A bipartisan Senate bill has been introduced that aims to improve healthcare cybersecurity and ensure that the Department of Health and Human Services (HHS) is implementing effective cybersecurity measures to combat evolving cyber threats. In 2023, record numbers of healthcare records were compromised, and more data breaches were reported than in any other year to date. More than 133 million healthcare records were compromised in 2023 across more than 725 reported breaches, the majority of which were hacking incidents.

Healthcare organizations must ensure that they are compliant with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which sets minimum standards for cybersecurity. The HHS is the main enforcer of compliance with the HIPAA Rules and issues guidance on healthcare cybersecurity. The HHS also manages the health data of approximately 65 million Americans who receive healthcare services through Medicare. As such, it is vital that the cybersecurity measures at the HHS are robust and capable of defending against evolving cyber threats.

The Strengthening Cybersecurity in Health Care Act was introduced by Senator Angus King (I-MA), Co-Chair of the Cybersecurity Solarium Commission and a member of the Senate Armed Services (SASC) and Intelligence Committees (SSCI), and Senator Marco Rubio (R-FL) and takes aim at the HHS and the cybersecurity protocols and practices that the HHS has introduced to combat evolving cyber threats.

“In recent years, several of Maine’s major healthcare providers have been the victims of cyberattacks. This threat to America’s critical infrastructure is real, and could literally mean the difference between life and death — we must take proactive steps to enhance the cybersecurity of our healthcare and public health sectors,” said Senator King. “The bipartisan Strengthening Cybersecurity in Health Care Act would help ensure that health institutions have the resources to keep patient data safe. As the number of threats continues to grow, consistent evaluations will prove to be a lifeline to the medical community treating our family and friends.”

The Strengthening Cybersecurity in Health Care Act requires the Inspector General of the HHS to evaluate the cybersecurity practices and protocols of the HHS. At least every two years, cybersecurity reviews and penetration tests should be conducted on HHS IT systems, and biennial reports should be submitted to Congress on the current cybersecurity practices at the HHS and its progress on future security practices that it is working on.

The post Bipartisan Bill Aims to Ensure the HHS is Implementing Effective Cybersecurity Measures appeared first on HIPAA Journal.

An amended Federal Trade Commission (FTC) complaint against the data broker Kochava has survived a motion to dismiss. Idaho District Court Judge, B. Lynn Winmill, dismissed the first FTC complaint in May 2022 as the FTC failed to establish that the business practices of Kochava constituted a substantial injury to consumers. In dismissing the complaint, Judge Winmill permitted the FTC to file an amended complaint, which the FTC did in June 2023.

In its complaints, the FTC accused Kochava of invading consumers’ privacy and exposing them to risk by selling their precise geolocation information and other sensitive data to third parties. Geolocation data reveals consumers’ visits to sensitive locations such as abortion clinics, places of worship, addiction treatment facilities, and shelters for survivors of domestic abuse. The FTC explained in its complaint that Kochava obtains sensitive data from other data brokers and does not interact directly with consumers; however, the data amassed by Kochava and sold through its Kochava Collective product is highly granular and contains detailed information about the precise movements of consumers.

The precise geolocation information is obtained from mobile phones which are associated with a persistent and individual identifier. The geolocation data includes consumers’ movements over days, weeks, months, or even years and is accurate to a few meters. As such, it is possible to tell which buildings consumers are in, and in some cases, even the room they are in. The data sold by Kochava directly links to the geolocation data and can include information such as names, addresses, email addresses, and phone numbers. Kochava also collects and sells enormous amounts of additional private and sensitive information of consumers.

Kochava sells data in different forms in the Kochava Collective, which includes precise geolocation data, comprehensive profile of individual consumers (database graph), tracking consumers’ uses of mobile apps (App Graph), and audience segments, which categorize consumers based on identified sensitive and personal characteristics and attributes. The FTC explained in the amended complaint that Kochava’s customers can and do purchase that data and provided an example of the level of detailed information that can be purchased. “Kochava’s data identifies, for example, a woman who visits a particular building, the woman’s name, email address, and home address, and whether the woman is African-American, a parent (and if so, how many children), or has an app identifying symptoms of cancer on her phone.” The FTC said Kochava makes it clear to potential buyers that the purpose of the Kochava Collective is to sell this level of granular consumer data.

