Healthcare Data Security

HHS Warns Healthcare Sector About Risk of Zero-day Attacks

Posted by HIPAA Journal

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief warning the healthcare and public health sector about an increase in financially motivated zero-day attacks, outlining mitigation tactics that should be adopted to reduce risk to a low and acceptable level.

A zero-day attack leverages a vulnerability for which a patch has yet to be released. The vulnerabilities are referred to as zero-day, as the developer has had no time to release a patch to correct the flaw.

Zero-day attacks are those where a threat actor has exploited a zero-day vulnerability using a weaponized exploit for the flaw. Zero-day vulnerabilities are exploited in attacks on all industry sectors and are not only a problem for the healthcare industry.  For instance, in 2010, exploits were developed for four zero-day vulnerabilities in the “Stuxnet” attack on the Iranian nuclear program, which caused Iranian centrifuges to self-destruct to disrupt Iran’s nuclear program.

More recently in 2017, a zero-day vulnerability was exploited to deliver the Dridex banking Trojan. While it would normally be necessary for an individual to take additional actions after opening a malicious email attachment for malware to be downloaded, by including an exploit for a zero-day vulnerability the threat actors were able to install the Dridex banking Trojan if an individual simply opened an infected email attachment. A zero-day vulnerability was also exploited this year in the 2021 SonicWall ransomware attacks. The vulnerability was identified by the UNC2447 threat group and was exploited to deliver FiveHands ransomware.

The very nature of zero-day vulnerabilities means it is not possible to eliminate risk entirely, as software developers need to develop patches to fix the vulnerabilities, but strategies can be adopted to reduce the potential for zero-day vulnerabilities to be exploited.

The number of detected exploits for zero-day vulnerabilities more than doubled between 2019 and 2021. This is, in part, due to the high value of exploits for zero-day flaws. The price paid for working exploits rose by more than 1,150% between 2018 and 2021. While the market for zero-day exploits was limited to a handful of groups with deep pockets, there are now many threat actors with considerable resources that are willing to pay as they know they can make their money back many times over by using the exploits in their attacks. Now, an exploit for a zero-day vulnerability could be worth more than $1 million.

Zero-day attacks specifically conducted against the healthcare sector are a very real possibility. In August this year, a zero-day vulnerability dubbed PwnedPiper was identified in the pneumatic tube systems used in hospitals to transport biological samples and medications. The vulnerability was identified in the control panel, which would allow unsigned firmware updates to be applied. An attacker could exploit the flaw and take control of the system and deploy ransomware.

In August 2020, four zero-day vulnerabilities were identified that exposed OpenClinic patients’ test results. Unauthenticated attackers could successfully request files containing sensitive documents from the medical test directory, including medical test results.

The best defense against zero-day vulnerabilities is to patch promptly, but patching is often slow, especially in healthcare. In 2019, a survey conducted by the Ponemon Institute revealed the average time to apply, test, and deploy a patch for a zero-day vulnerability was 97 days after the patch was released.

The advice of HC3 is to “patch early, patch often, patch completely.” HC3 provides up-to-date information on actively exploited zero-days and the available patches to fix zero-day flaws. HC3 also suggests implementing a web-application firewall to review incoming traffic and filter out malicious input, as this can prevent threat actors from gaining access to vulnerable systems. It is also recommended to use runtime application self-protection (RASP) agents, which sit inside applications’ runtime and can detect anomalous behavior. Segmenting networks is also strongly recommended.

The TLP: WHITE Zero-Day Threat Brief is available for download on this link.

The post HHS Warns Healthcare Sector About Risk of Zero-day Attacks appeared first on HIPAA Journal.

October 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

October saw 59 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 25.5% increase from September. Over the past 12 months, from November 2020 to October 2021, there have been 655 reported breaches of 500 or more records, 546 of which have been reported in 2021.

Healthcare Data Breaches (November 20-October 21)

The protected health information (PHI) of 3,589,132 individuals was exposed, stolen, or impermissibly disclosed across the 59 reported data breaches, which is 186% more records than September. Over the past 12 months, from November 2020 to October 2021, the PHI of 39,938,418 individuals has been exposed or stolen, with 34,557,664 individuals known to have been affected by healthcare data breaches so far in 2021.

