Healthcare Cybersecurity

Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign

A phishing campaign has been identified that uses fake VPN alerts as a lure to get remote workers to divulge their Office 365 credentials.

Healthcare providers have increased their telehealth services during the COVID-19 public health emergency in an effort to help prevent the spread of COVID-19 and ensure that healthcare services can continue to be provided to patients who are self-isolating at home.

Virtual private networks (VPNs) are used to support telehealth services and provide secure access the network and patient data. Several vulnerabilities have been identified in VPNs which are being exploited by threat actors to gain access to corporate networks to steal sensitive data and deploy malware and ransomware. It is therefore essential for VPN systems to be patched promptly and for VPN clients on employee laptops to be updated. Employees may therefore be used to updating their VPN.

Researchers at Abnormal Security have identified a phishing campaign that impersonates a user’s organization and claims there is a problem with the VPN configuration that must be addressed to allow the user to continue to use the VPN to access the network.

The emails appear to have been sent by the IT Support team and include a hyperlink that must be clicked to install the update. The user is told in the email that they will be required to supply their username and password to login to perform the update.

This campaign targets specific organizations and spoofs an internal email to make it appear that the email has been sent from a trusted domain. The hyperlink has anchor text related to the user’s organization to hide the true destination URL to make it appear legitimate. If the user clicks the hyperlink in the email, they will be directed to a website with a realistic Office 365 login prompt. The phishing webpage is hosted on a legitimate Microsoft .NET platform so has a valid security certificate.

Fake VPN Alert Phishing

Source: Abnormal Security

Login credentials entered on the site will be captured by the attacker and can be used to access the individual’s Office 365 email account and obtain sensitive data in emails and attachments, as well as other data accessible using the Office 365 credentials through single sign-on.

Abnormal Security has found a variety of phishing emails that use variations of this message, which have been sent from several different IP addresses. Since the destination phishing URL is the same in each email, it suggests that the emails are part of the same campaign and have been sent by a single attacker.

The post Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign appeared first on HIPAA Journal.

Mobile Phishing Attacks Have Surged During the COVID-19 Health Crisis

Cybercriminals have changed their tactics, techniques, and procedures during the COVID-19 health crisis and have been targeting remote workers using COVID-19 themed lures in their phishing campaigns. There has also been a sharp increase in the number of phishing attacks targeting users of mobile devices such as smartphones and tablets, according to a recent report from mobile security company Lookout.

Globally, mobile phishing attacks on corporate users increased by 37% from Q4, 2019 to the end of Q1, 2020 with an even bigger increase in North America, where mobile phishing attacks increased by 66.3%, according to data obtained from users of Lookout’s mobile security software. Phishers have also been targeting remote workers in specific industry sectors such as healthcare and the financial services.

While the sharp increase in mobile phishing attacks has been attributed to the change in working practices due to the COVID-19 pandemic, there has been a steady rise in mobile phishing attacks over the past few quarters. Phishing attacks on mobile device users tend to have a higher success rate, as users are more likely to click links than when using a laptop or desktop as the phishing URLs are harder to identify as malicious on smaller screen sizes.

While the full URL is likely to be displayed on a laptop computer or desktop, a mobile device will only display the last section of the URL, which can be crafted to make the URL appear genuine on mobile devices. When working from home, employees are more likely to resort to using their mobile to perform tasks to stay productive, suggests Lookout, especially employees that do not have a large screen or multiple monitors at home as they do in the office.

Mobile devices typically lack the same level of security as laptops and office computers, making it less likely that phishing messages will be blocked. There are also more ways that phishing URLs can be delivered to mobile devices than laptops and desktops. On a desktop, phishing URLs will mostly be delivered via email, but on mobile devices they can easily be delivered via email, SMS, messaging apps, and social media and dating apps. There is also a tendency for mobile users to act faster and not stop and think about whether a request is legitimate, even though they may be particularly careful on a laptop or desktop.

