Healthcare Cybersecurity

Healthcare Organizations Facing Higher Cyber Insurance Costs for Less Coverage

The number of cyberattacks now being reported is higher than ever before. A couple of years ago, healthcare cyberattacks were being reported at a rate of one per day, but in 2021, there have been months where attacks have been reported at twice that rate.

The severity of cyberattacks has also increased and the cost of responding to and recovering from cyberattacks is now much higher. The likelihood of a serious cyberattack occurring and the high costs of remediating such an attack have prompted many healthcare organizations to take out a cyber insurance policy to cover the cost.

The Government Accountability Office (GAO) has recently published a study of the cyber insurance market as required by the National Defense Authorization Act for Fiscal Year 2021. GAO conducted the study of the cyber insurance market to identify key trends and the challenges faced by insurers and the options available to address them.

GAO studied cyber insurance policies, reports on cyber risk and cyber insurance from researchers, think tanks, and the insurance industry, and interviews were conducted with treasury officials and two industry associations representing cyber insurance providers, an organization providing policy language services to insurers, and one large cyber insurance provider.

GAO found the number of insurance clients that hold a cyber insurance policy has increased from 26% in 2016 to 47% in 2020 – an increase of more than 60%. As demand for cyber insurance has increased, so too have insurance premiums. The increase in attack frequency and severity has seen insurance premiums increase dramatically. According to the study, more than half of cyber insurance clients saw their insurance premiums increase by between 10% and 30% in late 2020.

Insurance costs have increased, but coverage has decreased. In certain industry sectors, including healthcare and education, insurers have reduced coverage limits, meaning victims of cyberattacks often have to cover part of the cost themselves.

Many insurers have stopped including coverage for cyberattacks within their existing policies and instead now offer policies specific to cyber risk, but there have been several challenges in creating these policies. Without access to comprehensive, high quality data on losses due to cyberattacks, the insurance industry has found it difficult to price policies appropriately. Industry stakeholders have suggested federal and state governments and industries should collect and share data on incident response, which will help the insurance industry develop better insurance products and price them accordingly.

There have also been problems with the definitions used and what exactly is covered by a cyber insurance policy. For instance, many policies cover cyberterrorism, but it is unclear exactly what cyberterrorism includes. Industry stakeholders have called for better definitions of cyberattacks to be developed to help both insurers and their clients understand exactly what is covered by insurance policies.

GAO found that many businesses, especially smaller businesses, are underestimating their cyber risks and the amount of insurance coverage they need. Researchers also identified many businesses that have failed to take out a policy as they have not understood the magnitude of risks they face, and do not see the value in cyber insurance as they do not believe it will cover the cost of a cyberattack because there are too many exclusions. Better definitions of cyberattacks and exactly what is covered could help these businesses take out the coverage they need.

The post Healthcare Organizations Facing Higher Cyber Insurance Costs for Less Coverage appeared first on HIPAA Journal.

FBI Warns of Ongoing Conti Ransomware Attacks on Healthcare Organizations and First Responders

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Flash notice about ongoing Conti ransomware attacks targeting healthcare and first responder networks. According to the FBI, the Conti ransomware gang has attacked 16 healthcare and first responder organizations in the United States.

In addition to healthcare providers, the gang has attempted ransomware attacks on 911 dispatch centers, emergency medical services, law enforcement agencies and municipalities. The gang is known to have conducted attacks on 400 organizations worldwide, including a recent attack on the Health Service Executive (HSE) and Department of Health (DoH) in Ireland. To date, the gang has claimed 290 victims in the United States.

Conti ransomware is believed to be operated by the Russian cybercrime group Wizard Spider and is a ransomware-as-a-service (RaaS) operation. The threat group is known for attacking large organizations and issuing huge ransom demands, which have been as high as $25 million. The ransom demand set for each victim based on the extent of the encryption and the perceived ability of the victim to pay.

