Healthcare Cybersecurity

Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause

Network intrusion incidents have overtaken phishing, which had been the main cause of data breaches for the past 5 years, as the leading cause of healthcare data security incidents.

In 2020, 58% of the security incidents dealt with by BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group were network intrusions, most commonly involving the use of ransomware.

This is the 7th consecutive year that the BakerHostetler 2021 Data Security Incident Response (DSIR) Report has been published. The report provides insights into the current threat landscape and offers risk mitigation and compromise response intelligence to help organizations better defend against attacks and improve their incident response. The report is based on the findings of more than 1,250 data security incidents managed by the company in 2020, which included a wide variety of attacks on healthcare organizations and their vendors.

Ransomware attacks are now the attack method of choice for many cybercriminal organizations and have proven to be very profitable. By exfiltrating data prior to encryption, victims not only have to pay to recover their files, but also to prevent the exposure or sale of sensitive data. This new double extortion tactic has been very effective and data exfiltration prior to file encryption is now the norm. Throughout 2020, ransomware attacks continued to grow in frequency and severity.

BakerHostetler reports that the ransoms demanded and the number being paid increased dramatically in 2020, as did the number of threat groups/ransomware variants involved in the attacks. In 2019, there were just 15. In 2020, the number had grown to 75.

Out of the incidents investigated and managed by BakerHostetler in 2020, the largest ransom demand was for more than $65 million. The largest ransom demand in 2019 was ‘just’ $18 million. Payments are often made to speed up recovery, ensure data are recovered, and to prevent the sale or exposure of data. In 2020, the largest ransom paid was more than $15 million – up from just over $5 million in 2019 – and the average ransom payment more than doubled from $303,539 in 2019 to $797,620 in 2020.

In healthcare, the average initial ransom demand was $4,583,090 with a median ransom demand of $1.6 million. The average payment was $910,335 (median $332,330), and the average number of individuals affected was 39,180 (median 1,270). The average time to acceptable restoration of data was 4.1 days and the average forensic investigation cost was $58,963 (median $25,000).

Across all industry sectors, 70% of ransom notes claimed sensitive data had been stolen and 90% of investigations found some evidence of data exfiltration. 25% of incidents resulted in theft of data that required notifications to be issued to individuals. 20% of victims made a payment to the attackers even though they were able to recover their data from backups.

When ransoms were paid, in 99% of cases the payment was made by a third party on behalf of the affected organization, and in 98% of cases a valid encryption key was provided to allow data to be recovered. It took an average of 13 days from encryption to restoration of data.

Phishing accounted for 24% of all security incidents. Phishing attacks often led to network intrusion (33%), ransomware attacks (26%), data theft (24%), and Office 365 account takeovers (21%).

“In 2020 we saw a continued surge in ransomware as well as an increase in large supply chain matters, further stretching the capacity of the incident response industry,” said Theodore J. Kobus III, chair of BakerHostetler’s DADM Practice Group. “Organizations worked to quickly contain incidents – despite challenges in simply getting passwords changed and endpoint, detection and response tools deployed to remote workers.”

It is more common now for legal action to be taken by breach victims. The trend for lawsuits being filed when breaches impact fewer than 100,000 individuals continued to increase in 2020, which is driving up the data breach cost. HIPAA enforcement activity also continued at elevated levels, although in 2020 the majority of the financial penalties issued were for HIPAA Right of Access failures, rather than fines related to security breaches.

The post Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause appeared first on HIPAA Journal.

CISA/NIST Issue Guidance on Improving Defenses Against Software Supply Chain Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have published guidance to help organizations improve their defenses against software supply chain attacks.

The guidance document, Defending Against Software Supply Chain Attacks, explains the three most common methods that threat groups use in supply chain attacks, along with in-depth recommendations for software customers and vendors on prevention, mitigation, and improving resilience against software supply chain attacks.

Like many supply chain attacks, the recent SolarWinds Orion attack involved hijacking the software update mechanism of the platform to deliver a version of the software with malicious code that provided the attackers with persistent access to the solution on more than 18,000 customers’ systems, with the attackers then cherry picking targets of interest for more extensive compromises. This was also the method used by the threat group behind the NotPetya wiper attacks in 2017. The software update mechanism used by a popular tax accounting software in Ukraine was hijacked to gain control of the software for use in destructive attacks.

It is also common for attackers to undermine the code signing process to hijack software update mechanisms to deliver malicious code. This is often achieved by self-signing certificates and exploiting misconfigured access controls to impersonate trusted vendors. CISA reports that the Chinese advanced persistent threat group APT41 commonly undermines code signing in its sophisticated attacks in the United States.

The third most common method used in supply chain attacks is to target publicly accessible code libraries and insert malicious code, which is subsequently downloaded by developers. In May 2020, GitHub, the largest platform for open source software, discovered 26 open source projects had been compromised as a result of malicious code being injected into open source software. Blocks of open source code are also commonly used in privately owned software solutions and these too can be easily compromised.

Software supply chain attacks are time consuming and resource intensive and usually require long-term commitment. While criminal threat actors have successfully conducted supply chain attacks, they are more commonly conducted by state sponsored advanced persistent threat groups that have the intent, capabilities, and resources for prolonged software supply chain attack campaigns.

These attacks can allow large numbers of organizations to be compromised by attacking just one. Organizations are vulnerable to these attacks as they give software vendors privileged access to their systems to allow them to operate effectively. Vendors need regular communication with installed software solutions to provide updates to improve security against emerging threats and to fix vulnerabilities. If a vendor is compromised, the attackers can bypass security measures such as firewalls and gain persistent access to all customers’ systems.

The guidance document provides several recommendations and tips for using NIST’s Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF). Organizations can greatly improve resilience to software supply chain attacks by operating software within a C-SCRM framework with a mature risk management program.

“A mature risk management program enables an organization to understand risks presented by ICT products and services, including software, in the context of the mission or business processes they support. Organizations can manage such risks through a variety of technical and non-technical activities, including those focused on C-SCRM for software and the associated full software lifecycle,” explained NIST.

The guidance details 8 best practices for establishing a C-SCRM approach and applying it to software:

  1. Integrate C-SCRM across the organization.
  2. Establish a formal C-SCRM program.
  3. Know and manage critical components and suppliers.
  4. Understand the organization’s supply chain.
  5. Closely collaborate with key suppliers.
  6. Include key suppliers in resilience and improvement activities.
  7. Assess and monitor throughout the supplier relationship.
  8. Plan for the full lifecycle.

Even when this approach is adopted, it is not possible to prevent all supply chain attacks so it is essential for other steps to be taken to mitigate vulnerable software components.

Organizations should develop a vulnerability management program and reduce the attack surface through configuration management. This includes placing configurations under change control, conducting security impact analyses, implementing manufacturer-provided guidelines to harden software, operating systems, and firmware, and maintaining an information system component inventory. Steps should also be taken to increase resilience to a successful exploit and limit the harm that can be caused to mission critical operations, personnel and systems in the event of a successful attack.

The post CISA/NIST Issue Guidance on Improving Defenses Against Software Supply Chain Attacks appeared first on HIPAA Journal.

Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks

The increase in ransomware attacks in 2020 has continued in 2021 with healthcare one of the most targeted industries, according to the latest Coveware Quarterly Ransomware Report. Healthcare ransomware attacks accounted for 11.6% of all attacks in Q1, 2021, on a par with attacks on the public sector and second only to attacks on firms in professional services (24.9%).

While ransom demands declined in Q4, 2020, that trend abruptly stopped in Q1, 2021, with the average ransom payment increasing by 43% to $220,298 and the median ransom payment up 59% to $78,398. The increase in payments was not due to ransomware attacks but to data exfiltration extortion attacks by the Clop ransomware gang.

The Clop ransomware gang exploited two zero-day vulnerabilities in the Accellion legacy File Transfer Appliance, exfiltrated customers’ data, then threatened to publish the stolen data if the ransom was not paid. When victims refused to pay, the stolen data were leaked on the Clop ransomware data leak site.

These attacks show that file encryption is not always necessary, with the threat of publication of stolen data often sufficient to ensure payment is made. Coveware notes that while exploitation of the vulnerabilities allowed data to be exfiltrated, it was not possible to deploy ransomware across victims’ networks, otherwise ransomware would most likely have also been used in the attacks.

The Clop ransomware gang was particularly active in Q1, 2020. The group often attacks large enterprises and demands huge ransoms and, like many other ransomware gangs, steals data prior to file encryption and threatens to expose that data if payment is not made. These double extortion tactics have become the norm and most ransomware attacks now involve data exfiltration. In Q1, 77% of ransomware attacks involved data exfiltration, up from 70% in Q4, 2020.

Ransomware victims may have no choice other than paying the ransom if they are unable to recover encrypted data from backups, but there are risks associated with paying the ransom demand, especially to prevent a data leak. There is no guarantee that the data will be destroyed, and they could still be traded or sold to other threat groups after payment is made. Exfiltrated data may also be stored in multiple locations. Even if the threat actor destroys the data, third parties may still have a copy. Coveware notes that while data exfiltration has increased, a growing number of ransomware victims are electing not to give in to the attackers’ demands and are refusing to pay the ransom to prevent a data leak for these and other reasons.

“Over hundreds of cases, we have yet to encounter an example where paying a cybercriminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage.” – Coveware.

Many RaaS operations have increased the number of attacks by recruiting more affiliates, but some RaaS operations have struggled to scale up their operations. The Conti gang outsourced their chat operations which made negotiations and recoveries more difficult. The Lockbit and BlackKingdom gangs experienced technical difficulties which resulted in permanent data loss for some of their victims, and even the most prolific ransomware operation – Sodinokibi – experienced problems matching encryption keys with victims resulting in permanent data loss.

These technical problems show that even ransomware operations that intend to provide the keys to decrypt data are not always able to. Coveware also observed a worrying trend where ransomware gangs deliberately disrupt recovery after the ransom is paid. The Lockbit and Conti gangs were observed attempting to steal more data during the recovery phase and even attempting to re-launch their ransomware after victims have paid. Coveware notes that this kind of disruption was rare in 2020, but it is becoming more common. Technical issues and disruption to the recovery process have contributed to an increase in downtime due to an attack, which is up 10% in Q1 to 23 days.

In Q4, email phishing became the most common method of ransomware delivery, but Remote Desktop Protocol connections are once again the most common method of gaining access to victim networks. Phishing is still commonly used and is the method of attack favored by the Conti ransomware gang – the second most prevalent ransomware operation in Q1.

Exploitation of software vulnerabilities also increased, with unpatched vulnerabilities in Fortinet and Pulse Secure VPN appliances the most commonly exploited flaws. Coveware believes the majority of ransomware-as-a-service operators and affiliates do not exploit software vulnerabilities themselves; instead, they pay specialist threat actors for access to compromised networks. Those threat actors mostly target smaller organizations, with RDP the most common method of attack for larger organizations.

The post Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks appeared first on HIPAA Journal.

Best Practices for Network Defenders to Identify and Block Russian Cyber Operations

A joint cybersecurity advisory has been issued by the Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) about ongoing cyber operations by the Russian Foreign Intelligence Service (SVR).

The advisory provides further information on the tactics, techniques, and procedures (TTPs) used by SVR hackers to gain access to networks and the stealthy intrusion tradecraft used to move laterally within compromised networks. Best practices have been shared to allow network defenders to improve their defenses, secure their networks, and conduct investigations to determine whether their systems have already been compromised.

The advisory follows on from an April 15, 2021 joint alert from the NSA, CISA, and FBI following the formal declaration by the U.S. Government that the SolarWinds supply chain attack was conducted by SVR cyber actors known as The Dukes, CozyBear, Yttrium, and APT29. The SVR operatives are primarily targeting government agencies, policy analysis organizations and think tanks, IT companies, and critical infrastructure companies to gather intelligence information.

Prior to 2018, SVR operatives were primarily using stealthy malware on victims’ networks but have now changed their focus to target cloud resources, including cloud-based email services such as Microsoft Office 365, as was the case with the SolarWinds supply chain attack.

System misconfigurations are exploited, and compromised accounts are used to blend in with normal traffic in cloud environments. The hackers are able to avoid detection more easily when attacking cloud resources as many organizations do not effectively defend, monitor, or even fully understand these environments.

The SVR operatives have previously used password spraying to guess weak passwords associated with administrative accounts. These attacks are conducted in a low and slow manner to avoid detection, such as attempting small numbers of passwords at infrequent intervals using IP addresses in the country where the target is located. Once administrator access is gained, changes are made to the permissions of email accounts on the network to allow emails to be intercepted. Once an account is compromised, it is typically accessed using a single IP address on a leased virtual private server. If an account is accessed which turns out to be of no use, permissions are changed back to the original settings to minimize the possibility of detection.
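The low and slow spraying pattern described above defeats the usual per-account lockout counter, because each account only ever sees one or two failures. A detection that keys on the source instead (one source failing against many accounts over a long window, with few failures per account) catches it. The following is an added example written for this article, not code from the advisory or from CISA/FBI; the log line format, the thresholds, and all sample lines are constructed for the example, and the source address is used as the pivot because the advisory notes that access from a compromised account typically comes from a single address.

```python
"""Password-spray detection over authentication logs (added example).

Detects the low-and-slow pattern in which one source tries a few passwords
against many accounts at infrequent intervals. Per-account lockout thresholds
miss this, so the detector counts distinct accounts per source over a long
sliding window instead. Log format and all sample lines are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # long window: a spray spreads guesses over hours or days
MIN_ACCOUNTS = 8               # distinct accounts one source must fail against to alert
MAX_PER_ACCOUNT = 3            # spray signature: only a few guesses per account

# Constructed sample log: "<ISO timestamp> <user> <source_ip> <RESULT>".
# 203.0.113.7 sprays ten accounts, one guess each, hours apart, then logs in as judy.
# 198.51.100.4 hammers a single account (brute force, not a spray) and must not alert.
SAMPLE_LOG = """\
2021-04-20T01:02:11 alice 203.0.113.7 FAIL
2021-04-20T03:15:40 bob 203.0.113.7 FAIL
2021-04-20T05:44:02 carol 203.0.113.7 FAIL
2021-04-20T08:10:59 dave 203.0.113.7 FAIL
2021-04-20T10:31:17 erin 203.0.113.7 FAIL
2021-04-20T13:05:33 frank 203.0.113.7 FAIL
2021-04-20T16:22:48 grace 203.0.113.7 FAIL
2021-04-20T19:40:05 heidi 203.0.113.7 FAIL
2021-04-20T22:01:26 ivan 203.0.113.7 FAIL
2021-04-21T00:12:07 judy 203.0.113.7 FAIL
2021-04-21T00:45:50 judy 203.0.113.7 SUCCESS
2021-04-20T09:00:00 alice 198.51.100.4 FAIL
2021-04-20T09:00:05 alice 198.51.100.4 FAIL
2021-04-20T09:00:09 alice 198.51.100.4 FAIL
2021-04-20T09:00:14 alice 198.51.100.4 FAIL
2021-04-20T09:01:00 alice 198.51.100.4 SUCCESS
2021-04-20T11:00:00 bob 192.0.2.10 SUCCESS
"""


def parse_log(text):
    """Parse the constructed line format into (timestamp, user, source_ip, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=WINDOW, min_accounts=MIN_ACCOUNTS,
                 max_per_account=MAX_PER_ACCOUNT):
    """Return one alert per source IP whose failures, inside some sliding window,
    touch at least `min_accounts` distinct accounts with no more than
    `max_per_account` failures each."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e[3]]
        counts = Counter()      # failures per account inside the current window
        start = 0
        best = None
        for ev in fails:
            counts[ev[1]] += 1
            # slide the window start forward until the span is at most `window`
            while ev[0] - fails[start][0] > window:
                old = fails[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                if best is None or len(counts) > best["distinct_accounts"]:
                    best = {
                        "source_ip": ip,
                        "distinct_accounts": len(counts),
                        "max_failures_per_account": max(counts.values()),
                        "window_start": fails[start][0],
                        "window_end": ev[0],
                        "accounts": sorted(counts),
                    }
        if best is not None:
            # escalation signal: a later success from the same source against a sprayed account
            best["compromised"] = sorted({
                e[1] for e in evs
                if e[3] and e[1] in best["accounts"] and e[0] >= best["window_start"]
            })
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {alert['source_ip']}: {alert['distinct_accounts']} accounts, "
              f"<= {alert['max_failures_per_account']} failures each, "
              f"later successes: {alert['compromised'] or 'none'}")
```

Two design choices matter here. The window is long (24 hours) precisely because the attempts are spaced hours apart; a five-minute correlation rule never sees more than one failure from the source. And the brute-force source in the sample is deliberately excluded by the `max_per_account` bound, so this rule complements rather than replaces an ordinary lockout policy. Because the advisory says in-country addresses are used, geolocation alone is not a useful filter; the many-accounts-per-source ratio is.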

Zero-day vulnerabilities in virtual private networks (VPN) have also been exploited to obtain network access, including the Citrix NetScaler vulnerability CVE-2019-19781. Once exploited, user credentials are harvested and used to authenticate to systems on the network without multifactor authentication enabled. Attempts are also made to access web-based resources containing information of interest to the foreign intelligence service.

A Go-based malware variant dubbed WELLMESS has been used to gain persistent access to networks and, in 2020, was primarily used in targeted attacks on organizations involved in COVID-19 vaccine development, with the attackers targeting research repositories and Active Directory servers.

The SVR cyber actors are capable adversaries that use custom malware and open source and commercially available tools in their attacks. Several recommendations and best practices have been offered to help network defenders improve resilience to each of the methods known to be used by SVR operatives and identify potential attacks in progress.

The post Best Practices for Network Defenders to Identify and Block Russian Cyber Operations appeared first on HIPAA Journal.

DOJ Launches Ransomware and Digital Extortion Task Force

In response to the growing threat from ransomware attacks, the U.S. Department of Justice has launched a new Ransomware and Digital Extortion Task Force that will target the ransomware ecosystem as a whole. The aim is not only to bring the individuals conducting the attacks to justice, but also any individuals who assist attackers, including those who launder ransom payments.

The Task Force will include representatives from the DOJ criminal, national security and civil divisions, the Federal Bureau of Investigation, and the Executive Office for United States Attorneys and will work closely with the Departments of Homeland Security and the Treasury. The task force will also work to improve collaboration with the private sector and international partners.

Resources will be increased to address ransomware attacks, training and intelligence gathering will be improved, and the task force will coordinate with the Department of Justice to investigate leads and connections to known cybercriminal organizations and nation state threat groups. In addition to aggressively pursuing all individuals involved in attacks, the task force will make recommendations to Congress on how best to help victims of attacks while discouraging the payment of ransoms.

The task force will help to tackle the proliferation of ransomware attacks by making them less lucrative. According to an internal DOJ Memo written by DOJ Acting Deputy Attorney General John Carlin, “This will include the use of all available criminal, civil, and administrative actions for enforcement, ranging from takedowns of servers used to spread ransomware to seizures of these criminal enterprises’ ill-gotten gains.”

The aim of the task force is to better protect individuals and businesses from ransomware attacks and to ensure the individuals involved are brought to justice. At present, ransomware gangs, members of which are often based overseas, know that there is little risk of being caught and attacks can be extremely profitable.

Ransomware attacks increased sharply in 2020, which was the worst ever year for ransomware attacks. According to a recent report from Chainalysis, more than $370 million in ransom payments were collected by ransomware gangs in 2020, which is an increase of 336% from the previous year. Ransoms are often paid as victims are well aware that paying the ransom, even if it is several million dollars, is a fraction of the cost of recovering from the attack without paying. The cost of attacks could easily be 10 or 20 times higher if the ransom is not paid.

In 2019, the City of Baltimore refused to pay a $75,000 ransom and the attack ended up costing the city more than $18 million. According to the GetApp 2020 Data Security Survey, 28% of businesses have suffered a ransomware attack in the past 12 months and 75% of victims paid the ransom to reduce the cost of remediation.

Ransomware attacks are costing the U.S. economy billions. Cybersecurity Ventures has predicted ransomware attacks will continue to increase and are likely to occur at a rate of one every 11 seconds in 2021, with the total cost of the attacks rising to $20 billion in 2021 in the United States alone and the global cost expected to reach $6 trillion in 2021.

The post DOJ Launches Ransomware and Digital Extortion Task Force appeared first on HIPAA Journal.

Three Zero-Day Vulnerabilities in SonicWall Email Security are Being Actively Exploited

Three zero-day vulnerabilities have been identified in SonicWall Email Security products that are being actively exploited in the wild by at least one threat actor. The vulnerabilities can be chained to gain administrative access to enterprise networks and achieve code execution.

SonicWall Email Security solutions are deployed as a physical appliance, virtual appliance, software installation, or as a hosted SaaS solution and provide protection from phishing, spear phishing, malware, ransomware, and BEC attacks. The solutions do not need to be Internet facing, but hundreds are exposed to the Internet and are vulnerable to attack.

In one instance, a threat actor with intimate knowledge of the SonicWall application exploited the vulnerabilities to gain administrative access to the application and installed a backdoor that provided persistent access. The threat actor was able to access files and emails, harvest credentials from memory, and then used those credentials to move laterally within the victim’s network.

The three vulnerabilities were identified by the Mandiant Managed Defense team. SonicWall has now developed, tested, and released patches to correct the flaws. The SonicWall Hosted Email Security product was automatically updated on April 21, 2021 so customers using the hosted email security solution do not need to take any action, but users of other vulnerable SonicWall Email Security products will need to apply the patches to prevent exploitation.

SonicWall said “It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade.”

The most serious vulnerability is a pre-authentication flaw with a severity score of 9.8 out of 10. The other two vulnerabilities have CVSS scores of 7.2 and 6.7.

  • CVE-2021-20021 – Pre-authentication vulnerability allowing remote attackers to create administrative accounts by sending specially crafted HTTP requests to a remote host. (CVSS 9.8)
  • CVE-2021-20022 – Post-authentication vulnerability allowing uploads of arbitrary files to a remote host. (CVSS 7.2)
  • CVE-2021-20023 – Post-authentication vulnerability allowing arbitrary file read on a remote host. (CVSS 6.7)

Mandiant identified the threat actor exploiting the vulnerabilities as UNC2682 and blocked the attack before the threat group could achieve its final aim, so the objective of the attack is unknown. Other threat groups may also attempt to exploit the vulnerabilities to obtain persistent access to enterprise networks and steal sensitive data.

“At the time of activity, the victim organization was using the same local Administrator password across multiple hosts in their domain, which provided the adversary an easy opportunity to move laterally under the context of this account – highlighting the value of randomizing passwords to built-in Windows accounts on each host within a domain,” explained Mandiant. “The adversary managed to briefly perform internal reconnaissance activity prior to being isolated and removed from the environment.”

Affected Product | Version | Patched Version | CVEs
--- | --- | --- | ---
SonicWall Email Security | 10.0.4-Present | 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security | 10.0.3 | 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security | 10.0.2 | 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security | 10.0.1 | 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security | 7.0.0-9.2.2 | An active support license allows upgrade to the secure versions above; without an active support license, upgrades are not possible | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security | 10.0.4-Present | HES 10.0.9.6173 (automatically patched) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security | 10.0.3 | HES 10.0.9.6173 (automatically patched) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security | 10.0.2 | HES 10.0.9.6173 (automatically patched) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security | 10.0.1 | HES 10.0.9.6173 (automatically patched) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023

The post Three Zero-Day Vulnerabilities in SonicWall Email Security are Being Actively Exploited appeared first on HIPAA Journal.

Pulse Connect Secure Vulnerabilities Being Actively Exploited, Including New Zero-Day Flaw

At least one threat group is exploiting vulnerabilities in Ivanti’s Pulse Connect Secure products, according to a recent alert from the DHS’ Cybersecurity and Infrastructure Security Agency (CISA). While there has not been an official attribution, the threat actor has been linked to China by some security researchers and targets have included government, defense, financial, and critical infrastructure organizations.

FireEye has been tracking the malicious activity and reports that at least 12 malware families have been involved in cyberattacks exploiting the vulnerabilities since August 2020. These attacks have involved the harvesting of credentials to allow lateral movement within victim networks and the use of scripts and the replacement of files to achieve persistence.

Several entities have now confirmed that they have been attacked after they identified malicious activity using the Pulse Connect Secure Integrity Tool. Access has been gained to Pulse Connect Secure appliances by exploiting multiple vulnerabilities, including three vulnerabilities that were disclosed in 2019 and 2020 and one recently disclosed zero-day vulnerability. Patches have been available for several months to fix the first three vulnerabilities – CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243; however, a patch has yet to be released to correct the most recently disclosed zero-day vulnerability – CVE-2021-22893.

The CVE-2021-22893 authentication bypass vulnerability has received the maximum CVSS vulnerability severity score of 10/10. Ivanti published a security advisory about the new vulnerability on April 20, 2021. Exploitation of the flaw allows a remote unauthenticated attacker to execute arbitrary code in the Pulse Connect Secure Gateway. The flaw is believed to be exploitable by sending a specially crafted HTTP request to a vulnerable device, although this has yet to be confirmed by Ivanti. The vulnerability affects Pulse Connect Secure 9.0R3 and higher.

At least one threat group is exploiting the vulnerabilities to place web shells on vulnerable Pulse Secure VPN appliances. The web shells allow the threat actor to bypass authentication and multi-factor authentication controls, log passwords, and gain persistent access to the appliance even after the patches have been applied.

Ivanti and CISA strongly advise all users of the vulnerable Pulse Connect Secure appliances to apply the patches immediately to prevent exploitation and to implement the mitigations recently published by Ivanti to reduce the risk of exploitation of the CVE-2021-22893 vulnerability until a patch is released. The workaround involves disabling two Pulse Connect Secure features – Windows File Share Browser and Pulse Secure Collaboration – which can be achieved by importing the workaround-2104.xml file. A patch is expected to be released to correct CVE-2021-22893 in May 2021.

Since patching will not block unauthorized access if the vulnerabilities have already been exploited, CISA strongly recommends using the Pulse Connect Secure Integrity Tool to investigate whether the vulnerabilities have already been exploited.

CISA has issued an emergency directive requiring all federal agencies to enumerate all instances of Pulse Connect Secure virtual and hardware appliances, deploy and run the Pulse Connect Secure Integrity Tool to identify malicious activity, and apply the mitigation against CVE-2021-22893. The actions must be taken by 5 pm Eastern Daylight Time on Friday, April 23, 2021.

The post Pulse Connect Secure Vulnerabilities Being Actively Exploited, Including New Zero-Day Flaw appeared first on HIPAA Journal.

HSCC Publishes Guidance on Securing the Telehealth and Telemedicine Ecosystem

Healthcare providers are increasingly leveraging health information technology to provide virtual healthcare services to patients. Telehealth services allow patients living in rural areas and the elderly to gain access to essential medical services, and the pandemic has seen a major expansion in telehealth to provide virtual healthcare services to patients to reduce the spread of COVID-19.

According to FAIR Health, the number of telehealth claims to private insurers has increased by 4,347% in the past year, with virtual care such as telehealth now one of the fastest growing areas of healthcare. The Centers for Medicare and Medicaid Services has committed to providing long term support for virtual healthcare services and Frost & Sullivan predicts there will be a seven-fold increase in telehealth by 2025.

The major expansion of telehealth services has happened quickly and at a time when the healthcare industry is being targeted by cybercriminals more than ever before. Hackers have been exploiting vulnerabilities with ease to gain access to sensitive healthcare data and disrupt operations for financial gain. A 2020 study by SecurityScorecard and DarkOwl revealed a near exponential increase in targeted attacks on telehealth providers as the popularity of telehealth soared.

In order for virtual healthcare services to reach their full potential, it is essential for healthcare industry stakeholders to identify and address the privacy and security risks to healthcare data, which can be a challenge in a complex, connected environment such as healthcare.

This week, the Healthcare and Public Health Sector Coordinating Council (HSCC) has published a white paper that provides guidance for the healthcare industry on identifying cybersecurity vulnerabilities and risks related to the use and management of telehealth and telemedicine.

The new resource, Health Industry Cybersecurity—Securing Telehealth and Telemedicine, was published for the benefit of healthcare systems, clinicians, vendors, service providers, and patients, who together share the responsibility for ensuring telehealth provides the maximum benefit while keeping privacy and security risks to a low and acceptable level.

The document explains the cyber risks associated with telehealth and telemedicine and outlines the regulatory issues that apply to telehealth services, providing audit tools, guidance on policies and procedures, and suggesting best practices to adopt.

The guidance document outlines the policy underpinnings of healthcare cybersecurity, explains the relevant regulations, organizational policies, and cybersecurity considerations, and includes recommendations for implementing and maintaining telemedicine programs.

“Currently, there is no single federal agency with authority to establish and enforce privacy and security requirements for the entire telehealth ecosystem,” explained HSCC. “At a minimum, telehealth systems need to maintain security and privacy consistent with those of all other forms of care.”

Healthcare organizations are encouraged to adopt the best practices suggested in the white paper and implement the recommendations appropriate to their risk profile, so that privacy and security protections improve and the optimal benefit is gained from telehealth and telemedicine services.

You can download the HIC-STAT white paper via this link.

The post HSCC Publishes Guidance on Securing the Telehealth and Telemedicine Ecosystem appeared first on HIPAA Journal.

Health-ISAC Helps Healthcare Organizations Prepare for Supply Chain Cyberattacks

Health-ISAC, in conjunction with the American Hospital Association (AHA), has published guidance for healthcare information security teams to help them improve resilience against supply chain cyberattacks such as the recent SolarWinds Orion incident.

The white paper – Strategic Threat Intelligence: Preparing for the Next “SolarWinds” Event – provides insights into the cyberattack and explores the characteristics that made such an attack possible. The document provides technical recommendations for senior business leaders, C-suite executives, and IT and information security teams to help them prevent and mitigate similar attacks.

Solutions such as SolarWinds Orion have privileged access to the assets they are used to manage, and those supply chain dependencies and inherent trust models were exploited in the SolarWinds Orion attack. The attackers exploited a software update mechanism to inject a backdoor into the network monitoring platform. The update was downloaded and applied by around 18,000 customers, and selected companies were then targeted in more in-depth compromises, including several government agencies and cybersecurity firms. The U.S. government recently formally attributed the cyberattack to the Russian Foreign Intelligence Service (SVR).

Platforms such as SolarWinds Orion are an attractive target for threat actors. They are used by many attractive targets such as large enterprises and government agencies, they have a centralized system that controls multiple subsystems, networks, and products, and they require little interaction, if any, from the controlled systems. If the central system has an undisclosed, unpatched, or unknown opening that attackers can exploit to gain a degree of administrative control, the attackers can go on to gain limited or total control of the subsystems it manages.

All of those factors were exploited in the SolarWinds attack, and a further four incidents where similar characteristics were exploited are described in the white paper: the 2003 HP OpenView vulnerability, WannaCry, NotPetya, and the 2021 SAP Solution Manager incident.

Similar cybersecurity incidents are likely to happen time and time again, so it is important for steps to be taken to minimise risk and limit the damage that can be caused. The white paper details the risks involved with enterprise IT systems such as SolarWinds Orion and provides recommendations that can be applied to allow organizations to predict, and hopefully prevent, similar incidents in the future.

Recommendations include signing up with an ISAC to receive timely and actionable threat intelligence, conducting vulnerability scans to identify vulnerabilities, patching promptly, adhering to the principle of least privilege, and implementing a program of continuous verification to ensure that security controls are still effective at blocking threats.

“What is truly needed is close cooperation between governments, the healthcare sector and all critical infrastructure globally via a formal exchange of cyber threat information and combined cyber defenses – to create a truly global approach,” explained Health-ISAC in the white paper. “We urge organizations to use the strategic and tactical issues discussed in this paper as considerations for all trusted systems used, or planning to be used, in your environment.”

The post Health-ISAC Helps Healthcare Organizations Prepare for Supply Chain Cyberattacks appeared first on HIPAA Journal.