Healthcare Cybersecurity

February 2020 Healthcare Data Breach Report

There were 39 reported healthcare data breaches of 500 or more records in February and 1,531,855 records were breached, which represents a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. More records were breached in February than in the past three months combined. In February, the average breach size was 39,278 records and the mean breach size was 3,335 records.

Largest Healthcare Data Breaches in February 2020

The largest healthcare data breach was reported by the health plan, Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office break in.

The second largest breach was a ransomware attack on the accounting firm BST & Co. CPAs which saw client records encrypted, including those of the New York medical group, Community Care Physicians. Aside from the network server breach at SOLO Laboratories, the cause of which has not been determined, the remaining 7 breaches in the top 10 were all email security incidents.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI
Health Share of Oregon Health Plan 654,362 Theft Laptop
BST & Co. CPAs, LLP Business Associate 170,000 Hacking/IT Incident Network Server
Aveanna Healthcare Healthcare Provider 166,077 Hacking/IT Incident Email
Overlake Medical Center & Clinics Healthcare Provider 109,000 Hacking/IT Incident Email
Tennessee Orthopaedic Alliance Healthcare Provider 81,146 Hacking/IT Incident Email
Munson Healthcare Healthcare Provider 75,202 Hacking/IT Incident Email
NCH Healthcare System, Inc. Healthcare Provider 63,581 Hacking/IT Incident Email
SOLO Laboratories, Inc. Business Associate 60,000 Hacking/IT Incident Network Server
JDC Healthcare Management Healthcare Provider 45,748 Hacking/IT Incident Email
Ozark Orthopaedics, PA Healthcare Provider 15,240 Hacking/IT Incident Email

Causes of February Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports, accounting for two thirds (66.67%) of all breaches reported in February and 54.78% of breached records (839,226 records). The average breach size was 32,277 records and the median breach size was 4,126 records. 80.76% of those incidents involved hacked email accounts.

There were 6 unauthorized access/disclosure incidents, four of which involved paper/films, one was an email incident and one involved a portable electronic device. 15,826 records were impermissibly disclosed in those incidents. The average breach size was 3,126 records and the median breach size was 2,548 records.

While there were only three theft incidents reported, they accounted for 42.78% of breached records. The average breach size was 327,696 records and the median breach size was 530 records.

There were two incidents involving lost paperwork containing the PHI of 5,904 patients and two improper disposal incidents involving paper files containing the PHI of 15,507 patients.

Location of Breached Protected Health Information

As the bar chart below shows, the biggest problem area for healthcare organizations is protecting email accounts. All but one of the email incidents were hacking incidents that occurred as a result of employees responding to phishing emails. The high total demonstrates how important it is to implement a powerful email security solution and to provide regular training to employees to teach them how to recognize phishing emails.

Breaches by Covered Entity Type

26 data breaches were reported by HIPAA-covered entities in February. The average breach size was 23,589 records and the median breach size was 3,229 records. Data breaches were reported by 8 health plans, with an average breach size of 83,490 records and a median breach size of 2,468 records.

There were 5 data breaches reported by business associates and a further 5 breaches that were reported by the covered entity but had some business associate involvement. The average breach size was 50,124 records and the median breach size was 15,010 records.

Healthcare Data Breaches by State

The data breaches reported in February were spread across 24 states. Texas was the worst affected with 4 breaches. Three data breaches were reported in Arkansas, California, and Florida. There were two reported breaches in each of Georgia, Indiana, Michigan, North Carolina, Virginia, and Washington. One breach was reported in each of Arizona, Hawaii, Illinois, Iowa, Maine, Massachusetts, Minnesota, Missouri, New Mexico, New York, Oregon, Pennsylvania, Tennessee, and Wisconsin.