The rise in phishing attacks targeting mobile users is a security concern and one that should be addressed by employers through education efforts and security awareness training, especially with remote workers. Phishing awareness training should cover the risk of mobile phishing attacks and explain how URLs can be previewed on mobile devices and other steps that should be taken to verify the validity of requests.

“If the message appears to come from someone you recognize but seems like a strange ask or takes you to a strange site, get in contact with that person directly and validate the communication,” said Hank Schless, senior manager of security solutions at Lookout. “In a time of remote work, it’s even more important to validate any sort of strange communication.”

Education alone may not be sufficient. Security software should also be used on mobile devices to better protect end users from phishing and malware attacks.

The post Mobile Phishing Attacks Have Surged During the COVID-19 Health Crisis appeared first on HIPAA Journal.

Russian Sandworm Group Targeting Exim Mail Servers, Warns NSA

A Russian hacking outfit called Sandworm (Fancy Bear) is exploiting a vulnerability in the Exim Mail Transfer Agent, which is commonly used for Unix-based systems. The flaw, tracked as CVE-2019-10149, is a remote code execution vulnerability that was introduced in Exim version 4.87.

An update was released on June 5, 2019 to correct the flaw, but many organizations have still not updated Exim and remain vulnerable to attack.

The vulnerability can be exploited by sending a specially crafted email which allows commands to be executed with root privileges. After exploiting the flaw, an attacker can install programs, execute code of their choosing, modify data, create new accounts, and potentially gain access to stored messages.

According to a recent National Security Agency (NSA) alert, Sandworm hackers have been exploiting the flaw by incorporating a malicious command in the MAIL FROM field of an SMTP message. Attacks have been performed on organizations using vulnerable Exim versions that have internet-facing mail transfer agents.

After exploiting the vulnerability, a shell script is downloaded from a remote server under the control of the hackers which is used to add privileged users, update SSH configurations to allow remote access, disable network security settings, and execute an additional script to allow further exploitation. This would potentially allow the hackers to gain full control of the email server. Were that to happen, all incoming and outgoing email could be intercepted and exfiltrated.

Sandworm is part of Russia’s General Staff Main Intelligence Directorate, otherwise known as GRU. The hackers have previously conducted attacks on countries in Europe and the United States. The group has conducted several cyberattacks on foreign governments is believed to have been involved in Russia’s efforts to influence the outcome of the 2016 presidential election.

The NSA has suggested mitigations to prevent exploitation of the flaw, the most important of which is updating Exim immediately to version 4.93 or a later release. The update will correct the CVE-2019-10149 vulnerability and other vulnerabilities that could potentially be exploited. After updating, administrators should make sure that software versions are regularly checked and updated as soon as new versions are released. Exim Mail Transfer Agent software can be updated through the Linux distribution’s package manager or directly from Exim.

If it is not possible to update immediately, it may be possible to detect and block exploit attempts. For instance, “Snort 3 rule 1-50356 alerts on exploit attempts by default for registered users of a Snort Intrusion Detection System (IDS).” Administrators should also routinely verify there have been no unauthorized system modifications such as additional accounts and SSH keys. Modifications would indicate a compromise.

The NSA recommends limiting user access privileges when installing public-facing mail transfer agents and network segmentation should be used to separate roles and requirements. It is important to keep public mail transfer agents separate from sensitive internal resources in a DMZ enclave, and firewall rules should be set to block unexpected traffic from reaching trusted internal resources. It is also important to only permit mail transfer agents to send outbound traffic to necessary ports. All other ports should be blocked.

“If an MTA DMZ was configured in a least access model, for example to deny by default MTA initiated outbound traffic destined for port 80/443 on the Internet while only permitting traffic initiated from an MTA to necessary hosts on port 80/443, the actors’ method of using CVE-2019-10149 would have been mitigated,” explained the NSA in their alert.

The post Russian Sandworm Group Targeting Exim Mail Servers, Warns NSA appeared first on HIPAA Journal.

