Healthcare Cybersecurity

HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law

On January 5, 2020, President Trump added his signature to a bill (HR 7898) that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and creates a safe harbor for companies that have implemented recognized security best practices prior to experiencing a data breach.

While the bill does not go as far as preventing the Department of Health and Human Services’ Office for Civil Rights from imposing financial penalties for HIPAA compliance issues that contributed to a data breach, the amendment requires OCR to take into consideration the security measures that were in place to reduce cybersecurity risk in the 12 months prior to a data breach.

The main aim of the bill is to incentivize healthcare organizations to adopt an established, formalized, and recognized cybersecurity framework and adhere to industry security best practices, as doing so will provide a degree of insulation against regulatory enforcement actions.

The bill requires the HHS to consider an entity’s use of recognized security best practices when investigating reported data breaches and considering HIPAA enforcement penalties or other regulatory actions. If an entity has adopted the NIST Cybersecurity Framework or HITRUST CSF for example, it will be taken into consideration when calculating fines related to security breaches. Adoption of security best practices will mitigate remedies that would otherwise be agreed between an entity and the HHS to resolve potential violations of the HIPAA Security Rule.

The bill also requires the HHS to decrease the extent and length of audits if an entity is determined to have achieved industry-standard security best practices and makes it clear that the HHS is not authorized to increase fines for entities found not to have adhered to recognized security practices.

Recognized security practices are defined as “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.”

The healthcare industry is extensively targeted by hackers and healthcare data breaches are becoming much more common. Each year, the number of successful cyberattacks on healthcare organizations and their business associates increases and 2020 was no exception. 2020 was the worst ever year for healthcare industry data breaches by far. It is also worth noting that 2020 saw more HIPAA penalties imposed on HIPAA covered entities and business associates by the HHS’ Office for Civil Rights than any other year since the HHS was given the authority to impose financial penalties for HIPAA violations.

Healthcare organizations and HIPAA business associates that have not yet adopted a common cybersecurity framework or other recognized security practices should consider doing so now. Adoption of recognized security practices will help to reduce the risk of a data breach as well as the negative consequences if a data breach does occur.

The post HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law appeared first on HIPAA Journal.

FBI Issues Warning About Increasing Egregor Ransomware Activity

The Federal Bureau of Investigation (FBI) has issued a Private Industry Alert about the growing threat of Egregor ransomware attacks.

Egregor ransomware is a ransomware-as-a-service operation that was first identified in September 2020. The threat actors behind the operation recruit affiliates to distribute their ransomware and give them a cut of any ransoms they generate. The affiliates have been highly active over the past three months and have conducted attacks on many large enterprises. High-profile victims include Barnes & Noble, Ubisoft, Kmart, Crytek, and the Canadian transportation agency TransLink.

The threat group claims to have gained access to more than 150 corporate networks and deployed their ransomware, with the ransom demands exceeding $4 million. Many affiliates have been recruited by the Egregor ransomware gang and each has their preferred method of distributing the ransomware. With a wide range of tactics, techniques, and procedures used to deliver the ransomware, defending against attacks can be a challenge for network defenders.

Initial access to corporate networks is often gained through phishing attacks targeting corporate email accounts using attachments with malicious code that downloads the ransomware payload. Other tactics include brute force attacks on weak passwords and the exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs).

Once a network has been compromised, the attackers escalate privileges and move laterally within networks using tools such as Advanced IP Scanner, Cobalt Strike, AdFind, and malware such as QakBot. The network is explored to find sensitive data, which is exfiltrated using 7zip and Rclone, sometimes hiding the activity as a Service Host Process (svchost). The exfiltrated data is used to pressure victims into paying the ransom with the threat actors threatening to sell or publish the data if payment is not made.

The ransomware first appeared around the same time as the Maze ransomware operation shut down and any Maze ransomware affiliates switched to distributing Egregor ransomware. Several security researchers have suggested the Maze ransomware gang is running the Egregor ransomware operation due to the arrival of Egregor as the Maze operation shut down, similarities between the companies attacked and the ransom notes. The threat actors running the Egregor ransomware operation also appear to have considerable experienced running ransomware-as-a-service operations.

The FBI has advised against paying the ransom demands as there is no guarantee that valid keys will be supplied to unlock encrypted data and that stolen data may not be deleted even if the ransom is paid. Paying the ransom helps to fund future attacks and encourages the threat actors to continue.

