Healthcare Cybersecurity

3 Medium Severity Vulnerabilities Identified in Philips MRI Solutions

Posted by HIPAA Journal

Three medium severity vulnerabilities have been identified in Philips MRI products which, if exploited, could allow an unauthorized individual to run software, modify the device configuration, view and updates files, and export data, including protected health information, to an untrusted environment.

Aguilar found insufficient access controls which fail to restrict access by unauthorized individuals (CVE-2021-3083), the software assigns an owner who is outside the intended control sphere (CVE-2021-3085), and sensitive data is exposed to individuals who should not be provided with access (CVE-2021-3084). Each of the vulnerabilities has been assigned a CVSS V3 base score of 6.2 out of 10.

The vulnerabilities were identified by Secureworks Adversary Group consultant, Michael Aguilar, and affect Philips MRI 1.5T: Version 5.x.x, and MRI 3T: Version 5.x.x. Aguilar reported the flaws to Philips and a patch has been scheduled for release by October 2022. In the meantime, Philips recommends implementing mitigating measures to prevent the vulnerabilities from being exploited.

The mitigations include only operating the Philips MRI machines within authorized specifications, ensuring physical and logical controls are implemented. Only authorized personnel should be allowed to access the vicinity where the MRI machines are located, and all instructions for using the machines provided by Philips should be followed.

Philips has not received any reports of the vulnerabilities being exploited, nor have there been any reports of incidents from the clinical use of the product in relation to the three vulnerabilities.

The post 3 Medium Severity Vulnerabilities Identified in Philips MRI Solutions appeared first on HIPAA Journal.

Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw

Posted by HIPAA Journal

An advanced persistent threat (APT) actor has been conducting an espionage campaign that has seen the systems of at least 9 organizations compromised. The campaign targeted organizations in a range of critical sectors, including healthcare, energy, defense, technology, and education.

The campaign was identified by security researchers at Palo Alto Networks and while the identity of the hacking group has yet to be confirmed, the researchers believe the attacks were most likely conducted by the Chinese state-sponsored hacking group APT27, aka Iron Tiger, Emissary Panda, TG-3390, and LuckyMouse based on the use of hacking tools and techniques that match previous APT27 activity.

The campaign exploited a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, an enterprise password management and single sign-on solution developed by Zoho. Successful exploitation of the flaw allows remote attackers to execute arbitrary code and take full control of vulnerable systems.

On September 17, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory warning exploits for the flaw were in the public domain and being used by APT actors to install web shells on vulnerable servers to gain persistent access.

Palo Alto Networks said a second campaign was then identified that involved extensive scans for vulnerable servers using leased infrastructure in the United States. Vulnerable systems that had not been patched against the vulnerability started to be attacked from September 22, 2021, with those attacks continuing throughout October.

The attackers deployed a web shell called Godzilla, with a subset of victims also having a new backdoor called NGlite installed. The backdoor or web shell was then used to run commands and move laterally within victims’ environments, with sensitive data exfiltrated from victims’ systems. When the attackers located a domain controller, they installed a new credential-stealing tool dubbed KdcSponge, and harvested credentials and exfiltrated files such as the Active Directory database file (ntds.dit) and the SYSTEM hive from the registry.

Palo Alto Networks said its scans indicate there are currently around 11,000 servers running the Zoho software, although it is unclear how many of them have been patched against the CVE-2021-40539 vulnerability. The researchers said the APT group attempted to compromise at least 370 Zoho ManageEngine servers in the United States alone.

The post Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw appeared first on HIPAA Journal.

FBI: Ransomware Gangs Exploiting Corporate Financial Events to Facilitate Extortion

Posted by HIPAA Journal

Ransomware gangs often use double extortion tactics to encourage victims to pay the ransom. In addition to file encryption, sensitive data are stolen and a threat is issued to sell or publish the data if the ransom is not paid. The Federal Bureau of Investigation (FBI) has recently issued a private industry notification warning of a new extortion tactic, where ransomware gangs target companies and organizations that are involved in significant time-sensitive financial events, steal sensitive financial data, then threaten to publish that information if payment is not made.