HHS’ OIG to Scrutinize HHS COVID-19 Response and Recovery Efforts

The HHS’ Office of Inspector General (OIG) has published a strategic plan for oversight of the COVID-19 response and recovery efforts of the Department of Health and Human Services.

OIG will assess how well the HHS has performed in its mission to ensure the health and safety of Americans, determine whether HHS systems and data have been adequately protected, evaluate the effectiveness of the HHS response, and assess whether the $251 billion in COVID-19 funding has been correctly distributed by the HHS.

OIG has a mandate to oversee the activities of the HHS to promote the economy, efficiency, effectiveness, and integrity of HHS programs. OIG explained that “COVID-19 has created unprecedented challenges for the HHS and for the delivery of health care and human services to the American people.” Through audits, risk assessments, and data analytics, OIG will be assessing the HHS’s COVID-19 response and recovery efforts.

The HHS has a responsibility to protect the health and safety of Americans during a public health emergency such as the COVID-19 pandemic and protect beneficiaries that receive services through the HHS health care and human services programs. OIG will be providing the HHS with assistance and will support the HHS’s ongoing COVID-19 response efforts and will assist in fighting fraud and scams that endanger HHS beneficiaries and the public.

OIG will be investigating cases of fraud and will be working closely with law enforcement to protect the public and HHS beneficiaries. OIG will also assess the effectiveness and impact of HHS programs on the health and safety of the public and beneficiaries through audits and evaluations, including the acquisition, management, and distribution of resources from the Strategic National Stockpile, production, approval, and distribution of COVID-19 tests; vaccine and treatment research and development, and HHS health care and human services programs.

OIG’s oversight and enforcement activities include protecting HHS funds from fraud, waste and abuse and promoting transparency and accountability of HHS spending. In May 2020, $251 billion was made available to the HHS for COVID-19 response and recovery. OIG will be assessing whether that funding has been paid out in accordance with program requirements, determining whether recipients of funds met use and reporting requirements, and will investigate and fight fraud and abuse that has diverted COVID-19 funding from its intended purposes.

Cyberattacks against the HHS and healthcare organizations have increased considerably during the COVID-19 pandemic, and nation-states have been attempting to obtain sensitive data and intellectual property in relating to SARS-CoV-2 and the COVID-19 response. OIG explained that technologies that have been employed as part of the COVID-19 response could be targeted by threat actors to gain access to sensitive data. It is therefore essential that HHS IT infrastructure is properly protected, and vulnerabilities are proactively identified and addressed.

OIG will be assessing the capabilities of the HHS for detecting and mitigating IT vulnerabilities, will be conducting audits to determine whether vulnerabilities have been mitigated, and will investigate cybersecurity threats and attacks on HHS systems. OIG will provide assistance to the HHS to support a secure and robust infrastructure.

OIG will also be investigating the effectiveness of the HHS’s COVID-19 response and recovery programs and will identify opportunities to increase effectiveness and help ensure recipients of HHS COVID-19 response and recovery funding achieve the program goals. Successful practices and lessons learned during the COVID-19 response and recovery will be used to strengthen HHS programs in the future and improve preparedness planning for future public health emergencies.

The post HHS’ OIG to Scrutinize HHS COVID-19 Response and Recovery Efforts appeared first on HIPAA Journal.

NetWalker Ransomware Gang Targeting the Healthcare Industry

While some threat groups have stated that they will not attack healthcare organizations on the frontline in the fight against COVID-19, that is certainly not the case for the operators of NetWalker ransomware, who have been actively targeting the healthcare industry during the COVID-19 public health emergency .

Recent research conducted by Advanced Intelligence LLC has revealed the operators of the ransomware have been conducting extensive attacks on healthcare industry targets and operations are now being significantly expanded.