HIPAA Enforcement Activity in February 2020

There was one HIPAA enforcement action reported in February. The HHS’ Office for Civil Rights announced that Steven A. Porter, M.D had agreed to pay a financial penalty of $100,000 to resolve a HIPAA violation case. The violations came to light during an investigation of a reported breach involving the practice’s medical records company, which Dr. Porter claimed was impermissibly using patient medical records by preventing access until payment of $50,000 was received.

OCR found that Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI. The practice had also not reduced risks to a reasonable and appropriate level, and policies and procedures to prevent, detect, contain, and correct security violations had not been implemented.

The post February 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic

There have been several reported cases of cyberattacks on healthcare organizations that are currently working round the clock to ensure patients with COVID-19 receive the medical are they need. These attacks cause major disruption at the best of times, but during the COVID-19 outbreak the attacks have potential to cause even greater harm and place patient safety at risk.

Many phishing campaigns have been detected using COVID-19 as a lure, fear about the 2019 Novel coronavirus is being exploited to deliver malware, and more than 2,000 coronavirus and COVID-19-themed domains have been registered, many of which are expected to be used for malicious purposes.

One of the largest testing laboratories in the Czech Republic, Brno University Hospital, experienced a cyberattack forcing the shutdown of its computer systems. The attack also affected its Children’s Hospital and Maternity hospital and patients had to be re-routed to other medical facilities.

Cyberattacks have also experienced in the United States, with the Champaign-Urbana Public Health District of Illinois suffering a ransomware attack that affected its website, a source of important information for people about the coronavirus pandemic. A DDoS attack was also conducted on the U.S. Department of Health and Human Services.

Some Threat Groups are Stopping Ransomware Attacks on Healthcare Organizations

While the cyberattacks are continuing, it would appear than at least some threat actors have taken the decision not to attack healthcare and medical organizations currently battling to treat patients and deal with the COVID-19 outbreak.

BleepingComputer reached out to several ransomware gangs that have previously conducted attacks on healthcare organizations to find out if they plan on continuing to conduct attacks during the COVID-19 outbreak.

The threat group behind DoppelPaymer ransomware confirmed they do not tend to conduct attacks on hospitals and nursing homes but said if an error is made and a healthcare organization does have files encrypted, they will be decrypted free of charge. That offer has not been extended to pharmaceutical companies. The Maze ransomware gang has similarly stated that all activity against medical organizations will be stopped until the “stabilization of the situation with the virus.”

Cybersecurity Firms Offer Free Ransomware Assistance During Coronavirus Pandemic

Several cybersecurity firms have announced they are offering free support to healthcare providers that experience ransomware attacks during the coronavirus pandemic, including Emsisoft and Awake Security.

Emsisoft helps ransomware victims recover their files when the decryptors provided by the attackers fail. Coveware is an incident response company that helps ransomware victims negotiate with hackers if the decision is taken to pay the ransom. The two firms will be partnering to help hospitals and other healthcare providers recover if they experience a ransomware attack. The services being provided free of charge include a technical analysis of a ransomware attack, the development of a decryption tool, if possible, and negotiation, transaction handing, and recovery assistance. Emsisoft will also develop a custom decryption tool to replace the one provided by the attackers, which will have a greater chance of success and will lower the probability of file loss.

Awake Security has announced that hospitals and other healthcare providers responding to the coronavirus pandemic will be provided with free access to its security platform for 60 days, with the possibility of an extension.

“As more IT and security workers have to operate remotely, we feel strongly that it is our moral duty to ensure the security of the infrastructure they protect,” said Rahul Kashyap, CEO, Awake Security. “We are glad to see many in the security industry step up to tackle this global crisis, and we hope others will join us in the #FightCOVID19 pledge.”

The platform monitors networks and detects threats from non-traditional computing devices, remote users logging in via VPNs, and the core and perimeter networks. The offer also includes free access to its Managed Detection and response solution which provides ongoing threat monitoring, proactive intelligence-driven threat hunting, and access to Awake Security support services.

