Healthcare Cybersecurity

Why Are Hackers Targeting the Healthcare Industry?

The healthcare industry is under attack. More data breaches are being reported than ever before, but what is the motivation behind these attacks? Why are hackers targeting the healthcare industry? A new report from FireEye provides some answers.

For the report, FireEye researchers studied recent healthcare cyberattacks and identified the tactics being used, the actions of the hackers post-compromise, and what the ultimate goals of the attacks were.

The researchers were able to classify attacks into two groups: Those concerned with theft of data and disruptive/destructive threats.

Many attacks are focused on obtaining patient data, although research data can also be extremely valuable. Cyberattacks aimed at obtaining research information pose a low but noteworthy risk to healthcare organizations. These attacks are most commonly associated with nation-state threat actors.

Cybercriminal gangs and nation-state sponsored hacking groups are investing time and resources into targeting specific healthcare organizations that store treasure troves of data. That could be a business associate serving many healthcare organizations or a large healthcare system.

Healthcare providers are susceptible to cyberattacks as many continue to use outdated and unsupported software and operating systems. Many cyberattacks are opportunistic and occur because healthcare providers have failed to address easily exploitable holes in their security defenses. However, it is now increasingly common for healthcare organizations to be targeted based on the amount of data they store.

Disruptive and destructive threats continue to be a major problem in the healthcare industry. Cybercriminals and nation-state threat actors are conducting attacks that aim to disrupt the continuity of operations. These threats include ransomware and wiper malware.

Cybercrime activity is financially motivated and poses a high-frequency, high-impact threat to healthcare organizations. Personally identifiable information (PII) and protected health information (PHI) are commonly sought, and the information can be used for many different malicious purposes, including financial fraud, medical identity theft, identity theft, and crafting convincing phishing messages. The information is commonly bought and sold on darknet marketplaces and that activity is unlikely to stop.

Attacks are also being conducted to gain access to healthcare networks. Access is then sold to cybercriminal groups, nation-state groups, and other threat actors. “On Feb. 6, 2019, on a popular Russian-language forum, ‘Jendely’ advertised access to a U.S.-based medical institution. According to the advertisement, the actor obtained the domain administrator’s access to the network consisting of 3,000 hosts. The access is being auctioned for $9,000–$20,000 USD,” wrote the researchers.

FireEye researchers also observed attacks involving malware distribution, cryptomining, and other extortion attempts.

Nation-state threats and cyber espionage are moderately frequent in healthcare but can have a major impact. Several APT groups have been observed conducting attacks on healthcare providers, including those linked to China, Russia, and Vietnam. Hacktivism is rare in healthcare and may only have a negligible effect.

FireEye warns that there has been a concerted effort by Chinese APT groups to gain access to medical research data. China is moving toward universal health coverage in 2020 and is concerned about increasing cancer and mortality rates and the cost of providing national healthcare. Medical research can be used to advance drug research in China, lower costs, and could even result in drugs being developed and released in China ahead of companies in the United States that conducted the research.

The report (PDF) can be downloaded here.

The post Why Are Hackers Targeting the Healthcare Industry? appeared first on HIPAA Journal.

Study Raises Awareness of Threat of Lateral Phishing Attacks

A recent study by the University of San Diego, University of California Berkeley, and Barracuda Networks has shed light on a growing threat to healthcare organizations: lateral phishing.

In a standard phishing attack, an email is sent containing an embedded hyperlink to a malicious website where login credentials are harvested. The emails contain a lure to attract a click. That lure is often tailored to the organization being attacked. These phishing emails are relatively easy to identify and block because they are sent from outside the organization.

Lateral phishing is the second stage in the attack. When an email account is compromised, it is then used to send phishing emails to other employees within the organization. Phishing emails are also sent to companies and individuals with a relationship with the owner of the compromised account.

This tactic is very effective. Employees are trained to be suspicious of emails from unknown senders. When an email is received from a person in the organization that usually corresponds with the employee via email, there is a much higher chance of a requested action being taken.

Lateral phishing is one of several types of email account takeover attacks. One of the most common is Business Email Compromise (BEC). With BEC, the aim of the attack is to gain access to the credentials of the CEO. The account is then used to request fraudulent wire transfers. Lateral phishing is primarily concerned with credential theft rather than financial fraud. The goal is to compromise as many accounts as possible within an organization.

For the study, the researchers took a detailed look at phishing and lateral phishing attacks at 100 organizations and identified the strategies being used, the sophistication of the attacks, and which techniques were the most successful.

1 in 7 of the organizations studied had experienced a lateral phishing attack and 180 lateral phishing attacks were identified. In 11% of attacks, further email accounts within the organization were compromised. The researchers note that in 42% of cases, the lateral phishing emails were not reported to the IT department or security team. This failure to report could mean an account breach remains undetected and the compromised email account can continue to be used.

55% of the attacks targeted individuals with a personal or work relationship with the company and almost all emails were sent during regular working hours.

The attackers followed four main strategies when conducting attacks. The most common, used in 45% of attacks, was the sending of generic phishing messages. The most common lures were “shared document” and “account problem.” 63% of all lateral phishing emails were commonplace messages, 30% were refined messages, and 7% were highly targeted.

In 29% of attacks, the email account was used to send tailored messages to close and recent contacts. 25% of attacks involved sending messages to dozens to hundreds of employees. Only 1% of attacks were on business associates of the organization.

In 31% of cases, the phishers used stealth tactics to add realism to their campaigns and evade detection. It is common for emails to be deleted from the sent folder in the compromised account to ensure the compromise is not noticed by the account owner. The researchers found that emails were also deleted from the recipient’s account; this tactic was used in 19.5% of hijacked accounts. In 17.5% of cases, the attackers responded to replies from the recipient of the phishing email to convince them that the request was genuine.

Defending against these attacks requires a three-pronged approach. Security awareness training for employees is essential. All employees should be made aware of the threat of phishing from within the organization.

Two-factor authentication will help to ensure that even in the event that credentials are obtained, they cannot be used to remotely access an email account.

Finally, organizations should invest in advanced detection techniques and solutions that can identify and delete phishing emails before they reach end users’ inboxes.
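The behaviours described in this post (a burst of internal mail, the “shared document” and “account problem” lures, and sent items deleted soon after sending) can be scored from a mail audit log. The script below is an added example, not code from the study or from HIPAA Journal; the event format, tenant domain `hospital.example`, thresholds and sample events are all constructed for illustration and would need to be mapped onto your mail platform’s real audit export. It requires two independent signals before flagging an account, so a helpdesk account that legitimately writes about “account problems” is not reported on the lure alone.

```python
"""Heuristic lateral-phishing detector over a constructed mail audit log.

Added example (not from the Barracuda/UC study or HIPAA Journal). Scores each
internal sender on three signals the study describes: a burst of mail to many
internal recipients, a known lure phrase in the subject, and deletion of the
sent item shortly after sending. Accounts with >= 2 signals are reported.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "hospital.example"                 # assumed tenant domain (constructed)
LURE_KEYWORDS = ("shared document", "account problem")  # lures named in the study
BURST_WINDOW = timedelta(minutes=10)                 # assumed tuning values
BURST_RECIPIENTS = 20
DELETE_WINDOW = timedelta(minutes=5)


def ev(ts, actor, action, subject, recipients=()):
    """Build one constructed audit event. action is 'send' or 'delete_sent'."""
    return {"ts": datetime.fromisoformat(ts), "actor": actor, "action": action,
            "subject": subject, "recipients": list(recipients)}


def burst_reason(sends):
    """Distinct internal recipients reached within BURST_WINDOW of any send."""
    for i, first in enumerate(sends):
        recips = set()
        for s in sends[i:]:
            if s["ts"] - first["ts"] > BURST_WINDOW:
                break
            recips.update(r for r in s["recipients"] if r.endswith("@" + INTERNAL_DOMAIN))
        if len(recips) >= BURST_RECIPIENTS:
            return f"burst: {len(recips)} internal recipients within {BURST_WINDOW}"
    return None


def lure_reason(sends):
    for s in sends:
        if any(k in s["subject"].lower() for k in LURE_KEYWORDS):
            return f"lure subject: {s['subject']!r}"
    return None


def delete_reason(sends, deletes):
    """Sent item with the same subject removed within DELETE_WINDOW of sending."""
    for d in deletes:
        for s in sends:
            gap = d["ts"] - s["ts"]
            if s["subject"] == d["subject"] and timedelta(0) <= gap <= DELETE_WINDOW:
                return f"sent item deleted {gap} after sending {s['subject']!r}"
    return None


def score_actor(events):
    """Return the list of reasons that apply to one account's chronological events."""
    sends = [e for e in events if e["action"] == "send"]
    deletes = [e for e in events if e["action"] == "delete_sent"]
    reasons = [burst_reason(sends), lure_reason(sends), delete_reason(sends, deletes)]
    return [r for r in reasons if r]


def detect(events, min_reasons=2):
    """Map each account with at least min_reasons signals to its reasons."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor[e["actor"]].append(e)
    return {a: r for a, evs in by_actor.items() if len(r := score_actor(evs)) >= min_reasons}


# Constructed sample log: one hijacked clinician account, two benign accounts.
STAFF = [f"staff{i}@{INTERNAL_DOMAIN}" for i in range(25)]
SAMPLE_EVENTS = [
    ev("2019-07-15T09:02:00", f"dr.lee@{INTERNAL_DOMAIN}", "send",
       "Shared document: updated on-call roster", STAFF),
    ev("2019-07-15T09:04:00", f"dr.lee@{INTERNAL_DOMAIN}", "delete_sent",
       "Shared document: updated on-call roster"),
    ev("2019-07-15T09:10:00", f"nurse.kim@{INTERNAL_DOMAIN}", "send",
       "Shift swap Thursday?", STAFF[:2]),
    ev("2019-07-15T09:30:00", f"it.helpdesk@{INTERNAL_DOMAIN}", "send",
       "Account problem tickets summary", STAFF[:3]),
]

if __name__ == "__main__":
    for actor, reasons in detect(SAMPLE_EVENTS).items():
        print(actor)
        for r in reasons:
            print("  -", r)
```

Real deployments would feed this from the mail platform’s unified audit log and tune the thresholds to the organization’s normal mailing patterns; the value of the deletion signal is that it is something the account owner cannot see, which is exactly why the study found it so effective.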

The post Study Raises Awareness of Threat of Lateral Phishing Attacks appeared first on HIPAA Journal.

32% of Healthcare Employees Have Received No Cybersecurity Training

There have been at least 200 breaches of more than 500 records reported since January and 2019 looks set to be another record-breaking year for healthcare data breaches.

The continued increase in data breaches prompted Kaspersky Lab to conduct a survey to find out more about the state of cybersecurity in healthcare. Kaspersky Lab has now published the second part of its report from the survey of 1,758 healthcare professionals in the United States and Canada.

The study provides valuable insights into why so many cyberattacks are succeeding. Almost a third of surveyed healthcare employees (32%) said they have never received cybersecurity training in the workplace.

Security awareness training for employees is essential. Without training, employees are likely to be unaware of some of the cyber threats that they will encounter on a daily basis. Employees must be trained how to identify phishing emails and told of the correct response when a threat is discovered. The failure to provide training is a violation of HIPAA.

Even when training is provided, it is often insufficient. 11% of respondents said they received cybersecurity training when they started work but had not received any training since. 38% of employees said they were given cybersecurity training each year, and a fifth (19%) of healthcare employees said they had been provided with cybersecurity training but did not feel they had been trained enough.

32% of respondents said they had been provided with a copy of their organization’s cybersecurity policy but had only read it once, and 1 in 10 managers were not aware if their company had a cybersecurity policy. 40% of healthcare workers in the United States were unaware of the cybersecurity measures protecting IT devices at their organization.

Training on HIPAA also appears to be lacking. Kaspersky Lab found significant gaps in employees’ knowledge of regulatory requirements. For instance, 18% of respondents were unaware what the Security Rule meant and only 29% of respondents were able to identify the correct meaning of the HIPAA Security Rule.

Kaspersky Lab researchers recommend hiring a skilled IT team that understands the unique risks faced by healthcare organizations and has knowledge of the tools that are required to keep protected health information safe and secure.

It is also essential to address data security and regulatory knowledge gaps. IT security leaders must ensure that every member of the workforce receives regular cybersecurity training and is fully aware of the requirements of HIPAA.

It is also important to conduct regular assessments of security defenses and compliance. Companies that regularly check their cyber pulse can identify and address vulnerabilities before they are exploited by hackers and cause a costly data breach.

The post 32% of Healthcare Employees Have Received No Cybersecurity Training appeared first on HIPAA Journal.

NIST Releases New Guidance on Securing IoT Devices

The National Institute of Standards and Technology (NIST) has released a new guide for manufacturers of Internet of Things (IoT) devices to help them incorporate appropriate cybersecurity controls to ensure the devices are protected against threats when users connect them to the Internet.

The guide is the second in a series of publications on the security of IoT devices. The first document outlined the risks posed by IoT devices. The latest guide – Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers – is intended to help manufacturers incorporate core cybersecurity features into their IoT devices to reduce the prevalence and severity of IoT device compromises.

The draft document defines a core baseline of cybersecurity features which should be incorporated into all IoT devices, along with additional features that should be considered to provide a level of protection over and above the baseline that is appropriate for most customers.

The manufacturers of IoT devices have a responsibility to ensure that their devices have at least a basic level of security and for software updates to be released to address vulnerabilities discovered during the lifespan of the products. It is also the responsibility of users of IoT devices to make sure those security controls are activated and software updates are downloaded and applied promptly.

The guidance is aimed at a technical audience, although it is hoped that it will be used by consumers as well as IoT device manufacturers. It includes six security recommendations for IoT device manufacturers to incorporate into their devices. Those recommendations can also be used as a checklist for organizations to make sure a device can be secured before a purchase is made.

Those features are:

  • A device identification feature to allow an individual device to be identified or for a unique address to be used to connect to the network
  • The ability for an authenticated user to perform a software or firmware upgrade
  • A clear demonstration of how the device stores and transmits data
  • The ability to limit access to local and network interfaces
  • A secure and configurable method for updating software and firmware
  • A log feature that records all cybersecurity events

IoT devices connect to and are visible on the network, yet they may not have an interface through which security settings can be applied and software updated. If appropriate security controls are not incorporated by manufacturers and activated by users, the devices will remain a security risk and vulnerabilities could be exploited by unauthorized individuals to gain access to home and business networks.

NIST is accepting comments on the draft guidance until September 30, 2019.

The post NIST Releases New Guidance on Securing IoT Devices appeared first on HIPAA Journal.

GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies

The Government Accountability Office (GAO) conducted a study of 23 federal agencies and found widespread cybersecurity risk management failures.

Federal agencies are targeted by cybercriminals, so it is essential for safeguards to be implemented to protect against those threats. Federal law requires government agencies to adopt a risk-based approach to cybersecurity to identify, prioritize, and manage cybersecurity risks.

The GAO was asked to conduct its review to determine whether federal agencies had established the key elements of a cybersecurity risk management program, what challenges were faced when developing those programs, and what steps had been taken by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) to address their responsibilities with respect to addressing cybersecurity challenges faced by federal agencies.

The study revealed all but one (22) federal agency had appointed a cybersecurity risk executive, but other important elements of the risk management program had not been incorporated at many of the agencies assessed for the study.

There were deficiencies in the development of a cybersecurity risk management plan. 16 agencies had not fully established a cybersecurity risk management strategy delineating the boundaries for risk-based decisions. 17 agencies had not fully established an agency-wide and system-level plan for assessing, monitoring, and responding to cybersecurity risks. A process for assessing agency-wide cybersecurity risks based on an aggregation of system-level risks had not been established at 11 agencies. 13 agencies had not established a process for coordinating between cybersecurity and enterprise risk management (ERM) programs for managing all major risks.

Until policies and procedures are changed and the security failures are addressed, federal agencies will face an elevated risk of experiencing cyberattacks that threaten the national security of the United States and personal privacy.

GAO made 58 recommendations that all agencies should incorporate into their risk management processes, including specific recommendations for certain agencies.

Federal agencies have faced several challenges assessing and managing cybersecurity risks. The main challenge was hiring and retaining key cybersecurity management personnel, which was cited as a problem by all 23 agencies.

Managing competing priorities between operations and cybersecurity, establishing and implementing consistent policies and procedures, establishing and implementing standardized technology capabilities, and receiving quality risk data were also common problems.

GAO has recommended that the DHS and OMB develop methods for sharing best practices and successful methods for addressing some of the common challenges faced when implementing consistent cybersecurity risk management practices to ensure those challenges can be overcome quickly and security posture at all of the federal agencies is rapidly improved.

The post GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies appeared first on HIPAA Journal.

VA OIG Report Highlights Risk of Medical Device Workarounds

A recent inspection of a California VA medical center by the Department of Veteran Affairs Office of Inspector General (VA OIG) has revealed security vulnerabilities related to medical device workarounds and multiple areas of non-adherence with Veterans Health Administration (VHA) and VA policies.

Tibor Rubin VA Medical Center in Long Beach, California was inspected by the VA OIG after VHA and VA privacy and security policy violations were identified during an unrelated investigation.

The auditors identified inappropriate staff workarounds for transferring and integrating information from patient medical devices into the medical center’s EHR system. The auditors also found two potential breaches of patient information while performing the inspection.

The medical center did not have an interface between VHA medical devices and its EHR system, which forced staff to use inappropriate workarounds. Biomedical engineering and IT assistance had not fully resolved software interface issues between VHA medical devices and the EHR, and facility staff were using unapproved communication modes which risked the accidental disclosure of sensitive patient information.

Inspectors discovered 9 out of 12 medical devices lacked an interface with the EHR system, including a high-resolution esophageal manometry (HRM) medical device. The interface with the VHA EHR stopped functioning when the medical center upgraded to Windows 7 from Windows XP in 2013. Biomed and IT had provided assistance initially when problems were first experienced, but additional software interface issues remained unaddressed.

The gastroenterology (GI) provider told the inspectors that the facility’s biomedical engineering and IT departments were involved in the decision to continue using the equipment even though there was no working interface. The GI provider developed two workarounds that were not in line with VHA and VA policies covering sensitive personal information. Those workarounds placed patient information at risk of exposure.

Those methods involved the use of the GI provider’s personal computer and the transfer of sensitive information via unencrypted email, the cloud, and a non-VA-issued unencrypted flash drive. Staff in the GI laboratory, pulmonary/sleep laboratory, and neurology departments had also developed workarounds as a result of interface issues following the operating system upgrade.

Staff were aware of the importance of patient privacy and securing patient information, and one staff member ensured information was only sent via secure, encrypted email. However, other staff members sent email using personal email accounts, unsecured devices, and via SMS text messages.

VA OIG found 99% of the emails sent from the GI provider’s email account contained sensitive patient information as did 91.7% of SMS text messages sent to staff. Inpatient and nursing staff were also discovered to be using non-secure methods of communicating patient information. The medical center was also discovered to still be using logbooks to record equipment taken home by staff, which is against VHA policy.

The report involved one VA medical center, but the findings are not surprising. Similar problems are experienced by many healthcare providers, which also use workarounds to solve software compatibility issues, even though those workarounds can introduce considerable risk.

The VA OIG has made several recommendations on how the medical center can correct the violations and improve security. Those recommendations include taking steps to ensure staff members only use secure methods to communicate patient information, and for the medical center director to conduct a review of communications processes between staff and IT/biomedical engineering and to take action to address interface issues and improve communication. The medical center is currently in the process of implementing those recommendations.

The post VA OIG Report Highlights Risk of Medical Device Workarounds appeared first on HIPAA Journal.

Judge Approves $74 Million Premera Blue Cross Data Breach Settlement

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records.

US District Judge Michael Simon determined that the proposed settlement was fair, reasonable, and adequate based on the strength of the case against Premera and the likely cost of continued litigation.

The settlement will see $32 million made available to victims of the breach to cover claims for damages of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years.

Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that its systems had been compromised.

“Improved data security benefits all class members, even if they are no longer insured by Premera or a related Blue Cross entity, because sensitive information remains stored on Premera’s servers,” wrote Judge Simon.

Considering the data breach affected 10.6 million individuals, a fund of $10 million to reimburse costs may not seem that much. However, Judge Simon determined the figure to be fair because relatively few of the plaintiffs had suffered identity theft as a result of the data breach and the settlement includes $3.5 million to cover the cost of additional credit monitoring services.

The case against Premera was complex and involved a considerable amount of technical information about the data security protections that were put in place. The evidence also spanned several years. “Whether Premera breached its contractual promises, was negligent, or engaged in unfair practices under Washington’s Consumer Protection Act with respect to Premera’s provision of data security are relatively strong claims,” wrote Judge Simon.

The settlement resolves the lawsuit with no admission of liability. In addition to the $74 million, Premera also settled a multi-state lawsuit with 30 states for $10 million over the failure to address known data security risks.

The Premera data breach was also investigated by the HHS’ Office for Civil Rights. It remains to be seen whether a financial penalty will be deemed appropriate.

The post Judge Approves $74 Million Premera Blue Cross Data Breach Settlement appeared first on HIPAA Journal.

First Half of 2019 Sees 31.6 Million Healthcare Records Breached

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May.

According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records).

One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been affected and more than 20 million records have been confirmed as having been breached.

The report shows the first 6 months was dominated by hacking incidents, which accounted for 60% of all incidents and 88% of breached records. 168 data breaches were due to hacking, 88 involved phishing, 27 involved ransomware or malware, and one involved another form of extortion.

20.91% of all breaches – 60 incidents – were insider breaches. 3,457,621 records were exposed in those breaches, or 11% of all breached records. 35% of incidents were classified as being caused by insider error and 22% were due to insider wrongdoing. 24 theft incidents were reported involving at least 184,932 records, and the cause of 32 incidents (142,009 records) is unknown.

Healthcare providers reported 72% of breaches, 11% were reported by health plans, and 9% were reported by business associates. 8% of breaches could not be classified. While the above distribution of breaches is not atypical, 2019 has been a particularly bad year for business associates.

In three of the first six months of 2019 a business associate reported the largest breach of the month. The largest breach of the year was at a business associate. That breach is already the second largest healthcare data breach of all time. Hacking was the biggest problem area for business associates. 45% of business associate data breaches were due to hacking and other IT incidents.

One business associate, Dominion National, took 8.5 years to discover its systems had been breached. By the time the breach was discovered, the records of 2,964,778 individuals had been compromised. Overall the average time to discover a breach was 50 days. The average time to report a breach to the HHS was 77 days and the median reporting time was 60 days.

“In order for healthcare organizations to reduce risk across their organization and to truly combat the challenges associated with health data security, it is critical for healthcare privacy offices to utilize healthcare compliance analytics that will allow them to audit every access to their patient data,” wrote Protenus. “Full visibility into how their data is being accessed will help healthcare organizations prevent data breaches from wreaking havoc on their organization and the patients who trust them with their personal information.”

The post First Half of 2019 Sees 31.6 Million Healthcare Records Breached appeared first on HIPAA Journal.

DHS Issues Best Practices to Safeguard Against Ransomware Attacks

Ransomware appeared to have gone out of fashion in 2018, but that is certainly not the case in 2019. Q1 2019 saw a 195% increase in ransomware attacks and Q2 a further 184% increase. Judging by the number of ransomware attacks reported in the past few weeks, the Q3 figures are likely to be even worse.

States, cities, and local governments have been extensively targeted as has the healthcare industry. Many victims have been forced to pay sizable ransoms to regain access to critical data. Others have been forced to permanently close their doors.

In response to the growing number of attacks, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have issued a joint statement in which recommendations are given to help improve resilience to ransomware attacks.

The statement was issued primarily to state, local, territorial and tribal governments, although the recommendations are equally relevant to the healthcare industry and businesses in other industry sectors.

Taking the three steps detailed in the statement (and outlined below) will improve defenses against ransomware and will help to ensure that in the event of an attack, recovery can be made in the shortest possible time frame.

Ransomware Recommendations

  • Backup systems now (and daily)
  • Reinforce cybersecurity awareness training
  • Revise and refine cyber incident response plans

Without valid data backups, ransomware victims will be at the mercy of their attackers. As has already been seen on several occasions this year, payment of the ransom does not guarantee file recovery. Even when keys are supplied to unlock encrypted data, some data loss can be expected.

It is therefore essential to ensure that all critical data, agency and system information is backed up daily, with the backups stored on a separate, non-networked, offline device. Backups and the restoration process must be tested to ensure file recovery is possible. The joint statement instructs all partners to back up systems immediately and daily.
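Testing the restoration process means more than confirming the backup job finished: a restored tree has to be checked file by file against what was backed up. The script below is an added example, not part of the joint statement or of HIPAA Journal’s post; it writes a SHA-256 manifest at backup time and later verifies a restore against it, reporting files that are missing, altered or unexpected. The directory names and file contents are constructed inside a temporary directory so it runs anywhere.

```python
"""Backup manifest and restore verification.

Added example (not from CISA/MS-ISAC or HIPAA Journal). At backup time a
SHA-256 manifest of every file is recorded; after a test restore the restored
tree is compared against the manifest. Sample data is constructed in a temp dir.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file's path (relative to root, '/' separated) to its hash."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest taken at backup time."""
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))      # never restored
    extra = sorted(set(current) - set(manifest))        # not in the backup at all
    altered = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"ok": not (missing or extra or altered),
            "missing": missing, "altered": altered, "extra": extra}


def demo() -> dict:
    """Constructed end-to-end run: back up, verify a clean restore, then a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "ehr_exports")
        (src / "notes").mkdir(parents=True)
        (src / "patients.csv").write_text("id,name\n1,constructed\n")   # constructed data
        (src / "notes" / "2019-07.txt").write_text("constructed note")

        manifest = build_manifest(src)   # store this somewhere the backup host cannot modify

        # The "offline" copy: in practice removable or otherwise disconnected media.
        backup = Path(tmp, "offline_backup")
        shutil.copytree(src, backup)
        clean = verify_restore(backup, manifest)

        # Simulate a restore where one file came back garbled and one is missing,
        # the situation the post warns about even when a ransom is paid.
        (backup / "patients.csv").write_bytes(b"\x00garbled")
        (backup / "notes" / "2019-07.txt").unlink()
        damaged = verify_restore(backup, manifest)

        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "OK" if result["ok"] else "FAILED", result)
```

The manifest should live apart from the backup media (and ideally be signed), otherwise an intruder who can alter the backup can alter the record used to check it; the restore test itself should be run on a schedule, not only after an incident.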

Ransomware is most commonly installed inadvertently by employees as a result of responding to a phishing email or visiting a malicious website. It is therefore important to ensure that the workforce is made aware of the threat and is taught how to recognize suspicious emails, links, and other threats.

Even if training has already been given to staff, refresher training sessions are recommended. The staff should also be made aware of the actions to take if a potential threat is received or if an attack is believed to be in progress, including being advised of out-of-band communication paths.

It may not be possible to prevent all attacks, so it is essential for a ransomware response plan to be developed that can be immediately implemented in the event of an attack. The response plan should include plans that can be implemented if internal capabilities become overwhelmed and instructions and contact information for external cyber first responders, state agencies, and other parties that may be required to assist in the wake of an attack.

The guidance document can be viewed/downloaded on this link (PDF).

The post DHS Issues Best Practices to Safeguard Against Ransomware Attacks appeared first on HIPAA Journal.