Most ransomware attacks conducted by Russian-speaking threat actors involve large-scale phishing campaigns rather that targeted attacks. NetWalker ransomware has been spread in this manner during the COVID-19 pandemic through spam emails claiming to provide information about SARS-CoV-2 and COVID-19 cases. The emails include a Visual Basic script file attachment named CORONAVIRUS_COVID-19.vbs, which downloads the ransomware from a remote server.

While phishing emails are still being used, the group is now moving into large-scale network infiltration. Representatives of the group have been posting advertisements on top-tier darknet forums announcing a new affiliate program under the ransomware-as-a-service model. While many threat groups are not particularly choosy about who they recruit to spread their ransomware, the NetWalker gang is opting for a quality rather than quantity approach and is only looking to recruit capable affiliates who have or are able to gain access to enterprise networks.

The gang is prioritizing affiliates who already have access to enterprise networks and is looking to work with hackers who have extensive experience who are capable of conducting regular attacks. As is common with Russian threat groups, affiliates are forbidden from attacking Russian or CIS targets.

The group claims it has the ability to exfiltrate data prior to data encryption and files stolen from victims will be published on its blog if the ransom is not paid, as is the case with other manual ransomware groups. The group also states that it will always decrypt files when the ransom is paid.

To attract experienced hackers, the group is offering a high percentage of the ransom payment for the affiliate. Many affiliate programs offer a 30/70 split of ransom payments, with the 70% going to the affiliate. NetWalker is offering 80% of all ransom payments if under $300K, and 84% for payments in excess of $300K. The ransoms demanded by the group so far have been significant, ranging from several hundred thousand dollars to millions.

The group has conducted attacks on several healthcare organizations, including the Champaign-Urbana Public Health District in Illinois in March, along with attacks on other major targets such as Toll Group, an Australian shipping firm, and the Australian customer experience firm Stellar.

The group has been using fileless ransomware according to Trend Micro. Fileless ransomware is not written to the disk and only operates in the memory, which makes it hard for security solutions to identify attacks. Microsoft has warned of attacks on healthcare providers in which the attackers used misconfigured IIS-based applications to deploy the Mimikatz credential-stealing tool, and PsExec to deploy NetWalker.

The change in tactics, techniques and procedures favoring highly targeted attacks, the current affiliate recruitment campaign, and the high percentages offered to affiliates are likely to see NetWalker ransomware become an even bigger threat over the coming months with the group joining other prolific manual ransomware threat groups such as Maze and REvil.

With manual ransomware attacks on healthcare organizations increasing, network defenders should take preemptive measures to reduce risks, such as addressing known vulnerabilities, securing vulnerable internet-facing systems, checking servers and applications for misconfigurations, and monitoring for the use of penetration testing tools, security log tampering, and credential theft activities which could indicate an previous system compromise.

The post NetWalker Ransomware Gang Targeting the Healthcare Industry appeared first on HIPAA Journal.

Senators Seek Answers from CISA and FBI About Threat to COVID-19 Research Data

Four Senators have written to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) in response to the recent alert warning COVID-19 research organizations that hackers with links to China are conducting attacks to gain access to COVID-19 vaccine and research data.

On May 13, 2020, CISA and the FBI issued a joint alert warning organizations in the healthcare, pharmaceutical, and research sectors that they are prime targets for hackers. Hacking groups linked to the People’s Republic of China have been attempting to infiltrate the networks of U.S. companies to gain access to intellectual property, public health data, and information related to COVID-19 testing, potential vaccines, and treatment information.

“China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19,” warned CISA and the FBI. “The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”

In the letter, Thom Tills (R-NC), Richard Blumenthal (D-CT), John Cornyn (R-TX), and Ben Sasse (R-NE) praised the efforts of both agencies to raise awareness of the threat and investigate attacks. “It is absolutely unacceptable for Chinese government affiliated hackers to attempt to steal or disrupt important research from companies and institutions who are developing essential diagnostics, cures, and treatments,” wrote the Senators.