Akamai is providing 60 days of free access to its Business Continuity Assistance Program, 1-Password has removed its 30-day free trial limit for business accounts, SentinelOne is offering free endpoint protection and endpoint detection until May 16, 2020, and Cyber Risk Aware is providing free COVID-19 phishing tests for businesses to help them prepare the workforce for coronavirus-themed phishing attacks. To support COVID-19-related healthcare communications, TigerConnect has made its secure healthcare communications platform available free of charge in the United States.

The post Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic appeared first on HIPAA Journal.

Vulnerabilities Identified in Insulet Omnipod and Systech NDS-5000 Terminal Server

Advisories have been issued about recently discovered vulnerabilities in the Insulet Omnipod Insulin Management System and the Systech NDS-5000 Terminal Server.

Improper Access Control Identified in Insulet Omnipod Insulin Management System

ThirdwayV Inc. has discovered a high severity flaw in the Omnipod Insulin Management System which could allow an attacker with access to a vulnerable insulin pump to access the Pod and intercept and modify data, change insulin pump settings, and control insulin delivery.

The vulnerable insulin pumps communicate with an Insulet manufactured Personal Diabetes Manager device using wireless RF. The researchers discovered the RF communication protocol does not implement authentication or authorization properly.

The following versions are affected:

  • Omnipod Insulin Management System Product ID/Reorder number: 19191 and 40160
  • UDI/Model/NDC number: ZXP425 (10-Pack) and ZXR425 (10-Pack Canada)

The vulnerability is tracked as CVE-2020-10597 and has been assigned a CVSS v3 base score of 7.3 out of 10. There have been no reported cases of exploitation of the vulnerability.

Patients should not connect any third-party devices or use unauthorized software and should be attentive to pump notifications, alarms and alerts. Patients should monitor their blood glucose levels carefully and any unintended boluses should be cancelled at once. Insulet recommends updating to the latest model of the insulin pump, which has greater cybersecurity protections.

Patients using one of the vulnerable products have been advised to contact Insulet Customer Care or their healthcare provider for further information on the risk posed by the vulnerability.

Cross-Site Scripting Vulnerability Found in Systech NDS-5000 Terminal Server

An NDS-5000 Terminal Server cross-site scripting vulnerability has been identified that could allow an attacker to perform privileged operations on behalf of the users, access sensitive data, limit system availability, and potentially remotely execute arbitrary code. The vulnerability can be exploited remotely and requires only a low level of skill to exploit.

The vulnerability is tracked as CVE-2020-7006 and has been assigned a CVSS v3 base score of 6.8 out of 10 (medium severity). The vulnerability affects DS-5000 Terminal Server, NDS/5008 (8 Port, RJ45), firmware Version 02D.30 and has been corrected in firmware version 02F.6.

Uses of the affected product should contact Systech Technical Support for further information on updating the firmware to prevent exploitation.

The vulnerability was identified by Murat Aydemir, Critical Infrastructure Penetration Test Specialist at Biznet Bilisim A.S.

The post Vulnerabilities Identified in Insulet Omnipod and Systech NDS-5000 Terminal Server appeared first on HIPAA Journal.

CISA Warns of Exploitation of Vulnerabilities in VPNs and Campaigns Targeting Remote Workers

In an effort to prevent the spread of the coronavirus, many employers are telling their employees to work from home. While this measure is important for reducing the risk of contracting Coronavirus Disease 2019 (COVID-19), working from home introduces other risks.

In order to protect against cyberattacks, enterprise-class virtual private networks (VPN) solutions should be used to connect remotely to the network. VPNs secure the connection between a user’s device and the network, allowing them to access and share healthcare information securely.

While VPNs will improve security, many VPN solutions have vulnerabilities that can be exploited by cybercriminals. If those vulnerabilities are exploited, sensitive data can be intercepted, and an attacker could even take control of affected systems. Cybercriminals are actively searching for vulnerabilities in VPNs to exploit, and the increase in remote workers as a result of the coronavirus gives them many more targets to attack.