Due to the diverse tactics, techniques, and procedures used to distribute the ransomware, network defenders need to harden security organization-wide. To ensure data can be recovered in the event of an attack, regular backups should be performed of critical data, and those backups should be stored offline, in the cloud or on an external hard drive that is not connected to the network. Backups should never be accessible from the network where the data resides.

Antivirus and antimalware solutions should be deployed and set to update automatically, email security gateways should be used to block phishing attacks, and multi-factor authentication should be implemented on corporate email accounts and remote access solutions. If multi-factor authentication cannot be implemented, it is essential to use strong passwords.

Secure networks should be used for remote access and public Wi-Fi networks should be avoided. Public-facing remote access solutions should be regularly updated and patches should be applied promptly. Several attacks saw networks compromised by exploiting vulnerabilities in RDP such as CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108. Patching these vulnerabilities should be prioritized. The FBI also recommends reviewing suspicious .bat and .dll files with recon data, such as .log files, and monitoring for the use of exfiltration tools.

Victims of Egregor ransomware attacks are being encouraged to report the attacks to their local FBI office or the FBI’s 24/7 CyberWatch. Victims should bear in mind that payment of a ransom potentially carries sanctions risks. Last year, the Office of Foreign Assets Control (OFAC) of the Treasury Department warned that paying a ransom could violate OFAC regulations if it involves a sanction nexus. OFAC should be contacted prior to victims paying any ransom payment in order to avoid future sanctions.

The post FBI Issues Warning About Increasing Egregor Ransomware Activity appeared first on HIPAA Journal.

Vulnerabilities Identified in Innokas Yhtymä Oy Vital Signs Monitors

Two medium-severity vulnerabilities have been identified in Innokas Yhtymä Oy vital signs monitors which allow communications between downstream devices to be modified and certain features of the monitors to be disabled. The vulnerabilities affect All versions of VC150 patient monitors prior to software version 1.7.15.

Vulnerable patient monitors have a stored cross-site scripting (XSS) vulnerability which allows a web script or HTML to be injected via the filename parameter to update multiple endpoints of the administrative web interface. The vulnerability is due to improper neutralization of input during web page generation. The vulnerability is tracked as CVE-2020-27262 and has been assigned a severity score of 4.6 out of 10.

The second vulnerability, tracked as CVE-2020-27260, is due to improper neutralization of special elements in the output used by downstream components. HL7 v2.x injection vulnerabilities allow physically proximate attackers with a connected barcode reader to inject HL7 v2.x segments into HL7 v2.x messages via multiple expected parameters. The vulnerability has been assigned a severity rating of 5.3 out of 10.

The vulnerabilities were identified by Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

Innokas Yhtymä Oy has released a software update to correct the flaws and recommends only using software version 1.7.15b or later. There have been no cases reported of the vulnerabilities being exploited in the wild.

It is also recommended to adhere to network best practices including segmenting networks, using VLANs, and isolating patient monitors. Physical protections should be implemented to prevent unauthorized access to patient monitors and clinical staff should be instructed to report any cases of unauthorized individuals attempting to login or tamper with the monitors.

The post Vulnerabilities Identified in Innokas Yhtymä Oy Vital Signs Monitors appeared first on HIPAA Journal.

Federal Task Force Says SolarWinds Supply Chain Attack Likely Russian in Origin

A joint statement has been issued by the Federal Bureau of Investigation (FBI), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) on behalf of the Trump Administration attributing the supply chain attack on SolarWinds Orion software to Russian threat actors.

Following the attack, the National Security Council created a task force known as the Cyber Unified Coordination Group (UCG) to investigate the breach, which consisted of the FBI, CISA, and ODNI, with support provided by the NSA. The task force is still investigating the scope of the data security incident but has announced that the attack was conducted by an Advanced Persistent Threat (APT) actor and was “likely Russian in origin.”

Evidence has been mounting that the SolarWinds software was compromised as part of an intelligence gathering operation run by Russia. While several media outlets have previously reported the security breach as being a Russia-led operation, and Secretary of State Mike Pompeo and former Attorney General Bill Barr both suggested Russia was behind the campaign, this is the first official public attribution issued by the Trump administration. President Trump had previously stated China may have been involved and has yet to comment on the attribution to Russia. Russia has denied any involvement in the attack.

The hackers compromised the software update feature of SolarWinds Orion software an incorporated a backdoor dubbed Sunburst/Solarigate which remote access the systems of organizations that downloaded the compromised software update.  The investigation confirmed the operation has been active for nine months, during which time the systems of thousands of organizations were compromised. The hackers then picked targets of interest for further compromise. The second stage of the attack saw further malware delivered and the hackers attempt to gain access to victims’ cloud environments. Microsoft said gaining access to the cloud environments of victims was the primary goal of the attack.