The Senators reiterated the advice offered by both agencies and have urged all U.S. companies and academic institutions involved in the COVID-19 response to take full advantage of the resources suggested by the agencies to improve their cybersecurity defenses and to also ensure than any attempted attacks are reported to the FBI immediately.

The Senators explained that they stand ready and willing to assist both agencies in their efforts to deal with the threat and prevent the theft of intellectual property from U.S. firms, and have asked how they can best support both agencies.

The Senators have asked what additional statutory tools or authorities the agencies need to combat the state-sponsored hacking of U.S. companies more effectively, and what additional financial resources and appropriations are required to allow the agencies to investigate further attempts by state-sponsored hackers to obtain sensitive research data.

The Senators have also requested information on the steps both agencies are taking to inform U.S. companies and research organizations about the threat of attack, and how the agencies are helping companies and research institutions to improve their cybersecurity defenses and prevent further intrusions and data theft.

The Senators have requested answers to the questions in a classified briefing with their staff no later than June 20, 2020.

The post Senators Seek Answers from CISA and FBI About Threat to COVID-19 Research Data appeared first on HIPAA Journal.

H-ISAC Publishes Framework for Managing Identity in Healthcare

The Health Information Sharing and Analysis Center (H-ISAC) has published a framework for CISOs to manage identity and defend their organization against identity-based cyberattacks. This is the second white paper to be published by H-ISAC covering the identity-centric approach to security. The first white paper explains why an identity-centric approach to cybersecurity is now needed, with the latest white paper detailing how that approach can be implemented.

By adopting the framework, CISOs will be able to manage the full identity lifecycle of employees, patients, practitioners, and business partners in a way that guards against cyberattacks on identity, lowers risk, and increases operational efficiencies.

The framework has been developed for CISOs at healthcare organizations of all sizes. As such, it does not offer a one-size-fits-all approach. Instead, components of the framework can be applied differently based on different environments and use cases. CISOs will need to assess the resources available and their unique risks and decide how best to apply the framework.

The framework details the different components that are required in a modern identity-centric approach to cybersecurity and outlines how those components integrate and inter-relate to secure the enterprise.

The central concept of the framework is simple. How to allow users to access resources in a way that protects against cyberattack. At the heart of the framework is an identity governance and administration system, which serves as the central nervous system that ties in all the other components and ensures they work seamlessly together.

The identity governance and administration system allows organizations to establish set rules and processes related to the creation, removal, and updating of accounts, manage policies and processes of all aspects of their identity and access management (IAM) system, manage privilege escalation requests, conduct audits for compliance purposes, and take actions to remediate any misuses of the IAM system.

The framework uses identity directories as an authoritative identity store for an organization, which detail roles, accounts, attributes, and the privileges associated with different roles and accounts. The white paper details three guiding principles for authorization: Granting privileges, managing privileges, and reviewing privileges. Privileges must be tightly controlled and assigned based on roles, rights, and responsibilities. Processes must be defined to manage privileges and update them as circumstances change. Reviews should also be conducted to ensure that users have only been assigned rights that are appropriate for their role and responsibilities.

A few years ago, all that was required to gain access to resources was a password, but threat actors are now adept at stealing passwords and as a result the security utility of passwords has diminished. H-ISAC therefore recommends multi-factor authentication. The framework takes MFA one step further and includes device authentication, human authentication, analytics, and privileged access management to enable continuous, risk-based authentication.

Device authentication ensures only trusted devices are granted access to resources. Human authentication is then required to ensure that the correct person is using that device. Analytics are then used to identify anomalies that could indicate attempts by unauthorized individuals to access resources, such as a device being used to access resources from California and then five minutes later being used in New York. Privileged access management solutions should also be used for session monitoring and to implement additional layers of authentication to prevent credential compromise and limit privilege escalation.

The framework also outlines four different use cases: On-boarding new employees, managing users and changing privileges when an employee’s role changes, credentialing a third-party business partner for limited systems access, and credentialing new patients.

