Healthcare Cybersecurity

November 2023 Healthcare Data Breach Report

Posted by Steve Alder

After two months of declining healthcare data breaches, there was a 45% increase in reported breaches of 500 or more healthcare records. In November, 61 large data breaches were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) – three more than the monthly average for 2023. From January 1, 2023, through November 30, 2023, 640 large data breaches have been reported.

In addition to an increase in data breaches, there was a massive increase in the number of breached records. 22,077,489 healthcare records were exposed or compromised across those 61 incidents – a 508% increase from October. November was the second-worst month of the year in terms of breached records behind July, when 24 million healthcare records were reported as breached. There is still a month of reporting left but 2023 is already the worst-ever year for breached healthcare records. From January 1, 2023, through November 30, 2023, 115,705,433 healthcare records have been exposed or compromised – more than the combined total for 2021 and 2022.

Largest Healthcare Data Breaches in November 2023

November was a particularly bad month for large data breaches, with 28 breaches of 10,000 or more records, including two breaches of more than 8 million records. Two of the breaches reported in November rank in the top ten breaches of all time and both occurred at business associates of HIPAA-covered entities. The largest breach occurred at Perry Johnson & Associates, Inc. (PJ&A) a provider of medical transcription services. The PJ&A data breach was reported to OCR as affecting 8,952,212 individuals, although the total is higher, as some of its clients have chosen to report the breach themselves. Hackers had access to the PJ&A network for more than a month between March and May 2023.

The second-largest breach was reported by Welltok, Inc. as affecting 8,493,379 individuals. Welltok works with health plans and manages communications with their subscribers. The Welltok data breach is one of many 2023 data breaches involving the exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution by the Clop hacking group. Globally, more than 2,615 organizations had the vulnerability exploited and data stolen.

A further three data breaches were reported that involved the protected health information of more than 500,000 individuals. Sutter Health was also one of the victims of the mass hacking of the MOVEit vulnerability and had the data of 845,441 individuals stolen, as did Blue Shield of California (636,848 records). In both cases, the MOVEit tool was used by business associates of those entities. East River Medical Imaging in New York experienced a cyberattack that saw its network breached for three weeks between October and September 2023, during which time the hackers exfiltrated files containing the PHI of 605,809 individuals. All 28 of these large data breaches were hacking incidents that saw unauthorized access to network servers.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Perry Johnson & Associates, Inc., which does business as PJ&A NV Business Associate 8,952,212 Hacking and data theft incident
Welltok, Inc. CO Business Associate 8,493,379 Hacking incident (MOVEit Transfer)
Sutter Health CA Healthcare Provider 845,441 Hacking incident at business associate (MOVEit Transfer)
California Physicians’ Service d/b/a Blue Shield of California CA Health Plan 636,848 Hacking incident at business associate (MOVEit Transfer)
East River Medical Imaging, PC NY Healthcare Provider 605,809 Hacking and data theft incident
State of Maine ME Health Plan 453,894 Hacking incident (MOVEit Transfer)
Proliance Surgeons WA Healthcare Provider 437,392 Ransomware attack
Medical Eye Services, Inc. NY Business Associate 377,931 Hacking incident (MOVEit Transfer)
Medical College of Wisconsin WI Healthcare Provider 240,667 Hacking incident (MOVEit Transfer)
Warren General Hospital PA Healthcare Provider 168,921 Hacking and data theft incident
Financial Asset Management Systems (“FAMS”) GA Business Associate 164,796 Ransomware attack
Morrison Community Hospital District IL Healthcare Provider 122,488 Ransomware attack (BlackCat)
South Austin Health Imaging LLC dba Longhorn Imaging Center TX Healthcare Provider 100,643 Hacking and data theft incident (SiegedSec threat group)
Mulkay Cardiology Consultants at Holy Name Medical Center, P.C. NJ Healthcare Provider 79,582 Ransomware attack (NoEscape)
International Paper Company Group Health and Welfare Plan (the “IP Plan”) TN Health Plan 78,692 Hacking incident at business associate (MOVEit Transfer)
CBIZ KA Consulting Services, LLC NJ Business Associate 30,806 Hacking incident (MOVEit Transfer)
Endocrine and Psychiatry Center TX Healthcare Provider 28,531 Hacking and data theft incident
Blue Shield of California OR Blue Shield of California Promise Health Plan CA Business Associate 26,523 Hacking incident at business associate (MOVEit Transfer)
Wyoming County Community Health System NY Healthcare Provider 26,000 Hacking and data theft incident
Westat, Inc. MD Business Associate 20,045 Hacking incident (MOVEit Transfer)
Psychiatry Associates of Kansas City KS Healthcare Provider 18,255 Hacking and data theft incident
Southwest Behavioral Health Center UT Healthcare Provider 17,147 Hacking and data theft incident
TGI Direct, Inc. MI Business Associate 16,113 Hacking incident (MOVEit Transfer)
Pharmacy Group of Mississippi, LLC MS Healthcare Provider 13,129 Hacking and data theft incident
U.S. Drug Mart, Inc. TX Healthcare Provider 13,016 Hacking and data theft incident at business associate
Catholic Charities of the Diocese of Rockville Centre d/b/a Catholic Charities of Long Island NY Healthcare Provider 13,000 Hacking and data theft incident
Foursquare Healthcare, Ltd. TX Healthcare Provider 10,890 Ransomware attack
Saisystems International, Inc. CT Business Associate 10,063 Hacking and data theft incident