As is common now with ransomware attacks, the Conti ransomware gang exfiltrates sensitive data prior to file encryption and threatens to sell or publish the data if the ransom is not paid. Victims are given 8 days to make payment, although if attempts have not been made by the victims to get in touch with the gang, contact is often made using Voice Over Internet Protocol (VOIP) services or encrypted email such as ProtonMail after 2-8 days to pressure victims into paying.

Attacks usually start with phishing emails that include weaponized hyperlinks or email attachments or the use of stolen Remote Desktop Protocol (RDP) credentials. Prior to the disruption of the Emotet botnet, the attackers used malicious Word documents with embedded PowerShell scripts, first to stage Cobalt Strike and then to deploy the Emotet Trojan onto the network, which allowed the threat group to deliver their ransomware payload. The group has also been known to use the TrickBot Trojan in their attacks. The time from the initial compromise to the deployment of ransomware is usually between 4 days and 3 weeks, with the ransomware payload often delivered using dynamic link libraries (DLLs).

The threat group uses living-off-the-land techniques to escalate privileges and move laterally within networks, such as Sysinternals and Mimikatz. After encrypting files, the gang often remains in the network and beacons out using Anchor DNS. Remote access tools used by the gang beacon out to domestic and international VPS infrastructure over posts 80, 443, 8443, with port 53 often used for persistence. Indicators of attacks in progress include the creation of new accounts and the installation of tools such as Sysinternals, along with disabled detection and constant HTTP and DNS beacons.

The FBI does not recommend paying ransoms as payment does not guarantee the recovery of files nor the sale or publication of stolen data. The FBI has requested all victims of Conti ransomware attacks share information about the attacks with the FBI including boundary logs showing communications to and from foreign IP addresses, Bitcoin wallet information, decryptor files and/or benign samples of encrypted files.

The FBI has published several mitigations that can be implemented to harden defenses against Conti and other ransomware attacks.  These include:

  • Regularly back up data, test backups, and store backups on air-gapped devices.
  • Retain multiple copies of sensitive and proprietary data on servers that are physically separate and cannot be accessed from the systems where data resides.
  • Implement network segmentation.
  • Use multi-factor authentication.
  • Patch and update systems, software, and firmware promptly.
  • Use strong passwords and regularly change passwords for network systems and accounts.
  • Disable hyperlinks in inbound email.
  • Add email banners to all inbound emails from external sources.
  • Conduct regular user account audits for accounts with administrative privileges.
  • Only use secure networks and avoid public Wi-Fi networks.
  • Use a VPN for remote access.
  • Ensure all members of the workforce are provided with regular security awareness training.

The post FBI Warns of Ongoing Conti Ransomware Attacks on Healthcare Organizations and First Responders appeared first on HIPAA Journal.

U.S Advances 5 Bills to Improve Cyber Defenses of SLTT Governments and Critical Infrastructure Entities

In the wake of the SolarWinds Supply chain attack, ransomware attack on Colonial Pipeline, and President Biden’s cybersecurity executive order, the U.S. House Committee on Homeland Security has cleared five bipartisan bills that seek to address cybersecurity and improve the defenses of state, local, tribal, and territorial (SLTT) governments and critical infrastructure entities.

The cyberattack on Colonial Pipeline forced the company to shut down its 5,500-mile fuel pipeline that delivers 45% of the fuel required by the East Coast. In order to speed up recovery and minimize disruption, Colonial Pipeline’s CEO Joseph Blount authorized the payment of a $4.4 million ransom to the DarkSide ransomware gang; however, even though the ransom was paid, the fuel pipeline remained shut down for 5 days, causing major disruption to fuel supplies.

These attacks have highlighted major vulnerabilities in cybersecurity defenses which need to be addressed to improve national security.

The five bipartisan cybersecurity bills advanced this week are:

  • The Pipeline Security Act (H.R. 3243)
  • The State and Local Cybersecurity Improvement Act (H.R. 3138)
  • The Cybersecurity Vulnerability Remediation Act (H.R. 2980)
  • The CISA Cyber Exercise Act (H.R. 3223)
  • The Domains Critical to Homeland Security Act (H.R. 3264)

The Pipeline Security Act (H.R. 3243), introduced by Congressman Emanuel Cleaver (D-MO), had previously been introduced two years ago but failed to gain traction. The main purpose of the reintroduced bill is to codify the role of the Transportation Safety Administration (TSA) in securing the nation’s natural gas and oil infrastructure to guard pipeline systems against cyberattacks, terrorist attacks, and other threats.