Ransomware gangs conduct extensive research on their victims before launching an attack, which includes gathering publicly available data and nonpublic material. The attacks are then timed to coincide with the release of quarterly earnings reports, SEC filings, initial public offerings, and merger and acquisition activity, with the release of information having the potential to significantly affect the victim’s stock value.

“During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands,” explained the FBI. “Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.”

Several ransomware operations are known to steal sensitive data and sift through that information to find potentially damaging material. The REvil and Darkside ransomware gangs have both issued threats to contact stock exchanges such as NASDAQ to advise them about a current ransomware attack and provide damaging information to tank share prices.

“Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information,” said the Darkside ransomware gang in an April 2021 post on their blog site.

The FBI lists some attacks where companies have been targeted that were undergoing mergers or acquisitions. For example, in early 2020, a ransomware actor with the moniker “Unknown” posted on the Russian “Exploit” hacking forum that a good way to force victims to pay the ransom was to reference their presence on the NASDAQ stock exchange and threaten to leak data to NASDAQ to tank share prices. That advice was followed by several threat actors. Between March 2020 and July 2020, at least three publicly traded US companies that were actively involved in mergers and acquisitions were targeted, two of which were undergoing private negotiations.

Threat actors known to deploy the Pyxie Remote Access Trojan (RAT) before using the Defray777 and RansomEXX ransomware variants were searching for information on victims’ current and near-future stock values in the initial phases of the attacks. A November 2020 analysis of the Trojan revealed keyword searches for terms such as 10-q1, 10-sb2, n-csr3, nasdaq, marketwired, and newswire.

To prevent attacks and ensure data recovery is possible without paying a ransom, the FBI recommends regularly backing up data and storing it offline, installing and regularly updating antivirus software, making sure all software is kept up to date, adopting the least privilege approach and network segmentation, only using secure networks for connections, and implementing multi-factor authentication.

The FBI doesn’t recommend paying a ransom as it emboldens adversaries to target additional organizations, encourages other threat actors to conduct ransomware attacks, and there is no guarantee that payment will result in data recovery. However, the FBI understands that businesses faced with an inability to function will likely evaluate all options to protect their shareholders, employees, and customers. Regardless of the decision taken, the FBI encourages all ransomware victims to report attacks to their local FBI field office.

The post FBI: Ransomware Gangs Exploiting Corporate Financial Events to Facilitate Extortion appeared first on HIPAA Journal.

42% of Healthcare Organizations Have Not Developed an Incident Response Plan

Posted by HIPAA Journal

Hacks, ransomware attacks, and other IT security incidents account for the majority of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights, but data breaches involving physical records are also commonplace. According to the Verizon Data Breach Investigations Report, disclosed physical records accounted for 43% of all breaches in 2021, which highlights the need for data security measures to be implemented covering all forms of data.

The healthcare industry is extensively targeted by cybercriminals and cyberattacks increased during the pandemic. There was a 73% increase in healthcare cyberattacks in 2020, with those breaches resulting in the exposure of 12 billion pieces of protected health information, according to the 2021 Data Protection Report recently published by Shred-It.

The report is based on an in-depth survey of C-level executives, small- and medium-sized business owners, and consumers across North America and identifies several areas where organizations could improve their defenses against external and internal threats.

Healthcare data breaches are the costliest of any industry at an average of $9.23 million per incident and data breaches such as ransomware attacks put patient safety at risk. 62% of healthcare organizations said they thought a data breach would be costly, with 54% saying a data breach would have a major impact on their reputation. 56% of surveyed healthcare organizations said they have previously experienced a data breach, and 29% said they had experienced a data breach in the previous 12 months.

Due to the need to comply with HIPAA, healthcare organizations were better equipped than other industries to prevent and deal with security incidents, with 65% of surveyed healthcare organizations saying they have the appropriate information security tools and resources. While the healthcare industry was significantly more likely than any other industry to have an incident response plan, 42% of respondents said an incident response plan had not been implemented, even though having an incident response plan has been shown to shorten the recovery time and reduce the cost of a data breach.

75% of healthcare organizations said information security is a top priority at their organization, and 61% said they have hired a third-party security expert to evaluate their security practices. However, only 64% employ information security policies, less than half (48%) have regular infrastructure auditing, and only a third (33%) perform vulnerability assessments.