November 2023 Data Breach Causes and Data Locations

Many of the month’s breaches involved the mass hacking of a vulnerability in the MOVEit Transfer solution by the Clop threat group. MOVEit data breaches continue to be reported, despite the attacks occurring in late May. According to the cybersecurity firm Emsisoft, at least 2,620 organizations were affected by these breaches, and 77.2 million records were stolen. 78.1% of the affected organizations are based in the United States.  Progress Software is currently being investigated by the U.S. Securities and Exchange Commission over the breach. Hacking/ransomware attacks accounted for 88.52% of the month’s data breaches (54 incidents) and 99.94% of the breached records (22,064,623 records). The average data breach size was 408,604 records and the median breach size was 10,477 records.

Ransomware gangs continue to target the healthcare industry, and in November several ransomware groups listed stolen healthcare data on their leak sites including NoEscape and BlackCat. Many hacking groups choose not to use ransomware and instead just steal data and threaten to sell or publish the data if the ransom is not paid, such as Hunter’s International and SiegedSec. Since there is little risk of ransomware actors being apprehended and brought to justice, the attacks are likely to continue. OCR is planning to make it harder for cyber actors to succeed by introducing new cybersecurity requirements for healthcare organizations. These new cybersecurity requirements will be voluntary initially but will later be enforced. New York has also announced that stricter cybersecurity requirements for hospitals will be introduced in the state, and financial assistance will be offered.

There were 6 data breaches classified as unauthorized access/disclosure incidents, across which 10,371 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 1,481 records and the median breach size was 1,481 records. There was one reported incident involving the theft of paperwork that contained the protected health information of 2,495 individuals. For the second consecutive month, there were no reported loss or improper disposal incidents. The most common location of breached PHI was network servers, which accounted for 77% of all incidents. 10 incidents involved PHI stored in email accounts.

Where did the Data Breaches Occur?

The OCR data breach portal shows healthcare providers were the worst affected HIPAA-regulated entity in November, with 42 reported data breaches. There were 13 data breaches reported by business associates and 6 data breaches reported by health plans. The problem with these figures is they do not accurately reflect where the data breaches occurred. When a business associate experiences a data breach, they may report it to OCR, the affected covered entities may report the breach or a combination of the two. As such, the raw data often does not accurately reflect the number of data breaches occurring at business associates of HIPAA-covered entities. The data used to compile the charts below has been adjusted to show where the data breach occurred rather than the entity that reported the breach.