The UCG believes the systems of around 18,000 public and private sector companies were breached via the SolarWinds Orion software update; however, a much smaller number experienced follow-on activity on their systems. Amazon and Microsoft have launched investigations in the security breach and have been examining their cloud environments for signs of compromise. Based on their evidence, it appears that the cloud environments of around 250 of the 18,000 victims were compromised. That figure may well rise as the investigation into the attack continues.

A further malware variant called Supernova – a web shell – has also been detected on the networks of some victims. This malware variant was delivered by exploiting a zero-day vulnerability in the SolarWinds Orion software and does not appear to have been delivered by the same threat actors.

Fewer than 10 U.S. government agencies had their systems breached. The Department of Justice is the most recent government agency to announce it was affected. While the hackers had access to its systems, the DOJ said the breach was limited to its Microsoft Office 365 email environment and only around 3% of its mailboxes were accessed. The DOJ said none of its classified systems appear to have been breached.

The post Federal Task Force Says SolarWinds Supply Chain Attack Likely Russian in Origin appeared first on HIPAA Journal.

NSA Releases Guidance on Eliminating Weak Encryption Protocols

The National Security Agency (NSA) has released guidance to help organizations eliminate weak encryption protocols, which are currently being exploited by threat actors to decrypt sensitive data.

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols were developed to create protected channels using encryption and authentication to ensure the security of sensitive data between a server and a client.  The algorithms used by these protocols to encrypt data have since been updated to improve the strength of encryption, but obsolete protocol configurations are still in use. New attacks have been developed that exploit weak encryption and authentication protocols, which are being actively used by threat actors to decrypt and obtain sensitive data.

The NSA explains that most products that use obsolete TLS versions, cipher suites, and key exchange methods have been updated, but implementations have often not kept up and continued use of these out-of-date TLS configurations carries an elevated risk of exploitation. Continued use of outdated protocols provides a false sense of security, as while data transmissions are protected, the level of protection provided is insufficient to prevent decryption of data by nation state actors and other well-resourced threat actors.

The new NSA guidance explains how to detect outdated TLS and SSL configurations, replace them with newer, more secure versions, and block obsolete TLS versions, cipher suites, and key exchange methods.

 

The guidance is primarily aimed at cybersecurity leaders in the National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB), but can be used by all network owners and operators to better secure sensitive data.

The NSA recommends updating SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 and only using TLS 1.2 or TLS 1.3. The guidance included detailed information on the tools, network signatures, and server configurations necessary to only allow strong encryption protocol configurations.

“Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks,” said the NSA in the guidance. “To help system administrators fix their network components, NSA developed several server configurations and network signatures to accompany the report that are available on the NSA Cybersecurity Github.”

Updating TLS configurations will ensure that government agencies and enterprise organizations have stronger encryption and authentication and will better protect sensitive data.

The post NSA Releases Guidance on Eliminating Weak Encryption Protocols appeared first on HIPAA Journal.

Healthcare Industry Cyberattacks Increase by 45%

In the fall of 2020, a warning was issued to the healthcare and public health sector following a spike in ransomware activity. The joint CISA, FBI, and HHS cybersecurity advisory explained that the healthcare industry was being actively targeted by threat actors with the aim of infecting systems with ransomware. Several ransomware gangs had stepped up attacks on the healthcare and public health sector, with the Ryuk and Conti operations the most active.

A new report from Check Point shows attacks continued to increase in November and December 2020, when there was a 45% increase in cyber-attacks on healthcare organizations globally. The increase was more than double the percentage rise in attacks on all industry sectors worldwide over the same period. Globally, there was an average of 626 cyberattacks on healthcare organizations each week in November and December, compared to 430 attacks in October.

The vectors used in the attacks have been varied, with Check Point researchers identifying an increase in ransomware, botnet, remote code execution, and DDoS attacks in November and December; however, ransomware attacks showed the largest percentage increase and ransomware remains the biggest malware threat.

Conti ransomware continues to pose a threat and has been used in many healthcare industry ransomware attacks, although Ryuk remains the most commonly used ransomware variant, followed by Sodinokibi. The biggest increase in attacks was in Central Europe, which saw a 145% spike in attacks, followed by East Asia (137%) and Latin America (112%). There was a 67% rise in attacks in Europe and a 37% increase in North America. The country with the biggest increase was Canada, which saw attacks increase by 250%.

