Healthcare Data Security

Ransomware Attacks Have Cost the Healthcare Industry at Least $157 Million Since 2016

A new study by Comparitech has shed light on the extent to which ransomware is used to attack healthcare organizations and the true cost of ransomware attacks on the healthcare industry.

The study revealed there have been at least 172 ransomware attacks on healthcare organizations in the United States in the past three years. 1,446 hospitals, clinics, and other healthcare facilities have been affected as have at least $6,649,713 patients.

2018 saw a reduction in the number of attacks, falling from 53 incidents in 2017 to 31 in 2018, but the attacks increased to 2017 levels in 2019 with 50 reported attacks on healthcare organizations.

74% of healthcare ransomware attacks since 2016 have targeted hospitals and health clinics. The remaining 26% of attacks have been on other healthcare organizations such as nursing homes, dental practices, medical testing laboratories, health insurance providers, plastic surgeons, optometry practices, medical supply companies, government healthcare providers, and managed service providers.

Ransom demands can vary considerably from attack to attack. Ransom demands have ranged from around $1,600 to $14 million, with attacks on healthcare organizations seeing demands of $16.48 million in ransoms since 2016. Comparitech confirmed healthcare organizations have paid at least $640,000 to attackers for the keys to unlock encrypted files, but the true cost is likely to be considerably higher as many victims prefer not to make that information public.

Attacks often see appointments cancelled and permanent data loss is a real possibility. The time, effort, and cost of remediating attacks can be too high for some smaller healthcare providers. At least two healthcare clinics have shut down their practices as a result of ransomware attacks in 2019.

Ransom payments represent just a small fraction of the total cost of an attack. Restoring systems from backups, or even using the decryption keys provided by the attackers, can take a considerable amount of time. Rebuilding systems and restoring data can take a few hours to several weeks or months and the downtime from ransomware attacks is one of the biggest costs.

For the study, Comparitech used several different healthcare resources, data breach reports, IT news sources, and HHS’ Office for Civil Rights data, along with data from studies on the cost of downtime from ransomware attacks. Based on that information, the researchers produced a low and high estimate of the downtime cost for all 172 confirmed attacks since 2016. The low estimate for the cost of downtime was $157,896,000 and the high estimate was $240,800,000.

“With hospitals and other health providers often being seen as “easy targets” for hackers, ransomware will continue to be a growing concern for organizations and patients alike,” wrote the researchers. “Even though most ransomware attacks to date have targeted patient data and hospital systems, there is potential for far worse… Without the right safety measures in place, hospitals may soon be facing ransomware attacks on life-saving equipment and technology as well as crucial patient data and systems.”

The post Ransomware Attacks Have Cost the Healthcare Industry at Least $157 Million Since 2016 appeared first on HIPAA Journal.

2019 Healthcare Data Breach Report

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018.

As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009.

37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019.

Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.

Largest Healthcare Data Breaches of 2019

The table below shows the largest healthcare data breaches of 2019, based on the entity that reported the breach.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
1 Optum360, LLC Business Associate 11500000 Hacking/IT Incident Network Server
2 Laboratory Corporation of America Holdings dba LabCorp Healthcare Provider 10251784 Hacking/IT Incident Network Server
3 Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. Health Plan 2964778 Hacking/IT Incident Network Server
4 Clinical Pathology Laboratories, Inc. Healthcare Provider 1733836 Unauthorized Access/Disclosure Network Server
5 Inmediata Health Group, Corp. Healthcare Clearing House 1565338 Unauthorized Access/Disclosure Network Server
6 UW Medicine Healthcare Provider 973024 Hacking/IT Incident Network Server
7 Women’s Care Florida, LLC Healthcare Provider 528188 Hacking/IT Incident Network Server
8 CareCentrix, Inc. Healthcare Provider 467621 Hacking/IT Incident Network Server
9 Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico Healthcare Provider 439753 Hacking/IT Incident Network Server
10 BioReference Laboratories Inc. Healthcare Provider 425749 Hacking/IT Incident Other
11 Bayamon Medical Center Corp. Healthcare Provider 422496 Hacking/IT Incident Network Server
12 Memphis Pathology Laboratory d/b/a American Esoteric Laboratories Healthcare Provider 409789 Unauthorized Access/Disclosure Network Server
13 Sunrise Medical Laboratories, Inc. Healthcare Provider 401901 Hacking/IT Incident Network Server
14 Columbia Surgical Specialist of Spokane Healthcare Provider 400000 Hacking/IT Incident Network Server
15 Sarrell Dental Healthcare Provider 391472 Hacking/IT Incident Network Server
16 UConn Health Healthcare Provider 326629 Hacking/IT Incident Email
17 Premier Family Medical Healthcare Provider 320000 Hacking/IT Incident Network Server
18 Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey Healthcare Provider 305737 Hacking/IT Incident Network Server
19 Navicent Health, Inc. Healthcare Provider 278016 Hacking/IT Incident Email
20 ZOLL Services LLC Healthcare Provider 277319 Hacking/IT Incident Network Server

 

The above table does not tell the full story. When a business associate experiences a data breach, it is not always reported by the business associate. Sometimes a breach is experienced by a business associate and the covered entities that they work with report the breaches separately, as was the case with American Medical Collection Agency (AMCA), a collection agency used by several HIPAA covered entities.

