Healthcare Cybersecurity

Vulnerabilities Identified in Innokas Yhtymä Oy Vital Signs Monitors

Two medium-severity vulnerabilities have been identified in Innokas Yhtymä Oy vital signs monitors which allow communications between downstream devices to be modified and certain features of the monitors to be disabled. The vulnerabilities affect all versions of VC150 patient monitors prior to software version 1.7.15.

Vulnerable patient monitors have a stored cross-site scripting (XSS) vulnerability which allows web script or HTML to be injected via the filename parameter of multiple update endpoints of the administrative web interface. The vulnerability is due to improper neutralization of input during web page generation. The vulnerability is tracked as CVE-2020-27262 and has been assigned a severity score of 4.6 out of 10.

The second vulnerability, tracked as CVE-2020-27260, is due to improper neutralization of special elements in the output used by downstream components. HL7 v2.x injection vulnerabilities allow physically proximate attackers with a connected barcode reader to inject HL7 v2.x segments into HL7 v2.x messages via multiple expected parameters. The vulnerability has been assigned a severity rating of 5.3 out of 10.
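Both flaws are failures to neutralize untrusted input before it reaches a downstream consumer: the browser in the XSS case, and an HL7 v2.x parser in the injection case. The following is an added example, not code from Innokas Yhtymä Oy or the VC150 firmware, showing how a device-side component can escape HL7 delimiter characters and strip segment terminators from a scanned value before building a PID segment, and how the same filename would be escaped for HTML output. The segment layout, field names and the sample barcode payload are constructed for illustration.

```python
"""Output neutralization for HL7 v2.x fields and HTML, as an added example."""
import html

# HL7 v2.x default encoding characters are |^~\& (MSH-1 and MSH-2).
# Segments are terminated by a carriage return, so a raw CR inside a field
# would start a new segment: that is the injection primitive described above.

def hl7_escape_field(value: str) -> str:
    """Replace HL7 delimiter characters with their escape sequences and drop CR/LF."""
    # The escape character itself is handled first so that the escape
    # sequences introduced below are not escaped a second time.
    out = value.replace("\\", "\\E\\")
    for ch, esc in (("|", "\\F\\"), ("^", "\\S\\"), ("&", "\\T\\"), ("~", "\\R\\")):
        out = out.replace(ch, esc)
    # There is no escape sequence for the segment terminator, so CR and LF are removed.
    return out.replace("\r", "").replace("\n", "")


def build_pid_segment(patient_id: str, family: str, given: str) -> str:
    """Build a minimal PID segment (PID-1 set ID, PID-3 identifier, PID-5 name) from
    untrusted values such as a barcode scan. Constructed layout for illustration."""
    fields = [
        "PID",
        "1",
        "",
        hl7_escape_field(patient_id),
        "",
        hl7_escape_field(family) + "^" + hl7_escape_field(given),
    ]
    return "|".join(fields) + "\r"


def segments(message: str) -> list:
    """Split an HL7 message into its segments (empty trailing segment dropped)."""
    return [s for s in message.split("\r") if s]


def render_filename_html(filename: str) -> str:
    """Embed an untrusted filename in an HTML table cell with contextual escaping."""
    return "<td>" + html.escape(filename, quote=True) + "</td>"


# Constructed sample: a scanned "patient ID" that tries to smuggle in an OBX segment.
SCANNED_ID = "12345\rOBX|1|ST|INJECTED"

if __name__ == "__main__":
    seg = build_pid_segment(SCANNED_ID, "Doe", "Jane")
    print(repr(seg))
    print("segments produced:", len(segments(seg)))
    print(render_filename_html('report<script>alert(1)</script>.pdf'))
```

Run as written, the scanned value ends up inside PID-3 as a single field and the message still contains exactly one segment; the HTML helper turns the angle brackets and quotes in the filename into entities, which is the fix for the stored XSS class as well.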

The vulnerabilities were identified by Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

Innokas Yhtymä Oy has released a software update to correct the flaws and recommends only using software version 1.7.15b or later. There have been no cases reported of the vulnerabilities being exploited in the wild.

It is also recommended to adhere to network best practices including segmenting networks, using VLANs, and isolating patient monitors. Physical protections should be implemented to prevent unauthorized access to patient monitors, and clinical staff should be instructed to report any cases of unauthorized individuals attempting to log in to or tamper with the monitors.

The post Vulnerabilities Identified in Innokas Yhtymä Oy Vital Signs Monitors appeared first on HIPAA Journal.

Federal Task Force Says SolarWinds Supply Chain Attack Likely Russian in Origin

A joint statement has been issued by the Federal Bureau of Investigation (FBI), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) on behalf of the Trump Administration attributing the supply chain attack on SolarWinds Orion software to Russian threat actors.

Following the attack, the National Security Council created a task force known as the Cyber Unified Coordination Group (UCG) to investigate the breach, which consisted of the FBI, CISA, and ODNI, with support provided by the NSA. The task force is still investigating the scope of the data security incident but has announced that the attack was conducted by an Advanced Persistent Threat (APT) actor and was “likely Russian in origin.”

Evidence has been mounting that the SolarWinds software was compromised as part of an intelligence gathering operation run by Russia. While several media outlets have previously reported the security breach as being a Russia-led operation, and Secretary of State Mike Pompeo and former Attorney General Bill Barr both suggested Russia was behind the campaign, this is the first official public attribution issued by the Trump administration. President Trump had previously stated China may have been involved and has yet to comment on the attribution to Russia. Russia has denied any involvement in the attack.

The hackers compromised the software update feature of SolarWinds Orion software and incorporated a backdoor dubbed Sunburst/Solarigate, which gave remote access to the systems of organizations that downloaded the compromised software update. The investigation confirmed the operation has been active for nine months, during which time the systems of thousands of organizations were compromised. The hackers then picked targets of interest for further compromise. The second stage of the attack saw further malware delivered and the hackers attempt to gain access to victims’ cloud environments. Microsoft said gaining access to the cloud environments of victims was the primary goal of the attack.

The UCG believes the systems of around 18,000 public and private sector companies were breached via the SolarWinds Orion software update; however, a much smaller number experienced follow-on activity on their systems. Amazon and Microsoft have launched investigations into the security breach and have been examining their cloud environments for signs of compromise. Based on their evidence, it appears that the cloud environments of around 250 of the 18,000 victims were compromised. That figure may well rise as the investigation into the attack continues.

A further malware variant called Supernova – a web shell – has also been detected on the networks of some victims. This malware variant was delivered by exploiting a zero-day vulnerability in the SolarWinds Orion software and does not appear to have been delivered by the same threat actors.

Fewer than 10 U.S. government agencies had their systems breached. The Department of Justice is the most recent government agency to announce it was affected. While the hackers had access to its systems, the DOJ said the breach was limited to its Microsoft Office 365 email environment and only around 3% of its mailboxes were accessed. The DOJ said none of its classified systems appear to have been breached.


NSA Releases Guidance on Eliminating Weak Encryption Protocols

The National Security Agency (NSA) has released guidance to help organizations eliminate weak encryption protocols, which are currently being exploited by threat actors to decrypt sensitive data.

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols were developed to create protected channels using encryption and authentication to ensure the security of sensitive data between a server and a client. The algorithms used by these protocols to encrypt data have since been updated to improve the strength of encryption, but obsolete protocol configurations are still in use. New attacks have been developed that exploit weak encryption and authentication protocols, and these are being actively used by threat actors to decrypt and obtain sensitive data.

The NSA explains that most products that use obsolete TLS versions, cipher suites, and key exchange methods have been updated, but implementations have often not kept up and continued use of these out-of-date TLS configurations carries an elevated risk of exploitation. Continued use of outdated protocols provides a false sense of security, as while data transmissions are protected, the level of protection provided is insufficient to prevent decryption of data by nation state actors and other well-resourced threat actors.

The new NSA guidance explains how to detect outdated TLS and SSL configurations, replace them with newer, more secure versions, and block obsolete TLS versions, cipher suites, and key exchange methods.


The guidance is primarily aimed at cybersecurity leaders in the National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB), but can be used by all network owners and operators to better secure sensitive data.

The NSA recommends updating from SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 and only using TLS 1.2 or TLS 1.3. The guidance includes detailed information on the tools, network signatures, and server configurations necessary to only allow strong encryption protocol configurations.

“Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks,” said the NSA in the guidance. “To help system administrators fix their network components, NSA developed several server configurations and network signatures to accompany the report that are available on the NSA Cybersecurity Github.”

Updating TLS configurations will ensure that government agencies and enterprise organizations have stronger encryption and authentication and will better protect sensitive data.
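The guidance's three steps (detect obsolete configurations, replace them, block the old versions) can be checked in code. The following is an added example, not one of the NSA's published configurations or signatures: a small audit that flags obsolete protocols and weak cipher suites in an nginx server block, shown against a weak and a corrected configuration, plus a client-side context that refuses to negotiate anything below TLS 1.2. The nginx snippets and the marker list are constructed for illustration; the `ssl` module calls are Python standard library.

```python
"""Audit nginx TLS directives and build a TLS 1.2+ client context (added example)."""
import re
import ssl

# Protocol tokens as nginx spells them in ssl_protocols.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Substrings of OpenSSL cipher names that indicate weak or deprecated algorithms.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")

_PROTOCOLS = re.compile(r"ssl_protocols\s+([^;]+);")
_CIPHERS = re.compile(r"ssl_ciphers\s+\"?([^;\"]+)\"?;")


def audit_nginx_tls(config_text: str) -> list:
    """Return a list of findings for obsolete protocols and weak ciphers."""
    findings = []
    m = _PROTOCOLS.search(config_text)
    if m:
        for proto in m.group(1).split():
            if proto in OBSOLETE_PROTOCOLS:
                findings.append("obsolete protocol enabled: " + proto)
            elif proto not in ALLOWED_PROTOCOLS:
                findings.append("unknown protocol token: " + proto)
    else:
        findings.append("ssl_protocols not set; the build default may still permit TLS 1.0/1.1")
    m = _CIPHERS.search(config_text)
    if m:
        for suite in m.group(1).split(":"):
            if suite.startswith(("!", "-")):
                continue  # explicitly excluded by the cipher string
            if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                findings.append("weak cipher suite allowed: " + suite)
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client context that only negotiates TLS 1.2 or 1.3 and verifies the server."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed configurations: the weak setting beside the corrected one.
WEAK_CONFIG = (
    'server { ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; '
    'ssl_ciphers "RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256"; }'
)
HARDENED_CONFIG = (
    'server { ssl_protocols TLSv1.2 TLSv1.3; '
    'ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!RC4"; }'
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_nginx_tls(cfg) or ["no findings"])
    print("client minimum:", hardened_client_context().minimum_version)
```

The audit is a text check on one directive pair, so it complements rather than replaces an actual handshake test against the listener; the client context is what an internal tool should use so that a misconfigured server cannot quietly downgrade the session to TLS 1.0 or 1.1.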


Healthcare Industry Cyberattacks Increase by 45%

In the fall of 2020, a warning was issued to the healthcare and public health sector following a spike in ransomware activity. The joint CISA, FBI, and HHS cybersecurity advisory explained that the healthcare industry was being actively targeted by threat actors with the aim of infecting systems with ransomware. Several ransomware gangs had stepped up attacks on the healthcare and public health sector, with the Ryuk and Conti operations the most active.

A new report from Check Point shows attacks continued to increase in November and December 2020, when there was a 45% increase in cyber-attacks on healthcare organizations globally. The increase was more than double the percentage rise in attacks on all industry sectors worldwide over the same period. Globally, there was an average of 626 cyberattacks on healthcare organizations each week in November and December, compared to 430 attacks in October.

The vectors used in the attacks have been varied, with Check Point researchers identifying an increase in ransomware, botnet, remote code execution, and DDoS attacks in November and December; however, ransomware attacks showed the largest percentage increase and ransomware remains the biggest malware threat.

Conti ransomware continues to pose a threat and has been used in many healthcare industry ransomware attacks, although Ryuk remains the most commonly used ransomware variant, followed by Sodinokibi. The biggest increase in attacks was in Central Europe, which saw a 145% spike in attacks, followed by East Asia (137%) and Latin America (112%). There was a 67% rise in attacks in Europe and a 37% increase in North America. The country with the biggest increase was Canada, which saw attacks increase by 250%.

Ransomware attacks are financially motivated. Ransomware gives threat actors a large payout in a matter of days after conducting an attack and ransoms are often paid to allow files to be restored or to prevent the release or sale of stolen sensitive data. The healthcare industry is targeted because there is a higher probability that a ransom will be paid than attacks on other industry sectors. Healthcare providers need to restore access to patient data quickly to ensure care can continue to be provided to patients, especially at a time when there is tremendous pressure due to the number of new patients requiring treatment for COVID-19.

While it is still common for ransomware to be distributed via spam email and exploit kits, the attacks on the healthcare industry have been highly targeted, with the main ransomware variants used in the attacks delivered manually. Initial access to healthcare networks is gained using a variety of methods. Many ransomware attacks start with phishing emails that deliver Trojans such as Emotet, TrickBot, and Dridex. Check Point advises security professionals to search for these Trojans on the network, along with Cobalt Strike, all of which are used to deliver Ryuk ransomware.

Many ransomware attacks start with a phishing email, so it is important to ensure that anti-phishing cybersecurity solutions are implemented, and for employees to receive regular training to help them identify phishing and social engineering attacks.

While most phishing attacks occur in the week during business hours, ransomware attacks commonly commence over the weekend and during holidays, when monitoring by security staff is likely to be reduced. Healthcare organizations are advised to raise their guard over the weekend and during holidays to detect attacks in progress.

Vulnerabilities in software and operating systems are commonly exploited to gain access to healthcare networks, so prompt patching is vital, but in healthcare it is not always possible for patches to be applied. Check Point recommends using an intrusion prevention system (IPS) with virtual patching capabilities that can prevent the exploitation of vulnerabilities in systems and applications that cannot be patched. Anti-ransomware cybersecurity solutions should also be used that have a remediation feature that can block attacks within minutes if ransomware is deployed.
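Check Point's observation that ransomware deployment tends to start at weekends and during holidays translates directly into a detection rule: privileged remote logons and service installations outside business hours deserve an alert even when the account is legitimate. The following is an added example, not part of the Check Point report or the HIPAA Journal article, that runs such a rule over a few constructed log lines. The log format, host and account names, holiday list and business-hours window are all assumptions to be replaced with the organization's own.

```python
"""Flag privileged activity at weekends, on holidays or outside business hours (added example)."""
import re
from datetime import date, datetime

# Constructed holiday calendar and business-hours window; replace with your own.
HOLIDAYS = {date(2020, 12, 25), date(2021, 1, 1)}
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59 local time
PRIVILEGED_PREFIXES = ("adm_",)        # naming convention for admin accounts (assumed)
WATCHED_EVENTS = {"rdp_logon", "service_install", "remote_powershell"}

# Constructed log format: ISO timestamp followed by key=value pairs.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)


def off_hours_reason(ts: datetime):
    """Return why a timestamp is outside normal operations, or None if it is not."""
    if ts.date() in HOLIDAYS:
        return "holiday"
    if ts.weekday() >= 5:
        return "weekend"
    if ts.hour not in BUSINESS_HOURS:
        return "outside business hours"
    return None


def detect_off_hours_admin_activity(lines):
    """Return alerts (user, host, event, reason) for watched privileged events off-hours."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, not silently treated as benign
        if m["event"] not in WATCHED_EVENTS:
            continue
        if not m["user"].startswith(PRIVILEGED_PREFIXES):
            continue
        reason = off_hours_reason(datetime.fromisoformat(m["ts"]))
        if reason:
            alerts.append((m["user"], m["host"], m["event"], reason))
    return alerts


# Constructed sample: 2020-12-12 is a Saturday, 2020-12-25 is in HOLIDAYS.
SAMPLE_LOG = [
    "2020-12-12T03:14:07 host=fileserver01 user=adm_jsmith event=rdp_logon src=10.0.5.23",
    "2020-12-14T09:02:41 host=ws-042 user=nurse_amy event=rdp_logon src=10.0.8.9",
    "2020-12-25T22:47:12 host=dc01 user=adm_backup event=service_install src=10.0.5.23",
    "2020-12-16T14:30:00 host=dc01 user=adm_backup event=service_install src=10.0.5.23",
]

if __name__ == "__main__":
    for alert in detect_off_hours_admin_activity(SAMPLE_LOG):
        print("ALERT", alert)
```

Only two of the four constructed lines produce alerts: the Saturday 03:14 RDP logon by an admin account and the Christmas Day service installation on the domain controller. The weekday business-hours service installation by the same account is left alone, which is the point of scoping the rule by time rather than by account alone.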


Hidden Backdoor Identified in 100,000 Zyxel Devices

A vulnerability has been identified in Zyxel devices such as VPN gateways, firewalls, and access point (AP) controllers that could be exploited by threat actors to gain remote administrative access to the devices. By exploiting the vulnerability, threat actors would be able to make changes to firewall settings, allow/deny certain traffic, intercept traffic, create new VPN accounts, make internal services publicly accessible, and gain access to internal networks behind Zyxel devices. Around 100,000 Zyxel devices worldwide have the vulnerability.

Zyxel manufactures networking equipment and its devices are popular with small to medium sized businesses and are also used by large enterprises and government agencies.

The vulnerability, tracked as CVE-2020-29583, was identified by Niels Teusink of the Dutch cybersecurity firm EYE, who discovered a hidden user account in the latest version of Zyxel firmware (4.60 patch 0). The user account, zyfwp, which was not visible in the user interface of the products, was discovered to have a hardcoded plain-text password which Teusink found in one of the product binaries. The hardcoded administrative password was introduced in the latest version of the firmware.

Teusink was able to use the credentials to log in to vulnerable devices over SSH and the web interface. Since the password is hardcoded, users of the devices are unable to change the password. An attacker could use the credentials to log in remotely and compromise a vulnerable Zyxel device.

“As SSL VPN on these devices operates on the same port as the web interface, a lot of users have exposed port 443 of these devices to the internet,” said Teusink.

The vulnerability was reported to Zyxel and a patch has been released to correct the flaw. Zyxel explained that the account had been included to allow the company to deliver automatic firewall updates to connected access points through FTP.

The flaw is present in several Zyxel products including the Zyxel Advanced Threat Protection (ATP) firewall, Unified Security Gateway (USG), USG Flex, and VPN series running version 4.60, and Zyxel AP Controllers NXC2500 and NXC5500 running version 6.10.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) issued an alert about the vulnerability which was rated high risk for large and medium government entities and large and medium business entities, and medium risk for small government entities and small business entities.

All users of the vulnerable products have been advised to apply the patch as soon as possible to prevent exploitation. While there have not been any reported cases of exploitation of the vulnerability in the wild, exploitation of the flaw is likely.

Affected product series                            Patch available in

Firewalls
  ATP series running firmware ZLD V4.60            ZLD V4.60 Patch1 in Dec. 2020
  USG series running firmware ZLD V4.60            ZLD V4.60 Patch1 in Dec. 2020
  USG FLEX series running firmware ZLD V4.60       ZLD V4.60 Patch1 in Dec. 2020
  VPN series running firmware ZLD V4.60            ZLD V4.60 Patch1 in Dec. 2020

AP controllers
  NXC2500 running firmware V6.00 through V6.10     V6.10 Patch1 on Jan. 8, 2021
  NXC5500 running firmware V6.00 through V6.10     V6.10 Patch1 on Jan. 8, 2021

MS-ISAC has made the following recommendations to mitigate the threat.

  • Apply appropriate updates provided by Zyxel to vulnerable systems, immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.


Largest Healthcare Data Breaches in 2020

2020 was the worst ever year for healthcare industry data breaches. 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed in those breaches, which makes 2020 the third worst year in terms of the number of breached healthcare records.

The chart below clearly shows how healthcare industry data breaches have steadily increased over the past decade and the sharp rise in breaches in the past two years.

The Largest Healthcare Data Breaches in 2020

When a breach occurs at a business associate of a HIPAA-covered entity, it is often the covered entity that reports the breach rather than the business associate. In 2020, a massive data breach was experienced by the cloud service provider Blackbaud Inc. Hackers gained access to its systems and stole customer fundraising databases before deploying ransomware. Blackbaud was issued with a ransom demand and a threat that the stolen data would be released publicly if the ransom was not paid. Blackbaud decided to pay the ransom to prevent the exposure of client data. Blackbaud received assurances that the stolen data had been permanently deleted and had not been further disclosed.

The total victim count from the Blackbaud ransomware attack may never be known, but more than 6 dozen healthcare providers have reported being affected to date and over 8 million healthcare records have potentially been compromised. That breach clearly tops the list of the largest healthcare data breaches in 2020 and ranks as one of the largest healthcare data breaches of all time.

2020’s Largest Healthcare Data Breaches

The individual entities that reported data breaches in 2020 involving more than 300,000 healthcare records are listed below. In some cases, the actual data breach occurred prior to 2020, but was only discovered and reported in 2020.

Trinity Health – 3,320,726 Individuals

At more than 3.3 million records, Trinity Health was the worst affected healthcare victim of the ransomware attack on Blackbaud Inc. The hackers potentially obtained the philanthropy database of the Livonia, Michigan-based Catholic health system, which contained patient and donor information from 2000 to 2020.

MEDNAX Services, Inc. – 1,290,670 Individuals

Sunrise, FL-based MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, suffered a breach of its Office 365 environment in June 2020 after employees responded to phishing emails. The breach was extensive, involving patient and guarantor information such as Social Security numbers, driver’s license numbers, and health insurance and financial information.

Inova Health System – 1,045,270 Individuals

Virginia-based Inova Health System was also a victim of the Blackbaud ransomware attack. The hackers gained access to Blackbaud’s systems on February 7, 2020 and the breach continued until May 20, 2020. Ransomware was deployed on May 14, 2020. Inova’s fundraising database was potentially compromised which contained patient and donor information.

Magellan Health Inc. – 1,013,956 Individuals

Arizona-based Magellan Health was the victim of an April 2020 ransomware attack in which the protected health information of patients was potentially compromised. The attack ended with the deployment of ransomware but started with a spear phishing email. Several of its affiliated entities were also affected by the breach.

Dental Care Alliance – 1,004,304 Individuals

Sarasota, FL-based Dental Care Alliance, LLC, a dental support organization with more than 320 affiliated dental practices across 20 states, reported a breach of its systems in December. Few details have been released about the nature of the hacking incident as the investigation is still ongoing. The breach affected many of its affiliated dental practices.

Luxottica of America Inc. – 829,454 Individuals

Luxottica of America Inc., an operator of vision care facilities across the United States and owner of the eyewear brands Ray-Ban, Oakley, and Persol, experienced a cyberattack in August 2020 which saw hackers gain access to its web-based appointment scheduling system which contained the PHI of patients of its eye care partners.

Northern Light Health – 657,392 Individuals

The Maine health system Northern Light Health was also a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database which contained patient and donor information.

Health Share of Oregon – 654,362 Individuals

In May 2020, the Medicaid coordinated care organization Health Share of Oregon reported the theft of a laptop computer from its non-emergent medical transportation vendor. The laptop was stolen in November 2019 and was not encrypted, which potentially gave the thief access to patients’ contact information, Health Share ID numbers, and Social Security numbers.

Florida Orthopaedic Institute – 640,000 Individuals

Florida Orthopaedic Institute suffered a ransomware attack in April which saw patient information on its servers encrypted. Prior to the use of ransomware, patient data may have been viewed or obtained by the hackers.

Elkhart Emergency Physicians – 550,000 Individuals

Elkhart Emergency Physicians reported a breach in May 2020 involving the improper disposal of patient records by a third-party storage vendor – Central Files Inc. Elkhart Emergency Physicians was the worst affected entity, but several other clients of the vendor were also impacted by the breach. The records had been dumped without being shredded after the storage facility permanently closed.

Aetna ACE – 484,157 Individuals

Aetna reported a data breach in December which occurred at business associate EyeMed, which provides vision benefit services for its members. The breach occurred when an EyeMed employee responded to a phishing email, which allowed the attacker to gain access to email accounts containing PHI. Several EyeMed clients were affected by the breach.

Saint Luke’s Foundation – 360,212 Individuals

Kansas City, MO-based Saint Luke’s Foundation was also a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database which contained patient and donor information.

NorthShore University Health System – 348,746 Individuals

Evanston, IL-based NorthShore University Health System was also affected by the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database.

SCL Health Colorado – 343,493 Individuals

SCL Health Colorado was also a victim of the Blackbaud ransomware attack. The PHI of patients in its Colorado, Montana and Kansas locations was potentially accessed by the attackers.

AdventHealth – 315,811 Individuals

The Altamonte Springs, FL-based healthcare system AdventHealth was also a victim of the Blackbaud ransomware attack which saw the hackers gain access to its fundraising database.

Nuvance Health – 314,829 Individuals

Nuvance Health was a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database between February and May.

Magellan Rx Management – 314,704 Individuals

Magellan Rx Management was one of the victims of the ransomware attack on its parent company, Magellan Health, in April. The hackers potentially stole patient data prior to encrypting files.

The Baton Rouge Clinic – 308,169 Individuals

The Baton Rouge Clinic in Louisiana experienced a cyberattack in early July involving ransomware. The attackers potentially viewed or obtained patient data prior to the deployment of ransomware.


CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has launched a website providing resources related to the ongoing cyber activities of the advanced persistent threat (APT) group responsible for compromising the SolarWinds Orion software supply chain.

The threat actors behind the attack gained access to the networks of federal, state, and local governments, critical infrastructure entities, and private sector organizations around the world. In addition to compromising the software update mechanism of SolarWinds Orion, the hackers also exploited vulnerabilities in commonly used authentication mechanisms to gain persistent access to networks.

According to Microsoft, the main goal of the attackers appears to be to gain persistent local access to networks by delivering the Sunburst/Solarigate backdoor, then pivot to victims’ cloud assets. Recently it has become clear that more than one threat group is conducting cyber espionage after the discovery of a different malware variant that was introduced through the SolarWinds Orion software update feature. Microsoft and Palo Alto Networks believe the second malware variant, named Supernova, is not associated with the group that deployed the Sunburst/Solarigate backdoor.

Several resources have already been published to help organizations assess the risk associated with the cyber activity and detect and mitigate potential breaches and eliminate the threat actors from their networks. The new website pools the resources and provides easy access to pertinent information on this global incident. The website will be regularly updated as new information becomes available as the investigations into the cyber activity continue.

The APT actor has compromised the networks of a large number of entities and is selectively choosing targets of interest for further network exploitation, but any organization that has installed the compromised software updates is at risk if corrective action is not taken.

It is important for all organizations that use SolarWinds Orion to take action to investigate for signs of compromise. As CISA explained in its latest alert, “If left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk.” CISA also points out that even if entities have not installed the compromised SolarWinds Orion update, that does not necessarily mean they will not be affected. Their managed service providers and partners may have been compromised, which could give the APT actor access to their networks.

The website includes a link to a free tool that has been released by CISA for detecting unusual and potentially malicious activity in Azure/Microsoft Office 365 environments. The new tool provides a narrowly focused view of activity related to the identity- and authentication-based attacks that have been observed across a wide range of sectors following the deployment of the Sunburst/Solarigate backdoor.

The tool – named Sparrow – can be used to narrow down large data sets of investigation modules and telemetry to provide information specific to the attacks on federated identity sources and applications.


NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released final guidance for healthcare delivery organizations on securing the Picture Archiving and Communication System (PACS) ecosystem.

PACS is a medical imaging technology that is used to securely store and digitally transmit medical images such as MRIs, CT scans, and X-rays and associated clinical reports and is ubiquitous in healthcare. These systems eliminate the need to store, send, and receive medical images manually, and assist healthcare delivery organizations by allowing the images to be securely and cheaply stored offsite in the cloud. PACS allows medical images to be easily retrieved using PACS software from any location.

PACS is a system that by design cannot operate in isolation. In healthcare delivery organizations, PACS is usually integrated into highly complex environments and interfaces with many interconnected systems. The complexity of those environments means securing the PACS ecosystem can be a major challenge and it is easy for cybersecurity risks to be introduced that could easily compromise the confidentiality, integrity, and availability of the PACS ecosystem, protected health information (PHI), and any systems to which PACS connects.

In September 2019, a ProPublica report found 187 unprotected servers that were used to store and retrieve medical images. Those servers stored the medical images and associated PHI of more than 5 million patients in the United States. In some cases, the images could be accessed using a standard web browser and viewed using free-to-download software.

This year, the analyst team at CyberAngel scanned approximately 4.3 billion IP addresses worldwide and found 2,140 unprotected servers across 67 countries. Those servers were found to contain more than 45 million medical images. The images had up to 200 lines of metadata that included personally identifiable information and protected health information. According to the CyberAngel “Full Body Exposure” report, those images could be accessed via the Internet with a standard web browser. In some instances, login portals were present, but accepted blank username and password fields.

NIST released draft guidance on securing the PACS ecosystem shortly after the ProPublica report was published to help healthcare delivery organizations identify cybersecurity risks associated with PACS and implement stronger security controls while minimizing the impact on the availability of PACS and other components.

The final version of the guidance includes a comprehensive set of cybersecurity standards and best practices to adopt to improve the security of the PACS ecosystem, with the guidance covering asset management, access control, user identification and authentication, data security, security continuous monitoring, and response planning, recovery, and restoration.

“The final practice guide, which in addition to incorporating feedback from the public and other stakeholders, builds on the draft guide by adding remote storage capabilities into the PACS architecture. This effort offers a more comprehensive security solution that more closely mirrors real-world HDO networking environments,” explained NIST.

This practice guide can be used by HIPAA covered entities and their business associates to implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of PACS.

NIST Cybersecurity Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector is available on this link.

The guidance was developed by NIST/NCCoE in collaboration with Cisco, Clearwater Compliance, DigiCert, Forescout, Hyland, Microsoft, Philips, Symantec, TDI Technologies, Tempered Networks, Tripwire, Virtua Labs, and Zingbox.

The post NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem appeared first on HIPAA Journal.

FBI Warns of DoppelPaymer Ransomware Attacks Targeting Critical Infrastructure

The Federal Bureau of Investigation (FBI) has issued a private industry notification warning of an increase in DoppelPaymer ransomware activity and a change in tactics by the threat actors to pressure victims into paying.

DoppelPaymer ransomware first emerged in the summer of 2019 and has since been used in attacks on a range of verticals including healthcare, education, and emergency services. The ransomware is believed to be operated by the Evil Corp (TA505) threat group, which was behind Locky ransomware and the Dridex banking Trojan.

Like many human-operated ransomware operations, the threat group exfiltrates data prior to the encryption of files and uses the stolen data as leverage to get the ransom paid. While victims may be able to recover encrypted files from backups, the threat of the public release or sale of stolen data is sufficient to get them to pay the ransom demand.

The threat group is known for demanding large ransom payments, often as high as seven figures. The gang is also believed to have been the first to start cold calling victims to pressure them into paying, a tactic that has since been adopted by several other ransomware gangs including Ryuk, Conti, and Sekhmet.

The DoppelPaymer gang has been calling victims since at least February 2020 to issue threats if payment is not made, such as the public release of stolen data, the sale of stolen data, and even threats of violence. In one case, a call was made using a spoofed U.S. number by an individual claiming to be in North Korea who threatened to send someone to an employee’s home if the ransom was not paid. Subsequently, calls were made to several of the employee’s relatives.

The FBI explained in the alert that several attacks conducted in recent months have caused significant disruption to critical services. Many healthcare providers have been attacked, causing disruption to patient services. One attack on a hospital in Germany resulted in patients being redirected to alternative facilities, with one patient dying before treatment could be provided. Law enforcement officials later determined that the patient would likely have died due to poor health irrespective of the attack. The FBI also notes that when the threat group was notified that lives were being put at risk, the extortion attempt was withdrawn and the decryption keys were provided without charge.

Another attack, on a large U.S. healthcare provider in July 2019, impacted 13 servers. While the ransom was not paid and files were recovered from backups, the recovery process took several weeks. In September 2020, the ransomware gang attacked a 911 dispatch center, preventing the county from accessing its computer-aided dispatch (CAD) system. In a separate attack on a different county, servers were encrypted, preventing access to systems used by the emergency dispatch, patrol, jail, and payroll departments. A U.S. city was attacked in the summer of 2020, causing major disruption to emergency services, the police department, and government functions.

Ransomware attacks on healthcare organizations have increased as the year has gone on, with Kroll reporting a 75% increase in attacks on healthcare providers in October 2020. Ransom payments are similarly increasing. Beazley has reported that ransom demands in attacks on its clients doubled in the first six months of 2020, while Coveware reported that the average ransom demand rose to $234,000 in the third quarter of 2020, up 31% from Q2.

The FBI advises never paying ransom demands unless there is no alternative, as payment does not guarantee the recovery of files or prevent data exposure. Payment of the ransom also encourages the attackers to conduct further attacks and incentivizes others to get involved in ransomware operations.

The post FBI Warns of DoppelPaymer Ransomware Attacks Targeting Critical Infrastructure appeared first on HIPAA Journal.