Ransomware attacks are financially motivated. Ransomware gives threat actors a large payout in a matter of days after conducting an attack and ransoms are often paid to allow files to be restored or to prevent the release or sale of stolen sensitive data. The healthcare industry is targeted because there is a higher probability that a ransom will be paid than attacks on other industry sectors. Healthcare providers need to restore access to patient data quickly to ensure care can continue to be provided to patients, especially at a time when there is tremendous pressure due to the number of new patients requiring treatment for COVID-19.

While it is still common for ransomware to be distributed via spam email and exploit kits, the attacks on the healthcare industry have been highly targeted, with the main ransomware variants used in the attacks delivered manually. Initial access to healthcare networks is gained using a variety of methods. Many ransomware attacks start with phishing emails that deliver Trojans such as Emotet, TrickBot, and Dridex. Check Point advises security professionals to search for these Trojans on the network, along with Cobalt Strike, all of which are used to deliver Ryuk ransomware.

Many ransomware attacks start with a phishing email, so it is important to ensure that anti-phishing cybersecurity solutions are implemented, and for employees to receive regular training to help them identify phishing and social engineering attacks.

While most phishing attacks occur in the week during business hours, ransomware attacks commonly commence over the weekend and during holidays, when monitoring by security staff is likely to be reduced. Healthcare organizations are advised to raise their guard over the weekend and during holidays to detect attacks in progress.

Vulnerabilities in software and operating systems are commonly exploited to gain access to healthcare networks, so prompt patching is vital, but in healthcare it is not always possible for patches to be applied. Check Point recommends using an intrusion prevention system (IPS) with virtual patching capabilities that can prevent the exploitation of vulnerabilities in systems and applications that cannot be patched. Anti-ransomware cybersecurity solutions should also be used that have a remediation feature that can block attacks within minutes if ransomware is deployed.

The post Healthcare Industry Cyberattacks Increase by 45% appeared first on HIPAA Journal.

Hidden Backdoor Identified in 100,000 Zyxel Devices

A vulnerability has been identified in Zyxel devices such as VPN gateways, firewalls, and access point (AP) controllers that could be exploited by threat actors to gain remote administrative access to the devices. By exploiting the vulnerability, threat actors would be able to make changes to firewall settings, allow/deny certain traffic, intercept traffic, create new VPN accounts, make internal services publicly accessible, and gain access to internal networks behind Zyxel devices. Around 100,000 Zyxel devices worldwide have the vulnerability.

Zyxel manufacturers networking equipment and its devices are popular with small to medium sized businesses and are also used by large enterprises and government agencies.

The vulnerability, tracked as CVE-2020-29583, was identified by Niels Teusink of the Dutch cybersecurity firm EYE, who discovered a hidden user account in the latest version of Zyxel firmware (4.60 patch 0).  The user account, zyfwp, which was not visible in the user interface of the products, was discovered to have a hardcoded plain-text password which Teusink found in one of the product binaries. The hardcoded administrative password was introduced in the latest version of the firmware.

Teusink was able to use the credentials to login to vulnerable devices over SSH and the web interface. Since the password is hardcoded, users of the devices are unable to change the password. An attacker could use the credentials to login remotely and compromise a vulnerable Zyxel device.

“As SSL VPN on these devices operates on the same port as the web interface, a lot of users have exposed port 443 of these devices to the internet,” said Teusink.

The vulnerability was reported to Zyxel and a patch has been released to correct the flaw. Zyxel explained that the account had been included to allow the company to deliver automatic firewall updates to connected access points through FTP.

The flaw is present in several Zyxel products including the Zyxel Advanced Threat Protection (APT) firewall, Unified Security Gateway (USG), USG Flex, and VPN version 4.60 and Zyxel AP Controllers NXC2500 and NXC5500 version 6.10.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) issued an alert about the vulnerability which was rated high risk for large and medium government entities and large and medium business entities, and medium risk for small government entities and small business entities.

All users of the vulnerable products have been advised to apply the patch as soon as possible to prevent exploitation. While there have not been any reported cases of exploitation of the vulnerability in the wild, exploitation of the flaw is likely.

