Healthcare Cybersecurity

Rep. Jayapal Seeks Answers from Google and Alphabet on Ascension Partnership

Pressure is continuing to be applied on Google and its parent company Alphabet to disclose information about how the protected health information (PHI) of patients of Ascension will be used, and the measures put in place to ensure PHI is secured and protected against unauthorized access.

The partnership between Google and Ascension was announced on November 11, 2019 following the publication of a story in the Wall Street Journal. A whistleblower at Google had shared information with the WSJ and expressed concern that millions of healthcare records had been shared with Google without first obtaining consent from patients. It was also alleged that Google employees could freely download PHI.

In its announcement, Google stated that the collaboration – named Project Nightingale – involved migrating Ascension’s infrastructure to the cloud and that it was helping Ascension implement G Suite tools to improve productivity and efficiency. Patient data was also being provided to Google to help develop AI and machine learning technologies to improve patient safety and clinical quality. When the migration of data has been completed, Google will have access to the health data of around 50 million patients.

Google has confirmed it is a business associate of Ascension and has signed a business associate agreement and is fully compliant with HIPAA regulations, but many privacy advocates are concerned about the partnership. Several members of Congress have also expressed concern and are seeking answers about the safeguards that have been put in place to secure patient data and how patient data will be used. The HHS’ Office for Civil Rights has also confirmed it is investigating Google and Ascension to make sure HIPAA Rules have not been violated.

Earlier this month, Rep. Pramila Jayapal (D-Washington), a member of the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law, wrote to Google and Alphabet expressing concern about the partnership. She has demanded answers to several questions about how protected health information has been obtained, the measures put in place to protect patient data, and how Google will be using the PHI.

“As Google and parent company Alphabet have engaged in an ever-widening acquisition of the highly personal health-related information of millions of people, Americans now face the prospect of having their sensitive health information handled by corporations who may misuse it,” wrote Rep. Jayapal in her Dec 6, 2019 letter. “I am especially concerned that your company has not provided sufficient assurances that this sensitive data will be kept safe, and that patients’ data is being acquired by your companies without their consent and without any opt-out provision.”

Rep. Jayapal is particularly concerned about how that information will be used. Google is amassing huge quantities of healthcare data from several sources. Google’s healthcare-focused AI unit, Medical Brain, is actively acquiring health data, Alphabet has partnered with the Mayo Clinic, and Google has acquired the UK startup, DeepMind. NHS data has already been provided to Google. Google is also looking to acquire Fitbit, which holds health-related data on 25 million users of its wearable devices.

“The fact that Google makes the vast majority of its revenue through behavioral online advertising—creating an incentive to commoditize all user information—renders the company’s expansion into health services all the more troubling,” wrote Rep. Jayapal.

Rep. Jayapal also pointed out that Google does not have a blemish-free track record when it comes to protecting health and medical information, referencing one incident in which chest X-ray images from the National Institute of Health were almost posted online before Google realized they contained personally identifiable information. She also stated there is an active lawsuit that claims Google companies have obtained patient information from a major medical facility and DeepMind was found to have violated the Data Protection Act in the UK by using patient data to develop new apps.

Rep. Jayapal has given Google and Alphabet until January 5, 2020 to answer her questions, as detailed below:

The post Rep. Jayapal Seeks Answers from Google and Alphabet on Ascension Partnership appeared first on HIPAA Journal.

SpamTitan Top Rated AntiSpam Solution on Business Software Review Sites

The 2018 Verizon Data Breach Investigations Report showed phishing to be the primary method used by cybercriminals to infect healthcare networks with malware and steal financial information. Email was the attack vector in 96% of healthcare data breaches according to the report.

All it takes is for one employee to respond to a phishing email for a data breach to occur, so it is essential for a powerful email security solution to be deployed that will catch phishing emails, malware, ransomware, and other email-based threats.

Email security solutions can vary considerably from company to company. Some may be excellent at blocking email threats but can be difficult to use, others may fall short at detecting zero-day threats, and some fail to block many spam and phishing emails. All of the companies offering email security solutions claim that their products provide excellent protection, so selecting the best solution for your organization can be a challenge. Making the wrong decision can be a costly mistake.

When choosing an email security solution, third-party review sites are a godsend and can save you a lot of time in your search. Well-respected business software review sites allow verified users of software solutions to provide feedback on products and let other businesses know which are easy to implement, easiest to use, most effective at blocking threats, and which companies provide great support when help is required.

It pays to check several different review sites to find the top-rated email security solutions by end users. Our search has highlighted one solution that is consistently rated highly across the leading review platforms: SpamTitan from TitanHQ.

Listed below are some of the many positive reviews from users of SpamTitan Email Security across the top review platforms:

G2 Crowd

G2 Crowd is the largest tech marketplace for business software. The site is used by IT decision makers to learn more about software solutions to help them realize their potential and protect their networks from the full range of cybersecurity threats.

On the G2 Crowd platform, SpamTitan is the top-rated email security solution with scores of 9.0 out of 10 for ease of admin, 9.1 for ease of use, 9.2 for ease of setup and quality of support, and 9.3 for ease of doing business with and meets requirements. The scores are based on 139 reviews from verified users. Across all reviews, SpamTitan achieved a score of 4.6 out of 5.

“I really like the customization that is available for this product. We have total control over the spam filter environment for all our customers. The environment is stable which is very important to us and our customers. The support staff was great when we were getting our environment configured. They were quick to reply to emails and reach out to assist us as needed. The spam filtering is top-notch and much better than other products we have used,” said Jeff Banks, Director of Technology.

Gartner Peer Insights

Gartner Peer Insights is a peer review site that is rigorously vetted by the leading research and advisory company, Gartner. Gartner provides impartial advice on the top software solutions, without bias and with no hidden agenda. Gartner Peer Insights contains only real reviews from real business IT users.

SpamTitan has been rated by 112 users and achieved an average review score of 4.9 out of 5.

“TitanHQ claims that SpamTitan ‘blocks 99.9% of spam, viruses, and other threats that come through’ and I can’t argue against it. It’s been running on my machines for a couple of years now and works very well. Rarely does anything useless go through to my inbox.” Information Technology Specialist, Healthcare Industry.

Capterra

Capterra is an online marketplace vendor founded in 1999 and bought by Gartner in 2015. Capterra serves as an intermediary between software buyers and sellers and is one of the leading sites where decision makers can find out more about software solutions from verified users.

There are 379 reviews of SpamTitan on Capterra. SpamTitan received an overall score of 4.6 out of 5 with individual scores of 4.4 for ease of use, 4.4 for features, 4.5 for value for money, and 4.6 for customer service.

“Overall, we are very happy with the product and the customer support. We did have to put some time into this product but now we have a custom-fit solution, with fault-tolerance (two servers at two locations, both locations have both internet and private WAN access to the Exchange server) and we’re saving thousands of dollars versus the managed solution we used to use. We can tighten things up if we wish, we have a lot of flexibility with this product. I rate it an excellent value. So much power, flexibility and fault-tolerance, for so little money.” Mike D Shields, Director of IT and Telecom.

“It’s as close to ‘set it and forget it’ as you can come in the IT field. Right out of the box support helped me set everything up in less than 20 minutes, no hardware to worry about, nothing like that. Literally all I have to do is check to see if something was blocked incorrectly once in a while, white list it, and done. I’ve been using spam titan for almost a year and in that time we have blocked over 200k spam/malicious emails for a 30 person company before they even hit employee mailboxes. I shut off the service for 48 hours just to make sure it was legit, it was, and I haven’t shut it off again since.” Benjamin Jones, Director Of Information Technology

Google Reviews

112 business users of SpamTitan have submitted reviews of SpamTitan to Google. The email security solution achieved an average score of 4.9 out of 5.

“The Titan Spam filter is by far one of the best email filters I have ever used. It was simple to setup, it allows users to release their own emails from quarantine quick and easy. Thank you for making such a great quality product, and for having excellent technical support.” Joseph Walsh.

“Great product. Spam reduced to almost zero and no user complaints. Configuration is simple and support is awesome. Love it!” George Homme

Software Advice

379 users have left reviews of SpamTitan on the business software review site, Software Advice. The solution achieved an average score of 4.58 out of 5.

“Our previous product was not stable and didn’t filter out spam as well as we wanted. This tool exceeds our expectations!” Jeff, CatchMark Technologies.

Spiceworks

Spiceworks is a professional network specifically for the information technology industry, providing educational content, product reviews, and feedback from software users. Members of the Spiceworks community similarly rate SpamTitan very highly. The solution has been reviewed by 56 members and has achieved an average score of 4.6 out of 5.

SpamTitan is also the top-rated email security solution on SpamTitanReviews, with a score of 4.9 out of 5.


MSPs and Healthcare Organizations Targeted with New Zeppelin Ransomware Variant

A new ransomware variant is being used in targeted attacks on managed service providers, technology, and healthcare firms, according to security researchers at Blackberry Cylance.

Attacks are being conducted on carefully selected, high-profile targets using a new variant of VegaLocker/Buran ransomware named Zeppelin. VegaLocker has been around since early 2019 and all variants from this family have been used to attack companies in Russian-speaking countries.

The campaigns were broad and used malvertising to direct users to websites hosting the ransomware. The latest variant is being used in a distinctly different campaign that is much more targeted. Attacks have only been detected on companies in Europe, the United States, and Canada so far. If the ransomware is downloaded onto a device in the Russian Federation, Ukraine, Belorussia, or Kazakhstan, the ransomware exits and does not encrypt files.

Ransomware variants from the VegaLocker family have all been offered as ransomware-as-a-service and there are indications that the same is true of Zeppelin ransomware, although the Blackberry Cylance researchers believe different threat actors are responsible for the attacks. There have only been a small number of attacks so far, so this could indicate a limited number of individuals are conducting attacks and targets are being selected carefully.

Zeppelin ransomware is highly customizable and can be deployed as an EXE or DLL file. Samples have also been found that are wrapped in PowerShell loaders. The ransom notes are also customizable and can be changed to suit different campaigns. Several have been detected that incorporate the name of the company being attacked, further demonstrating the highly targeted nature of the campaign.

Attacks have been conducted on multiple tech and health firms as well as managed service providers. Attacks on the latter see MSP files encrypted, and through their remote administration tools, the ransomware is deployed on the systems of their clients. Attacks on service providers are becoming far more common and several threat actors have adopted this tactic, including those behind Ryuk and Sodinokibi ransomware.

Zeppelin ransomware incorporates several layers of obfuscation to evade security solutions, including the use of encrypted strings, pseudo-random keys, and code of different sizes. The encryption routine can also be delayed to avoid detection by heuristic analysis and to fool sandboxes. The ransomware can also stop backup services and delete backup files and shadow copies to hamper recovery without paying the ransom.

After encryption the original file name and extension are retained. File tags are used that include the word Zeppelin. The encryption routine uses symmetric file encryption with a randomly generated key for each file (AES-256 in CBC mode), along with asymmetric encryption of the session key using a custom RSA implementation.

Some ransomware samples obtained by Blackberry Cylance researchers only encrypt the first 1000 bytes of a file. This is sufficient to render the files unusable but also speeds up the file encryption process so there is less chance of the attack being detected and stopped before file encryption has been completed.
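Partial encryption of the kind described above leaves a recognizable shape on disk: the first kilobyte of a file reads as near-uniform ciphertext while the rest is still ordinary content. The following entropy-based triage script is an added example written for this article, not code from Blackberry Cylance or from the ransomware authors; the 1000-byte head length comes from the text, the 7.0 bits-per-byte threshold is an assumption, and the sample files are constructed inline (a repeated plaintext record, the same record with its head replaced by a SHA-256 chain standing in for ciphertext, and a fully random blob).

```python
import hashlib
import math
import os

HEAD_LEN = 1000        # bytes: the page reports Zeppelin samples encrypting only the first 1000 bytes
HIGH_ENTROPY = 7.0     # bits per byte; assumed threshold, ciphertext measures close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(data: bytes, head_len: int = HEAD_LEN, threshold: float = HIGH_ENTROPY) -> str:
    """'partial' if only the first head_len bytes look like ciphertext, 'full' if the whole
    file does, 'plain' otherwise. Compressed or legitimately encrypted formats (zip, jpeg,
    pdf streams) also read as 'full', so treat hits as leads for review, not verdicts."""
    if len(data) <= head_len:
        return "full" if shannon_entropy(data) >= threshold else "plain"
    head_hi = shannon_entropy(data[:head_len]) >= threshold
    tail_hi = shannon_entropy(data[head_len:]) >= threshold
    if head_hi and not tail_hi:
        return "partial"
    if head_hi and tail_hi:
        return "full"
    return "plain"


def scan_directory(root: str):
    """Yield (path, verdict) for every regular file under root, skipping unreadable ones."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            yield path, classify(data)


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 chain gives near-uniform bytes."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_samples() -> dict:
    """Constructed inputs: a plain record, the same record with its head overwritten, a fully random blob."""
    record = b"patient_id=0001;visit=2019-12-01;notes=routine follow-up\n" * 200
    return {
        "plain": record,
        "partial": _pseudo_random(HEAD_LEN) + record[HEAD_LEN:],
        "full": _pseudo_random(len(record)),
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(f"{label:8s} -> {classify(blob)}")
```

Run `scan_directory` over a share suspected of having been hit and sort on the verdict column; a cluster of `partial` files whose names and extensions are unchanged is the pattern the text describes, whereas `full` hits need to be checked against the file type before anyone draws a conclusion.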

As is common in these targeted attacks, a ransom note is dropped that provides email addresses for the victims to make contact with the attackers. This allows the attackers to set ransom payments on the perceived ability of the victim to pay.

It is unclear what methods are being used to distribute Zeppelin ransomware. The researchers have found a sample on watering-hole websites, with the ransomware payload hosted on Pastebin, but several distribution methods may be used.

Protecting against attacks requires a combination of security solutions and the adoption of cybersecurity best practices. Block open ports, change all default passwords, disable RDP if possible, use an advanced spam filtering solution, apply patches promptly, and keep operating systems and software up to date. Ensure staff are trained and are following security best practices and make sure backups are regularly created and tested to make sure file recovery is possible. It is also essential for one backup copy to be stored securely on a device that is not connected to the network.


Ryuk Ransomware Decryptor Bug May Result in Permanent Data Loss

Cybersecurity firm Emsisoft has issued a warning about a recently discovered bug in the decryptor used by Ryuk ransomware victims to recover their data. A bug in the decryptor app can cause certain files to be corrupted, resulting in permanent data loss.

Ryuk ransomware is one of the most active ransomware variants. It has been used in many attacks on healthcare organizations in the United States, including DCH Health System in Alabama and the recent attack on the IT service provider Virtual Care Provider.

Ryuk ransomware is distributed in several ways. Scans are conducted to identify open Remote Desktop Protocol ports, brute force attacks on RDP are also conducted, and the ransomware is downloaded by exploiting unpatched vulnerabilities. Ryuk ransomware is also installed as a secondary payload by Trojans such as TrickBot.

There is no free decryptor for Ryuk ransomware, so recovery depends on whether viable backups have been made; otherwise victims must pay a sizeable ransom for the keys to decrypt their files.

When Ryuk ransomware victims pay the ransom, they are provided with a decryptor app and the keys to decrypt their files. However, the decryptor app will not allow all files to be recovered. Large files can be corrupted during the decryption process.

This is due to a recent change in the encryption process. Ryuk ransomware no longer encrypts the entire file if the file is larger than 54.4 megabytes. The change was made to speed up the encryption process to make it less likely that the attack will be detected before file encryption has been completed.

Due to the bug, the footer in large files is not correctly calculated. This can cause the decryptor to truncate large files and lose the last byte. This is not a problem for many file types as the last byte often just contains padding and no data. However, some file types, including Oracle database files and virtual disk files (VHD/VHDX), use the last byte. Without that last byte the file will be corrupted and recovery will be rendered impossible.

Further, the original encrypted file is deleted if the decryptor determines that the file has been successfully decrypted, even if decryption has resulted in file corruption. That means that once the decryptor has run, it will not be possible to recover corrupted files.

Prior to decryption, it is important to make a copy of all encrypted files. Decryptors do not always work as expected and some file loss may occur. If copies of the encrypted files have been made and the decryption process does not work as expected, it will be possible to try again. Emsisoft can assist with file recovery and will develop a decryptor for Ryuk ransomware that does not have the bug. Due to the amount of work required by its engineers, the bug-free decryptor is not provided free of charge.
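The advice to copy every encrypted file before running a decryptor is easy to state and easy to get wrong under pressure, so here is an added example (written for this article, not Emsisoft's or the ransomware's code) of the pre-decryption routine a responder would actually run: copy the encrypted tree, prove the copy matches by hash, list the files that fall into the risky category the text describes (larger than 54.4 MB and of a type that uses its last byte), and re-verify the copies afterwards. The 54.4 MB threshold and the VHD/VHDX and Oracle data file categories come from the text; the `.dbf` extension for Oracle data files, the `.enc_demo` suffix standing in for whatever the ransomware appended, and the throwaway files in `demo()` are all constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile

LARGE_FILE_BYTES = int(54.4 * 1024 * 1024)   # page: files above 54.4 MB take the partial-encryption path
# Constructed list of formats the page says rely on their final byte (Oracle data files, VHD/VHDX).
LAST_BYTE_SENSITIVE = {".dbf", ".vhd", ".vhdx"}


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Inventory every file under root as relative path -> (size, sha256)."""
    inv = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            inv[os.path.relpath(path, root)] = (os.path.getsize(path), sha256_of(path))
    return inv


def preserve_copies(root: str, dest: str) -> dict:
    """Copy the still-encrypted tree to dest before any decryptor runs and prove the copy matches."""
    shutil.copytree(root, dest)
    inv = snapshot(root)
    if snapshot(dest) != inv:
        raise RuntimeError("preserved copy does not match the originals; do not run the decryptor")
    return inv


def at_risk_files(inventory: dict, large: int = LARGE_FILE_BYTES,
                  exts=LAST_BYTE_SENSITIVE, ransom_ext: str = None) -> list:
    """Files big enough for partial encryption whose underlying format needs its last byte.
    ransom_ext is whatever suffix the ransomware appended; it is stripped to find the real extension."""
    hits = []
    for rel, (size, _) in inventory.items():
        original = rel[:-len(ransom_ext)] if ransom_ext and rel.endswith(ransom_ext) else rel
        if size > large and os.path.splitext(original)[1].lower() in exts:
            hits.append(rel)
    return sorted(hits)


def verify_copies(inventory: dict, dest: str) -> list:
    """Re-hash the preserved copies; return the relative paths that changed or disappeared."""
    damaged = []
    for rel, (size, digest) in inventory.items():
        path = os.path.join(dest, rel)
        if not os.path.isfile(path) or os.path.getsize(path) != size or sha256_of(path) != digest:
            damaged.append(rel)
    return sorted(damaged)


def demo() -> dict:
    """Constructed walk-through on a throwaway tree standing in for an encrypted file share."""
    base = tempfile.mkdtemp(prefix="decrypt-check-")
    src, dest = os.path.join(base, "encrypted"), os.path.join(base, "preserved")
    os.makedirs(src)
    # ".enc_demo" is a placeholder suffix, not the extension any real ransomware family uses
    files = {"disk.vhdx.enc_demo": b"V" * 4096, "notes.txt.enc_demo": b"N" * 4096, "tiny.vhd.enc_demo": b"x"}
    for name, data in files.items():
        with open(os.path.join(src, name), "wb") as fh:
            fh.write(data)
    try:
        inv = preserve_copies(src, dest)
        risky = at_risk_files(inv, large=1024, ransom_ext=".enc_demo")   # tiny threshold for the demo
        clean = verify_copies(inv, dest)
        with open(os.path.join(dest, "disk.vhdx.enc_demo"), "ab") as fh:  # simulate a damaged copy
            fh.write(b"!")
        damaged = verify_copies(inv, dest)
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return {"risky": risky, "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

The list returned by `at_risk_files` is the set to hand-check after decryption (for example by mounting a VHDX read-only or letting the database validate its data files) before the preserved copies are discarded; because the decryptor the text describes deletes the encrypted original on what it believes is success, the preserved copy is the only route to a second attempt.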


Deadline for Upgrading Windows 7 Devices is Fast Approaching

Healthcare organizations still using Windows 7 and Windows 2008 only have a few days to upgrade the operating systems before Microsoft stops providing support. Support for both operating systems will come to an end on January 14, 2020.

From January 14, 2020, Microsoft will release no more patches and updates, so the operating system will become increasingly vulnerable to attack. Cyberattacks are unlikely to start the second support stops, but any vulnerabilities in the operating system discovered after January 14 will remain unaddressed. Exploits could therefore be developed for Windows 7 flaws and, through those compromised devices, attacks could be launched on other devices on the network. As the number of vulnerabilities grows, the risk of a cyberattack will increase.

According to Forescout, the healthcare industry has the largest percentage of Windows 7 devices of any industry. A report earlier this year suggested 56% of healthcare organizations are still using Windows 7 on at least some devices and 10% of devices used by healthcare organizations are running Windows 7 or modified versions of the operating system. It has been estimated that approximately 70% of all IoT and medical devices will still be using Windows 7 or other unsupported operating systems by January 14, 2020.

The continued use of unsupported operating systems is a violation of HIPAA. If a vulnerability in Windows 7 is exploited after the January 14 deadline and protected health information is exposed, healthcare organizations could face a regulatory fine.

Healthcare organizations unable to upgrade before January 14 have one option available. Microsoft will be continuing to offer extended security updates to enterprise Windows 7 users for an annual per-device fee. Extended support will be costly. Microsoft will be charging $25 per device in 2020, $50 per device in 2021, and $100 per device in 2022. Extended security updates for fee-paying enterprises will come to an end in January 2023.


Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices

A Colorado IT firm that specializes in providing managed IT services to dental offices has been attacked with ransomware. Through the firm’s systems, more than 100 dental practices have also been attacked and have had ransomware deployed.

The attack on Englewood, CO-based Complete Technology Solutions (CTS) commenced on November 25, 2019. According to a report on KrebsonSecurity, CTS was issued with a ransom demand of $700,000 for the keys to unlock the encryption. The decision was taken not to pay the ransom.

In order to provide IT services to the dental practices, CTS is able to log on to their systems using a remote access tool. That tool appears to have been abused by the attackers, who used it to access the systems of all its clients and deploy Sodinokibi ransomware.

Some of the dental practices impacted by the attack have been able to recover data from backups, specifically, dental practices that had a copy of their backup data stored securely offsite. Many dental practices are still without access to their data or systems and are turning patients away due to ongoing system outages.

KrebsonSecurity reports that some of those practices are trying to negotiate with the attackers to obtain keys to unlock their own data.

Recovery has been complicated in some cases by multiple ransom notes and file extensions, which has meant that paying the ransom demand only recovered some of the encrypted data, and further payments were required for additional keys to unlock the remaining files. Black Talon Security told KrebsonSecurity that one dental practice had 50 devices encrypted and received more than 20 ransom notes. Multiple payments had to be made to recover records.

The attack is similar to the one that was conducted on the Wisconsin firm PerCSoft, through which around 400 dental offices were attacked with ransomware in August 2019. PerCSoft provides digital data backup services for dental offices. Sodinokibi ransomware was also used in that attack.

It is becoming increasingly common for ransomware gangs to target managed service providers. A single attack on a managed service provider can allow the attackers to attack hundreds of other companies, making the returns far higher.

A recent report by Kaspersky Lab also confirmed that ransomware attackers are targeting backups and Network Attached Storage (NAS) devices to make it much harder for victims to recover their files for free without paying the ransom.

The latest attack shows just how important it is not only to ensure that backups of all critical data are made, but why it is essential for at least one copy of a backup to be stored securely off site, on a non-networked device that is not accessible over the internet.


Microsoft Issues Advice on Defending Against Spear Phishing Attacks

Cybercriminals conduct phishing attacks by sending millions of messages randomly in the hope of getting a few responses, but more targeted attacks can be far more profitable.

There has been an increase in these targeted attacks, which are often referred to as spear phishing. Spear phishing attacks have doubled in the past year according to figures from Microsoft. Between September 2018 and September 2019, spear phishing attacks increased from 0.31% of email volume to 0.62%.

The volume may seem low, but these campaigns are laser-focused on specific employees and they are often very effective. The emails are difficult even for security-conscious employees to recognize, and many executives, and even IT and cybersecurity staff, fall for these campaigns. The emails are tailored to a specific individual or small group of individuals in a company, they are often addressed to that individual by name, appear to come from a trusted individual, and often lack the signs of phishing present in more general phishing campaigns.

These attacks are more profitable as some credentials are more valuable than others. Spear phishing campaigns often target Office 365 admins. Their accounts can allow an attacker to gain access to the entire email system and huge quantities of sensitive data. New accounts can be set up on a domain with admin credentials, and those accounts can be used to send further phishing emails. New accounts are only used by the attacker, so there is a lower chance of the malicious email activities being discovered.

Spear phishers also seek the credentials of executives, as they can be used in business email compromise attacks in which employees with access to company bank accounts are tricked into making fraudulent wire transfers. Fraudulent wire transfers of tens of thousands, hundreds of thousands, or even millions may be made, malware can be installed, or the attacker can gain access to large quantities of highly sensitive data.

Spear phishers spend time researching their targets on social media networks and corporate websites. They learn about relationships between employees and different departments and impersonate other individuals in the company. They may even already have compromised one or more company email accounts in past phishing campaigns before going for the big phish on a big fish in the company. This is often referred to as a whaling attack. Spear phishing emails are often professional, credible, and are difficult to identify by end users.

As difficult as these spear phishing emails are to spot, there are steps that healthcare organizations can take to reduce risk. Many of these measures are the same as the steps that need to be taken to detect and block more general phishing campaigns.

The best place to start is with employee education. Security awareness training should be provided to everyone in the organization who uses email. Many of these spear phishing attacks start with a more general phishing campaign to gain a foothold in the email system.

The CEO and executives must also be trained, as they are the big fish that the spear phishing campaigns most commonly target. Any individual with access to corporate bank accounts or highly sensitive information should be given more training, and the training should be role-specific and cover the threats they are most likely to encounter.

Employees should be taught not just to check the true sender of an email, but specifically to look at the email address to see if something is not quite right. Phishing emails usually convey a sense of urgency and usually a “threat” if no action is taken (account will be closed/suspended).

They often contain out-of-band requests that go against company policy such as fast-tracking payments, sending unusual data via email, or bypassing usual checks or procedures. The messages often contain unusual language or inconsistent wording.
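The cues listed in the two paragraphs above (a sender address that is almost but not quite right, urgency and threats, out-of-band requests) can be turned into a first-pass triage check for messages employees report. The script below is an added example written for this article, not Microsoft's code or part of any product; `example-health.org` is an assumed organization domain, the keyword lists are constructed, and the two sample messages are invented (the spear-phishing one uses a capital I in place of the l in "health"). It goes slightly beyond the text by also flagging a Reply-To domain that differs from the From domain, a common companion to a lookalike sender.

```python
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-health.org"   # assumed: the organization's own mail domain
# Constructed keyword lists for the two cues the text describes: urgency/threat and out-of-band requests.
URGENCY_CUES = ("urgent", "immediately", "within 24 hours", "will be suspended", "will be closed", "final notice")
OUT_OF_BAND_CUES = ("wire transfer", "gift card", "keep this confidential", "do not call", "skip the usual", "bypass")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str, trusted: str = TRUSTED_DOMAIN) -> dict:
    """Return sender details plus a list of heuristic findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()

    findings = []
    # a domain within two edits of the real one, but not equal to it, is the lookalike cue
    if from_dom and from_dom != trusted and edit_distance(from_dom, trusted) <= 2:
        findings.append("sender-domain-lookalike")
    if reply and domain_of(reply) != from_dom:
        findings.append("reply-to-mismatch")
    if any(cue in text for cue in URGENCY_CUES):
        findings.append("urgency-language")
    if any(cue in text for cue in OUT_OF_BAND_CUES):
        findings.append("out-of-band-request")
    return {"display_name": name, "address": addr, "findings": findings}


# Constructed sample messages, not real mail.
SPEAR_SAMPLE = (
    "From: Alice Example <alice.example@example-heaIth.org>\n"
    "Reply-To: alice.example@mail-relay.example.net\n"
    "To: finance@example-health.org\n"
    "Subject: URGENT: vendor payment today\n"
    "\n"
    "Please process this wire transfer immediately and keep this confidential until I am back.\n"
)
BENIGN_SAMPLE = (
    "From: Bob Example <bob.example@example-health.org>\n"
    "To: finance@example-health.org\n"
    "Subject: Thursday staff meeting\n"
    "\n"
    "Agenda for Thursday is attached; reply with any additions.\n"
)

if __name__ == "__main__":
    for label, sample in (("spear", SPEAR_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze(sample))
```

A message with an empty findings list is not therefore safe, and a message with several is not therefore malicious; the value of the check is that it gives the person triaging reported messages the same cues the training teaches, computed consistently, so the borderline cases get a phone call rather than a guess.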

When suspicious emails are received, there should be an easy mechanism for employees to report them to their security teams. A one-click email add-on for reporting messages is useful. Spear phishing campaigns are often sent to key people in a department simultaneously, so speaking to peers about messages is also useful. Policies should also be implemented that require checks to be performed before any large bank transfers are made. It should be company policy to double check atypical requests by phone, for instance.

Technical measures should also be introduced to detect and block attacks. An advanced spam filtering solution is a must. Do not rely on Exchange Online Protection with Office 365 alone. Advanced Threat Protection from Microsoft or a third-party solution for Office 365 should be implemented; one that incorporates sandboxing, DMARC, and malicious URL analysis will provide greater protection.

Multi-factor authentication is also essential. MFA blocks more than 99.9% of email account compromise attacks. If credentials are compromised in an attack, MFA can prevent them from being used by the attacker.

Spear phishing is the principal way that cybercriminals attack organizations and it often gives them the foothold they need for more extensive attacks on the organization. Spear phishing is a very real threat. It is therefore critical that organizations take these and other steps to combat attacks.


HIPAA Compliance Can Help Covered Entities Prevent, Mitigate, and Recover from Ransomware Attacks

Ransomware attacks used to be conducted indiscriminately, with the file-encrypting software most commonly distributed in mass spam email campaigns. However, since 2017, ransomware attacks have become far more targeted. It is now common for cybercriminals to select targets to attack where there is a higher than average probability of a ransom being paid.

Healthcare providers are a prime target for cybercriminals. They have large quantities of sensitive data, low tolerance for system downtime, and high data availability requirements. They also have the resources to pay ransom demands and many are covered by cybersecurity insurance policies. Insurance companies often choose to pay the ransom as it is usually far lower than the cost of downtime while systems are rebuilt, and data is restored from backups.

With attacks increasing in frequency and severity, healthcare organizations need to ensure that their networks are well defended and they have policies and procedures in place to ensure a quick response in the event of an attack.

Ransomware attacks are increasing in sophistication and new tactics and techniques are constantly being developed by cybercriminals to infiltrate networks and deploy ransomware, but the majority of attacks still use tried and tested methods to deliver the ransomware payload. The most common methods of gaining access to healthcare networks are still phishing and the exploitation of vulnerabilities, such as unpatched flaws in applications and operating systems. By finding and correcting vulnerabilities and improving defenses against phishing, healthcare providers will be able to block all but the most sophisticated and determined attackers and keep their networks secure and operational.

In its Fall 2019 Cybersecurity Newsletter, the Department of Health and Human Services explains that it is possible to prevent most ransomware attacks through the proper implementation of HIPAA Security Rule provisions. Through HIPAA compliance, healthcare organizations will also be able to ensure that in the event of a ransomware attack they will be able to recover in the shortest possible time frame.

There are several provisions of the HIPAA Security Rule that are relevant to protecting, mitigating and recovering from ransomware attacks, six of the most important being:

Risk Analysis (45 C.F.R. §164.308(a)(1)(ii)(A))

A risk analysis is one of the most important provisions of the HIPAA Security Rule. It allows healthcare organizations to identify threats to the confidentiality, integrity, and availability of ePHI so that those threats can be mitigated. Ransomware is commonly introduced through the exploitation of technical vulnerabilities, such as unsecured open ports, outdated software, and poor access management and provisioning. It is essential that all possible attack vectors and vulnerabilities are identified.

Risk Management (45 C.F.R. §164.308(a)(1)(ii)(B))

All risks identified during the risk analysis must be managed and reduced to a low and acceptable level. That will make it much harder for attackers to succeed. Risk management includes the deployment of anti-malware software, intrusion detection systems, spam filters, web filters, and robust backup systems.

Information System Activity Review (45 C.F.R. §164.308(a)(1)(ii)(D))

If an organization’s defenses are breached and hackers gain access to devices and information systems, intrusions need to be quickly detected. By conducting information system activity reviews, healthcare organizations can detect anomalous activity and take steps to contain attacks in progress. Ransomware is not always deployed as soon as network access is gained. It may be days, weeks, or even months after a network is compromised before ransomware is deployed, so a system activity review may detect a compromise before the attackers are able to deploy ransomware. Security Information and Event Management (SIEM) solutions can be useful for conducting activity reviews and automating the analysis of activity logs.
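The kind of review described above can be partly automated. The following Python script is an added example written for this page; it is not from the HIPAA Journal article, the HHS newsletter, or any SIEM product. It parses constructed, syslog-style log lines (the field names, the 06:00 to 22:00 "business hours" window, the failed-logon threshold, and the short list of pre-ransomware commands such as shadow copy deletion are all assumptions chosen for the illustration) and flags four patterns that often precede ransomware deployment: a successful logon after a burst of failures, a logon outside business hours, one account logging on to several hosts in a short window, and a process that destroys recovery data.

```python
"""
Added example, not from the HIPAA Journal article or the HHS newsletter: a
minimal information system activity review run over constructed log lines.
Field names, thresholds and the business-hours window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (no real system or patient data). Assumed format:
# ISO timestamp followed by key=value pairs; quoted values may contain spaces.
SAMPLE_LOGS = """\
2019-11-18T09:02:11 host=ws-0101 event=LOGON user=nurse_a result=SUCCESS src=10.0.9.11
2019-11-18T09:05:30 host=ws-0101 event=PROCESS user=nurse_a cmd="notepad.exe shift-notes.txt"
2019-11-18T10:00:01 host=rdp-gw01 event=LOGON user=admin result=FAILURE src=203.0.113.45
2019-11-18T10:00:02 host=rdp-gw01 event=LOGON user=admin result=FAILURE src=203.0.113.45
2019-11-18T10:00:03 host=rdp-gw01 event=LOGON user=admin result=FAILURE src=203.0.113.45
2019-11-18T10:00:04 host=rdp-gw01 event=LOGON user=admin result=FAILURE src=203.0.113.45
2019-11-18T10:00:05 host=rdp-gw01 event=LOGON user=admin result=FAILURE src=203.0.113.45
2019-11-18T10:00:09 host=rdp-gw01 event=LOGON user=admin result=SUCCESS src=203.0.113.45
2019-11-18T10:03:00 host=ws-0412 event=LOGON user=admin result=SUCCESS src=10.0.1.5
2019-11-18T10:04:30 host=ehr-db01 event=LOGON user=admin result=SUCCESS src=10.0.1.5
2019-11-18T23:41:07 host=ehr-db01 event=LOGON user=svc_backup result=SUCCESS src=10.0.8.22
2019-11-18T23:42:19 host=ehr-db01 event=PROCESS user=svc_backup cmd="vssadmin delete shadows /all /quiet"
"""

LINE_RE = re.compile(r'^(\S+)\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

BUSINESS_START, BUSINESS_END = 6, 22          # assumed local business hours
FAILED_LOGON_THRESHOLD = 5                    # assumed brute-force threshold
LATERAL_HOSTS, LATERAL_WINDOW = 3, timedelta(minutes=10)
PRECURSOR_PATTERNS = [                        # recovery-destroying commands
    re.compile(r'vssadmin\s+delete\s+shadows', re.I),
    re.compile(r'wbadmin\s+delete\s+catalog', re.I),
    re.compile(r'bcdedit\b.*recoveryenabled\s+no', re.I),
]

def parse_line(line):
    """Return a dict of fields plus 'ts', or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields['ts'] = ts
    return fields

def parse_logs(text):
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e['ts'])        # reviews assume chronological order
    return events

def review(events):
    findings = []
    failures = defaultdict(int)      # (user, src) -> failed logons since last success
    successes = defaultdict(list)    # user -> [(ts, host)] recent successful logons
    for e in events:
        kind, user, host = e.get('event'), e.get('user'), e.get('host')
        if kind == 'LOGON':
            key = (user, e.get('src'))
            if e.get('result') == 'FAILURE':
                failures[key] += 1
                continue
            if e.get('result') != 'SUCCESS':
                continue
            if failures[key] >= FAILED_LOGON_THRESHOLD:
                findings.append(dict(rule='brute_force_success', user=user, host=host, detail=failures[key]))
            failures[key] = 0
            if not (BUSINESS_START <= e['ts'].hour < BUSINESS_END):
                findings.append(dict(rule='off_hours_logon', user=user, host=host, detail=e['ts'].isoformat()))
            recent = [(t, h) for t, h in successes[user] if e['ts'] - t <= LATERAL_WINDOW]
            recent.append((e['ts'], host))
            hosts = sorted({h for _, h in recent})
            if len(hosts) >= LATERAL_HOSTS:
                findings.append(dict(rule='lateral_movement', user=user, host=host, detail=hosts))
                recent = []                   # do not re-alert on the same spree
            successes[user] = recent
        elif kind == 'PROCESS':
            cmd = e.get('cmd', '')
            if any(p.search(cmd) for p in PRECURSOR_PATTERNS):
                findings.append(dict(rule='ransomware_precursor', user=user, host=host, detail=cmd))
    return findings

def review_text(text):
    return review(parse_logs(text))

if __name__ == '__main__':
    for f in review_text(SAMPLE_LOGS):
        print(f"[{f['rule']}] user={f['user']} host={f['host']} {f['detail']}")
```

Run against the sample, the script raises four findings and leaves the nurse's ordinary workstation activity alone. The point is not the specific rules, which any real deployment would tune, but that a review of existing logs can surface the intrusion during the days or weeks between initial access and ransomware deployment, when containment is still cheap.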

Security Awareness and Training (45 C.F.R. §164.308(a)(5))

Phishing attacks are often effective as they target employees, who are one of the weakest links in the security chain. Through regular security awareness training, employees will learn how to identify phishing emails and malspam and respond appropriately by reporting the threats to the security team.

Security Incident Procedures (45 C.F.R. §164.308(a)(6))

In the event of an attack, a fast response can greatly limit the damage caused by ransomware. Written policies and procedures are required and these must be disseminated to all appropriate workforce members so they know exactly how to respond in the event of an attack. Security procedures should also be tested to ensure they will be effective in the event of a security breach.

Contingency Plan (45 C.F.R. §164.308(a)(7))

A contingency plan must be developed to ensure that in the event of a ransomware attack, critical services can continue and ePHI can be recovered. That means that backups must be made of all ePHI. Covered entities must also test those backups to ensure that data can be recovered. Backup systems have been targeted by ransomware threat actors to make it harder for covered entities to recover without paying the ransom, so at least one copy of a backup should be stored securely on a non-networked device or isolated system.
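Testing a backup means more than confirming the restore job finished: the restored files must be the files that were backed up. The Python script below is an added example for this page, not code from the article, the HHS newsletter, or any backup product. It records a SHA-256 manifest when the backup is taken, signs the manifest with an HMAC key that is assumed to be kept off the network alongside the offline copy, and then compares a restored tree against the manifest, reporting files that were altered (as an encrypted-in-place file would be), files that are missing, and files that should not be there. The sample data and the tampering it simulates are constructed inside the script.

```python
"""
Added example, not from the HIPAA Journal article: verify a restored backup
against a signed hash manifest captured when the backup was taken.
All sample files are constructed here; nothing is real PHI.
"""
import hashlib, hmac, json, os, shutil, tempfile

def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            manifest[rel] = sha256_file(full)
    return manifest

def sign_manifest(manifest, key):
    """Serialize deterministically and authenticate with a key kept off the network."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def load_manifest(body, tag, key):
    """Refuse a manifest whose signature does not verify: an attacker who can
    rewrite backups can also rewrite an unsigned manifest to match."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError('manifest signature mismatch; do not trust this manifest')
    return json.loads(body)

def verify_restore(manifest, restored_root):
    actual = build_manifest(restored_root)
    return {
        'ok': sorted(p for p in manifest if actual.get(p) == manifest[p]),
        'modified': sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        'missing': sorted(p for p in manifest if p not in actual),
        'unexpected': sorted(p for p in actual if p not in manifest),
    }

def demo():
    """Build a constructed backup, damage a restored copy, and report the result."""
    key = b'constructed-key; assumed to live on the offline media'
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, 'ephi')
        os.makedirs(os.path.join(src, 'records'))
        with open(os.path.join(src, 'records', 'patient-0001.json'), 'w') as f:
            f.write('{"mrn": "0001", "note": "constructed sample"}')
        with open(os.path.join(src, 'records', 'patient-0002.json'), 'w') as f:
            f.write('{"mrn": "0002", "note": "constructed sample"}')
        with open(os.path.join(src, 'index.db'), 'wb') as f:
            f.write(b'\x00' * 1024)
        body, tag = sign_manifest(build_manifest(src), key)

        # Simulate a restore from a backup the attackers reached: one file
        # overwritten in place, one deleted, one unexpected file added.
        restored = os.path.join(work, 'restored')
        shutil.copytree(src, restored)
        with open(os.path.join(restored, 'records', 'patient-0002.json'), 'wb') as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(restored, 'index.db'))
        with open(os.path.join(restored, 'README_DECRYPT.txt'), 'w') as f:
            f.write('constructed placeholder')
        report = verify_restore(load_manifest(body, tag, key), restored)

        # A manifest altered by even one byte must be rejected.
        try:
            load_manifest(body + b' ', tag, key)
            report['manifest_tamper_detected'] = False
        except ValueError:
            report['manifest_tamper_detected'] = True
        return report
    finally:
        shutil.rmtree(work)

if __name__ == '__main__':
    print(json.dumps(demo(), indent=2))
```

The restore test passes only when `modified`, `missing`, and `unexpected` are all empty; anything else means the backup, the restore process, or the backup system itself needs attention before it is relied on. Keeping the manifest and its key with the offline copy is what makes the check meaningful when the networked backup server has been compromised.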

The post HIPAA Compliance Can Help Covered Entities Prevent, Mitigate, and Recover from Ransomware Attacks appeared first on HIPAA Journal.

Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018

Cyberattacks on healthcare organizations have increased in frequency and severity in the past year, according to recently published research from Malwarebytes.

In its latest report – Cybercrime Tactics and Techniques: The 2019 State of Healthcare – Malwarebytes offers insights into the main threats that have plagued the healthcare industry over the past year and explains how hackers are penetrating the defenses of healthcare organizations to gain access to sensitive healthcare data.

Cyberattacks on healthcare organizations can have severe consequences. As we have seen on several occasions this year, attacks can cause severe disruption to day to day operations at hospitals often resulting in delays in healthcare provision. In at least two cases, cyberattacks have resulted in healthcare organizations permanently closing their doors and a recent study has shown that cyberattacks contribute to an increase in heart attack mortality rates. Even though the attacks can cause considerable harm to patients, attacks are increasing in frequency and severity.

Malwarebytes data shows the healthcare industry was the seventh most targeted industry sector from October 2018 to September 2019, but if the current attack trends continue, it is likely to be placed even higher next year.

Healthcare organizations are an attractive target for cybercriminals because they store large volumes of valuable data in EHRs, often combined with the lack of a sophisticated security model. Healthcare organizations also have a large attack surface to defend, with large numbers of endpoints and other vulnerable networked devices. Given the relatively poor defenses and the high value of healthcare data on the black market, it is no surprise that the industry is so heavily targeted.

Detections of threats on healthcare endpoints were up 45% in Q3, 2019, increasing from 14,000 detections in Q2 to 20,000 in Q3. Threat detections in the first three quarters of 2019 were also 60% higher than in all of 2018.

Many of the detections in 2019 were Trojans, notably Emotet in early 2019 followed by TrickBot in Q3. TrickBot is currently the biggest malware threat in the healthcare industry. Overall, Trojan detections were up 82% in Q3 from Q2, 2019. These Trojans give attackers access to sensitive data but also download secondary malware payloads such as Ryuk ransomware. Once data has been stolen, ransomware is often deployed.

Trojan attacks tend to be concentrated on industry sectors with large numbers of endpoints and less sophisticated security models, such as education, government, and healthcare. Trojans are primarily spread through phishing and social engineering attacks, exploits of vulnerabilities on unpatched systems, and system misconfigurations. Trojans are by far the biggest threat, but there have also been increases in detections of hijackers, which are up 98% in Q3; riskware detections increased by 85%, adware detections were up 34%, and ransomware detections increased by 15%.

Malwarebytes identified three key attack vectors that have been exploited in the majority of attacks on the healthcare industry in the past year: Phishing, negligence, and third-party supplier vulnerabilities.

Due to the high volume of email communications between healthcare organizations, doctors, and other healthcare staff, email is one of the main attack vectors and phishing attacks are rife. Email accounts also contain a considerable amount of sensitive data, all of which can be accessed following a response to a phishing email. These attacks are easy to perform as they require no code or hacking skills. Preventing phishing attacks is one of the key challenges faced by healthcare organizations.

The continued use of legacy systems, which are often unsupported, is also making attacks far too easy. Unfortunately, upgrading those systems is difficult and expensive, and some machines and devices cannot be upgraded. The problem is likely to get worse with support for Windows 7 coming to an end in January 2020. The slow rate of patching is why Malwarebytes is still detecting WannaCry ransomware infections in the healthcare industry. Many organizations have still not patched the SMB vulnerability that WannaCry exploits, even though Microsoft released a patch (MS17-010) in March 2017.

Negligence is also a key problem, often caused by the failure to prioritize cybersecurity at all levels of the organization and to provide appropriate cybersecurity training to employees. Malwarebytes notes that investment in cybersecurity is increasing, but it often doesn’t extend to bringing in new IT staff and providing security awareness training.

As long as unsupported legacy systems remain unpatched and IT departments lack the appropriate resources to address vulnerabilities and provide end user cybersecurity training, cyberattacks will continue and the healthcare industry will continue to experience high numbers of data breaches.

The situation could also get a lot worse before it gets better. Malwarebytes warns that new innovations such as cloud-based biometrics, genetic research, advances in prosthetics, and a proliferation in the use of IoT devices for collecting healthcare information will broaden the attack surface even further. That will make it even harder for healthcare organizations to prevent cyberattacks. It is essential for these new technologies to have security baked into the design and implementation or vulnerabilities will be found and exploited.

The post Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018 appeared first on HIPAA Journal.