Healthcare Cybersecurity

Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals

A new analysis of breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights has revealed outpatient facilities and specialty clinics have been targeted by cyber threat actors more frequently than hospital systems in the first 6 months of 2021.

Researchers at Critical Insight explained in their 2021 Healthcare Data Breach Report that cybercriminals have changed their targets within the healthcare ecosystem and are now focusing on outpatient facilities and business associates more often than hospitals and health insurers.

While large health systems are naturally attractive targets for cybercriminals, smaller healthcare organizations tend to have weaker security defenses and can be attacked more easily and are low hanging fruit for hackers. The potential profits from the attacks may be lower, but so too is the effort to gain access to their networks and sensitive data.

“It is no secret as to why hackers are showing interest. Electronic protected health information (ePHI) is worth more than a credit card number or social security number. Scammers can monetize it in a myriad of ways, from selling it on the dark web to filing fraudulent insurance claims,” explained the researchers in the report. “It does not help that many health organizations use devices that run on operating systems that are out-of-date, and many devices were not designed with cybersecurity in mind.”

The researchers confirmed healthcare data breaches are now occurring at almost twice the level of 2018, with data breaches attributed to hacking and IT incidents occurring at almost three times the level of the first half of 2018. In the first half of 2021, 70% of all healthcare data breaches of 500 or more records that were reported to the HHS’ Office for Civil Rights were hacking/IT incidents.

There has been a slight decline in the number of reported data breaches from the last 6 months of 2020, but that does not indicate cyberattacks are falling, as in the last half of 2020 the breach reports submitted to the HHS’ Office for Civil Rights included many breach notices submitted by organizations affected by the data breach at business associate Blackbaud. The number of reported breaches in the first half of 2021 is higher than the first 6 months of last year, and it looks like the trend for increasing numbers of data breaches being reported every year looks set to continue.

There has been a major increase in the number of cyberattacks on business associates of HIPAA covered entities, which now account for 43% of all reported healthcare data breaches. In the first 6 months of 2021, there were 141 data breaches reported by business associates of HIPAA-covered entities. By comparison, there were only 66 data breaches reported by business associates in the last 6 months of 2019. “As these and other third-party breaches continue to make the news, it demonstrates that attackers are paying more attention to this ecosystem of vendors as a vulnerable link in the cybersecurity chain,” explained the researchers.

Cybercriminals are unlikely to stop attaching healthcare organizations as the attacks are profitable. It is up to healthcare organizations and their business associates to improve their defenses against cyber actors. The Critical Insight researchers have made several recommendations, including assessing third party risk more accurately, regularly reviewing business associate agreements and ensuring they clearly define roles and responsibilities, implementing more comprehensive protections against ransomware and phishing attacks, strengthening access controls, and practicing basic security hygiene.

The post Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals appeared first on HIPAA Journal.

Researchers Identify Easily Exploitable Vulnerabilities in Drug Infusion Pumps

Researchers at McAfee Advanced Threat Research (ATR), in conjunction with the medical device cybersecurity firm Culinda, have identified 5 previously unreported vulnerabilities in two widely used models of B. Braun drug infusion pumps.

The devices are used globally in hospitals to treat adult and pediatric patients and automate the delivery of medications and nutrients to patients. They are especially useful for ensuring controlled delivery of critical medication doses.

The flaws in the B. Braun infusion pumps could be exploited by an unauthenticated attacker to change the configuration of the infusion pumps while they are in standby mode, which could result in an unexpected dose of medication being delivered the next time the device is used, potentially causing harm to a patient.

McAfee alerted B.Braun to the vulnerabilities in the B. Braun Infusomat Space Large Volume Pump and the B. Braun SpaceStation on January 11, 2021, and recommended safeguards that should be implemented to prevent the flaws being exploited. In May 2021, B.Braun published information for customers and notified the Health Information Sharing & Analysis Center (H-ISAC) about the flaws and recommended mitigations. The flaws affect infusion pumps running older versions of B.Braun software; however, the researchers explained that “vulnerable versions of software are still widely deployed across medical facilities and remain at risk of exploitation.”

Safeguards have been incorporated into the infusion pumps to prevent attackers from changing doses while the pumps are operational, so it would not be possible for an attacker to change doses as they are being administered. The vulnerabilities can however be exploited while the pumps are idle or on standby, so changes could be made to the function of the devices between infusions.