The State and Local Cybersecurity Improvement Act (H.R. 3138), introduced by Congresswoman Yvette D. Clarke (D-NY), authorizes the creation of a new $500 million grant program that will provide funds to SLTT governments to help them secure their networks from ransomware and other types of cyberattacks.

The Cybersecurity Vulnerability Remediation Act (H.R. 2980), introduced by Congresswoman Sheila Jackson Lee (D-TX), gives the DHS’ Cybersecurity and Infrastructure Security (CISA) Agency the authority to assist critical infrastructure owners and operators in developing mitigation strategies to protect against known, critical vulnerabilities.

The CISA Cyber Exercise Act (H.R. 3223), introduced by Congresswoman Elissa Slotkin (D-MI), creates a National Cyber Exercise program within CISA that will ensure more frequent testing of preparedness and resilience to cyberattacks on critical infrastructure.

The Domains Critical to Homeland Security Act (H.R. 3264), introduced by Ranking Member John Katko (R-NY), gives the DHS the authority conduct research and development into supply chain risks for critical domains of the United States economy, and send the results to Congress.

A further two bills were introduced that tackle non-cybersecurity issues – the DHS Blue Campaign Enhancement Act (H.R. 2795) and the DHS Medical Countermeasures Act” (H.R. 3263) – which strengthen DHS’ human trafficking prevention efforts and DHS’ medical countermeasures following chemical, biological, radiological, nuclear, or explosive attacks, disease outbreaks and pandemics.

The post U.S Advances 5 Bills to Improve Cyber Defenses of SLTT Governments and Critical Infrastructure Entities appeared first on HIPAA Journal.

Ransomware Gangs Adopt Triple Extortion Tactics

Following on from the DarkSide ransomware attack on Colonial Pipeline, several ransomware threat actors have ceased activity or have implemented rules that their affiliates must follow, including banning all attacks on critical infrastructure firms, healthcare organizations, and government organizations.  Some popular hacking forums are distancing themselves from ransomware and have banned ransomware groups from advertising their RaaS programs. However, there are many threat actors conducting attacks and not all are curbing their activities. It remains to be seen whether there will be any reduction in attacks, even in the short term.

So far in 2021, attacks have been occurring at record levels, with the healthcare and utility sectors the most targeted. An analysis of attacks by Check Point Research found that since the start of April 2021, ransomware attacks have been occurring at a rate of around 1,000 per week, with a 21% increase in impacted organizations in the first trimester of 2021 and 7% more in April.

The number of attacked organizations is up 102% from the corresponding period in 2020 and in April 2021, an average of 109 ransomware attacks were reported by healthcare organizations every week, with 59 attacks per week on the utilities sector and 34 in legal/insurance. Ransom payments have also increased and are up 171% from the same time last year, with the average payment now $310,000.

Since early 2020, ransomware threat groups have been using double extortion tactics to increase the probability of victims paying the ransom. Instead of simply encrypting files and demanding payment for the keys to decrypt data, prior to data encryption, the attackers exfiltrate any sensitive data they can find. Threats are then issued to publish the data if payment is not made.

Now, a new tactic has been detected by researchers at Check Point – triple extortion attacks. As with the double extortion tactics of breaching a healthcare network, exfiltrating data, and demanding a ransom for the keys to decrypt files and prevent the sale or publication of stolen data on leak sites, some threat groups are also targeting individuals whose data has been stolen. They too are issued with a ransom demand to prevent their personal and health data from being sold or put in the public domain.