The risks associates with VPNs and the increase in the number of remote workers due to the coronavirus has prompted the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA) to issue an alert advising organizations to increase VPN security and adopt cybersecurity best practices to protect against cyberattacks.

Several vulnerabilities have been discovered in popular VPN solutions in the past 12 months, including VPN applications from Palo Alto Networks, Pulse Secure, and FortiGuard. While patches have been released to address the vulnerabilities, many organizations have not updated their software to the latest version. The failure to patch negates the protection provided by the VPN.

A campaign was detected in January 2020 targeting the CVE-2019-11510 remote code execution vulnerability in Pulse Secure Connect and Pulse Policy Secure to deliver REvil ransomware. By exploiting the vulnerability, an attacker could potentially gain access to all active users and obtain their credentials in plaintext and execute arbitrary commands on VPN clients as they connect to the server. A patch to correct the vulnerability was released by Pulse Secure on April 24, 2019, yet 9 months later, many organizations are still using vulnerable versions of the VPN.

Updating VPNs can be difficult because they are often in use 24/7; however, it is essential that updates are applied due to the high risk of exploitation of unpatched vulnerabilities. CISA is urging all organizations to ensure that VPN patches are prioritized.

It is also important to make sure that users only have access to systems that are critical to perform their work duties. Ensuring remote workers have low level privileges will reduce the harm that can be caused if their credentials are compromised. IT teams should also step up monitoring of their networks and should be reviewing access logs to identify potential compromises.

CISA has also warned about an increase in phishing attacks targeting remote workers to obtain VPN credentials. Email security solutions need to be in place to capture these messages before they are delivered, and multifactor authentication should be implemented for remote access to prevent stolen credentials from being used. CISA warns that organizations that fail to implement MFA will be at greater risk from phishing attacks.

IT teams also need to make sure their systems can cope with the increased number of remote workers. CISA warns that organizations may find they only have a limited number of VPN connections, and when they are all in use some users will be prevented from accessing systems to conduct telework. “With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks,” warns CISA.

The HHS’ Centers for Medicare and Medicaid Services (CMS) has expanded Medicare telehealth benefits to help in the fight against the COVID-19 and the HHS’ Office for Civil Rights has announced it will be exercising enforcement discretion in relation to telehealth. This will allow more healthcare workers to work remotely over the coming weeks. It is therefore critical that VPN best practices are followed.

The post CISA Warns of Exploitation of Vulnerabilities in VPNs and Campaigns Targeting Remote Workers appeared first on HIPAA Journal.

Department of Health and Human Services Targeted in Cyberattack

The U.S. Department of Health and Human Services (HHS) has been targeted by cybercriminals in what appears to be an attempt to overwhelm its website with millions of hits. According to a statement issued by HHS spokesperson, Caitlin B. Oakley, the HHS detected “a significant increase in activity on HHS cyber infrastructure” in what appears to have been an attempted Distributed Denial of Service (DDoS) attack.

The individuals responsible for the attack were unsuccessful thanks to additional protections put in place to mitigate DDoS attacks as part of HHS preparation and response to the COVID-19 pandemic. “HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities,” explained Oakley.

No data breach was experienced and the HHS and federal networks are continuing to function normally. Federal cybersecurity professionals are continuing to monitor HHS computer networks and will take appropriate actions to protect those networks and mitigate any further attacks should they occur. The federal government is investigating the attack and at this stage it is unclear who was responsible.

“We have extremely strong barriers, we had no penetration into our networks, no degradation of the functioning of our networks, we had no limitation on the ability or capacity of our people to telework, we’ve taken very strong defensive actions,” said HHS Secretary, Alex Azar.