The survey revealed 22% of data breaches were the result of errors by employees. The biggest barriers to employees following information security policies and procedures were a lack of understanding of the threats and risks (49%), lack of accessibility or understanding of policies (41%), and a lack of consistent training and security awareness programs (10%).

While the healthcare industry is better prepared than many other industries, the survey shows there is significant room for improvement. Shred-It suggests healthcare organizations should develop a comprehensive plan covering all data, employ a data minimization strategy, take advantage of the cloud, invest in endpoint detection and response technology, develop an incident response plan, and encrypt all data on-premises, in the cloud, and in transit.

The post 42% of Healthcare Organizations Have Not Developed an Incident Response Plan appeared first on HIPAA Journal.

OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has advised HIPAA-covered entities to assess the protections that they have implemented to secure their legacy IT systems and devices.

A legacy system is any system that has one or more components that have been supplanted by newer technology and reached end-of-life. When software and devices reach end-of-life, support comes to an end, and patches are no longer issued to correct known vulnerabilities. That makes legacy systems and devices vulnerable to cyberattacks.

Healthcare organizations should be aware of the date when support will no longer be provided, and a plan should be developed to replace outdated software and devices; however, there are often valid reasons for continuing to use outdated systems and devices.

Legacy systems may work well and be well-tailored to an organization’s business model, so there may be a reluctance to upgrade to new systems that are supported. Upgrading to a newer system may require time, funds, and human resources that are not available, or it may not be possible to replace a legacy system without disrupting critical services, compromising data integrity, or preventing ePHI from being available.

HIPAA-covered entities should ensure that all software, systems, and devices are kept fully patched and up to date, but in healthcare, there are often competing priorities and obligations. If the decision is made to continue using legacy systems and devices, it is essential for security to be considered and for safeguards to be implemented to ensure those systems and devices cannot be hacked. That is especially important if legacy systems and devices can be used to access, store, create, maintain, receive, or transmit electronic protected health information (ePHI).

It is not a violation of the HIPAA Rules to continue using software and devices that have reached the end of life, provided compensating controls are implemented to ensure ePHI is protected. “Despite their common use, the unique security considerations applicable to legacy systems in an organization’s IT environment are often overlooked,” said OCR in its cybersecurity newsletter, which would violate the HIPAA Rules.

In healthcare, there may be many legacy systems and devices in use that need to be protected. Healthcare organizations need to have full visibility into the legacy systems that reside in their organization, as if the IT department is unaware that legacy systems are in use, compensating controls will not be implemented to ensure they are appropriately protected.

It is vital for a comprehensive inventory to be created that includes all legacy systems and devices and for a security risk assessment to be performed on each system and device. “The HIPAA Security Rule requires covered entities and their business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI throughout their environment, including ePHI used by legacy systems,” explained OCR in its recent cybersecurity newsletter.

Risks must be identified, prioritized, and mitigated to reduce them to a low and acceptable level. Mitigations include upgrading to a supported version or system, contracting with a vendor to provide extended support, migrating the system to a supported cloud-based solution, or segregating the system from the network.

If HIPAA-covered entities choose to continue maintaining a legacy system existing security controls should be strengthened or compensating controls should be implemented. OCR says consideration should be given to the burdens of maintenance, as they may outweigh the benefits of continuing to use the legacy system and plans should be made for the eventual removal and replacement of the legacy system.

In the meantime, OCR suggests the following controls for improving security:

  • Enhance system activity reviews and audit logging to detect unauthorized activity, with special attention paid to security configurations, authentication events, and access to ePHI.
  • Restrict access to the legacy system to a reduced number of users.
  • Strengthen authentication requirements and access controls.
  • Restrict the legacy system from performing functions or operations that are not strictly necessary
  • Ensure backups of the legacy system are performed, especially if strengthened or compensating controls impact prior backup solutions.
  • Develop contingency plans that contemplate a higher likelihood of failure.
  • Implement aggressive firewall rules.
  • Implement supported anti-malware solutions.

The post OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance appeared first on HIPAA Journal.