There have been no reported cases of the vulnerabilities in these or other drug infusion pumps being exploited in the wild, but this is a credible attack scenario and one that could easily be exploited to cause harm to patients. The latest version of B.Braun software blocks the initial network vector of the attack chain, but the flaws have not been totally addressed. An attacker could find another way to gain access to the network to which the devices connect and exploit the flaws. Given the number of ransomware attacks that have been reported in recent months, gaining access to healthcare networks is not proving to be a major challenge for many threat actors.

“Until a comprehensive suite of patches is produced and effectively adopted by B. Braun customers, we recommend medical facilities actively monitor these threats with special attention, and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in their coordinated vulnerability disclosure documentation,” suggested the researchers.

The researchers believe that many other medical devices could have vulnerabilities that could be exploited to cause harm to patients. Medical devices are designed primary to ensure patient safety, and safeguards are implemented to ensure patient safety is not put at risk; however, it is common for cybersecurity protections to be given less consideration during the design stage. Further, when security flaws are discovered in medical devices, patching is costly. The devices are tightly controlled, so it is not just a case of releasing a patch or automatically updating the devices as would occur with an Internet browser for instance. Patches need to be thoroughly tested, the devices must be taken out of action while updates are applied, and the patches and updates need to be thoroughly tested. It is for this reason that many devices still use legacy versions of software and firmware.

“For the time being, ransomware attacks are a more likely threat in the medical sector, but eventually these networks will be hardened against this type of attacks and malicious actors will look for other lower-hanging fruits,” explained the researchers. “Given the lifespan of medical devices and the difficulties surrounding their updates, it is important to start planning now for tomorrow’s threats. We hope this research will help bring awareness to an area that has been a blind spot for far too long.”

The post Researchers Identify Easily Exploitable Vulnerabilities in Drug Infusion Pumps appeared first on HIPAA Journal.

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day.

Healthcare data Breaches Past 12 months (Aug 20-July21)

The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records.

Healthcare records breached Aug20 to July 21

Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month!

Largest Healthcare Data Breaches in July 2021

Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the Wisconsin healthcare provider Forefront Dermatology. The exact nature of the attack was not disclosed so it is unclear if ransomware was used. Hackers gained access to parts of its network that contained the protected health information of 2.4 million individuals. The second largest data breach was reported by Practicefirst, a New York business associate of multiple HIPAA-covered entities. Ransomware was used in the attack and the healthcare data of 1.2 million individuals was potentially exfiltrated.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause Business Associate Present
Forefront Dermatology, S.C. Healthcare Provider 2,413,553 Hacking/IT Incident Unspecified hacking incident Yes
Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions/PBS Medcode Corp Business Associate 1,210,688 Hacking/IT Incident Ransomware attack Yes
UF Health Central Florida Healthcare Provider 700,981 Hacking/IT Incident Ransomware attack No
Orlando Family Physicians, LLC Healthcare Provider 447,426 Hacking/IT Incident Phishing attack No
HealthReach Community Health Centers Healthcare Provider 122,340 Improper Disposal Improper disposal of electronic medical records No
Guidehouse Business Associate 84,220 Hacking/IT Incident Ransomware attack (Accellion FTA) Yes
Advocate Aurora Health Healthcare Provider 68,707 Hacking/IT Incident Ransomware attack (Elekta) Yes
McLaren Health Care Corporation Healthcare Provider 64,600 Hacking/IT Incident Ransomware attack (Elekta) Yes
Coastal Family Health Center, Inc Healthcare Provider 62,342 Hacking/IT Incident Ransomware attack No
Florida Heart Associates Healthcare Provider 45,148 Hacking/IT Incident Ransomware attack No
A2Z Diagnostics, LLC Healthcare Provider 35,587 Hacking/IT Incident Phishing attack No
University of Maryland, Baltimore Business Associate 30,468 Hacking/IT Incident Unspecified hacking incident Yes
Florida Blue Health Plan 30,063 Hacking/IT Incident Brute force attack (Member portal) No
Intermountain Healthcare Healthcare Provider 28,628 Hacking/IT Incident Ransomware attack (Elekta) Yes

Causes of July 2021 Healthcare Data Breaches

As the table above shows, ransomware continues to be extensively used in cyberattacks on healthcare organizations and their business associates. Those attacks can easily result in the theft of large amounts of healthcare data. The majority of ransomware gangs (and their RaaS affiliates) are now exfiltrating sensitive data prior to using ransomware to encrypt files. Victims are required to pay to prevent the publication or sale of the stolen data as well as a payment to obtain the keys to decrypt files.