Affected product series Patch available in
Firewalls  
ATP series running firmware ZLD V4.60 ZLD V4.60 Patch1 in Dec. 2020
USG series running firmware ZLD V4.60 ZLD V4.60 Patch1 in Dec. 2020
USG FLEX series running firmware ZLD V4.60 ZLD V4.60 Patch1 in Dec. 2020
VPN series running firmware ZLD V4.60 ZLD V4.60 Patch1 in Dec. 2020
AP controllers

 

 
NXC2500 running firmware V6.00 through V6.10 V6.10 Patch1 on Jan. 8, 2021
NXC5500 running firmware V6.00 through V6.10 V6.10 Patch1 on Jan. 8, 2021

MS-ISAC has made the following recommendations to mitigate the threat.

  • Apply appropriate updates provided by Zyxel to vulnerable systems, immediately after appropriate testing.
  • Run all software as a non-privilege user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

The post Hidden Backdoor Identified in 100,000 Zyxel Devices appeared first on HIPAA Journal.

Largest Healthcare Data Breaches in 2020

2020 was the worst ever year for healthcare industry data breaches. 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed in those breaches, which makes 2020 the third worst year in terms of the number of breached healthcare records.

The chart below clearly shows how healthcare industry data breaches have steadily increased over the past decade and the sharp rise in breaches in the past two years.

The Largest Healthcare Data Breaches in 2020

When a breach occurs at a business associate of a HIPAA-covered entity, it is often the covered entity that reports the breach rather than the business associate. In 2020, a massive data breach was experienced by the cloud service provider Blackbaud Inc. Hackers gained access to its systems and stole customer fundraising databases before deploying ransomware. Blackbaud was issued with a ransom demand and a threat that the stolen data would be released publicly if the ransom was not paid. Blackbaud decided to pay the ransom to prevent the exposure of client data. Blackbaud received assurances that the stolen data was permanently deleted and not been further disclosed.

The total victim count from the Blackbaud ransomware attack may never be known, but more than 6 dozen healthcare providers have reported being affected to date and over 8 million healthcare records have potentially been compromised. That breach clearly tops the list of the largest healthcare data breaches in 2020 and ranks as one of the largest healthcare data breaches of all time.

2020’s Largest Healthcare Data Breaches

The individual entities that reported data breaches in 2020 involving more than 300,000 healthcare records are listed below. In some cases, the actual data breach occurred prior to 2020, but was only discovered and reported in 2020.

Trinity Health – 3,320,726 Individuals

At more than 3.3 million records, Trinity Health was the worst affected healthcare victim of the ransomware attack on Blackbaud Inc. The hackers potentially obtained the philanthropy database of the Livonia, Michigan-based Catholic health system, which contained patient and donor information from 2000 to 2020.

MEDNAX Services, Inc. – 1,290,670 Individuals

Sunrise, FL-based MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, suffered a breach of its Office 365 environment in June 2020 after employees responded to phishing emails. The breach was extensive, involving patient and guarantor information such as Social Security numbers, driver’s license numbers, and health insurance and financial information.

Inova Health System – 1,045,270 Individuals

Virginia-based Inova Health System was also a victim of the Blackbaud ransomware attack. The hackers gained access to Blackbaud’s systems on February 7, 2020 and the breach continued until May 20, 2020. Ransomware was deployed on May 14, 2020. Inova’s fundraising database was potentially compromised which contained patient and donor information.

Magellan Health Inc. 1,013,956 Individuals

Arizona-based Magellan Health was the victim of an April 2020 ransomware attack in which the protected health information of patients was potentially compromised. The attack ended with the deployment of ransomware but started with a spear phishing email. Several of its affiliated entities were also affected by the breach.

Dental Care Alliance – 1,004,304 Individuals

Sarasota, FL-based Dental Care Alliance, LLC, a dental support organization with more than 320 affiliated dental practices across 20 states, reported a breach of its systems in December. Few details have been released about the nature of the hacking incident as the investigation is still ongoing. The breach affected many of its affiliated dental practices.

Luxottica of America Inc. – 829,454 Individuals

Luxottica of America Inc., an operator of vision care facilities across the United States and owner of the eyewear brands Ray-Ban, Oakley, and Persol, experienced a cyberattack in August 2020 which saw hackers gain access to its web-based appointment scheduling system which contained the PHI of patients of its eye care partners.

Northern Light Health – 657,392 Individuals

The Maine health system Northern Light Health was also a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database which contained patient and donor information.

Health Share of Oregon – 654,362 Individuals

In May 2020, the Medicaid coordinated care organization Health Share of Oregon reported the theft of a laptop computer from its non-emergent medical transportation vendor. The laptop was stolen in November 2019 and was not encrypted, which potentially gave the thief access to patents’ contact information, Health Share ID numbers, and Social Security numbers.