This tactic has been observed since late 2020 and has continued to gain traction in 2021, with the first known case affecting the Vastaamo Clinic in Finland in October 2020. In that case, the attackers stole large amounts of data and issued ransom demands to the clinic and patients, with the latter including a threat to publish their psychotherapy notes if they failed to pay to prevent the data leak.

While the REvil ransomware operation did not issue demands for payment from individuals, their tactics have included contacting individuals by telephone to alert them to the attack to pile on the pressure on the breached entity to pay up.

“We can only assume that creative thinking and a wise analysis of the complex scenario of double extortion ransomware attacks have led to the development of the third extortion technique,” explained Check Point Research. “Third-party victims, such as company clients, external colleagues and service providers, are heavily influenced, and damaged by data breaches caused by these ransomware attacks, even if their network resources are not targeted directly… Such victims are a natural target for extortion, and might be on the ransomware groups’ radar from now on.”

The post Ransomware Gangs Adopt Triple Extortion Tactics appeared first on HIPAA Journal.

CISA Issues Guidance on Evicting Adversaries from Networks Following SolarWinds Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on evicting threat actors from networks compromised in the SolarWinds Orion supply chain attacks and, including subsequent compromises of Active Directory and M365 environments.

The attacks have been attributed to threat actors tied to the Russian Foreign Intelligence Service (SVR). After gaining network access through the update mechanism of SolarWinds Orion, the threat actor selected targets of interest for further compromise and bypassed multi-factor authentication methods and moved laterally into Microsoft 365 environments by compromising federated identity solutions. Most of the targets selected for further compromise were government departments and agencies and critical infrastructure organizations, although private sector organizations may also have experienced more extensive compromises.

The guidance applies to evicting adversaries from on-premises and cloud environments and includes a 3-phase remediation plan. CISA notes that malicious compromises are unique to each victim, so careful consideration must be given to each of the steps and the guidance then applied to the unique environment of each breached entity to ensure success.

All three phases are required to fully evict an adversary from either on-premises or cloud environments, so shortcuts should not be taken. The failure to follow all steps could result in substantial, long-term undetected Advanced Persistent Threat (APT) activity, prolonged theft of data, and erosion of public trust in victims’ networks.

The guidance provides the plan for evicting adversaries from a network, but does not provide specific details on how the required actions should be taken.

Any attempt to evict an adversary from the network requires a pre-eviction phase, an eviction phase, and a post-eviction phase. The pre-eviction phase is concerned with confirming tactics, techniques, and procedures (TTTPs) associated with the attacks and fully investigating the true scope of compromise. During the remediation process, steps will be taken to improve security and build more resilient networks; however, the eviction process is complex, time-consuming, and will require business networks to be disconnected from the Internet for 3-5 days.

A thorough risk assessment must be conducted prior to any eviction attempt to understand the potential impacts on critical business functions. There will likely be disruption to business operations, so it is essential that the remediation efforts are properly planned, the impact on the business is fully understood, and appropriate resources are made available to limit disruption.

After completing all eviction steps, entities enter into the post-eviction phase which involves confirming the adversary has been evicted. This phase includes integrating detection mechanisms, configuring endpoint forensics and detection solutions for aggressive collection, and maintaining vigilance, with steps taken over the 60 days after completing the eviction phase.

“In the hours, days, and weeks after the network’s internet connection is restored, the agency’s detection capability will be important in verifying that all threat actor activity within the enterprise has stopped,” explained CISA. “Extended vigilance is necessary because this threat actor has demonstrated extreme patience with follow-on activity.”

CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise can be found on this link.

The post CISA Issues Guidance on Evicting Adversaries from Networks Following SolarWinds Attacks appeared first on HIPAA Journal.

April 2021 Healthcare Data Breach Report

April was another particularly bad month for healthcare data breaches with 62 reported breaches of 500 or – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month.

Healthcare data breaches in the past 12 months

High numbers of healthcare records continue to be exposed each month. Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised; however, it is below the 12-month average of 2,867,243 breached records per month. 34.4 million healthcare records have now been breached in the past 12 months, 11.2 million of which were breached in 2021.