The FTC alleges the sale of this information harms consumers in two ways. Consumers are put at risk of suffering secondary harms such as discrimination, stigma, emotional distress, and physical violence, and secondly, it invades their privacy. While the initial complaint failed to sufficiently allege a substantial injury, Judge Winmill ruled that the FTC included sufficient facts in its amended complaint to support both types of harm and the detail was sufficient to satisfy the liberal plausibility standard that the alleged practices of Kochava may violate Section 5 of the FTC Act which covers unfair business practices.

While Kochava’s motion to dismiss was denied, the company still believes that it will prevail. A spokesperson for Kochava said, “Kochava has always operated consistently and proactively in compliance with all rules and laws, including those specific to privacy.” Prior to the FTC complaint being filed, Kochava had already implemented measures to protect consumer privacy, including implementing the Privacy Block feature, which blocks geolocation data from sensitive locations such as those stated in the FTC complaint.

The FTC has been pursuing data brokers over the sale of sensitive data to third parties and recently announced settlements with X-Mode Social/Outlogic and InMarket Media, which the FTC claims have put companies on notice that the period of unchecked monetization and surveillance of consumers’ sensitive data is over.

The post FTC’s Amended Complaint Against Kochava Survives Motion to Dismiss appeared first on HIPAA Journal.

The Government Accountability Office (GAO) has found that most federal agencies that manage risk for critical infrastructure sectors have assessed or plan to assess risks associated with ransomware, but they have not gauged the use of leading cybersecurity practices nor determined whether federal support has effectively managed risks in critical infrastructure sectors. Ransomware attacks have increased over the past few years and organizations in critical infrastructure sectors are being extensively targeted. According to the Department of the Treasury, the total value of ransomware attacks in the United States reached $886 million in 2021, up 68% from the previous year. Many of the attacks have been on healthcare organizations and have negatively affected patients by causing delays in treatment and diagnosis.

According to the Federal Bureau of Investigation (FBI), 870 critical infrastructure organizations were affected by ransomware attacks in 2022 and almost half of those attacks were on four critical infrastructure sectors – critical manufacturing, energy, healthcare and public health, and transportation systems. In February 2022, the National Institute of Standards and Technology (NIST) developed a framework for managing ransomware risk, which can be used by organizations to identify and prioritize opportunities for improving security and resilience against ransomware attacks. What is unclear is the extent to which the security practices recommended by NIST to combat ransomware have been implemented across critical infrastructure sectors.

GAO conducted a study to assess federal agency efforts to oversee sector adoption of leading federal practices and evaluate federal agency efforts to assess ransomware risks and the effectiveness of the support they have provided. GAO analyzed documentation related to reporting, risk analysis, and mitigation strategies and compared those efforts to NIST guidance on cybersecurity specific to ransomware. GAO found that the assessed Sector Risk Management Agencies (SRMAs) do not have reliable data on the extent to which the NIST recommendations have been implemented, and until such time that they have that knowledge, the White House’s goal of improving critical infrastructure’s resilience to withstand ransomware threats will be more difficult to achieve.

Most of the SRMAs assessed by GAO had already assessed or plan to assess the risks of cybersecurity threats such as ransomware for their respective sectors, as required by law, but only half of the agencies had evaluated aspects of the support they provided in their respective sectors and none had fully assessed the effectiveness of that support. GAO has made 11 recommendations to the Department of Energy (DoE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), and Department of Transportation (DoT). GAO recommended the Secretaries of the DoE, HHS, DHS, and DoT should coordinate with the Cybersecurity and Infrastructure Security Agency (CISA) and determine the extent to which their sectors are adopting leading cybersecurity practices to combat ransomware. They should also develop and implement routine evaluation procedures that measure the effectiveness of federal support in helping reduce the risk of ransomware in their respective sectors.

The HHS agreed with the recommendations and believes that it has already met one of the recommendations, as it conducted an initial evaluation of the sector’s adoption of cybersecurity practices through prior efforts, such as its April 2023 Hospital Resiliency Landscape Analysis study to measure the adoption of recommended cybersecurity practices in hospitals, and it has developed a Risk Identification and Site Criticality Toolkit. GEO recognized the steps that have already been taken but said the HHS is not yet tracking the sector’s adoption of specific practices that reduce ransomware risk, therefore its recommendations still stand.