Healthcare records breached (november 20-october 21)

Largest Healthcare Data Breaches in October 2021

There were 18 data breaches reported to the HHS’ Office for Civil Rights in October that impacted 10,000 or more individuals, as detailed in the table below.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Breach Cause
Eskenazi Health IN Healthcare Provider 1,515,918 Hacking/IT Incident Ransomware attack
Sea Mar Community Health Centers WA Healthcare Provider 688,000 Hacking/IT Incident Ransomware attack
ReproSource Fertility Diagnostics, Inc. MA Healthcare Provider 350,000 Hacking/IT Incident Ransomware attack
QRS, Inc. TN Business Associate 319,778 Hacking/IT Incident Unauthorized network server access
UMass Memorial Health Care, Inc. MA Business Associate 209,048 Hacking/IT Incident Phishing attack
OSF HealthCare System IL Healthcare Provider 53,907 Hacking/IT Incident Ransomware attack
Educators Mutual Insurance Association UT Health Plan 51,446 Hacking/IT Incident Unauthorized network access and malware infection
Lavaca Medical Center TX Healthcare Provider 48,705 Hacking/IT Incident Unauthorized network access
Professional Dental Alliance, LLC PA Healthcare Provider 47,173 Unauthorized Access/Disclosure Phishing attack on a vendor
Nationwide Laboratory Services FL Healthcare Provider 33,437 Hacking/IT Incident Ransomware attack
Professional Dental Alliance of Michigan, PLLC PA Healthcare Provider 26,054 Unauthorized Access/Disclosure Phishing attack on a vendor
Syracuse ASC, LLC NY Healthcare Provider 24,891 Hacking/IT Incident Unauthorized network access
Professional Dental Alliance of Georgia, PLLC PA Healthcare Provider 23,974 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Dental Alliance of Florida, LLC PA Healthcare Provider 18,626 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Dental Alliance of Illinois, PLLC PA Healthcare Provider 16,673 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Healthcare Management, Inc. TN Healthcare Provider 12,306 Hacking/IT Incident Ransomware attack
Professional Dental Alliance of Tennessee, LLC PA Healthcare Provider 11,217 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Dental Alliance of New York, PLLC PA Healthcare Provider 10,778 Unauthorized Access/Disclosure Phishing attack on a vendor

Ransomware attacks continue to plague healthcare organizations and threaten patient safety. Half of the top 10 data breaches involved ransomware, including the top three data breaches reported in October.

The worst breach of the month was reported by Eskenazi Health. The PHI of more than 1.5 million patients was exposed and patient data is known to have been stolen in the attack. A major ransomware attack was also reported by Sea Mar Community Health Centers. Its systems were first compromised in December 2020, the ransomware attack was identified in March 2021, and Sea Mar was notified about the posting of patient data on a darknet marketplace in June. It took until late October to issue notifications to affected individuals.

Hackers often gain access to healthcare networks through phishing attacks, and phishing remains the leading attack vector in ransomware attacks. Large quantities of sensitive data are often stored in email accounts and can easily be stolen if employees respond to phishing emails. A phishing attack on UMass Memorial Health Care resulted in the exposure of the PHI of 209,048 individuals, and a phishing attack on a vendor used by the Professional Dental Alliance exposed the PHI of more than 174,000 individuals.

Causes of October 2021 Healthcare Data Breaches

Data breaches classified as hacking/IT incidents, which include ransomware attacks, were the main cause of data breaches in October. 57.63% of all breaches reported in the month were classified as hacking/IT incidents and they accounted for 94.14% of all breached records (3,378,842 records). The average size of the data breaches was 99,378 records and the median breach size was 5,212 records.

Causes of October 2021 healthcare data breaches

22 breaches were classified as unauthorized access/disclosure incidents and involved the PHI of 200,887 individuals. Those breaches include the phishing attack that affected the Professional Dental Alliance. The average breach size was 9,131 records and the median breach size was 4,484 records.

There were 4 breaches reported that involved the loss or theft of physical PHI or electronic devices containing PHI, 3 of which were theft incidents and 1 was a lost laptop computer. The PHI of 9,403 individuals was exposed as a result of those incidents. The average breach size was 2,351 records and the mean breach size was 1,535 records.

Location of breached protected health information -October 2021

Healthcare Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected covered entity type with 43 reported breaches. 8 data breaches were reported by business associates of HIPAA-covered entities and 8 were reported by health plans. Many data breaches occur at business associates of HIPAA-covered entities but are reported by the affected covered entity. The pie chart below shows the breakdown of breaches based on where they occurred.

