Healthcare Cybersecurity

DHS Updates Top 25 Most Dangerous Software Errors List for First Time in 8 Years

The U.S. Department of Homeland Security’s Homeland Security Systems Engineering and Development Institute (HSSEDI) has updated its list of the 25 most dangerous software vulnerabilities. This is the first time in the past 8 years that the list has been updated.

The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors was first created in 2011. The list is an important tool for improving cybersecurity resiliency and is valuable to software developers, testers, customers, security researchers, and educators as it provides insights into the most prevalent and serious security threats in the software industry.

The list was originally compiled by analysts using a subjective approach for assessing vulnerabilities. Security researchers were interviewed, and industry experts were surveyed to find out which vulnerabilities were believed to be the most serious. HSSEDI, which is run by MITRE, used a different approach for assessing vulnerabilities: one that is based on real-world vulnerabilities that have been reported by security researchers.

“We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world,” explained CWE project leader Chris Levendis. “We will continue to mature the methodology as we move forward.”

25,000 common software vulnerabilities and exposures detailed in the National Vulnerability Database over the past two years were assessed and ranked. The new approach takes the prevalence of flaws, their severity, potential for harm, and the likelihood of the flaws being exploited into account. While many serious vulnerabilities exist, if their impact is low or they are very rarely exploited, they were excluded from the list.

Prior to the update, Improper Neutralization of Special Elements used in an SQL Command (SQL injection) topped the list, but in the revised version it has fallen to position 6. The change in position does not reflect a change in the severity of SQL injection, as it still has the highest severity score (9.129 out of 10). The overall score is 24.54 out of 10, due to other factors such as prevalence and frequency of exploitation.

Top position now goes to Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119), which has a score of 75.56 out of 100 and a severity score of 8.045 out of 10. This is where software performs operations on a memory buffer but can read or write to memory outside of that memory buffer. That can allow operations to be performed on memory locations that are associated with other variables, data structures, or internal program data, which could lead to the remote execution of arbitrary code, alteration of information flow, or system crashes.

Second spot was taken by Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting – CWE-79). The vulnerability has a relatively low severity score (5.778 out of 10), but its overall score was 45.69 out of 100 due to the high probability of exploitation, its prevalence in reports, and exploitation allowing attackers to run unauthorized code.

Third spot went to Improper Input Validation (CWE-20), which has an overall score of 43.61 out of 100. The high score is due to the high probability of exploitation and potential for harm. This vulnerability has a severity score of 7.242 out of 10 and can be exploited to cause denial of service attacks, execution of unauthorized code, and allows reading and modification of memory.

The updated list can be viewed on the MITRE website.

The post DHS Updates Top 25 Most Dangerous Software Errors List for First Time in 8 Years appeared first on HIPAA Journal.

October 2019 Healthcare Data Breach Report

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches.

This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States.

Largest Healthcare Data Breaches in October 2019

| Breached Entity | Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|
| Betty Jean Kerr People’s Health Centers | Healthcare Provider | 152,000 | Hacking/IT Incident |
| Kalispell Regional Healthcare | Healthcare Provider | 140,209 | Hacking/IT Incident |
| The Methodist Hospitals, Inc. | Healthcare Provider | 68,039 | Hacking/IT Incident |
| Children’s Minnesota | Healthcare Provider | 37,942 | Unauthorized Access/Disclosure |
| Tots & Teens Pediatrics | Healthcare Provider | 31,787 | Hacking/IT Incident |
| University of Alabama at Birmingham | Healthcare Provider | 19,557 | Hacking/IT Incident |
| Prisma Health – Midlands | Healthcare Provider | 19,060 | Hacking/IT Incident |
| South Texas Dermatopathology Laboratory | Healthcare Provider | 15,982 | Hacking/IT Incident |
| Central Valley Regional Center | Business Associate | 15,975 | Hacking/IT Incident |
| Texas Health Harris Methodist Hospital Fort Worth | Healthcare Provider | 14,881* | Unauthorized Access/Disclosure |

The largest healthcare data breach in October was reported by Betty Jean Kerr People’s Health Centers and was the result of a ransomware attack. At the time of issuing notifications, files that were encrypted in the attack remained locked. The decision was taken not to pay the ransom demand, but it was not possible to restore files from backups. Those files contained the health information of 152,000 patients.

The Kalispell Regional Healthcare data breach was due to a May 2019 phishing attack. An initial investigation did not uncover the extent of the breach. The forensic investigation revealed in August that the health information of up to 140,209 patients may have been accessed.

The Methodist Hospitals, Inc. data breach was also the result of a phishing attack. The incident was reported in October, but the initial email account compromise occurred in March 2019. Two accounts were breached for a total of four months.

South Texas Dermatopathology Laboratory is the last healthcare organization to report that its patients have been impacted by the data breach at the collection agency, AMCA. Its 15,982 records take the total number of individuals impacted by the AMCA breach to 26,059,725.

*Also of note is the data breach at Texas Health Resources. The breach makes the top 10 list of the most healthcare records exposed, but the breach was more far reaching than the table above shows. The Texas Health data breach involved a total of 82,577 records, but the breach was reported to the HHS’ Office for Civil Rights as 15 separate breaches, with one breach report submitted for each of its affected facilities. Had the incident been reported as a single incident, the month’s total would stand at 38 breaches – two more than September.

Causes of October 2019 Healthcare Data Breaches

There were 18 hacking/IT incidents reported in October involving 501,847 healthcare records. The average breach size was 27,880 records and the median breach size was 9,413 records.

There were 28 reported unauthorized access/disclosure incidents involving a total of 134,775 records. The mean breach size was 4,813 records and the median breach size was 2,135 records. Those incidents include the 15 separate breach reports from Texas Health Resources.

There were 5 loss/theft incidents involving 13,454 records. The mean breach size was 2,350 records and the median breach size was 2,752 records. One improper disposal incident was reported involving 11,754 records.

Location of Breached Health Information

Phishing continues to cause problems for healthcare organizations. Not only are healthcare providers struggling to block phishing attacks, they are also not detected quickly when they do occur. Several phishing attacks have been reported that have taken weeks to discover.

Multi-factor authentication can help to reduce the risk of stolen credentials being used by cybercriminals to access corporate email accounts, yet many healthcare organizations only implement this important security measure after a phishing attack has occurred.

This high number of “other” breaches is due to the mailing error at Texas Health, which accounts for 15 of the 19 incidents in the other category.

The majority of the network server breaches were due to ransomware attacks, which include the largest healthcare data breach of the month. That breach highlights just how important it is to ensure that a viable backup copy of all data is created, that the backup is tested to make sure data recovery is possible, and that at least one backup copy is stored on a non-networked device that is not exposed to the internet.

October 2019 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in October with 45 reported incidents. Three breaches were reported by health plans, and four breaches were reported by business associates of HIPAA-covered entities. A further four breaches also had some business associate involvement but were reported by the covered entity.

October 2019 Healthcare Data Breaches by State

October saw healthcare organizations and business associates in 24 states report data breaches. With 15 breach reports coming from Texas Health, Texas was unsurprisingly the worst affected state with 17 incidents.

There were 4 breaches reported by entities based in Ohio, three breaches reported in California, and two breaches reported in each of Arkansas, Florida, Louisiana, Maryland, New Mexico, South Carolina, and Virginia. A single breach was reported in each of Alabama, Arizona, Georgia, Illinois, Indiana, Kentucky, Minnesota, Missouri, Mississippi, Montana, New York, Oregon, South Dakota, and Washington.

HIPAA Enforcement Actions in October 2019

A further two financial penalties for HIPAA violations were announced by the HHS’ Office for Civil Rights in October: one settlement and one civil monetary penalty.

OCR launched an investigation of Elite Dental Associates following a complaint from a patient who had some of her PHI publicly disclosed in response to a Yelp review. OCR found she was not the only patient to have had PHI disclosed in that manner. OCR also determined that the practice’s notice of privacy practices did not include sufficient information and was therefore not compliant with the HIPAA Privacy Rule. Elite Dental Associates agreed to settle its HIPAA violation case with OCR for $10,000.

OCR launched an investigation of Jackson Health System following the disclosure of PHI in the media. A photograph of an operating room display had been published which contained the health information of two individuals, including a well-known NFL star. The OCR investigation uncovered multiple Privacy Rule, Security Rule, and Breach Notification Rule violations spanning several years. OCR imposed a civil monetary penalty of $2,154,000 on Jackson Health System.


Phishing Attacks at Highest Level Since 2016

According to the Q3, 2019 Phishing Activity Trends Report from the Anti-Phishing Working Group, phishing attacks are now occurring at a rate not seen since 2016.

266,387 unique phishing sites were detected in Q3, 2019, an increase of 46% from Q2, 2019. Almost twice the number of phishing sites were detected in Q3, 2019 than in the last quarter of 2018.

APWG received data on 277,693 unique phishing campaigns from its members. That is the highest number of detected phishing campaigns since Q4, 2016. APWG also collates information from phishing attacks reported by consumers and the general public. 122,359 unique reports were received from the public in Q3, 2019, up 9.09% from Q2.

The phishing campaigns detected in Q3, 2019 impersonated more than 400 different companies, up from 313 in Q2, 2019. The types of company most commonly impersonated in the attacks are webmail and software-as-a-service providers. The main aim of the attacks on these firms is to obtain credentials that can be used to gain access to corporate email and SaaS accounts. The targets of attacks are largely unchanged from previous quarters.

Many attacks are focused on obtaining Office 365 credentials. Stolen Office 365 credentials are extremely valuable to Business Email Compromise (BEC) scammers. Once access is gained to a corporate email account, it is used to send further phishing emails to other individuals in the breached organization. The aim of many attacks is to gain access to the CEO’s email account or the account of another executive. Those accounts are then used to send emails to individuals with access to corporate bank accounts to request wire transfers and payroll changes.

While CEO fraud is still common, there has been a shift in tactics and vendors and suppliers are now being targeted much more often. The potential returns from a CEO fraud scam are higher, but attacks on vendors and suppliers can be more lucrative. One vendor or supplier account compromise allows the attacker to target all of their customers.

The attackers often spend a considerable amount of time gathering information on potential targets before the BEC attacks commence. During the research phase, rules are often set up to forward all emails sent to and from the compromised email accounts to the attackers. The attackers learn about potential targets, typical invoice amounts, and normal payment dates to maximize the chance of success. Following an email account compromise, it can be several weeks or months before the account is used for BEC attacks.
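The forwarding rules described above leave a trace in mailbox audit logs. The following is an added detection example, not code from the APWG report or HIPAA Journal: it scans audit records for rule changes that forward or redirect mail and ranks them by whether the destination is external and whether the rule also hides the mail. The record layout follows the shape of Exchange Online admin audit entries; the log lines, domains, and severity labels are constructed assumptions.

```python
import json

# Assumption: the organisation's own mail domains (hypothetical value).
INTERNAL_DOMAINS = {"clinic.example"}

# Exchange Online operations that create or change mail forwarding.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameters of those operations that send copies of mail elsewhere.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters that hide the forwarded mail from the mailbox owner.
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead"}

# Constructed sample records, one JSON object per entry.
SAMPLE_AUDIT_LOG = [
    '{"CreationTime": "2019-09-03T08:14:22", "UserId": "ap.clerk@clinic.example", '
    '"Operation": "New-InboxRule", "ClientIP": "203.0.113.45", "Parameters": ['
    '{"Name": "Name", "Value": "."}, '
    '{"Name": "ForwardTo", "Value": "ap.archive@mailbox.example"}, '
    '{"Name": "DeleteMessage", "Value": "True"}]}',
    '{"CreationTime": "2019-09-03T09:02:10", "UserId": "nurse1@clinic.example", '
    '"Operation": "New-InboxRule", "ClientIP": "198.51.100.7", "Parameters": ['
    '{"Name": "MoveToFolder", "Value": "Newsletters"}]}',
    '{"CreationTime": "2019-09-04T11:30:00", "UserId": "it.admin@clinic.example", '
    '"Operation": "Set-Mailbox", "ClientIP": "198.51.100.9", "Parameters": ['
    '{"Name": "ForwardingSmtpAddress", "Value": "smtp:ceo.assistant@clinic.example"}]}',
    '{"CreationTime": "2019-09-04T12:00:00", "UserId": "ap.clerk@clinic.example", '
    '"Operation": "UserLoggedIn", "ClientIP": "203.0.113.45"}',
    '{"CreationTime": "2019-09-05T07:45:31", "UserId": "billing@clinic.example", '
    '"Operation": "Set-InboxRule", "ClientIP": "203.0.113.77", "Parameters": ['
    '{"Name": "RedirectTo", '
    '"Value": "billing@clinic.example;invoices@payments-example.test"}]}',
]


def addresses_in(value):
    """Split a parameter value into lower-cased addresses, dropping 'smtp:'."""
    found = []
    for part in value.replace(",", ";").split(";"):
        part = part.strip()
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if "@" in part:
            found.append(part.lower())
    return found


def find_forwarding_rules(lines, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per audit record that sets up mail forwarding."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid audit records
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p.get("Name"): str(p.get("Value", ""))
                  for p in record.get("Parameters", [])}
        targets = []
        for name in FORWARD_PARAMS & params.keys():
            targets.extend(addresses_in(params[name]))
        if not targets:
            continue  # rule change without any forwarding destination
        external = sorted(t for t in targets
                          if t.rsplit("@", 1)[1] not in internal_domains)
        hides = any(params.get(n, "").lower() == "true" for n in HIDING_PARAMS)
        if external and hides:
            severity = "high"      # copies leave the org and are hidden
        elif external:
            severity = "medium"    # copies leave the org
        else:
            severity = "review"    # internal forwarding, confirm with owner
        findings.append({
            "time": record.get("CreationTime"),
            "actor": record.get("UserId"),
            "operation": record["Operation"],
            "client_ip": record.get("ClientIP"),
            "targets": sorted(targets),
            "external": external,
            "hides_mail": hides,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in find_forwarding_rules(SAMPLE_AUDIT_LOG):
        print(finding["severity"], finding["time"], finding["actor"],
              finding["operation"], finding["external"])
```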

Another growing trend is a shift from wire transfer requests to gift card scams. Wire transfer requests in Q3, 2019 ranged from $2,530 to $850,790. The average payment was $52,325 and the median payment was $24,958. The average gift card scam was for $1,571, with scams requesting between $200 and $8,000.

The returns from gift card scams may be lower, but it is much easier for the scammers to cash out and they offer greater anonymity. Fraudulent bank transfers are often questioned, payments can be reversed, and money mules are required. In Q3, 2019, 56% of all BEC attacks involved gift cards, 25% involved payroll diversion, and 19% involved direct bank transfers.

In Q3, SaaS and webmail accounted for 33% of attacks, followed by the payment industry (e.g., PayPal) with 21% of attacks, and financial institutions (19%). Attacks on cloud storage and file hosting sites were far less popular.

An increasing number of companies have switched from HTTP to HTTPS and consumers are now much more likely to check that a website starts with HTTPS before disclosing any sensitive information such as login credentials. Cybercriminals have had to follow suit. In Q3, 68% of phishing sites were hosted on HTTPS, up from 54% in Q2, 2019.


IT Firm Ransomware Attack Prevents Nursing Homes and Acute Care Facilities from Accessing Medical Records

Virtual Care Provider Inc. (VCP), a Wisconsin-based provider of internet and email services, data storage, cybersecurity, and other IT services has experienced a ransomware attack that has resulted in the encryption of medical records and other data the firm hosts for its clients. Its clients include 110 nursing home operators and acute care facilities throughout the United States. Those entities have been prevented from accessing critical patient data, including medical records. The company provides support for 80,000 computers, in around 2,400 facilities in 45 states.

The attack involved Ryuk ransomware, a ransomware strain that has been used to attack many healthcare organizations and managed IT service providers in the United States in recent months. The ransomware is typically deployed as a secondary payload following an initial Trojan download. The attacks often involve extensive encryption and cause major disruption and huge ransom demands are often issued. This attack is no different. A ransom demand of $14 million has reportedly been issued, which the company has said it cannot afford to pay.

According to Brian Krebs of KrebsonSecurity, who spoke to VCP owner and CEO Karen Christianson, the attack has affected virtually all of the company’s core offerings, including internet access, email, stored patient records, clients’ phone systems, billing, as well as the VCP payroll system.

The attack has meant acute care facilities and nursing homes cannot view or update patient records and order essential drugs to ensure they are delivered in time. Several small facilities are unable to bill for Medicaid, which will force them to close their doors if systems are not restored before December 5th in time for claims to be submitted. VCP has prioritized restoring its Citrix-based virtual private networking platform to allow clients to access patients’ medical records.

The attack commenced on November 17, 2019 and VCP is still struggling to restore access to client data and cannot process payroll for almost 150 employees. Christianson is concerned that the attack could potentially result in the untimely demise of some patients and may force her to permanently close her business.

KrebsonSecurity reports that the initial attack may date back to September 2018 and likely started with a TrickBot or Emotet infection, with Ryuk deployed as a secondary payload.


House Committee Leaders Demand Answers from Google and Ascension on Project Nightingale Partnership

Leaders of the House Committee on Energy and Commerce are seeking answers from Google and Ascension on Project Nightingale. The Department of Health and Human Services’ Office for Civil Rights has also confirmed that an investigation has been launched to determine if HIPAA Rules have been followed.

The collaboration between Google and Ascension was revealed to the public last week. The Wall Street Journal reported that Ascension was transferring millions of patient health records to Google as part of an initiative called Project Nightingale.

A whistleblower at Google had contacted the WSJ to raise concerns about patient privacy. A variety of internal documents were shared with reporters on the extent of the partnership and the number of Google employees who had access to Ascension patients’ data. Under the partnership, the records of approximately 50 million patients will be provided to Google, 10 million of which have already been transferred.

According to the WSJ report, 150 Google employees are involved with the project and have access to patient data. The whistleblower stated that those individuals are able to access and download sensitive patient information and that patients had not been informed about the transfer of their data in advance. Understandably, the partnership has raised concerns about patient privacy.

Both Google and Ascension released statements about the partnership after the WSJ story was published, confirming that Google was acting as a business associate of Ascension, had signed a business associate agreement, and that it was in full compliance with HIPAA regulations. Under the terms of the BAA, which has not been made public, Google is permitted access to patient data in order to perform services on behalf of Ascension for the purpose of treatment, payment, and healthcare operations.

Google will be analyzing patient data and using its artificial intelligence and machine learning systems to develop tools to assist with the development of patient treatment plans. Google will also be helping Ascension modernize its infrastructure, electronic health record system, and improve collaboration and communication. Google has confirmed in a blog post that it is only permitted to use patient data for purposes outlined in the BAA and has stated that it will not be combining patient data with any consumer data it holds and that patient data will not be used for advertising purposes.

Democratic leaders of the House Committee on Energy and Commerce wrote to Google and Ascension on November 18, 2019 requesting further information on the partnership. The inquiry is being led by House Energy Committee Chairman, Frank Pallone Jr. (D-New Jersey). The letters have also been signed by Chairwoman of the Subcommittee on Health, Anna Eshoo (D-California), Subcommittee on Consumer Protection and Commerce Chair, Jan Schakowsky (D-Illinois), and Subcommittee on Oversight and Investigations Chair, Diana DeGette (D-Colorado).

In the letters, the Committee leaders have requested information on the “disturbing initiative” known as Project Nightingale.

“While we appreciate your efforts to provide the public with further information about Project Nightingale, this initiative raises serious privacy concerns. For example, longstanding questions related to Google’s commitment to protecting the privacy of its own users’ data raise serious concerns about whether Google can be a good steward of patients’ protected health information.”

Ascension’s decision not to inform patients prior to the transfer of protected health information has also raised privacy concerns, as has the number of Google employees given access to the data. Further, employees of Google’s parent company Alphabet also have access to Ascension data.

The Committee leaders have requested a briefing by no later than December 6, 2019 about the types of data being used, including the data being fed into its artificial intelligence tools, and the extent to which Google and Alphabet employees have access to the data. The Committee leaders also want to know what steps have been taken to protect patient information and the extent to which patients have been informed.

The Department of Health and Human Services’ Office for Civil Rights has also confirmed that it has launched an investigation into the partnership. Its investigation is primarily focused on how data is being transferred, the protections put in place to safeguard the confidentiality, integrity, and availability of protected health information, and whether HIPAA Rules are being followed. Google has stated it will be cooperating fully with the OCR investigation.


Update Issued on Unsecured PACS as Exposed Medical Image Total Rises to 1.19 Billion

It has been 60 days since Greenbone Networks uncovered the extent to which medical images in Picture Archiving and Communication Systems (PACS) servers are being exposed online. In an updated report, the German vulnerability analysis and management platform provider has revealed the problem is getting worse, not better.

Picture Archiving and Communication Systems (PACS) servers are extensively used by healthcare providers for archiving medical images and sharing those images with physicians for review, yet many healthcare providers are not ensuring their PACS servers have appropriate security. Consequently, medical images (X-Ray, MRI, CT Scans), along with personally identifiable patient information, are being exposed over the Internet. Anyone who knows where to look and how to search for the files can find them, view them and, in many cases, download the images without any authentication required. The images are accessible not because of software vulnerabilities but because of the misconfiguration of infrastructure and PACS servers.

Between July and September 2019, Greenbone Networks conducted an analysis to identify unsecured PACS servers around the globe. The study shed light on the scale of the problem. In the United States, 13.7 million data sets were found on unsecured PACS servers, which included 303.1 million medical images of which 45.8 million were accessible. The discovery was widely reported in the media at the time, and now further information on the scale of the problem has been released.

On Monday, November 18, Greenbone Networks issued an updated report that shows globally, 1.19 billion medical images have now been identified, increasing the previous total of 737 million by 60%. The results of 35 million medical examinations are online, up from 24 million.

In the United States, the researchers found 21.8 million medical examinations and 786 million medical images. 114.5 of those images were accessible and there are 15 systems that allow unprotected Web/FTP access and directory listing. In one PACS alone, the researchers found 1.2 million examinations and 61 million medical images. The researchers had full access to the data, which included the images and associated personally identifiable information. Greenbone Networks has confirmed that in the 24 hours prior to publication of its latest report, data access was still possible. “For most of the systems we scrutinized, we had – and still have – continued access to the personal health information,” explained Greenbone Networks CMS, Dirk Schrader.

Exposed Medical Images on PACS Servers. Source: Greenbone Networks

Earlier in November, Sen. Mark R. Warner wrote to HHS’ Office for Civil Rights Director, Roger Severino, expressing concern over the apparent lack of action from OCR over the exposed files. Far from the situation improving following the announcement about the exposed data, it appears that very little is being done to secure the PACS servers and stop further data exposure.

The types of information in the images, which are classed as Protected Health Information (PHI) under HIPAA, include names, dates of birth, examination dates, scope of the investigations, imaging procedures performed, attending physicians’ names, location of scan, number of images and, for 75% of the images, Social Security numbers.

The exposure of this data places patients at risk of identity theft and fraud, although there are other risks. Previously, security researchers have shown that flaws in the DICOM image format allow the insertion of malicious code. Images could therefore be downloaded, have malicious code inserted, and be uploaded back to the PACS. This could all be done without the knowledge of the data owner. For the purpose of the study, Greenbone Networks only investigated reading access, not image manipulation and upload.

Images were accessed and viewed using the RadiAnt DICOM Viewer. Instructions on configuration to view images using the RadiAnt DICOM Viewer are freely available online, as is the viewer and the list of IPs where the images are stored.

Greenbone Networks estimates that the exposed medical images and PHI have a value in excess of $1 billion. The data could be used for a variety of nefarious purposes including identity theft, social engineering and phishing, and blackmail.

The exposure of the data is in violation of the Health Insurance Portability and Accountability Act (HIPAA), the EU’s General Data Protection Regulation (GDPR), and many other data privacy and security laws. The data relates to more individuals in more than 52 countries.


Vulnerability Identified in Philips IntelliBridge EC40/80 Hubs

A vulnerability has been identified in the Philips IntelliBridge EC40/80 hub which could allow an attacker to gain access to the hub and execute software, modify files, change the system configuration, and gain access to identifiable patient information.

Philips IntelliBridge EC40/80 hubs are used to transfer medical device data from one format to another, based on set specifications. The hub does not alter the settings or parameters of any of the medical devices to which it connects.

The vulnerability could be exploited by an attacker to capture and replay a session and gain access to the hub. The flaw is due to the SSH server running on the affected products being configured to allow weak ciphers.

The vulnerability would only require a low level of skill to exploit, but in order to exploit the flaw an attacker would need to have network access. The flaw – CVE-2019-18241 – has a CVSS v3 base score of 6.3 out of 10 – Medium severity.

The flaw was reported to Philips by New York-Presbyterian Hospital’s Medical Technology Solutions team, and under its responsible vulnerability disclosure policy, Philips reported the vulnerability to the DHS Cybersecurity Infrastructure Security Agency.

The vulnerability is present in all versions of the EC40 and EC80 hubs and will be addressed in a new release, which will not be available until the end of Q3, 2020.

Until Philips issues the new release, users of the affected hubs have been advised to implement the following mitigation measures to reduce the potential for exploitation.

  1. Only operate the hub within Philips authorized specifications, using Philips approved software, configurations, system services, and security configurations.
  2. There is no clinical requirement for these devices to communicate outside the Philips clinical network. The devices should be logically or physically separated from the hospital network.
  3. Users should block access to the SSH port. SSH is not meant to be used for clinical purposes, only for product support.
  4. Use a long and complex SSH password and make sure password distribution is controlled to ensure SSH is used via physical access only.
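The article attributes the flaw to an SSH server that allows weak ciphers. As an added audit example (not Philips or HIPAA Journal code), the parser below reads the algorithm name-lists from a server's SSH_MSG_KEXINIT packet as laid out in RFC 4253 and reports the weak ciphers it offers. The article does not name the ciphers, so the weak-cipher policy (CBC modes, arcfour, none) and the sample packets are assumptions constructed here.

```python
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253, 7.1).
NAME_LIST_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

# Constructed algorithm offers: a legacy server and a hardened one.
LEGACY_OFFER = {
    "kex_algorithms": ["diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_client_to_server": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
    "encryption_server_to_client": ["aes128-ctr", "aes128-cbc", "arcfour"],
    "mac_client_to_server": ["hmac-sha1"],
    "mac_server_to_client": ["hmac-sha1"],
    "compression_client_to_server": ["none"],
    "compression_server_to_client": ["none"],
}
HARDENED_OFFER = dict(
    LEGACY_OFFER,
    encryption_client_to_server=["chacha20-poly1305@openssh.com", "aes256-ctr"],
    encryption_server_to_client=["chacha20-poly1305@openssh.com", "aes256-ctr"],
)


def is_weak_cipher(name):
    """Assumed policy: no encryption, RC4 variants and CBC modes are weak."""
    return name == "none" or name.startswith("arcfour") or "-cbc" in name


def build_kexinit(name_lists):
    """Build a constructed KEXINIT packet (zero cookie, zero padding bytes)."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in NAME_LIST_FIELDS:
        joined = ",".join(name_lists.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(joined)) + joined
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    pad = 8 - ((5 + len(payload)) % 8)         # total length must be a multiple of 8
    if pad < 4:                                # and padding is at least 4 bytes
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)


def parse_kexinit(packet):
    """Parse an unencrypted SSH binary packet carrying SSH_MSG_KEXINIT."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    packet_length, padding_length = struct.unpack(">IB", packet[:5])
    if packet_length + 4 > len(packet) or padding_length + 1 > packet_length:
        raise ValueError("inconsistent packet length")
    payload = packet[5:4 + packet_length - padding_length]
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 17                                # message type + 16-byte cookie
    parsed = {}
    for field in NAME_LIST_FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length for " + field)
        (length,) = struct.unpack(">I", payload[offset:offset + 4])
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list for " + field)
        raw = payload[offset:offset + length].decode("ascii")
        parsed[field] = raw.split(",") if raw else []
        offset += length
    return parsed


def weak_ciphers_offered(parsed):
    """Weak ciphers offered in either direction, sorted and de-duplicated."""
    offered = set(parsed["encryption_client_to_server"])
    offered |= set(parsed["encryption_server_to_client"])
    return sorted(name for name in offered if is_weak_cipher(name))


if __name__ == "__main__":
    for label, offer in (("legacy", LEGACY_OFFER), ("hardened", HARDENED_OFFER)):
        parsed = parse_kexinit(build_kexinit(offer))
        print(label, weak_ciphers_offered(parsed) or "no weak ciphers offered")
```

Only the encryption name-lists are checked, so the `none` entry in the compression lists is not reported as a cipher finding.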


Proofpoint Q3 2019 Threat Report Shows Increase in RAT and Banking Trojan Activity

The Proofpoint Q3 2019 Threat Report has been released. The report provides insights into the main threats in Q3, 2019 and reveals the changing tactics, techniques, and procedures used by cybercriminals.

The data for the report comes from an analysis of more than 5 billion email messages, hundreds of millions of social media posts, and over 250 million captured malware samples.

The report reveals scammers now favor embedded hyperlinks over attachments for spreading malware. 88% of malicious emails that were used to install malware used malicious URLs. This tactic is preferred as it makes it easier to bypass email security defenses.

Proofpoint notes that ransomware still poses a significant threat, but it was noticeably absent from most email campaigns. Proofpoint suggests that the fall in the value of cryptocurrencies is making it harder for threat actors to monetize their ransomware campaigns. Greater rewards can be gained through other types of malware, such as remote access Trojans (RATs) and banking Trojans.

RATs and banking Trojans were the main malware threats in Q3, 2019, accounting for 15% and 45% of all malware attacks, up from 6% and 23% respectively from the previous quarter. The most common banking Trojans were The Trick (37%), IcedID (26%), Ursnif (20%) and Dridex (14%). The most commonly used RATs were FlawedAmmyy (45%), FlawedGrace (30%), NanoCore RAT (12%), and LimeRAT (5%).

In contrast to ransomware, these malware variants are much quieter, have persistence, and can be used for extended periods to steal data, send spam email, and mine cryptocurrencies. Downloaders accounted for 13% of the total malicious payloads, followed by botnets (12%), and keyloggers (7%) and credential stealers (7%).

The change in spam stats can be attributed, in the main, to the disappearance of the Emotet botnet in May. Spamming activity did not recommence until the third week in September, which was the main reason why the total volume of malicious messages fell by 39% in Q3, 2019. Despite being absent for most of the quarter, the Emotet botnet still accounted for almost 12% of malicious payloads for the entire quarter.

Q3, 2019 saw an increase in web-based threats and malvertising redirects to exploit kits such as RIG and Fallout. A high percentage of traffic to the exploit kits came through the Keitaro traffic distribution system (TDS). Proofpoint notes that Keitaro abuse is driving the increase in exploit kit activity. Keitaro can also intelligently route traffic to legitimate websites if sandbox signals are detected, which prevents the detection of malicious redirects. Confirming that HTTPS does not mean a website is genuine, 26% of malicious domains had valid SSL certificates, up from 20% in Q1, 2019.

Sextortion scams are still widely used. While these scams use social engineering techniques to scare people into making a payment, Proofpoint notes the emergence of malware that is capable of recording users’ online activities, which suggests that future campaigns may feature actual evidence of adult activity. That would greatly increase the attackers’ success rate.

One malware variant that has been tooled for this is PsiBot, which has had a new PornModule added. This module contains a list of words associated with adult content and monitors the open window titles in browsers. When there is a match, audio and video are recorded via the microphone and webcam and saved in an AVI file that is exfiltrated to the attacker’s C2.

The post Proofpoint Q3 2019 Threat Report Shows Increase in RAT and Banking Trojan Activity appeared first on HIPAA Journal.

Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach

U.S. Senator Mark R. Warner (D-VA) has written to the Director of the HHS’ Office for Civil Rights, Roger Severino, expressing concern over the HHS response to the mass exposure of medical images by U.S. healthcare organizations.

Sen. Warner is the Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus. This is the latest in a series of communications in which he has voiced concerns about cybersecurity failures that have compromised the personal and private information of Americans. In February, Sen. Warner demanded answers from HHS agencies, NIST, and healthcare associations about healthcare cybersecurity following the continued increase in healthcare data breaches.

His recent letter to OCR was in response to a September 17, 2019 report about the exposure of millions of Americans’ medical images that were stored in unsecured picture archiving and communications systems (PACS).

The report detailed the findings of an investigation by ProPublica, German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm Greenbone Networks, which revealed almost 400 million medical images could be freely downloaded from the internet without authentication. Sen. Warner pointed out that at the time of writing the letter, “for all U.S. territories there are 114.5 million images accessible, 22.1 million patient records, and 400,000 Social Security numbers, impacting an estimated 5 million patients in 22 states.”

Sen. Warner stated in the letter that the exposure of the medical images not only has potential to cause harm to individuals, it is also damaging to national security. The types of exposed information could potentially be used by cybercriminals in phishing campaigns and for other malicious attacks, such as those aimed at spreading malware. Flaws in the DICOM protocol could be exploited to incorporate malicious code into medical images. Nation state actors or cybercriminal groups could have downloaded the images, inserted malicious code, and then uploaded the images without being detected.

One of the U.S. firms implicated in the ProPublica report was TridentUSA Health Services and one of its affiliates, MobileX USA. In September 2019, following publication of the report, Sen. Warner wrote to TridentUSA Health Services demanding answers about its cybersecurity practices and how the data of millions of Americans, which the company was responsible for keeping private, came to be exposed online and required no password or other means of authentication to access.

In his letter to OCR, Sen. Warner explained that TridentUSA Health Services, a HIPAA-covered entity, responded to his letter and stated it had passed an HHS Security Rule audit in March 2019. That audit was passed even though at the time of the audit medical images under its control were exposed online and could be freely accessed over the internet.

“As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling,” wrote Warner.

The exposure of PACS data was reported to US-CERT by the German Federal Office for Information Security. US-CERT made contact with Greenbone Networks and confirmed the exposed data had been received and said that the matter would be reported to the HHS. Greenbone Networks had no contact from HHS and no further contact from US-CERT.

The researchers in Germany also demonstrated to Sen. Warner that even on October 15, 2019, several US-based PACS had open ports that supported unencrypted communications protocols. Those unsecured PACS could be accessed without authentication and a wide range of medical images could be viewed and downloaded, including X-rays and mammograms that contain sensitive patient information such as names and Social Security numbers. Those images and personal information were still freely accessible online on the date of writing the letter (Nov 8, 2019).

“As of writing this letter, TridentUSA Health Services is not included on your breach portal website and I have seen no evidence that, once contacted by US-CERT, you acted on that information in a meaningful way,” wrote Sen. Warner.

Sen. Warner has demanded answers to 5 questions:

The post Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach appeared first on HIPAA Journal.