The White House National Security Council (NSC) sent a tweet on Sunday warning about a disinformation campaign which suggests President Trump is about to order a national quarantine and that the country will be placed on lockdown, as has been the case in Italy and Spain. The NSC tweet explained that these text message rumors are fake. It is unclear if the attempted DDoS attack and text message campaign are related.

There are also several phishing campaigns being conducted that are using fear about SARS-CoV-2 and COVID-19 to spread malware and obtain sensitive information. The malicious email campaigns are likely to increase as the pandemic develops. If you receive any email communication related to SARS-Cov-2 and COVID-19, verify the validity of the message before taking any actions.

For up to date information and guidance on SARS-Cov-2 and COVID-19, visit the Centers for Disease Control and Prevention (CDC) website – CDC.gov.

Illinois Public Health Network Suffers Ransomware Attack

Last week, cybercriminals launched a cyberattack on the Champaign-Urbana Public Health District in Illinois and deployed Netwalker (MailTo) ransomware. The attack disabled the public health district’s website on the morning of March 10, 2020. The incident was investigated and was confirmed as a ransomware attack within a couple of hours.

Employees were able to continue to access critical systems during the website outage. No electronic medical records or other sensitive data have been compromised. Medical records were migrated to the cloud 6 months previously. The Champaign-Urbana Public Health District has since been restored.

The post Department of Health and Human Services Targeted in Cyberattack appeared first on HIPAA Journal.

HSCC Publishes Best Practices for Cyber Threat Information Sharing

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published best practices for cyber threat information sharing. The new guidance document is intended to help healthcare organizations develop, implement, and maintain a successful cyber threat information sharing program to reduce cyber risk.

The new document builds on previously published guidance – the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) – in which HSCC identified key Information Sharing and Analysis Organizations (ISAOs) for the healthcare sector. The latest guidance document helps organizations determine what information to share, how to share the information, and how to protect any sensitive information they receive, as well as providing best practices for obtaining internal and legal approvals for information sharing processes.

One of the main benefits of participating in these programs is to learn about possible attacks and the mitigations to implement to avoid becoming a victim. If an attack occurs at one healthcare organization, it is probable that similar attacks will be performed on others. Through threat information sharing, healthcare organizations can learn from others about attacks and mitigations so they can prepare and improve their own security posture. This is especially important for healthcare organizations with limited resources to devote to cybersecurity as it allows them to crowd source cybersecurity expertise.

The threat landscape evolves at a rapid pace and new attack methods are constantly being developed by cybercriminals. Cyber threat intelligence sharing programs help participants keep abreast of new attack methods and take steps to reduce risk through rapid sharing of actionable intelligence. Cross-organizational collaboration also helps to improve patient safety through the development of trusted networks that help manage potential threats.

The guidance document helps organizations get started by outlining the steps that need to be taken to prepare before joining a threat information sharing program. Preparation requires information sharing goals and objectives to be established, as well as governance models for regulatory compliance. Information sharing assets must be categorized, a governance body must be created, and sanitization rules must be established. HSCC recommends involving the legal department early in the information sharing process and making sure the value and scope of information sharing is understood.

The HSCC cyber threat information sharing guidance details the types of information that should be shared, such as strategic, tactical, operational, and technical intelligence, as well as open source data and incident response information. “While some may believe that threat intelligence only includes information about malware, hacking techniques, and threat actors – threat intelligence data truly comes in a variety of forms and should encompass all cyber risk that could impact the health industry, such as third-party risks, insider threats, cybersecurity risks, regulatory risks, and geopolitical risks,” explained HSCC.

The guidance also details best practices for sharing information, such as using the traffic light protocol and ensuring legal protections are in place to protect against any liability, and also provides advice on who to share threat data with. The document concludes with case studies showing how information can be shared to benefit the information sharing community and protect against attacks.

The HSCC best practices for cyber threat information sharing can be downloaded on this link.

The post HSCC Publishes Best Practices for Cyber Threat Information Sharing appeared first on HIPAA Journal.