Healthcare records breached in the past 12 months

Largest Healthcare Data Breaches Reported in April 2021

There were 19 reported data breaches in April that involved more than 10,000 records, including 7 that involved more than 100,000 records with all but one of the top 10 data breaches due to hacking incidents.

Ransomware attacks continue to occur at high levels, with many of the reported attacks affecting business associates of HPAA-covered entities. These incidents, which include attacks on Netgain Technologies, Accellion, and CaptureRX, have affected multiple healthcare provider clients.

The majority of ransomware attacks now involve data theft prior to file encryption, with the stolen data used as leverage to get breach victims to pay. Large quantities of data are stolen in the attacks. The top three data breaches of the month all involved the use of ransomware and involved 1.3 million healthcare records.

There has been some positive news this month. In the wake of the ransomware attack on Colonial Pipeline, multiple ransomware gangs appear to have ceased operations and at least two have now taken the decision not to attack healthcare organizations. This news should naturally be taken with a large pinch of salt, as similar promises were made by certain ransomware gangs at the start of the pandemic and attacks continued at high levels.

Name of Covered Entity Covered Entity Type Business Associate Involvement Individuals Affected Type of Breach Reported Cause of Breach
Trinity Health Business Associate Yes 586,869 Hacking/IT Incident Ransomware (Accellion)
Bricker & Eckler LLP Business Associate Yes 420,532 Hacking/IT Incident Ransomware
Health Center Partners of Southern California Business Associate Yes 293,516 Hacking/IT Incident Ransomware (Netgain Technologies)
Total Health Care Inc. Health Plan No 221,454 Hacking/IT Incident Phishing
Wyoming Department of Health Health Plan No 164,010 Unauthorized Access/Disclosure Exposure of PHI over Internet
Home Medical Equipment Holdco, LLC Healthcare Provider No 153,013 Hacking/IT Incident Phishing
Health Aid of Ohio, Inc. Healthcare Provider No 141,149 Hacking/IT Incident Unspecified hacking and data exfiltration attack
Woodholme Gastroenterology Healthcare Provider No 50,000 Hacking/IT Incident Unspecified hacking and data exfiltration attack
Neighborhood Healthcare Healthcare Provider Yes 45,200 Hacking/IT Incident Ransomware (Netgain Technologies)
Crystal Lake Clinic PC Healthcare Provider No 37,331 Hacking/IT Incident Not confirmed
RiverSpring Health Plans Health Plan No 31,195 Hacking/IT Incident Phishing
Middletown Medical Imaging Healthcare Provider No 29,945 Hacking/IT Incident Exposure of PHI over Internet
St. John’s Well Child and Family Center, Inc. Healthcare Provider No 29,030 Hacking/IT Incident Unspecified hacking and data exfiltration attack
MailMyPrescriptions.com Pharmacy Corporation Healthcare Provider No 24,037 Hacking/IT Incident Phishing
Squirrel Hill Health Center Healthcare Provider No 23,869 Hacking/IT Incident Malware
Eastern Shore Rural Health System Inc. Healthcare Provider Yes 23,282 Unauthorized Access/Disclosure Not confirmed
Faxton St. Luke’s Healthcare Healthcare Provider Yes 17,656 Hacking/IT Incident Ransomware (CaptureRX)
Midwest Transplant Network, Inc. Healthcare Provider No 17,580 Hacking/IT Incident Ransomware
Baptist Health Arkansas Healthcare Provider Yes 16,765 Hacking/IT Incident Hacking of business associate (Foley & Lardner, LLP)

Causes of April 2021 Healthcare Data Breaches

Hacking/IT incidents, which include malware and ransomware attacks, dominated the breach reports in April 2021 and accounted for 67.74% of all reported breaches (42 incidents). These incidents involved 85.93% of all breached records in April. The mean breach size was 52,851 records and the median breach size was 6,563 records.

There were 17 incidents classed as unauthorized access/disclosures involving 358,870 records – 13.89% of all records breached in April. The mean breach size was 21,110 records and the median breach size was 2,704 records.