October 2021 healthcare data breaches by HIPAA-regulated entity type

Healthcare Data Breaches by State

Healthcare data breaches were reported by HIPAA-regulated entities in 26 states. Pennsylvania was the worst affected state with 12 reported breaches, although 11 of those breaches were the same incident – the phishing attack on the Professional Dental Alliance vendor that was reported separately by each affected HIPAA-covered entity.

State No. Breaches
Pennsylvania 12
California 5
Illinois, Indiana, & Texas 4
New York & Washington 3
Connecticut, Florida, Massachusetts, New Jersey, North Carolina & Tennessee 2
Alabama, Arkansas, Kansas, Kentucky, Minnesota, Mississippi, Nebraska, Ohio, South Carolina, Utah, Virginia, & West Virginia 1

HIPAA Enforcement Activity in October 2021

There was only one HIPAA enforcement action announced in October. The New Jersey Attorney General agreed to settle an investigation into a data breach reported by Diamond Institute for Infertility and Menopause that resulted in the exposure of the PHI of 14,663 New Jersey residents.

The New Jersey Department of Law and Public Safety Division of Consumer Affairs uncovered violations of 29 provisions of the HIPAA Privacy and Security Rules, and violations of the New Jersey Consumer Fraud Act. In addition to paying $495,000 in civil monetary penalties and investigation costs, Diamond agreed to implement additional measures to improve data security.

The post October 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft

Posted by HIPAA Journal

A recent survey conducted by the unified asset visibility and security platform provider Armis has explored the state of cybersecurity in healthcare and the security risks that are now faced by healthcare organizations.

The survey was conducted by Censuswide on 400 IT professionals at healthcare organizations across the United States, and 2,000 U.S. patients to obtain their views on cybersecurity and data breaches in healthcare.

The survey confirmed cyber risk is increasing, with 85% of respondents saying cyber risk has increased over the past 12 months. Ransomware gangs have targeted the healthcare industry over the past 12 months, and many of those attacks have succeeded. 58% of the surveyed IT professionals said their organization had experienced a ransomware attack in the past 12 months.

Ransomware attacks were viewed as a cause of concern by 13% of IT security pros, indicating most are confident that they will be able to recover data in the event of an attack. However, data breaches that result in the loss of patient data were a major worry, with 52% of IT pros rating data loss as a top concern, with attacks on hospital operations rated as a major concern by 23% of healthcare IT pros.

Defending against cyberattacks is becoming increasingly difficult due to the expanding attack surface. Armis says there are now 430 million connected healthcare devices worldwide, and that number is continuing to rise. When asked about the riskiest systems and devices, building systems such as HVAC were the biggest concern with 54% of IT professionals rating them as a major cybersecurity risk. Imaging machines were rated as among the riskiest by 43% of respondents, followed by medication dispensing equipment (40%), check-in kiosks (39%), and vital sign monitoring equipment (33%). While there is concern about the security of these systems and medical devices, 95% of IT professionals said they thought their connected devices and systems were patched and running the latest software.

The increase in cyberattacks on the healthcare sector is influencing healthcare decisions. 75% of IT professionals said recent attacks have had a strong influence on decision making and 86% of respondents said their organization had appointed a CISO; however, only 52% of respondents said their organization was allocating more than sufficient funds to cover IT security.

The survey of patients revealed a third had been the victim of a healthcare cyberattack, and while almost half of patients (49%) said they would change healthcare provider if it experienced a ransomware attack, many patients are unaware of the extent of recent cyberattacks and how frequently they are now being reported. In 2018, healthcare data breaches were reported at a rate of 1 per day. In the past year, there have been 7 months when data breaches have been reported at a rate of more than 2 per day.

Despite extensive media reports about healthcare data breaches and vulnerabilities in medical devices, 61% of potential patients said they had not heard about any healthcare cyberattacks in the past two years, clearly showing many patients are unaware of the risk of ransomware and other cyberattacks. However, patients are aware of the impact those attacks may have, with 73% of potential patients understanding a cyberattack could impact the quality of care they receive.

When potential patients were asked about their privacy concerns, 52% said they were worried a cyberattack would shut down hospital operations and would potentially affect patient care, and 37% said they were concerned about the privacy of information accessible through online portals.