83% of Medical Devices Run on Outdated Operating Systems

The current state of IoT device security has been investigated by the Unit 42 team at Palo Alto Networks which identified major risks to the confidentiality, integrity and availability of healthcare data and serious vulnerabilities that could easily be exploited in devastating cyberattacks.

The Unit 42 team analyzed more that 1.2 million IoT devices of 8,000 different types across a range of industry sectors for the 2020 IoT Threat Report. Data was gathered from its Zingbox IoT inventory and management service, which included 73.2 billion network sessions.

The researchers found high numbers of IoT devices that use legacy protocols and unsupported operating systems, a problem that has now got worse since support for Windows 7 stopped in January 2020. Unit 42’s research revealed only 17% of devices have active support for their underlying operating systems. In healthcare, 83% of IoT devices were running on unsupported operating systems, which increased 56% from last year following the end of support for Windows 7. 27% of IoT medical devices are still running on Windows XP and decommissioned versions of Linux.

51% of all cyberthreats in healthcare concern imaging devices, attacks on which can disrupt the care provided to patients. Exposure of sensitive data is a real issue, especially considering 98% of IoT device traffic is not encrypted. Sensitive data is transmitted in plaintext and can be intercepted by anyone who knows where to look.

Network segmentation has improved since last year when the study was last conducted. The Unit 42 team found that the number of hospitals that had more than 20 VLANs had tripled since last year to 44%. However, 72% of healthcare VLANs include standard IT assets as well as IoT devices. An attack on a vulnerable IoT device could allow malware to be transferred to computers and servers on the same network. A doctor opening a malicious email attachment could see malware transferred to medical devices such as infusion pumps, MRI machines, and other medical imaging systems.

The researchers found 57% all IoT devices are vulnerable to high or medium severity attacks. It is common for default passwords to remain in place, even though the passwords can easily be found online. When passwords are changed, they are often changed to easy to remember passwords which are vulnerable to brute force attacks. Patching was found to be poor and the use of unsupported operating systems means patches are no longer released to correct known vulnerabilities.

IoT devices used to be attacked and added to botnets to conduct DDoS attacks but is now it is common for the devices to be attacked to give cybercriminals a foothold in healthcare networks. Once a device has been compromised the attackers move laterally and compromise other systems on the network, either manually or through worm-like attacks.

IoT devices are also not being monitored so compromised devices are often not identified. The Unit 42 team identified a mammogram machine that was infected with the Conficker worm – a malware variant that was first identified in November 2008.

Unit 42 recommends action be taken to ensure vulnerabilities are identified and addressed to make the devices harder to attack. That process must start with a complete inventory of all IoT devices on the network. A recently published report from the Enterprise Strategy Group revealed 77% of organizations do not have full visibility into all of the IoT devices on their networks.

Patches should be implemented on all devices that can be patched, with priority given to the types of devices that carry the highest level of risk – medical devices – and those with the most vulnerabilities – security cameras and printers.

Networks segmentation is necessary to make it harder for attackers to move laterally, with IoT devices kept separate from standard IT assets. IoT devices should also be monitored to detect attacks in progress.

The post 83% of Medical Devices Run on Outdated Operating Systems appeared first on HIPAA Journal.

90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year

A recently published study conducted by HIMSS Media on behalf of Mimecast has revealed 90% of healthcare organizations have experienced at least one email-based threat in the past 12 months. 72% have experienced downtime as a result and one in four said the attack was very or extremely disruptive.

Healthcare organizations are a major target for cybercriminals. They hold large quantities of personal and health information that can be used for many fraudulent purposes, email-based attacks are easy to perform and require little technical skill, and they often give a high return on investment. Healthcare email security defenses also lag behind other industry sectors and security awareness training is often overlooked.