The post GAO: Federal Agencies Need to Enhance Oversight of Ransomware Practices appeared first on HIPAA Journal.

The Healthcare and Public Health (HPH) Sector has been warned about cyberattacks involving Akira ransomware, of which there have been at least 81 since the new ransomware variant was discovered in May 2023. This is the second alert to be issued by the HHS’ Health Sector Cybersecurity Coordination Center in the past 6 months, with the latest alert including updated information on the tactics, techniques, and procedures (TTPs) used by the group.

Since the group operates out of Russia, attacks on targets in the Commonwealth of Independent States (CIS) are prohibited. The majority of Akira ransomware victims are located in the United States and most of its victims have been located in California, Texas, Illinois, and states on the East Coast, especially the Northeast. The group has conducted attacks on targets in multiple sectors, with materials, manufacturing, goods and services, construction, education, finance, legal, and healthcare favored.

Akira is a ransomware-as-a-service (RaaS) operation that is thought to have ties to the Conti ransomware group. Conti was a prolific ransomware group that wreaked havoc over a two-year period from 2020 but was suddenly shut down in 2022. The TTPs used by Akira are similar in many areas to Conti, which suggests that the groups are linked and that Akira is a highly capable and sophisticated threat group. In 2017, another ransomware variant was identified that was also called Akira but the latest attacks do not appear to be related.

Initial access is most commonly gained via compromised credentials, including credentials obtained through spear phishing, although the group is also known to exploit vulnerabilities in virtual private networks and other public-facing applications, especially those that do not have multifactor authentication enabled. Once initial access has been gained, the group establishes persistent access, uses tools to hide the malicious activity, conducts network reconnaissance to understand the operational environment, then moves laterally and establishes communications with their command-and-control center. Like many other RaaS groups, Akira engages in double extortion with sensitive data stolen before ransomware is deployed. Victims must pay two fees – one to decrypt their data and another to prevent the publication of the stolen data.

The alert includes several recommendations for improving security to prevent attacks and reducing the severity of attacks that it is not possible to prevent. Preventative measures include using multi-factor authentication wherever possible; ensuring software is kept patched and up to date, especially for VPNs and other Internet-facing applications; disabling unused remote access ports; monitoring remote access logs; reviewing domain controllers, active directories, servers, and workstations for new accounts; reviewing Task Scheduler for unrecognized scheduled tasks; setting unique complex passwords for accounts, and regularly changing passwords to network systems and accounts. Administrative credentials should be required for installing software and consider adding banners to emails that originate from external sources and disabling hyperlinks in emails. To minimize the harm caused, networks should be segmented, and backups regularly performed, with backups stored offline. Copies of critical data should not be accessible for modification or deletion from the system where the data resides.

The post Healthcare Sector Warned About Akira Ransomware Attacks appeared first on HIPAA Journal.

The Healthcare and Public Health (HPH) Sector has been warned about cyberattacks involving Akira ransomware, of which there have been at least 81 since the new ransomware variant was discovered in May 2023. This is the second alert to be issued by the HHS’ Health Sector Cybersecurity Coordination Center in the past 6 months, with the latest alert including updated information on the tactics, techniques, and procedures (TTPs) used by the group.

Since the group operates out of Russia, attacks on targets in the Commonwealth of Independent States (CIS) are prohibited. The majority of Akira ransomware victims are located in the United States and most of its victims have been located in California, Texas, Illinois, and states on the East Coast, especially the Northeast. The group has conducted attacks on targets in multiple sectors, with materials, manufacturing, goods and services, construction, education, finance, legal, and healthcare favored.

Akira is a ransomware-as-a-service (RaaS) operation that is thought to have ties to the Conti ransomware group. Conti was a prolific ransomware group that wreaked havoc over a two-year period from 2020 but was suddenly shut down in 2022. The TTPs used by Akira are similar in many areas to Conti, which suggests that the groups are linked and that Akira is a highly capable and sophisticated threat group. In 2017, another ransomware variant was identified that was also called Akira but the latest attacks do not appear to be related.

