Healthcare Data Security

Alert Issued by Feds to Raise Awareness of Scams Related to COVID-19 Economic Payments

A joint alert issued has been issued by the IRS, DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury to raise awareness of the risk of phishing and other cyberattacks related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

The CARES Act has made $2 trillion available to support businesses and individuals adversely affected by the COVID-19 pandemic, which will help to reduce the financial burden through economic impact payments to eligible Americans. CARES Act payments are being used as a lure in phishing attacks to obtain personal and financial information and attempts have been made to redirect CARES Act payments. All Americans have been urged to be on the lookout for criminal fraud related to the CARES Act and COVID-19.

The U.S. Government reports that many cybercriminal groups are using stimulus-themed lures in phishing emails and text messages to obtain sensitive information such as bank account information. Financial institutions have been asked to remind their customers to practice good cybersecurity hygiene and to monitor for illicit account use and creation.

Criminals are using CARES Act-themed emails and websites to obtain sensitive information, spread malware, and gain access to computer networks. “Themes for these scams might include economic stimulus, personal checks, loan and grant programs, or other subjects relevant to the CARES Act. These CARES Act related cybercriminal attempts could support a wide range of follow-on activities that would be harmful to the rollout of the CARES Act.”

Threat actors may seek to disrupt the operations of organizations responsible for implementing the CARES Act, including the use of ransomware to interrupt the flow of CARES Act funds and to extort money from victims. Federal, state, local and tribal agencies are being urged to review their payment, banking, and loan processing systems and ramp up security to prevent attacks.

Foreign threat actors have been discovered to be submitting fraudulent claims for COVID-19 relief funds, with one Nigerian business email compromise (BEC) gang known to have submitted more than 200 fraudulent claims for unemployment benefits and CARES Act payments. The gang, known as Scattered Canary, has been submitting multiple claims via state unemployment websites to obtain payments using data stolen in W-2 phishing attacks. The gang has submitted at least 174 fraudulent claims with the state of Washington and more than a dozen with the state of Massachusetts. At least 8 states have been targeted to date.

The U.S. Government has been distributing threat intelligence and cybersecurity best practices to help disrupt and deter criminal activity and the U.S. Secret Service is currently focussed on investigative operations to identify individuals exploiting the pandemic to ensure they are brought to justice and any proceeds of the crimes are recovered.

The IRS has reminded taxpayers that it does not initiate contact with taxpayers via email, text message, or social media channels to request personal and financial information such as bank account numbers, credit card information, and PINs. The IRS has warned Americans that copycat domains that may be set up to obtain sensitive information and to carefully check any domain for transposed letters and mismatched SSL certificates. The IRS is only using is www.irs.gov and the IRS-run site, https://www.freefilefillableforms.com/.

All Americans have been advised to be vigilant and monitor their financial accounts for signs of fraudulent activity and to report any cases of phishing attacks and other scams to the appropriate authorities. They should also alert their employer if they feel they may have fallen for a scam and revealed sensitive information about their organization.

The alert, Avoid Scams Related To Economic Payments, COVID-19, can be viewed on this link.

The post Alert Issued by Feds to Raise Awareness of Scams Related to COVID-19 Economic Payments appeared first on HIPAA Journal.

Web Application Attacks Double as Threat Actors Target Cloud Data

The 2020 Verizon Data Breach Investigations Report shows malware attacks are falling as threat actors target data in the cloud.  This is the 13th year that the report has been produced, which this year contains an analysis of 32,002 security incidents and 3,950 confirmed data breaches from 81 global contributors in 81 countries.

The report confirms that the main motivator for conducting attacks is financial gain. 86% of all security breaches were financially motivated, up from 71% last year. 70% of breaches were due to external actors, with 55% of attacks conducted by cybercriminals.

67% of breaches were the result of credential theft or brute forcing of weak credentials (37%) and phishing and other social engineering attacks (25%). 22% of those breaches involved human error.

Only 20% of breaches were due to the exploitation of vulnerabilities. It should be noted that it is much easier to conduct attacks using stolen credentials rather than exploiting vulnerabilities, so the relatively low number of vulnerability-related attacks may not be due to organizations patching vulnerabilities more promptly.

