Healthcare Cybersecurity

CISA Publishes Healthcare-Specific Guidance for Improving Cyber Resilience

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published healthcare sector-specific guidance on enhancing cyber resilience. The guidance is based on the findings from a two-week risk and vulnerability assessment that was performed in January 2023 at the request of a large healthcare organization that was looking to identify vulnerabilities and potential security improvements.

CISA spent the first week conducting external penetration tests to identify weaknesses that could be exploited from the internet, and the second week assessing the internal network, with testing covering web applications, databases, wireless access points, and phishing. The unnamed organization was found to have secured its external perimeter sufficiently: CISA was unable to find any vulnerabilities that could be easily exploited by malicious actors and was unable to gain access through phishing; however, several weaknesses were identified during internal penetration tests. CISA was able to exploit misconfigurations, weak passwords, and other security issues through multiple attack paths and compromise the organization's domain.

The penetration and web application testing uncovered no vulnerabilities that could easily be exploited and payloads used in the phishing tests were blocked by a combination of browser controls, security policies, and antivirus software. While some of the payloads were downloaded to disk, they were immediately neutralized by the antivirus software when executed, and while some payloads appeared to have evaded internal protections, they failed to make a connection with their C2 servers.

Phishing tests were also performed on end users in an attempt to harvest credentials. Twelve individuals responded to the phishing emails and disclosed their credentials, but the credentials could not be used: those individuals only had limited access to external-facing resources, and multi-factor authentication had been implemented for cloud accounts. CISA notes that its assessment did not include adversary-in-the-middle attacks using phishing kits such as Evilginx, which proxy the real login page and capture the resulting session cookie, bypassing conventional multifactor authentication. CISA recommends phishing-resistant multifactor authentication, such as FIDO2 security keys or PIV smart cards, to block attacks involving these kits.

The internal penetration tests started with a connection to the network without a valid domain account and attempted to gain domain user access and then escalate privileges until the domain was compromised. The organization’s domain was compromised using four attack paths, and in the fifth attack path, CISA was able to access sensitive information. CISA was able to obtain 55 password hashes, one of which was for a service account that had a weak password that was easily cracked to obtain access to the organization’s domain.

The web application tests identified default credentials in multiple web applications that had not been changed, as well as default printer credentials, along with misconfigurations that allowed CISA to authenticate to the domain controller and validate administrator privileges. CISA used the CrackMapExec tool to spray easily guessable passwords across domain accounts, obtained two sets of valid credentials for standard domain user accounts, and demonstrated a path from those accounts to domain compromise. CISA also found that several systems on the network did not enforce SMB signing, a misconfiguration that allows captured NTLM authentication to be relayed to those systems; CISA exploited it to obtain credentials for two additional domain administrator accounts, which were validated, confirming domain compromise.
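The password spray that gave CISA its first set of valid credentials in this path leaves a recognizable trace in Windows Security logs: a burst of Event ID 4625 (failed logon) records from one source against many different accounts, as opposed to many failures against a single account. The detection logic below is an added example and is not part of CISA's advisory; the event records are constructed, and the field set (timestamp, event ID, TargetUserName, IpAddress) is assumed to have already been extracted from the event XML by a log collector.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security: "An account failed to log on"
SUCCESS_LOGON = 4624  # Windows Security: "An account was successfully logged on"

# Constructed sample events, not real log data: (timestamp, event_id, account, source_ip)
SAMPLE_EVENTS = [
    # one source trying a single password against many different accounts
    ("2023-01-10T09:00:01", 4625, "jsmith",     "10.20.30.40"),
    ("2023-01-10T09:00:02", 4625, "mjones",     "10.20.30.40"),
    ("2023-01-10T09:00:03", 4625, "svc_backup", "10.20.30.40"),
    ("2023-01-10T09:00:04", 4625, "rlee",       "10.20.30.40"),
    ("2023-01-10T09:00:05", 4625, "akhan",      "10.20.30.40"),
    ("2023-01-10T09:00:06", 4625, "dpatel",     "10.20.30.40"),
    ("2023-01-10T09:00:07", 4624, "dpatel",     "10.20.30.40"),  # one guess worked
    # a user mistyping their own password repeatedly: noisy, but not a spray
    ("2023-01-10T09:05:00", 4625, "bwhite",     "10.20.30.99"),
    ("2023-01-10T09:05:10", 4625, "bwhite",     "10.20.30.99"),
    ("2023-01-10T09:05:20", 4625, "bwhite",     "10.20.30.99"),
    ("2023-01-10T09:05:30", 4625, "bwhite",     "10.20.30.99"),
    ("2023-01-10T09:05:40", 4625, "bwhite",     "10.20.30.99"),
    # same source as the spray but hours later, outside any 10-minute window
    ("2023-01-10T15:00:00", 4625, "zzhou",      "10.20.30.40"),
]


def detect_sprays(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source whose failed
    logons hit at least `min_accounts` different accounts within any sliding
    interval of length `window`. Per-account failure counts are deliberately
    ignored: a spray stays below lockout thresholds on each account."""
    failures = defaultdict(list)
    for ts, event_id, account, source in events:
        if event_id == FAILED_LOGON:
            failures[source].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for source, attempts in failures.items():
        attempts.sort()
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            # slide the window start forward until it fits inside `window`
            while t_end - attempts[start][0] > window:
                start += 1
            accounts = {acct for _, acct in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[source] = sorted(accounts | set(flagged.get(source, [])))
    return flagged


def successful_after_spray(events, sprays):
    """Accounts that logged on successfully from a spraying source: the
    credentials the attacker should be assumed to hold and that need resetting."""
    hits = {account for _, event_id, account, source in events
            if event_id == SUCCESS_LOGON and source in sprays}
    return sorted(hits)


if __name__ == "__main__":
    sprays = detect_sprays(SAMPLE_EVENTS)
    for src, accts in sprays.items():
        print(f"possible password spray from {src}: {len(accts)} accounts {accts}")
    print("successful logons from spraying sources:",
          successful_after_spray(SAMPLE_EVENTS, sprays))
```

The single-user lockout pattern (five failures, one account) is not reported, while the spraying host is, and the follow-up query turns the alert into the action that matters: which guessed credentials actually worked.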

The fifth attack path involved vulnerability scanning, which identified a server that had not been patched against EternalBlue (MS17-010, CVE-2017-0144), a remote code execution vulnerability in SMB version 1. CISA used a well-known public exploit for the vulnerability to establish a shell on the server, allowing commands to be executed in the context of the local SYSTEM account. CISA also identified multiple instances of password reuse, which allowed access to several resources containing sensitive information.

The methods and tools used by CISA in its assessments are commonly used by hackers for post-compromise activities. If initial access was gained, the internal vulnerabilities could have been exploited to achieve a full domain compromise. The key findings of the assessments have been published in a cybersecurity advisory – Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment – along with recommended mitigations for addressing the vulnerabilities, which are likely to exist in many healthcare organizations. The guidance can also be applied by software companies and organizations in other critical infrastructure sectors.

The post CISA Publishes Healthcare-Specific Guidance for Improving Cyber Resilience appeared first on HIPAA Journal.

AHA Opposes HHS Plan to Penalize Hospitals for Cybersecurity Failures

The American Hospital Association (AHA) is urging the U.S. Department of Health and Human Services (HHS) to reconsider its plan to make it mandatory for hospitals to comply with new cybersecurity requirements and issue financial penalties if they fail to do so.

Last week, the HHS published its healthcare cybersecurity strategy, which outlines the steps the HHS has taken and plans to take in the future to improve healthcare cybersecurity. Those plans include introducing two tiers of Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) – essential and enhanced. The essential HPH CPGs will include high-impact cybersecurity requirements for improving cyber resiliency and are intended to establish a baseline for cybersecurity, whereas the enhanced HPH CPGs are desirable cybersecurity requirements to further improve security and protect patient privacy. While both tiers of HPH CPGs would be voluntary initially, the HHS explained in its cybersecurity strategy that it plans to make the essential HPH CPGs enforceable in the future and will be working with Congress to increase the penalties for HIPAA violations.

The AHA believes that forcing hospitals to make investments in cybersecurity and imposing financial penalties if they suffer a cyberattack and haven’t implemented certain cybersecurity measures would be counterproductive and undermine the efforts hospitals are already making to improve cybersecurity. “Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks,” said AHA President and CEO Rick Pollack. “The AHA has long been committed to helping hospitals and health systems with these efforts, working closely with our federal partners, including the FBI, HHS, Cybersecurity and Infrastructure Security Agency, and many others to prevent and mitigate cyberattacks.”

While the AHA expressed support for the HHS proposal to issue incentives for improving cybersecurity and to make funding available to help low-resource hospitals cover the initial cost of cybersecurity improvements, it argued that punishing hospitals financially is unfair, especially when cyberattacks are commonly conducted by sophisticated cyber actors who work in collusion with hostile nation-states.

“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.”

The post AHA Opposes HHS Plan to Penalize Hospitals for Cybersecurity Failures appeared first on HIPAA Journal.

Healthcare and Public Health Sector Warned About Open Source Software Risks

The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) has released a threat report warning about the risks of open source software, which are far-ranging in healthcare. Open source software was first pioneered by scientists, researchers, and academics and was predicated on the free and open sharing of knowledge. The code for the software is available for anyone to inspect, and changes can be suggested to improve functionality and correct errors and vulnerabilities. As software became more commercialized, the share of open source software declined; however, it remains pervasive, especially in healthcare, where open source code is used in a wide range of systems, including electronic health records, prescription software, medical billing software, clinic management software, inventory management software, and medical device components.

Benefits and Risks of Open Source Software

Open source software has many benefits, such as lowering starting costs, shortening the time to market, increasing feedback and collaboration, and allowing more flexible software development processes, and these benefits can be considerable. It is therefore no surprise that this year's Open Source Security and Risk Analysis (OSSRA) report from Synopsys found open source software in 96% of the scanned codebases, with 76% of the code in those codebases being open source. In healthcare, health tech, and life sciences, the percentage of codebases containing open source code increased from around 65% in 2018 to 80% in 2022.

Synopsys determined that 84% of codebases contained at least one vulnerability and 48% contained high-risk vulnerabilities. While having many eyes on the code increases the chance of vulnerabilities being identified and corrected, publishing the code does not guarantee that anyone will inspect it for security issues, nor that the people who do inspect it are capable of finding vulnerabilities. The code is equally available to malicious actors, who can search it for vulnerabilities to exploit.

Because open source code lets developers add functionality quickly, easily, and cheaply, it is used extensively, which means that a vulnerability in a widely used component is likely to be embedded in many thousands of applications. A further problem is that open source code is often incorporated into an application and never updated, and many organizations fail to track where it has been used. When a vulnerability is identified and fixed upstream, the fix may never be applied, because the organization does not know which of its applications need updating. Vulnerabilities may also go unfound: open source projects often lack centralized quality controls, there is no guarantee that the code has been rigorously tested, and many projects lack the structure or resources to take accountability for security issues.

Open Source Software Vulnerabilities Exploited in Healthcare Cyberattacks

While there have been no documented cyberattacks that have specifically targeted medical devices by exploiting open source software vulnerabilities, the potential for harm from attacks on medical devices is considerable. Attacks exploiting open source vulnerabilities could result in medical devices such as insulin pumps, implanted cardioverter defibrillators, defibrillators, and ventilators malfunctioning, with severe implications for patient safety.

Open source software vulnerabilities have been exploited in attacks on the healthcare sector. The Heartbleed vulnerability in OpenSSL (CVE-2014-0160), disclosed in April 2014, allowed attackers to read server memory, exposing private keys, session data, and credentials; in August 2014, a breach at a health system that exposed the PHI of 4.5 million patients was attributed to exploitation of Heartbleed. More recently, in August 2020, several zero-day vulnerabilities in an open source integrated information management system at a hospital exposed patients' test results, and in December 2021, the Log4Shell flaw (CVE-2021-44228) in the open source Log4j library, which is used to add logging to Java-based applications, was extensively exploited. The flaw was exploited by nation-state hacking groups such as HAFNIUM and PHOSPHORUS (also tracked as APT35), allowing access to sensitive data and full control of vulnerable systems, and by cybercriminal groups such as Conti in ransomware attacks. In January this year, a series of flaws were found in the open source OpenEMR electronic health record software, which could be exploited to steal patient data and potentially compromise an organization's entire IT infrastructure.

Recommendations for Reducing Open Source Software Risks

In order to address the risks of open source software, organizations need to know what open source components have been used. There has been a push for software developers to provide a Software Bill of Materials (SBOM) with their software, and healthcare organizations should demand an SBOM from their vendors and should conduct a software composition analysis (SCA) – an automated process to identify open source software in a codebase. HC3 also recommends other steps that can be taken by small and medium/large organizations to reduce open source software risks.
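The practical payoff of an SBOM is that it can be checked mechanically against vulnerability data, which is exactly what the organizations HC3 describes as never updating embedded components are unable to do. The script below is an added example, not code from the HC3 report: it parses a constructed CycloneDX SBOM and reports every component whose version falls inside a known-affected range. The two CVEs and their ranges are real (Log4Shell and Heartbleed, both discussed above), but the advisory list is hardcoded for illustration, where real tooling would query a vulnerability feed.

```python
import json
import re

# Constructed CycloneDX 1.4 SBOM for a fictional application; not a real product's SBOM.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "openssl", "version": "1.0.1f", "purl": "pkg:generic/openssl@1.0.1f"},
    {"type": "library", "name": "openssl", "version": "1.0.1g", "purl": "pkg:generic/openssl@1.0.1g"},
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}
  ]
}"""

# Constructed advisory list. The two CVEs are real (Log4Shell and Heartbleed) and the
# ranges match their advisories ("introduced" inclusive, "fixed" exclusive, OSV style),
# but a real check would pull this data from a vulnerability feed, not a hardcoded list.
KNOWN_VULNS = [
    {"id": "CVE-2021-44228", "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "CVE-2014-0160", "name": "openssl", "introduced": "1.0.1", "fixed": "1.0.1g"},
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Make a version string comparable: numeric runs compare as integers, letter runs
    (OpenSSL's '1.0.1f') lexically. Simplification: pre-release tags such as '-beta9'
    are not ordered correctly here; SCA tools apply ecosystem-specific version rules."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in _TOKEN.findall(version))


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def find_vulnerable_components(sbom_json, vulns=KNOWN_VULNS):
    """Return [(purl, cve_id)] for every SBOM component inside a known-affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for vuln in vulns:
            if comp.get("name") == vuln["name"] and is_affected(
                    comp["version"], vuln["introduced"], vuln["fixed"]):
                purl = comp.get("purl", f"{comp['name']}@{comp['version']}")
                findings.append((purl, vuln["id"]))
    return findings


if __name__ == "__main__":
    for purl, cve in find_vulnerable_components(SBOM_JSON):
        print(f"{purl}: affected by {cve}")
```

Matching on the bare component name is enough for the illustration; in production the package URL (purl), which carries the ecosystem and namespace, is the key to match on, since the same name can refer to different packages in different ecosystems.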

The post Healthcare and Public Health Sector Warned About Open Source Software Risks appeared first on HIPAA Journal.

HHS Publishes Healthcare Sector Cybersecurity Strategy

On Wednesday, the U.S. Department of Health and Human Services published a concept paper that outlines the HHS’s cybersecurity strategy for the healthcare sector. The paper details the steps that the HHS has already taken to improve cybersecurity in the healthcare sector and the steps the HHS has planned for improving cyber resiliency and protecting patient safety. The Healthcare Sector Cybersecurity Strategy builds on the Biden administration’s National Cybersecurity Strategy and focuses specifically on strengthening resilience for hospitals, patients, and communities threatened by cyberattacks.

The healthcare sector has seen a massive increase in cyberattacks in recent years, with large data breaches increasing by 93% from 2018 to 2022 and large breaches involving ransomware increasing by 278% over the same period. These attacks have resulted in extended hospital stays, poorer patient outcomes, delays to diagnosis and treatment, and diversions to other healthcare facilities. These adverse impacts put patient safety at risk, yet they are largely preventable.

“Since entering office, the Biden-Harris Administration has worked to strengthen the nation’s defenses against cyberattacks. The health care sector is particularly vulnerable, and the stakes are especially high. Our commitment to this work reflects that urgency and importance,” said HHS Secretary Xavier Becerra. “HHS is working with health care and public health partners to bolster our cyber security capabilities nationwide. We are taking necessary actions that will make a big difference for the hospitals, patients, and communities who are being impacted.”

The HHS has already taken several steps to improve healthcare cybersecurity. The HHS has updated its voluntary healthcare-specific cybersecurity guidance – Health Industry Cybersecurity Practices – to reflect the current cybersecurity landscape, released free healthcare-specific cybersecurity trainings to help small- and medium-sized healthcare organizations to train their staff on basic cybersecurity practices, and the HHS’ Office for Civil Rights has published telehealth guidance for healthcare providers and patients to educate patients about the privacy and security of protected health information. The Food and Drug Administration (FDA) has added new cybersecurity requirements for medical device manufacturers and has issued guidance on the pre-market cybersecurity requirements for new medical devices.

The Healthcare Sector Cybersecurity Strategy outlines the path forward and includes four pillars for action to improve cyber resilience in the health sector. The first step is to establish voluntary cybersecurity goals for the healthcare sector. Healthcare organizations have access to numerous cybersecurity standards and guidance and determining which standards should be prioritized can be confusing. The HHS will establish and publish voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) to help healthcare organizations prioritize high-impact cybersecurity practices, and will include essential and enhanced performance goals.

For many healthcare organizations, there are competing priorities and limited resources, which can mean improvements to cybersecurity are put on the back burner. The HHS plans to provide resources to incentivize healthcare organizations to implement cybersecurity practices and will be working with Congress to obtain new authority to administer financial support for domestic investments in cybersecurity. The HHS will create an upfront investment program to help high-need healthcare providers cover the upfront costs of implementing essential HPH CPGs and establish an incentive program to encourage hospitals to implement the enhanced HPH CPGs. Long term, the HHS will enforce the new cybersecurity requirements with the imposition of financial consequences for hospitals that fail to adopt essential cybersecurity practices.

The HHS plans to update the HIPAA Security Rule in the spring of 2024 to add new cybersecurity requirements. The HHS believes that funding and voluntary goals alone will not be enough to drive the behavioral changes needed across the sector, and that regulatory updates are also required. As part of an HHS-wide strategy, the Centers for Medicare and Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through the Medicare and Medicaid programs, and the HHS will work with Congress to increase the penalties for HIPAA violations. The HHS is also working with Congress to obtain increased resources to allow OCR to investigate potential HIPAA violations, conduct proactive audits, and scale outreach and technical assistance for low-resource organizations to help them improve HIPAA compliance.

The fourth pillar for action is to expand and mature the one-stop shop for healthcare cybersecurity within the HHS's Administration for Strategic Preparedness and Response (ASPR) to make it easier for the industry to access the support and services provided by the Federal Government. This will enhance coordination within the HHS and across the Federal Government, deepen partnerships with private industry, increase the incident response capabilities of the HHS, and promote greater uptake of services and resources such as vulnerability scanning and technical assistance.

“Taken together, HHS believes these goals, supports, and accountability measures can comprehensively and systematically advance the healthcare sector along the spectrum of cyber resiliency to better meet the growing threat of cyber incidents, especially for high-risk targets like hospitals,” wrote the HHS. “Acting on these priorities will protect the health and privacy of all Americans and enable safe access to health care.”

The post HHS Publishes Healthcare Sector Cybersecurity Strategy appeared first on HIPAA Journal.

Urgent Action Required to Address Critical ownCloud Vulnerabilities

Three critical vulnerabilities in the ownCloud platform have been identified, one of which is being actively exploited. Urgent action is required to address the vulnerabilities to protect sensitive networks and sensitive data.

The ownCloud platform is used extensively in healthcare for storing, synchronizing, and sharing files and for collaborating on and consolidating work processes. As such, the platform is a prime target for malicious actors, as it gives them access to highly sensitive data. The Clop hacking group demonstrated how serious vulnerabilities in file-sharing platforms can be when it mass-exploited vulnerabilities in Fortra's GoAnywhere MFT and Progress Software's MOVEit Transfer earlier this year.

Security advisories were issued by ownCloud on November 21, 2023, about three vulnerabilities, the most serious of which has the maximum CVSS v3.1 severity score of 10. The remaining two vulnerabilities have been assigned CVSS scores of 9.8 and 9.0. Evidence of active exploitation was identified by the cybersecurity firm GreyNoise from November 25, 2023, with the malicious activity originating from 32 unique IP addresses.

  • CVE-2023-49103 – A critical vulnerability in versions 0.2.0 – 0.3.0 of the graphapi app that allows disclosure of sensitive credentials and configuration in containerized deployments. The graphapi app bundles a third-party library (microsoft-graph) that ships a test script; when that script is requested over the web, it outputs the PHP environment's configuration via phpinfo(), including the webserver's environment variables. In containerized deployments, that output can include the ownCloud admin password, mail server credentials, and license key. The vulnerability has a CVSS severity score of 10 out of 10.
  • CVE-2023-49105 – A critical WebDAV API authentication bypass vulnerability using pre-signed URLs. The vulnerability affects core 10.6.0 – 10.13.0 and can be exploited to access, modify, or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured, which is the default setting. The vulnerability has a CVSS severity score of 9.8 out of 10.
  • CVE-2023-49104 – A critical subdomain validation bypass vulnerability in oauth2 < 0.6.1. An attacker can pass in a specially crafted redirect-URL that bypasses the validation code, allowing the attacker to redirect callbacks to a TLD controlled by the attacker. The vulnerability has a CVSS severity score of 9.0 out of 10.

The Health Sector Cybersecurity Coordination Center (HC3) issued a warning on December 5, 2023, urging HPH sector organizations to take immediate action and apply the actions recommended by ownCloud. “The nature of this platform is such that it needs to be integrated into the information infrastructure of a customer organization to function, which provides attackers with a target that can potentially provide access to sensitive information, as well as a staging point for further attacks,” explained HC3.

At present, only CVE-2023-49103 is believed to have been actively exploited in the wild. It should therefore be treated with the highest priority; however, the remaining vulnerabilities should also be addressed as soon as possible, as exploitation is likely.

ownCloud notes that disabling the graphapi app is not sufficient to address CVE-2023-49103. The owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file should also be deleted and the phpinfo function should be disabled in Docker containers. Because the output may already have been read by an attacker, ownCloud also recommends rotating potentially exposed secrets such as the credentials for ownCloud administration, the mail server, the database, and the Object-Store/S3 access key. ownCloud's mitigations for each vulnerability are detailed in its security advisories.
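Since exploitation of CVE-2023-49103 is a single unauthenticated GET request, the webserver access log is the place to find out whether the secrets above have already been read and must be rotated. The script below is an added example and is not part of ownCloud's or HC3's guidance: it scans constructed access-log lines (combined log format is assumed) for requests to the GetPhpInfo.php test page and separates successful responses, which mean the phpinfo output was served, from requests that were blocked or hit a missing file.

```python
import re
from urllib.parse import unquote

# Path of the phpinfo test page shipped inside the graphapi app's vendored
# microsoft-graph library; ownCloud's mitigation is to delete this file.
PHPINFO_PATH = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Constructed access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2023:10:14:02 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 41983 "-" "python-requests/2.31.0"
203.0.113.7 - - [25/Nov/2023:10:14:05 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 512 "-" "python-requests/2.31.0"
198.51.100.23 - - [25/Nov/2023:11:02:40 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css HTTP/1.1" 200 41979 "-" "curl/8.4.0"
192.0.2.55 - alice [25/Nov/2023:11:05:11 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 2048 "-" "Mozilla/5.0 (ownCloud Client)"
192.0.2.55 - alice [25/Nov/2023:11:06:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_phpinfo_probes(log_text):
    """Return every request that touched the GetPhpInfo.php test page.

    The match is a case-insensitive substring test on the URL-decoded path
    rather than an exact comparison, so requests with a different prefix
    (/owncloud/...) or with extra path components appended after the file
    name are still caught. A 200 response means the phpinfo output, and any
    secrets in the environment, was served to that client.
    """
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PHPINFO_PATH.lower() in unquote(rec["path"]).lower():
            rec["disclosed"] = rec["status"] == "200"
            probes.append(rec)
    return probes


def sources_with_disclosure(probes):
    """Distinct source IPs that received a successful phpinfo response."""
    return sorted({p["ip"] for p in probes if p["disclosed"]})


if __name__ == "__main__":
    probes = find_phpinfo_probes(SAMPLE_LOG)
    for p in probes:
        print(f"{p['ts']} {p['ip']} {p['method']} {p['path']} -> {p['status']}")
    print("sources that obtained phpinfo output:", sources_with_disclosure(probes))
```

Any source in the final list should be treated as holding every secret the container environment exposed, which is the trigger for the credential rotation ownCloud recommends; a probe that only ever received 404 or 403 is reconnaissance, not disclosure.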

The post Urgent Action Required to Address Critical ownCloud Vulnerabilities appeared first on HIPAA Journal.

Citrix Bleed Vulnerability Requires Urgent Action as Ransomware Groups Scale Up Attacks

Concern is growing as ransomware groups ramp up exploitation of a critical vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) appliances, dubbed Citrix Bleed.

Citrix issued a security advisory about the vulnerability on October 10, 2023, together with patches. The vulnerability, tracked as CVE-2023-4966 with a CVSS severity score of 9.4 out of 10, is an out-of-bounds memory read (a buffer over-read rather than an overflow) that leaks appliance memory, including valid session tokens, to an unauthenticated attacker; with a stolen token, an attacker can hijack an existing authenticated session and so bypass both the password and multifactor authentication. The vulnerability appears to have been exploited in the wild since August 2023. It is easy to exploit and allows threat actors to take over legitimate user sessions. Once initial access has been gained, threat actors can elevate privileges, harvest credentials, move laterally, and access sensitive data and resources.

Citrix has fixed the vulnerability in the following NetScaler ADC and Gateway builds; any earlier build on the same release train is affected:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
  • NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL) and receive no fix. Customers still using these versions should upgrade their appliances to one of the supported versions.
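Because the fix is a minimum build per release train, working out which appliances still need patching means comparing each one's build number against the right entry in that list. The script below is an added example rather than anything Citrix or HC3 published: it takes the fixed builds from the list above, parses the version line that the NetScaler CLI prints (the `NetScaler NS13.1: Build 49.13.nc, ...` shape is an assumption about the `show ns version` output), and classifies an appliance as patched, vulnerable, or unsupported. The FIPS and NDcPP trains cannot be told apart from the version string alone, so the variant is passed in from inventory.

```python
import re

# Minimum fixed builds per release train, from Citrix's CVE-2023-4966 advisory;
# any older build on the same train is affected. Plain 12.1 is end of life and
# receives no fix, so it is reported as unsupported rather than patched.
FIXED_BUILDS = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
    "13.1-FIPS": (37, 164),
    "12.1-FIPS": (55, 300),
    "12.1-NDcPP": (55, 300),
}

# Assumed shape of the `show ns version` output, e.g.
#   NetScaler NS13.1: Build 49.13.nc, Date: Sep 5 2023, 19:34:36   (64-bit)
VERSION_RE = re.compile(r"NS(?P<branch>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)")


def parse_version(text):
    """Return (branch, (major, minor)) from version output, e.g. ('13.1', (49, 13))."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no NetScaler version found in: {text!r}")
    return m.group("branch"), (int(m.group("major")), int(m.group("minor")))


def assess(version_text, variant=None):
    """Classify an appliance as 'patched', 'vulnerable' or 'unsupported'.

    `variant` is 'FIPS' or 'NDcPP' for those builds; the version string alone
    does not say which train an appliance is on, so take it from inventory.
    Build numbers are compared as (major, minor) integer pairs, so 49.15 sorts
    after 49.13 and 8.50 after 4.42, which a plain string comparison gets wrong.
    """
    branch, build = parse_version(version_text)
    train = f"{branch}-{variant}" if variant else branch
    fixed = FIXED_BUILDS.get(train)
    if fixed is None:
        return "unsupported"   # e.g. plain 12.1: EOL, upgrade instead of patching
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory):
    """Map appliance name to status for a list of (name, version_text, variant)."""
    return {name: assess(text, variant) for name, text, variant in inventory}


if __name__ == "__main__":
    # Constructed inventory; these are not real appliances.
    fleet = [
        ("gw-east-1", "NetScaler NS13.1: Build 49.13.nc, Date: Sep 5 2023, 19:34:36   (64-bit)", None),
        ("gw-east-2", "NetScaler NS13.1: Build 49.15.nc, Date: Oct 9 2023, 11:02:10   (64-bit)", None),
        ("gw-fips-1", "NetScaler NS13.1: Build 37.164.nc", "FIPS"),
        ("gw-legacy", "NetScaler NS12.1: Build 65.25.nc", None),
    ]
    for name, status in triage(fleet).items():
        print(f"{name}: {status}")
```

A result of "patched" only means the appliance can no longer be exploited; as the HC3 advisory notes, sessions stolen before the patch stay valid until they are killed, so the session-clearing commands still have to be run on every appliance that was exposed while vulnerable.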

On October 18, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability Catalog, and a security advisory about the flaw was issued on November 21, 2023, as it became clear that the vulnerability was being exploited more widely, including by the LockBit 3.0 ransomware group in attacks on critical infrastructure.

On November 22, 2023, the Health Sector Cybersecurity Coordination Center (HC3) issued an urgent security advisory to the healthcare and public health (HPH) sector about the flaw along with a further advisory on November 30, 2023, urging healthcare organizations to patch the vulnerability as soon as possible to protect against exploitation. Applying the patch will prevent the vulnerability from being exploited; however, if it has already been exploited, the compromised sessions will remain active. Steps must therefore also be taken to ensure all active sessions are removed.

To remove active and persistent sessions after the patch has been applied, admins should run the following commands:

  • kill aaa session -all
  • kill icaconnection -all
  • kill rdp connection -all
  • kill pcoipConnection -all
  • clear lb persistentSessions

Steps should also be taken to investigate potential exploits of the vulnerability. NetScaler has issued guidance for investigations and CISA has published Indicators of Compromise associated with LockBit 3.0 along with the tactics, techniques, and procedures (TTPs) used by the group and mitigation steps for defending against ransomware attacks.

The American Hospital Association has recently issued a security advisory urging hospitals to take immediate action to protect against exploitation of the Citrix Bleed vulnerability, given that hospitals are prime targets for ransomware groups. "This urgent warning by HC3 signifies the seriousness of the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems," said John Riggi, AHA's national advisor for cybersecurity and risk. "This situation also demonstrates the aggressiveness by which foreign ransomware gangs, primarily Russian-speaking groups, continue to target hospitals and health systems. Ransomware attacks disrupt and delay health care delivery, placing patient lives in danger. We must remain vigilant and harden our cyber defenses, as there is no doubt that cyber criminals will continue to target the field, especially during the holiday season."

The post Citrix Bleed Vulnerability Requires Urgent Action as Ransomware Groups Scale Up Attacks appeared first on HIPAA Journal.

BD Discloses Vulnerabilities in FACSChorus Software

Becton, Dickinson and Company (BD) has recently disclosed seven vulnerabilities in its FACSChorus software. The vulnerabilities are low- to medium-severity, with CVSS scores ranging from 2.4 to 5.4. Successful exploitation could allow an attacker to modify system configurations, access sensitive data, or access system components; however, most of the vulnerabilities require physical access to the workstation, and the remaining one requires a position on the local network.

The vulnerabilities, in order of severity, are:

CVE-2023-29060 – Missing protection mechanism for alternate hardware interface – CVSS 5.4

Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1 – The workstation operating system does not restrict what devices can interact with its USB ports. The vulnerability could be exploited with physical access to gain access to system information and potentially exfiltrate data.

CVE-2023-29061 – Missing authentication for critical function – CVSS 5.2

Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The workstation has no BIOS password. The vulnerability could be exploited with physical access to change the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.

CVE-2023-29064 – Hard-coded credentials – CVSS 4.1

Vulnerability is present in BD FACSChorus v5.0 and v5.1. The software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, including tokens and passwords for administrative accounts.

CVE-2023-29065 – Insecure inherited permissions – CVSS 4.1

Vulnerability is present in BD FACSChorus v5.0 and v5.1. The software database can be accessed directly with the privileges of the currently logged-in user. Exploitation would allow a threat actor with physical access to potentially gain credentials, and then alter or destroy data stored in the database.

CVE-2023-29062 – Improper authentication – CVSS 3.8

Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The operating system hosting the FACSChorus application is configured to allow the transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. NTLMv2 hashes can be sent to a malicious host positioned on the local network and cracked offline if a weak password is used.

CVE-2023-29066 – Incorrect privilege assignment – CVSS 3.2

Vulnerability is present in BD FACSChorus v5.0 and v5.1 and the respective workstations. The software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.

CVE-2023-29063 – Missing protection mechanism for alternate hardware interface – CVSS 2.4

Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The workstation does not prevent physical access to its PCI Express (PCIe) slots. A threat actor could insert a PCIe card designed for memory capture and extract sensitive information, such as a BitLocker encryption key, from a dump of the workstation's RAM taken during startup.

BD notified CISA about the vulnerabilities and confirmed that all 7 of the vulnerabilities will be addressed in an upcoming software release but has suggested mitigations and compensating controls that can be implemented in the interim. These include ensuring physical access controls are in place to restrict access to the software and respective workstations to authorized end users, ensuring industry-standard security controls are implemented if the workstations are connected to the local network, and tightly controlling administrative access to the software and workstations.

The post BD Discloses Vulnerabilities in FACSChorus Software appeared first on HIPAA Journal.

Ransomware Affiliate Group Dismantled in International Law Enforcement Operation

An international law enforcement operation has led to the arrest of multiple core members of an organized group of ransomware affiliates in Ukraine. The members of the group were behind attacks involving ransomware variants such as LockerGoga, MegaCortex, Hive, and Dharma, which were used in more than 250 ransomware attacks on large organizations in 71 countries. The attacks conducted by the group resulted in losses of several hundred million dollars.

The group exploited unpatched vulnerabilities, conducted brute force and SQL injection attacks, and also used stolen credentials and phishing for initial access. Once access was gained to networks, the group used tools such as TrickBot malware, along with post-exploitation frameworks such as Cobalt Strike and PowerShell Empire to move laterally and remain inside networks undetected. In some cases, the dwell time was several months before ransomware was deployed to encrypt files. Members of the group had different responsibilities, with some tasked with gaining access to networks while others were responsible for negotiating with victims and laundering the proceeds of the attacks.

A joint investigation was launched in September 2019 by the French authorities that involved law enforcement agencies in Norway, the United Kingdom, and Ukraine, with financial support provided by Eurojust and assistance provided by Europol. Parallel investigations were also conducted by law enforcement agencies in the Netherlands, Germany, Switzerland, and the United States, which helped uncover the true magnitude and complexity of the operation. Europol established a virtual command center in the Netherlands, which received data seized in the raids.

On November 21, 2023, coordinated raids were conducted at 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia in Ukraine. More than 20 investigators took part in the operation and assisted the Ukrainian National Police. The Ukrainian National Police seized computer equipment, electronic media, and other evidence of illegal activities, along with cars, bank and SIM cards, and almost 4 million hryvnias ($110,050) in cash and cryptocurrency assets. The 32-year-old mastermind of the operation was arrested along with four of his most active accomplices.

The latest arrests follow a first round of arrests in 2021 using the same investigation framework. 12 individuals were arrested in the raids on October 26, 2021, in Ukraine and Switzerland, all of whom had been involved in multiple ransomware attacks. In addition to the arrests, $52,000 in cash was seized along with 5 luxury vehicles and many electronic devices. The analysis of the electronic devices and other evidence collected in the first round of raids led to the identification of the suspects that were targeted in the latest phase of the operation.


Warren General Hospital Data Breach Affects 169,000 Patients

Data breaches have recently been reported by Warren General Hospital in Pennsylvania, Southwest Behavioral Health Center in Utah, CareTree in Illinois, and the Medical University of South Carolina.

Warren General Hospital Data Breach

On November 9, 2023, Warren General Hospital (WGH) in Warren, PA, announced it had fallen victim to a cyberattack that potentially affected the confidential information of current and former patients and employees. Suspicious activity was detected within its network on September 24, 2023. Assisted by third-party cybersecurity experts, WGH determined that an unauthorized actor had access to its network between September 15, 2023, and September 23, 2023, and during that time, downloaded files from its network.

The review of the files confirmed they contained names, in combination with one or more of the following: address, date of birth, Social Security number, financial account information, payment card information, health insurance claims information, and medical information, which may have included diagnosis, medications, lab results, and other treatment information.

WGH said existing policies and procedures have been reviewed, administrative and technical controls have been enhanced, and additional security training has been provided to the workforce. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 168,921 patients.

Southwest Behavioral Health Center Data Breach

Southwest Behavioral Health Center, a Saint George, UT-based provider of mental health treatment and psychiatric services, has recently reported a data breach to the HHS’ Office for Civil Rights that affected 17,147 current and former patients.

A security breach was detected on March 13, 2023, and a third-party cybersecurity firm was engaged to investigate and determine the extent to which patient data had been compromised. The investigation revealed an unauthorized third party gained access to parts of its system containing files that included patient data prior to March 13, 2023; however, it was not possible to determine the specific files that may have been accessed or copied from its network.

The review of the files potentially involved confirmed they contained patient data such as names, dates of birth, Social Security numbers, personal health record information, and medical information. After verifying contact information, notification letters started to be issued on November 9, 2023, to all patients that had potentially been affected.

Medical University of South Carolina Data Breach

The Medical University of South Carolina (SUMC) in Charleston has been affected by a data breach at one of its third-party vendors. Westat collects data from SUMC patients on behalf of the Centers for Disease Control and Prevention (CDC) for public health reporting purposes. Westat used Progress Software’s MOVEit Transfer file transfer solution, a zero-day vulnerability in which was exploited by the Clop hacking group between May 28 and May 29, 2023. Westat has already reported the breach to the HHS’ Office for Civil Rights in two separate reports, one affecting 50,065 individuals and a second affecting 20,045. SUMC reported the breach as affecting 1,758 individuals and said it involved names, addresses, dates of birth, diagnoses, provider names, and insurance information.

CareTree Data Breach

CareTree Inc., a Chicago, IL-based provider of smart care management and patient advocate software for care providers, has recently confirmed there has been unauthorized access to the CareTree platform. Suspicious activity was detected within its platform on or around August 16, 2023. The forensic investigation confirmed access to the platform was gained on July 21, 2023.

The review of the affected files confirmed that they contained the information of 1,097 CareTree patients; however, CareTree was unable to confirm the specific information exposed for each patient because the information is no longer available. The types of information potentially compromised included names, addresses, driver’s license numbers, Social Security numbers, financial account information, dates of birth, medical information including diagnosis, lab results, medications or other treatment information, and/or health insurance information. In its substitute breach notice, CareTree said, “CareTree will provide notice of this event to all individuals whose personal information was involved, along with information and steps potentially impacted individuals can take to better protect their information.”