There certainly appears to be trust issues, as only 23% of potential patients said they trusted their healthcare provider with their sensitive personal data. By comparison, 30% said they trusted their best friend with that information.

The post Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft appeared first on HIPAA Journal.

Medical Devices Affected by 13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities

Posted by HIPAA Journal

13 vulnerabilities have been identified in the Siemens Nucleus RTOS TCP/IP stack that could potentially be exploited remotely by threat actors to achieve arbitrary code execution, conduct a denial-of-service attack, and obtain sensitive information.

The vulnerabilities, dubbed NUCLEUS:13, affect the TCP/IP stack and related FTP and TFTP services of the networking component (Nucleus NET) of the Nucleus Real-Time Operating System (RTOS), which is used in many safety-critical devices. In healthcare, Nucleus is used in medical devices such as anesthesia machines and patient monitors.

One critical vulnerability has been identified that allows remote code execution which has a CVSS v3 severity score of 9.8 out of 10. Ten of the vulnerabilities are rated high severity flaws, with CVSS scores ranging from 7.1 to 8.8. There are also two medium-severity flaws with CVSS scores of 6.5 and 5.3.

The vulnerabilities were identified by security researchers at Forescout Research Labs, with assistance provided by researchers at Medigate.

The vulnerabilities affect the following Nucleus RTOS products:

  • Capital VSTAR: All versions
  • Nucleus NET: All versions
  • Nucleus ReadyStart v3: All versions prior to v2017.02.4
  • Nucleus ReadyStart v4: All versions prior to v4.1.1
  • Nucleus Source Code: All versions

Identifying where vulnerable code has been used is a challenge. The researchers attempted to estimate the impact of the vulnerabilities based on evidence collected from the official nucleus website, the Shodan search engine, and the Forescout device cloud. Healthcare is the worst affected industry, with 2,233 vulnerable devices. 1,066 government devices were identified as vulnerable, with other vulnerable devices found in retail (348), financial (326), manufacturing (317), with 1,176 vulnerable devices found in other industry sectors. 76% of the vulnerable devices are used for building automation, 13% are used in operational technology, 4% for networking, 5% IoT, and 2% were computers running Nucleus.

The vulnerabilities were reported to Siemens under responsible disclosure guidelines and Siemens has made patches available to fix all of the identified vulnerabilities. Siemens said some of the flaws had been identified and addressed in previously released versions, but no CVEs were issued.

Applying patches to fix the vulnerabilities can be a challenge, especially for embedded devices and those of a mission-critical nature, such as devices used in healthcare settings.

If patches cannot be applied, Forescout and Siemens recommend implementing mitigating measures to reduce the potential for exploitation. Siemens recommends protecting network access to devices with appropriate mechanisms and ensuring the devices operate within protected IT environments that have been configured in accordance with Siemens’ operational guidelines.

Forescout has released an open-source script that uses active fingerprinting to detect devices running Nucleus for discovery and inventory purposes. After identifying devices, Forescout recommends enforcing segmentation controls and practicing proper network hygiene, including restricting external communication paths and isolating or containing vulnerable devices in zones until they can be patched.

In addition, all network traffic should be monitored for malicious traffic and progressive patches released by vendors of affected devices should be monitored. A remediation plan should be developed for all vulnerable assets that balances risk with business continuity requirements.

Specific mitigations recommended by Forescout are detailed in the table below:

Nucleus 13 Mitigations recommended by Forescout.

The post Medical Devices Affected by 13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities appeared first on HIPAA Journal.

HS3: Cobalt Strike Penetration Testing Framework Increasingly Used in Cyberattacks on Healthcare Organizations

Posted by HIPAA Journal

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief for the healthcare industry warning about the use of the Cobalt Strike penetration testing tool by cyber threat actors.

Cobalt Strike is a powerful red team tool used by penetration testers when conducting risk and vulnerability assessments, but it can also be abused and is increasingly being used by cyber threat actors in attacks on the healthcare and public health sector.

Cobalt Strike can be used for reconnaissance to gain valuable information about the target infrastructure to allow threat actors to determine the best use of their time when attacking healthcare networks. The system profiler function can be used to discover client-side applications used by a target and provides version information. The system profiler starts a local web server, fingerprints visitors, identifies internal IP addresses behind a proxy, and obtains reconnaissance data from the weblog, applications, and provides information on targets.

