Healthcare Cybersecurity

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day.

Healthcare data breaches, past 12 months (Aug 2020 to July 2021)

The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records.

Healthcare records breached, Aug 2020 to July 2021

Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month!

Largest Healthcare Data Breaches in July 2021

Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the Wisconsin healthcare provider Forefront Dermatology. The exact nature of the attack was not disclosed so it is unclear if ransomware was used. Hackers gained access to parts of its network that contained the protected health information of 2.4 million individuals. The second largest data breach was reported by Practicefirst, a New York business associate of multiple HIPAA-covered entities. Ransomware was used in the attack and the healthcare data of 1.2 million individuals was potentially exfiltrated.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Breach Cause | Business Associate Present |
| --- | --- | --- | --- | --- | --- |
| Forefront Dermatology, S.C. | Healthcare Provider | 2,413,553 | Hacking/IT Incident | Unspecified hacking incident | Yes |
| Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions/PBS Medcode Corp | Business Associate | 1,210,688 | Hacking/IT Incident | Ransomware attack | Yes |
| UF Health Central Florida | Healthcare Provider | 700,981 | Hacking/IT Incident | Ransomware attack | No |
| Orlando Family Physicians, LLC | Healthcare Provider | 447,426 | Hacking/IT Incident | Phishing attack | No |
| HealthReach Community Health Centers | Healthcare Provider | 122,340 | Improper Disposal | Improper disposal of electronic medical records | No |
| Guidehouse | Business Associate | 84,220 | Hacking/IT Incident | Ransomware attack (Accellion FTA) | Yes |
| Advocate Aurora Health | Healthcare Provider | 68,707 | Hacking/IT Incident | Ransomware attack (Elekta) | Yes |
| McLaren Health Care Corporation | Healthcare Provider | 64,600 | Hacking/IT Incident | Ransomware attack (Elekta) | Yes |
| Coastal Family Health Center, Inc | Healthcare Provider | 62,342 | Hacking/IT Incident | Ransomware attack | No |
| Florida Heart Associates | Healthcare Provider | 45,148 | Hacking/IT Incident | Ransomware attack | No |
| A2Z Diagnostics, LLC | Healthcare Provider | 35,587 | Hacking/IT Incident | Phishing attack | No |
| University of Maryland, Baltimore | Business Associate | 30,468 | Hacking/IT Incident | Unspecified hacking incident | Yes |
| Florida Blue | Health Plan | 30,063 | Hacking/IT Incident | Brute force attack (Member portal) | No |
| Intermountain Healthcare | Healthcare Provider | 28,628 | Hacking/IT Incident | Ransomware attack (Elekta) | Yes |

Causes of July 2021 Healthcare Data Breaches

As the table above shows, ransomware continues to be extensively used in cyberattacks on healthcare organizations and their business associates. Those attacks can easily result in the theft of large amounts of healthcare data. The majority of ransomware gangs (and their RaaS affiliates) are now exfiltrating sensitive data prior to using ransomware to encrypt files. Victims are required to pay to prevent the publication or sale of the stolen data as well as a payment to obtain the keys to decrypt files.

To help combat this rise in double extortion ransomware attacks, new guidance has been released by the Cybersecurity and Infrastructure Security Agency. The National Institute of Standards and Technology (NIST) has also updated its cybersecurity guidance on building resilient computer networks, with the emphasis now shifting away from perimeter defenses to assuming attackers have already gained access to the network. Mechanisms therefore need to be implemented to reduce the harm that can be caused.


Hacking/IT incidents, many of them ransomware attacks, dominate the month’s breach reports. There were 52 reported hacking/IT incidents in which the protected health information of 5,393,331 individuals was potentially compromised. That’s 96.82% of all records breached in July. The mean breach size was 103,718 records and the median breach size was 4,185 records.

There were 13 reported unauthorized access/disclosure incidents, which include misdirected emails, mailing errors, and snooping by healthcare employees. 52,676 healthcare records were impermissibly viewed or disclosed to unauthorized individuals across those incidents. The mean breach size was 4,052 records and the median breach size was 1,038 records. There were two theft incidents reported involving a total of 2,275 records and one improper disposal incident involving 122,340 electronic health records.

The vast majority of incidents involved the hacking of network servers; however, email accounts continue to be compromised at high rates. 21 breaches involved protected health information stored in email accounts. The majority of the email incidents involved the theft of employee credentials in phishing attacks.

Location of breached protected health information (July 2021)

Data Breaches by Covered Entity Type

Healthcare providers reported 47 data breaches in July, with 11 breaches reported by business associates and 10 breaches reported by health plans; however, the reporting entity is not the best gauge of where these breaches occurred. In many cases, the breach was experienced at a business associate, but was reported by the covered entity.

When this is taken into account, the figures show that healthcare provider and business associate data breaches are on a par, with 30 breaches each for July 2021, as shown in the pie chart below.

July 2021 healthcare data breaches by covered entity type

July 2021 Healthcare Data Breaches by State

July saw healthcare data breaches reported by HIPAA-covered entities and business associates based in 32 states and the District of Columbia.

| State | Number of Reported Healthcare Data Breaches |
| --- | --- |
| Florida | 6 |
| California, New York & Texas | 5 |
| Illinois & North Carolina | 4 |
| Connecticut, Minnesota, Nebraska & New Jersey | 3 |
| Mississippi, Oklahoma, Washington & Wisconsin | 2 |
| Alabama, Georgia, Iowa, Indiana, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Montana, Ohio, Pennsylvania, South Carolina, Utah, Virginia, West Virginia & the District of Columbia | 1 |

HIPAA Enforcement Activity in July 2021

The HHS’ Office for Civil Rights (OCR), the primary enforcer of HIPAA compliance, did not announce any new enforcement actions against HIPAA-covered entities or business associates in July, nor were there any enforcement actions announced by state Attorneys General.

The OCR year-to-date total still stands at 8 financial penalties totaling $5,570,100, with just one financial penalty imposed by state attorneys general – a multi-state action that saw American Medical Collection Agency (AMCA) fined $21 million.

Data for this report came from the HHS’ Office for Civil Rights breach portal.

The post July 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

CISA Publishes Guidance on Protecting Sensitive Data and Responding to Double-Extortion Ransomware Attacks

Ransomware attacks dramatically increased in 2020 and cyberattacks using the file-encrypting malware are showing no sign of abating. Attacks have continued to increase this year to the point where there were almost half as many attempted ransomware attacks in Q2, 2021 as there were in all of 2019.

Most threat actors conducting ransomware attacks are now using double extortion tactics, where ransoms must be paid to obtain the keys to decrypt files but also to prevent the publication of data stolen in the attacks. The theft of data prior to file encryption has not only helped ransomware gangs demand huge ransom payments, but the threat of leaking data has greatly increased the probability of the ransom being paid. Many victims end up paying the ransom to prevent data leakage, even though they have valid backups that would allow them to restore the encrypted data for free.

To help public and private sector organizations deal with the threat of these double-extortion ransomware attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance, which includes best practices for preventing cyber threat actors from gaining access to networks, steps that can be taken to ensure sensitive data are protected, and procedures that should be followed when responding to a ransomware attack.

“Ransomware is a serious and increasing threat to all government and private sector organizations, including critical infrastructure organizations,” explained CISA in the guidance. “All organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems.”

There are several measures outlined in the document that are important not only for preventing ransomware attacks but also for limiting their severity. It is essential to maintain offline, encrypted backups of data and to regularly test the backups to make sure file recovery is actually possible. It is also vital that a basic cyber incident response plan, resiliency plan, and associated communications plan are created and maintained, and that exercises are conducted to ensure that a rapid response to an attack is possible. To block attacks, steps must be taken to address the key attack vectors, which are phishing, RDP compromises, and the exploitation of internet-facing vulnerabilities and misconfigurations. Naturally, all organizations should also ensure good cyber hygiene practices are followed.

In order to protect sensitive data, organizations must know where sensitive data reside and who has access to those data repositories. It is also important to ensure that sensitive data are only retained for as long as is strictly necessary. Physical and cybersecurity best practices must be implemented, including restricting access to physical IT assets, encrypting sensitive data at rest and in transit, and implementing firewalls and network segmentation to hamper attempts at lateral movement within networks. CISA also recommends ensuring the cyber incident response and communications plans include response and notification procedures for data breach incidents.

A rapid and effective response to a ransomware attack is critical for limiting the harm caused and keeping costs down. The cyber incident response plan should detail all the steps that need to be taken, and the order in which they should be taken. The first step is determining which systems have been impacted and immediately isolating them to secure network operations and stop additional data loss. The next step should only be taken if affected devices cannot be removed from the network or the network cannot be temporarily shut down, and that is to power down infected devices to avoid further spread of the ransomware infection.

Then, triage impacted systems for restoration and recovery, confer with the security team to develop and document an initial understanding of what has occurred, then engage internal and external teams and stakeholders and provide instructions on how they can assist with the response and recovery processes. Organizations should then follow the notification requirements outlined in their cyber incident response plan.

The guidance document – Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches – is available from CISA.


Mid-Year Threat Report Shows Massive Increase in Ransomware Attacks

Last month, SonicWall published a mid-year update of its Cyber Threat Report which confirmed there has been a major increase in cyberattacks since 2020. In the first 6 months of 2021, cryptojacking attacks increased by 23%, encrypted threats rose by 26%, IoT attacks rose by 59%, and there was a 151% increase in ransomware attacks compared to the corresponding period last year.

Ransomware attacks have been steadily increasing since Q1, 2020, but the rate of increase jumped considerably between Q1 and Q2, 2021, rising to a Q2 total of 188.9 million attempted attacks: an increase of 63.1% from the previous quarter. In June alone there were 78.4 million attempted ransomware attacks, which is more than the total number of attacks in the second quarter of 2020 and almost half of the total number of attempted ransomware attacks in all of 2019. In total, there were 304.7 million attempted ransomware attacks in the first half of 2021.

“Even if we don’t record a single ransomware attempt in the entire second half (which is irrationally optimistic), 2021 will already go down as the worst year for ransomware SonicWall has ever recorded,” said SonicWall in the report.

Most ransomware attacks target the United States, which accounts for around 73% of all ransomware attempts, but ransomware attacks have been increasing globally. In the first half of 2021, attacks in North America increased by 180% and there was a 234% increase in ransomware volume in Europe. The United States saw a 185% increase and there was a 144% increase in attacks on UK organizations.

Within the United States, certain states have been extensively attacked. Florida was by far the worst affected state, registering 111 million ransomware hits, which is more than the next nine most attacked states combined. There were 26 million attempted attacks in New York, 20 million in Idaho, and 8.8 million in Louisiana.

The most targeted industry – by some margin – is government. In 2021, attacks increased to three times the highest point in 2020 and, in June, government customers were hit at around ten times the average rate. The education sector has also been extensively targeted, although attacks on healthcare customers have remained fairly constant throughout the first half of the year.

The biggest ransomware threat in 2021 has been Ryuk ransomware, with 93.9 million instances of Ryuk recorded in the first half of the year, which is three times the level in the corresponding period in 2020. Cerber ransomware was also a major threat, with 52.5 million instances recorded in the first half of 2021. The number of Cerber instances increased sharply in April and May, with May seeing more than five times the number of attempted attacks as January. Two thirds of the 2020 total number of SamSam ransomware attempts were recorded in June alone, when there were 15.7 million attack attempts.

SonicWall says there are several factors that have fueled the increase in attacks. One of the main reasons for the rise is the attacks are extremely profitable for cyber threat actors. Many organizations have paid ransoms to recover files or to prevent the publication of sensitive data stolen in the attacks.

SonicWall says cyber threat actors are also getting better at finding and encrypting backups, making recovery without paying the ransom difficult or impossible. There has also been an increase in data theft prior to the deployment of ransomware, with payments often made to recover data even when valid backups exist to recover files.

It is becoming more common for threat actors to conduct repeat attacks on organizations that have paid the ransom, as there is a good chance that a second ransom will also be paid. Organizations that pay a ransom may also be targeted by other threat groups that have heard that one payment has already been made.

There was some positive news in the report. Malware attacks have declined significantly year over year. SonicWall Capture Labs recorded 2.5 billion malware attempts in the first six months of 2021, which represents a 22% fall from the same period last year. There has also been a decline in the number of malicious PDF and Office files being distributed in spam and phishing emails. The use of malicious Office files declined by 54% in 2021, with malicious PDF files falling by 13%.


Scripps Health Ransomware Attack Expected to Cost $106.8 Million

Ransomware attacks on hospitals can cause huge financial losses, as the Ryuk ransomware attack on Universal Health Services showed. UHS is one of the largest healthcare providers in the United States, and operates 26 acute care hospitals, 330 behavioral health facilities, and 41 outpatient facilities. UHS said in March 2021 that the September 2020 ransomware attack resulted in $67 million in pre-tax losses due to the cost of remediation, loss of acute care services, and other expenses incurred due to the attack.

While the losses suffered by UHS were significant, the ransomware attack on Scripps Health has proven to be far more expensive. Scripps Health is a California-based nonprofit operator of 5 hospitals and 19 outpatient facilities in the state. In the May 2021 ransomware attack, Scripps Health lost access to information systems at two of its hospitals, staff couldn’t access the electronic medical record system, and its offsite backup servers were also affected.

Without access to critical IT systems, Scripps Health was forced to re-route stroke and heart attack patients from four of its main hospitals in Encinitas, La Jolla, San Diego and Chula Vista, and trauma patients could not be accepted at Scripps Mercy Hospital San Diego in Hillcrest and Scripps Memorial Hospital La Jolla. Scripps Health said it took 4 weeks to recover from the attack.

Losses sustained as a result of the attack are expected to reach $106.8 million, with the majority of that figure – $91.6 million – due to lost revenue during the 4-week recovery period. $21.1 million had to be spent on response and recovery, and Scripps Health was only able to recover $5.9 million from its cyber insurance policy.

The costs are likely to increase further still. The protected health information of 147,267 patients was compromised in the attack, and several class action lawsuits have been filed against Scripps Health over the theft of patient data. The expected losses do not include litigation costs.


CISA Issues Warning About Blackberry’s QNX Vulnerability Affecting Critical Infrastructure

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert warning about a vulnerability affecting Blackberry’s QNX Real Time Operating System (RTOS), which is extensively used by critical infrastructure organizations. The vulnerability affects multiple consumer, medical, and industrial networks.

The vulnerability is one of 25 that are collectively known as BadAlloc, which affect multiple IoT and OT systems. The flaws are integer overflow or wraparound issues in memory allocation functions used in real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.

On August 17, 2021, Blackberry announced that its QNX products were affected by one of the BadAlloc vulnerabilities – CVE-2021-22156. The flaw could be exploited by a remote attacker to cause a denial-of-service condition, or even achieve remote code execution, with the latter potentially allowing an attacker to take control of highly sensitive systems.

The flaw affects the calloc() function in the C runtime library of multiple BlackBerry QNX products. “To exploit this vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation,” explained CISA. “An attacker with network access could remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet.”

The flaw affects all BlackBerry programs with dependency on the C runtime library, including medical devices that incorporate BlackBerry QNX software.
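As an added illustration of the integer-wraparound bug class behind BadAlloc (written for this article; it is not QNX's C runtime or CISA's code), the following C model shows a calloc-style allocator that multiplies nmemb by size without an overflow check beside a hardened version that rejects the request when the product would wrap. The request values are constructed so that the true product is exactly one past the largest size_t, which wraps to 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the BadAlloc bug class. It only reproduces the
 * arithmetic at the heart of the flaw: a calloc-style allocator computing
 * nmemb * size. It is not the QNX implementation. */

/* Byte count an unchecked allocator would request; silently wraps modulo 2^N. */
size_t naive_total(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* 1 if nmemb * size cannot be represented in a size_t, else 0. */
int would_overflow(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Vulnerable pattern: trusts the wrapped product. A caller that controls
 * both parameters gets a buffer far smaller than nmemb * size bytes while
 * the rest of the program still believes it holds nmemb elements. */
void *vulnerable_calloc(size_t nmemb, size_t size)
{
    size_t total = naive_total(nmemb, size);
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Hardened pattern: refuse the request instead of wrapping. */
void *hardened_calloc(size_t nmemb, size_t size)
{
    if (would_overflow(nmemb, size))
        return NULL;            /* caller must handle NULL like any allocator */
    size_t total = nmemb * size;
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

int main(void)
{
    /* Constructed request: (SIZE_MAX / 16 + 1) elements of 16 bytes.
     * SIZE_MAX / 16 + 1 is 2^(N-4), so the true product is 2^N, which
     * wraps to 0 in an N-bit size_t. */
    size_t nmemb = SIZE_MAX / 16 + 1;
    size_t size = 16;

    printf("requested: %zu elements x %zu bytes\n", nmemb, size);
    printf("naive total: %zu bytes (overflow: %d)\n",
           naive_total(nmemb, size), would_overflow(nmemb, size));

    /* The unchecked version asks malloc for 0 bytes and may still succeed. */
    void *v = vulnerable_calloc(nmemb, size);
    printf("vulnerable_calloc: %s\n",
           v ? "handed back a buffer with 0 usable bytes" : "NULL");
    free(v);

    /* The checked version rejects the request outright. */
    void *p = hardened_calloc(nmemb, size);
    printf("hardened_calloc: %s\n", p ? "returned a buffer" : "rejected (NULL)");
    free(p);
    return 0;
}
```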

CISA is strongly encouraging all critical infrastructure organizations and other organizations that develop, maintain, support, or use the affected QNX-based systems to apply the patch as soon as possible to prevent exploitation of the flaw. CISA warns that the “installation of software updates for RTOS frequently may require taking the device out of service or to an off-site location for physical replacement of integrated memory.”

Vulnerable products and versions are:

| Product | Affected Version |
| --- | --- |
| QNX SDP | 6.5.0SP1, 6.5.0, 6.4.1, 6.4.0 |
| QNX Momentics Development Suite | 6.3.2 |
| QNX Momentics | 6.3.0SP3, 6.3.0SP2, 6.3.0SP1, 6.3.0, 6.2.1b, 6.2.1, 6.2.1A, 6.2.0 |
| QNX Realtime Platform | 6.1.0a, 6.1.0, 6.0.0a, 6.0.0 |
| QNX Cross Development Kit | 6.0.0, 6.1.0 |
| QNX Development Kit (Self-hosted) | 6.0.0, 6.1.0 |
| QNX Neutrino RTOS Safe Kernel | 1.0 |
| QNX Neutrino RTOS Certified Plus | 1.0 |
| QNX Neutrino RTOS for Medical Devices | 1.0, 1.1 |
| QNX OS for Automotive Safety | 1.0 |
| QNX OS for Safety | 1.0, 1.0.1 |
| QNX Neutrino Secure Kernel | 6.4.0, 6.5.0 |
| QNX CAR Development Platform | 2.0RR |

Mitigations:

  • Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch.
  • Manufacturers of products that develop unique versions of RTOS software should contact BlackBerry to obtain the patch code. Note: in some cases, manufacturers may need to develop and test their own software patches.
  • End users of safety-critical systems should contact the manufacturer of their product to obtain a patch. If a patch is not available, users should apply the manufacturer’s recommended mitigation measures until the patch can be applied.

If it is not possible to apply the patch, or if a fix has not yet been released, CISA recommends ensuring only ports and protocols used by RTOS apps are accessible and all others are blocked.


Study Reveals Extent of Cybersecurity Vulnerabilities at Major Pharmaceutical Firms

Reposify, a provider of an external attack surface management platform, has published the findings of a study of security vulnerabilities at pharmaceutical firms which shows the vast majority of pharma firms have unresolved vulnerabilities that are putting sensitive data and internal systems at risk of compromise.

The study was conducted to assess the prevalence of exposures of services, sensitive platforms, unpatched CVEs and other security issues. Data analyzed for the Pharmaceutical Industry: 2021: The State of the External Attack Surface Report were collected over a two-week period in March 2021 and covered 18 of the leading pharmaceutical companies worldwide and more than 900 of their subsidiaries.

Pharmaceutical companies hold vast amounts of sensitive personal data and extremely valuable drug and vaccine research data. That has made them an attractive target for cybercriminals. During the COVID-19 pandemic, nation state hackers targeted pharma and biotech firms to gain access to sensitive COVID-19 research and vaccine development data.

According to the 2020 Cost of a Data Breach Report from IBM Security/Ponemon Institute, pharma and biotech firms had a high rate of security incidents in 2020, with 53% of them resulting from malicious activity. The average cost of a pharma data breach in 2020 was $5.06 million and the average time to identify and contain a breach was 257 days.

“With the pandemic causing a rush to scale and digitize, pharmaceutical companies’ digital footprints have further expanded creating many new blind spots where attackers could and did easily break in to access confidential, highly sensitive data,” explained Reposify.

In 2020 there were hundreds of mergers and acquisitions, with larger pharmaceutical firms buying up smaller companies in the sector. These smaller firms were typically focused on fast innovation and agility, which often meant insufficient resources were put into cybersecurity. M&A transactions therefore had significant potential to introduce major security risks.

Reposify researchers analyzed 2020 M&A transactions and found in 70% of cases, the newly acquired subsidiary had a negative impact on the security posture of the parent company. The vulnerabilities introduced were often considerable, “adding tens, or in some cases, hundreds of sensitive exposed and unpatched services.”

The researchers analyzed the prevalence of key risks which are visible externally and could potentially be exploited by cyber threat actors, including misconfigured databases and cloud services and unpatched software vulnerabilities. The median number of high severity security issues per company was 269, with a median of 125 critical severity issues per company.

Key findings from the report include:

  • 92% of pharmaceutical companies had at least one exposed database which was potentially leaking data.
  • 76% had an exposed RDP service.
  • 69% of exposed services discovered were classified as being a part of the unofficial network perimeter.
  • 50% of pharma firms had an exposed FTP with anonymous authentication.
  • 46% of pharma firms had an exposed SMB service.

“Pharmaceutical companies must harden their security and make it more difficult for attackers to gain a foothold in their systems”, said Reposify. “This effort must begin with gaining a clear view of their external attack surface and continuous monitoring and elimination of risky attack vectors.” The report also highlighted the importance of performing pre-acquisition cybersecurity due diligence, including mapping and analysis of the acquisition target’s external attack surface.


New ‘DeepBlueMagic’ Ransomware Discovered by Heimdal Security Researchers

A new ransomware variant has been detected by researchers at Heimdal Security that is being used by a threat group that calls itself DeepBlueMagic. The ransomware differs considerably from all other previously identified ransomware strains.

Heimdal Security researchers discovered the new ransomware variant on Wednesday, August 11, 2021, which had been used in an attack on a device running Windows Server 2012 R2. The analysis of the attack revealed DeepBlueMagic ransomware works completely differently to any other ransomware encountered in the past.

The researchers determined DeepBlueMagic ransomware disables security solutions installed on devices to prevent detection, then proceeds to encrypt entire hard drives using a third-party disk encryption tool rather than files. All drives on the targeted server are encrypted with the exception of the system drive (“C:\” partition).

The ransomware uses BestCrypt Volume Encryption software from Jetico. In the attack, the D:\ drive was turned into a RAW partition rather than NTFS, which rendered it inaccessible. Following an attack, any attempt to access the encrypted drive would result in the Windows OS interface prompting the user to accept formatting of the disk, since the drive would be unreadable.

Further analysis of the attack revealed the ransomware stopped all third-party Windows services on the targeted device, thus disabling all security solutions. Then, DeepBlueMagic ransomware deleted the Volume Shadow Copy of Windows to ensure the drive could not be restored. An attempt was also made to activate Bitlocker on all endpoints in the Active Directory.

In this attack, the disk encryption process was started but was not completed; only the volume headers were encrypted. This meant that the encryption process could be continued, or the rescue file created by Jetico’s BestCrypt Volume Encryption could be used to restore the drive; however, the rescue file was also encrypted by the ransomware. In order to access the rescue file, a password must be provided.

Heimdal Security said the ransomware self-deleted in the attack, so it could not be recovered and analyzed on this occasion. The researchers were not able to determine how the ransomware was installed on the server but said there were no failed login attempts, so it was not delivered as a result of a brute force attack. The server only had Microsoft Dynamics AX installed with a Microsoft SQL Server.

The ransom note saved to the desktop advised the victim to make contact via email to find out how much must be paid for the password to recover the encrypted drives.

Heimdal Security researchers said because the encryption process was only partially completed, recovery without paying the ransom is possible. They simulated the DeepBlueMagic process and attempted to use several decryption tools and were able to successfully restore the files on the inaccessible partition using the free TestDisk tool from CGSecurity.org.

“The information we have for now is enough to recognize [DeepBlueMagic] mode of operations and to include protection against it in the next version of Heimdal™ Ransomware Encryption Protection,” explained the researchers.


NIST Updates Guidance on Developing Cyber Resilient Systems

The National Institute of Standards and Technology (NIST) has released a major update to its guidance on developing cyber-resilient systems.

A draft version of the updated guidance – NIST Special Publication 800-160, Volume 2, Revision 1: Developing Cyber-Resilient Systems: A Systems Security Engineering Approach – has been released which includes updates to reflect the changing tactics, techniques, and procedures (TTPs) of cyber threat actors, who are now conducting more destructive attacks, including the use of ransomware.

Organizations used to be able to focus their resources on perimeter defenses and penetration resistance; however, these measures are no longer as effective as they once were at preventing attacks. A modern approach is now required that builds more resilience into IT systems, with measures taken to limit an attacker’s ability to damage infrastructure and move laterally within networks.

“The document provides suggestions on how to limit the damage that adversaries can inflict by impeding their lateral movement, increasing their work factor, and reducing their time on target,” explained NIST.

Hackers can gain access to internal networks even with sophisticated perimeter defenses in place, as recent cyberattacks on Colonial Pipeline, JBS Foods, and Kaseya have shown. The initial attack vector could be a phishing email, the exploitation of an unpatched software vulnerability, or even a supply chain attack. All these methods could be used to bypass traditional defenses and gain a foothold in the network. It is therefore critical for safeguards to be implemented to limit the harm that can be caused, which for many organizations will require improvements to their detection, response, and recovery capabilities.

The approach now advocated by NIST is more in line with zero trust, where it must be assumed that an attacker has already gained access to the network, applications, and systems. Organizations therefore need to build resiliency into their IT systems to ensure that they will continue to function to a sufficient degree to support mission critical business operations.

“What we want to achieve is a system that we call ‘cyber resilient’ or a system that is sufficiently resilient where it can continue to operate and support critical missions in business operations – even if it’s not in a perfect state or even in somewhat of a degraded state,” said NIST fellow Ron Ross.

The updates to the guidance cover three key areas:

  • Updated controls that support cyber resiliency, in line with the recommendations detailed in NIST Special Publication SP 800-53, Revision 5 – Security and Privacy Controls for Information Systems and Organizations.
  • The creation of a single threat taxonomy for organizations in line with MITRE’s Adversarial Tactics, Techniques, and Common Knowledge [ATT&CK] framework.
  • The addition of detailed mapping and analysis of cyber resiliency implementations that support NIST SP 800-53 controls and the MITRE ATT&CK framework techniques, mitigations, and candidate mitigations.

NIST’s cyber resiliency techniques were combined with the MITRE ATT&CK framework because of the framework's high level of adoption, with the aim of simplifying the approach to building more resilient systems.

The guidance document was updated by NIST Fellow Ron Ross, NIST supervisory computer scientist Victoria Pillitteri, and Richard Graubart, Deborah Bodeau, and Rosalie McQuaid of MITRE.

NIST is seeking feedback on the draft version of the guidance document until September 20, 2021. The final version of the guidance is due to be published before year end.

The post NIST Updates Guidance on Developing Cyber Resilient Systems appeared first on HIPAA Journal.

Hospitals More Vulnerable to Botnets, Spam, and Malware than Fortune 1000 Firms

A recent study published in the Journal of the American Medical Informatics Association (JAMIA) sought to identify the relationship between cybersecurity risk ratings and healthcare data breaches.

The study was conducted using breach data obtained from the Department of Health and Human Services for the years 2014 through 2019 and hospital cybersecurity ratings obtained from BitSight. The data sample included 3,528 hospital-year observations, and Fortune 1000 firms were used as the benchmark against which hospital cybersecurity ratings were compared.

For many years, healthcare has lagged other industries when it comes to managing and reducing cybersecurity risk. The researchers found that in aggregate, hospitals had significantly lower cybersecurity ratings than the Fortune 1000 firms; however, the situation has been improving and, based on BitSight risk ratings, the healthcare industry has now caught up with Fortune 1000 firms. By 2019, the difference between the cybersecurity risk ratings of hospitals and Fortune 1000 firms was no longer statistically significant.

While the gap between hospitals and Fortune 1000 firms has virtually been closed, hospitals were found to be statistically more vulnerable than Fortune 1000 firms to certain types of cyberattack, notably botnets, malware, and spam, areas where hospital security still lagged other industry sectors.

Hospitals with low cybersecurity risk ratings were associated with a significant risk of suffering a data breach. Over the period of study, the probability of a data breach occurring at a hospital with a low cybersecurity rating was between 14% and 33%.

“Recent hacking and ransomware attacks may be shifting the security landscape for hospitals, with much larger potential hospital and patient consequences,” said researchers Sung Choi of the University of Central Florida and M. Eric Johnson of Vanderbilt University. “Ongoing risk assessment is needed to keep up with these threats and will likely require even further security investment.”

The researchers suggested that hospital executives need to work to reduce risks related to their technical controls, improve software and security applications, and tackle human vulnerabilities. Human vulnerabilities are often exploited by cyber threat actors in phishing and malware attacks. By enhancing employee security awareness training programs and conducting training more regularly, hospitals will be able to develop a security culture that helps to further reduce risk.

You can read the study in JAMIA (DOI: 10.1093/jamia/ocab142).

The post Hospitals More Vulnerable to Botnets, Spam, and Malware than Fortune 1000 Firms appeared first on HIPAA Journal.