To help combat this rise in double extortion ransomware attacks, new guidance has been released by the Cybersecurity and Infrastructure Security Agency. The National Institute of Standards and Technology (NIST) has also updated its cybersecurity guidance on building resilient computer networks, with the emphasis now shifting away from perimeter defenses to assuming attackers have already gained access to the network. Mechanisms therefore need to be implemented to reduce the harm that can be caused.

Causes of July 2021 Healthcare Data Breaches

Hacking/IT incidents, of which ransomware accounts for a many, dominate the month’s breach reports. There were 52 reported hacking/IT incidents in which the protected health information of 5,393,331 individuals was potentially compromised. That’s 96.82% of all records breached in July. The mean breach size was 103,718 records and the median breach size was 4,185 records.

There were 13 reported unauthorized access/disclosure incidents, which include misdirected emails, mailing errors, and snooping by healthcare employees. 52,676 healthcare records were impermissibly viewed or disclosed to unauthorized individuals across those incidents. The mean breach size was 4,052 records and the median breach size was 1,038 records. There were two theft incidents reported involving a total of 2,275 records and one improper disposal incident involving 122,340 electronic health records.

The vast majority of incidents involved the hacking of network servers; however, email accounts continue to be compromised at high rates. 21 breaches involved protected health information stored in email accounts. The majority of the email incidents involved the theft of employee credentials in phishing attacks.

Location of breached protected health information (July 2021)

Data Breaches by Covered Entity Type

Healthcare providers reported 47 data breaches in July, with 11 breaches reported by business associates and 10 breaches reported by health plans; however, the reporting entity is not the best gauge of where these breaches occurred. In many cases, the breach was experienced at a business associate, but was reported by the covered entity.

When this is taken into account, the figures show that healthcare provider and business associate data breaches are on a par, with 30 breaches each for July 2021, as shown in the pie chart below.

July 2021 healthcare data breaches by covered entity type

July 2021 Healthcare Data Breaches by State

July saw healthcare data breaches reported by HIPAA-covered entities and business associates based in 32 states and the District of Columbia.

State Number of Reported Healthcare Data Breaches
Florida 6
California, New York & Texas 5
Illinois & North Carolina 4
Connecticut, Minnesota, Nebraska & New Jersey 3
Mississippi, Oklahoma, Washington & Wisconsin 2
Alabama, Georgia, Iowa, Indiana, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Montana, Ohio, Pennsylvania, South Carolina, Utah, Virginia, West Virginia & the District of Columbia 1

HIPAA Enforcement Activity in July 2021

The HHS’ Office for Civil Rights (OCR), the primary enforcer of HIPAA compliance, did not announce any new enforcement actions against HIPAA-covered entities or business associates in July, nor were there any enforcement actions announced by state Attorneys General.

The OCR year-to-date total still stands at 8 financial penalties totaling $5,570,100, with just the one financial penalty imposed by state attorneys general – A multi-state action that saw American Medical Collection Agency (AMCA) fined $21 million.

Data for this report came from the HHS’ Office for Civil Rights breach portal.

The post July 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

CISA Publishes Guidance on Protecting Sensitive Data and Responding to Double-Extortion Ransomware Attacks

Ransomware attacks dramatically increased in 2020 and cyberattacks using the file-encrypting malware are showing no sign of abating. Attacks have continued to increase this year to the point where there were almost half the number of attempted ransomware attacks in Q2, 2021 as there were all of 2019.

Most threat actors conducting ransomware attacks are now using double extortion tactics, where ransoms must be paid to obtain the keys to decrypt files but also to prevent the publication of data stolen in the attacks. The theft of data prior to file encryption has not only helped ransomware gangs demand huge ransom payments, but the threat of leaking data has greatly increased to probability of the ransom being paid. Many victims end up paying the ransom to prevent data leakage, even though they have valid backups that will allow them to restore the encrypted data for free.