In 2019, hackers gained access to AMCA systems and stole sensitive client data. The breach was the second largest healthcare data breach ever reported, with only the Anthem Inc. data breach of 2015 having impacted more individuals.

HIPAA Journal tracked the breach reports submitted to OCR by each affected covered entity. At least 24 organizations are known to have had data exposed/stolen as a result of the hack.

Organizations Affected by the 2019 AMCA Data Breach

Healthcare Organization Confirmed Victim Count
Quest Diagnostics/Optum360 11,500,000
LabCorp 10,251,784
Clinical Pathology Associates 1,733,836
Carecentrix 467,621
BioReference Laboratories/Opko Health 425,749
American Esoteric Laboratories 409,789
Sunrise Medical Laboratories 401,901
Inform Diagnostics 173,617
CBLPath Inc. 141,956
Laboratory Medicine Consultants 140,590
Wisconsin Diagnostic Laboratories 114,985
CompuNet Clinical Laboratories 111,555
Austin Pathology Associates 43,676
Mount Sinai Hospital 33,730
Integrated Regional Laboratories 29,644
Penobscot Community Health Center 13,299
Pathology Solutions 13,270
West Hills Hospital and Medical Center / United WestLabs 10,650
Seacoast Pathology, Inc 8,992
Arizona Dermatopathology 5,903
Laboratory of Dermatology ADX, LLC 4,082
Western Pathology Consultants 4,079
Natera 3,035
South Texas Dermatopathology LLC 15,982
Total Records Breached 26,059,725

Causes of 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights assigns breaches to one of five different categories:

  • Hacking/IT incidents
  • Unauthorized access/disclosures
  • Theft
  • Loss
  • Improper disposal

59.41% of healthcare data breaches in 2019 were classified as hacking/IT incidents and involved 87.60% of all breached records. 28.82% of data breaches were classed as unauthorized access/disclosure incidents and involved 11.27% of all records breached in 2019.

10.59% of breaches were classed as loss and theft incidents involving electronic devices containing unencrypted electronic protected health information or physical records. Those incidents accounted for 1.07% of breached records in 2019.

1.18% of breaches and 0.06% of breached records were due to improper disposal of physical records and devices containing electronic protected health information.

Breach Cause Incidents Breached Records Mean Breach Size Median Breach Size
Hacking/IT Incident 303 36,210,097 119,505 6,000
Unauthorized Access/Disclosure 147 4,657,932 31,687 1,950
Theft 39 367,508 9,423 2,477
Loss 15 74,271 4,951 3,135
Improper Disposal 6 26,081 4,347 4,177

We have not tracked the cause of each breach reported in 2019, but the table below provides an indication of the biggest problem area for healthcare organizations – Securing email systems and blocking phishing attacks. The email incidents include misdirected emails, but the majority of email incidents were phishing and spear phishing attacks.

Healthcare Data Breaches by Covered Entity

77.65% of 2019 data breaches were reported by healthcare providers (369 incidents), 11.57% of breaches were reported by health plans (59 incidents), and 0.39% of data breaches were reported by healthcare clearinghouses (2 incidents).

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents) and 66 data breaches were reported by a covered entity which stated there was some business associate involvement.

States Worst Affected by Healthcare Data Breaches

Data breaches were reported by HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico. The worst affected state was Texas with 60 data breaches reported. California was the second most badly hit with 42 reported data breaches.

The only states where no data breaches of 500 or more records were reported were North Dakota and Hawaii.

State Breaches State Breaches State Breaches State Breaches State Breaches
Texas 60 Maryland 14 Arkansas 9 Alabama 4 Mississippi 2
California 42 Washington 14 South Carolina 9 Alaska 4 Montana 2
Illinois 26 Georgia 13 New Jersey 8 Iowa 4 South Dakota 2
New York 25 North Carolina 13 Massachusetts 7 Kentucky 4 Washington DC 2
Ohio 25 Tennessee 11 Puerto Rico 7 Nebraska 4 West Virginia 2
Minnesota 23 Arizona 10 Virginia 7 Oklahoma 4 Delaware 1
Florida 22 Colorado 10 Louisiana 6 Utah 4 Kansas 1
Pennsylvania 19 Connecticut 10 New Mexico 6 Wyoming 3 New Hampshire 1
Missouri 17 Indiana 10 Wisconsin 6 Idaho 2 Rhode Island 1
Michigan 16 Oregon 10 Nevada 5 Maine 2 Vermont 1

HIPAA Enforcement in 2019

The HHS’ Office for Civil Rights continued to enforce compliance with HIPAA at a similar level to the previous three years.

