Healthcare Cybersecurity

83% of Medical Devices Run on Outdated Operating Systems

Posted by HIPAA Journal

The current state of IoT device security has been investigated by the Unit 42 team at Palo Alto Networks which identified major risks to the confidentiality, integrity and availability of healthcare data and serious vulnerabilities that could easily be exploited in devastating cyberattacks.

The Unit 42 team analyzed more that 1.2 million IoT devices of 8,000 different types across a range of industry sectors for the 2020 IoT Threat Report. Data was gathered from its Zingbox IoT inventory and management service, which included 73.2 billion network sessions.

The researchers found high numbers of IoT devices that use legacy protocols and unsupported operating systems, a problem that has now got worse since support for Windows 7 stopped in January 2020. Unit 42’s research revealed only 17% of devices have active support for their underlying operating systems. In healthcare, 83% of IoT devices were running on unsupported operating systems, which increased 56% from last year following the end of support for Windows 7. 27% of IoT medical devices are still running on Windows XP and decommissioned versions of Linux.

51% of all cyberthreats in healthcare concern imaging devices, attacks on which can disrupt the care provided to patients. Exposure of sensitive data is a real issue, especially considering 98% of IoT device traffic is not encrypted. Sensitive data is transmitted in plaintext and can be intercepted by anyone who knows where to look.

Network segmentation has improved since last year when the study was last conducted. The Unit 42 team found that the number of hospitals that had more than 20 VLANs had tripled since last year to 44%. However, 72% of healthcare VLANs include standard IT assets as well as IoT devices. An attack on a vulnerable IoT device could allow malware to be transferred to computers and servers on the same network. A doctor opening a malicious email attachment could see malware transferred to medical devices such as infusion pumps, MRI machines, and other medical imaging systems.

The researchers found 57% all IoT devices are vulnerable to high or medium severity attacks. It is common for default passwords to remain in place, even though the passwords can easily be found online. When passwords are changed, they are often changed to easy to remember passwords which are vulnerable to brute force attacks. Patching was found to be poor and the use of unsupported operating systems means patches are no longer released to correct known vulnerabilities.

IoT devices used to be attacked and added to botnets to conduct DDoS attacks but is now it is common for the devices to be attacked to give cybercriminals a foothold in healthcare networks. Once a device has been compromised the attackers move laterally and compromise other systems on the network, either manually or through worm-like attacks.

IoT devices are also not being monitored so compromised devices are often not identified. The Unit 42 team identified a mammogram machine that was infected with the Conficker worm – a malware variant that was first identified in November 2008.

Unit 42 recommends action be taken to ensure vulnerabilities are identified and addressed to make the devices harder to attack. That process must start with a complete inventory of all IoT devices on the network. A recently published report from the Enterprise Strategy Group revealed 77% of organizations do not have full visibility into all of the IoT devices on their networks.

Patches should be implemented on all devices that can be patched, with priority given to the types of devices that carry the highest level of risk – medical devices – and those with the most vulnerabilities – security cameras and printers.

Networks segmentation is necessary to make it harder for attackers to move laterally, with IoT devices kept separate from standard IT assets. IoT devices should also be monitored to detect attacks in progress.

The post 83% of Medical Devices Run on Outdated Operating Systems appeared first on HIPAA Journal.

90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year

Posted by HIPAA Journal

A recently published study conducted by HIMSS Media on behalf of Mimecast has revealed 90% of healthcare organizations have experienced at least one email-based threat in the past 12 months. 72% have experienced downtime as a result and one in four said the attack was very or extremely disruptive.

Healthcare organizations are a major target for cybercriminals. They hold large quantities of personal and health information that can be used for many fraudulent purposes, email-based attacks are easy to perform and require little technical skill, and they often give a high return on investment. Healthcare email security defenses also lag behind other industry sectors and security awareness training is often overlooked.

The study was conducted in November 2019 on 101 individuals that had significant involvement with email security at hospitals and health systems in the United States. 3 out of 4 respondents said they have or are in the process of rolling out a comprehensive cyber resilience program, but only 56% of respondents said they already have such a strategy in place. When asked about their current email security deployments, only half had a high level of confidence that their email security measures would block email-based threats.

When asked about the email threats they had experienced and which were the most disruptive, 61% of respondents said impersonation of trusted vendors were very or extremely disruptive, 57% rated credential-harvesting phishing attacks very or extremely disruptive, and 35% said data leaks and threats initiated by cybercriminals stealing users’ log-in credentials were very or extremely disruptive. The main losses caused by the attacks were productivity (55%), data (34%) and financial (17%).