To help public and private sector organizations deal with the threat of these double-extortion ransomware attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance, which includes best practices for preventing cyber threat actors from gaining access to networks, steps that can be taken to ensure sensitive data are protected, and procedures that should be followed when responding to a ransomware attack.

“Ransomware is a serious and increasing threat to all government and private sector organizations, including critical infrastructure organizations,” explained CISA in the guidance. “All organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems.”

There are several measures outlined in the document that are important not only preventing ransomware attacks but also limiting their severity. It is essential to maintain offline, encrypted backups of data and to regularly test the backups to make sure file recovery is actually possible. It is also vital that a basic cyber incident response plan, resiliency plan, and associated communications plan are created and maintained, and exercises are conducted to ensure that a rapid response to an attack is possible. To block attacks, steps must be taken to address the key attack vectors, which are phishing, RDP compromises, and the exploitation of internet-facing vulnerabilities and misconfigurations. Naturally, all organizations should also ensure good cyber hygiene practices are followed.

In order to protect sensitive data, organizations must know where sensitive data reside and who has access to those data repositories. It is also important to ensure that sensitive data are only retained for as long as is strictly necessary. Physical and cybersecurity best practices must be implemented, including restricting access to physical IT assets, encrypting sensitive data at rest and in transit, and to implement firewall and network segmentation to hamper attempts at lateral movement within networks. CISA also recommends ensuring the cyber incident response and communications plans include response and notification procedures for data breach incidents.

A rapid and effective response to a ransomware attack is critical for limiting the harm caused and keeping costs down. The cyber incident response plan should detail all the steps that need to be taken, and the order that they should be taken. The first step is determining which systems have been impacted and immediately isolating them to secure network operations and stop additional data loss. The next step should only be taken if affected devices cannot be removed from the network or the network cannot be temporarily shut down, and that is to power down infected devicesto avoid further spread of the ransomware infection.

Then, triage impacted systems for restoration and recovery, confer with the security team to develop and document an initial understanding of what has occurred, then engage internal and external teams and stakeholders and provide instructions on how they can assist with the response and recovery processes. Organizations should then follow the notification requirements outlined in their cyber incident response plan.

The guidance document – Protecting Sensitive and Personal Information from Ransomware-Caused Data Breachescan be found on this link.

The post CISA Publishes Guidance on Protecting Sensitive Data and Responding to Double-Extortion Ransomware Attacks appeared first on HIPAA Journal.

Mid-Year Threat Report Shows Massive Increase in Ransomware Attacks

Last month, SonicWall published a mid-year update of its Cyber Threat Report which confirmed there has been a major increase in cyberattacks since 2020. In the first 6 months of 2021, cryptojacking attacks increased by 23%, encrypted threats rose by 26%, IoT attacks rose by 59%, and there was a 151% increase in ransomware attacks compared to the corresponding period last year.

Ransomware attacks have been steadily increasing since Q1, 2020, but the rate of increase jumped considerably between Q1 and Q2, 2021, rising to a Q2 total of 188.9 million attempted attacks: an increase of 63.1% from the previous quarter. In June alone there were 78.4 million attempted ransomware attacks, which is more than the total number of attacks in the second quarter of 2020 and almost half of the total number of attempted ransomware attacks in all of 2019. In total, there were 304.7 million attempted ransomware attacks in the first half of 2021.

“Even if we don’t record a single ransomware attempt in the entire second half (which is irrationally optimistic), 2021 will already go down as the worst year for ransomware SonicWall has ever recorded,” said SonicWall in the report.

Ransomware attacks are mostly conducted in the United States, which accounts for around 73% of all ransomware attempts, but ransomware attacks have been increasing globally. In the first half of 2021, attacks in North America increased by 180% and there was a 234% increase in ransomware volume in Europe. The United States saw a 185% increase and there was a 144% increase in attacks on UK organizations.

Within the United States, certain states have been extensively attacked. Florida was by far the worst affected state, registering 111 million ransomware hits, which is more than the next nine most attacked states combined. There were 26 million attempted attacks in New York, 20 million in Idaho, and 8.8 million in Louisiana.