The study was conducted in November 2019 on 101 individuals that had significant involvement with email security at hospitals and health systems in the United States. 3 out of 4 respondents said they have or are in the process of rolling out a comprehensive cyber resilience program, but only 56% of respondents said they already have such a strategy in place. When asked about their current email security deployments, only half had a high level of confidence that their email security measures would block email-based threats.

When asked about the email threats they had experienced and which were the most disruptive, 61% of respondents said impersonation of trusted vendors were very or extremely disruptive, 57% rated credential-harvesting phishing attacks very or extremely disruptive, and 35% said data leaks and threats initiated by cybercriminals stealing users’ log-in credentials were very or extremely disruptive. The main losses caused by the attacks were productivity (55%), data (34%) and financial (17%).

Email security solutions can block the majority of threats, yet only 79% of respondents said that had email security controls in place or were planning to introduce them. Internet and web protection measures had only been implemented by 64% of surveyed healthcare organizations.

These technical solutions are important, but it is important not to forget the human element. Only 73% of surveyed organizations believed security awareness training was an essential part of their defenses against email-borne cyberattacks. This can partly be explained by the way that training is provided. 40% of respondents said they provide security awareness training less than quarterly and 27% only provide training once a year.

“Organizations are better off doing five minutes of training once a month, instead of 15 minutes of training once a quarter,” said Matthew Gardiner, director of enterprise security at Mimecast. “Even though it’s the same amount of time, it’s better to do the training more often so the information stays top of mind.”

It is alarming considering the number of email-based attacks that 11% of respondents said they conduct security awareness training less frequently than once a year, only during onboarding, or only after a major event such as a phishing attack or data breach.

“To better prepare, information technology and security professionals must strengthen their email security programs by combining the best technical controls with knowledgeable staff and resilient business processes to avoid disruption from email-borne attacks,” said Gardiner.

The post 90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year appeared first on HIPAA Journal.

Maximum Severity SMBv3 Flaw Identified: Workaround Required Until Patch Released

A critical flaw has been identified in Windows Server Message Block version 3 (SMBv3) which could potentially be exploited in a WannaCry-style attack. The vulnerability is wormable, which means an attacker could combine it with a worm and compromise all other vulnerable devices on the network from a single infected machine.

This is a pre-auth remote code execution vulnerability in the SMBv3 communication protocol due to an error that occurs when SMBv3 handles maliciously crafted compressed data packets. If exploited, an unauthenticated attacker could execute arbitrary code in the context of the application and take full control of a vulnerable system. The vulnerability can be exploited remotely by sending a specially crafted packet to a targeted SMBv3 server.

The vulnerability, tracked as CVE-2020-0796, affects Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation). It has not yet been confirmed if earlier Windows versions such as Windows 8 and Windows Server 2012 are also vulnerable.

Both Fortinet and Cisco Talos published blog posts summarizing the SMBV3 vulnerability, although Cisco Talos later took down the post. A patch for the flaw was expected to be released by Microsoft on March 2020 Patch Tuesday, but a full fix was not ready in time.

Proof of concept exploits for the flaw have not been published online at the time of writing and there have been no reported cases of exploitation of the vulnerability in the wild; however, Microsoft recommends Windows administrators should take steps to protect against exploitation until a patch is released to correct the flaw.

Workarounds:

  • Disable SMBv3 compression
  • Block TCP port 445 on the network perimeter firewall

Blocking port 445 is the best defense against internet-based attacks, but it will not prevent exploitation from within the enterprise firewall.

SMBv3 compression can be disabled on SMBv3 servers by using the following PowerShell command. No reboot is required after making the change.

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force

Microsoft says disabling SMBv3 compression will not prevent exploitation of SMB clients.

It is essential to apply the patch as soon as it is released by Microsoft. No timescale has been released on when the patch will be made available. Due to the severity of the flaw it is probable that an out-of-band patch will be released.

The post Maximum Severity SMBv3 Flaw Identified: Workaround Required Until Patch Released appeared first on HIPAA Journal.