The ease of conducting attacks using stolen or brute forced credentials has seen malware attacks become less popular. That said, ransomware is proving to be an attractive option, which has seen an increase from 24% to 27% of all malware related attacks.

There was a significant increase in web application attacks over the past 12 months, which doubled to 43% of all breaches. 80% of those breaches involved credential theft. With more organizations moving their data from traditional domain controllers and internal infrastructure, it is no surprise that there has been a sizeable increase in attacks on the cloud.

The data collected for the report does not cover the period of the COVID-19 public health emergency, when many organizations accelerated their cloud migration plans to allow more employees to work from home. It is likely that next year’s report will see an even higher percentage of attacks on cloud resources.

“As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount,” said Tami Erwin, CEO, Verizon Business. “In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious.”

Attack Trends Over the Past 6 Years

Source: Verizon

Cyberattacks and Insider Breaches in Healthcare

Financially motivated cyberattacks accounted for 88% of healthcare breaches, with many of the attacks involving ransomware. 4% of healthcare cyberattacks were conducted for fun and 3% of attacks were conducted out of convenience.

Verizon reports a significant increase in healthcare data breaches in the past 12 months. Last year’s report included 304 healthcare data breaches but this year the number has increased to 521 breaches. The figure below shows the patterns for cyberattacks in the healthcare industry. Crimeware includes malware and ransomware, which is the most common type of attack on healthcare organizations. As in other industry sectors, attacks on web applications are increasing.

Source: Verizon

The healthcare industry usually has a higher than average number of cases of privilege misuse, where insiders with access to sensitive data abuse their access rights to view or steal data. With so many employees given access to patient data and its high value on the black market, this is to be expected.

There is some good news in this year’s report. For the first time privilege misuse has dropped out of the top three causes of healthcare data breaches. This is part of a trend that can be seen across all industry sectors, which suggests that employees are thinking twice about accessing data without authorization and healthcare providers are getting better at protecting data.

Verizon notes that there has also been a decrease in breaches involving multiple actors, which is usually a third-party such as an identity thief working with an insider who supplies the data. In the 2019 report, 4% of breaches involved multiple actors whereas in 2020 the percentage dropped to 1%. The percentage of breaches caused by internal actors vs external actors also changed significantly. In the 2019 report, 59% of healthcare breaches were caused by internal actors with 42% caused by external attackers. This year’s report sees internal actors responsible for 48% of breaches with external actors accounting for 51% of breaches.

This year, the biggest cause of breaches in healthcare were miscellaneous errors and breaches of web applications. The main cause of those miscellaneous breaches was misdirection, which is the sending of emails to incorrect recipients and mass mailings that see letters sent to incorrect patients, such as happens when there is a mail merge error.

The post Web Application Attacks Double as Threat Actors Target Cloud Data appeared first on HIPAA Journal.

April 2020 Healthcare Data Breach Report

There were 37 healthcare data breaches of 500 or more records reported in April 2020, up one from the 36 breaches reported in March. As the graph below shows, the number of breaches reported each month has been fairly consistent and has remained well below the 12-month average of 41.9 data breaches per month.

Healthcare data breaches by month (2019-2020)

While the number of breaches increased slightly, there was a significant reduction in the number of breached healthcare records in April. 442,943 healthcare records were breached in April, down 46.56% from the 828,921 records breached in March. This is the second successive month where the number of exposed records has fallen. While this is certainly good news, it should be noted that in the past 12 months, 39.92 million healthcare records have been breached.

Healthcare records breached in the past 6 months

Largest Healthcare Data Breaches in April 2020

 

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Beaumont Health Healthcare Provider 112,211 Hacking/IT Incident Email
Meridian Health Services Corp. Healthcare Provider 111,372 Hacking/IT Incident Email
Arizona Endocrinology Center Healthcare Provider 74,122 Unauthorized Access/Disclosure Electronic Medical Record
Advocate Aurora Health Healthcare Provider 27,137 Hacking/IT Incident Email, Network Server
Doctors Community Medical Center Healthcare Provider 18,481 Hacking/IT Incident Email
Andrews Braces Healthcare Provider 16,622 Hacking/IT Incident Network Server
UPMC Altoona Regional Health Services Healthcare Provider 13,911 Hacking/IT Incident Email
Colorado Department of Human Services, Office of Behavioral Health Healthcare Provider 8,132 Unauthorized Access/Disclosure Network Server
Agility Center Orthopedics Healthcare Provider 7,000 Hacking/IT Incident Email
Beacon Health Options, Inc. Business Associate 6,723 Loss Other Portable Electronic Device