Geographical Distribution of Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 28 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

State Number of Breaches
California 8
New York 6
Illinois & Texas 5
Connecticut, Florida, Georgia, Indiana, Iowa, Kansas, Maine, Michigan, Minnesota, New Jersey, Oregon, South Carolina & Washington 2
Arizona, Colorado, Maryland, Massachusetts, Mississippi, Nevada, Ohio, Pennsylvania, Tennessee, Utah & Wisconsin 1

HIPAA Enforcement Activity in November 2023

OCR announced one enforcement action in November. A settlement was agreed with St. Joseph’s Medical Center to resolve allegations of an impermissible disclosure of patient information to a reporter. OCR launched an investigation following the publication of an article by an Associated Press reporter who had been allowed to observe three patients who were being treated for COVID-19. The article included photographs and information about the patients and was circulated nationally. OCR determined that the patients had not provided their consent through HIPAA authorizations, therefore the disclosures violated the HIPAA Privacy Rule. St. Joseph Medical Center settled the alleged violations and paid an $80,000 financial penalty.

HIPAA is primarily enforced by OCR although State Attorneys General may also investigate HIPAA-regulated entities and they also have the authority to issue fines for HIPAA violations. In November, one settlement was announced by the New York Attorney General to resolve alleged violations of HIPAA and state laws. U.S. Radiology Specialists Inc. was investigated over a breach of the personal and protected health information of 198,260 individuals, including 95,540 New York Residents. The New York Attorney General’s investigation determined that U.S. Radiology Specialists was aware that vulnerabilities existed but failed to address those vulnerabilities in a timely manner. Some of those vulnerabilities were exploited by cyber actors in a ransomware attack. U.S. Radiology Specialists agreed to pay a $450,000 financial penalty and ensure full compliance with HIPAA and state laws.

The post November 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

ALPHV/BlackCat Claims Healthcare Restrictions Removed for Affiliates

Posted by Steve Alder

In response to the law enforcement operation that resulted in the seizure of its websites, the ALPHV/BlackCat ransomware group has removed virtually all restrictions on affiliates and said discounts and extensions have stopped, and patient data will now be published on its leak site.

The Department of Justice (DoJ) recently announced that the Federal Bureau of Investigation was able to gain access to the infrastructure of the ALPHV/BlackCat ransomware group, which allowed it to seize the websites used for communication, data leaks, and negotiations and obtain the decryption keys to help around 500 victims recover from attacks. The decryption tool developed by the FBI has saved around $68 million in ransom payments, according to the DoJ.

According to the search warrant, the FBI engaged with a confidential human source (CHS) to sign up to become an affiliate of the group. After an interview with the operators, the CHS was provided with credentials to access the backend affiliate portal, thus giving the FBI access to the portal. The FBI was able to obtain 946 public/private key pairs for the group’s Tor sites that were used to host victim communication sites, leak sites, and affiliate panels.

Updated ALPHV/BlackCat Cybersecurity Advisory Published

A joint cybersecurity advisory has been issued by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) that updates its April 2022 advisory about ALPHV. The latest advisory includes updated information on the tactics, techniques, and procedures (TTPs) associated with the group and Indicators of Compromise (IoCs) from FBI investigations as recently as December 6, 2023. Healthcare organizations are strongly advised to implement the recommended mitigations as while the law enforcement operation was a success and caused disruption, the ALPHV group claims it is still operational. Based on its response, the group has now decided to play hardball.

ALPHV Responds by Removing Restrictions

ALPHV is also able to access its sites and responded with an update of its own, stating on its leak site that the website has been unseized. The group provided its side of the story, claiming that the FBI only gained access to the decryption keys from the previous month and a half – around 400 victims. The group said it has attacked more than 3,000 companies and that as a result of the FBI’s actions, the decryption keys for those will never be released.

In the angry message, the group said it has now removed all but one of the restrictions for affiliates. Affiliates will still not be permitted to conduct any attacks on targets in the Commonwealth of Independent States, but all other restrictions have been removed. “You can now block hospitals, nuclear power plants, anything and anywhere,” wrote the group. In the post, ALPHV said it will no longer offer discounts on ransom demands, will not provide any time extensions, and that if patient data is stolen, it will no longer be removed and will be uploaded to its data leak site. The group also claimed it will always notify the SEC and the HHS in the event of no initial contact.

A rebrand may still be on the cards, but based on the response, the group is still operational and now plans to be even more vindictive. ALPH said if victims do not make contact before they are added to its blog, stolen data will be leaked and the families of executive teams and employees will be harassed – “even your young children are not exempt,” wrote ALPHV.

The post ALPHV/BlackCat Claims Healthcare Restrictions Removed for Affiliates appeared first on HIPAA Journal.

