Healthcare Cybersecurity

FBI Warns of Increase in Business Email Compromise Attacks on Local and State Governments

State, local, tribal, and territorial (SLTT) governments have been warned that they are being targeted by Business Email Compromise (BEC) scammers. In a March 17, 2021 Private Industry Notification, the Federal Bureau of Investigation (FBI) explained that it observed an increase in BEC attacks on SLTT government entities between 2018 and 2020. Losses from these attacks range from $10,000 to $4 million.

BEC attacks involve gaining access to an email account and sending messages impersonating the account holder with a view to convincing the target to make a fraudulent transaction. The email account is often used to send messages to the payroll department to change employee direct deposit information or to individuals authorized to make wire transfers, to request changes to bank account details or payment methods.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) was notified about 19,369 BEC attacks and losses of almost $1.9 billion were reported. In July 2019, a small city government was scammed out of $3 million after receiving a spoofed email that appeared to be from a contractor requesting a change to their payment method. In December 2019, the email account of a financial coordinator of a government agency of a US territory was compromised and used to send 146 messages to government entities with financial transaction instructions. Many of these requests were queried via email, and the attacker was able to intercept and respond to those messages. In total, $4 million was transferred to the attacker’s account.

In addition to the financial losses, the attacks impair operational capabilities of SLTT government entities, cause reputational damage, and can also result in the loss of sensitive information such as PII, banking information, and employment data.

BEC scammers can easily research targets and can discover SLTT operating information and information about vendors, suppliers, and contractors from public sources. Gaining access to the email accounts is straightforward as the target’s email address is easy to locate, and phishing kits can be purchased cheaply on the darknet for harvesting credentials.

Once an email account is compromised, the writing style of the account holder is copied, and message threads are often hijacked. The scam could involve multiple messages where the target believes they are communicating with the genuine account holder, when they are communicating with the scammer.

The FBI warns that BEC scammers often go for low-hanging fruit: they most likely target SLTT government entities with inadequate cybersecurity protocols and take advantage of SLTT government entities that fail to provide sufficient training to the workforce. The move to remote working due to the pandemic has also made it easier for the scammers.

In 2020, CISA conducted phishing simulations of SLTT government entities. Across 152 campaigns consisting of around 40,000 messages, there were around 5,500 unique clicks of fake malicious links, which is a click rate of 13.6%. Such a high click rate suggests security awareness training is failing to teach employees about the risk of email-based attacks and highlights the need for “defense in depth mitigations.”

The FBI suggests ensuring that all members of the workforce receive security awareness training, are told about BEC attacks, and are taught how to identify phishing and fraudulent emails. Employees must be instructed to carefully check email requests for advance payments, changes to bank account information, or requests for sensitive information. Policies and procedures should be implemented that require any bank account change or transaction request to be verified by telephone using a verified number, not contact information supplied in emails.

Additional measures that should be considered include phishing simulations, multi-factor authentication on email accounts, blocking of automatic email forwarding, monitoring email Exchange servers for configuration changes, adding banners to emails arriving from external sources, and using email filtering services.
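One of the measures listed above, monitoring the mail server for configuration changes, comes down to watching for forwarding and redirect rules that send a mailbox's mail outside the organization, which is how a scammer who has compromised an account keeps a copy of the payment conversation. The following script is an added example and is not part of the FBI notice or of any HIPAA Journal article. It runs over constructed audit records whose shape is modeled loosely on Exchange admin audit entries (an operation name plus a list of Name/Value parameters); the internal domain `example.gov`, the addresses, and the record layout are assumptions, while the parameter names (`ForwardTo`, `RedirectTo`, `ForwardAsAttachmentTo`, `ForwardingSmtpAddress`, `ForwardingAddress`) are the Exchange cmdlet parameters that cause mail to be forwarded.

```python
"""Flag mailbox configuration changes that forward or redirect mail outside the organization.

Added example, not code from the FBI notice. The records below are constructed and are modeled
loosely on the shape of Exchange admin audit entries (an Operation name plus Name/Value
parameters). The internal domain, user names and addresses are assumptions.
"""
import json
from dataclasses import dataclass

# Domains treated as internal; any other destination is external. (Assumption.)
INTERNAL_DOMAINS = {"example.gov"}

# Cmdlet parameters that copy or redirect incoming mail to another address.
FORWARDING_PARAMS = {
    "ForwardTo",               # New-InboxRule / Set-InboxRule
    "ForwardAsAttachmentTo",
    "RedirectTo",
    "ForwardingSmtpAddress",   # Set-Mailbox
    "ForwardingAddress",
}


@dataclass(frozen=True)
class Finding:
    user: str          # account whose configuration changed
    operation: str     # audited cmdlet name
    parameter: str     # which forwarding parameter was set
    destination: str   # raw destination value as it appeared in the record


def email_domain(value: str) -> str:
    """Return the lower-cased domain from forms like 'smtp:bob@x.org' or "'Bob' <bob@x.org>'."""
    addr = value.strip().strip("'\"")
    if "<" in addr and addr.endswith(">"):          # display-name form
        addr = addr[addr.rindex("<") + 1:-1]
    if ":" in addr and "@" in addr.split(":", 1)[1]:  # 'smtp:' prefix form
        addr = addr.split(":", 1)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def external_destinations(value: str) -> list[str]:
    """Split a semicolon-separated parameter value and keep only external addresses."""
    out = []
    for item in value.split(";"):
        item = item.strip()
        dom = email_domain(item)
        if dom and dom not in INTERNAL_DOMAINS:
            out.append(item)
    return out


def find_external_forwarding(records: list[dict]) -> list[Finding]:
    """Walk audit records and report every forwarding parameter pointing outside the org."""
    findings = []
    for rec in records:
        for p in rec.get("Parameters", []):
            if p.get("Name") not in FORWARDING_PARAMS:
                continue
            for dest in external_destinations(str(p.get("Value", ""))):
                findings.append(Finding(rec["UserId"], rec["Operation"], p["Name"], dest))
    return findings


# Constructed sample audit records (not real log data).
SAMPLE_AUDIT_LOG = json.dumps([
    {"CreationTime": "2021-03-01T09:12:44", "Operation": "New-InboxRule",
     "UserId": "payroll.clerk@example.gov",
     "Parameters": [{"Name": "Name", "Value": "invoices"},
                    {"Name": "SubjectContainsWords", "Value": "wire;bank;invoice"},
                    {"Name": "ForwardTo", "Value": "smtp:mail.collector@external-example.net"}]},
    {"CreationTime": "2021-03-01T09:15:02", "Operation": "Set-Mailbox",
     "UserId": "it.admin@example.gov",
     "Parameters": [{"Name": "Identity", "Value": "finance.coordinator"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:shared.finance@example.gov"}]},
    {"CreationTime": "2021-03-02T14:40:10", "Operation": "Set-InboxRule",
     "UserId": "finance.coordinator@example.gov",
     "Parameters": [{"Name": "Identity", "Value": "cleanup"},
                    {"Name": "RedirectTo", "Value": "'Backup' <backup.box@other-example.org>"}]},
    {"CreationTime": "2021-03-02T15:01:33", "Operation": "New-InboxRule",
     "UserId": "hr.lead@example.gov",
     "Parameters": [{"Name": "Name", "Value": "archive"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
])


def analyze(log_json: str = SAMPLE_AUDIT_LOG) -> list[Finding]:
    """Parse a JSON array of audit records and return the external-forwarding findings."""
    return find_external_forwarding(json.loads(log_json))


if __name__ == "__main__":
    for f in analyze():
        print(f"ALERT {f.user}: {f.operation} set {f.parameter} -> {f.destination}")
```

Of the four constructed records, only the two that forward or redirect to a domain outside `example.gov` are reported; the internal forward and the move-to-folder rule are ignored. In practice the domain allow-list would be the organization's own accepted domains, and the rule that matches on subject words such as "wire" or "invoice" is worth surfacing on its own even when the destination is internal.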

Further measures that can be implemented to prevent and detect BEC attacks are detailed in the FBI Alert.

The post FBI Warns of Increase in Business Email Compromise Attacks on Local and State Governments appeared first on HIPAA Journal.

Verkada Surveillance Camera Hacker Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft

The Swiss hacktivist who gained access to the security cameras of the California startup Verkada in March 2021 has been indicted by the U.S. government for computer crimes from 2019 to present, including accessing and publicly disclosing source code and proprietary data of corporate and government victims in the United States and beyond.

Till Kottmann, 21, aka ‘tillie crimew’ and ‘deletescape’, resides in Lucerne, Switzerland and is a member of a hacking collective self-named APT 69420 / Arson Cats. Most recently, Kottmann admitted accessing the Verkada surveillance cameras used by many large enterprises, including Tesla, Okta, Cloudflare, and Nissan, as well as schools, correctional facilities, and hospitals. Live surveillance camera streams and archived footage were accessed between March 7 and March 9, 2021, and screenshots and videos from them were published online.

Ethical hackers often exploit vulnerabilities and gain access to systems and their efforts often result in vulnerabilities being addressed before they can be exploited by bad actors. The vulnerabilities are reported to the entities in question, and steps are taken to fix the vulnerabilities before details are publicly disclosed. In the case of Kottmann, responsible disclosure procedures were not followed. Sensitive information obtained from victims’ networks was publicly disclosed, with no attempts made to notify the breached entities directly prior to the disclosure of stolen data.

On March 18, 2021, Kottmann was indicted by a grand jury in the Western District of Washington for a string of computer intrusion and identity and data theft activities from 2019 to present. The indictment, which only names Kottmann, includes charges of one count of conspiracy to commit computer fraud and abuse, several counts of wire fraud, one count of conspiracy to commit wire fraud, and one count of aggravated identity theft.

Conspiracy to commit computer fraud and abuse carries a maximum jail term of 5 years, the wire fraud and conspiracy to commit wire fraud charges have a maximum jail term of 20 years, and the aggravated identity theft charge has a mandatory 24-month jail term, which runs consecutively to other sentences.

According to the indictment, Kottmann and co-conspirators hacked the systems of dozens of companies and government entities and published data stolen from more than 100 companies on the Internet. Kottmann most often targeted git and other source code repositories, and cloned the source code, files, and other confidential information, which often included access codes, hard-coded credentials, and other means of gaining access to corporate networks. Kottmann then used the stolen credentials for further intrusions, often copying additional information from victims’ networks before leaking the stolen data online.

According to the indictment, Kottmann would speak with the media and publish information on social media networks about her role in the hacks “to recruit others, grow the scheme, and further promote the hacking activity and Kottmann’s own reputation in the hacking community.”

The FBI’s cyber task force led the investigation into Kottmann, with Swiss law enforcement executing a search warrant of Kottmann’s property in Lucerne on March 12, 2021 that resulted in computer equipment being seized. The FBI recently seized a domain that was operated by Kottmann and used to publicly disclose stolen data.

“Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech – it is theft and fraud,” said Acting U.S. Attorney Tessa M. Gorman. “These actions can increase vulnerabilities for everyone from large corporations to individual consumers. Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud.”

The post Verkada Surveillance Camera Hacker Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft appeared first on HIPAA Journal.

February 2021 Healthcare Data Breach Report

There was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans, and their business associates in February, the majority of which were hacking incidents.

Healthcare Data Breaches Past 12 Months

After two consecutive months in which more than 4 million records were breached each month, there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches.

Healthcare Records Breached Past 12 Months

Largest Healthcare Data Breaches Reported in February 2021

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach
--- | --- | --- | --- | --- | ---
The Kroger Co. | OH | Healthcare Provider | 368,100 | Hacking/IT Incident | Ransomware
BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) | TX | Healthcare Provider | 100,487 | Hacking/IT Incident | Phishing
RF EYE PC dba Cochise Eye and Laser | AZ | Healthcare Provider | 100,000 | Hacking/IT Incident | Ransomware
Gore Medical Management, LLC | GA | Healthcare Provider | 79,100 | Hacking/IT Incident | Hacking incident
Summit Behavioral Healthcare | TN | Healthcare Provider | 70,822 | Unauthorized Access/Disclosure | Phishing
Humana Inc | KY | Health Plan | 62,950 | Unauthorized Access/Disclosure | Subcontractor shared PHI without consent
Nevada Orthopedic & Spine Center | NV | Healthcare Provider | 50,000 | Hacking/IT Incident | Unconfirmed
Fisher Titus Health, Inc. | OH | Health Plan | 49,636 | Hacking/IT Incident | Phishing
Covenant HealthCare | MI | Healthcare Provider | 47,178 | Hacking/IT Incident | Phishing
UPMC | PA | Healthcare Provider | 36,086 | Hacking/IT Incident | Phishing attack on BA
Grand River Medical Group | IA | Healthcare Provider | 34,000 | Hacking/IT Incident | Phishing
AllyAlign Health, Inc. | VA | Health Plan | 33,932 | Hacking/IT Incident | Ransomware
Harvard Eye Associates | CA | Business Associate | 29,982 | Hacking/IT Incident | Ransomware attack on BA
Texas Spine Consultants, LLP | TX | Healthcare Provider | 25,728 | Unauthorized Access/Disclosure | Unconfirmed
UPMC Health Plan | PA | Health Plan | 19,000 | Hacking/IT Incident | Phishing attack on BA

Causes of February 2021 Healthcare Data Breaches

Three breaches of more than 100,000 records were reported in February. The largest healthcare data breach of the month was reported by Kroger, an Ohio-based chain of supermarkets and pharmacies. The breach was due to a CLOP ransomware attack on a vendor – Accellion – that resulted in the theft of the protected health information of 368,100 of its customers. Kroger was one of several HIPAA-covered entities to be affected by the breach.

Elara Caring, one of the nation’s largest providers of home-based care, announced that several employee email accounts containing protected health information had been accessed by unauthorized individuals as a result of responses to phishing emails. Cochise Eye and Laser was also the victim of a ransomware attack in which the protected health information of 100,000 individuals was potentially stolen.

February 2021 Healthcare Data Breaches - Causes

Phishing attacks were the most common cause of data breaches in February, with network server incidents a close second. The latter mostly involved hacking and the deployment of malware or ransomware. Hacking incidents accounted for 71.1% of the month’s breaches and 85.7% of all records breached in the month. The average size of a hacking breach was 30,239 records and the median breach size was 8,849 records.

There were 10 unauthorized access/disclosure incidents reported in February involving 172,799 records. The average breach size was 17,280 records and the median breach size was 2,497 records. There were 2 theft incidents and 1 loss incident reported, involving a total of 3,773 records; all three involved paper records.

February 2021 Healthcare Data Breaches - Location of breached PHI

Entities Reporting Healthcare Data Breaches in February 2021

Healthcare providers were the worst affected covered entity type in February, with 35 breaches reported. There were 5 breaches reported by health plans and 5 reported by business associates of HIPAA-covered entities. A further 5 breaches were reported by the covered entity but had some business associate involvement.

Entities affected by February 2021 healthcare data breaches

Healthcare Data Breaches by State

Healthcare data breaches of 500 or more records were reported in 20 states in February 2021. The worst affected states were California and Texas with six breaches reported in each state. 5 entities in Pennsylvania reported breaches, there were 4 breaches reported in Florida and Michigan, 2 in each of North Carolina, Nevada, Ohio, Tennessee, and Virginia, and 1 in each of Arizona, Colorado, Georgia, Iowa, Kentucky, Louisiana, Minnesota, North Dakota, Utah, and Wyoming.

HIPAA Enforcement Activity in February 2021

In February, the HHS’ Office for Civil Rights announced two settlements had been reached with HIPAA-covered entities to resolve potential violations of the HIPAA Rules. Both enforcement actions were in response to complaints from patients who had not been provided with timely access to their medical records.

OCR launched a new enforcement initiative in late 2019 targeting healthcare providers that were not complying with the HIPAA Right of Access provision of the HIPAA Privacy Rule. Three Right of Access enforcement actions have resulted in settlements so far in 2021, with the latest two bringing the total number of settlements under this enforcement initiative to 16.

Sharpe Healthcare settled its case with OCR and paid a $70,000 penalty and Renown Health settled its case for $75,000.

The post February 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

FBI: $4.2 Billion Lost to Cybercrime in 2020

The Federal Bureau of Investigation (FBI) has published its annual Internet Crime Report. 791,790 complaints were made to the FBI’s Internet Crime Complaint Center (IC3) in 2020, which is a 69% increase from 2019. More than $4.2 billion was lost to cybercrime in 2020, an increase of 20% from 2019. Since 2016, there have been reported losses to cybercrime of more than $13.3 billion.

In 2020, the most reported cybercriminal activity was phishing, which accounted for 30.5% of all complaints to IC3. 2.45% of complaints were about business email compromise (BEC) attacks. Business email compromise scams involve compromising a business email account through social engineering or phishing and using the account to arrange fraudulent transfers of funds. While these incidents were far less numerous than phishing, they were the biggest cause of losses: $1,866,642,107 was lost to BEC attacks in 2020. 2020 saw a 19% reduction in BEC attacks compared to 2019, although losses increased by $0.1 billion.

FBI IC3 2020 Losses to Cybercrime

Source: IC3 Internet Crime Report 2020

In 2020, cybercriminals exploited the COVID-19 pandemic to scam businesses and individuals. IC3 received more than 28,500 complaints about COVID-19 related scams, including scams targeting the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which provided small businesses with financial assistance during the pandemic.

Thousands of complaints were received by IC3 about scams targeting unemployment insurance, Paycheck Protection Program (PPP) loans, and Small Business Economic Injury Disaster Loans, as well as phishing scams that used COVID-19 themed lures to obtain personally identifiable information to steal identities and fraudulently apply for CARES Act benefits. Recently, IC3 has been receiving complaints about scams related to vaccines, such as demands to pay out of pocket to receive the vaccine, be placed on a waiting list, or get early access to the vaccine.

Tech support fraud is a growing problem. These scams involve offers of customer, security, and technical support to resolve non-existent problems and defraud individuals. 15,421 complaints about tech support scams were received by IC3 in 2020 from victims in 60 countries, with more than $146 million lost to the scams in 2020, up 171% from 2019.

2,474 complaints were made to IC3 about ransomware attacks, which involved adjusted losses of $29.1 million. Ransomware was most commonly installed following email phishing campaigns, exploitation of Remote Desktop Protocol (RDP) vulnerabilities, and exploitation of unpatched vulnerabilities in software.

The FBI reported on the major successes of the IC3 Recovery Asset Team (RAT) in 2020. RAT was set up in 2018 to streamline communications with financial institutions to freeze transfers made to domestic accounts under false pretenses. RAT dealt with 1,303 incidents in 2020 involving losses of almost $463 million. The team had an 82% success rate and was able to freeze more than $380 million in fraudulent transfers.

One of the major successes was seen in June 2020 when a victim company was tricked into making a fraudulent $60 million payment to a Hong Kong bank account. The St. Louis field office was able to block and recover all $60 million. In April 2020, a healthcare victim was tricked into making 5 wire transfers totaling more than $2 million. RAT was able to successfully implement its Financial Fraud Kill Chain (FFKC) and freeze the transfers.

The post FBI: $4.2 Billion Lost to Cybercrime in 2020 appeared first on HIPAA Journal.

CISA/FBI Issue Joint Alert About Spear Phishing Attacks Delivering TrickBot Malware

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about TrickBot malware. TrickBot was first identified in 2016 and started out as a banking Trojan, but the malware has since had a host of new capabilities added and is now extensively used as a malware loader for delivering other malware variants, including ransomware such as Ryuk and Conti.

“TrickBot has evolved into a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities,” explained CISA/FBI in the alert.

In late 2019, TrickBot survived an attempt by Microsoft and its partners to disrupt its infrastructure and spam campaigns distributing the malware soon recommenced, with TrickBot activity surging in recent weeks. Earlier this month, Check Point researchers warned about an increase in TrickBot infections following the takedown of the Emotet botnet. TrickBot was the 4th most prevalent malware variant in 2020 and rose to third in January 2021; however, since the Emotet botnet was disrupted, TrickBot has become the most widely distributed malware variant and tops Check Point’s malware index for the first time.

TrickBot was used in the ransomware attack on Universal Healthcare Services that took systems offline for several weeks. TrickBot was used to gain access to UHS systems and detect and harvest data, after which the malware delivered the Ryuk ransomware payload. The attack caused UHS to suffer losses of $67 million in 2020.

TrickBot is primarily distributed via spear phishing emails, which are tailored to the organization being targeted. The emails use a combination of malicious attachments and hyperlinks to websites where the malware is downloaded. In February, the TrickBot gang conducted a large-scale phishing campaign targeting the legal and insurance sectors that used a .zip file attachment containing malicious JavaScript to deliver the malware.

One of the most recent phishing campaigns uses fake traffic violation notifications as the lure to get recipients to open a “photo proof” of the traffic violation. Clicking the photo launches a JavaScript file that establishes a connection with the gang’s command and control (C2) server and TrickBot malware is downloaded onto the victim’s system.

TrickBot is capable of lateral movement via the Server Message Block (SMB) Protocol, exfiltrates sensitive data from victim systems, and is capable of cryptomining and host enumeration. “TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting to trying to manipulate, interrupt, or destroy systems and data,” explained CISA/FBI.

CISA has developed a snort signature for detecting network activity associated with TrickBot malware and the CISA/FBI alert also details cybersecurity best practices that make it harder for TrickBot to be installed and will help to harden systems against network propagation.

The post CISA/FBI Issue Joint Alert About Spear Phishing Attacks Delivering TrickBot Malware appeared first on HIPAA Journal.

2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

2021 was a challenging year for healthcare organizations. Not only was the industry on the frontline in the fight against COVID-19, but hackers also took advantage of overrun hospitals to steal data and conduct ransomware attacks.

The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net.

The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised.

Healthcare Hacking Incidents Increased by 42% in 2020

Healthcare hacking incidents increased by 42% in 2020, continuing a 5-year trend that has seen hacking incidents increase each year. 470 incidents were classed as hacking-related breaches, which accounted for 62% of all breaches in the year. 31,080,823 healthcare records were compromised in the 277 incidents where the number of affected individuals is known. Many of the 2020 hacking incidents involved the use of ransomware. Ransomware attacks increased considerably in 2020, with more than double the number of ransomware attacks on healthcare organizations than in 2019.

Surge in Insider Data Breaches in 2020

There had been a four-year decline in insider breaches, but the Protenus report shows that insider data breaches increased in 2020. More than 8.5 million records were exposed or compromised in those incidents – more than double the number of records breached by insiders in 2019. In fact, more records were breached by insiders in 2020 than in 2017, 2018, and 2019 combined. In 2020, 1 in 5 data breaches was an insider incident.

Insider breaches include insider errors and insider wrongdoing. 96 breaches involved insider error in 2020, of which data was obtained for 74 of the incidents. There were 45 cases of insider wrongdoing, with data obtained for 30 of the incidents. Errors by employees resulted in the exposure of the protected health information of at least 7,673,363 individuals and insider wrongdoing incidents resulted in the exposure/theft of at least 241,128 records.

Business Associates Often Involved

The number of data breaches involving business associates increased in 2020, with 12% of all breaches having at least some business associate involvement. Business associate breaches resulted in the exposure or theft of more than 24 million patient records, with 55% of all hacking incidents having some business associate involvement along with 25% of insider error incidents. The number of breaches involving business associates could be considerably higher as the researchers were unable to accurately determine if business associates were involved in many of the breaches.

Data Breaches Discovered Faster but Breach Reporting Slower

In 2020 it took an average of 187 days from the breach occurring to discovery by the breached entity, which is a considerable improvement on the 224-day average discovery time in 2019. In 2020, the median discovery time was just 15 days. However, there was considerable variation in discovery times, from almost immediately in some cases to several years after the breach in others.

Reporting on data breaches was slower than in 2019, with the average time for reporting a breach increasing from 80 days in 2019 to 85 days in 2020, with a median time of 60 days – the maximum time allowed for reporting a breach by the HIPAA Breach Notification Rule. The figures were based on just 339 out of the 758 breaches due to a lack of data.

“The current climate has increased risk for health systems as a new trend emerged of at least two data breaches per day, a troubling sign of the continuing vulnerability of patient information, heightened by the pandemic,” explained Protenus in the report. “Healthcare organizations need to leverage technology that allows organizations to maintain compliance priorities in a resource-constrained environment. Hospitals can’t afford the costs often associated with these incidents, as more than three dozen hospitals have filed bankruptcy over the last several months. Non-compliance is not an option.”

The post 2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches appeared first on HIPAA Journal.

Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras

A hacking collective has gained access to the systems of the Californian security camera startup Verkada Inc. and the live feeds and archived footage from almost 150,000 cloud-connected surveillance cameras used by large corporations, schools, police departments, jails, and hospitals.

As initially reported by Bloomberg, Verkada’s systems were accessed by a white hat hacking collective named Advanced Persistent Threat 69420 using credentials they found on the Internet. Those credentials gave the group super admin level privileges, which provided root access to the security cameras and, in some cases, the internal networks of the company’s clients. The hackers also said they were able to obtain the full list of Verkada clients and view the company’s private financial information.

Verkada’s systems were not accessed with a view to conducting any malicious actions; instead, the aim was to raise awareness of the ease with which the systems could be hacked. Malicious threat actors could just as easily have gained access to Verkada’s systems for a range of malicious purposes.

Till Kottmann, one of the hackers in the collective, said her collective accessed Verkada systems on March 8, 2021 and had full access for around 36 hours. Since the system was fully centralized, it was easy to access and download camera footage from its clients. Kottmann described the security on Verkada’s systems as “nonexistent and irresponsible.” Kottmann said an internal development system had inadvertently been exposed to the Internet and hard-coded credentials for a system account were stored in an unencrypted subdomain that provided full access.

The hackers were able to use the credentials to log in to the web-based system that all customers use to access their own security cameras, but the super admin privileges allowed them to access the security cameras of all customers.

Footage was obtained from corporate customers including Tesla, Equinox, Cloudflare, and Nissan, along with camera feeds from Madison County Jail in Huntsville, AL, Sandy Hook Elementary School in Newtown, CT and many others.

The security cameras of ICU departments in hospitals could also be accessed, including Halifax Health in Florida and Wadley Regional Medical Center in Texarkana, TX.

Verkada issued a statement about the hacking incident, saying “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.” All affected customers have now been notified and an investigation into the breach has been launched.

Surveillance Cameras are a Potential Security Risk

The hacking incident should serve as a wake-up call about the dangers of surveillance cameras. While security cameras can improve security, they may also be a security weak point. This incident is certainly notable in terms of scale, but Verkada is not the only security camera company to have suffered a breach.

In 2020, the threat group behind the Chalubo and FBot botnets – which target poorly secured IoT devices – was discovered to be exploiting vulnerabilities in CCTV cameras manufactured by Taiwan-based LILIN and using the devices for DDoS attacks.

Also in 2020, vulnerabilities were identified in around 700,000 security cameras including those manufactured by Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT, and Tenvis which put them at risk of being hacked. The vulnerabilities could be exploited to bypass firewalls and steal passwords. The flaws were present in a P2P solution from Shenzhen Yunni Technology Company that was used by the camera manufacturers.

The post Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras appeared first on HIPAA Journal.

Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion

Ransomware attacks on the healthcare industry skyrocketed in 2020. In 2020, at least 91 US healthcare organizations suffered ransomware attacks, up from 50 the previous year. 2020 also saw a major ransomware attack on the cloud software provider Blackbaud, with that attack known to have affected at least 100 US healthcare organizations.

The first known ransomware attack occurred in 1989 but early forms of ransomware were not particularly sophisticated and attacks were easy to mitigate. The landscape changed in 2016 when a new breed of ransomware started to be used in attacks.

These new ransomware variants use powerful encryption and delete or encrypt backup files to ensure data cannot be easily recovered without paying the ransom. Over the past 5 years ransomware has been a constant threat to the healthcare industry, with healthcare providers being increasingly targeted in recent years. Attacks now see sensitive data stolen prior to file encryption, so even if files can be recovered from backups, payment is still required to prevent the exposure or sale of stolen data.

Healthcare ransomware attacks cripple IT systems, prevent patient medical records from being accessed, cause disruption to patient care, and put patient safety at risk. Recovering data and restoring systems can take weeks or months and mitigating the attacks is expensive, with considerable loss of revenue due to downtime. In 2020, the ransomware attack on the University of Vermont Health Network was costing $1.5 million a day in recovery costs and lost revenue.

The True Cost of Healthcare Ransomware Attacks

Researchers at Comparitech recently conducted a study to identify the true cost of ransomware attacks on US healthcare organizations. The researchers gathered information on all ransomware attacks reported to the US Department of Health and Human Services’ Office for Civil Rights since 2016, as well as attacks reported through media outlets that were not made public by OCR because they affected fewer than 500 individuals.

Calculating the true cost of healthcare ransomware attacks is difficult, as only limited data is made public. Ransoms may be paid, but the amounts are often not disclosed and attacks that affect fewer than 500 individuals are often not made public.

The researchers identified 92 healthcare ransomware attacks in 2020, including the attack on Blackbaud. More than 600 separate hospitals, clinics, and other healthcare facilities were affected by those attacks, with a further 100 affected by the attack on Blackbaud. Those attacks involved the theft or exposure of the protected health information of at least 18,069,012 patients.

Ransom demands ranged from $300,000 to $1.14 million, with data from Coveware indicating an average ransom demand of $169,446 in 2020. A total of $15.6 million in ransoms was demanded from healthcare organizations in the United States in 2020, and $2,112,744 is known to have been paid to ransomware gangs in 2020. The true figure is substantially higher, as many ransoms were paid but the amounts were not publicly disclosed.

In addition to the ransom payment there is the cost of downtime, which in some cases can be weeks or months following the attack. Coveware research indicates the average downtime ranged from 15 days in Q1, 2020 to 21 days in Q4, 2020. The Comparitech researchers determined the total downtime from the attacks in 2020 was likely to be 1,669 days. Using a 2017 estimate of the cost of downtime of $8,662 per minute, the researchers determined the attacks cost at least $20.8 billion in 2020, which is more than double the estimated cost of ransomware attacks in 2019 ($8.46 billion).

The researchers identified 270 healthcare ransomware attacks in the United States between January 2016 and December 2020, which affected around 2,100 hospitals, clinics, and other healthcare facilities. The attacks resulted in the theft or encryption of the records of more than 25 million individuals, with the overall cost to the healthcare industry estimated to be $31 billion.

Healthcare ransomware attacks 2016-2020. Source: Comparitech.

You can view the full findings from the Comparitech healthcare ransomware study on this link.

The post Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion appeared first on HIPAA Journal.

Small and Medium Sized Practices Under Increased Pressure from Cyberattacks

2020 saw cyberattacks on healthcare organizations increase significantly. While large healthcare organizations are being targeted by Advanced Persistent Threat (APT) groups and ransomware gangs, there has also been a marked increase in attacks on small- to medium-sized healthcare organizations.

A cyberattack on a large healthcare organization could allow the hackers to steal large quantities of protected health information, and ransomware attacks on such organizations typically see ransom demands issued for millions of dollars. The rewards from these attacks are considerable, but large healthcare organizations tend to invest heavily in cybersecurity and often have their own IT security teams to protect and monitor their networks. Attacks on these organizations require more skill and can be difficult and time-consuming.

Medium-sized healthcare organizations also store large amounts of sensitive data, yet their networks tend to be less well protected, which makes cyberattacks much easier and still highly profitable.

Cyberattacks on Small- and Medium-Sized Healthcare Organizations are Increasing

The CTI League recently published a report highlighting the work completed by its “Dark Team” on emerging threats to the healthcare industry. In the final quarter of 2020, its researchers identified a sharp increase in cyberattacks on the healthcare sector. “From October to December the CTI League observed a dramatic uptick in focused attacks against healthcare entities, particularly small and medium sized hospitals and clinics, which impacted clinical workflows at hundreds of healthcare providers,” explained the researchers in the report.

Ransomware attacks on small to mid-sized healthcare organizations have been increasing, according to the ransomware response company Coveware. Coveware’s data for Q3, 2020 shows more than 70% of ransomware attacks were conducted on companies with fewer than 1,000 employees, and 65.9% of ransomware attacks in Q4, 2020 were on small (30.2%) and medium (35.7%) sized companies. The Ryuk and Sodinokibi ransomware operations continue to target large enterprises, but there are many more smaller operations that target small- to medium-sized entities, including the Dharma, Snitch, and Netwalker ransomware operations.

Q4, 2020 Ransomware Attacks. Source: Coveware

Attacks on small- and medium-sized organizations tend to be easier to pull off, as access controls tend to be simpler and it is less common for 2-factor authentication to be implemented. These organizations also tend to have less robust backup systems, which makes data recovery without paying the ransom problematic. Oftentimes backups are performed, but they do not cover all systems, or the backups are not tested to make sure file recovery is possible. It is also common for cybersecurity best practices such as network segmentation not to be followed.

These organizations have less money available to devote to cybersecurity and often lack skilled in-house cybersecurity professionals. It is also common for them not to view themselves as targets for hackers. Medium-sized healthcare organizations are undoubtedly a sweet spot: attacks are easier because defenses are poorer, so less skill is required to breach them. That makes them attractive targets for the affiliates of many of the smaller ransomware operations. These organizations are also likely to have the funds available to pay reasonably high ransom demands.

How Can Small- and Medium-Sized Healthcare Organizations Improve their Security Posture?

Preventing attacks with limited resources can be difficult, so it is important to concentrate on the main attack vectors. The initial aim is not to make it impossible for systems to be compromised, but to make small changes that improve defenses and make attacks harder.

Phishing is the most common attack vector, so improving defenses against phishing emails will go a long way toward improving your security posture. An advanced email security solution will help to block more phishing emails for a relatively low cost. Employee security awareness training will help to make employees aware of cyber threats, and the importance of training employees to identify phishing emails cannot be overstated. Strong passwords need to be set, and 2-factor authentication should be implemented on all username-password systems.

RDP compromise is also a common attack vector. Start by changing default ports, locking out accounts after a set number of failed logins to block brute-force guessing of weak passwords, and using whitelists to restrict access. Also ensure you apply patches and perform security updates promptly to correct known vulnerabilities. If it is not possible to apply patches, ensure those systems are not Internet facing, and segment networks to hamper lateral movement and limit the harm caused if systems are breached.
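The lockout and whitelist controls described above are easier to reason about when you can see the events they act on. The script below is an added example (not from HIPAA Journal, Coveware or any product mentioned on this page) that runs brute-force and allowlist detection over a constructed, simplified rendering of Windows Security logon events: EventID 4625 is a failed logon, 4624 a successful one, and LogonType 10 marks RemoteInteractive (RDP) sessions. The line format, the field names, the 10.0.0.0/8 approved range, the 5-failures-in-5-minutes threshold and the sample IP addresses are all assumptions for this example.

```python
"""Flag RDP brute-force activity and RDP logons from unapproved sources.

Added example. The log format below is a constructed, simplified rendering of
Windows Security events (4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive/RDP); the field names, the policy values and
every address in the sample are assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample export: a burst of failures from 203.0.113.45 (an RFC 5737
# documentation address), then a successful RDP logon from that same source,
# mixed with ordinary activity from the internal range.
SAMPLE_LOG = """\
2021-03-18T02:14:01Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.20.5.17
2021-03-18T02:14:07Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2021-03-18T02:14:09Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2021-03-18T02:14:12Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2021-03-18T02:14:15Z EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.45
2021-03-18T02:14:20Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2021-03-18T02:14:31Z EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=10.20.5.17
2021-03-18T02:15:02Z EventID=4624 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2021-03-18T02:40:00Z EventID=4625 LogonType=10 TargetUser=nurse1 SourceIP=10.20.5.18
"""

# Assumed policy: only the internal VPN range may reach RDP, and five failures
# from one address inside five minutes is treated as brute force (this mirrors
# the "lock out after N failed logins" control, applied per source address).
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Turn one 'timestamp Key=Value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def is_allowed(ip):
    """True if the source address falls inside an approved RDP source range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def analyze(log_text):
    """Return (kind, source_ip, detail) findings for the RDP events in the log."""
    findings = []
    recent_failures = defaultdict(deque)  # source -> failure timestamps in window
    flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event["LogonType"] != "10":
            continue  # only RemoteInteractive (RDP) logons matter here
        src = event["SourceIP"]
        if event["EventID"] == "4625":
            window = recent_failures[src]
            window.append(event["time"])
            while window and event["time"] - window[0] > WINDOW:
                window.popleft()  # drop failures older than the sliding window
            if len(window) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                findings.append(("brute_force", src,
                                 f"{len(window)} failures within {WINDOW}"))
        elif event["EventID"] == "4624":
            if not is_allowed(src):
                findings.append(("rdp_from_unapproved_source", src, event["TargetUser"]))
            if src in flagged:
                # A success following a failure burst deserves immediate attention.
                findings.append(("success_after_brute_force", src, event["TargetUser"]))
    return findings


if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG):
        print(f"{kind:28s} {src:16s} {detail}")
```

On the sample data the script raises three findings, all for 203.0.113.45: the failure burst itself, an RDP logon from outside the approved range, and a success following that burst. The allowlist check is the detection-side twin of the firewall whitelist the text recommends; if the whitelist is enforced at the network edge, the second finding should never fire, so its appearance is a sign the control has a gap.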

The post Small and Medium Sized Practices Under Increased Pressure from Cyberattacks appeared first on HIPAA Journal.