The most targeted industry – by some margin is government. In 2021, attacks increased to three times the highest point in 2020 and, in June, government customers were hit at around ten times the average rate. The education sector has also been extensively targeted, although attacks on healthcare customers have remained fairly constant throughout the first half of the year.

The biggest ransomware threat in 2021 has been Ryuk ransomware, with 93.9 million instances of Ryuk recorded in the first half of the year, which is three times the level in the corresponding period in 2020. Cerber ransomware was also a major threat, with 52.5 million instances recorded in the first half of 2021. The number of Cerber instances increased sharply in April and May, with May seeing more than five times the number of attempted attacks as January. Two thirds of the 2020 total number of SamSam ransomware attempts were recorded in June alone, when there were 15.7 million attack attempts.

SonicWall says there are several factors that have fueled the increase in attacks. One of the main reasons for the rise is the attacks are extremely profitable for cyber threat actors. Many organizations have paid ransoms to recover files or to prevent the publication of sensitive data stolen in the attacks.

SonicWall says cyber threat actors are also getting better at finding and encrypting backups, making recovery without paying the ransom difficult or impossible. There has also been an increase in data theft prior to the deployment of ransomware, with payments often made to recover data even when valid backups exist to recover files.

It is becoming more common for threat actors to conduct repeat attacks on organizations that have paid the ransom, as there is a god chance that a second ransom will also be paid. Organizations that pay a ransom may also be targeted by other threat groups that have heard that one payment has already been made.

There was some positive news in the report. Malware attacks have declined significantly year over year. SonicWall Capture Labs recorded 2.5 billion malware attempts in the first six months of 2021, which represents a 22% fall from the same period last year. There has also been a decline in the number of malicious PDF and Office files being distributed in spam and phishing emails. The use of malicious Office files declined by 54% in 2021, with malicious PDF files falling by 13%.

The post Mid-Year Threat Report Shows Massive Increase in Ransomware Attacks appeared first on HIPAA Journal.

Scripps Health Ransomware Attack Expected to Cost $106.8 Million

Ransomware attacks on hospitals can cause huge financial losses, as the Ryuk ransomware attack on Universal Health Services showed. UHS is one of the largest healthcare providers in the United States, and operates 26 acute care hospitals, 330 behavioral health facilities, and 41 outpatient facilities. UHS said in March 2021 that the September 2020 ransomware attack resulted in $67 million in pre-tax losses due the cost of remediation, loss of acute care services, and other expenses incurred due to the attack.

While the losses suffered by UHS were significant, the ransomware attack on Scripps Health has proven to be far more expensive. Scripps Health is a California-based nonprofit operator of 5 hospitals and 19 outpatient facilities in the state. In the May 2021 ransomware attack, Scripps Health lost access to information systems at two of its hospitals, staff couldn’t access the electronic medical record system, and its offsite backup servers were also affected.

Without access to critical IT systems, Scripps Health was forced to re-route stroke and heart attack patients from four of its main hospitals in Encinitas, La Jolla, San Diego and Chula Vista, and trauma patients could not be accepted at Scripps Mercy Hospital San Diego in Hillcrest and Scripps Memorial Hospital La Jolla. Scripps Health said it took 4 weeks to recover from the attack.

Losses sustained as a result of the attack are expected to reach $106.8 million, with the majority of that figure – $91.6 million – due to lost revenue during the 4-week recovery period. $21.1 million had to be spent on response and recovery, and Scripps Health was only able to recover $5.9 million from its cyber insurance policy.

The costs are likely to increase further still. The protected health information of 147,267 patients was compromised in the attack, and several class action lawsuits have been filed against Scripps Health over the theft of patient data. The expected losses do not include litigation costs.

The post Scripps Health Ransomware Attack Expected to Cost $106.8 Million appeared first on HIPAA Journal.

CISA Issues Warning About Blackberry’s QNX Vulnerability Affecting Critical Infrastructure

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert warning about a vulnerability affecting Blackberry’s QNX Real Time Operating System (RTOS), which is extensively used by critical infrastructure organizations and affects multiple consumer, medical, and industrial networks.

The vulnerability is one of 25 that are collectively known as BadAlloc, which affect multiple IoT and OT systems. The flaws are memory allocation integer overflow or wraparound issues in memory allocation functions used in real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.