Loss and theft incidents continue but only at very low levels. There were just two reported cases of theft of devices containing PHI and one loss incident reported. 4,500 records were breached in these 3 incidents.

April 2021 Healthcare Data Breach  causes

Network server incidents, most of which involved ransomware or malware, have overtaken phishing as the main cause of healthcare data breaches, although it should be noted that phishing emails are often the root cause of many ransomware attacks. There were 19 reported incidents involving PHI in email accounts, the majority of which were due to phishing or other forms of credential theft. One of the largest reported breaches in April was due to phishing and resulted in the exposure and potential theft of the PHI of 221,454 individuals.

April 2021 Healthcare Data Breaches - location of PHI

According to the Verizon 2021 Data Breach Investigations Report, phishing attacks increased globally by 11% in 2020 and ransomware attacks increased by 6%. The report shows insider breaches in healthcare have continued to fall and are now not even in the top three breach causes. In 2020, 61% of healthcare data breaches were due to external threat actors and 39% were caused by insiders.

April 2021 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 30 data breaches of 500 or more records reported by the provider and a further 13 reported by a vendor. Business associate data breaches continue to be reported at high levels. There were 24 breaches involving business associates, with 10 of those breaches reported by the covered entity. 9 branches were reported by health plans in April, with one breach affecting a health plan reported by its business associate.

States Affected by Healthcare Data Breaches

HIPAA-covered entities and business associates based in 28 states reported breaches of protected health information in April. California was the worst affected state with 7 breaches reported followed by Michigan and Texas with 5 breaches. Florida, New York, and Wisconsin had 4 breaches, and there were 3 reported breaches in Massachusetts and Ohio.

Wyoming, the least populated U.S. state, only had one reported breach, but it affected a quarter of state residents.

State No. Reported Data Breaches
California 7
Michigan and Texas 5
Florida, New York, & Wisconsin 4
Massachusetts & Ohio 3
Georgia, Illinois, Minnesota, Missouri, New Mexico, Pennsylvania, and Vermont 2
Alabama, Arkansas, Colorado, Kansas, Maryland, Montana, North Carolina, New Hampshire, New Jersey, Oregon, Tennessee, Virginia, & Wyoming 1

HIPAA Enforcement Activity in April 2021

It has been a busy year of HIPAA enforcement by the HHS’ Office for Civil Rights with 6 financial penalties imposed to resolve violations of the HIPAA Rules; however, there were no new settlements or civil monetary penalties announced in April, nor any enforcement actions by state Attorneys General.

 

The post April 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

DarkSide RaaS Shut Down and Ransomware Gangs Ban Attacks on Healthcare Organizations

The DarkSide ransomware gang has notified its affiliates that it has shut down its ransomware-as-a-service (RaaS) operation. The announcement came after the group’s public infrastructure was taken offline in what appears to be a law enforcement operation.

On May 13, the DarkSide data leak site went offline along with much of the group’s public infrastructure, including the payment server used to obtain ransom payments from victims and its breach data content delivery network. The gang also said its cryptocurrency wallets had been emptied and the funds transferred to an unknown account.

Intel 471 obtained a copy of a note written by the gang explaining to its affiliates that part of its public infrastructure was lost, its servers could not be accessed via SSH, and its hosting panels had been blocked. The group said its hosting company did not provide any further information other than the loss of the servers was “at the request of law enforcement.”

The group explained that it will be releasing the decryptors for all companies that have been attacked but have not paid the ransom; however, those decryptors are being released to the affiliates who conducted the attacks, not to the attacked companies. It will be up to individual affiliates whether to provide them to their victims or attempt to obtain payment.

“In view of the [loss of servers] and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck,” wrote the gang.

The same day that the group’s infrastructure was taken down, President Biden held a press conference about the Colonial Pipeline ransomware attack explaining the efforts made by the government to limit disruption and promising action would be taken against the DarkSide ransomware gang.