 

Causes of Healthcare Data Breaches in April

As was the case in March, hacking and IT incidents were the leading causes of healthcare data breaches. Unauthorized access/disclosure incidents were the next most common causes of breaches, an increase of 77.77% from the previous month.

333,838 records were compromised in the 18 reported hacking/IT incidents, which account for 75.37% of all records breached in April. The average breach size was 18,547 records and the median breach size was 4,631 records. There were 16 reported unauthorized access/disclosure incidents in April. The average breach size was 6,171 records and the median breach size was 1,122 records. In total, 98,737 records were breached across those 16 incidents.

There were two theft incidents reported in April, both involving portable electronic devices. The records of 3,645 individuals were stored on those devices. There was also one lost portable electronic device containing the records of 6,723 patients.

causes of healthcare data breaches in April 2020

The bar chart below shows the location of breached protected health information. The chart shows email is by far the most common location of breached health information. 48.65% of all reported breaches in April involved PHI stored in emails and email attachments. The majority of those breaches were phishing attacks. Most healthcare data breaches involve electronic data, but one in five breaches involved PHI in paper files and charts.

Location of breached PHI in April 2020

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in April with 30 breaches reported. 4 health plans reported a breach in April, and three breaches were reported by business associates of HIPAA-covered entities. A further 8 breaches had some business associate involvement.

Healthcare Data Breaches by State

April’s data breaches were reported by covered entities and business associates in 22 states. Florida and Texas were the worst affected with 4 breaches each. There were three data breaches reported in Michigan and Pennsylvania, and two breaches affecting covered entities and business associates based in California, Connecticut, Minnesota, Missouri, and Wisconsin. One breach was reported by entities based in Arkansas, Arizona, Colorado, Delaware, Indiana, Massachusetts, Maryland, North Carolina, New Mexico, Nevada, Tennessee, Utah, and Washington.

HIPAA Enforcement Activity in April

There were no financial penalties imposed on covered entities or business associates by state Attorneys General or the HHS’ Office for Civil Rights in April.

The post April 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Republicans and Democrats Introduce Competing Bills Covering COVID-19 Contact Tracing Apps

Two privacy bills have been introduced relating to COVID-19 contact tracing apps that are now being considered by Congress. The competing bills, introduced by Republican and Democratic lawmakers, share some common ground and look to achieve similar aims.

The first bill, the COVID-19 Consumer Data Protection Act, was introduced by Republican senators Roger Wicker (R-Miss), John Thune (R-S.D), Jerry Moran, (R-Kan), and Marsha Blackburn (R-Tenn) last month “to protect the privacy of consumers’ personal health information, proximity data, device data, and geolocation data during the coronavirus public health crisis.”

The bill would make it illegal for personal health information, proximity data, device data, and geolocation data to be collected unless notice was given to consumers about the purpose of collecting data and consumers are required to give their consent to the collection, processing, and transfer of their data. The bill prohibits the collection, use, or transfer of data for any secondary purposes.

The allowed purposed for the collection, processing, and transfer of data is limited to tracking the spread, signs, and symptoms of COVID-19; the collection, processing and transfer of an individual’s data to measure compliance with social distancing guidelines and other requirements related to COVID-19 imposed on individuals; and the collection, processing, or transfer of data for COVID-19 contact tracing purposes.

The bill also requires companies to allow individuals to opt out, provide transparency reports describing data collection activities, establish data minimization and data security requirements, define what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to prevent re-identification; and to require companies to delete collected data when the COVID-19 public health emergency is over.

According to Senator Thune, “This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens.”