Email security solutions can block the majority of threats, yet only 79% of respondents said that had email security controls in place or were planning to introduce them. Internet and web protection measures had only been implemented by 64% of surveyed healthcare organizations.

These technical solutions are important, but it is important not to forget the human element. Only 73% of surveyed organizations believed security awareness training was an essential part of their defenses against email-borne cyberattacks. This can partly be explained by the way that training is provided. 40% of respondents said they provide security awareness training less than quarterly and 27% only provide training once a year.

“Organizations are better off doing five minutes of training once a month, instead of 15 minutes of training once a quarter,” said Matthew Gardiner, director of enterprise security at Mimecast. “Even though it’s the same amount of time, it’s better to do the training more often so the information stays top of mind.”

It is alarming considering the number of email-based attacks that 11% of respondents said they conduct security awareness training less frequently than once a year, only during onboarding, or only after a major event such as a phishing attack or data breach.

“To better prepare, information technology and security professionals must strengthen their email security programs by combining the best technical controls with knowledgeable staff and resilient business processes to avoid disruption from email-borne attacks,” said Gardiner.

The post 90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year appeared first on HIPAA Journal.

Maximum Severity SMBv3 Flaw Identified: Workaround Required Until Patch Released

Posted by HIPAA Journal

A critical flaw has been identified in Windows Server Message Block version 3 (SMBv3) which could potentially be exploited in a WannaCry-style attack. The vulnerability is wormable, which means an attacker could combine it with a worm and compromise all other vulnerable devices on the network from a single infected machine.

This is a pre-auth remote code execution vulnerability in the SMBv3 communication protocol due to an error that occurs when SMBv3 handles maliciously crafted compressed data packets. If exploited, an unauthenticated attacker could execute arbitrary code in the context of the application and take full control of a vulnerable system. The vulnerability can be exploited remotely by sending a specially crafted packet to a targeted SMBv3 server.

The vulnerability, tracked as CVE-2020-0796, affects Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation). It has not yet been confirmed if earlier Windows versions such as Windows 8 and Windows Server 2012 are also vulnerable.

Both Fortinet and Cisco Talos published blog posts summarizing the SMBV3 vulnerability, although Cisco Talos later took down the post. A patch for the flaw was expected to be released by Microsoft on March 2020 Patch Tuesday, but a full fix was not ready in time.

Proof of concept exploits for the flaw have not been published online at the time of writing and there have been no reported cases of exploitation of the vulnerability in the wild; however, Microsoft recommends Windows administrators should take steps to protect against exploitation until a patch is released to correct the flaw.

Workarounds:

  • Disable SMBv3 compression
  • Block TCP port 445 on the network perimeter firewall

Blocking port 445 is the best defense against internet-based attacks, but it will not prevent exploitation from within the enterprise firewall.

SMBv3 compression can be disabled on SMBv3 servers by using the following PowerShell command. No reboot is required after making the change.

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force

Microsoft says disabling SMBv3 compression will not prevent exploitation of SMB clients.

It is essential to apply the patch as soon as it is released by Microsoft. No timescale has been released on when the patch will be made available. Due to the severity of the flaw it is probable that an out-of-band patch will be released.

The post Maximum Severity SMBv3 Flaw Identified: Workaround Required Until Patch Released appeared first on HIPAA Journal.

Healthcare and Pharma Companies Targeted in HIV Test Phishing Campaign

Posted by HIPAA Journal

Researchers at Proofpoint have identified a new phishing campaign targeting healthcare providers, insurance firms and pharmaceutical companies. The intercepted emails impersonate Vanderbilt University Medical Center and claim to include the results of a recent HIV test.

The emails have the subject line “Test result of medical analysis” and include an Excel spreadsheet attachment – named TestResult.xlsb – which the recipient must open to view the HIV test results. When the spreadsheet is opened, the user is advised the data is protected. To view the test result it is necessary to enable content. If content is enabled and macros are allowed to run, malware will be downloaded onto the user’s computer.

This is a relatively small-scale campaign being used to distribute the Koadic RAT, a program used by network defenders and pen testers to take control of a system. According to Proofpoint, Koadic is popular with nation state-backed hacking groups in Russia, China, and Iran. Koadic allows attackers to take control of a computer, install and run programs, and steal sensitive personal and financial data.

Proofpoint has also intercepted several Coronavirus-themed phishing emails in the past few weeks that are being used to distribute a range of malware variants including the Emotet Trojan, AZORult information stealer, the AgentTesla keylogger, and the NanoCore RAT. Several campaigns have been identified that use fake DocuSign, Office 365, and Adobe websites for harvesting credentials.