“We don’t believe the Russian government was involved in this attack,” said President Biden. “We do have strong reason to believe that the criminals who did the attack are living in Russia.” Biden went on to say that the United States was “in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks” and that the U.S. would “pursue a measure to disrupt their ability to operate.” President Biden also confirmed that the U.S. Department of Justice has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.

Prior to the shutdown, the hacking community had started to shun the DarkSide group. One of the two top-tier dark web forums used by the DarkSide gang to advertise its RaaS operation deleted the DarkSide account along with two threads about its ransomware operation, according to Gemini Advisory. Gemini Advisory also claims to have heard from several credible sources that the group no longer has a presence on the dark web. One top-tier dark web forum often used by ransomware gangs has also imposed sanctions on ransomware operations and has banned them entirely from the forum, claiming ransomware has become too toxic.

Intel 471 reports that it is not only the DarkSide operation that has been shut down. Several other ransomware operations have halted their operations, although it is unclear whether this is a permanent shut down or if the ransomware gangs are simply laying low and will start up their operations again under a different name. The Babuk ransomware operators claim to have provided their source code to another team and are pulling out of ransomware attacks. They said their ransomware will be operated by a different group under a different name.

The REvil ransomware gang, one of the most prolific ransomware operations, has also announced that it will no longer be promoting its ransomware operation on dark web forums and expects to make its operation private. Both REvil and Avaddon have taken the decision to stop their affiliates from attacking companies in certain sectors. Both ransomware gangs released statements confirming new rules have been introduced for affiliates that prohibit them from conducting attacks on the government, healthcare, charities, and educational institutions in any country. They also require their affiliates to obtain approval from the group before any attack. Should any affiliate attack a prohibited target, the victim will be provided with the decryptor free of charge and the affiliate will be permanently kicked out of the RaaS program.

Intel 471 also reports that the cryptocurrency mixing service, BitMix, which was used by REvil and Avaddon to launder the cryptocurrency generated from ransomware attacks has also been shut down.

The post DarkSide RaaS Shut Down and Ransomware Gangs Ban Attacks on Healthcare Organizations appeared first on HIPAA Journal.

Biden Signs Expansive Executive Order to Improve Cybersecurity for Federal Networks

On May 13, 2021, President Biden signed an expansive Executive Order that aims to significantly bolster cybersecurity protections for federal networks, improve threat information sharing between the government, law enforcement and the private sector, and introduce a cyber threat response playbook to accelerate incident response and mitigation.

The 34-page Executive Order includes short time frames for making significant improvements to cybersecurity, with all elements of the Executive Order due to be implemented within the next 360 days and the first elements due in 30 days.  The Executive Order was penned following a series of damaging cyberattacks that impacted government departments and agencies, such as the SolarWinds Orion Supply chain attack and attacks on Microsoft Exchange Servers. The recent DarkSide ransomware attack on Colonial Pipeline served as yet another reminder of the importance of improving cybersecurity, not just for the Federal government but also the private sector which owns and operates much of the country’s critical infrastructure.

President Biden is planning to lead by example and is urging the private sector and critical infrastructure firms to follow the lead of the Federal government in improving resilience to cyberattacks and preparing for attacks to ensure that disruption to operational capabilities is kept to a minimum.

The key elements of the Executive Order on Improving the Nation’s Cybersecurity are:

  • Removing barriers to threat information sharing to make it easier for private sector companies to report threats and data breaches that could potentially have an impact on Federal networks.
  • Modernizing and implementing stronger cybersecurity standards in the Federal government. This includes widespread use of multifactor authentication, more extensive use of data encryption, the adoption of a zero-trust architecture, and a more rapid transition to secure cloud services.
  • The creation of a standard cyber incident response playbook. Government departments and agencies need to know, in advance, how to respond to threats. The playbook will ensure a rapid and uniform response to any cybersecurity incident.
  • Improvements to investigative and remediation capabilities. Detailed security event logs must be maintained by federal departments and agencies to ensure that cyberattacks can be easily investigated and remediated. Breach investigations have previously been hampered due to the lack of robust and consistent logging.
  • Improving software supply chain security. All software sold to the U.S. government will need to adhere to new security standards. Developers will be required to maintain greater visibility into their software solutions and make security data publicly available. The government will also launch a pilot “energy star” label program to demonstrate whether software was developed securely.
  • A Cybersecurity Safety Review Board will be created that consists of government and private sector leads that will meet following any significant security breach to analyze what has happened. Recommendations can then be made and implemented to ensure similar attacks are prevented in the future.
  • Improvements to cyber incident detection capabilities. A government-wide endpoint detection and response system will be implemented, along with robust intra-governmental information sharing.