The Democratic bill, the Public Health Emergency Privacy Act, was introduced by Representatives Anna G. Eshoo (D-Calif), Jan Schakowsky (D-Ill), Suzan DelBene(D-Wash), and Senators Richard Blumenthal (D-Conn) and Mark Warner (D-Va). The aim of the bill is to ensure there is transparency over the health and location data collected by contact-tracing apps and to give Americans control over the collection and use of their data. The bill also ensures that businesses can be held to account by consumers if their data is used for any activities other than the fight against COVID-19.

The bill requires health data to only be used for public health purposes; prohibits the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising or to gate access to employment, finance, insurance, housing, or education opportunities; prevents misuse of data by government agencies that have no role in public health; ensures meaningful data security and data integrity protections are implemented; prohibits conditioning the right to vote based on a medical condition or use of contact tracing apps; and requires reports to be regularly produced on the impact of digital collection tools on civil rights.

The bill requires the public to be given control over participation in contact tracing through opt-in consent, there must be meaningful transparency, and robust private and public enforcement. The bill also calls for the destruction of data within 60 days of the end of the public health emergency. The bill would not apply to HIPAA-covered entities or their business associates, which would continue to be required to comply with HIPAA Rules.

“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complimentary. However, if we do pursue digital contact tracing, consumers need clearly-defined privacy rights and strong enforcement to safeguard these rights,” said Rep. Jan Schakowsky.

Given the similarity of both bills and their common goals, it may be possible for some consensus to be reached on the content of any new legislation and for both sides to work together to get a bill passed to protect the privacy of Americans and ensure that data collected by COVID-19 contact tracing apps is not misused.

The post Republicans and Democrats Introduce Competing Bills Covering COVID-19 Contact Tracing Apps appeared first on HIPAA Journal.

CISA and FBI Publish List of Top 10 Exploited Vulnerabilities

On Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint public service announcement detailing the top 10 most exploited vulnerabilities between 2016 and 2019. These vulnerabilities have been exploited by sophisticated nation state hackers to attack organizations in the public and private sectors to gain access to their networks to steal sensitive data.

The vulnerabilities included in the list have been extensively exploited by hacking groups with ties to China, Iran, Russia and North Korea with those cyber actors are still conducting attacks exploiting the vulnerabilities, even though patches have been released to address the flaws. In some cases, patches have been available for more than 5 years, but some organizations have still not applied the patches.

Exploiting the vulnerabilities in the top 10 list requires fewer resources compared to zero-day exploits, which means more attacks can be conducted. When patches are applied to address the top 10 vulnerabilities, nation state hackers will be forced to develop new exploits which will limit their ability to conduct attacks.

“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries,” explains CISA and FBI in the alert.

CISA and the FBI hope the list will help organizations to prioritize patching and are urging all organizations to invest more time and resources into patching and develop a program that will keep all system patching up to date moving forward.

Top 10 Routinely Exploited Vulnerabilities

The top 10 list of routinely exploited vulnerabilities includes flaws in Microsoft Office, Microsoft Windows, Microsoft SharePoint, Microsoft .NET Framework, Apache Struts, Adobe Flash Player, and Drupal. Out of the top ten, most nation state hacking groups have concentrated on just three vulnerabilities – CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158 – all of which concern Microsoft’s OLE technology. Microsoft’s Object Linking and Embedding (OLE) allows content from other applications to be embedded in Word Documents. The fourth most commonly exploited vulnerability – CVE-2017-5638 – is present in the web framework, Apache Struts. These vulnerabilities have been exploited to deploy a range of different malware payloads including Loki, FormBook, Pony/FAREIT, FINSPY, LATENTBOT, Dridex, JexBos, China Chopper, DOGCALL, WingBird, FinFisher, and Kitty.

Priority Vulnerability Affected Products
1 CVE-2017-11882 Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
2 CVE-2017-0199 Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
3 CVE-2017-5638 Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
4 CVE-2012-0158 Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
5 CVE-2019-0604 Microsoft SharePoint
6 CVE-2017-0143 Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT
7 CVE-2018-4878 Adobe Flash Player before 28.0.0.161
8 CVE-2017-8759 Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
9 CVE-2015-1641 Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
10 CVE-2018-7600 Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1

 

A warning has also been issued about two vulnerabilities that have been exploited in attacks in 2020. These vulnerabilities both concern Virtual Private Network (VPN) solutions and have been exploited by nation state hackers and cybercriminal groups: The Citrix vulnerability CVE-2019-19781 and the Pulse Secure VPN vulnerability CVE-2019-11510.