Several coronavirus-themed phishing lures have been identified. Many claim to offer further information about local COVID-19 cases or claim to include important information to prevent infection. One campaign claimed there was a vaccine and a cure for COVID-19 and it was being withheld by the government. Some of the phishing emails are extremely well written and are highly convincing and impersonate authorities on COVID-19 such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC).

Researchers at Checkpoint have been tracking coronavirus-themed domains and report more than 4,000 new coronavirus-themed domains have been registered since January 2020. 5% of those domains are suspicious and 3% have been confirmed as malicious and are being used in phishing campaigns or for malware distribution.

“Threat actors regularly use purported health information in their phishing lures because it evokes an emotional response that is particularly effective in tricking potential victims to open malicious attachments or click malicious links, explained Proofpoint. “If you receive an email that claims to have sensitive health-related information, don’t open the attachments. Instead, visit your medical provider’s patient portal directly, call your doctor, or make an appointment to directly confirm any medical diagnosis or test results.”

The post Healthcare and Pharma Companies Targeted in HIV Test Phishing Campaign appeared first on HIPAA Journal.

Q3, 2019 Saw a 350% Increase in Ransomware Attacks on Healthcare Providers

Posted by HIPAA Journal

Ransomware attacks on healthcare providers increased by 350% in Q4, 2019, according to a recently published report from Corvus. The attacks show no sign of letting up in 2020. Already in 2020 attacks have been reported by NRC Health, Jordan Health, Pediatric Physician’s Organization at Children’s, and the accounting firm BST & Co., which affected the medical group Community Care Physicians.

To identify ransomware trends in healthcare, Corvus’s Data Science team studied ransomware attacks on healthcare organizations since Q1, 2017. Between Q1, 2017 and Q2, 2019, an average of 2.1 ransomware attacks were reported by healthcare organizations each quarter. In Q3, 2019, 7 attacks were reported, and 9 attacks were reported in Q4, 2019. Corvus identified more than two dozen ransomware attacks on U.S. healthcare organizations in 2019 and predicts there will be at least 12 ransomware attacks on healthcare organizations in Q1, 2020.

Reports from other cybersecurity firms similarly show an increase in ransomware attacks on healthcare providers in the second half of the year. One report from Emsisoft suggested ransomware attacks had affected 764 U.S. healthcare providers in 2019.

The analysis by Corvus shows healthcare organizations have a smaller attack surface than the web average, which makes it easier to defend against attacks; however, attacks are still succeeding showing healthcare organizations are struggling to block the main attack vectors used by cybercriminals to deliver their ransomware payloads.

There are two main ways that threat actors gain access to healthcare networks to deploy ransomware: Remote Desktop Protocol (RDP) and email. Threat actors search for healthcare organizations with exposed RDP ports and use brute force tactics to guess passwords. Corvus calculated that having an open RDP port increases the likelihood of a ransomware attack by 37%. Healthcare organizations had an average of 9 open ports, with the lowest number in hospitals and the highest number in medical groups.

Email is the main attack vector, which is used in the majority of ransomware attacks on healthcare organizations. 91% of ransomware attacks were the result of phishing exploits according to Corvus.

Email security solutions capable of scanning emails, hyperlinks, and email attachments can identify and block many email-based threats; however, 75% of hospitals do not use those tools. Across the healthcare industry as a whole, only 14% of healthcare organizations used email scanning and filtering solutions.

Corvus’s research suggests that when email scanning and filtering tools are implemented there is a 33% lower chance of experiencing a ransomware attack. Risk can be further reduced by providing regular security awareness training to employees to help them identify phishing emails and malware threats. Email authentication measures should also be implemented. If email credentials are compromised, 2-factor authentication can prevent stolen credentials from being used to gain access to internal resources.

The post Q3, 2019 Saw a 350% Increase in Ransomware Attacks on Healthcare Providers appeared first on HIPAA Journal.

March 2020 Deadline for Compliance with New York SHIELD Act Data Security Requirements

Posted by HIPAA Journal

In July 2019, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into law. The New York SHIELD Act expanded the breach notification requirements for businesses that collect the personal information of New York residents. On March 21, 2020, the data security provisions of the New York SHIELD Act come into effect.

There are also exemptions for small businesses, which are deemed to be businesses with fewer than 50 employees, businesses with less than $3 million in gross revenues for each of the past 3 fiscal years, or businesses with less than $5 million in year-end total assets. In these cases, their data security program can be scaled according to the size and complexity of the business, the nature of business activities, and the sensitivity of the personal data collected.