Cobalt Strike includes a spear phish tool that can be used to create and send fake emails using arbitrary message templates. If a message is imported, Cobalt Strike will replace links/text and create and send convincing phishing emails and track users that click.

The Beacon tool is used to discover client-side applications and versions and allows the loading of malleable command and control profiles, uses HTTP/HTTPS/DNS to egress a network, and named pipes to control Beacons, peer-to-peer, over SMB for covert communications. Beacon can also be used for post-exploitation and can execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn other malicious payloads. Cobalt Strike also uses attack packages to allow attacks to progress through their many stages and has the capability to transform innocent files into a Trojan horse.

Cobalt Strike uses browser pivoting, which can be used to bypass 2-factor authentication and access sites as the target. Cookies, authenticated HTTP sessions, and client SSL certifications can be leveraged to hijack a compromised user’s authenticated web sessions. Using the Cobalt Strike team server, attackers can share data, communicate in real-time, and take full control of compromised systems.

Cobalt Strike is a powerful penetration testing tool and since it is an entire framework, it has many more capabilities than most malware variants, which makes it a valuable tool for black hat hackers, and many nation-state hacking groups and cybercriminal organizations have been using Cobalt Strike in attacks on the healthcare sector in the United States.

Given the extent to which the framework is used in cyberattacks, healthcare organizations should work on the assumption that Cobalt Strike will be used in an attack and should therefore focus on prevention and detection strategies and follow the MITRE D3FEND framework.

Cobalt Strike is delivered by many different infection vectors, so defending against attacks can be difficult. There is also no single containment technique that is effective against the framework as a whole.

Cobalt Strike is often delivered via malware downloaders such as BazarLoader, which are often delivered using phishing emails containing malicious Office files. It is therefore important to implement advanced email security defenses that can block phishing threats and provide ongoing security awareness training to the workforce to teach employees to identify malicious messages containing malware downloaders such as BazarLoader.

Threat actors often exploit known vulnerabilities in software and operating systems to gain access to healthcare networks. It is therefore important to ensure a full inventory of devices and software is maintained, and patches or other mitigating measures are implemented to address vulnerabilities promptly. Healthcare organizations should also improve their defenses against attacks abusing their remote access capabilities.

Detecting Cobalt Strike once installed can be a challenge. HC3 recommends using signatures for intrusion detection and endpoint security systems and Yara Rules. Further information can be found in the HC3 Cobalt Strike White Paper.

The post HS3: Cobalt Strike Penetration Testing Framework Increasingly Used in Cyberattacks on Healthcare Organizations appeared first on HIPAA Journal.

High Severity Vulnerabilities Identified in Philips Tasy EMR

Posted by HIPAA Journal

Two high severity vulnerabilities have been identified in the Philips Tasy EMR that could allow sensitive patient data to be extracted from the database. The vulnerabilities can be exploited remotely, there is a low attack complexity, and exploits for the vulnerabilities are in the public domain.

Philips says the vulnerabilities affect Tasy EMR HTML5 3.06.1803 and prior versions, with the affected products used primarily in South and Central America. The vulnerabilities were identified and publicly disclosed by a security researcher who did not follow responsible disclosure protocols and failed to coordinate with Philips.

The two flaws are both SQL injection vulnerabilities that have been assigned a CVSS v3 severity score of 8.8 out of 10. Both are due to improper neutralization of special elements in SQL commands.

The first flaw, tracked as CVE-2021-39375, allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter. The second, tracked as CVE-2021-39376, allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.

By exploiting the flaws, a remote attacker could expose patient data, extract information from the database, or trigger a denial-of-service condition.

Philips says it reported the vulnerabilities to CISA and has fixed both vulnerabilities in Tasy EMR HTML5 to Version 3.06.1804. All healthcare providers using a vulnerable version of the EMR system should update to version 3.06.1804. or later as soon as possible to prevent exploitation. Prior to upgrading to the latest version, CISA recommends performing an impact analysis and risk assessment.

The post High Severity Vulnerabilities Identified in Philips Tasy EMR appeared first on HIPAA Journal.