Feds Share Threat Intelligence on Play Ransomware Operation

Posted by Steve Alder

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about Play ransomware, aka Playcrypt. Play ransomware is believed to be a closed group rather than a ransomware-as-a-service operation and has been active since June 2022. The Play ransomware group engages in double extortion tactics, exfiltrating sensitive data before encrypting files. The stolen data is used as leverage to get victims to pay the ransom. Victims are required to contact the group via email to find out how much they must pay to prevent the release of stolen data on the group’s data leak site and to obtain the keys to decrypt data.

From June 2022 until October 2023, the Play ransomware group is known to have conducted at least 300 attacks on organizations around the world, including critical infrastructure in the United States. An analysis of the operation by Trend Micro in July 2023 found that 13.9% of victims of Play ransomware attacks were in the healthcare sector, with most attacks conducted on organizations in the United States. The group uses a variety of methods to gain initial access to victims’ networks, including abusing valid accounts and exploiting vulnerabilities in public-facing applications. The group has previously exploited vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and the ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082), and in some attacks has used Remote Desktop Protocol and VPNs for initial access. Once initial access has been gained, the group uses tools such as Cobalt Strike, PsExec, and SystemBC for file execution and lateral movement, Mimikatz for credential theft, and WinSCP for data exfiltration.

The cybersecurity alert includes details of the MITRE ATT&CK tactics and techniques used by the group, Indicators of Compromise (IoCs) from attacks as recent as October 2023, and recommended mitigations for hardening defenses. These include implementing multifactor authentication, keeping software, operating systems, and firmware up to date, segmenting networks to hamper attempts at lateral movement, filtering network traffic, disabling unused ports, and regularly conducting reviews of logs of systems activity and audits of user accounts.

The post Feds Share Threat Intelligence on Play Ransomware Operation appeared first on HIPAA Journal.

Feds Share Threat Intelligence on Play Ransomware Operation

Posted by Steve Alder

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about Play ransomware, aka Playcrypt. Play ransomware is believed to be a closed group rather than a ransomware-as-a-service operation and has been active since June 2022. The Play ransomware group engages in double extortion tactics, exfiltrating sensitive data before encrypting files. The stolen data is used as leverage to get victims to pay the ransom. Victims are required to contact the group via email to find out how much they must pay to prevent the release of stolen data on the group’s data leak site and to obtain the keys to decrypt data.

From June 2022 until October 2023, the Play ransomware group is known to have conducted at least 300 attacks on organizations around the world, including critical infrastructure in the United States. An analysis of the operation by Trend Micro in July 2023 found that 13.9% of victims of Play ransomware attacks were in the healthcare sector, with most attacks conducted on organizations in the United States. The group uses a variety of methods to gain initial access to victims’ networks, including abusing valid accounts and exploiting vulnerabilities in public-facing applications. The group has previously exploited vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and the ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082), and in some attacks has used Remote Desktop Protocol and VPNs for initial access. Once initial access has been gained, the group uses tools such as Cobalt Strike, PsExec, and SystemBC for file execution and lateral movement, Mimikatz for credential theft, and WinSCP for data exfiltration.

The cybersecurity alert includes details of the MITRE ATT&CK tactics and techniques used by the group, Indicators of Compromise (IoCs) from attacks as recent as October 2023, and recommended mitigations for hardening defenses. These include implementing multifactor authentication, keeping software, operating systems, and firmware up to date, segmenting networks to hamper attempts at lateral movement, filtering network traffic, disabling unused ports, and regularly conducting reviews of logs of systems activity and audits of user accounts.

The post Feds Share Threat Intelligence on Play Ransomware Operation appeared first on HIPAA Journal.

ALPHV/BlackCat Ransomware Operation Disrupted by FBI

Posted by Steve Alder

The ALPHV/BlackCat ransomware group has been disrupted by the Federal Bureau of Investigation, in partnership with Europol and law enforcement agencies in Denmark, Germany, Australia, Spain, Austria, the Netherlands, and the United Kingdom, in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.

ALPHV/BlackCat ransomware group first emerged in November 2021 and became one of the most prolific ransomware groups of recent years, second only to the LockBit ransomware group. ALPHV/BlackCat is a ransomware-as-a-service operation that uses affiliates to conduct attacks for a cut of any ransoms they generate. In its 2 years of operation, the group has claimed more than 1,000 victims worldwide and has collected hundreds of millions of dollars in ransom payments.