Microsoft Warns of Ongoing Attacks by SolarWinds Hackers on Service Providers and Downstream Businesses

Posted by HIPAA Journal

The advanced persistent threat (APT) actor Nobelium (aka APT29; Cozy Bear) that was behind the 2020 SolarWinds supply chain attack is targeting cloud service providers (CSPs), managed service providers (MSPs), and other IT service providers, according to a recent alert from Microsoft.

Rather than conducting attacks on many companies and organizations, Nobelium is favoring a compromise-one-to-compromise-many approach. This is possible because service providers are often given administrative access to customers’ networks to allow them to provide IT services. Nobelium is attempting to leverage that privileged access to conduct attacks on downstream businesses and has been conducting attacks since at least May 2021.

Nobelium uses several techniques to compromise the networks of service providers, including phishing and spear phishing attacks, token theft, malware, supply chain attacks, API abuse, and password spraying attacks on accounts using commonly used passwords and passwords that have previously been stolen in data breaches.

Once access to service providers’ networks has been gained, Nobelium moves laterally in cloud environments then leverages the trusted access to conduct attacks on downstream businesses using trusted channels such as externally facing VPNs or the unique software solutions used by service providers to access customers’ networks.

Some of the attacks conducted by Nobelium have been highly sophisticated and involved chaining together artifacts and access from multiple service providers in order to reach their end target, as indicated in the diagram below.

Example of a Nobelium attack leveraging multiple service providers. Source: Microsoft Threat Intelligence Center

Microsoft Threat Intelligence Center (MSTIC) has made several recommendations for service providers and downstream businesses to help with mitigation and remediation.

CPSs and MSPs that rely on elevated privileges to provide services to their customers have been advised to verify and monitor compliance with Microsoft Partner Center security requirements, which include enabling multifactor authentication and enforcing conditional access policies, adopting the Secure Application Model Framework, checking activity logs and monitoring user activities, and removing delegated administrative privileges that are no longer in use.

All downstream businesses that rely on service providers that have administrative access have been advised to review, audit, and minimize access privileges and delegated permissions, including hardening and monitoring all tenant administrator accounts and reviewing service provider permissions access from B2B and local accounts. They should also verify MFA is enabled and conditional access policies are being enforced and regularly review audit logs and configurations.

Microsoft has published detailed information on the tactics, techniques, and procedures (TTP) of Nobelium in its alerts to help IT security teams to block, detect, investigate, and mitigate attacks.

The post Microsoft Warns of Ongoing Attacks by SolarWinds Hackers on Service Providers and Downstream Businesses appeared first on HIPAA Journal.

Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI

Posted by HIPAA Journal

A new study has revealed widespread security failures at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are putting sensitive data at risk.

The study, conducted by the data security and insider threat detection platform provider Varonis, involved an analysis of around 3 billion files at 58 healthcare organizations, including healthcare providers, pharmaceutical companies, and biotechnology firms. The aim of the study was to determine whether security controls had been implemented to secure sensitive data and to help organizations better understand their cybersecurity vulnerabilities in the face of increasing threats.

The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be limited to employees who need to view PHI for work purposes. When access is granted, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI should be accessible. Each user must be provided with a unique username that allows access to PHI to be tracked. Passwords are required to authenticate users, with the HIPAA Security Rule requiring HIPAA-regulated entities to implement, “procedures for creating, changing, and safeguarding passwords.”

The Varonis study, the results of which were published in its 2021 Data Risk Report: Healthcare, Pharmaceutical, & Biotech, revealed an average healthcare worker has access to 31,000 sensitive files containing PHI, financial, and proprietary data on their first day of work. Those files were stored on parts of the network that can be accessed by all employees.

On average, 20% of each organization’s files are open to every employee, even though in many cases access was not required to complete work duties. 50% of organizations investigated had more than 1,000 sensitive files open to all employees, and one in four files at small healthcare organizations could be accessed by every employee. There were no restrictions on access to 1 in 10 files that contained PHI or intellectual property.

“We discovered that smaller organizations have a shocking amount of exposed data, including sensitive files, intellectual property, and patient records. On their first day, new employees at small companies have instant access to over 11,000 exposed files, and nearly half of them contain sensitive data,” explained Varonis in the report. “This creates a massive attack surface and increases the risk of noncompliance in the event of a data breach.”