FBI: Ransomware Gangs Exploiting Corporate Financial Events to Facilitate Extortion

Posted by HIPAA Journal

Ransomware gangs often use double extortion tactics to encourage victims to pay the ransom. In addition to file encryption, sensitive data are stolen and a threat is issued to sell or publish the data if the ransom is not paid. The Federal Bureau of Investigation (FBI) has recently issued a private industry notification warning of a new extortion tactic, where ransomware gangs target companies and organizations that are involved in significant time-sensitive financial events, steal sensitive financial data, then threaten to publish that information if payment is not made.

Ransomware gangs conduct extensive research on their victims before launching an attack, which includes gathering publicly available data and nonpublic material. The attacks are then timed to coincide with the release of quarterly earnings reports, SEC filings, initial public offerings, and merger and acquisition activity, with the release of information having the potential to significantly affect the victim’s stock value.

“During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands,” explained the FBI. “Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.”

Several ransomware operations are known to steal sensitive data and sift through that information to find potentially damaging material. The REvil and Darkside ransomware gangs have both issued threats to contact stock exchanges such as NASDAQ to advise them about a current ransomware attack and provide damaging information to tank share prices.

“Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information,” said the Darkside ransomware gang in an April 2021 post on their blog site.

The FBI lists some attacks where companies have been targeted that were undergoing mergers or acquisitions. For example, in early 2020, a ransomware actor with the moniker “Unknown” posted on the Russian “Exploit” hacking forum that a good way to force victims to pay the ransom was to reference their presence on the NASDAQ stock exchange and threaten to leak data to NASDAQ to tank share prices. That advice was followed by several threat actors. Between March 2020 and July 2020, at least three publicly traded US companies that were actively involved in mergers and acquisitions were targeted, two of which were undergoing private negotiations.

Threat actors known to deploy the Pyxie Remote Access Trojan (RAT) before using the Defray777 and RansomEXX ransomware variants were searching for information on victims’ current and near-future stock values in the initial phases of the attacks. A November 2020 analysis of the Trojan revealed keyword searches for terms such as 10-q1, 10-sb2, n-csr3, nasdaq, marketwired, and newswire.

To prevent attacks and ensure data recovery is possible without paying a ransom, the FBI recommends regularly backing up data and storing it offline, installing and regularly updating antivirus software, making sure all software is kept up to date, adopting the least privilege approach and network segmentation, only using secure networks for connections, and implementing multi-factor authentication.

The FBI doesn’t recommend paying a ransom as it emboldens adversaries to target additional organizations, encourages other threat actors to conduct ransomware attacks, and there is no guarantee that payment will result in data recovery. However, the FBI understands that businesses faced with an inability to function will likely evaluate all options to protect their shareholders, employees, and customers. Regardless of the decision taken, the FBI encourages all ransomware victims to report attacks to their local FBI field office.

The post FBI: Ransomware Gangs Exploiting Corporate Financial Events to Facilitate Extortion appeared first on HIPAA Journal.

42% of Healthcare Organizations Have Not Developed an Incident Response Plan

Posted by HIPAA Journal

Hacks, ransomware attacks, and other IT security incidents account for the majority of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights, but data breaches involving physical records are also commonplace. According to the Verizon Data Breach Investigations Report, disclosed physical records accounted for 43% of all breaches in 2021, which highlights the need for data security measures to be implemented covering all forms of data.

The healthcare industry is extensively targeted by cybercriminals and cyberattacks increased during the pandemic. There was a 73% increase in healthcare cyberattacks in 2020, with those breaches resulting in the exposure of 12 billion pieces of protected health information, according to the 2021 Data Protection Report recently published by Shred-It.

The report is based on an in-depth survey of C-level executives, small- and medium-sized business owners, and consumers across North America and identifies several areas where organizations could improve their defenses against external and internal threats.

Healthcare data breaches are the costliest of any industry at an average of $9.23 million per incident and data breaches such as ransomware attacks put patient safety at risk. 62% of healthcare organizations said they thought a data breach would be costly, with 54% saying a data breach would have a major impact on their reputation. 56% of surveyed healthcare organizations said they have previously experienced a data breach, and 29% said they had experienced a data breach in the previous 12 months.

Due to the need to comply with HIPAA, healthcare organizations were better equipped than other industries to prevent and deal with security incidents, with 65% of surveyed healthcare organizations saying they have the appropriate information security tools and resources. While the healthcare industry was significantly more likely than any other industry to have an incident response plan, 42% of respondents said an incident response plan had not been implemented, even though having an incident response plan has been shown to shorten the recovery time and reduce the cost of a data breach.