In early December 2023, the group’s Tor negotiation and data leak sites were taken offline which led to several security researchers suggesting that the group may have been the subject of a law enforcement operation, although a spokesperson for the group refuted those claims and said the websites were down due to a hosting issue. However, the U.S. Department of Justice (DoJ) has now confirmed that the outage was due to a law enforcement operation that saw the FBI successfully gain access to ALPHV’s infrastructure.

The law enforcement operation has been ongoing for several months. After breaching the servers, the FBI silently monitored operations and was able to obtain decryption keys, which allowed the FBI to develop a decryption tool that has helped more than 500 ALPHV victims decrypt their data without paying the ransom. According to the DoJ, the decryption tool has prevented the payment of around $68 million in ransom payments. The FBI was also able to seize the ALPHV data leak site, which now displays a banner stating the domain has been seized as part of an international law enforcement operation. The FBI obtained 946 public and private key pairs for the group’s affiliate panel, communication sites, and Tor sites that supported its operations.

ALPHV/BlackCat started out under the name DarkSide in the summer of 2020 and was behind the ransomware attack on Colonial Pipeline in May 2021. The high-profile attack on a U.S. critical infrastructure organization attracted considerable attention from law enforcement, and the group promptly shut down its operation and reformed under the name BlackMatter. In June 2021, the Department of Justice announced that it had seized $2.3 million in cryptocurrency from the DarkSide affiliate responsible for the attack. The BlackMatter operation was short-lived and was shut down in November 2021 after a decryptor was developed and law enforcement seized its servers; and was immediately replaced with ALPHV/BlackCat, which has been highly active until the recent takedown.

“Today’s announcement highlights the Justice Department’s ability to take on even the most sophisticated and prolific cybercriminals,” said U.S. Attorney Markenzy Lapointe for the Southern District of Florida. “As a result of our office’s tireless efforts, alongside FBI Miami, U.S. Secret Service, and our foreign law enforcement partners, we have provided Blackcat’s victims, in the Southern District of Florida and around the world, the opportunity to get back on their feet and to fortify their digital defenses. We will continue to focus on holding the people behind the Blackcat ransomware group accountable for their crimes.”

While the law enforcement operation has been successful, the group is likely to rebrand as it has done in the past and continue its attacks under a different name. In the meantime, affiliates that have been working with ALPHV/BlackCat may choose to join other ransomware groups such as LockBit.

The post ALPHV/BlackCat Ransomware Operation Disrupted by FBI appeared first on HIPAA Journal.

CISA Publishes Healthcare-Specific Guidance for Improving Cyber Resilience

Posted by Steve Alder

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published healthcare sector-specific guidance on enhancing cyber resilience. The guidance is based on the findings from a two-week risk and vulnerability assessment that was performed in January 2023 at the request of a large healthcare organization that was looking to identify vulnerabilities and potential security improvements.

CISA spent the first week conducting external penetration tests to identify weaknesses that could be exploited, and a week analyzing the internal network, with its assessments including web applications, databases, wireless access points, penetration tests, and phishing testing. The unnamed organization was found to have secured its network sufficiently to prevent external attacks. CISA was unable to find any vulnerabilities that could be easily exploited by malicious actors and was unable to gain access through phishing; however, several weaknesses were identified during internal penetration tests. CISA was able to exploit misconfigurations, weak passwords, and other security issues through multiple attack paths and compromise the organization’s domain.

The penetration and web application testing uncovered no vulnerabilities that could easily be exploited and payloads used in the phishing tests were blocked by a combination of browser controls, security policies, and antivirus software. While some of the payloads were downloaded to disk, they were immediately neutralized by the antivirus software when executed, and while some payloads appeared to have evaded internal protections, they failed to make a connection with their C2 servers.

Phishing tests were also performed on end users in an attempt to harvest credentials. 12 individuals responded to the phishing attempts and disclosed their credentials, but they could not be used as those individuals only had limited access to external-facing resources, and multi-factor authentication had been implemented for cloud accounts. CISA notes that its assessments did not include adversary-in-the-middle attacks using phishing kits such as Evilginx, which can bypass multifactor authentication. CISA recommends using phishing-resistant multifactor authentication to block attacks involving these advanced phishing kits.