The rush to implement cloud collaboration services such as Microsoft Office 365 to allow employees to work remotely due to COVID-19 has given hackers new options for attacking organizations. Hasty deployments of these solutions have led to oversights in security configurations which makes them vulnerable to attack. Cybersecurity weaknesses are also being targeted, such as poor employee education about phishing and social engineering. A lack of system recovery and contingency plans has also placed organizations at risk of ransomware attacks.

The post CISA and FBI Publish List of Top 10 Exploited Vulnerabilities appeared first on HIPAA Journal.

AMA Publishes Set of Privacy Principles for Non-HIPAA-Covered Entities

The American Medical Association (AMA) has published a set of privacy principles for non-HIPAA-covered entities to help ensure that the privacy of consumers is protected, even when healthcare data is provided to data holders that do not need to comply with HIPAA Rules.

HIPAA only applies to healthcare providers, health plans, healthcare clearinghouses (covered entities) and business associates of those entities. HIPAA requires those entities to protect the privacy of patients and implement security controls to keep their healthcare data private and confidential. When the same healthcare data is shared with an entity that is not covered by HIPAA, those protections do not need to be in place. HIPAA also gives patients rights over their health data, but those rights do not apply to health data sent to a non-HIPAA-covered entity.

The Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONS) have recently published rules to prevent information blocking and improve sharing of healthcare data. One requirement is to allow patients to have their health data sent to a third-party app of their choice. In most cases, the developers of those apps are not HIPAA-covered entities.

Discussions are taking place in Congress about new federal regulations covering healthcare data provided to non-HIPAA-covered entities and several legislative acts have been proposed, although none have so far attracted sufficient support.

The new privacy principles developed by the AMA are intended to give consumers greater control over their healthcare data when it is held by a non-HIPAA-covered entity and to inform discussions about new legislation to better protect privacy when health data is shared with third-parties outside of the healthcare system.

In a recent blog post announcing the new privacy principles, the AMA explained that patients’ confidence in the privacy and security of their data has been shaken. The business models of many tech companies involve gathering extensive information about consumers personal lives, in many cases with a lack of transparency and consent. There have been many scandals over personal data which have made consumers nervous about sharing data not only with tech companies but also with their healthcare providers.

Consumers are now less willing to provide health information to physicians, as they are worried that the information may not remain private and confidential and may even be shared with tech companies. The AMA is particularly concerned that the recent CMS and ONC rule changes will make it even more likely that patients will feel that they should withhold certain healthcare data from their healthcare providers.

The privacy principles will help to ensure that guardrails are placed around healthcare data and patients are given meaningful control over their healthcare data and will be told, in clear and easy to understand language, exactly how their health data will be used and with whom that information will be shared. The privacy principles also cover data that has not historically been considered to be personally identifiable such as IP addresses and mobile phone advertising identifiers but could in fact be used to identify an individual.

The privacy principles detail rights that individuals should have over their healthcare data and protections that need to be implemented to protect against healthcare data being used to discriminate against individuals. The AMA is also attempting to shift the responsibility for privacy from individuals to data holders, who must be responsible stewards of any data provided to them. In cases where privacy is violated, the AMA is calling for tough penalties to be imposed and for there to be robust enforcement of any new national privacy legislation. Robust enforcement will help to maintain trust in digital health tools, including smartphone apps that can be used to access healthcare data.

The privacy principles establish 12 rights that individuals should have over their health data, equity factors that must be taken into account in any privacy laws, and the responsibilities of data holders to protect the privacy of consumers. Also included are a set of requirements for enforcement of new privacy regulations covering health data.

“The AMA privacy principles set a framework for national protections that provide patients with meaningful control and transparency over the access and use of their data,” said AMA President Patrice A. Harris, M.D., M.A. “Preserving patient trust is critical if digital health technologies are to facilitate an era of more accessible, coordinated, and personalized care.

You can view the AMA’s privacy principles on this link.

The post AMA Publishes Set of Privacy Principles for Non-HIPAA-Covered Entities appeared first on HIPAA Journal.

Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues

Zoom reached an agreement with the New York Attorney General’s office and has committed to implementing better privacy and security controls for its teleconferencing platform. New York Attorney General Letitia James launched an investigation into Zoom after researchers uncovered a number of privacy and security issues with the platform earlier this year.

Zoom has proven to be one of the most popular teleconferencing platforms during the COVID-19 pandemic. In March, more than 200 million individuals were participating in Zoom meetings with usership growing by 2,000% in the space of just three months. As the number of users grew and the platform started to be used more frequently by consumers and students, flaws in the platform started to emerge.

Meeting participants started reporting cases of uninvited people joining and disrupting private meetings. Several of these “Zoombombing” attacks saw participants racially abused and harassed on the basis of religion and gender. There were also several reported cases of uninvited individuals joining meetings and displaying pornographic images.

Then security researchers started uncovering privacy and security issues with the platform. Zoom stated on its website that Zoom meetings were protected with end-to-end encryption, but it was discovered that Zoom had used AES 128 bit encryption rather than AES 256 bit encryption and its end-to-end encryption claim was false. Zoom was also discovered to have issued encryption keys through data centers in China, even though meetings were taking place between users in the United States.

Zoom used Facebook’s SDK for iOS to allow users of the iOS mobile app to login through Facebook, which meant that Facebook was provided with technical data related to users’ devices each time they opened the Zoom app. While Zoom did state in its privacy policy that third-party tools may collect information about users, data was discovered to have been passed to Facebook even when users had not used the Facebook login with the app.  There were also privacy issues associated with the LinkedIn Sales Navigator feature, which allowed meeting participants to view the LinkedIn profiles of other meeting participants, even when they had taken steps to remain anonymous by adopting pseudonyms. The Company Directory feature of the platform was found to violate the privacy of some users by leaking personal information to other users if they had the same email domain.

Zoom responded quickly to the privacy and security issues and corrected most within a few days of discovery. The firm also announced that it was halting all development work to concentrate on privacy and security. The company also enacted a CISO Council and Advisory Board to focus on privacy and security and Zoom recently announced that it has acquired the start-up firm Keybase, which will help to implement end-to-end encryption for Zoom meetings.

Under the terms off the settlement with the New York Attorney General’s office, Zoom has agreed to implement a comprehensive data security program to ensure its users are protected. The program will be overseen by Zoom’s head of security. The company has also agreed to conduct a comprehensive security risk assessment and code review and will fix all identified security issues with the platform. Privacy controls will also be implemented to protect free accounts, such as those used by schools.

Under the terms of the settlement, Zoom must continue to review privacy and security and implement further protections to give its users greater control over their privacy. Steps must also be taken to regulate abusive activity on the platform.

“This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call,” said Attorney General James.

The post Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues appeared first on HIPAA Journal.

Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers

Business email compromise scammers operating out of Nigeria have been targeting government healthcare agencies, COVID-19 research organizations, and pandemic response organizations to obtain fraudulent wire transfer payments and spread malware.

The attacks were detected by Palo Alto Networks’ Unit 42 team researchers and have been attributed to a cybercriminal organization called SilverTerrier. SilverTerrier actors have been highly active over the past 12 months and are known to have conducted at least 2.1 million BEC attacks since the Unit 42 team started tracking their activity in 2014. In 2019, the group conducted an average of 92,739 attacks per month, with activity peaking in June when 245,637 attacks were conducted.

The gang has been observed exploiting the CVE-2017-11882 vulnerability in Microsoft Office to install malware, but most commonly uses spear phishing emails targeting individuals in the finance department. The gang uses standard phishing lures such as fake invoices and payment advice notifications to trick recipients into opening malicious email attachments that install malware. A wide range of malware variants have been used by the gang, including information stealers such as Lokibot, Pony, and PredatorPain and remote administration tools to maintain persistent access to compromised systems. The gangs use malware to steal sensitive information and gain access to bank accounts and payroll systems. BEC attacks are also conducted to obtain fraudulent wire transfer payments.

Unit 42 researchers have tracked the activity of three threat actors from the group over the past 3 months who, between them, have conducted 10 COVID-19 themed malware campaigns on organizations involved in the national response to COVID-19 in Australia, Canada, Italy, the United Kingdom, and the United States.

