Healthcare Cybersecurity

57% Rely on Multi-Factor Authentication to Improve Security but MFA is Not Infallible

A recent study conducted by the password manager provider LastPass has revealed only 57% of businesses use multi-factor authentication, even though it is one of the best ways of ensuring stolen credentials cannot be used to gain access to email accounts and corporate networks.

Multi-factor authentication requires a second factor to authenticate users in addition to a password. In the event of credentials being stolen, via a phishing attack for example, they could not be used to access an account unless the attacker also has the additional authentication factor – a one-time code sent to a mobile phone or a token, for example.

The study, which was conducted on 47,000 businesses, showed use of multi-factor authentication has increased by 12% since last year. According to the report, 95% of companies that have implemented multi-factor authentication use a software-based system such as a mobile app. 4% use a hardware-based multi-factor authentication solution, and 1% use biometrics such as a fingerprint scan. Software-based solutions are usually the most cost-effective to implement which accounts for the high percentage of businesses that use this MFA method.

The threat from phishing can be reduced through anti-phishing solutions such as spam filters and susceptibility to phishing attacks can be reduced by providing user security awareness training and conducting phishing simulation exercises. Multi-factor authentication should also be implemented as an additional security layer to protect against phishing attacks.

According to Microsoft’s Director of Identity Security, Alex Weinert, companies that implement multi-factor authentication are 99.9% less likely to be compromised than companies that do not use MFA. Considering how effective MFA can be at preventing data breaches, it is surprising that Microsoft’s figures show fewer than 10% of enterprise users per month use MFA on their accounts.

While MFA can certainly reduce the risk of a data breach, it can give companies a false sense of security. Multi-factor authentication is not infallible and should not be seen as a substitute for end user training on social engineering and phishing attacks.

Knowledge-based MFA factors can be bypassed by obtaining the required information through social engineering, and since MFA tokens are stored somewhere, they could be stolen and used by attackers to access resources. MFA codes can also be intercepted through techniques such as SIM swapping. The FTC has recently issued guidance on SIM swapping following an increase in attacks.

As the number of organizations using multi-factor authentication has increased, so too have attacks that bypass MFA. The rise in attacks prompted the FBI to warn businesses that they should not rely on MFA to secure their accounts. In a Private Industry Notification issued in September, the FBI explained that cybercriminals are managing to bypass multi-factor authentication using a variety of different methods.

The FBI advises using biometric methods of authentication rather than software-based MFA solutions, tokens, or one-time codes. Biometrics are the most secure MFA method, provided that all biometric information used for authentication is stored securely.

The post 57% Rely on Multi-Factor Authentication to Improve Security but MFA is Not Infallible appeared first on HIPAA Journal.

FBI Issues Warning About E-Skimming Threats and Tips for Reducing Risk

The Federal Bureau of Investigation has issued a warning about e-skimming threats, following an increase in attacks on small and medium sized businesses and government agencies.

E-skimming is the introduction of malicious code on websites that process online payments. The code captures debit and credit card information when it is entered into payment portals and the information is silently transmitted to an attacker-controlled domain in real-time.

Attacks can be performed on any company that has an online payment system, most commonly on companies in the retail, travel, and entertainment industries and utility companies. Attacks are also conducted on third-party vendors, such as those that provide web analytics and online advertisements.

Recently, an e-skimming attack was reported by a healthcare organization – Mission Health in Western North Carolina. Code had been loaded onto its e-commerce websites which allowed the attackers to obtain the credit card information of individuals when they purchased health products. The malicious code was active on the websites for three years before it was detected.

There are several methods that attackers use to gain access to a website in order to load their malicious code. An attack could start with a phishing email containing a link to a website that captures login credentials for the company’s e-commerce platform. Access could also be gained using brute force tactics to guess the e-commerce system password, or vulnerabilities in the e-commerce platform or website could be exploited. Attacks could also occur through compromised supply chains or via a third-party vendor with access to the e-commerce platform, such as an IT company or managed service provider.

These attacks often come to light when multiple complaints are received from customers who have suffered financial losses after using an e-commerce website. Credit card companies may identify patterns in fraud and trace them back to a specific online payment portal, or companies may identify a suspicious domain in their website code or notice that JavaScript code on the website has been edited.

There are several steps that can be taken to reduce risk. The payment software used on an e-commerce site, plugins, and the content management system should be kept up to date, and patches issued by payment software companies should be applied as soon as possible. Integrity checks on third-party resources should be enabled and a Content Security Policy (CSP) deployed to restrict the loading of JavaScript to trusted domains.

Code integrity checks should be performed regularly to identify any changes to the code on the e-commerce platform and web logs should be monitored and regularly analyzed. Anti-virus software or plugins should be used on websites to help identify malicious code and businesses should ensure they are PCI DSS compliant.
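The two mitigations above, a code integrity check over the scripts an e-commerce site serves and a check that scripts only reference trusted domains, can be scripted. The block below is an added example written for this page; it is not code from the FBI notice or from HIPAA Journal. It assumes an in-memory set of JavaScript files standing in for the web root, an allowlist of two hosts (`shop.example`, `cdn.example`) that the site legitimately loads scripts from, and a placeholder untrusted host in the reserved `.invalid` domain; all file bodies and names are constructed for the demonstration.

```python
"""Added example (not from the FBI notice or HIPAA Journal): a baseline
integrity check for the JavaScript served by a payment page, plus a scan for
script URLs that point outside an allowlist of trusted hosts, the same set a
Content-Security-Policy script-src would permit.  Every file body, host name
and path below is constructed for the demonstration."""
import base64
import hashlib
import re

# Assumed allowlist: the hosts the site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# Matches absolute http(s) URLs inside script source and captures the host.
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sri_value(data):
    """Subresource Integrity value for a <script integrity="..."> attribute:
    'sha384-' followed by the base64 SHA-384 digest of the exact bytes served."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


def build_baseline(files):
    """Record a hash of every known-good file, mapping path -> SHA-256 hex.
    Take this at release time, from the artefact you deployed, not from the
    live site later."""
    return {path: sha256_hex(body) for path, body in files.items()}


def check_integrity(baseline, current):
    """Diff the files currently served against the recorded baseline."""
    modified = sorted(p for p in baseline
                      if p in current and sha256_hex(current[p]) != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def untrusted_hosts(body, allowed=ALLOWED_SCRIPT_HOSTS):
    """Hosts referenced by absolute URLs in a script that are not allowlisted."""
    hosts = {m.group(1).decode("ascii") for m in URL_RE.finditer(body)}
    return sorted(h for h in hosts if h not in allowed)


def audit(baseline, current):
    """Full check: file-level diff plus a host scan of every current script."""
    report = check_integrity(baseline, current)
    report["untrusted_hosts"] = {}
    for path, body in sorted(current.items()):
        hosts = untrusted_hosts(body)
        if hosts:
            report["untrusted_hosts"][path] = hosts
    return report


# Constructed sample: the scripts as originally deployed ...
DEPLOYED = {
    "js/checkout.js": (
        b"const api = 'https://shop.example/api/pay';\n"
        b"function pay(form) {\n"
        b"  fetch(api, {method: 'POST', body: new FormData(form)});\n"
        b"}\n"
    ),
    "js/vendor/analytics.js": (
        b"/* analytics stub from cdn.example */\n"
        b"window.track = function () {};\n"
    ),
}

# ... and the same set after an unauthorized edit: checkout.js gained a call
# to an unknown host and a file nobody released appeared.  (Constructed; the
# host is a placeholder in the reserved .invalid TLD.)
TAMPERED = {
    "js/checkout.js": DEPLOYED["js/checkout.js"]
    + b"fetch('https://stats-collector.invalid/c');\n",
    "js/vendor/analytics.js": DEPLOYED["js/vendor/analytics.js"],
    "js/helper.js": b"/* not in the release manifest */\n",
}

if __name__ == "__main__":
    baseline = build_baseline(DEPLOYED)
    print("clean deploy:", audit(baseline, DEPLOYED))
    print("after tampering:", audit(baseline, TAMPERED))
    print("SRI for checkout.js:", sri_value(DEPLOYED["js/checkout.js"]))
```

On the clean deployment the audit reports nothing; on the tampered set it flags `js/checkout.js` as modified and referencing an unlisted host, and `js/helper.js` as a file that was never released. The `sri_value` helper produces the `integrity` attribute a page would carry for a third-party script, so a changed file fails to load in the browser as well as tripping the server-side check; an assumed CSP such as `Content-Security-Policy: script-src 'self' https://cdn.example` enforces the same allowlist at the browser. In practice the baseline should be taken from the release artefact and the comparison run on a schedule, with any difference treated as an incident rather than auto-corrected.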

To protect against brute force attacks, strong, unique passwords should be created, and multi-factor authentication should be implemented to help ensure stolen credentials cannot be used to gain access to the e-commerce platform.

The post FBI Issues Warning About E-Skimming Threats and Tips for Reducing Risk appeared first on HIPAA Journal.

Vulnerability Identified in Philips IntelliSpace Perinatal Information Management System

A vulnerability has been identified in the Philips IntelliSpace Perinatal obstetrics information management system.

The vulnerability – CVE-2019-13546 – could be exploited remotely by an authorized remote desktop session host application user or by an individual with physical access to a locked application screen. The vulnerability affects IntelliSpace Perinatal Versions K and earlier and requires a low level of skill to exploit. The flaw has been assigned a CVSS v3 base score of 6.1 out of 10 (medium severity).

Exploitation of the vulnerability would allow an attacker to break out of the containment of the application and access resources from the Windows operating system as the limited-access Windows user. If an attacker used exploits for vulnerabilities in Windows once access to the operating system had been achieved, the attacker could potentially elevate operating system privileges to administrator level.

Once access to the operating system has been achieved, an attacker could execute software and view, update or delete files, directories, and alter the system configuration. This could compromise the confidentiality, integrity, and availability of the system and application. If the Document Export (DOX) function has been installed on the application server, protected health information would also be at risk of exposure.

The vulnerability was identified by Brian Landrum of Coalfire LABS who reported it to Philips. Under the Philips’ Coordinated Vulnerability Disclosure Policy, an advisory was issued to raise awareness of the flaw and allow users to implement mitigating controls to prevent exploitation.

Philips is assessing whether the vulnerability can be corrected in the next product update, which is scheduled to be released at the end of 2020. In the meantime, Philips has issued guidance on mitigations that can be implemented to reduce the potential for exploitation, which are available to users of the obstetrics information management system through Philips InCenter and on the US-CERT website. Product documentation will also be updated to include details of the mitigations.

The post Vulnerability Identified in Philips IntelliSpace Perinatal Information Management System appeared first on HIPAA Journal.

39% of Cybersecurity Professionals Say Their Company is Under Prepared for a Data Breach

A survey of cybersecurity and IT executives in the United States has revealed that 39% believe their company is underprepared to handle a data breach, even though there is a high risk of a data breach occurring. A separate survey, conducted by the Ponemon Institute, revealed 76% of SMBs have experienced a data breach in the past 12 months.

The latest survey was commissioned by the cybersecurity consulting firm Avertium for the firm’s 2019 Cybersecurity and Threat Preparedness report. The survey was conducted on 223 respondents in the United States at companies with 50 or more employees.

When asked about the main problems they experienced in relation to cybersecurity, respondents named two issues above all others: the increasing complexity of cybersecurity tech stacks, rated as a major pain point by 76% of respondents, and the increasing sophistication of cyberattacks, a pain point for 75% of cybersecurity professionals.

66% of respondents said third-party or partner vulnerabilities were a major problem area, and 65% said their jobs have been made much more difficult due to vulnerabilities introduced by their company’s digital transformation. The cost and complexity of regulatory compliance was also rated as a pain point by 65% of respondents.

The types of cyberattack that are causing the greatest concern are phishing and malware attacks, which were rated as a major area of concern by 81% and 67% of respondents respectively.

There is a tendency for businesses to rely on new technology to identify and block cyberattacks. While these cybersecurity solutions are certainly important, many attacks bypass these technical controls and target employees. Investment in training is therefore essential to ensure that the workforce is prepared and knows how to identify phishing emails and other common threats.

To help reduce the risk of phishing and malware attacks, 93% said they had implemented a formal employee education program; however, only 63% of firms said they incorporate cybersecurity training into their employee induction programs and just 46% provide annual security awareness training sessions. 74% of respondents said they send regular communications via email providing tips for identifying the latest phishing scams and 58% conduct regular phishing simulation exercises.

Even though technologies exist to automate many cybersecurity tasks, many processes are still being conducted manually, which is stretching IT departments to breaking point. Only 36% of respondents said they had implemented new technologies such as AI-based and machine learning-based cybersecurity solutions to lower the burden on their security staff.

52% said plans are underway to hire new skilled cybersecurity staff in 2020 and, on average, investment in cybersecurity is set to increase by 36% in 2020.

The post 39% of Cybersecurity Professionals Say Their Company is Under Prepared for a Data Breach appeared first on HIPAA Journal.

76% of SMBs Have Experienced a Data Breach in the Past Year

A recent survey conducted by the Ponemon Institute on behalf of Keeper Security has revealed 76% of small and medium sized businesses in the United States have experienced a data breach in the past 12 months.

The survey was conducted on 2,391 IT and IT security professionals in the United States, United Kingdom, and Western Europe for Keeper Security’s 2019 Global State of Cybersecurity report.

The survey revealed SMBs in the United States are more extensively targeted than in other countries. Globally, 66% of SMBs have experienced a data breach in the past year. The frequency of attacks has also increased. Since 2016, the number of cyberattacks on SMBs has risen by 20%. 69% of respondents said cyberattacks have become much more targeted.

The main methods used by cybercriminals to attack SMBs are phishing and social engineering, which were behind 57% of SMB cyberattacks in the past 12 months. 30% of attacks involved other forms of credential theft, and 33% of breaches were due to compromised or stolen devices. 70% of surveyed SMBs said they had experienced incidents in the past 12 months in which employee passwords were either lost or stolen.

The root causes of most breaches differed from country to country. In Scandinavia, Austria, Germany, and Switzerland, phishing and social engineering attacks were the most common causes of data breaches, whereas in the United States, United Kingdom, Belgium, Netherlands, and Luxembourg breaches were most commonly due to employee negligence.

63% of respondents globally and 69% in the United States said a data breach had resulted in the loss or theft of sensitive information, which is 50% higher than in 2016.

Many businesses have implemented an intrusion detection system to prevent and detect breaches, yet 69% of businesses reported that at least one attack had circumvented that system.

There has been a major rise in the use of mobile devices by SMBs and those devices are often used to access business-critical applications. 48% of respondents said they use mobile devices for that purpose and the same number said they do so even though it poses a security risk.

It is important for strong passwords to be set to reduce the potential for password guessing or brute force attacks. While many businesses had password policies in place, 54% said they had no visibility into the password practices of their employees.

There is also a lack of oversight of third parties with whom sensitive data is shared. 70% of respondents said they did not maintain a comprehensive record of the third parties with whom sensitive data was shared. Unless that information is recorded, it is impossible to conduct comprehensive assessments to determine whether business associates are implementing appropriate controls to keep confidential information secure.

45% of SMBs believed their cybersecurity defenses were ineffective at mitigating cyberattacks, and 39% said they had no incident response procedures in place to deal with data breaches when they occurred. Given the lack of incident response plans, it is no surprise that only 26% of respondents said they had managed to decrease their response time to cyberattacks. 39% said their response times had increased.

The post 76% of SMBs Have Experienced a Data Breach in the Past Year appeared first on HIPAA Journal.

TitanHQ Announces Record Growth in MSP Market and New ‘Margin Maker for MSPs’ Initiative

Cloud security vendor and HIPAA Journal sponsor, TitanHQ, has enjoyed impressive growth in Q3, 2019, registering the busiest quarter for MSP business in the company’s 20+ year history.

From humble beginnings, the company has grown into the leading provider of cloud-based email and web security solutions for managed service providers that service the SMB market. Initially, the firm sold anti-spam appliances to local businesses in Galway, Ireland. Today, the company is a global provider of cloud-based network security solutions for SMBs and MSPs.

The company’s cloud-based network security solutions – SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving – are used by more than 8,200 businesses around the world and the firm has over 2,200 MSP partners.

TitanHQ’s success in the MSP, OEM, and service provider markets can be attributed to several factors. Many other companies have only considered MSPs after products have been developed, with additional functionality added to appeal to the MSP market. With TitanHQ, MSPs have always been at the core of the design of its security solutions.

The company operates a transparent and flexible pricing policy with highly competitive margins to help MSPs profit from offering TitanHQ’s core cloud-based network security products to their customers and grow their business.

When MSPs join the TitanShield partner program they are provided with extensive sales enablement and marketing support. Each MSP has a dedicated account manager, engineers, and a highly capable support team to help ensure success. By making it as easy as possible for its partners to succeed, the company has reaped the rewards.

The successes of Q3, 2019 look set to continue in Q4 with the launch of a new sales initiative. The Q4 program has been aptly named Margin Maker for MSPs – a disruptive price package covering both its email and web security platforms.

TitanHQ is offering an exclusive ‘once-in-a-lifetime’ price on an email and web security package that protects the two most mission critical vectors, email and the web, from malware, ransomware, botnets, phishing and spear phishing attacks.

The package includes security and breach protection for MSPs, their employees, and MSP clients, which is provided in two private clouds that can be customized to meet the needs of MSP partners. The package will ensure MSPs can build profitability instantly in Q4.

UK-based MSP OpalIT is already reaping the benefits of the new initiative. OpalIT operates out of Newcastle and Edinburgh, has recently transitioned from Vade and Barracuda, and is now offering all three TitanHQ solutions – SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving – to its 6,000+ customer base.

“Opal IT moved to TitanHQ because of our MSP focused solutions, ease of deployment, extensive API functionality and the increased margin they’re now making,” explained Rocco Donnino, EVP Strategic Alliances, TitanHQ. “Our cybersecurity bundle solutions allow MSPs to provide their downstream customers with a layered defense approach.”

MSPs are encouraged to meet the TitanHQ team at key MSP events in October and November to learn more about the Margin Maker for MSPs initiative and the TitanShield partner program.

The post TitanHQ Announces Record Growth in MSP Market and New ‘Margin Maker for MSPs’ Initiative appeared first on HIPAA Journal.

September 2019 Healthcare Data Breach Report

September saw 36 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 26.53% decrease in breaches from the previous month.

1,957,168 healthcare records were compromised in those breaches, an increase of 168.11% from August. The large number of breached records is largely down to four reported incidents, each of which involved hundreds of thousands of healthcare records. Three of those incidents have been confirmed as ransomware attacks.

Largest Healthcare Data Breaches in September 2019

The largest breach of the month was due to a ransomware attack on Jacksonville, FL-based North Florida OB-GYN, part of Women’s Care of Florida. 528,188 healthcare records were potentially compromised as a result of the attack. Sarrell Dental also experienced a ransomware attack in which the records of 391,472 patients of its Alabama clinics were encrypted. 320,000 records of patients of Premier Family Medical in Utah were also potentially compromised in a ransomware attack. The University of Puerto Rico reported a network server hacking incident involving 439,753 records of Intramural Practice Plan members. The exact nature of the breach is unclear.

Those four breaches accounted for 85.80% of the healthcare records breached in September.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Women’s Care Florida, LLC | Healthcare Provider | 528,188 | Hacking/IT Incident | Network Server |
| Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico | Healthcare Provider | 439,753 | Hacking/IT Incident | Network Server |
| Sarrell Dental | Healthcare Provider | 391,472 | Hacking/IT Incident | Network Server |
| Premier Family Medical | Healthcare Provider | 320,000 | Hacking/IT Incident | Network Server |
| Magellan Healthcare | Business Associate | 55,637 | Hacking/IT Incident | Email |
| CHI Health Orthopedics Clinic – Lakeside | Healthcare Provider | 48,000 | Hacking/IT Incident | Desktop Computer, Electronic Medical Record, Network Server |
| Kilgore Vision Center | Healthcare Provider | 40,000 | Hacking/IT Incident | Network Server |
| Peoples Injury Network Northwest | Healthcare Provider | 27,000 | Hacking/IT Incident | Network Server |
| Sweetser | Healthcare Provider | 22,000 | Hacking/IT Incident | Email |
| Perfect Teeth Yale, P.C. | Healthcare Provider | 15,000 | Loss | Other Portable Electronic Device |

Causes of September 2019 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in September with 24 incidents reported. There were 9 unauthorized access/disclosure incidents and three cases of loss/theft of physical and electronic records.

1,917,657 healthcare records were compromised in the 24 hacking/IT incidents which accounted for 97.98% of breached records in September. The mean breach size was 958,829 records and the median breach size was 5,255 records.

Unauthorized access/disclosure incidents in September accounted for 1% or 19,741 breached records. The mean breach size was 2,193 records and the median breach size was 998 records. There were two reported theft incidents involving 4,770 physical and electronic records and a single loss incident involving 15,000 records stored on a portable electronic device.

Location of Breached Protected Health Information

Phishing continues to be a major problem area for the healthcare industry. In September, 44.44% of all breaches – 16 incidents – involved PHI stored in email accounts. There were 13 network server incidents, a large percentage of which were ransomware attacks.

September 2019 Healthcare Data Breaches by Covered Entity Type

28 data breaches were reported by healthcare providers in September, four incidents were reported by health plans/health insurers, and four incidents were reported by business associates of HIPAA covered entities. A further four breaches had some business associate involvement but were reported by the covered entity.

States Affected by September 2019 Healthcare Data Breaches

September’s data breaches were reported by entities in 23 states and Puerto Rico. California, Maryland, and Washington were the worst affected with three breaches each. There were two breaches reported by entities based in Arkansas, Arizona, Colorado, Georgia, Indiana, and South Carolina, and one breach was reported in each of Alabama, Florida, Iowa, Illinois, Maine, Michigan, Nebraska, New Jersey, Ohio, Oklahoma, Tennessee, Texas, Utah, West Virginia, and Puerto Rico.

HIPAA Enforcement Activity in September 2019

In September 2019, the HHS’ Office for Civil Rights announced its third HIPAA violation penalty of the year. Bayfront Health St Petersburg in Florida was issued with an $85,000 financial penalty for the failure to provide a patient with a copy of her child’s fetal heart monitor records within a reasonable time frame. It took 9 months and multiple attempts by the patient before she was provided with the records.

This month, OCR Director Roger Severino gave an update on OCR’s main enforcement priorities and confirmed that noncompliance with the HIPAA right of access is still a major focus for OCR. Further financial penalties can be expected over the coming weeks and months for healthcare organizations that fail to provide individuals with copies of their health information within a reasonable time frame and at a reasonable cost.

There were no financial penalties issued by state attorneys general in September over HIPAA violations.

The post September 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Microsoft and NCCoE Start Working on Guidelines for Implementing an Effective Enterprise Patch Management Strategy

A new project has been launched by Microsoft and the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) to develop guidance on developing and implementing an effective patch management strategy.

Following the (Not)Petya wiper attacks in 2017, Microsoft embarked on a voyage of discovery into why companies had failed to exercise basic cybersecurity hygiene and had not patched their systems, even though patches had been released months previously and could have protected against the attacks.

Over the past 12 months, feedback has been sought from the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), and the Center for Internet Security on the risk of exploitation and patch management strategies. Microsoft has also sat down with customers to find out more about the challenges they face applying patches and to discover exactly why patching is often delayed and why in some cases patches are not applied.

These meetings revealed many companies were unsure about what they should be doing in terms of patch testing. In some cases, patch testing appeared to consist only of asking questions on online forums to see if anyone had experienced any problems with recently released patches. Many customers were unsure about how fast patches needed to be applied.

The meetings prompted Microsoft to form a partnership with NCCoE to develop an enterprise patch management strategy to help companies plan and implement an effective patching strategy. The aim of the initiative is to devise industry guidance and standards to help companies improve their patch management processes.

The project is just about to commence and will involve developing common patch management architectures and processes. Appropriate vendors will assist by building and validating implementation instructions in the NCCoE lab and the project will ultimately result in a new NIST Special Publication 1800 practice guide on patch management.

An invitation has now been extended to vendors with technology offerings that can help with patch management, such as scanning, reporting, deployment, and risk measurement. Individuals and organizations willing to share patch management tips and tactics, and the lessons they have learned are also welcome to participate.

Any vendor, organization, or individual that wishes to participate should contact the project team at cyberhygiene@nist.gov.

The post Microsoft and NCCoE Start Working on Guidelines for Implementing an Effective Enterprise Patch Management Strategy appeared first on HIPAA Journal.

Adoption of Standards Improves Cybersecurity of Internet of Medical Things (IoMT) Devices

Internet of Medical Things (IoMT) technology is helping to increase efficiency, improve the quality of healthcare, and lower healthcare costs; however, IoMT introduces risks. The failure to reduce those risks to a low and acceptable level leaves IoMT devices vulnerable to cyberattacks. Those attacks can be expensive to resolve, which drives up the cost of healthcare and can result in patients coming to harm.

Not only must the devices be secured, cybersecurity must also be managed throughout the entire lifespan of the devices. Software and firmware must be kept up to date, patches must be applied promptly to fix vulnerabilities, and the devices need to be retired when they reach end of life and support comes to an end. Without a thorough understanding of the risks, securing IoMT devices can be a major challenge.

The U.S. Department of Veterans Affairs (VA) has taken steps to improve the safety and security of IoMT devices and has been seeking solutions for securing large-scale IoMT device deployments to better protect the 9 million people under its care. The VA, in conjunction with the global safety science organization UL, launched a Cooperative Research and Development Agreement (CRADA) Program for medical device cybersecurity in 2016. This week, the VA announced that the program has now been completed.

The program was conducted between 2016 and 2018. It used the UL 2900 Series of Standards as a benchmark to identify critical medical device cybersecurity vulnerabilities in large-scale connected medical device deployments, including lifecycle management, and created baseline cybersecurity requirements for medical device manufacturers.

“This collaboration helped us uncover new insights and further accelerate the sharing of medical device cybersecurity information, standards and lifecycle requirements with the intention of benefiting not only the VA hospital system but also the larger U.S. healthcare system of providers and manufacturers,” explained Anura Fernando, UL’s chief innovation architect, Life and Health Sciences.

Throughout the two years, the VA and UL tested hypotheses to expand their understanding of medical device cybersecurity and identify security gaps between in-facility and in-home care and ensure product functionality for FIPS 140-2 compliance. A simulated hacking attack was also conducted on a UL 2900 certified medical device at the Veterans Health Administration (VHA) site in Tampa, FL.

The report shows adoption of standards helps to ensure the safety and security of new medical devices. The findings of the study have resulted in the creation of a series of actionable steps that can be taken by healthcare organizations to improve the security of their medical devices.

“The report findings will help the VA ensure safety for its patient community while also serving as a model for how we can continue to drive innovation within the larger healthcare ecosystem,” said Marc Wine, Director, Technical Integration Support and Industry Liaison, U.S. Department of Veterans Affairs.

CRADA findings included:

  • Use of UL 2900 Series of Standards and product testing/certification accelerated adoption of innovative healthcare technologies through improved pre-procurement product vetting and post-procurement product management.
  • Testing and certification improved confidence in product development processes, security control design evaluation, and post-market patch management support provided by device manufacturers.
  • Compliance with UL 2900 enhanced endpoint security, resulting in improved allocation of cybersecurity resources, allowing them to be focused on critical threats to veterans’ safety and security.

The post Adoption of Standards Improves Cybersecurity of Internet of Medical Things (IoMT) Devices appeared first on HIPAA Journal.