The internal penetration tests started with a connection to the network without a valid domain account and attempted to gain domain user access and then escalate privileges until the domain was compromised. The organization’s domain was compromised using four attack paths, and in the fifth attack path, CISA was able to access sensitive information. CISA was able to obtain 55 password hashes, one of which was for a service account that had a weak password that was easily cracked to obtain access to the organization’s domain.

The web application tests identified default credentials in multiple web applications that had not been changed, as well as default printer credentials, along with misconfigurations that allowed CISA to authenticate to the domain controller and validate administrator privileges. CISA used the CrackMapExec tool to spray easily guessable passwords and obtained two sets of valid credentials for standard domain user accounts and demonstrated a path leading to domain compromise. CISA also demonstrated that several systems on the network did not enforce SMB signing, and exploited the misconfiguration to obtain credentials for two additional domain administrator accounts, which were validated confirming a domain compromise.

The fifth attack path involved vulnerability scanning, which identified an unpatched EternalBlue vulnerability in SMB version 1. CISA used a well-known exploit for the vulnerability to establish a shell on the server which allowed commands to be executed in the context of the local SYSTEM account. CISA also identified multiple instances of password reuse, which allowed access to be gained to several resources that contained sensitive information.

The methods and tools used by CISA in its assessments are commonly used by hackers for post-compromise activities. If initial access was gained, the internal vulnerabilities could have been exploited to achieve a full domain compromise. The key findings of the assessments have been published in a cybersecurity advisory – Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment – along with recommended mitigations for addressing the vulnerabilities, which are likely to exist in many healthcare organizations. The guidance can also be applied by software companies and organizations in other critical infrastructure sectors.

The post CISA Publishes Healthcare-Specific Guidance for Improving Cyber Resilience appeared first on HIPAA Journal.

AHA Opposes HHS Plan to Penalize Hospitals for Cybersecurity Failures

Posted by Steve Alder

The American Hospital Association (AHA) is urging the U.S. Department of Health and Human Services (HHS) to reconsider its plan to make it mandatory for hospitals to comply with new cybersecurity requirements and issue financial penalties if they fail to do so.

Last week, the HHS published its healthcare cybersecurity strategy, which outlines the steps the HHS has taken and plans to take in the future to improve healthcare cybersecurity. Those plans include introducing two tiers of Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) – essential and enhanced. The essential HPH CPGs will include high-impact cybersecurity requirements for improving cyber resiliency and are intended to establish a baseline for cybersecurity, whereas the enhanced HPH CPGs are desirable cybersecurity requirements to further improve security and protect patient privacy. While both tiers of HPH CPGs would be voluntary initially, the HHS explained in its cybersecurity strategy that it plans to make the essential HPH CPGs enforceable in the future and will be working with Congress to increase the penalties for HIPAA violations.

The AHA believes that forcing hospitals to make investments in cybersecurity and imposing financial penalties if they suffer a cyberattack and haven’t implemented certain cybersecurity measures would be counterproductive and undermine the efforts hospitals are already making to improve cybersecurity. “Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks,” said AHA President and CEO Rick Pollack. “The AHA has long been committed to helping hospitals and health systems with these efforts, working closely with our federal partners, including the FBI, HHS, Cybersecurity and Infrastructure Security Agency, and many others to prevent and mitigate cyberattacks.”

While the AHA expressed support for the HHS proposal to issue incentives for improving cybersecurity and make funding available to help hospitals with low resources cover the initial cost of cybersecurity improvements, punishing hospitals financially is unfair, especially when cyberattacks are commonly conducted by sophisticated cyber actors who work in collusion with hostile nation-states.

“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.”

The post AHA Opposes HHS Plan to Penalize Hospitals for Cybersecurity Failures appeared first on HIPAA Journal.