Initial access is most commonly gained via compromised credentials, including credentials obtained through spear phishing, although the group is also known to exploit vulnerabilities in virtual private networks and other public-facing applications, especially those that do not have multifactor authentication enabled. Once initial access has been gained, the group establishes persistent access, uses tools to hide the malicious activity, conducts network reconnaissance to understand the operational environment, then moves laterally and establishes communications with their command-and-control center. Like many other RaaS groups, Akira engages in double extortion with sensitive data stolen before ransomware is deployed. Victims must pay two fees – one to decrypt their data and another to prevent the publication of the stolen data.

The alert includes several recommendations for improving security to prevent attacks and reducing the severity of attacks that it is not possible to prevent. Preventative measures include using multi-factor authentication wherever possible; ensuring software is kept patched and up to date, especially for VPNs and other Internet-facing applications; disabling unused remote access ports; monitoring remote access logs; reviewing domain controllers, active directories, servers, and workstations for new accounts; reviewing Task Scheduler for unrecognized scheduled tasks; setting unique complex passwords for accounts, and regularly changing passwords to network systems and accounts. Administrative credentials should be required for installing software and consider adding banners to emails that originate from external sources and disabling hyperlinks in emails. To minimize the harm caused, networks should be segmented, and backups regularly performed, with backups stored offline. Copies of critical data should not be accessible for modification or deletion from the system where the data resides.

The post Healthcare Sector Warned About Akira Ransomware Attacks appeared first on HIPAA Journal.

A new report from Chainalysis has revealed victims of ransomware attacks paid hackers $1.1 billion in 2023 to obtain the keys to unlock their data and to prevent the release of information stolen in the attacks. Last year was the first time that ransom payments exceeded $1bn and the annual total was a sizeable jump from the $567 million that was paid in 2022. These are also conservative figures, as the researchers are unaware of all of the cryptocurrency wallets used by ransomware gangs.

Ransom payments have been increasing each year but there was a fall in ransom payments in 2022, which dropped from $983 million in 2021 to $567 million in 2022. The researchers believe this anomaly is linked to the Russia-Ukraine war. Many hackers changed their operations from ransomware attacks to attacks focused on espionage and destruction on Ukrainian targets and those that did continue with ransomware found it harder to get paid as Western targets became concerned about sanctions risks, given that many ransomware groups are based in Russia.

In 2023, there was a shift back to ransomware attacks with ransomware actors choosing to attack high-profile institutions and critical infrastructure, including schools, hospitals, and government agencies and the attacks increased in scope and complexity. There were also mass extortion-only attacks by the Clop ransomware group on file transfer solutions such as GoAnywhere MFT and MOVEit, with Clop getting paid at least $100 million for the attacks that exploited the vulnerability in MOVEit.

Chainalysis has observed a trend for big game hunting, which has become the dominant strategy in recent years but there is considerable variety across the ransomware ecosystem with RaaS operations such as Phobos having low payments but making up for that with volume. These groups lower the entry barrier and make it easy for relatively low-skilled hackers to start conducting attacks.

Several trends were observed in 2023, including astronomical growth in the number of threat actors carrying out ransomware attacks. Recorded Future reported 538 new ransomware variants in 2023, which suggests the emergence of many new, smaller ransomware groups. There has also been a shortening of the dwell time, with ransomware deployed more rapidly after initial access, and ransomware groups have been developing more efficient and aggressive tactics.

There were some success stories in 2023 due to law enforcement operations, including the takedown of the Hive group and the disruption of Alphv. The FBI reports that it the Hive operation allowed it to provide the decryption keys to many victims, saving $130 million in ransom payments, although Chainalysis estimates the impact was far greater, with the disruption caused preventing an estimated $210.4 million in payments.

The post Ransom Payments Exceeded $1 Billion in 2023 appeared first on HIPAA Journal.

In the past year, more than 150 healthcare organizations have benefitted from alerts from the Cybersecurity and Infrastructure Security Agency (CISA) about vulnerabilities and intrusions that have helped them to implement mitigations before harm has been caused. These alerts have helped victims of attacks avoid delays to patient care and saved millions of dollars in costs.