The post H-ISAC Publishes Framework for Managing Identity in Healthcare appeared first on HIPAA Journal.

Web Application Attacks Double as Threat Actors Target Cloud Data

The 2020 Verizon Data Breach Investigations Report shows malware attacks are falling as threat actors target data in the cloud.  This is the 13th year that the report has been produced, which this year contains an analysis of 32,002 security incidents and 3,950 confirmed data breaches from 81 global contributors in 81 countries.

The report confirms that the main motivator for conducting attacks is financial gain. 86% of all security breaches were financially motivated, up from 71% last year. 70% of breaches were due to external actors, with 55% of attacks conducted by cybercriminals.

67% of breaches were the result of credential theft or brute forcing of weak credentials (37%) and phishing and other social engineering attacks (25%). 22% of those breaches involved human error.

Only 20% of breaches were due to the exploitation of vulnerabilities. It should be noted that it is much easier to conduct attacks using stolen credentials rather than exploiting vulnerabilities, so the relatively low number of vulnerability-related attacks may not be due to organizations patching vulnerabilities more promptly.

The ease of conducting attacks using stolen or brute forced credentials has seen malware attacks become less popular. That said, ransomware is proving to be an attractive option, which has seen an increase from 24% to 27% of all malware related attacks.

There was a significant increase in web application attacks over the past 12 months, which doubled to 43% of all breaches. 80% of those breaches involved credential theft. With more organizations moving their data from traditional domain controllers and internal infrastructure, it is no surprise that there has been a sizeable increase in attacks on the cloud.

The data collected for the report does not cover the period of the COVID-19 public health emergency, when many organizations accelerated their cloud migration plans to allow more employees to work from home. It is likely that next year’s report will see an even higher percentage of attacks on cloud resources.

“As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount,” said Tami Erwin, CEO, Verizon Business. “In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious.”

Attack Trends Over the Past 6 Years

Source: Verizon

Cyberattacks and Insider Breaches in Healthcare

Financially motivated cyberattacks accounted for 88% of healthcare breaches, with many of the attacks involving ransomware. 4% of healthcare cyberattacks were conducted for fun and 3% of attacks were conducted out of convenience.

Verizon reports a significant increase in healthcare data breaches in the past 12 months. Last year’s report included 304 healthcare data breaches but this year the number has increased to 521 breaches. The figure below shows the patterns for cyberattacks in the healthcare industry. Crimeware includes malware and ransomware, which is the most common type of attack on healthcare organizations. As in other industry sectors, attacks on web applications are increasing.

Source: Verizon

The healthcare industry usually has a higher than average number of cases of privilege misuse, where insiders with access to sensitive data abuse their access rights to view or steal data. With so many employees given access to patient data and its high value on the black market, this is to be expected.

There is some good news in this year’s report. For the first time privilege misuse has dropped out of the top three causes of healthcare data breaches. This is part of a trend that can be seen across all industry sectors, which suggests that employees are thinking twice about accessing data without authorization and healthcare providers are getting better at protecting data.

Verizon notes that there has also been a decrease in breaches involving multiple actors, which is usually a third-party such as an identity thief working with an insider who supplies the data. In the 2019 report, 4% of breaches involved multiple actors whereas in 2020 the percentage dropped to 1%. The percentage of breaches caused by internal actors vs external actors also changed significantly. In the 2019 report, 59% of healthcare breaches were caused by internal actors with 42% caused by external attackers. This year’s report sees internal actors responsible for 48% of breaches with external actors accounting for 51% of breaches.

This year, the biggest cause of breaches in healthcare were miscellaneous errors and breaches of web applications. The main cause of those miscellaneous breaches was misdirection, which is the sending of emails to incorrect recipients and mass mailings that see letters sent to incorrect patients, such as happens when there is a mail merge error.

The post Web Application Attacks Double as Threat Actors Target Cloud Data appeared first on HIPAA Journal.