75% of healthcare organizations said information security is a top priority at their organization, and 61% said they have hired a third-party security expert to evaluate their security practices. However, only 64% employ information security policies, less than half (48%) have regular infrastructure auditing, and only a third (33%) perform vulnerability assessments.

The survey revealed 22% of data breaches were the result of errors by employees. The biggest barriers to employees following information security policies and procedures were a lack of understanding of the threats and risks (49%), lack of accessibility or understanding of policies (41%), and a lack of consistent training and security awareness programs (10%).

While the healthcare industry is better prepared than many other industries, the survey shows there is significant room for improvement. Shred-It suggests healthcare organizations should develop a comprehensive plan covering all data, employ a data minimization strategy, take advantage of the cloud, invest in endpoint detection and response technology, develop an incident response plan, and encrypt all data on-premises, in the cloud, and in transit.

The post 42% of Healthcare Organizations Have Not Developed an Incident Response Plan appeared first on HIPAA Journal.

OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has advised HIPAA-covered entities to assess the protections that they have implemented to secure their legacy IT systems and devices.

A legacy system is any system that has one or more components that have been supplanted by newer technology and reached end-of-life. When software and devices reach end-of-life, support comes to an end, and patches are no longer issued to correct known vulnerabilities. That makes legacy systems and devices vulnerable to cyberattacks.

Healthcare organizations should be aware of the date when support will no longer be provided, and a plan should be developed to replace outdated software and devices; however, there are often valid reasons for continuing to use outdated systems and devices.

Legacy systems may work well and be well-tailored to an organization’s business model, so there may be a reluctance to upgrade to new systems that are supported. Upgrading to a newer system may require time, funds, and human resources that are not available, or it may not be possible to replace a legacy system without disrupting critical services, compromising data integrity, or preventing ePHI from being available.

HIPAA-covered entities should ensure that all software, systems, and devices are kept fully patched and up to date, but in healthcare, there are often competing priorities and obligations. If the decision is made to continue using legacy systems and devices, it is essential for security to be considered and for safeguards to be implemented to ensure those systems and devices cannot be hacked. That is especially important if legacy systems and devices can be used to access, store, create, maintain, receive, or transmit electronic protected health information (ePHI).

It is not a violation of the HIPAA Rules to continue using software and devices that have reached the end of life, provided compensating controls are implemented to ensure ePHI is protected. “Despite their common use, the unique security considerations applicable to legacy systems in an organization’s IT environment are often overlooked,” said OCR in its cybersecurity newsletter, which would violate the HIPAA Rules.

In healthcare, there may be many legacy systems and devices in use that need to be protected. Healthcare organizations need to have full visibility into the legacy systems that reside in their organization, as if the IT department is unaware that legacy systems are in use, compensating controls will not be implemented to ensure they are appropriately protected.

It is vital for a comprehensive inventory to be created that includes all legacy systems and devices and for a security risk assessment to be performed on each system and device. “The HIPAA Security Rule requires covered entities and their business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI throughout their environment, including ePHI used by legacy systems,” explained OCR in its recent cybersecurity newsletter.

Risks must be identified, prioritized, and mitigated to reduce them to a low and acceptable level. Mitigations include upgrading to a supported version or system, contracting with a vendor to provide extended support, migrating the system to a supported cloud-based solution, or segregating the system from the network.

If HIPAA-covered entities choose to continue maintaining a legacy system existing security controls should be strengthened or compensating controls should be implemented. OCR says consideration should be given to the burdens of maintenance, as they may outweigh the benefits of continuing to use the legacy system and plans should be made for the eventual removal and replacement of the legacy system.

In the meantime, OCR suggests the following controls for improving security:

  • Enhance system activity reviews and audit logging to detect unauthorized activity, with special attention paid to security configurations, authentication events, and access to ePHI.
  • Restrict access to the legacy system to a reduced number of users.
  • Strengthen authentication requirements and access controls.
  • Restrict the legacy system from performing functions or operations that are not strictly necessary
  • Ensure backups of the legacy system are performed, especially if strengthened or compensating controls impact prior backup solutions.
  • Develop contingency plans that contemplate a higher likelihood of failure.
  • Implement aggressive firewall rules.
  • Implement supported anti-malware solutions.

The post OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance appeared first on HIPAA Journal.