Recent targets have included government healthcare agencies, local and regional governments, medical publishing companies, research firms, insurance companies, and universities with medical programs and medical centers. 170 distinct phishing emails have been identified by the researchers, several of which related to supplies of face masks and other personal protective equipment.

SilverTerrier attacks increased by 172% in 2019 and Palo Alto Networks reports there is no indication that the attacks will slow in 2020. “In light of this trend, we encourage government agencies, healthcare and insurance organisations, public utilities, and universities with medical programs to apply extra scrutiny to Covid-19-related emails containing attachments,” said the researchers. Since the attacks are mostly conducted by email, the best defense is training for staff to help them identify spear phishing emails and an advanced spam filtering solution to prevent the emails from being delivered to inboxes. It is also important to check to make sure that the CVE-2017-11882 Microsoft Office vulnerability and to continue to apply patches promptly.

 

The post Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers appeared first on HIPAA Journal.

HHS Has Been Slow to Address GAO High Priority Recommendations

The Department of Health and Human Services has been slow to address high priority recommendations from the Government Accountability Office (GAO). Out of the 54 high priority recommendations outlined in a GAO March 2019 report, only 13 (24%) have been addressed so far.

GAO explained in a letter to HHS’ Secretary Alex Azar that its November 2019 report showed that government-wide, 77% of GAO recommendations made 4 years ago had been implemented, but the implementation rate at the HHS was only 61%. As of April 2020, there were 405 outstanding recommendations.

The March 2019 report identified 54 high priority recommendations and a further 18 high priority recommendations have been made. The total number of outstanding high priority recommendations now stands at 55. Several of the outstanding recommendations relate to enhancing cybersecurity and fraud risk reduction.

GAO says there are nine open priority recommendations related to public health related programs and issues “that would help ensure that relevant federal agencies are coordinating, managing risks, and have the resources they need to respond to biological threats such as the COVID-19 pandemic.” Some of these recommendations would also help the HHS improve oversight of nursing homes to better protect residents from abuse.

Critical infrastructure in the United States, which includes healthcare, is heavily reliant on computer systems and electronic data, but serious cyber threats to that infrastructure continue to grow. There are currently at least 7 open priority recommendations related to cybersecurity that need to be addressed.

GAO reports that the HHS has not yet developed a cybersecurity risk management strategy that includes key risk-related elements. The Centers for Medicare and Medicaid Services (CMS) has yet to develop processes and procedures to ensure that researchers and other qualified entities have implemented information security controls effectively throughout their agreements with CMS. Progress also needs to be made toward implementing IT enhancements to establish the electronic public health situation awareness network.

Several of the recommendations have only been partially addressed. GEO explains that recommendations were made in July 2019 for HHS to develop a cybersecurity risk management strategy and establish processes for conducting an organization-wide security risk assessment. The HHS reported in January 2020 that it was “drafting a drafting a new cybersecurity risk management memo that will provide additional details of its cybersecurity risk management strategy,” which would also define process for the cybersecurity risk assessment.

“To fully address our recommendations, HHS must ensure that its strategy includes key elements, including a statement of risk tolerance and information on how the agency intends to assess, respond to, and monitor cybersecurity risks,” wrote GAO in the report. “In addition, HHS needs to establish a risk assessment process to allow the agency to consider the totality of risk derived from the operation and use of its information systems.”

Seven outstanding recommendations relate to the prevention of fraud. GAO points out that estimates of improper payment in the Medicare and Medicaid programs is unacceptably high and totaled more than $103 billion in fiscal year 2019. The GAO recommendations would help to significantly reduce that figure and are of critical importance. Those recommendations include assessing documentation requirements, taking steps to minimize program risks, and conducting prepayment claims reviews.

GAO recognizes the HHS and its component agencies are focused on the response to the coronavirus pandemic and has urged the HHS to address the high priority recommendations as soon as it is able to refocus its efforts. If the recommendations are implemented, GAO says they could “substantially improve HHS’s operations.”

The post HHS Has Been Slow to Address GAO High Priority Recommendations appeared first on HIPAA Journal.