 13%.

The post Mid-Year Threat Report Shows Massive Increase in Ransomware Attacks appeared first on HIPAA Journal.