Florida Orthopaedic Institute – 640,000 Individuals

Florida Orthopaedic Institute suffered a ransomware attack in April which saw patient information on its servers encrypted. Prior to the use of ransomware, patient data may have been viewed or obtained by the hackers.

Elkhart Emergency Physicians – 550,000 Individuals

Elkhart Emergency Physicians reported a breach in May 2020 involving the improper disposal of patient records by a third-party storage vendor – Central Files Inc. Elkhart Emergency Physicians was the worst affected entity, but several other clients of the vendor were also impacted by the breach. The records had been dumped without being shredded after the storage facility permanently closed.

Aetna ACE – 484,157 Individuals

Aetna reported a data breach in December which occurred at business associate EyeMed, which provides vision benefit services for its members. The breach occurred when an EyeMed employee responded to a phishing email, which allowed the attacker to gain access to email accounts containing PHI. Several EyeMed clients were affected by the breach.

Saint Luke’s Foundation – 360,212 Individuals

Kansas City, MO-based Saint Luke’s Foundation was also a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database which contained patient and donor information.

NorthShore University Health System – 348,746 Individuals

Evanston, IL-based NorthShore University Health System was also affected by the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database.

SCL Health Colorado – 343,493 Individuals

SCL Health Colorado was also a victim of the Blackbaud ransomware attack. The PHI of patients in its Colorado, Montana and Kansas locations was potentially accessed by the attackers.

AdventHealth – 315,811 Individuals

The Altamonte Springs, FL-based healthcare system AdventHealth was also a victim of the Blackbaud ransomware attack which saw the hackers gain access to its fundraising database.

Nuvance Health – 314,829 Individuals

Nuvance Health was a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database between February and May.

Magellan Rx Management – 314,704 Individuals

Magellan Rx Management was one of the victims of the ransomware attack on its parent company, Magellan Health, in April. The hackers potentially stole patient data prior to encrypting files.

The Baton Rouge Clinic – 308,169 Individuals

The Baton Rouge Clinic in Louisiana experienced a cyberattack in early July involving ransomware. The attackers potentially viewed or obtained patient data prior to the deployment of ransomware.

The post Largest Healthcare Data Breaches in 2020 appeared first on HIPAA Journal.

CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool

The DHS’ Cybersecurity and infrastructure Security Agency has launched a website providing resources related to the ongoing cyber activities of the advanced persistent threat (APT) group responsible for compromising the SolarWinds Orion software supply chain.

The threat actors behind the attack gained access to the networks of federal, state, and local governments, critical infrastructure entities, and private sector organizations around the world. In addition to compromising the software update mechanism of SolarWinds Orion, the hackers also exploited vulnerabilities in commonly used authentication mechanisms to gain persistent access to networks.

According to Microsoft, the main goal of the attackers appears to be to gain persistent local access to networks by delivering the Sunburst/Solarigate backdoor, then pivot to victims’ cloud assets. Recently it has become clear that more than one threat group is conducting cyber espionage after the discovery of a different malware variant that was introduced through the SolarWinds Orion software update feature. Microsoft and Palo Alto Networks believe the second malware variant, named Supernova, is not associated with the group that deployed the Sunburst/Solarigate backdoor.

Several resources have already been published to help organizations assess the risk associated with the cyber activity and detect and mitigate potential breaches and eliminate the threat actors from their networks. The new website pools the resources and provides easy access to pertinent information on this global incident. The website will be regularly updated as new information becomes available as the investigations into the cyber activity continue.

The APT actor has compromised the networks of a large number of entities and is selectively choosing targets of interest for further network exploitation, but any organization that has installed the compromised software updates is at risk if corrective action is not taken.

It is important for all organizations that use SolarWinds Orion to take action to investigate for signs of compromise. As CISA explained in its latest alert, “If left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk.” CISA also points out that even if entities have not installed the compromised SolarWinds Orion update, that does not necessary mean they will not be affected. Their managed service providers and partners may have been compromised, which could give the APT actor access to their networks.

The website includes a link to a free tool that has been released by CISA for detecting unusual and potentially malicious activity in Azure/Microsoft Office 365 environments. The new tool provides a narrowly focused view of activity related to the identity- and authentication-based attacks that have been observed across a wide range of sectors following the deployment of the Sunburst/Solarigate backdoor.

The tool – named Sparrow – can be used to narrow down large data sets of investigation modules and telemetry to provide information specific to the attacks on federated identity sources and applications.

The post CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool appeared first on HIPAA Journal.