On August 17, 2021, Blackberry announced that its QNX products were affected by one of the BadAlloc vulnerabilities – CVE-2021-22156. The flaw could be exploited by a remote attacker to cause a denial-of-service condition, or even achieve remote code execution, with the latter potentially allowing an attacker to take control of highly sensitive systems.

The flaw affects the calloc() function in the C runtime library of multiple BlackBerry QNX products. “To exploit this vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation,” explained CISA. “An attacker with network access could remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet.”

The flaw affects all BlackBerry programs with dependency on the C runtime library, including medical devices that incorporate BlackBerry QNX software.

CISA is strongly encouraging all critical infrastructure organizations and other organizations that develop, maintain, support, or use the affected QNX-based systems to apply the patch as soon as possible to prevent exploitation of the flaw. CISA warns that the “installation of software updates for RTOS frequently may require taking the device out of service or to an off-site location for physical replacement of integrated memory.”

Vulnerable products and versions are:

Product Affected Version
 QNX SDP  6.5.0SP1, 6.5.0,  6.4.1, 6.4.0
 QNX Momentics Development Suite  6.3.2
 QNX Momentics 6.3.0SP3, 6.3.0SP2, 6.3.0SP1, 6.3.0, 6.2.1b, 6.2.1, 6.2.1A, 6.2.0
 QNX Realtime Platform  6.1.0a, 6.1.0, 6.0.0a, 6.0.0
 QNX Cross Development Kit  6.0.0, 6.1.0
 QNX Development Kit (Self-hosted)  6.0.0, 6.1.0
 QNX Neutrino RTOS Safe Kernel  1.0
 QNX Neutrino RTOS Certified Plus  1.0
 QNX Neutrino RTOS for Medical Devices  1.0, 1.1
 QNX OS for Automotive Safety  1.0
 QNX OS for Safety  1.0, 1.0.1
 QNX Neutrino Secure Kernel  6.4.0, 6.5.0
 QNX CAR Development Platform  2.0RR

Mitigations:

  • Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch.
  • Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code. Note: in some cases, manufacturers may need to develop and test their own software patches.
  • End users of safety-critical systems should contact the manufacturer of their product to obtain a patch. If a patch is not available, users should apply the manufacturer’s recommended mitigation measures until the patch can be applied.

If it is not possible to apply the patch, or if a fix has not yet been released, CISA recommends ensuring only ports and protocols used by RTOS apps are accessible and all others are blocked.

The post CISA Issues Warning About Blackberry’s QNX Vulnerability Affecting Critical Infrastructure appeared first on HIPAA Journal.

Study Reveals Extent of Cybersecurity Vulnerabilities at Major Pharmaceutical Firms

Reposify, a provider of an external attack surface management platform, has published the findings of a study of security vulnerabilities at pharmaceutical firms which shows the vast majority of pharma firms have unresolved vulnerabilities that are putting sensitive data and internal systems at risk of compromise.

The study was conducted to assess the prevalence of exposures of services, sensitive platforms, unpatched CVEs and other security issues. Data analyzed for the Pharmaceutical Industry: 2021: The State of the External Attack Surface Report were collected over a two-week period in March 2021 and covered 18 of the leading pharmaceutical companies worldwide and more than 900 of their subsidiaries.

Pharmaceutical companies hold vast amounts of sensitive personal data and extremely valuable drug and vaccine research data. That has made them an attractive target for cybercriminals. During the COVID-19 pandemic, nation state hackers targeted pharma and biotech firms to gain access to sensitive COVID-19 research and vaccine development data.

According to the 2020 Cost of a Data Breach Report from IBM Security/Ponemon Institute, pharma and biotech firms had a high rate of security incidents in 2020, with 53% of them resulting from malicious activity. The average cost of a pharma data breach in 2020 was $5.06 million and the average time to identify and contain a breach was 257 days.

“With the pandemic causing a rush to scale and digitize, pharmaceutical companies’ digital footprints have further expanded creating many new blind spots where attackers could and did easily break in to access confidential, highly sensitive data,” explained Reposify.

In 2020 there were hundreds of mergers and acquisitions, with larger pharmaceutical firms buying up smaller companies in the sector. These smaller firms were typically focused on fast innovation and agility, which often meant insufficient resources were put into cybersecurity. M&A transactions therefore had significant potential to introduce major security risks.