Healthcare and Public Health Sector Warned About Open Source Software Risks

Posted by Steve Alder

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has released a threat report warning about the risks of open source software, which can be far-ranging in healthcare. Open source software was first pioneered by scientists, researchers, and academics and was predicated on the free and open sharing of knowledge. The code for the software is available for anyone to inspect, and changes can be suggested to improve functionality and correct errors and vulnerabilities. As software became more commercialized, there was a decline in open source software; however, it is still pervasive, especially in healthcare where the code is used in a wide range of systems, including electronic health records, prescription software, medical billing software, clinic management software, inventory management software, and medical device components.

Benefits and Risks of Open Source Software

Open source software has many benefits such as lowering starting costs, shortening the time to market, increasing feedback and collaboration, and allowing more flexible software development processes, and these benefits can be considerable. It is therefore no surprise that this year’s Open Source Security and Risk Analysis Report from Synopsis found open source software in 96% of scanned codebases, and 76% of the code in the codebases was open source. In healthcare, health tech, and life sciences, the percentage of codebases containing open source code increased from around 65% in 2018 to 80% in 2022.

Synopsis determined that 84% of codebases contained at least one vulnerability and 48% of codebases contained high-risk vulnerabilities. While having many eyes looking at code increases the chance of vulnerabilities being identified and corrected, publishing the code does not guarantee that the code will be inspected for vulnerabilities and security issues, nor that the people who do inspect the code are capable of finding vulnerabilities. The code is also available to malicious actors who can search for vulnerabilities that they can exploit.

Open source code can be used by software developers to add certain functions quickly, easily, and cheaply, and as such, open source code is extensively used, which means that if vulnerabilities exist, they are likely to be embedded in many thousands of applications. One problem with the use of open source code is it is often incorporated into applications but is never updated and many organizations fail to track where open source code has been used. If vulnerabilities are identified and fixed in open source code, those fixes may never be applied since organizations may be unaware of the applications that need to be updated. Further, vulnerabilities may not be found and addressed, as open source projects often lack centralized quality controls, there is no guarantee that the code has been rigorously tested, and open-source projects tend to lack the structure or resources required to take accountability for security issues.

Open Source Software Vulnerabilities Exploited in Healthcare Cyberattacks

While there have been no documented cyberattacks that have specifically targeted medical devices by exploiting open source software vulnerabilities, the potential for harm from attacks on medical devices is considerable. Attacks exploiting open source vulnerabilities could result in medical devices such as insulin pumps, implanted cardioverter defibrillators, defibrillators, and ventilators malfunctioning, with severe implications for patient safety.

Open source software vulnerabilities have been exploited in attacks on the healthcare sector, such as the Heartbleed vulnerability discovered in August 2014 which left networks vulnerable to eavesdropping and data theft. One attack on a health system exploited Heartbleed to gain access to the PHI of 4.5 million patients. More recently, in August 2020, several zero-day vulnerabilities in an open-source integrated information management system at a hospital exposed patients’ test results, and in December 2021, the Log4Shell flaw in the open source Log4j software, which is used to add logging capabilities to Java-based applications, was extensively exploited. The flaw was exploited by nation-state hacking groups such as HAFNIUM, PHOSPHOROUS, and APT35 and allowed access to be gained to sensitive data and for hackers to take full control of vulnerable devices. The vulnerability was also exploited by cybercriminal groups such as Conti in ransomware attacks. In January this year, a series of flaws were found in the open source software used by OpenEMR, which could be exploited to steal patient data and potentially compromise the entire IT infrastructure of an organization.

Recommendations for Reducing Open Source Software Risks

In order to address the risks of open source software, organizations need to know what open source components have been used. There has been a push for software developers to provide a Software Bill of Materials (SBOM) with their software, and healthcare organizations should demand an SBOM from their vendors and should conduct a software composition analysis (SCA) – an automated process to identify open source software in a codebase. HC3 also recommends other steps that can be taken by small and medium/large organizations to reduce open source software risks.

The post Healthcare and Public Health Sector Warned About Open Source Software Risks appeared first on HIPAA Journal.

HHS Publishes Healthcare Sector Cybersecurity Strategy

Posted by Steve Alder

On Wednesday, the U.S. Department of Health and Human Services published a concept paper that outlines the HHS’s cybersecurity strategy for the healthcare sector. The paper details the steps that the HHS has already taken to improve cybersecurity in the healthcare sector and the steps the HHS has planned for improving cyber resiliency and protecting patient safety. The Healthcare Sector Cybersecurity Strategy builds on the Biden administration’s National Cybersecurity Strategy and focuses specifically on strengthening resilience for hospitals, patients, and communities threatened by cyberattacks.