For most HIPAA-covered entities, compliance will be relatively straightforward. Entities in compliance with the Health Insurance Portability and Accountability Act (HIPAA) are deemed to be in compliance with the New York SHIELD Act.

New York SHIELD Act Requirements for HIPAA Covered Entities

Compliance with HIPAA does not guarantee compliance with the New York SHIELD Act. While there is some overlap, the New York SHIELD Act covers different data types to HIPAA. HIPAA-covered entities that collect the personal data of New York State residents will need to ensure they are in compliance with the Act’s data security provisions for those data types.

One notable example of when the SHIELD Act applies and HIPAA does not, is for information technology systems that contain employee data but no protected health information. Employees’ social security numbers or driver’s license numbers, for example. While the data is not covered by HIPAA, the SHIELD Act requires reasonable technical, administrative, and physical safeguards to be implemented to ensure the data is safeguarded. The data security provisions of the SHIELD Act are detailed below.

The post March 2020 Deadline for Compliance with New York SHIELD Act Data Security Requirements appeared first on HIPAA Journal.

University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack

Posted by HIPAA Journal

The University of Kentucky (UK) has been battling to remove malware that was downloaded on its network in February 2020. Cybercriminals gained access to the UK network and installed cryptocurrency mining malware that used the processing capabilities of UK computers to mine Bitcoin and other cryptocurrencies.

The malware caused a considerable slowdown of the network, with temporary failures of its computer system causing repeated daily interruptions to day to day functions, in particular at UK healthcare.

UK believes the attack was resolved on Sunday morning after a month-long effort. On Sunday morning, UK performed a major reboot of its IT systems – a process that took around 3 hours. UK believes the attackers have now been removed from its systems, although they will be monitoring the network closely to ensure that external access has been blocked. The attack is believed to have originated from outside the United States.

UK Healthcare, which operates UK Albert B. Chandler Hospital and Good Samaritan Hospital in Lexington, KY, serves more than 2 million patients. While computer systems were severely impacted at times, patient care was not affected and patient safety was not put at risk.

An internal investigation was launched and third-party computer forensics specialists were engaged to assist with the investigation. University spokesman Jay Blanton said it is hard to determine whether any sensitive data was viewed or downloaded. The belief is that the malware attack was solely conducted to hijack the “vast processing capabilities” of the UK network to mine cryptocurrency.

UK has taken steps to improve cybersecurity, including installing CrowdStrike security software. More than $1.5 million has been spent ejecting the hackers from the network and bolstering security.

Arkansas Children’s Hospital Reboots Systems to Deal with ‘Cybersecuirty Threat’

Arkansas Children’s Hospital in Little Rock has experienced a cyberattack that has impacted Arkansas Children’s Hospital and Arkansas Children’s Northwest. Its IT systems have been rebooted in an attempt to deal with the cyberthreat and a third-party digital forensics firm has been engaged to assist with the investigation.

The exact nature of the threat has not yet been disclosed and it is currently unclear when the attack will be resolved. All facilities are continuing to provide medical services to patients, but some non-urgent appointments may have to be rescheduled.

The investigation into the attack is ongoing, but at this stage, no evidence has been found to suggest patient information has been affected.

The post University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack appeared first on HIPAA Journal.

53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months

Posted by HIPAA Journal

The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses Report from Keeper Security shows approximately two thirds of healthcare organizations have experienced a data breach in the past and 53% have experienced a breach of protected health information in the past 12 months.

The survey was conducted by the Ponemon Institute on 2,391 IT and IT security professionals in the United States, United Kingdom, DACH, Benelux, and Scandinavia, including 219 respondents from the healthcare industry.

Keeper Security reports indicates the average healthcare data breach results in the exposure of more than 7,200 confidential records and the average cost of a healthcare data breach is $1.8 million, including the cost of disruption to normal operations. The most common causes of healthcare data breaches are phishing attacks (68%), malware infections (41%), and web-based attacks (40%).

Healthcare data breaches have increased considerably in the past few years. Even though there is a high risk of an attack, healthcare organizations do not feel that they are well prepared. Only one third of IT and IT security professionals in the healthcare industry said they had enough budget to mount a strong defense to prevent cyberattacks. 90% of healthcare organizations devote less than 20% of their IT budget to cybersecurity, with an average allocation of just 13%. 87% said they did not have the personnel to achieve a more efficient cybersecurity posture. Even though emergency planning is a requirement of HIPAA, less than one third of respondents said they had a plan for responding to cyberattacks.

