Healthcare Cybersecurity

Exploit Released ‘PrintNightmare’ Zero-Day Windows Print Spooler RCE Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following the publication of a proof of concept (PoC) exploit for a zero-day vulnerability in the Windows Print Spooler service.

The vulnerability has been dubbed PrintNightmare and is tracked as CVE-2021-34527. The flaw exists because the Windows Print Spooler service improperly performs privileged file operations. Microsoft says it can be exploited by an authenticated user calling RpcAddPrinterDriverEx(). A successful attacker gains SYSTEM privileges and can execute arbitrary code: install programs; view, change, or delete data; or create new accounts with full user rights.

The PoC exploit for the vulnerability was published by the Chinese security firm Sangfor. Typically, exploits for unpatched vulnerabilities are not released publicly until software developers have been notified about a flaw and sufficient time has been allowed for a patch to be released and applied by users.

In this case an error was made. Sangfor researchers published the PoC exploit in late June because they believed the flaw had already been fixed: Microsoft had released a patch on June 8, 2021 for a Windows Print Spooler service vulnerability tracked as CVE-2021-1675. That patch does not fully address the PrintNightmare vulnerability, which has now been assigned a second CVE. The researchers deleted the exploit, but it had already been copied and remains in the public domain.

“Microsoft has partially addressed this issue in their update for CVE-2021-1675. Microsoft Windows systems that are configured to be domain controllers and those that have Point and Print configured with the NoWarningNoElevationOnInstall option configured are still vulnerable,” said the CERT Coordination Center.

It is not clear whether Microsoft will release a patch for CVE-2021-34527 on Patch Tuesday on July 13 or will issue an out-of-band update in the next few days.

Microsoft has published two workarounds that will prevent the flaw from being exploited; however, applying those workarounds will affect printing. Exploitation can be prevented either by disabling the Print Spooler service using PowerShell commands or disabling inbound remote printing through Group Policy on all Domain Controllers and Active Directory admin systems. CISA recommends using the workarounds on all Domain Controllers and systems that are not required to print.

This is good practice regardless of the PrintNightmare flaw. If a Domain Controller or other system is not required to print, the Print Spooler service should be disabled. That removes the attack surface for any future vulnerabilities in the service as well.
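The following PowerShell script is an added example, not code from the HIPAA Journal post or from Microsoft's advisory. It audits a host for the two conditions discussed above (Spooler running; Point and Print configured with NoWarningNoElevationOnInstall) and applies one of the two workarounds: it disables the Spooler outright on Domain Controllers and on hosts that do not need to print, and otherwise blocks inbound remote printing, which is what the Group Policy setting "Allow Print Spooler to accept client connections" does when set to Disabled. The registry paths and value names are the ones that policy and the Point and Print policy write to; the -HostNeedsToPrint switch is a hypothetical parameter you set per server role. Run it elevated.

```powershell
# Added example: audit and apply the PrintNightmare workarounds on one host.
# Not from the original post or Microsoft; registry locations below are the
# standard Point and Print / Spooler policy keys. Run from an elevated shell.
param(
    [switch]$HostNeedsToPrint,   # hypothetical: set for print servers and workstations that must print
    [switch]$Apply               # without -Apply the script only reports what it would change
)

$spooler = Get-Service -Name Spooler -ErrorAction Stop
Write-Host "Spooler status: $($spooler.Status), startup type: $($spooler.StartType)"

# Point and Print: NoWarningNoElevationOnInstall = 1 lets non-admins install printer
# drivers without a UAC prompt, the configuration CERT/CC says remains exposed.
$pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$noWarn = (Get-ItemProperty -Path $pnp -Name NoWarningNoElevationOnInstall -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
if ($noWarn -eq 1) {
    Write-Warning 'Point and Print allows driver installation without elevation (NoWarningNoElevationOnInstall = 1)'
}

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

if ($isDC -or -not $HostNeedsToPrint) {
    # Workaround 1: stop and disable the service. Removes both the remote and the local vector.
    if ($Apply) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Host 'Print Spooler stopped and disabled.'
    } else {
        Write-Host 'Would stop and disable the Print Spooler (re-run with -Apply).'
    }
} else {
    # Workaround 2: keep local printing but refuse inbound remote print connections.
    # Same effect as the Group Policy "Allow Print Spooler to accept client connections" = Disabled,
    # which sets RegisterSpoolerRemoteRpcEndPoint = 2. The Spooler must restart to pick it up.
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    if ($Apply) {
        New-Item -Path $printers -Force | Out-Null
        Set-ItemProperty -Path $printers -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force
        Write-Host 'Inbound remote printing disabled; Print Spooler restarted.'
    } else {
        Write-Host 'Would set RegisterSpoolerRemoteRpcEndPoint = 2 and restart the Print Spooler (re-run with -Apply).'
    }
}
```

Run it once without -Apply to see the current state, then with -Apply to enforce. Note the difference between the two branches: disabling the service removes the attack surface entirely, while blocking inbound remote printing only closes the remote path; an authenticated local user on a host that still runs the Spooler retains the local privilege escalation vector until a patch is applied.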

The post Exploit Released ‘PrintNightmare’ Zero-Day Windows Print Spooler RCE Vulnerability appeared first on HIPAA Journal.

CISA Publishes Catalog of Cybersecurity Bad Practices That Must Be Eradicated

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has published a new resource that lists cybersecurity bad practices that are exceptionally dangerous and significantly increase risk to critical infrastructure.

There are many published resources that provide information about cybersecurity best practices that should be adopted to improve security, but CISA felt an additional perspective was required as it is equally, if not more, important to ensure that bad cybersecurity practices are eliminated. “Ending the most egregious risks requires organizations to make a concerted effort to stop bad practices,” explained CISA.

CISA is urging leaders of all organizations to engage in urgent conversations to address technology bad practices, especially organizations that support national critical functions.

One of the foundational elements of risk management is “focus on the critical few”, explained CISA Executive Assistant Director Eric Goldstein in a blog post announcing the launch of the new website resource. Organizations may have limited resources to identify and mitigate risks, but eliminating cybersecurity bad practices is an essential element of every organization’s strategic approach to security. “Addressing bad practices is not a substitute for implementing best practices, but it provides a rubric for prioritization and a helpful answer to the question of ‘what to do first’,” said Goldstein.

The new resource was created following cyberattacks on critical infrastructure which demonstrated the impact they can have on critical government functions and how they pose a threat to security, national economic security, and/or national public health and safety.

The CISA Bad Practices catalog will grow over time, but currently lists two cybersecurity bad practices that are exceptionally risky: The use of unsupported software that has reached end-of-life and the continued use of known, fixed, and default passwords and credentials in service of Critical Infrastructure and National Critical Functions.

OIG Survey Reveals Lack of Oversight of Cybersecurity of Networked Medical Devices in Hospitals

The HHS’ Office of Inspector General (OIG) has conducted a review to determine the extent to which the Centers for Medicare and Medicaid Services (CMS) and Medicare Accreditation Organizations (AOs) require hospitals to have implemented a cybersecurity plan for networked devices and the methods used to assess the cybersecurity of networked medical devices.

Cybersecurity controls are required to protect medical devices that are connected to the Internet, other medical devices, or internal hospital networks. Without those controls, the devices could be accessed by unauthorized individuals and patients could be at risk of harm. Networked medical devices include MRIs, computed tomography, ultrasound, nuclear medicine, and endoscopy systems, as well as systems that communicate with clinical laboratory analyzers such as laboratory information systems. OIG cited an estimate that a large hospital may have around 85,000 medical devices connected to its network.

While these devices are usually separated from other systems, they may connect to the same network as the electronic health record (EHR) system. If cybersecurity controls are lacking, they could be vulnerable to an attack that could potentially impact critical healthcare systems. While there have not been any known cases of cyberattacks conducted specifically to cause patients harm, patients may inadvertently be harmed as a result of an attack conducted for other reasons. In Germany in 2020, a patient died following a ransomware attack: without access to hospital systems, the patient had to be rerouted to an alternative facility and died before treatment could be provided.

The CMS has minimum cybersecurity requirements for hospitals but relies on state survey agencies and Medicare accreditation organizations (AOs) to inspect Medicare-participating hospitals. Those surveys are conducted every 3 years. The Social Security Act requires AOs’ survey protocols to be equivalent to or more stringent than those of CMS.

For the study, OIG sent written interview questions to the CMS and conducted telephone interviews with 4 AOs. The study revealed the CMS survey protocol does not include requirements for networked medical device cybersecurity and AOs do not require hospitals to implement cybersecurity plans covering networked medical devices.

OIG found that AOs sometimes review certain aspects of device cybersecurity. Two AOs had equipment maintenance requirements, which may provide limited insight into medical device cybersecurity. If a hospital identified networked device cybersecurity in its emergency-preparedness risk assessment, the AO would review its mitigation plans; however, hospitals rarely identified device cybersecurity in those assessments. AOs may also examine networked devices when assessing hospital safeguards for medical record privacy. Neither the CMS nor the AOs had plans to update their survey requirements to cover networked devices or general cybersecurity.

OIG has recommended the CMS identify and implement a method of addressing the cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with HHS partners and others. CMS concurred with the recommendation and is considering additional ways to appropriately highlight the importance of cybersecurity of networked medical devices for providers.

OIG suggested several ways that the CMS could improve its oversight and assess medical device cybersecurity. For example, the CMS could use language stating it considers cybersecurity to be part of keeping devices in safe operating condition, highlight the risk that unsecured medical devices connected to the EHR could be a threat to protected health information, and could also remind hospitals to maintain compliance with HIPAA requirements, including the HIPAA Security Rule. The CMS could also instruct surveyors to ask hospitals if they considered cybersecurity of networked devices when they conducted their hazard vulnerability analyses.

NIST Publishes Critical Software Definition for U.S. Agencies

President Biden’s Cybersecurity Executive Order requires all federal agencies to reevaluate their approach to cybersecurity, develop new methods of evaluating software, and implement modern security approaches to reduce risk, such as encryption for data at rest and in transit, multi-factor authentication, and using a zero-trust approach to security.

One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to publish a definition of critical software, which the Cybersecurity and Infrastructure Security Agency (CISA) will use to create a list of all software covered by the Executive Order and for creating security rules that federal agencies will be required to follow when purchasing and deploying the software. These measures will help to prevent cyberattacks such as the SolarWinds Orion supply chain attack that saw the systems of several federal agencies infiltrated by state-sponsored Russian hackers.

The Executive Order required NIST to publish its critical software definition within 45 days. NIST sought input from the public and private sector and multiple government agencies when defining what critical software actually is.

“One of the goals of the EO is to assist in developing a security baseline for critical software products used across the Federal Government,” explained NIST. “The designation of software as EO-critical will then drive additional activities, including how the Federal Government purchases and manages deployed critical software.”

NIST defines EO-critical software as any software that has, or has direct software dependencies upon, one or more components with at least one of the following attributes:

  • Software designed to run with elevated privileges or used to manage privileges.
  • Software with direct or privileged access to networking or computer resources.
  • Software designed to control access to data or operational technology.
  • Software that performs a function critical to trust.
  • Software that operates outside of normal trust boundaries with privileged access.

The above definition applies to all software, whether it is integral to devices or hardware components, stand-alone software, or cloud-based software used for or deployed in production systems or used for operational purposes. That definition covers a broad range of software, including operating systems, hypervisors, security tools, access management applications, web browsers, network monitoring tools, and other software created by private companies and sold to federal agencies, or software developed internally by federal agencies for use within federal networks, including government off-the-shelf software.

NIST has recommended federal agencies should initially focus on implementing the requirements of the Executive Order on standalone, on-premises software that has critical security functions or has significant potential to cause harm if compromised. Next, federal agencies should move onto other categories of software, such as cloud-based software, software that controls access to data, and software components in operational technology and boot-level firmware.

NIST has published a preliminary list of EO-critical software categories; CISA will publish a more comprehensive, finalized list in the coming weeks.

Government Watchdog Makes 7 Recommendations to HHS to Improve Cybersecurity

The Government Accountability Office has published a report following a review of the organizational approach to cybersecurity of the U.S. Department of Health and Human Services (HHS).

The study was conducted because both the HHS and the healthcare and public health sector are heavily reliant on information systems to fulfil their missions, which include providing healthcare services and responding to national health emergencies. Should any information systems be disrupted, it could have major implications for the HHS and healthcare sector organizations and could be catastrophic for Americans who rely on their services.

“A cyberattack resulting in the disruption of IT systems supporting pharmacies, hospitals, and physicians’ offices would interfere with the approval and distribution of the life-saving medications and other products needed by patients and healthcare facilities,” said the GAO in the report.

The HHS must have safeguards in place to protect its computer systems from threat actors looking to obtain sensitive data to commit fraud and identity theft, conduct attacks that aim to disrupt operations, or gain access to networks to launch attacks on other computer systems. Throughout the pandemic, many threat actors and APT groups have targeted the healthcare sector, and the GAO pointed out that the FBI and CISA have issued multiple alerts over the past 12 months warning about cyber threats specifically targeting healthcare and public health entities.

The GAO reports that the HHS has clearly defined roles and responsibilities, which is essential for effective collaboration; however, there were several areas where improvements could be made, mostly concerning collaboration with its partners.

HHS working groups were assessed on the extent to which they demonstrated GAO's Leading Practices for Collaboration. All seven HHS working groups met four of the practices: bridge organizational cultures, identify leadership, include relevant participants in the group, and identify resources. Six working groups met two further practices: clarify roles and responsibilities, and document and regularly update written guidance and agreements. Five groups met the remaining practice: define and track outcomes and accountability.

The GAO made seven recommendations on how the HHS can improve collaboration and coordination within the HHS and with the healthcare sector.

  1. The HHS Secretary should order the CIO to coordinate cybersecurity threat information sharing between the Health Sector Cybersecurity Coordination Center (HC3) and the Healthcare Threat Operations Center (HTOC).
  2. The HHS Secretary should order the CIO to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group.
  3. The HHS Secretary should order the Assistant Secretary for Preparedness and Response to monitor, evaluate, and report on the progress and performance of the Government Coordinating Council’s Cybersecurity Working Group and HHS Cybersecurity Working Group.
  4. The HHS Secretary should order the CIO to regularly monitor and update written agreements describing how the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group will facilitate collaboration, and ensure that authorizing officials review and approve the updated agreements.
  5. The HHS Secretary should order the Assistant Secretary for Preparedness and Response to ensure that authorizing officials review and approve the charter describing how the HHS Cybersecurity Working Group will facilitate collaboration.
  6. The HHS Secretary should direct the Assistant Secretary for Preparedness and Response to finalize written agreements that include a description of how the Government Coordinating Council’s Cybersecurity Working Group will collaborate; identify the roles and responsibilities of the working group; monitor and update the written agreements on a regular basis; and ensure that authorizing officials leading the working group approve the finalized agreements.
  7. The HHS Secretary should order the Assistant Secretary for Preparedness and Response to update the charter for the Joint Healthcare and Public Health Cybersecurity Working Group for the current fiscal year and ensure that authorizing officials leading the working group review and approve the updated charter.

The HHS concurred with six of the recommendations and is taking action to address them. It did not concur with the recommendation to coordinate cybersecurity information sharing between HC3 and HTOC.

Bipartisan Group of Senators Introduce Federal Data Breach Notification Bill

A bipartisan group of senators has introduced a federal data breach notification bill – the Cyber Incident Notification Act of 2021 – that requires all federal agencies, contractors, and businesses that have oversight over critical infrastructure to report significant cyber threats to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery.

The draft bill was released by Senators Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME) but has yet to be formally introduced in the Senate. The bill seeks to address many of the issues identified following recent cyberattacks on critical infrastructure, such as the SolarWinds Orion supply chain attack and the ransomware attacks on JBS and Colonial Pipeline.

The purpose of the new bill is to ensure timely federal government awareness of cyber intrusions that pose a threat to national security, which will enable the development of a common operating picture of national-level cyber threats. Entities discovering cyber threats will be required to provide actionable cyber threat information which will be made available to government and private sector entities and the public to allow action to be taken promptly to tackle threats.

Incidents classified as significant cybersecurity intrusions that would warrant notification are cyberattacks that:

  • Involve or are believed to involve a nation state.
  • Involve or are believed to involve an Advanced Persistent Threat (APT) actor.
  • Involve or are believed to involve a transnational organized crime group.
  • Could harm U.S. national security interests, foreign relations, or the U.S. economy.
  • Are likely to be of significant national consequence.
  • Have the potential to affect CISA systems.
  • Involve ransomware.

The draft bill requires breach notifications to include a description of the cybersecurity intrusion, the affected systems and networks, estimates of the dates when the intrusion is thought to have occurred, a description of the vulnerabilities thought to have been exploited, and the tactics, techniques, and procedures (TTPs) used by the threat actor. In addition, notifications should include any information that could be used to identify the threat actor, contact information to allow the breached entity to be contacted by federal agencies, and details of any actions taken to mitigate the threat.

The bill requires the Department of Homeland Security to work with other federal agencies to draw up a set of reporting criteria and to harmonize those criteria with the regulatory requirements in effect on the date of enactment.

Any covered entity that fails to report a cyber intrusion covered by the bill will face penalties determined by the Administrator of the General Services Administration. Businesses violating the terms of the Cyber Incident Notification Act of 2021 could face a financial penalty of 0.5% of gross revenue for the previous year and sanctions could include removal from federal contracting schedules.

While there is clearly a need for a national data breach notification law, several previous attempts to introduce one have failed to make it through the Senate. In addition to this bill, several House members and Senators are believed to be working on their own data breach notification bills.

May 2021 Healthcare Data Breach Report

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67.

U.S. Healthcare Data Breaches - Past 12 Months

May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months.

U.S. Healthcare Data Breaches - Records Breached in the Past 12 Months

Largest Healthcare Data Breaches Reported in May 2021

As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records, and 7 of those breaches involved 100,000 or more records. All but one were hacking incidents or involved IT systems being compromised by other means.

The largest healthcare data breach of the month by some distance affected 20/20 Eye Care Network, a vision and hearing benefits administrator. The records of more than 3.25 million individuals were stored in an AWS S3 bucket that was accessed by an unauthorized individual. Data was downloaded by the attacker before being deleted. Another benefits administrator, SEIU 775 Benefits Group, also suffered a breach in which sensitive data was deleted. That breach involved the PHI of 140,000 individuals.

Over the past two months, several healthcare providers have announced they were affected by a ransomware attack on the third-party administration service provider CaptureRx. At least 26 healthcare providers are known to have had PHI exposed in that breach. This month, CaptureRx issued its own notification to the HHS, which confirms the breach affected 1,656,569 individuals. Several healthcare organizations have also reported this month that they were affected by a ransomware attack on another business associate, Netgain Technologies. The table below shows the extent to which ransomware has been used in attacks on the healthcare industry.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Breach Cause | Business Associate Involvement
--- | --- | --- | --- | --- | ---
20/20 Eye Care Network, Inc | Business Associate | 3,253,822 | Hacking/IT Incident | Unsecured AWS S3 Bucket | Yes
NEC Networks, LLC d/b/a CaptureRx | Business Associate | 1,656,569 | Hacking/IT Incident | Ransomware attack | Yes
Orthopedic Associates of Dutchess County | Healthcare Provider | 331,376 | Hacking/IT Incident | Ransomware attack | No
Rehoboth McKinley Christian Health Care Services | Healthcare Provider | 207,195 | Hacking/IT Incident | Ransomware attack | No
Five Rivers Health Centers | Healthcare Provider | 155,748 | Hacking/IT Incident | Phishing attack | No
SEIU 775 Benefits Group | Business Associate | 140,000 | Hacking/IT Incident | Unspecified hacking incident | Yes
San Diego Family Care | Healthcare Provider | 125,500 | Hacking/IT Incident | Ransomware attack (Netgain Technologies) | Yes
Hoboken Radiology LLC | Healthcare Provider | 80,000 | Hacking/IT Incident | Hacked medical imaging server | No
CareSouth Carolina, Inc. | Healthcare Provider | 76,035 | Hacking/IT Incident | Ransomware attack (Netgain Technologies) | Yes
Arizona Asthma and Allergy Institute | Healthcare Provider | 70,372 | Hacking/IT Incident | Ransomware attack | No
New England Dermatology, P.C. | Healthcare Provider | 58,106 | Improper Disposal | Improper disposal of specimen bottles | No
Sturdy Memorial Hospital | Healthcare Provider | 57,379 | Hacking/IT Incident | Ransomware attack | No
LogicGate | Business Associate | 47,035 | Hacking/IT Incident | Unsecured AWS S3 Bucket | Yes
Lafourche Medical Group | Healthcare Provider | 34,862 | Hacking/IT Incident | Phishing attack | No
Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group | Healthcare Provider | 34,203 | Hacking/IT Incident | Ransomware attack | No
SAC Health Systems | Healthcare Provider | 28,128 | Hacking/IT Incident | Ransomware attack (Netgain Technologies) | Yes
Monadnock Community Hospital | Healthcare Provider | 14,340 | Hacking/IT Incident | Unspecified hacking incident | Yes
Community Access Unlimited | Business Associate | 13,813 | Hacking/IT Incident | Ransomware attack (Netgain Technologies) | Yes
Westwood Obstetrics and Gynecology | Healthcare Provider | 12,931 | Hacking/IT Incident | Unspecified hacking incident | Yes

Causes of May 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in May. Out of the 63 reported breaches, 49 (77.78%) were hacking/IT incidents (the remaining 14 are the unauthorized access/disclosure, loss/theft, and improper disposal incidents below). These incidents resulted in the exposure or theft of 6,432,367 healthcare records, 98.43% of all records breached in the month. The average breach size was 131,273 records and the median breach size was 4,250 records.

There were 9 reported unauthorized access/disclosure incidents involving the records of 17,834 individuals. The average breach size was 1,982 records and the median breach size was 1,562 records. There were 3 loss/theft incidents involving 20,325 records and two incidents involving the improper disposal of protected health information affecting 64,604 individuals.

May 2021 U.S. Healthcare Data Breaches - Causes

While phishing incidents have plagued the healthcare industry over the past few years, it is now network server incidents that dominate the breach reports. 41 of the month’s breaches involved compromised network servers, compared to just 9 incidents involving email.

May 2021 U.S. Healthcare Data Breaches- location of breached PHI

May 2021 Healthcare Data Breaches by Covered Entity Type

47 healthcare providers reported data breaches in May 2021, although only 20 of those incidents were breaches directly involving the healthcare provider. 27 of those breaches were reported by the healthcare provider but occurred at a business associate.

7 data breaches were reported to the HHS’ Office for Civil Rights by business associates of HIPAA-covered entities, although in total, the business associate was present in 31 of the month’s breaches.

8 breaches affected health plans, 4 of which had some business associate involvement, and one breach was reported by a healthcare clearinghouse.

May 2021 healthcare data breaches by covered entity type

States Affected by Healthcare Data Breaches

Healthcare data breaches were reported by HIPAA-covered entities and business associates based in 32 U.S. states.

State | No. of Reported Data Breaches
--- | ---
Texas | 6
New York, Ohio | 5
California, Illinois, West Virginia | 4
Mississippi, Missouri | 3
Florida, Maryland, Massachusetts, New Jersey, Oklahoma | 2
Arizona, Arkansas, Connecticut, Delaware, Georgia, Indiana, Louisiana, Maine, Minnesota, North Carolina, Nevada, New Hampshire, New Mexico, Pennsylvania, Rhode Island, South Carolina, Tennessee, Washington, Wisconsin | 1

HIPAA Enforcement in May 2021

There was one HIPAA enforcement action announced by the HHS’ Office for Civil Rights in May, bringing the total to 8 for 2021. Most of the settlements announced so far in 2021 have resolved violations of the HIPAA Right of Access; May’s settlement, however, was for multiple violations of the HIPAA Security Rule.

Most financial penalties stem from an OCR investigation into a data breach or a complaint from a patient. May’s financial penalty was atypical, as it was the result of a compliance review. OCR had investigated a data breach reported by the Department of Veterans Affairs involving its business associate Authentidate Holding Corporation (AHC).

That investigation was resolved without financial penalty; however, during the investigation OCR learned that AHC had entered into a reverse merger with Peachstate Health Management, LLC, a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR decided to conduct a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance and discovered multiple violations of the HIPAA Security Rule. OCR discovered potential violations related to risk assessments, risk management, audit controls, and a lack of documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000.

Avaddon Ransomware Operation Shuts Down and Releases Decryption Keys

The Avaddon ransomware-as-a-service operation was shut down on Friday and the threat group released the decryption keys for all victims. Bleeping Computer was sent an email with a password and a link to a password-protected ZIP file containing the private keys for 2,934 Avaddon ransomware victims. The keys were confirmed as legitimate by Emsisoft and Coveware, and Emsisoft has since released a free decryptor that all Avaddon victims can use to recover their files.

Avaddon is a relatively new ransomware-as-a-service operation which started up in March 2020. The threat group behind the operation recruited affiliates to conduct attacks and provided them with a portal through which they could generate copies of the ransomware to conduct their own attacks. All ransoms generated were then shared between the affiliate and the RaaS operator.

It is not uncommon for RaaS operations to suddenly stop and release the keys for victims that have not yet paid, but the timing of the shut down suggests the RaaS operator may have got nervous with the increased focus of governments and law enforcement agencies on ransomware gangs.

Following the ransomware attacks on JBS and Colonial Pipeline, the White House ordered the Department of Justice to centralize its approach to ransomware investigations and treat attacks with the same priority as terrorist attacks. White House deputy press secretary Karine Jean-Pierre said the administration would also be “delivering the message that responsible states do not harbor ransomware criminals,” and will be engaging with the Russian government to try to get action taken against ransomware gangs operating in the country.

The G7 nations also committed to take action on ransomware attacks and issued a communiqué calling on Russia and other countries that may harbor ransomware gangs to identify, disrupt, and hold to account individuals who conduct ransomware attacks, abuse virtual currency to launder ransom payments, and commit other cybercrimes. President Biden is also expected to raise ransomware gangs operating out of Russia with Vladimir Putin at the Geneva summit on June 16.

Following the DarkSide ransomware attack on Colonial Pipeline that disrupted fuel supplies to the eastern seaboard, the DarkSide ransomware gang announced it was shutting down. The REvil and Avaddon gangs issued a joint statement saying they were updating their rules and would not permit their affiliates to conduct ransomware attacks on critical infrastructure firms, governments, healthcare organizations, and educational institutions. It would appear that this was not enough for the Avaddon ransomware gang. It remains to be seen whether the operation has been permanently shut down or if the operator of the ransomware is just lying low for a while. It is not uncommon for ransomware operations to shut down, then rebrand and recommence their attacks several weeks or months later.

“The recent actions by law enforcement have made some threat actors nervous: this is the result. One down, and let’s hope some others go down too,” said Emsisoft threat analyst Brett Callow to Bleeping Computer.

The post Avaddon Ransomware Operation Shuts Down and Releases Decryption Keys appeared first on HIPAA Journal.

HSCC Urges Biden to Provide Funding to Bolster Cybersecurity Posture of the Healthcare Sector

The Healthcare and Public Health Sector Coordinating Council (HSCC) has urged President Biden to provide further funding and support to improve the cybersecurity posture of the healthcare sector and its resilience to cyberattacks.

In a recent letter addressed to President Biden and copied to Senate and House party leaders, the HSCC called for more funds to help the healthcare sector deal with cyber threats, improved collaboration between the healthcare industry and government, and for the government to provide a roadmap for making improvements to the cybersecurity readiness of the healthcare sector.

Under the American Rescue Plan, the government has made funding available to modernize federal information technology systems to improve resilience against future cyberattacks. $9 billion will be invested to help the U.S. launch major new IT and cybersecurity shared services at the Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration, and $690 million has been made available to CISA to bolster cybersecurity across federal civilian networks. However, none of that funding has been made available to directly help the healthcare sector, even though the healthcare sector was heavily targeted by cyber actors both before and during the pandemic.

According to the HSCC, the healthcare sector is currently stretched to its limits to meet its clinical and public health obligations. The healthcare industry has faced relentless cybersecurity threats that have grown in magnitude and complexity year after year, and the situation has become far worse during the pandemic. Those threats, including ransomware, have targeted the technology integral to patient care.

Cyberattacks such as the ransomware attack on Colonial Pipeline threaten national security, but these attacks also place patient safety at risk. The attacks can result in denial of service, corruption of data on medical devices, and data manipulation, all of which can have direct implications for clinical operations, patient care, and public health.

“In assessing how the American Rescue Plan, coupled with the recently released Executive Order on Improving the Nation’s Cybersecurity, can measurably strengthen the security and resiliency of the healthcare system and patient safety, we request an enhanced strategic planning process within the administration that will complement the ongoing cybersecurity partnership between the HSCC, the Department of Health and Human Services and other essential government partners,” said HSCC in the letter. “As you lead the nation out of the pandemic, put more Americans back to work and increase their access to health insurance, the ability of the healthcare sector to deter cyber threats is imperative for the nation to maintain public health and global competitiveness beyond the pandemic.”

The post HSCC Urges Biden to Provide Funding to Bolster Cybersecurity Posture of the Healthcare Sector appeared first on HIPAA Journal.