The healthcare sector has seen a massive increase in cyberattacks in recent years, with large data breaches increasing by 93% from 2018 to 2023 and ransomware attacks increasing by 278% over the same period. These attacks have resulted in extended stays in hospitals, poorer patient outcomes, delays to diagnosis and treatment, and diversions to other healthcare facilities. These adverse impacts have put patient safety at risk yet they are largely preventable.

“Since entering office, the Biden-Harris Administration has worked to strengthen the nation’s defenses against cyberattacks. The health care sector is particularly vulnerable, and the stakes are especially high. Our commitment to this work reflects that urgency and importance,” said HHS Secretary Xavier Becerra. “HHS is working with health care and public health partners to bolster our cyber security capabilities nationwide. We are taking necessary actions that will make a big difference for the hospitals, patients, and communities who are being impacted.”

The HHS has already taken several steps to improve healthcare cybersecurity. The HHS has updated its voluntary healthcare-specific cybersecurity guidance – Health Industry Cybersecurity Practices – to reflect the current cybersecurity landscape, released free healthcare-specific cybersecurity trainings to help small- and medium-sized healthcare organizations to train their staff on basic cybersecurity practices, and the HHS’ Office for Civil Rights has published telehealth guidance for healthcare providers and patients to educate patients about the privacy and security of protected health information. The Food and Drug Administration (FDA) has added new cybersecurity requirements for medical device manufacturers and has issued guidance on the pre-market cybersecurity requirements for new medical devices.

The Healthcare Sector Cybersecurity Strategy outlines the path forward and includes four pillars for action to improve cyber resilience in the health sector. The first step is to establish voluntary cybersecurity goals for the healthcare sector. Healthcare organizations have access to numerous cybersecurity standards and guidance and determining which standards should be prioritized can be confusing. The HHS will establish and publish voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) to help healthcare organizations prioritize high-impact cybersecurity practices, and will include essential and enhanced performance goals.

For many healthcare organizations, there are competing priorities and limited resources, which can mean improvements to cybersecurity are put on the back burner. The HHS plans to provide resources to incentivize healthcare organizations to implement cybersecurity practices and will be working with Congress to obtain new authority to administer financial support for domestic investments in cybersecurity. The HHS will create an upfront investment program to help high-need healthcare providers cover the upfront costs of implementing essential HPH CPGs and establish an incentive program to encourage hospitals to implement the enhanced HPH CPGs. Long term, the HHS will enforce the new cybersecurity requirements with the imposition of financial consequences for hospitals that fail to adopt essential cybersecurity practices.

The HHS plans an update to the HIPAA Security Rule in the spring of 2024 and will be adding new cybersecurity requirements. The HHS believes regulatory updates are required in addition to funding and voluntary goals, and those alone will not be enough to drive the behavioral changes needed across the sector. As part of an HHS-wide strategy, the Centers for Medicare and Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through the Medicare and Medicaid programs and the HSS will work with Congress to increase the penalties for HIPAA violations. The HHS is also working with Congress to get increased resources to allow OCR to investigate potential HIPAA violations, conduct proactive audits, and scale outreach and technical assistance for organizations with low resources to help them improve HIPAA compliance.

The fourth pillar for action is to expand and mature the one-stop-shop within the HHS for healthcare cybersecurity within the Administration of Strategic Preparedness and Response (ASPR) to make it easier for the industry to access the support and services provided by the Federal Government. This will enhance coordination between the HHS and the Federal Government, deepen partnerships with private industry, increase the incident response capabilities of the HHS, and promote greater uptake of services and resources such as vulnerability scanning and technical assistance.

“Taken together, HHS believes these goals, supports, and accountability measures can comprehensively and systematically advance the healthcare sector along the spectrum of cyber resiliency to better meet the growing threat of cyber incidents, especially for high-risk targets like hospitals,” wrote the HHS. “Acting on these priorities will protect the health and privacy of all Americans and enable safe access to health care.”

The post HHS Publishes Healthcare Sector Cybersecurity Strategy appeared first on HIPAA Journal.