Reposify researchers analyzed 2020 M&A transactions and found in 70% of cases, the newly acquired subsidiary had a negative impact on the security posture of the parent company. The vulnerabilities introduced were often considerable, “adding tens, or in some cases, hundreds of sensitive exposed and unpatched services.”

The researchers analyzed the prevalence of key risks which are visible externally and could potentially be exploited by cyber threat actors, including misconfigured databases and cloud services and unpatched software vulnerabilities. The median number of high severity security issues per company was 269, with a median of 125 critical severity issues per company.

Key findings from the report include:

  • 92% of pharmaceutical companies had at least one exposed database which was potentially leaking data.
  • 76% had an exposed RDP service.
  • 69% of exposed services discovered were classified as being a part of the unofficial network perimeter.
  • 50% of pharma firms had an exposed FTP with anonymous authentication.
  • 46% of pharma firms had an exposed SMB service.

“Pharmaceutical companies must harden their security and make it more difficult for attackers to gain a foothold in their systems”, said Reposify. “This effort must begin with gaining a clear view of their external attack surface and continuous monitoring and elimination of risky attack vectors.” The report also highlighted the importance of performing pre-acquisition cybersecurity due diligence, including mapping and analysis of the acquisition target’s external attack surface.

The post Study Reveals Extent of Cybersecurity Vulnerabilities at Major Pharmaceutical Firms appeared first on HIPAA Journal.

New ‘DeepBlueMagic’ Ransomware Discovered by Heimdal Security Researchers

A new ransomware variant has been detected by researchers at Heimdal Security that is being used by a threat group that calls itself DeepBlueMagic. The ransomware differs considerably from all other previously identified ransomware strains.

Heimdal Security researchers discovered the new ransomware variant on Wednesday, August 11, 2021, which had been used in an attack on a device running Windows Server 2012 R2. The analysis of the attack revealed DeepBlueMagic ransomware works completely differently to any other ransomware encountered in the past.

The researchers determined DeepBlueMagic ransomware disables security solutions installed on devices to prevent detection, then proceeds to encrypt entire hard drives using a third-party disk encryption tool rather than files. All drives on the targeted server are encrypted with the exception of the system drive (“C:\” partition).

The ransomware uses BestCrypt Volume Encryption software from Jetico. In the attack, the D:\ drive was turned into a RAW partition rather than NTFS, which rendered it inaccessible. Following an attack, any attempt to access the encrypted drive would result in the Windows OS interface prompting the user to accept formatting of the disk, since the drive would be unreadable.

Further analysis of the attack revealed the ransomware stopped all third-party Windows services on the targeted device, thus disabling all security solutions. Then, DeepBlueMagic ransomware deleted the Volume Shadow Copy of Windows to ensure the drive could not be restored. An attempt was also made to activate Bitlocker on all endpoints in the Active Directory.

In this attack, the disk encryption process was started but was not completed; only the volume headers were encrypted. This meant that the encryption process could be continued, or the rescue file created by Jetico’s BestCrypt Volume Encryption could be used to restore the drive; however, the rescue file was also encrypted by the ransomware. In order to access the rescue file, a password must be provided.

Heimdal Security said the ransomware itself was self-deleted in the attack, so it could not be recovered and analyzed on this occasion. The researchers were not able to determine how the ransomware was installed on the server but said there were no failed login attempts so it was not delivered as a result of a brute force attack. The server only had a Microsoft Dynamics AAX installed with a Microsoft SQL Server.

The ransomware note saved to the desktop advised the victim to make contain via email to find out how much must be paid for the password to recover the encrypted drives.

Heimdal Security researchers said because the encryption process was only partially completed, recovery without paying the ransom is possible. They simulated the DeepBlueMagic process and attempted to use several decryption tools and were able to successfully restore the files on the inaccessible partition using the free TestDisk tool from CGSecurity.org.

“The information we have for now is enough to recognize [DeepBlueMagic] mode of operations and to include protection against it in the next version of Heimdal™ Ransomware Encryption Protection,” explained the researchers.

The post New ‘DeepBlueMagic’ Ransomware Discovered by Heimdal Security Researchers appeared first on HIPAA Journal.