Healthcare Cybersecurity

Microsoft Warns of Ongoing Attacks by SolarWinds Hackers on Service Providers and Downstream Businesses

The advanced persistent threat (APT) actor Nobelium (aka APT29; Cozy Bear) that was behind the 2020 SolarWinds supply chain attack is targeting cloud service providers (CSPs), managed service providers (MSPs), and other IT service providers, according to a recent alert from Microsoft.

Rather than conducting attacks on many companies and organizations, Nobelium is favoring a compromise-one-to-compromise-many approach. This is possible because service providers are often given administrative access to customers’ networks to allow them to provide IT services. Nobelium is attempting to leverage that privileged access to conduct attacks on downstream businesses and has been conducting attacks since at least May 2021.

Nobelium uses several techniques to compromise the networks of service providers, including phishing and spear phishing attacks, token theft, malware, supply chain attacks, API abuse, and password spraying attacks on accounts using commonly used passwords and passwords that have previously been stolen in data breaches.

Once access to service providers’ networks has been gained, Nobelium moves laterally in cloud environments then leverages the trusted access to conduct attacks on downstream businesses using trusted channels such as externally facing VPNs or the unique software solutions used by service providers to access customers’ networks.

Some of the attacks conducted by Nobelium have been highly sophisticated and involved chaining together artifacts and access from multiple service providers in order to reach their end target, as indicated in the diagram below.

Example of a Nobelium attack leveraging multiple service providers. Source: Microsoft Threat Intelligence Center

Microsoft Threat Intelligence Center (MSTIC) has made several recommendations for service providers and downstream businesses to help with mitigation and remediation.

CSPs and MSPs that rely on elevated privileges to provide services to their customers have been advised to verify and monitor compliance with Microsoft Partner Center security requirements, which include enabling multifactor authentication and enforcing conditional access policies, adopting the Secure Application Model Framework, checking activity logs and monitoring user activities, and removing delegated administrative privileges that are no longer in use.

All downstream businesses that rely on service providers that have administrative access have been advised to review, audit, and minimize access privileges and delegated permissions, including hardening and monitoring all tenant administrator accounts and reviewing service provider permissions access from B2B and local accounts. They should also verify MFA is enabled and conditional access policies are being enforced and regularly review audit logs and configurations.

Microsoft has published detailed information on the tactics, techniques, and procedures (TTPs) of Nobelium in its alerts to help IT security teams block, detect, investigate, and mitigate attacks.

The post Microsoft Warns of Ongoing Attacks by SolarWinds Hackers on Service Providers and Downstream Businesses appeared first on HIPAA Journal.

Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI

A new study has revealed widespread security failures at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are putting sensitive data at risk.

The study, conducted by the data security and insider threat detection platform provider Varonis, involved an analysis of around 3 billion files at 58 healthcare organizations, including healthcare providers, pharmaceutical companies, and biotechnology firms. The aim of the study was to determine whether security controls had been implemented to secure sensitive data and to help organizations better understand their cybersecurity vulnerabilities in the face of increasing threats.

The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be limited to employees who need to view PHI for work purposes. When access is granted, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI should be accessible. Each user must be provided with a unique username that allows access to PHI to be tracked. Passwords are required to authenticate users, with the HIPAA Security Rule requiring HIPAA-regulated entities to implement, “procedures for creating, changing, and safeguarding passwords.”

The Varonis study, the results of which were published in its 2021 Data Risk Report: Healthcare, Pharmaceutical, & Biotech, revealed an average healthcare worker has access to 31,000 sensitive files containing PHI, financial, and proprietary data on their first day of work. Those files were stored on parts of the network that can be accessed by all employees.

On average, 20% of each organization’s files are open to every employee, even though in many cases access was not required to complete work duties. 50% of organizations investigated had more than 1,000 sensitive files open to all employees, and one in four files at small healthcare organizations could be accessed by every employee. There were no restrictions on access to 1 in 10 files that contained PHI or intellectual property.

“We discovered that smaller organizations have a shocking amount of exposed data, including sensitive files, intellectual property, and patient records. On their first day, new employees at small companies have instant access to over 11,000 exposed files, and nearly half of them contain sensitive data,” explained Varonis in the report. “This creates a massive attack surface and increases the risk of noncompliance in the event of a data breach.”

To reduce risk, it is vital to operate under the principle of least privilege. If employees are given broad access to sensitive information, not only does that increase the opportunity for insider data theft, but if their credentials are compromised in a phishing attack, external threat actors will also have easy access to huge volumes of data.

The problem is made worse by poor password practices. 77% of companies studied for the report had 501 or more accounts with passwords set to never expire, and 79% of organizations had more than 1,000 ghost accounts. Ghost accounts are inactive accounts that have not been disabled. These accounts give hackers an easy way to access sensitive data and traverse networks and file structures undetected.
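An added example, not taken from the Varonis report or HIPAA Journal: a small audit over an exported account list that flags the two conditions described above, passwords set to never expire and ghost accounts (enabled but inactive). The CSV column names, the 90-day inactivity threshold, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data). The column names are assumptions;
# map them to whatever your directory or IAM export actually produces.
SAMPLE_EXPORT = """\
username,enabled,last_logon,password_never_expires
alice,true,2021-10-20T08:15:00+00:00,false
bob,true,2021-03-02T17:40:00+00:00,false
svc_backup,true,2021-10-25T02:00:00+00:00,true
carol,false,2020-11-11T09:00:00+00:00,true
dave,true,,false
"""

# Assumption: an enabled account with no logon for 90 days counts as a ghost
# account. Set this to match your own access policy.
INACTIVITY_THRESHOLD = timedelta(days=90)


def parse_bool(value):
    """Interpret common truthy spellings found in CSV exports."""
    return value.strip().lower() in ("true", "1", "yes")


def parse_timestamp(value):
    """Return an aware datetime, or None when no logon was ever recorded."""
    value = value.strip()
    if not value:
        return None
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # treat naive values as UTC
    return ts


def audit_accounts(export_text, now, threshold=INACTIVITY_THRESHOLD):
    """Return usernames of ghost accounts and of non-expiring passwords."""
    findings = {"ghost": [], "never_expires": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if not parse_bool(row["enabled"]):
            continue  # already disabled, so neither finding applies
        last_logon = parse_timestamp(row["last_logon"])
        # An enabled account that never logged on is treated as inactive.
        # Newly provisioned accounts also match, so review before disabling.
        if last_logon is None or now - last_logon > threshold:
            findings["ghost"].append(row["username"])
        if parse_bool(row["password_never_expires"]):
            findings["never_expires"].append(row["username"])
    return findings


if __name__ == "__main__":
    report = audit_accounts(
        SAMPLE_EXPORT, now=datetime(2021, 10, 27, tzinfo=timezone.utc)
    )
    for category, users in report.items():
        print(f"{category}: {', '.join(users) or 'none'}")
```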

According to the Verizon Data Breach Investigations Report, data breaches increased by 58% in 2020 with cyber threat actors actively targeting the healthcare, pharma, and biotech industries to steal sensitive data, intellectual property, and vaccine research data. The healthcare industry has the highest data breach costs which, according to the IBM Security Cost of a Data Breach Report, are $7.13 million per breach. Organizations that fail to restrict access to protected healthcare information can also face heavy financial penalties, which under HIPAA/HITECH are up to $1.5 million per year, per violation category.

“To get in front of increasingly malicious and sophisticated cyberattacks, hospitals, pharmaceutical companies, and biotech’s need to double down on maturing incident response procedures and mitigation efforts,” said Varonis. “Enforcing least privilege, locking down sensitive data, and restricting lateral movement in their environments are the absolute bare minimum precautionary measures that healthcare organizations need to take.”


International Law Enforcement Operation Takes Down REvil Ransomware Gang’s Infrastructure

In July 2021, the notorious REvil (Sodinokibi) ransomware gang appeared to have ceased operations, with both its Tor payment site and data leak blog suddenly going offline. The DarkSide ransomware operation also went quiet, leading many security experts to believe that the operators of the ransomware-as-a-service (RaaS) operations were lying low or that there had been a law enforcement takedown of their infrastructure. Some of the servers used by the REvil gang were brought back online temporarily but were shut down again in mid-October. This temporary resurrection was thought to be an affiliate attempting to continue the operation.

The apparent shutdown of the REvil operation followed two major attacks on the food production company JBS and the software management company Kaseya, with the latter attack affecting around 50 managed service providers and up to 1,500 downstream businesses. Associates of the REvil gang had developed the DarkSide ransomware variant, which was used in the attack on Colonial Pipeline and caused its fuel pipeline to the Eastern seaboard of the United States to be shut down for a week. While ransomware had always posed a threat to critical infrastructure, these attacks made it clear that critical infrastructure was certainly not off-limits for ransomware gangs.

After the attacks, the White House announced more resources would be made available to deal with the ransomware threat, with the attacks elevated to a level similar to terrorism. President Biden met with Russian President Vladimir Putin and urged him to take action against ransomware gangs operating within its borders, and the United States has been working with cybersecurity leaders to discuss other cybersecurity initiatives to mitigate the threat. As part of the ongoing efforts to deal with the ransomware threat, earlier this month President Biden announced the United States would be participating in a meeting with leaders in more than 30 countries to combat ransomware.

REvil Operation Targeted by Law Enforcement

It has now become clear that the shutdown of the REvil operation was the result of an international law enforcement effort, according to a recent Reuters report. Tom Kellermann, VMware’s head of cybersecurity strategy and advisor to the US Secret Service, said, “The FBI, in conjunction with Cyber Command, the Secret Service, and like-minded countries, have truly engaged in significant disruptive actions against these groups.”

REvil emerged in 2019 as an offshoot of the GandCrab ransomware operation and soon became the most prolific ransomware group, accounting for 73% of all ransomware detections in Q2 2021. When it came to taking action against these groups, “REvil was top of the list”, said Kellermann.

In July, before the REvil gang went dark, law enforcement gained access to some of its network infrastructure and servers, with Kellermann confirming law enforcement had prevented attacks on several companies. Mimicking the actions of the REvil gang, law enforcement also compromised its backups. The REvil gang attempted to restore its servers from backups in the belief that they had not been compromised, but the restored infrastructure was under the control of law enforcement.

One of the leaders of the REvil operation, who is known as “0_neday”, recently posted on a cybercrime forum confirming an unnamed party had compromised its servers and claimed, “They were looking for me… Good luck, everyone; I’m off.”

The shutdown almost certainly spells the end of the REvil operation; however, when takedowns occur, it is common for ransomware gangs to simply rebrand and start a new operation. The affiliates that have signed up for RaaS operations often jump ship and sign up with other RaaS operations, so while REvil was a major operator, it does not mean that ransomware attacks will slow. After news of the takedown emerged, members of other ransomware gangs posted online showing solidarity with the REvil operation. One member of the Groove operation called for other ransomware groups to respond to the takedown and increase their attacks on targets in the United States.


Cybersecurity Awareness Month: Put Cybersecurity First

The theme of the fourth week of Cybersecurity Awareness Month is “Cybersecurity First”, with the focus on getting the message across to businesses about the need for cybersecurity measures to address vulnerabilities in products, processes, and people.

Cybersecurity Advice for Companies

One study suggests 64% of companies worldwide have experienced some form of cyberattack and the rate at which attacks are occurring is increasing. It is essential for companies to ensure that cybersecurity measures are incorporated when developing apps, products, or new services and for cybersecurity to be considered at the design stage. Safeguards need to be baked into products from the start. Cybersecurity should not be an afterthought.

Businesses need to have a thorough understanding of their IT environment and what assets need to be protected. An inventory should be created for all assets and the location of all sensitive data should be known. A plan then needs to be developed to protect those assets, which should include overlapping layers of protection using technologies such as firewalls, spam filters, web filters, antivirus software, endpoint detection systems, encryption software, and backup solutions. Patch management is also key. Software and firmware updates should be applied promptly, with priority given to patching the most serious vulnerabilities.

Businesses should adopt a mindset of a cyber breach being inevitable, which means they need to know how they will respond to an attack when it occurs. A business continuity plan should be developed and tested. The plan should include emergency protocols while systems and data are inaccessible, the restoration of systems and data, communication with stakeholders, compliance, and reporting breaches to appropriate authorities. Having an incident response plan in place ensures the business can continue to function in the event of a cyber breach and it will greatly speed up the recovery time and help to keep breach costs to a minimum.

FBI Raises Awareness of the Ransomware Threat

This week, the Federal Bureau of Investigation (FBI) is raising awareness of the threat from ransomware. Ransomware is a type of malware used to encrypt files to ensure they cannot be accessed. A ransom demand is then issued for the keys to decrypt files, although there are no guarantees that file recovery will be possible even if the ransom is paid. It is also now common for sensitive data to be stolen before file encryption, with threats issued to publish or sell the data if the ransom is not paid.

Access to computers and networks is gained by exploiting vulnerabilities, conducting brute force attacks to guess weak passwords, and most commonly, through phishing emails. Links are sent in emails that direct users to websites where they are asked to provide their login credentials or download files containing malware. Oftentimes attachments are included in emails that have macros and other scripts that download malware that provides the attackers with persistent access to devices and networks.

Steps recommended by the FBI to avoid ransomware attacks include keeping software up to date, applying patches promptly, using anti-malware software on all devices, backing up data regularly and storing backups offline, and educating employees about how to identify phishing emails and other threats.

Security awareness training for the workforce is vital. Employees are the last line of defense and they are often targeted by cybercriminals. Employees should receive security awareness training during the onboarding process and should be provided with the tools they need to help them keep their company safe, with training regularly provided throughout employment.

Cybersecurity Advice for Individuals

Individuals are being encouraged to take greater care when using products and services to ensure that cybersecurity best practices are followed. That process needs to start before any purchase is made, with cybersecurity considered before signing up for a new service or buying a new product to ensure the company is legitimate.

When new devices, apps, or services are used, individuals should consider applying measures to secure their accounts and check privacy and security settings. Default passwords should be changed with strong, unique passwords set for all accounts. A password manager should be considered as this will help with the generation of secure passwords for all accounts and will mean users do not have to remember complex passwords. It is also important to set up multi-factor authentication on all accounts to ensure they remain protected if passwords are compromised.


44% of Healthcare Organizations Don’t Have Full Visibility into Access and Permissions Assigned to Users and Third Parties

A recent study conducted by the Ponemon Institute on behalf of cybersecurity firm SecureLink has explored the state of third-party security and critical access management at healthcare organizations.

As with other industry sectors, remote access to internal systems is provided to third parties to allow them to perform essential business functions. Whenever a third party is provided with access, there is a risk that access rights will be abused. Credentials could also potentially be obtained by cyber threat actors and used for malicious purposes. While healthcare organizations are aware that providing access to third parties involves a degree of risk, in healthcare the level of risk is often underestimated.

The healthcare industry is extensively targeted by cyber actors and the industry experiences four times the number of data breaches as other industry sectors and the threat is growing. A recent Bitglass study suggests a 55% increase in healthcare data breaches in the United States during the pandemic.

SecureLink’s study, the results of which were published in the report, A Matter of Life and Death: The State of Critical Access Management in Healthcare, confirmed that many of those breaches involved third-party access to systems. 44% of healthcare and pharmaceutical organizations that responded to the survey said they had suffered at least one cybersecurity incident that was either directly or indirectly caused by a third-party partner.

Vendors and third parties supply many of the components that allow healthcare systems to function, and with so many third-party components, the attack surface is large. Even though the risk of a third-party data breach is high, the survey revealed only 41% of surveyed healthcare companies had a complete inventory of third parties that have been provided with access to their networks.

“Now is a pivotal moment for improving critical access management, which is a vital step in monitoring and securing third-party access. Healthcare providers need to be armed with the information and tools to navigate the state of critical access management, mitigate future cyberattacks, and eliminate vulnerabilities that can threaten HIPAA and HITECH compliance,” said Daniel Fabbri, SecureLink Chief Data Scientist.

There is a clear need to improve critical access management in healthcare and strengthen security. The best place to start is the creation of a complete inventory of third parties with access to the network. SecureLink then recommends reviewing users and vendors based on the three pillars of critical access management: access governance, access controls, and access monitoring.

Access governance is concerned with regular reviews of user access to ensure access rights are appropriate. This process can be delegated to staff members’ managers, as they are in the best position to determine what access is required. The principle of least privilege needs to be applied – individuals and third parties should only be provided with access to the systems and data that are required for them to complete their work duties. Reviews and restrictions are a requirement of HIPAA, which also requires policies and procedures to be implemented to ensure access to patient data is terminated when it is no longer required. The current reality is that users and third parties are often given very broad access rights, which is risky. The survey revealed 44% of healthcare and pharmaceutical organizations do not have full visibility into the level of access and permissions assigned to internal and external users.

Access controls need to be put in place to limit the data and systems that can be accessed by third parties. Individuals have access rights, which are not changed by access controls. Instead, access controls are concerned with giving organizations greater control over the abilities of users and third parties to use (or abuse) their access rights. Access controls should include employing zero-trust network access (ZTNA) solutions, which can help to prevent lateral movement in the event of credentials being compromised.

Access monitoring is vital for security and HIPAA compliance. Organizations need to have visibility into the actions of privileged users and must be able to identify what those users have done or are doing while logged in. All interactions with ePHI must be logged and regularly reviewed to identify suspicious activity, but given the huge number of interactions by users on a daily basis, this can be an overwhelming task. 60% of respondents said they thought managing third-party permissions and remote access to their systems would be overwhelming and a drain on internal resources, even though doing so is vital for reducing risk. The only way to effectively monitor for suspicious activity is through the use of machine learning systems. These systems can sift through all interactions and determine events that have no clinical relevance and flag those instances for manual review. While access monitoring may not prevent a breach, it will ensure unauthorized activity is identified promptly. It is all too common for insider data breaches to go undetected for months before unauthorized access is detected due to poor access monitoring.


Healthcare CISOs Need Federal Assistance to Deal with Increase in Cyber Threats

A recent survey conducted on Chief Information Security Officer (CISO) members of the College of Healthcare Information Management Executives (CHIME) and Association for Executives in Healthcare Information Security (AEHIS) has highlighted the impact cybersecurity incidents have had on the healthcare industry and the need for federal assistance to deal with the threats.

The healthcare industry has long been targeted by cybercriminals, but attacks have increased during the pandemic. 67% of respondents said their organization had experienced a security incident in the past 12 months, with almost half saying they were the victim of a phishing attack. Phishing and business email compromise attacks, malware, ransomware, hacking, and insider threats were the most common security exploits used in cyberattacks on the industry.

Cyberattacks can cause patient safety issues. One recent study indicates mortality rates increase following a ransomware attack, as do medical complications and the length of hospital stays. The survey confirmed the impact on patient safety, with 15% of respondents saying there had been a patient safety issue after a cyberattack and 10% saying they were forced to divert patients to other facilities in the wake of an attack.

The increase in attacks has meant an increase in costs. More than 80% of surveyed CISOs reported an increase in costs associated with cyberattacks in the past year. 20% of respondents said costs had increased by 50% in the past year, with one in 6 saying costs have doubled. Not only have remediation costs increased, but the cost of cyber insurance policies has also risen due to the increased risk of cyberattacks.

Indeed, the situation is likely to get worse as there are several emerging threats of major concern, such as the rise in IoT and other connected devices, an increasingly remote workforce, supply chain threats, API security issues, and risks associated with 3rd party consumer health apps.

Funding for cybersecurity has long been a problem in healthcare, but the increase in costs has made the situation far worse and many CISOs are struggling. “We are overwhelmed with unfunded federal mandates. Our organization is struggling through the pandemic while having mandate after mandate applied. [This is] not sustainable,” said one respondent to the survey.

The survey confirmed healthcare providers need more help dealing with the increased threat of attacks. Congress is considering several new measures to improve defenses against cyberattacks for critical infrastructure, including healthcare, but CHIME and AEHIS say healthcare is often left on the periphery, even though the healthcare industry is one of the most targeted parts of critical infrastructure and one of the most vulnerable.

40% of respondents said they need help in the form of grants or federal assistance to improve cybersecurity, a third said they would benefit from regional extension centers with cyber experts on hand who could come on-site to provide guidance and expertise, and 16.7% said they would benefit from closer relationships with federal authorities such as the FBI and CISA.

52% of respondents said they had signed up with an Information Sharing & Analysis Center (ISAC) or Information Sharing and Analysis Organization (ISAO), but further guidance is needed, as 10% of respondents said they were unsure when it was acceptable to share threat information. When guidance is provided, it needs to be communicated more effectively. For instance, 45% of respondents said they were unaware of 405(d) best practices that had been published by the HHS.

“From this survey it is clear that healthcare providers will need several tools in their arsenal to fight an ever-escalating and complex battle that is being brought directly to their doorstep and threatens their delivery of patient care,” said AEHIS Advisory Board Chair Will Long. “More resources, education, and ongoing support for our sector are needed.”


September 2021 Healthcare Data Breach Report

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months.

Healthcare data breaches August 2020 to September 2021

While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months.

Healthcare records breached over the past 12 months

Largest Healthcare Data Breaches Reported in September 2021

16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records.

The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was reported to the HHS as affecting 500,000 individuals. The cyberattack is believed to have been conducted by a nation-state hacking group.

Two major data breaches were reported by eye care providers: A hacking incident at U.S. Vision Optical resulted in the exposure of the PHI of 180,000 individuals, and a phishing incident at Simon Eye Management gave the attackers access to email accounts containing the PHI of 144,373 individuals. The breaches are not believed to be related, but they are two of a handful of recent incidents affecting eye care providers.

Ransomware continues to be extensively used in attacks on the healthcare industry. 6 of the top 16 attacks in September involved ransomware and potentially saw PHI stolen. Several ransomware gangs have targeted the healthcare sector, with the FIN12 group one of the most active. A recent analysis of FIN12 attacks by Mandiant revealed 20% of the gang’s attacks have been on the healthcare industry, with the attacks accounting for around 20% of all incidents Mandiant responds to.

Hackers have been targeting the healthcare industry, but data breaches can also be caused by insiders with privileged access to PHI. One notable ‘insider’ breach was reported by Premier Management Company and involved data being accessed by a former employee after termination. The incident highlights the importance of ensuring access to PHI (and IT systems) is blocked immediately when an employee is terminated, leaves the company, or when job functions change that no longer require an employee to have access to PHI.
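An added example, not part of the breach report: detection logic for the failure mode described above, comparing access-log events against HR termination times to surface any activity after an account should have been blocked. The log format, field names, and every record shown are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed HR feed (not real data): username -> termination time, UTC.
TERMINATIONS = {
    "jdoe": "2021-07-02T17:00:00+00:00",
    "mlee": "2021-08-15T12:00:00+00:00",
}

# Constructed access log, one JSON object per line. The schema is an
# assumption; adapt the field names to your EHR or SIEM export.
ACCESS_LOG = """\
{"ts": "2021-07-02T16:45:10+00:00", "user": "jdoe", "resource": "ehr/patient/1001", "result": "allow"}
{"ts": "2021-07-05T22:13:44+00:00", "user": "jdoe", "resource": "ehr/patient/1002", "result": "allow"}
{"ts": "2021-07-06T01:02:03+00:00", "user": "jdoe", "resource": "ehr/patient/1003", "result": "deny"}
{"ts": "2021-08-20T09:30:00+00:00", "user": "asmith", "resource": "ehr/patient/1004", "result": "allow"}
not-json garbage line
{"ts": "2021-08-15T12:00:01+00:00", "user": "MLee", "resource": "billing/export", "result": "allow"}
"""


def find_post_termination_access(log_text, terminations):
    """Return (alerts, skipped_line_count) for events after termination."""
    # Normalise usernames so "MLee" in a log matches "mlee" in the HR feed.
    cutoffs = {
        user.lower(): datetime.fromisoformat(ts)
        for user, ts in terminations.items()
    }
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            user = event["user"].lower()
            ts = datetime.fromisoformat(event["ts"])
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # count unparseable lines instead of hiding them
            continue
        cutoff = cutoffs.get(user)
        if cutoff is None or ts <= cutoff:
            continue  # current employee, or activity before termination
        # A successful access means deprovisioning failed. A denied attempt
        # means the block worked but the former user is still trying.
        severity = "high" if event.get("result") == "allow" else "review"
        alerts.append({
            "user": user,
            "resource": event.get("resource"),
            "severity": severity,
            "delay": ts - cutoff,  # time elapsed since termination
        })
    return alerts, skipped


if __name__ == "__main__":
    found, bad_lines = find_post_termination_access(ACCESS_LOG, TERMINATIONS)
    for alert in found:
        print(f"[{alert['severity']}] {alert['user']} -> {alert['resource']} "
              f"({alert['delay']} after termination)")
    print(f"unparseable lines: {bad_lines}")
```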

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| --- | --- | --- | --- | --- |
| State of Alaska Department of Health & Social Services | AK | Health Plan | 500,000 | Nation-state hacking incident |
| U.S. Vision Optical | NJ | Healthcare Provider | 180,000 | Unspecified hacking incident |
| Simon Eye Management | DE | Healthcare Provider | 144,373 | Email account breach (phishing) |
| Navistar, Inc. Health Plan and the Navistar, Inc. Retiree Health Benefit and Life Insurance Plan | IL | Health Plan | 49,000 | Ransomware attack |
| Talbert House | OH | Healthcare Provider | 45,000 | Unspecified hacking incident (data exfiltration) |
| Premier Management Company | TX | Healthcare Provider | 37,636 | PHI accessed by an employee after termination |
| Central Texas Medical Specialists, PLLC dba Austin Cancer Centers | TX | Healthcare Provider | 36,503 | Malware |
| Orlick & Kasper, M.D.’s, P.A. | FL | Healthcare Provider | 30,000 | Theft of electronic devices containing PHI |
| McAllen Surgical Specialty Center, Ltd. | TX | Healthcare Provider | 29,227 | Ransomware attack |
| Asarco Health, Dental, Vision, Flexible Spending, Non-Union Employee Benefits, and Retiree Medical Plans | AZ | Health Plan | 28,000 | Ransomware attack |
| Horizon House, Inc. | PA | Healthcare Provider | 27,823 | Ransomware attack |
| Rehabilitation Support Services, Inc. | NY | Healthcare Provider | 23,907 | Unspecified hacking incident (data exfiltration) |
| Samaritan Center of Puget Sound | WA | Healthcare Provider | 20,866 | Theft of electronic devices containing PHI |
| Directions for Living | FL | Healthcare Provider | 19,494 | Ransomware attack |
| Buddhist Tzu Chi Medical Foundation | CA | Healthcare Provider | 18,968 | Ransomware attack |
| Eastern Los Angeles Regional Center | CA | Business Associate | 12,921 | Email account breach (phishing) |

Causes of September 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 53.2% of all breaches reported in the month and 91.6% of all breached records. 1,147,383 healthcare records were exposed or stolen in those incidents, with an average breach size of 33,747 records and a median breach size of 2,453 records.

The number of incidents involving the theft of physical records or electronic equipment containing PHI increased month-over-month. September saw 6 theft incidents reported and 60,236 records compromised. The mean breach size was 10,039 records and the median breach size was 3,918 records. 4 of those breaches involved electronic equipment and could have been prevented had encryption been used.

There were 7 data breaches reported that involved unauthorized access or disclosures of data by insiders. 45,639 records were breached across those incidents, 37,636 of which were obtained in a single incident. The average breach size was 6,520 records and the median breach size was 1,738 records.

Causes of September 2021 healthcare data breaches

Given the high number of hacking and ransomware incidents reported, it is no surprise that the most common location of breached PHI is network servers. Email accounts continue to be targeted in phishing attacks, with 13 incidents in September involving PHI stored in email accounts. The number of devices containing PHI that were stolen highlights the importance of using encryption to protect stored data.

Location of PHI in September 2021 healthcare data breaches

September 2021 Data Breaches by HIPAA-Regulated Entity

Healthcare providers were the worst affected covered entity with 30 reported breaches. 10 breaches were reported by health plans, 6 breaches were reported by business associates, and one breach was reported by a healthcare clearinghouse.

5 of those breaches were reported by a HIPAA-covered entity but occurred at a business associate. The adjusted figures are shown in the pie chart below.

September 2021 healthcare data breaches by HIPAA-regulated entity type

September 2021 Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities based in 25 states. Texas was the worst affected state with 6 reported breaches of 500 or more records, followed by California with 5 breaches and Connecticut with 4.

State Breaches
Texas 6
California 5
Connecticut 4
Florida & Washington 3
Arizona, Georgia, Illinois, New York, Ohio, & Pennsylvania 2
Alaska, Delaware, Indiana, Kentucky, Maryland, Minnesota, Missouri, New Jersey, New Mexico, Oregon, Rhode Island, Tennessee, Virginia, & Wisconsin 1

HIPAA Enforcement Activity in September 2021

The Department of Health and Human Services’ Office for Civil Rights now has a new director, and it is currently unclear what direction she will take in the department’s HIPAA enforcement actions.

Since the fall of 2019, OCR has been targeting HIPAA-regulated entities that fail to comply with the HIPAA Right of Access, and September saw the 20th financial penalty imposed under this initiative for the failure to provide individuals with access to their healthcare records.

Children’s Hospital & Medical Center in Omaha, NE, settled its HIPAA Right of Access case with OCR and paid an $80,000 financial penalty. This was the ninth OCR case this year to have resulted in a financial penalty for non-compliance with the HIPAA Rules.

There were no reported enforcement activities by state attorneys general in September.

The post September 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Alert Issued About Ongoing BlackMatter Ransomware Attacks

A joint alert has been issued by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) about ongoing BlackMatter ransomware attacks.

The group has been conducting attacks in the United States since July 2021, which have included attacks on critical infrastructure entities and two organizations in the U.S. Food and Agriculture Sector. Evidence has been obtained that links the gang to the DarkSide ransomware gang that conducted attacks between September 2020 and May 2021, including the attack on Colonial Pipeline, with BlackMatter ransomware potentially a rebrand of the DarkSide operation.

Investigations into the attacks have allowed the agencies to obtain important information about the tactics, techniques, and procedures (TTPs) of the group, and an analysis has been performed on a sample of the ransomware in a sandbox environment.

The group is known to use previously compromised credentials to gain access to victims’ networks, then leverage the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access Active Directory (AD) and discover all hosts on the network. The BlackMatter gang deploys ransomware and remotely encrypts the hosts and shared drives as they are identified. The gang is known to exfiltrate data and typically demands ransom payments of between $80,000 and $15 million in Bitcoin or Monero.

In the joint alert, the NSA, FBI, and CISA shared TTPs, provided Snort signatures that can be used to detect the network activity associated with BlackMatter ransomware attacks, and listed several mitigations to reduce the risk of a compromise by the gang.

Mitigations include:

  • Implementing detection signatures to identify and block attacks in progress
  • Using strong passwords resistant to brute force attacks
  • Implementing multi-factor authentication to block the use of stolen credentials
  • Patching and updating systems promptly
  • Limiting access to resources over networks
  • Implementing network segmentation and traversal monitoring
  • Using admin disabling tools to support identity and privileged access management
  • Implementing and enforcing backup and restoration policies and procedures

The alert, TTPs, and mitigations can be found here.
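To illustrate the traversal monitoring mitigation, the following added example (not code from the joint alert, and not a replacement for its Snort signatures) flags any internal host that queries LDAP and then connects to many distinct hosts over SMB within a short window, the discovery-then-encrypt sequence described above. The flow-record format, the sample addresses, the function names, and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: timestamp, source IP, destination IP, destination port.
# These are illustrative values, not indicators from the joint alert.
SAMPLE_FLOWS = """\
2021-10-18T02:14:01 10.0.5.23 10.0.0.10 389
2021-10-18T02:14:20 10.0.5.23 10.0.1.11 445
2021-10-18T02:14:22 10.0.5.23 10.0.1.12 445
2021-10-18T02:14:25 10.0.5.23 10.0.1.13 445
2021-10-18T02:14:31 10.0.5.23 10.0.1.14 445
2021-10-18T02:14:40 10.0.5.23 10.0.1.15 445
2021-10-18T02:14:52 10.0.5.23 10.0.1.16 445
2021-10-18T09:02:10 10.0.7.40 10.0.0.10 389
2021-10-18T09:02:30 10.0.7.40 10.0.2.5 445
2021-10-18T09:40:00 10.0.7.40 10.0.2.6 445
"""

LDAP_PORTS = {389, 636}  # LDAP and LDAPS
SMB_PORT = 445

def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)

def find_traversal(flows, window=timedelta(minutes=10), min_hosts=5):
    """Return {src: SMB targets} for sources that reach at least min_hosts
    distinct hosts on TCP 445 within `window` of one of their own LDAP queries."""
    ldap_times = defaultdict(list)  # src -> times of LDAP queries
    smb_conns = defaultdict(list)   # src -> (time, dst) of SMB connections
    for ts, src, dst, port in flows:
        if port in LDAP_PORTS:
            ldap_times[src].append(ts)
        elif port == SMB_PORT:
            smb_conns[src].append((ts, dst))
    alerts = {}
    for src, queries in ldap_times.items():
        for start in queries:
            targets = {d for t, d in smb_conns[src] if start <= t <= start + window}
            if len(targets) >= min_hosts:
                alerts[src] = sorted(targets)
                break
    return alerts
```

In production the thresholds need tuning against normal traffic, and hosts that legitimately fan out over SMB, such as backup or patch-management servers, need an allowlist.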


Cybersecurity Awareness Month: Fight the Phish!

According to the Verizon Data Breach Investigations Report, phishing accounted for around 80% of all reported phishing attacks in 2019, and since the pandemic began in 2020, phishing attacks and associated scams have been thriving. In 2020, 74% of US organizations experienced a successful phishing attack.

Phishing attacks typically use emails or malicious websites – or both – to obtain sensitive information such as login credentials or to infect devices with malware and viruses. Phishing attacks involve a lure to get the recipient to take a certain action, such as clicking on a hyperlink in an email or opening a malicious email attachment. Email addresses, sender names, phone numbers, and website URLs are often spoofed to trick people into believing they are interacting with a familiar and trusted source.

The 2021 Cost of Phishing Study conducted by the Ponemon Institute/Proofpoint suggests the cost of phishing attacks has quadrupled over the past 6 years, with large U.S. firms now losing an average of $14.83 million a year to phishing attacks. An average-sized U.S. company employing 9,567 people loses around 63,343 hours every year to phishing attacks, with the cost equating to around $1,500 per employee.

Phishing is the starting point of the costliest cyberattacks. In 2020, more than $1.8 billion was fraudulently obtained in Business Email Compromise (BEC) attacks, with the average cost of a BEC attack now $5.97 million. Phishing is often the starting point of ransomware attacks, which can have mitigation costs of the order of tens of millions of dollars. On average, an attack costs $996,000 to resolve.

Phishing may be the most common way for cybercriminals to gain access to email accounts, networks, and sensitive data, but these attacks can easily be prevented with the right technology and user training.

Organizations need to implement email security gateways/spam filtering solutions for all email accounts. This technical measure alone will prevent the majority of phishing emails from arriving in inboxes. Antivirus software and firewalls should be used to protect all endpoints, including computers, phones, tablets, and Internet of Things devices. These solutions should be regularly updated, ideally automatically.

Multi-factor authentication should be used on all accounts that require passwords to log in. In the event of a password being obtained in a phishing attack, multi-factor authentication will prevent the password from providing access to the user’s account. Microsoft explained in a 2019 blog post that multi-factor authentication blocks more than 99.9% of account compromise attacks.

Employees are the last line of defense in an organization, so it is vital for security awareness training to be provided. Employees need to be taught cybersecurity best practices to eradicate risky behaviors and must learn how to identify and avoid phishing attacks.

Employees should be made aware of the red flags in phishing emails, such as calls to open attachments or click links, unusual wording and formatting, spelling and grammatical errors, threats of negative consequences if rapid action is not taken, and too-good-to-be-true offers. If any red flags are identified, it is vital to verify the source of the email or text message and to make contact with the sender to confirm a request is authentic. Employees should be conditioned to stop and think before taking any action requested in an email or text message and never to respond, open attachments, or click links in messages if there is any doubt about the sender or request.

According to Verizon, “There is some cause for hope in regard to phishing, as click rates from the combined results of multiple security awareness vendors are going down.” In 2012, phishing email click rates were around 25% but by 2019 they had fallen to around 3% as a result of improved awareness of phishing and more extensive end user training.

Given the scale of the threat from phishing, once-a-year security awareness training sessions are no longer sufficient. While annual training may meet the minimum requirement for compliance with HIPAA, it is not sufficient to reduce the risk of a successful attack to a low and acceptable level. Security awareness training for the workforce needs to be an ongoing process, with regular training provided throughout the year accompanied by phishing simulation exercises where the phishing identification skills of employees are put to the test. Through training and phishing simulation exercises, susceptibility to phishing attacks can be greatly reduced.

CISA has produced a tip sheet for Cybersecurity Awareness Month to help individuals fight the phish.