When asked about the importance of passwords for preventing data breaches, 66% of healthcare organizations agreed that good password security was an important part of their security defenses, but fewer than half of surveyed organizations have visibility into the password practices of their employees.

A second study conducted by the Ponemon Institute, on behalf of Censinet, shows healthcare vendors are also being targeted and are struggling to defend against cyberattacks. That survey revealed 54% of healthcare vendors have experienced at least one data breach in the past, and 41% of those respondents have experienced six or more data breaches in the past 2 years. For healthcare vendors, the average size of a data breach is over 10,000 records and the average cost of a breach is $2.75 million

When healthcare vendors experience a data breach it is common for customers to take their business elsewhere. 54% of healthcare vendors said a single data breach would result in a loss of business and 28% of healthcare vendors said they lost a customer when security gaps were discovered.

It is common for security gaps to go unnoticed, as 42% of respondents said healthcare providers do not require them to provide proof they are in compliance with privacy and data protection regulations. Even when security gaps are discovered, 41% of healthcare vendor respondents said they were not required to take any action.

Risk assessments are a requirement of HIPAA, but they are costly and time consuming to perform. Vendors spend an average of $2.5 million a year conducting risk assessments, but only 44% believe risk assessments improve their security posture which Censinet believes could be due to 64% of vendors finding risk assessments confusing and ambiguous.

59% of healthcare vendors said risk assessments become out of date within 3 months of being conducted, yet only 18% of respondents said their healthcare clients require them to complete risk assessments more than once a year.

“According to the research, 55 percent of vendors say that these certifications do not provide enough value for the cost, while 77 percent indicate challenges with the certification process, including respondents who believe it is too time-consuming, too costly and too confusing.” The solution could be automation. 61% of vendors believe workflow automation would streamline the risk assessment process and 60% believe workflow automation would reduce the cost of risk assessments by up to 50%.

The post 53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months appeared first on HIPAA Journal.

‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices

Posted by HIPAA Journal

A group of 12 vulnerabilities dubbed SweynTooth have been identified by researchers at the Singapore University of Technology and Design which are present in the Bluetooth Low Energy (BLE) chips manufactured by at least 7 companies.

BLE chips are used in smart home devices, fitness trackers, wearable health devices, and medical devices and give them their wireless connectivity. BLE chips with the SweynTooth vulnerabilities are used in insulin pumps, pacemakers, and blood glucose monitors as well as hospital equipment such as ultrasound machines and patient monitors.

It is not yet known exactly how many medical devices and wearable health devices are impacted by the flaws as manufacturers obtain their BLE chips from several sources. Some security researchers believe millions of medical devices could be vulnerable. BLE chips are used in around 500 different products. Hundreds of millions of devices could be affected.

The vulnerabilities are present in BLE chips manufactured by Cypress, Dialog Semiconductors, Microchip, NXP Semiconductors, STMicroelectronics, Texas Instruments, and Telink Semiconductor. The vulnerabilities have been assigned CVSS v3 base scores ranging from 6.1-6.9 out of 10.

7 of the vulnerabilities could be exploited to crash vulnerable devices, which would stop the devices communicating and may cause them to stop working entirely. 4 vulnerabilities could be exploited to deadlock devices, causing them to freeze and stop functioning correctly. One vulnerability could result in a security bypass which would allow an attacker to gain access to device functions that are usually only accessible by an authorized device administrator. The flaws can be exploited remotely by an attacker, although only if the attacker is within radio range of a vulnerable device. The range of BLE varies from device to device, with a maximum range of less than 100 m (328 ft).

Both the U.S. Food and Drug Administration (FDA) and the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA) have issued alerts about the vulnerabilities this week. The FDA explained that affected device manufacturers have been notified about the flaws and are assessing which devices are affected. Mitigations are being developed that can be implemented to reduce the risk of exploitation until patches are released to correct the flaws.

Cypress, NXP, Texas Instruments, and Telelink have already released patches to correct the flaws. Dialog has issued two patches, with the remaining patches scheduled to be released by the end of March 2020. Currently, patches have yet to be released by Microchip and STMicroelectronics.

The FDA has advised BLE chip and device manufacturers to conduct risk assessments to determine the potential impact of the flaws. Healthcare providers have been advised to contact the manufacturers of their devices to find out if they are affected, and the actions they need to take to reduce the risk of exploitation. Patients have been advised to monitor their devices for abnormal behavior and to seek medical help immediately if they feel their medical devices are not functioning correctly.

The post ‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices appeared first on HIPAA Journal.