To reduce risk, it is vital to operate under the principle of least privilege. If employees are given broad access to sensitive information, not only does that increase the opportunity for insider data theft, if their credentials are compromised in a phishing attack, external threat actors will have easy access to huge volumes of data.

The problem is made worse by poor password practices. 77% of companies studied for the report had 501 or more accounts with passwords set to never expire, and 79% of organizations had more than 1,000 ghost accounts. Ghost accounts are inactive accounts that have not been disabled. These accounts give hackers an easy way to access sensitive data and traverse networks and file structures undetected.

According to the Verizon Data Breach Investigations Report, data breaches increased by 58% in 2020 with cyber threat actors actively targeting the healthcare, pharma, and biotech industries to steal sensitive data, intellectual property, and vaccine research data. The healthcare industry has the highest data breach costs which, according to the IBM Security Cost of a Data Breach Report, are $7.13 million per breach. Organizations that fail to restrict access to protected healthcare information can also face heavy financial penalties, which under HIPAA/HITECH are up to $1.5 million per year, per violation category.

“To get in front of increasingly malicious and sophisticated cyberattacks, hospitals, pharmaceutical companies, and biotech’s need to double down on maturing incident response procedures and mitigation efforts,” said Varonis. “Enforcing least privilege, locking down sensitive data, and restricting lateral movement in their environments are the absolute bare minimum precautionary measures that healthcare organizations need to take.”

The post Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI appeared first on HIPAA Journal.

International Law Enforcement Operation Takes Down REvil Ransomware Gang’s Infrastructure

Posted by HIPAA Journal

In July 2021, the notorious REvil (Sodinokibi) ransomware gang appeared to have ceased operations, with both its Tor payment site and data leak blog suddenly going offline. The DarkSide ransomware operation also went quiet, leading many security experts to believe that the operators of the ransomware-as-a-service (RaaS) operations were laying low or that there had been a law enforcement takedown of their infrastructure. Some of the servers used by the REvil gang were brought back online temporarily but were shut down again in mid-October. This temporary resurrection was thought to be an affiliate attempting to continue the operation.

The apparent shutdown of the REvil operation followed two major attacks on the food production company JBS and the software management company Kaseya, with the later attack affecting around 50 managed service providers and up to 1,500 downstream businesses. Associates of the REvil gang had developed the DarkSide ransomware variant, which was used in the attack on Colonial Pipeline and caused its fuel pipeline to the Eastern seaboard of the United States to be shut down for a week. While ransomware had always posed a threat to critical infrastructure, these attacks made it clear that critical infrastructure was certainly not off-limits for ransomware gangs.

After the attacks, the White House announced more resources would be made available to deal with the ransomware threat, with the attacks elevated to a level similar to terrorism. President Biden met with Russian President Vladimir Putin and urged him to take action against ransomware gangs operating within its borders, and the United States has been working with cybersecurity leaders to discuss other cybersecurity initiatives to mitigate the threat. As part of the ongoing efforts to deal with the ransomware threat, earlier this month President Biden announced the United States would be participating in a meeting with leaders in more than 30 countries to combat ransomware.

REvil Operation Targeted by Law Enforcement

It has now become clear that the shutdown of the REvil operation was the result of an international law enforcement effort, according to a recent Reuters report. Tom Kellerman, VMWare’s head of cybersecurity strategy and advisor to the US Secret Service said, “The FBI, in conjunction with Cyber Command, the Secret Service, and like-minded countries, have truly engaged in significant disruptive actions against these groups.”

REvil emerged in 2019 as an offshoot of the GandCrab ransomware operation and soon became the most prolific ransomware group, accounting for 73% of all ransomware detections in Q2, 2021. When it came to taking action against these groups, “REvil was top of the list”, said Kellerman.

In July, before the REvil gang went dark, law enforcement gained access to some of its network infrastructure and servers, with Kellerman confirming law enforcement had prevented attacks on several companies. Mimicking the actions of the REvil gang, law enforcement also compromised its backups. The REvil gang attempted to restore its servers from backups in the belief that they had not been compromised, but the restored infrastructure was under the control of law enforcement.

One of the leaders of the REvil operation who is known as “0_neday”, recently posted on a cybercrime forum confirming an unnamed party had compromised its servers and claimed, “They were looking for me… Good luck, everyone; I’m off.”

