Healthcare Cybersecurity

2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents

According to the 2020 Protenus Breach Barometer report, there were 572 healthcare data breaches of 500 or more records in 2019 and at least 41.4 million patient records were breached. That represents a 13.7% increase in the number of reported breaches and a 174.5% increase in the number of breached records.

The final total for 2019 is likely to be considerably higher, as the number of individuals affected by 91 of those breaches is not known, including two major breaches that have yet to be reported that affected more than 500 dental offices throughout the United States.

The 2020 Protenus Breach Barometer report, produced in conjunction with databreaches.net, was compiled from breaches reported to the HHS’ Office for Civil Rights, the media, and other sources. The report shows a dramatic rise in the number of hacking incidents in 2019, which were up 49% from 2018. 58% of all reported breaches in 2019 were hacking/IT incidents and at least 36,911,960 records were exposed or stolen in those breaches.

“It appears hacking incidents, particularly ransomware incidents, are on the rise; hackers are getting more creative in how they exploit healthcare organizations and patients alike,” explained Protenus in the report.

There has been a significant increase in healthcare ransomware attacks in 2019 and worrisome new trends are emerging. Prior to file encryption, some ransomware gangs have started exfiltrating patient data and threats are being issued to publish that data if the ransom is not paid. There have been several cases where data has been published to encourage victims to pay. One threat group even sent ransom demands to patients demanding payment to prevent the publication of their data, in addition to a ransom demand sent to the covered entity.

The largest data breach of the year was the hacking of American Medical Collection Agency. That single breach impacted multiple healthcare providers and resulted in the theft of more than 20 million patients’ PHI. The 7-month breach was only discovered when patient data was found listed for sale on a dark web marketplace.

Insider data breaches, due to human error and insider wrongdoing, fell by 20% in 2019. Protenus has attributed the reduction to increased adoption of healthcare compliance analytics to detect anomalous behavior as well as improvements to employee education on how to prevent privacy violations.

While this is encouraging, the severity of insider incidents increased in 2019 with 3,800,312 records exposed in insider breaches compared to 2,793,607 records in 2018. 72 of the incidents were confirmed as the result of insider error and 35 incidents were due to insider wrongdoing. 3,659,962 records were breached as a result of human error and 136,566 records were breached in insider wrongdoing incidents.

Healthcare organizations are getting better at detecting breaches. The average time to discover a breach was 255 days in 2018. In 2019, it took an average of 225 days. The median detection time was 44 days. Several insider breaches took more than 4 years to discover, highlighting the need for AI-based solutions that can detect abnormal user activity.

The HIPAA Breach Notification Rule requires data breaches to be reported within 60 days of discovery, yet in 2019 it took an average of 80 days for breaches to be reported, up from 73 days in 2018.

The post 2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents appeared first on HIPAA Journal.

Vulnerabilities Reported Affecting Spacelabs Xhibit Telemetry Receiver and GE Healthcare Ultrasound Products

A critical vulnerability has been identified in the Xhibit Telemetry Receiver and GE Healthcare has issued an advisory about a flaw in its ultrasound products.

Xhibit Telemetry Receiver Vulnerable to Critical BlueKeep Windows Vulnerability

The Xhibit Telemetry Receiver (XTR), Model number 96280, v1.0.2 and all versions of the now unsupported Xhibit Arkon (99999) are vulnerable to the critical BlueKeep Remote code execution vulnerability.

The vulnerability – CVE-2019-0708 – affects the Remote Desktop Protocol feature of the underlying Microsoft Windows operating system. The flaw can be exploited by sending specially crafted packets to Windows operating systems that have RDP enabled. The vulnerability is pre-authentication and no user interaction is required to exploit the flaw. The BlueKeep vulnerability is also wormable: malware could be developed to exploit the vulnerability and propagate to other vulnerable systems, as was the case with the WannaCry ransomware attacks in 2017.

Successful exploitation would allow a remote attacker to add accounts with full user rights, view, change, or delete data, install programs, and execute arbitrary code on vulnerable systems. The BlueKeep vulnerability is present in Windows 2000, Windows 7, Windows Vista, Windows XP, and Windows Server 2003, 2003 R2, 2008, and 2008 R2.

Microsoft discovered the vulnerability and SpaceLabs reported the flaw to CISA. The flaw has been assigned a CVSS V3 base score of 9.8 out of 10.

All deployed XTR hardware appliances can be updated and should be running the latest software release, v1.2.1 or later. However, the unsupported Arkon products are not designed to be updated and cannot be patched. For these products, SpaceLabs recommends blocking TCP Port 3389 at the enterprise perimeter firewall. TCP Port 3389 is required to initiate RDP sessions. Blocking the port will prevent exploitation but will also block legitimate RDP sessions. This mitigation will not prevent exploitation of the flaw from inside the network so physical controls must also be implemented to restrict access to the products to authorized personnel.

Warning Issued About Vulnerability Affecting GE Healthcare Ultrasound Products

A vulnerability has been identified in certain GE Healthcare ultrasound products which could allow an attacker to escape protections and access the underlying operating system.

The vulnerability is tracked as CVE-2020-6977 and has been assigned a CVSS V3 base score of 6.8 out of 10.

The following GE Healthcare products are affected by the vulnerability:

  • Vivid products, all versions
  • LOGIQ, all versions, not including LOGIQ 100 Pro
  • Voluson, all versions
  • Versana Essential, all versions
  • Invenia ABUS Scan station, all versions
  • Venue, all versions, not including Venue 40 R1-3 and Venue 50 R4-5

The flaw cannot be exploited remotely, but an individual with physical access to the affected products could exploit the vulnerability to escape Kiosk Mode.

To protect against exploitation, physical access to vulnerable devices should be restricted and, if possible, the “system lock” password should be enabled in the Administration GUI menu. With system lock enabled, a password must be entered to access the system.

The vulnerability was identified by Marc Ruef and Rocco Gagliardi of scip AG, with further information provided by Michael Aguilar of Secureworks and Jonathan Bouman of Protozoan.nl.


Ransomware Attacks Have Cost the Healthcare Industry at Least $157 Million Since 2016

A new study by Comparitech has shed light on the extent to which ransomware is used to attack healthcare organizations and the true cost of ransomware attacks on the healthcare industry.

The study revealed there have been at least 172 ransomware attacks on healthcare organizations in the United States in the past three years. 1,446 hospitals, clinics, and other healthcare facilities have been affected, as have at least 6,649,713 patients.

2018 saw a reduction in the number of attacks, falling from 53 incidents in 2017 to 31 in 2018, but the attacks increased to 2017 levels in 2019 with 50 reported attacks on healthcare organizations.

74% of healthcare ransomware attacks since 2016 have targeted hospitals and health clinics. The remaining 26% of attacks have been on other healthcare organizations such as nursing homes, dental practices, medical testing laboratories, health insurance providers, plastic surgeons, optometry practices, medical supply companies, government healthcare providers, and managed service providers.

Ransom demands can vary considerably from attack to attack. Individual demands have ranged from around $1,600 to $14 million, and the demands made in attacks on healthcare organizations since 2016 total $16.48 million. Comparitech confirmed healthcare organizations have paid at least $640,000 to attackers for the keys to unlock encrypted files, but the true cost is likely to be considerably higher as many victims prefer not to make that information public.

Attacks often see appointments cancelled and permanent data loss is a real possibility. The time, effort, and cost of remediating attacks can be too high for some smaller healthcare providers. At least two healthcare clinics have shut down their practices as a result of ransomware attacks in 2019.

Ransom payments represent just a small fraction of the total cost of an attack. Restoring systems from backups, or even using the decryption keys provided by the attackers, can take a considerable amount of time. Rebuilding systems and restoring data can take a few hours to several weeks or months and the downtime from ransomware attacks is one of the biggest costs.

For the study, Comparitech used several different healthcare resources, data breach reports, IT news sources, and HHS’ Office for Civil Rights data, along with data from studies on the cost of downtime from ransomware attacks. Based on that information, the researchers produced a low and high estimate of the downtime cost for all 172 confirmed attacks since 2016. The low estimate for the cost of downtime was $157,896,000 and the high estimate was $240,800,000.

“With hospitals and other health providers often being seen as “easy targets” for hackers, ransomware will continue to be a growing concern for organizations and patients alike,” wrote the researchers. “Even though most ransomware attacks to date have targeted patient data and hospital systems, there is potential for far worse… Without the right safety measures in place, hospitals may soon be facing ransomware attacks on life-saving equipment and technology as well as crucial patient data and systems.”


2019 Healthcare Data Breach Report

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018.

As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009.

37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019.

Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.

Largest Healthcare Data Breaches of 2019

The table below shows the largest healthcare data breaches of 2019, based on the entity that reported the breach.

Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information
1 | Optum360, LLC | Business Associate | 11,500,000 | Hacking/IT Incident | Network Server
2 | Laboratory Corporation of America Holdings dba LabCorp | Healthcare Provider | 10,251,784 | Hacking/IT Incident | Network Server
3 | Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. | Health Plan | 2,964,778 | Hacking/IT Incident | Network Server
4 | Clinical Pathology Laboratories, Inc. | Healthcare Provider | 1,733,836 | Unauthorized Access/Disclosure | Network Server
5 | Inmediata Health Group, Corp. | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure | Network Server
6 | UW Medicine | Healthcare Provider | 973,024 | Hacking/IT Incident | Network Server
7 | Women’s Care Florida, LLC | Healthcare Provider | 528,188 | Hacking/IT Incident | Network Server
8 | CareCentrix, Inc. | Healthcare Provider | 467,621 | Hacking/IT Incident | Network Server
9 | Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico | Healthcare Provider | 439,753 | Hacking/IT Incident | Network Server
10 | BioReference Laboratories Inc. | Healthcare Provider | 425,749 | Hacking/IT Incident | Other
11 | Bayamon Medical Center Corp. | Healthcare Provider | 422,496 | Hacking/IT Incident | Network Server
12 | Memphis Pathology Laboratory d/b/a American Esoteric Laboratories | Healthcare Provider | 409,789 | Unauthorized Access/Disclosure | Network Server
13 | Sunrise Medical Laboratories, Inc. | Healthcare Provider | 401,901 | Hacking/IT Incident | Network Server
14 | Columbia Surgical Specialist of Spokane | Healthcare Provider | 400,000 | Hacking/IT Incident | Network Server
15 | Sarrell Dental | Healthcare Provider | 391,472 | Hacking/IT Incident | Network Server
16 | UConn Health | Healthcare Provider | 326,629 | Hacking/IT Incident | Email
17 | Premier Family Medical | Healthcare Provider | 320,000 | Hacking/IT Incident | Network Server
18 | Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey | Healthcare Provider | 305,737 | Hacking/IT Incident | Network Server
19 | Navicent Health, Inc. | Healthcare Provider | 278,016 | Hacking/IT Incident | Email
20 | ZOLL Services LLC | Healthcare Provider | 277,319 | Hacking/IT Incident | Network Server


The above table does not tell the full story. When a business associate experiences a data breach, it is not always reported by the business associate. Sometimes a breach is experienced by a business associate and the covered entities that they work with report the breaches separately, as was the case with American Medical Collection Agency (AMCA), a collection agency used by several HIPAA covered entities.

In 2019, hackers gained access to AMCA systems and stole sensitive client data. The breach was the second largest healthcare data breach ever reported, with only the Anthem Inc. data breach of 2015 having impacted more individuals.

HIPAA Journal tracked the breach reports submitted to OCR by each affected covered entity. At least 24 organizations are known to have had data exposed/stolen as a result of the hack.

Organizations Affected by the 2019 AMCA Data Breach

Healthcare Organization | Confirmed Victim Count
Quest Diagnostics/Optum360 | 11,500,000
LabCorp | 10,251,784
Clinical Pathology Associates | 1,733,836
Carecentrix | 467,621
BioReference Laboratories/Opko Health | 425,749
American Esoteric Laboratories | 409,789
Sunrise Medical Laboratories | 401,901
Inform Diagnostics | 173,617
CBLPath Inc. | 141,956
Laboratory Medicine Consultants | 140,590
Wisconsin Diagnostic Laboratories | 114,985
CompuNet Clinical Laboratories | 111,555
Austin Pathology Associates | 43,676
Mount Sinai Hospital | 33,730
Integrated Regional Laboratories | 29,644
Penobscot Community Health Center | 13,299
Pathology Solutions | 13,270
West Hills Hospital and Medical Center / United WestLabs | 10,650
Seacoast Pathology, Inc | 8,992
Arizona Dermatopathology | 5,903
Laboratory of Dermatology ADX, LLC | 4,082
Western Pathology Consultants | 4,079
Natera | 3,035
South Texas Dermatopathology LLC | 15,982
Total Records Breached | 26,059,725

Causes of 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights assigns breaches to one of five different categories:

  • Hacking/IT incidents
  • Unauthorized access/disclosures
  • Theft
  • Loss
  • Improper disposal

59.41% of healthcare data breaches in 2019 were classified as hacking/IT incidents and involved 87.60% of all breached records. 28.82% of data breaches were classed as unauthorized access/disclosure incidents and involved 11.27% of all records breached in 2019.

10.59% of breaches were classed as loss and theft incidents involving electronic devices containing unencrypted electronic protected health information or physical records. Those incidents accounted for 1.07% of breached records in 2019.

1.18% of breaches and 0.06% of breached records were due to improper disposal of physical records and devices containing electronic protected health information.

Breach Cause | Incidents | Breached Records | Mean Breach Size | Median Breach Size
Hacking/IT Incident | 303 | 36,210,097 | 119,505 | 6,000
Unauthorized Access/Disclosure | 147 | 4,657,932 | 31,687 | 1,950
Theft | 39 | 367,508 | 9,423 | 2,477
Loss | 15 | 74,271 | 4,951 | 3,135
Improper Disposal | 6 | 26,081 | 4,347 | 4,177

We have not tracked the cause of each breach reported in 2019, but the table below provides an indication of the biggest problem area for healthcare organizations: securing email systems and blocking phishing attacks. The email incidents include misdirected emails, but the majority of email incidents were phishing and spear phishing attacks.

Healthcare Data Breaches by Covered Entity

77.65% of 2019 data breaches were reported by healthcare providers (369 incidents), 11.57% of breaches were reported by health plans (59 incidents), and 0.39% of data breaches were reported by healthcare clearinghouses (2 incidents).

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents) and 66 data breaches were reported by a covered entity which stated there was some business associate involvement.

States Worst Affected by Healthcare Data Breaches

Data breaches were reported by HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico. The worst affected state was Texas with 60 data breaches reported. California was the second most badly hit with 42 reported data breaches.

The only states where no data breaches of 500 or more records were reported were North Dakota and Hawaii.

State (Breaches) | State (Breaches) | State (Breaches) | State (Breaches) | State (Breaches)
Texas 60 | Maryland 14 | Arkansas 9 | Alabama 4 | Mississippi 2
California 42 | Washington 14 | South Carolina 9 | Alaska 4 | Montana 2
Illinois 26 | Georgia 13 | New Jersey 8 | Iowa 4 | South Dakota 2
New York 25 | North Carolina 13 | Massachusetts 7 | Kentucky 4 | Washington DC 2
Ohio 25 | Tennessee 11 | Puerto Rico 7 | Nebraska 4 | West Virginia 2
Minnesota 23 | Arizona 10 | Virginia 7 | Oklahoma 4 | Delaware 1
Florida 22 | Colorado 10 | Louisiana 6 | Utah 4 | Kansas 1
Pennsylvania 19 | Connecticut 10 | New Mexico 6 | Wyoming 3 | New Hampshire 1
Missouri 17 | Indiana 10 | Wisconsin 6 | Idaho 2 | Rhode Island 1
Michigan 16 | Oregon 10 | Nevada 5 | Maine 2 | Vermont 1

HIPAA Enforcement in 2019

The HHS’ Office for Civil Rights continued to enforce compliance with HIPAA at a similar level to the previous three years.

In 2019, there were 10 HIPAA enforcement actions that resulted in financial penalties. 2 civil monetary penalties were imposed and 8 covered entities/business associates agreed settlements with OCR to resolve HIPAA violations.

In total, $12,274,000 was paid to OCR in fines and settlements. The largest financial penalties of the year resulted from investigations of potential HIPAA violations by University of Rochester Medical Center and Touchstone Medical Imaging. Both cases were settled for $3,000,000.

OCR uncovered multiple violations of HIPAA Rules while investigating separate loss/theft incidents reported by University of Rochester Medical Center. OCR discovered risk analysis and risk management failures, a lack of encryption on portable electronic devices, and insufficient device and media controls.

Touchstone Medical Imaging experienced a data breach that resulted in the impermissible disclosure of 307,839 individuals’ PHI due to the exposure of an FTP server over the internet. OCR investigated and determined there had been risk analysis failures, business associate agreements failures, insufficient access rights, a failure to respond to a security incident, and violations of the HIPAA Breach Notification Rule.

Sentara Hospitals agreed to a $2.175 million settlement stemming from a 577-record data breach that was reported to OCR as only affecting 8 individuals. OCR told Sentara Hospitals that the breach notification needed to be updated to include the other individuals affected by the mailing error, but Sentara Hospitals refused. OCR determined a financial penalty was appropriate for the breach notification reporting failure and the lack of a business associate agreement with one of its vendors.

A civil monetary penalty of $2.154 million was imposed on the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS). Following a data breach, OCR investigated and found a compliance program that had been in disarray for several years. The CMP resolved multiple violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

A civil monetary penalty of $1,600,000 was imposed on Texas Department of Aging and Disability Services for multiple violations of HIPAA Rules discovered during the investigation of a breach involving an exposed internal application. OCR discovered there had been risk analysis failures, access control failures, and information system activity monitoring failures, which contributed to the impermissible disclosure of 6,617 patients’ ePHI.

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general over the same breach and settled that case for $900,000.

The Carroll County, GA ambulance company, West Georgia Ambulance, was investigated over the reported loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR found there had been a risk analysis failure, there was no security awareness training program for staff, and HIPAA Security Rule policies and procedures had not been implemented. The case was settled for $65,000.

There was one financial penalty for a social media HIPAA violation. Elite Dental Associates responded to patient reviews on Yelp, and in doing so impermissibly disclosed PHI. OCR determined a financial penalty was appropriate and the case was settled for $10,000.

OCR also launched a new HIPAA enforcement initiative in 2019, under which two settlements were reached with covered entities over HIPAA Right of Access failures. Korunda Medical and Bayfront Health St. Petersburg had both failed to respond to patient requests for copies of their health information within a reasonable time frame. Both covered entities settled their HIPAA violation cases with OCR for $85,000.

OCR HIPAA Settlements and Civil Monetary Penalties in 2019

HIPAA Enforcement by State Attorneys General in 2019

State attorneys general can also take action over violations of HIPAA Rules. There were three cases against covered entities and business associates in 2019. As previously mentioned, Medical Informatics Engineering settled a multi-state lawsuit and paid a financial penalty of $900,000.

A second multi-state action was settled by Premera Blue Cross. The lawsuit pertained to a 2015 hacking incident that resulted in the theft of 10.4 million records. The investigation uncovered multiple violations of HIPAA Rules and resulted in a $10 million financial penalty.

The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had sent two mailings to its members in which highly sensitive information relating to HIV and Afib diagnoses was visible through the windows of the envelopes. The case was settled for $935,000.


$1.77 Billion Was Lost to Business Email Compromise Attacks in 2019

The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) has published its 2019 Internet Crime Report which shows losses to cybercrime exceeded $3.5 billion in 2019. In 2019, IC3 received 467,361 complaints about internet and cybercrime at a rate of nearly 1,300 per day.

More than half of the losses were due to business email compromise (BEC) attacks. BEC, also known as email account compromise (EAC), involves the impersonation of a legitimate person or company to obtain money via email.

These sophisticated scams often start with a phishing attack on an executive to obtain email credentials. The email account is then used to send a wire transfer request to an individual in the company with access to corporate bank accounts. Sometimes this step is skipped and the attackers simply spoof an individual’s email account.

While BEC attacks mostly involve wire transfer requests, in 2019 there was an increase in attacks on human resources and payroll departments to divert employee payroll funds to attacker-controlled pre-paid card accounts. The potential profit from such an attack is lower than a wire transfer request, but changes to payroll are less likely to be queried and the attacks have a greater chance of success.

BEC/EAC attacks are popular with cybercriminals as they require little skill, are easy to execute, and the potential rewards from a successful attack are considerable. Wire transfer payments of tens or hundreds of thousands of dollars are common. Out of the 467,361 complaints, only 6.47% (23,775) were BEC/EAC attacks, yet the losses to those attacks were $1.77 billion, making these attacks the most financially damaging type of cyberattack. The average loss to a BEC/EAC attack in 2019 was $75,000.
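As an added example (not code from the IC3 report or HIPAA Journal), the following Python triage routine checks inbound mail for the BEC indicators described above: an executive's display name arriving from an external or lookalike domain, a Reply-To that steers answers away from the sender (the compromised-account case), and wire-transfer or payroll-change language. The executive directory, the internal domain, the keyword lists and all sample messages are constructed for the example.

```python
"""Heuristic BEC triage over constructed sample messages (not report data)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display names attackers impersonate, and the only
# domain their mail should legitimately carry.
EXECUTIVES = {"jane doe", "sam lee"}
INTERNAL_DOMAIN = "example-health.org"

# Content patterns for the two request types the report describes.
WIRE_TERMS = re.compile(r"wire (transfer|the funds)|pay this invoice|urgent payment", re.I)
PAYROLL_TERMS = re.compile(r"direct deposit|payroll|update my bank|pre-?paid card", re.I)
URGENCY_TERMS = re.compile(r"\b(urgent|immediately|asap|confidential|end of day)\b", re.I)

# Indicator weights are only used to rank the hold queue; the verdict itself
# needs a money request plus a sender anomaly ("hold"), a money request alone
# gets an out-of-band callback ("verify"), anything else is delivered.
WEIGHTS = {
    "executive_name_external_domain": 3,  # display-name spoofing
    "lookalike_domain": 3,                # e.g. exampie-health.org
    "reply_to_mismatch": 2,               # replies routed to another mailbox
    "wire_request": 2,
    "payroll_change": 2,
    "urgency": 1,
}
SENDER_ANOMALIES = {"executive_name_external_domain", "lookalike_domain", "reply_to_mismatch"}
MONEY_REQUESTS = {"wire_request", "payroll_change"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Return indicators, a ranking score and a verdict for one RFC 822 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}"

    hits = []
    if from_name.strip().lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        hits.append("executive_name_external_domain")
    if from_domain and from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        hits.append("lookalike_domain")
    if reply_addr and _domain(reply_addr) != from_domain:
        hits.append("reply_to_mismatch")
    if WIRE_TERMS.search(text):
        hits.append("wire_request")
    if PAYROLL_TERMS.search(text):
        hits.append("payroll_change")
    if URGENCY_TERMS.search(text):
        hits.append("urgency")

    money = MONEY_REQUESTS & set(hits)
    if money and SENDER_ANOMALIES & set(hits):
        verdict = "hold"
    elif money:
        verdict = "verify"
    else:
        verdict = "deliver"
    return {"score": sum(WEIGHTS[h] for h in hits), "indicators": hits, "verdict": verdict}


# Constructed samples covering the patterns the report describes.
SAMPLES = {
    "spoofed_executive": 'From: "Jane Doe" <jane.doe@freemail.example>\nTo: ap@example-health.org\n'
    "Subject: Urgent wire transfer\n\nI need you to wire the funds to the attached account before end of day.\n"
    "Keep this confidential.\n",
    "compromised_account": 'From: "Sam Lee" <sam.lee@example-health.org>\nReply-To: <sam.lee.cfo@webmail.example>\n'
    "To: ap@example-health.org\nSubject: Invoice\n\nPlease pay this invoice today, it is urgent.\n",
    "lookalike_payroll": 'From: "Sam Lee" <sam.lee@exampie-health.org>\nTo: hr@example-health.org\n'
    "Subject: Direct deposit update\n\nPlease update my bank details for payroll to the new account number below.\n",
    "payroll_reminder": 'From: "HR Team" <hr@example-health.org>\nTo: all@example-health.org\n'
    "Subject: Reminder\n\nPayroll closes Friday, submit timesheets.\n",
    "benign": 'From: "Pat Kim" <pat.kim@example-health.org>\nTo: all@example-health.org\n'
    "Subject: Cafeteria\n\nMenu for next week attached.\n",
}


def triage_all(samples=SAMPLES) -> dict:
    """Map each sample name to its verdict."""
    return {name: score_message(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = score_message(raw)
        print(f"{name:20} {result['verdict']:8} score={result['score']} {result['indicators']}")
```

The "compromised_account" sample shows why domain checks alone are not enough: the mail really comes from the internal domain, so only the Reply-To mismatch and the payment language flag it.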

“Criminals are getting so sophisticated,” said IC3 chief, Donna Gregory. “It is getting harder and harder for victims to spot the red flags and tell real from fake.”

BEC attacks may result in the highest losses, but phishing attacks are more numerous. In 2019, 114,702 phishing attacks were reported to IC3. Phishing attacks – which include vishing (voice), smishing (SMS), and pharming (website redirects) – resulted in losses of $57,836,379. The average loss to a phishing attack was $504. Email is still the most common form of phishing, but SMS- and voice-based phishing attacks have increased.

Ransomware attacks certainly made the headlines in 2019 with scores of reported attacks on businesses, government agencies, healthcare organizations, cities, and municipalities. Several of those attacks saw ransomware demands issued in excess of $500,000. Even so, the losses to those attacks were relatively small, accounting for just $8,965,847 in ransom payments across 2,047 reported attacks. The average ransom payment in 2019 was $4,400. In 2018, IC3 figures show a decline in ransomware attacks and an increase in losses. In 2019, ransomware attacks increased by more than 37% and losses increased by more than 147.5%.

It should be noted that the actual losses due to ransomware attacks are considerably higher as the IC3 figures do not include downtime, lost business, and remediation costs. Also, many victims of ransomware attacks quietly pay the ransom and do not report the attacks to IC3.

In the report, IC3 emphasized the importance of reporting cyberattacks and how prompt reporting can help law enforcement stop fraudulent transactions and trace the perpetrators of an attack.

“Information reported to the IC3 plays a vital role in the FBI’s ability to understand our cyber adversaries and their motives, which, in turn, helps us to impose risks and consequences on those who break our laws and threaten our national security,” said Matt Gorham, assistant director of the FBI’s Cyber Division.


Draft Cyber Supply Chain Risk Management Guidance Published by NIST

The National Institute of Standards and Technology (NIST) has published a new draft guidance document on cyber supply chain risk management to help organizations implement an effective cyber supply risk management program.

Organizations now rely on other organizations to provide critical products and services, yet they often lack visibility into their supply ecosystems. Using third parties for products and services brings many benefits, but also introduces risks. Vulnerabilities in supply chains can be exploited by threat actors and attacks on supply chains are on the rise.

In the second half of 2018, the Operation ShadowHammer supply chain attack saw the software update utility of ASUS compromised. Up to 500,000 users of the ASUS Live Update utility were impacted before the cyberattack was discovered.

The DragonFly threat group, aka Energetic Bear, compromised the update site used by several industrial control system (ICS) software producers and added a backdoor to ICS software. Three ICS software producers are known to have been compromised, resulting in companies in the energy sector being infected with malware.

An Incident Threat Report published by Carbon Black in 2019 found “island hopping” was involved in 50% of attacks. Island hopping is the term given to cyberattacks on an organization and its clients and partners.

The November 2018 Data Risk in the Third-Party Ecosystem study conducted by the Ponemon Institute revealed 59% of companies had been impacted by a data breach at one of their third-party suppliers, and a CrowdStrike report published in July 2018 indicated 66% of respondents to its survey had been impacted by a software supply chain attack.

With supply chain attacks on the rise it is more important than ever for organizations to develop and implement an effective cyber supply chain risk management program, but many organizations don’t know where to start and a significant number that have implemented such a program do not believe it to be effective.

NIST has been conducting research on the challenge of securing supply chains and has published several guidance documents and case studies over the past 10 years to help organizations assess and manage supply chain risks. The aim of the latest guidance document is to help organizations get started with Cyber Supply Chain Risk Management (C-SCRM).

The document includes a basic set of C-SCRM key practices, which are based on industry case studies conducted in 2015 and 2019, past NIST research and guidance, and industry best practice documents. Once the basic key practices have been adopted, more extensive standards, guidelines, and best practices can then be applied to further improve supply chain security.

The new guidance document – Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (Draft NISTIR 8276) – is available from NIST. NIST is accepting comments on the draft guidance document until March 4, 2020.


Medtronic Issues Patches for CareLink Programmers and Implanted Cardiac Devices

The medical device manufacturer Medtronic has issued patches to correct flaws in its CareLink 2090 and CareLink Encore 29901 programmers, implantable cardioverter defibrillators (ICDs), and cardiac resynchronization therapy defibrillators (CRT-Ds).

The vulnerabilities were first identified by security researchers in 2018 and 2019. When Medtronic was informed about the vulnerabilities, mitigations were quickly published to reduce the risk of exploitation of the vulnerabilities and allow customers to continue to use the affected products safely. The development and release of patches for these complex and safety-critical devices has taken a long time due to the required regulatory approval process.

“Development and validation can take a significant amount of time and also includes a required regulatory review process before we can distribute updates to products. Medtronic worked to develop security remediations quickly while also ensuring the patches continue to maintain comprehensive safety and functionality,” explained Medtronic.

In 2018, security researchers Billy Rios and Jonathan Butts identified three vulnerabilities in Medtronic’s CareLink 2090 and CareLink Encore 29901 devices, prompting an advisory to be issued in February 2018. The devices are used to program and manage implanted cardiac devices. The vulnerabilities would allow an attacker to alter the firmware via a man-in-the-middle attack, access files contained in the system, obtain device usernames and passwords, and remotely control implanted Medtronic devices.

Several researchers were credited with discovering two further vulnerabilities in 2019 in the Medtronic Conexus telemetry protocol, prompting a second Medtronic advisory in March 2019. The vulnerabilities concern the protocol’s lack of encryption, authentication, and authorization. If exploited, an attacker within radio range could intercept, replay, and modify data, and change the configuration of implanted devices, programmers, and home monitors. One of the vulnerabilities, CVE-2019-6538, was rated critical and was assigned a CVSS v3 base score of 9.3 out of 10.
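The Conexus findings come down to a telemetry link that accepts any well-formed frame, so a captured frame can be played back or edited. The following is an added illustration of that failure mode beside a hardened form, not Medtronic or Conexus code: the frame layout (a command byte and a 16-bit value), the command id, the threshold values, the shared key and the two toy "implant" receivers are all invented for the demo. The hardened form adds a monotonically increasing counter and an HMAC-SHA256 tag, which is the minimum needed to reject modification and replay; a real device would also encrypt the payload, which is omitted here to keep the contrast clear.

```python
"""Replay and modification against an unauthenticated telemetry frame,
and what a counter-plus-MAC design changes.

Added example, not Medtronic/Conexus code. Frame layout, command ids,
values and key are assumptions made for this demo.
"""
import hashlib
import hmac
import struct

SHARED_KEY = bytes(range(32))   # assumed per-device key, provisioned at manufacture


# --- Failure mode: plaintext command, no integrity check, no freshness ---
def plain_frame(cmd: int, value: int) -> bytes:
    return struct.pack(">BH", cmd, value)           # cmd byte, 16-bit value


class PlainImplant:
    """Accepts any well-formed frame, so replay and edits both succeed."""
    def __init__(self):
        self.config = {}

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 3:
            return False
        cmd, value = struct.unpack(">BH", frame)
        self.config[cmd] = value
        return True


# --- Hardened form: increasing counter + truncated HMAC-SHA256 tag ---
BODY_FMT = ">IBH"                       # counter, cmd, value
BODY_LEN = struct.calcsize(BODY_FMT)    # 7 bytes
TAG_LEN = 16


def authed_frame(key: bytes, counter: int, cmd: int, value: int) -> bytes:
    body = struct.pack(BODY_FMT, counter, cmd, value)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthedImplant:
    """Rejects frames whose tag does not verify (forged or modified) and
    frames whose counter is not above the last accepted one (replayed)."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.config = {}

    def receive(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN + TAG_LEN:
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                 # modified in transit, or forged without the key
        counter, cmd, value = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter:
            return False                 # replay of an earlier capture
        self.last_counter = counter
        self.config[cmd] = value
        return True


def flip_byte(frame: bytes, index: int) -> bytes:
    """Attacker edits one byte of a captured frame (here: low byte of the value)."""
    out = bytearray(frame)
    out[index] ^= 0xFF
    return bytes(out)


def run_attacks() -> dict:
    """Replay and modify a captured 'set threshold' frame against both receivers."""
    SET_THRESHOLD, LEGIT = 0x01, 300     # assumed command id and value
    results = {}

    plain = PlainImplant()
    captured = plain_frame(SET_THRESHOLD, LEGIT)
    plain.receive(captured)                                   # legitimate programmer
    results["plain_replay_accepted"] = plain.receive(captured)
    results["plain_modified_accepted"] = plain.receive(flip_byte(captured, 2))
    results["plain_config"] = plain.config[SET_THRESHOLD]     # no longer 300

    authed = AuthedImplant(SHARED_KEY)
    captured = authed_frame(SHARED_KEY, 1, SET_THRESHOLD, LEGIT)
    results["authed_legit_accepted"] = authed.receive(captured)
    results["authed_replay_accepted"] = authed.receive(captured)
    results["authed_modified_accepted"] = authed.receive(flip_byte(captured, BODY_LEN - 1))
    results["authed_forged_accepted"] = authed.receive(
        authed_frame(bytes(32), 2, SET_THRESHOLD, 999))       # attacker lacks the key
    results["authed_config"] = authed.config[SET_THRESHOLD]   # still 300
    return results


if __name__ == "__main__":
    for name, outcome in run_attacks().items():
        print(f"{name}: {outcome}")
```

Two practical points the toy skips: the counter alone is worthless without the MAC, because an attacker who can edit the frame can edit the counter too, and the receiver must persist `last_counter` across resets or a reboot reopens the replay window. Key provisioning and the power budget of verifying tags on an implanted device are the reasons the real fix took a regulatory cycle rather than a firmware hotfix.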

The latest patches correct the flaws in CareLink monitors and programmers and MyCareLink monitors. Patches have also been released for approximately half of the Medtronic implantable devices affected by the Conexus vulnerabilities:

  • Brava™ CRT-D, all models
  • Evera MRI™ ICD, all models
  • Evera™ ICD, all models
  • Mirro MRI™ ICD, all models
  • Primo MRI™ ICD, all models
  • Viva™ CRT-D, all models

Patches for all the remaining vulnerable devices will be released later this year.

To prevent exploitation of the flaws, Medtronic disabled the software deployment network (SDN) that was used to deliver programmer updates, so software had to be updated manually via a secured USB drive. Now that patches have been released, the SDN has been reactivated and customers can use it to update their devices.

Medtronic has been monitoring for exploitation of the vulnerabilities and says there have been no cyberattacks or privacy breaches as a result of the vulnerabilities and no patients have been harmed.

The post Medtronic Issues Patches for CareLink Programmers and Implanted Cardiac Devices appeared first on HIPAA Journal.

Annual Cost of Insider Cybersecurity Incidents Has Risen 31% in 2 Years

The frequency of cybersecurity incidents caused by insiders has increased by 47% in the past two years and the average annual global cost of those cybersecurity incidents has increased by 31% over the same period, according to new research conducted by the Ponemon Institute. The average annual cost of insider incidents is now $11.45 million.

The research was conducted for the 2020 Cost of Insider Threats study on behalf of ObserveIT, a Proofpoint company. A total of 964 IT and security professionals at 204 organizations in North America, Europe, Africa, the Middle East and Asia-Pacific were surveyed for the study.

Insider incidents were divided into three categories: Incidents that resulted from mistakes made by employees (negligent insiders); incidents deliberately caused by employees and contractors to harm the company (criminal insiders); and incidents involving the use of insiders’ login details to gain access to applications, systems, and data (credential insiders).

The surveyed organizations experienced 4,716 insider incidents in the past 12 months. Incidents caused by credential insiders were the costliest to resolve, at an average of $871,000 per incident and $2.79 million per year. Attacks by criminal insiders cost an average of $756,000 per incident and $4.08 million a year, and incidents caused by negligent insiders cost an average of $307,000 per incident and $4.58 million per year. Negligent insiders were behind 62% of incidents, 23% of incidents were attributed to credential insiders, and 14% were due to criminal insiders.

Organizations are spending 60% more dealing with insider incidents than they were three years ago, and costs have increased by 25% since 2018. The fastest rising cost is investigating insider incidents, with this cost center increasing by 86% in the past three years. The study revealed the highest cost is containing attacks, with an average organization cost of $211,533 per year.

On average it takes 77 days to contain an incident and the longer it takes, the higher the cost. Incidents that took less than 30 days to contain cost an average of $7.12 million and incidents that took longer than 90 days to contain cost an average of $13.71 million.

The cost of the incidents increases with the size of the company. Organizations with more than 75,000 employees faced the highest costs from insider incidents with an average of $17.92 million spent dealing with insider incidents in the past 12 months. Organizations with 500 or fewer employees spent an average of $7.68 million dealing with insider incidents.

The annual costs of insider incidents varied considerably by industry sector. Organizations in the financial services sector spent an average of $14.5 million in the past year on insider incidents and the lowest costs were in education and research, with annual costs of $8.85 million. The health and pharmaceutical sector spent an average of $10.81 million in the past year on insider incidents.

The post Annual Cost of Insider Cybersecurity Incidents Has Risen 31% in 2 Years appeared first on HIPAA Journal.

Average Ransomware Payment Increased Sharply in Q4, 2019

A new report from the ransomware incident response firm Coveware shows payments made by ransomware victims increased sharply in Q4, 2019. The average ransomware payment doubled in Q4, as two of the most prolific ransomware gangs – Sodinokibi and Ryuk – shifted their attention to attacking large enterprises. In Q3, 2019 the average ransom payment was $41,198. In Q4, that figure jumped to $84,116, with a median payment of $41,179.

The large increase in ransom amounts is largely due to the changing tactics of the two main ransomware gangs, Ryuk in particular, which is now heavily focused on attacking large enterprises. The average number of employees at victim companies increased from 1,075 in Q3 to 1,686 in Q4. The largest ransom payment in Q4 was $779,855.50, a considerable jump from the largest payment of $377,027 in Q3.

In Q4, the most prevalent ransomware threats were Sodinokibi (29.4%), Ryuk (21.5%), Phobos (10.7%), Dharma (9.3%), DoppelPaymer (6.1%), and NetWalker (5.1%). 10.7% of attacks involved the Rapid, Snatch, IEncrypt or GlobeImposter ransomware variants.

Many of the above ransomware variants are distributed under the ransomware-as-a-service model, where affiliates can sign up and use the ransomware and retain a cut of the ransom payments. The more sophisticated gangs are cautious about who they accept as affiliates whereas some of the smaller ransomware gangs let anyone sign up. Only a handful of affiliates are used to distribute Sodinokibi, with some specializing in different types of attack. One Sodinokibi affiliate has extensive knowledge of remote monitoring and management tools and specializes in attacks on managed service providers.

Ransomware is mostly delivered by brute forcing weak RDP credentials or by purchasing stolen RDP credentials. Compromised RDP access was the initial entry point in more than 50% of successful ransomware attacks, followed by phishing (26%) and the exploitation of software vulnerabilities (13%).
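Because RDP credential brute forcing is the leading entry point, a detection that fires on it is one of the cheapest controls a defender can add. The following is an added example, not Coveware's tooling: it runs a sliding-window count of failed logons (Event ID 4625) per source IP over a handful of constructed Windows Security events and escalates when a successful logon (4624) from the same IP follows the burst. The flattened `key=value` line format is an assumption made so the sample runs offline; in practice the same fields come out of EVTX/XML via a log shipper.

```python
"""Sliding-window detection of RDP credential brute forcing from
Windows Security events 4625 (failed logon) and 4624 (logon).

Added example, not Coveware's code. The log format and every line in
SAMPLE_LOG are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host sprays four accounts then gets in, one user
# mistypes twice before logging in, one clean logon from a third host.
SAMPLE_LOG = """\
2020-01-15T02:14:03Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45 Status=0xC000006D
2020-01-15T02:14:09Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45 Status=0xC000006D
2020-01-15T02:14:15Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45 Status=0xC000006D
2020-01-15T02:14:21Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.45 Status=0xC000006D
2020-01-15T02:14:27Z EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.45 Status=0xC000006D
2020-01-15T02:14:33Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45 Status=0xC000006D
2020-01-15T02:15:02Z EventID=4624 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45 Status=0x0
2020-01-15T02:20:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7 Status=0xC000006D
2020-01-15T02:20:30Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7 Status=0xC000006D
2020-01-15T02:21:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7 Status=0x0
2020-01-15T03:00:00Z EventID=4624 LogonType=10 TargetUserName=mlee IpAddress=192.0.2.10 Status=0x0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")
# 10 = RemoteInteractive (RDP). With Network Level Authentication enabled,
# failed RDP attempts are commonly recorded as LogonType 3, so count both.
RDP_LOGON_TYPES = {"10", "3"}


def parse(log_text: str) -> list:
    """Turn the flattened key=value lines into dicts with a datetime 'ts'."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m["kv"].split())
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def detect_rdp_bruteforce(log_text: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> list:
    """One alert per source IP with >= threshold failed RDP logons inside
    `window`; 'success_after' names the account if a 4624 from that IP
    follows within `window` of the last failure (the high-severity case)."""
    events = [e for e in parse(log_text) if e.get("LogonType") in RDP_LOGON_TYPES]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)     # ip -> timestamps of failures still in window
    users = defaultdict(set)         # ip -> accounts attempted
    alerts = {}
    for e in events:
        ip = e["IpAddress"]
        if e["EventID"] == "4625":
            failures[ip] = [t for t in failures[ip] if e["ts"] - t <= window]
            failures[ip].append(e["ts"])
            users[ip].add(e["TargetUserName"])
            if len(failures[ip]) >= threshold:
                alert = alerts.setdefault(
                    ip, {"ip": ip, "failures": 0, "users": [], "success_after": None})
                alert["failures"] = len(failures[ip])
                alert["users"] = sorted(users[ip])
        elif e["EventID"] == "4624" and ip in alerts:
            if e["ts"] - failures[ip][-1] <= window:
                alerts[ip]["success_after"] = e["TargetUserName"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are the knobs to tune against your own baseline; the `jsmith` host in the sample shows why a threshold of two would drown the alert in ordinary typos. The alert that does fire carries the list of accounts tried, which is usually enough to tell a dictionary attack (many accounts) from a single user locked out of their own session.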

Coveware explained in its report that 98% of victims who paid the ransom were supplied with valid keys and were able to decrypt their files. The probability of success can vary greatly depending on the variant of ransomware involved. Some threat actors are known for defaulting and often do not supply valid keys, even after the ransom is paid. Threat groups associated with Rapid, Mr. Dec, and Phobos ransomware were named as being consistent defaulters. Those threat groups were also less selective and tended to work with any affiliate.

Even when valid decryptors are supplied, some data loss can be expected. Among the companies Coveware helped recover data, 97% of files were recovered on average; the remaining 3% were permanently lost because they were corrupted during the encryption or decryption process. More sophisticated attackers, such as the Ryuk and Sodinokibi threat actors, tend to encrypt data more carefully to ensure file recovery is possible and their reputation is not damaged.

The average downtime from a ransomware attack increased from 12.1 days in Q3, 2019 to 16.2 days in Q4. This is largely due to an increase in attacks on large enterprises, which have complex systems that take much longer to restore.

The figures in the report naturally only include ransomware victims that used Coveware to negotiate with the attackers and assist with recovery. Many firms choose to deal with their attackers directly or use other ransomware recovery firms.

The post Average Ransomware Payment Increased Sharply in Q4, 2019 appeared first on HIPAA Journal.