“This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur,” explained the Biden Administration in a statement about the Executive Order. “It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses.”

The post Biden Signs Expansive Executive Order to Improve Cybersecurity for Federal Networks appeared first on HIPAA Journal.

Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data.

In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic.

To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR.

2020 saw an 11% increase in phishing attacks, with cases of misrepresentation such as email impersonation attacks at 15 times the level of 2019. There was a 6% increase in ransomware attacks, with 10% of all data breaches in 2020 involving the use of ransomware – Twice the level of the previous year.

Across all industry sectors, phishing was the main cause of data breaches and was involved in 36% of incidents. The researchers attributed the increase in phishing attacks to the pandemic, with COVID-19 and other related pandemic lures extensively used in targeted attacks on at-home workers. While phishing attacks and the use of stolen credentials are linked, the researchers found attacks involving stolen credentials were similar to the level of the previous year and were involved in 25% of breaches. Exploitation of vulnerabilities was also common, but in most cases it was not new vulnerabilities being exploited but vulnerabilities for which patches have been available for several months or years.

The increase in remote working forced businesses to move many of their business functions to the cloud and securing those cloud resources proved to be a challenge. Attacks on web applications accounted for 39% of all data breaches, far higher than the previous year. Attacks on external cloud assets were much more common than attacks on on-premises assets.

61% of data breaches involved credential theft, which is consistent with previous data breach investigation reports and 85% of data breaches involved a human element. In the majority of cases (80%), data breaches were discovered by a third party rather than the breached entity.

There were considerable variations in attacks and data breaches across the 12 different industry verticals represented in the report. In healthcare, human error continued to be the main cause of data breaches, as has been the case for the past several years. The most common cause of data breaches in misdelivery of paper and electronic documents (36%), but this was far higher in the financial sector (55%). In public administration, the main cause of data breaches was social engineering, such as phishing attacks to obtain credentials.

Healthcare Data Breaches in 2020. Source: Verizon 2021 Data Breach Investigations Report

Verizon analyzed 655 healthcare security incidents, which included 472 data breaches. 221 incidents involved malware, 178 hacking, 137 human error, and 106 social attacks. For the second consecutive year, incidents involving malicious insiders have fallen out of the top three attack types. While it is certainly good news that the number of malicious insider incidents is falling, that does not mean that these incidents are no longer occurring. It could indicate malicious insiders are able to cover their tracks much better. Attacks by external threat actors significantly increased, with healthcare industry cyberattacks commonly involving the use of ransomware. 61% of incidents were the work of external threat actors and 39% were internal data breaches.

Interestingly, considering the value of medical data on the black market, medical data was not the most commonly breached data type. Medical data was breached in 55% of data breaches, with personal data breached in 66% of incidents.  32% of breached involved the theft of credentials. Verizon suggests that could be due to the opportunistic nature of attacks by external threat actors. “With the increase of External actor breaches, it may simply be that the data taken is more opportunistic in nature. If controls, for instance, are more stringent on Medical data, an attacker may only be able to access Personal data, which is still useful for financial fraud. Simply put, they may take what they can get and run.

Breach detection has been steadily improving since 2016, when the majority of data breaches took months or more to identify. The majority of data breaches are now being discovered in days or less, although most commonly not by the breached entity.  80% of data breaches were identified by a third party.

The cost of a data breach is now estimated to be $21,659 on average, with 95% of data breaches having a financial impact of between $826 and $653,587.

The post Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall appeared first on HIPAA Journal.