The shutdown almost certainly spells the end of the REvil operation; however, when takedowns occur, it is common for ransomware gangs to simply rebrand and start a new operation. The affiliates that have signed up for RaaS operations often jump ship and sign up with other RaaS operations, so while REvil was a major operator, it does not mean that ransomware attacks will slow. After news of the takedown emerged, members of other ransomware gangs posted online showing solidarity with the REvil operation. One member of the Groove operation called for other ransomware groups to respond to the takedown and increase their attacks on targets in the United States.

The post International Law Enforcement Operation Takes Down REvil Ransomware Gang’s Infrastructure appeared first on HIPAA Journal.

Cybersecurity Awareness Month: Put Cybersecurity First

Posted by HIPAA Journal

The theme of the fourth week of Cybersecurity Awareness Month is “Cybersecurity First”, with the focus on getting the message across to businesses about the need for cybersecurity measures to address vulnerabilities in products, processes, and people.

Cybersecurity Advice for Companies

One study suggests 64% of companies worldwide have experienced some form of cyberattack and the rate at which attacks are occurring is increasing. It is essential for companies to ensure that cybersecurity measures are incorporated when developing apps, products, or new services and for cybersecurity to be considered at the design stage. Safeguards need to be baked into products from the start. Cybersecurity should not be an afterthought.

Businesses need to have a thorough understanding of their IT environment and what assets need to be protected. An inventory should be created for all assets and the location of all sensitive data should be known. A plan then needs to be developed to protect those assets, which should include overlapping layers of protection using technologies such as firewalls, spam filters, web filters, antivirus software, endpoint detection systems, encryption software, and backup solutions. Patch management is also key. Software and firmware updates should be applied promptly, with priority given to patching the most serious vulnerabilities.

Businesses should adopt a mindset of a cyber breach being inevitable, which means they need to know how they will respond to an attack when it occurs. A business continuity plan should be developed and tested. The plan should include emergency protocols while systems and data are inaccessible, the restoration of systems and data, communication with stakeholders, compliance, and reporting breaches to appropriate authorities. Having an incident response plan in place ensures the business can continue to function in the event of a cyber breach and it will greatly speed up the recovery time and help to keep breach costs to a minimum.

FBI Raises Awareness of the Ransomware Threat

This week, the Federal Bureau of Investigation (FBI) is raising awareness of the threat from ransomware. Ransomware is a type of malware used to encrypt files to ensure they cannot be accessed. A ransom demand is then issued for the keys to decrypt files, although there are no guarantees that file recovery will be possible even if the ransom is paid. It is also now common for sensitive data to be stolen before file encryption, with threats issued to publish or sell the data if the ransom is not paid.

Access to computers and networks is gained by exploiting vulnerabilities, conducting brute force attacks to guess weak passwords, and most commonly, through phishing emails. Links are sent in emails that direct users to websites where they are asked to provide their login credentials or download files containing malware. Oftentimes attachments are included in emails that have macros and other scripts that download malware that provides the attackers with persistent access to devices and networks.

Steps recommended by the FBI to avoid ransomware attacks include keeping software up to date, applying patches promptly, using anti-malware software on all devices, backing up data regularly and storing backups offline, and educating employees about how to identify phishing emails and other threats.

Security awareness training for the workforce is vital. Employees are the last line of defense and they are often targeted by cybercriminals. Employees should receive security awareness training during the onboarding process and should be provided with the tools they need to help them keep their company safe, with training regularly provided throughout employment.

Cybersecurity Advice for Individuals

Individuals are being encouraged to take greater care when using products and services to ensure that cybersecurity best practices are followed. That process needs to start before any purchase is made, with cybersecurity considered before signing up for a new service or buying a new product to ensure the company is legitimate.

When new devices, apps, or services are used, individuals should consider applying measures to secure their accounts and check privacy and security settings. Default passwords should be changed with strong, unique passwords set for all accounts. A password manager should be considered as this will help with the generation of secure passwords for all accounts and will mean users do not have to remember complex passwords. It is also important to set up multi-factor authentication on all accounts to ensure they remain protected if passwords are compromised.

The post Cybersecurity Awareness Month: Put Cybersecurity First appeared first on HIPAA Journal.