In March 2023, CISA launched its Pre-Ransomware Notification Initiative which sees alerts issued if vulnerabilities are detected that are known to be actively exploited by ransomware groups to allow organizations to take action to prevent the vulnerabilities from being exploited. There is a dwell time after vulnerabilities have been exploited before ransomware is deployed, which can be a few hours to a few days. If organizations are alerted about an attack in the early stages, it is possible to block the attack before data theft and file encryption. Since launching the pilot program in January 2023, CISA has sent more than 1,200 such notifications, including to 154 healthcare organizations about early-stage ransomware activity.

When CISA’s Joint Cyber Defense Collaborative (JCDC) gets tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity, JCDC notifies the affected company and provides specific mitigation advice to help them rapidly respond. There have been cases where the advice has come after file encryption, and in those cases, JCDC has worked closely with the organizations to help them with their remediation efforts. One of the successes of this program was an early notification to a mass transport partner that prevented an estimated $350 million attack on critical transportation infrastructure.

In some cases, JDCD has been able to identify the exfiltrated data and provide detailed information about the intrusion to support the investigative and remediation efforts. In 2023, a Fortune 500 organization suffered a $60 million ransomware attack and CISA was able to help establish a CISO position and provided guidance to help it improve its IT infrastructure and security controls to better defend against future attacks.

The post CISA Pre-Ransomware Alerts Helped 154 Healthcare Organizations Save Millions in Costs appeared first on HIPAA Journal.

Ransomware activity almost doubled in 2023 according to the annual GuidePoint Research and Intelligence Team (GRIT) Ransomware Report. The GRIT team identified 4,519 victims of ransomware attacks in 2023 up from 2,507 in 2022. The United States was the most targeted country accounting for 49% of attacks, with 8 out of the 10 most impacted countries located in North America or Europe. On average, 12.4 victims were posted on data leak sites each day in 2023, an 80.1% increase in public postings from 2022. While the increase was largely driven by mass exploitation campaigns, these attacks only accounted for 5% of total victims in 2023, showing there was also a significant increase in ransomware activity overall.

The main ransomware players in 2023 were LockBit, Alphv, and Clop, with LockBit by far the most active, having conducted more attacks than Alphv and Clop combined. These established groups conducted 85% of attacks and used well-defined tactics. They are also drivers of innovation and tactical change across the ransomware ecosystem with emerging and developing groups tending to copy the new tactics developed by the established groups to improve the effectiveness and efficiency of their attacks. The more established groups are more likely to exploit critical and high-severity vulnerabilities as it provides them with a reliable way of exploiting victims at scale, as was seen with Clop in 2023, which exploited zero-day vulnerabilities in two file transfer solutions Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer solution.

These groups may conduct the majority of attacks, but there were another 60 smaller ransomware groups that were active in 2023.  Emerging and developing ransomware groups are much more likely to target healthcare organizations than established groups. Historically, healthcare has been considered off-limits for some ransomware programs due to the negative press coverage and extra attention from law enforcement agencies, although established groups increased the number of attacks on healthcare organizations in 2023. Attacks on the sector may also increase further in 2024. AlphV claimed not to permit attacks on the sector but removed the restrictions for affiliates following the law enforcement takedown of its data leak site late last year.

With fewer victims paying ransoms, ransomware groups have been forced to develop new tactics to coerce victims. The BlogXX group, which attacked an Australian health insurer in late 2022, proceeded to leak patient data when the ransom wasn’t paid, including lists of patients who had abortion procedures and mental health treatment. AlphV similarly chose to pile on the pressure by publishing photographs of cancer patients. ALphV also started filing complaints with the U.S. Securities and Exchange Commission (SEC) about omissions and misstatements in victims’ SEC filings and the failure to report attacks within the required 4 days. The were also multiple cases of patients being contacted directly by ransomware groups and told they needed to pay to have their data deleted after their healthcare provider refused to pay the ransom.

The GRIT Team expects 2024 will see an increase in posted ransomware victims and an increase in novel coercive tactics, but no change in law enforcement takedowns and arrests. G9overnents and law enforcement agencies are expected to increase efforts to discourage the payment of ransom but it is unlikely that there will be significant movement on banning ransom payments altogether.

The post Emerging Ransomware Groups Disproportionately Attack Healthcare Orgs appeared first on HIPAA Journal.