Guidance on Managing the Cybersecurity Tactical Response in a Pandemic

Joint guidance on has been issued by the Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) on managing the cybersecurity tactical response in emergency situations, such as a pandemic.

Threat actors will try to exploit emergency situations to conduct attacks, which has been clearly seen during the COVID-19 pandemic. In many cases, the duration of an emergency will limit the potential for threat actors to take advantage, but in a pandemic the period of exposure is long. The SARS-CoV-2 outbreak was declared a public health emergency on January 30, 2020, giving threat actors ample time to exploit COVID-19 to conduct attacks on the healthcare sector.

The key to dealing with the increased level of cybersecurity threat during emergency situations is preparation. Without preparation, healthcare organizations will find themselves constantly fighting fires and scrambling to improve security at a time when resources are stretched thin.

The new guidance was created during the COVID-19 pandemic by HSCC’s Cybersecurity Working Group (CWG), H-ISAC, and healthcare industry and government cybersecurity experts and is intended to help healthcare organizations develop a tactical response for managing cybersecurity threats that increase during emergencies and to help them improve their level of preparedness.

During the COVID-19 crisis, cyber threat actors have conducted a range of attacks on healthcare organizations including phishing attacks, domain attacks, and malware and ransomware attacks. The attacks came at a time when healthcare organizations were attempting to provide care for highly infectious patients, deploy remote diagnostic and treatment services, and transition to teleworking to prevent the spread of COVID-19. The change in working practices significantly increased the attack surface and introduced new vulnerabilities and attack vectors.

“For each gain delivered by automation, interoperability, and data analytics, the vulnerability from malicious cyber-actors increases as well,” explained HSCC/H-ISAC in the guidance document. “To thwart these attacks before they occur, it is essential for healthcare organizations to establish, implement, and maintain current and effective cybersecurity practices.”

The guidance document can be used by healthcare organizations of all sizes to improve their cybersecurity programs and prepare for emergency situations. Smaller healthcare organizations can use the guidance to help them choose appropriate measures to improve their security posture, while larger organizations that have already planned their tactical crisis response can use the guide as a checklist to ensure nothing has been missed.

The guidance document divides techniques, practices, and activities into four main sections: Education and Outreach; Enhance Prevention Techniques; Enhance Detection and Response; and Take Care of the Team.

The cybersecurity response to a crisis is largely dependent on technical controls, but HSCC/H-ISAC explains that education and outreach play an important part in the success of the response strategy. In emergency situations, even the best laid plans can come unstuck without proper education and outreach. Organizations that communicate their plans effectively will reduce confusion, improve response times, and maximize the effectiveness of their cybersecurity plan. The guide explains how to develop a communication plan and conduct policy and procedure reviews effectively.

Preventing cyberattacks is critical. Most healthcare organizations will have implemented a range of measures to thwart cyberattacks prior to the public health emergency, but HSCC/H-ISAC suggests three practices should be reviewed: Limiting the potential attack surface, bolstering remote access, and leveraging threat intelligence feeds.

Reducing the attack surface requires effective vulnerability management, accelerated patching, securing medical devices and endpoints, and managing third party network access. The guidance document suggests some of the ways that remote access can be secured, and how to leverage threat intelligence feeds to prevent attacks and accelerate the response.

Many attacks are difficult to prevent, so it is critical for mechanisms to be developed and implemented to detect successful attacks and respond quickly. The guidance document suggests some of the steps that can be taken to enhance detection and response to attacks.

It is also important to take care of the team. In crisis situations, health, well-being, job security, and financial stability are all key concerns for healthcare employees. It is important for organizations to communicate effectively with their workers and address these concerns and share how the organization will support employees during the crisis.

You can view and download the guidance document on this link. A second guidance document was released by HSCC earlier this month that details steps healthcare organizations can take to protect trade secrets and research. The guidance document is available for download here.

The post Guidance on Managing the Cybersecurity Tactical Response in a Pandemic appeared first on HIPAA Journal.