In 2019, there were 10 HIPAA enforcement actions that resulted in financial penalties. 2 civil monetary penalties were imposed and 8 covered entities/business associates agreed settlements with OCR to resolve HIPAA violations.

In total, $12,274,000 was paid to OCR in fines and settlements. The largest financial penalties of the year resulted from investigations of potential HIPAA violations by University of Rochester Medical Center and Touchstone Medical Imaging. Both cases were settled for £3,000,000.

OCR uncovered multiple violations of HIPAA Rules while investigating separate loss/theft incidents reported by University of Rochester Medical Center. OCR discovered risk analysis and risk management failures, a lack of encryption on portable electronic devices, and insufficient device and media controls.

Touchstone Medical Imaging experienced a data breach that resulted in the impermissible disclosure of 307,839 individuals’ PHI due to the exposure of an FTP server over the internet. OCR investigated and determined there had been risk analysis failures, business associate agreements failures, insufficient access rights, a failure to respond to a security incident, and violations of the HIPAA Breach Notification Rule.

Sentara Hospitals agreed to a $2.175 million settlement stemming from a 577-record data breach that was reported to OCR as only affecting 8 individuals. OCR told Sentara Hospitals that the breach notification needed to be updated to include the other individuals affected by the mailing error, but Sentara Hospitals refused. OCR determined a financial penalty was appropriate for the breach notification reporting failure and the lack of a business associate agreement with one of its vendors.

A civil monetary penalty of $2.154 million was imposed on the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS). Following a data breach, OCR investigated and found a compliance program that had been in disarray for several years. The CMP resolved multiple violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

A civil monetary penalty of $1,600,000 was imposed on Texas Department of Aging and Disability Services for multiple violations of HIPAA Rules discovered during the investigation of breach involving an exposed internal application. OCR discovered there had been risk analysis failures, access control failures, and information system activity monitoring failures, which contributed to the impermissible disclosure of 6,617 patients’ ePHI.

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general over the same breach and settled that case for $900,000.

The Carroll County, GA ambulance company, West Georgia Ambulance, was investigated over the reported loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR found there had been a risk analysis failure, there was no security awareness training program for staff, and HIPAA Security Rule policies and procedures had not been implemented. The case was settled for $65,000.

There was one financial penalty for a social media HIPAA violation. Elite Dental Associates respondents to patient reviews on Yelp, and in doing so impermissibly disclosed PHI. OCR determined a financial penalty was appropriate and the case was settled for $10,000.

OCR also launched a new HIPAA enforcement initiative in 2019, under which two settlements were reached with covered entities over HIPAA Right of Access failures. Korunda Medical and Bayfront Health St. Petersburg had both failed to respond to patient requests for copies of their health information within a reasonable time frame. Both covered entities settled their HIPAA violation cases with OCR for $85,000.

OCR HIPAA Settlements and Civil Monetary Penalties in 2019

HIPAA Enforcement by State Attorneys General in 2019

State attorneys general can also take action over violations of HIPAA Rules. There were three cases against covered entities and business associates in 2019. As previously mentioned, Medical Informatics Engineering settled a multi-state lawsuit and paid a financial penalty of $900,000.

A second multi-state action was settled by Premera Blue Cross. The lawsuit pertained to a 2015 hacking incident that resulted in the theft of 10.4 million records. The investigation uncovered multiple violations of violations of HIPAA Rules and resulted in a $10 million financial penalty.

The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had sent two mailings to its members in which highly sensitive information relating to HIV and Afib diagnoses was visible through the windows of the envelopes. The case was settled for $935,000.

The post 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Average Ransomware Payment Increased Sharply in Q4, 2019

A new report from the ransomware incident response firm Coveware shows payments made by ransomware victims increased sharply in Q4, 2019. The average ransomware payment doubled in Q4, as two of the most prolific ransomware gangs – Sodinokibi and Ryuk – shifted their attention to attacking large enterprises. In Q3, 2019 the average ransom payment was $41,198. In Q4, that figure jumped to $84,116, with a median payment of $41,179.

The large increase in ransom amounts is largely due to changing tactics of the two main ransomware gangs, Ryuk especially. Ryuk is now heavily focused on attacking large enterprises. The average number of employees at victim companies increased from 1,075 in Q3 to 1,686 in Q4. The largest ransom amount was $779,855.5 in Q4; a considerable jump from the largest demand of $377,027 in Q3.

In Q4, the most prevalent ransomware threats were Sodinokibi (29.4%), Ryuk (21.5%), Phobos (10.7%), Dharma (9.3%), DoppelPaymer (6.1%), and NetWalker (5.1%). 10.7% of attacks involved the Rapid, Snatch, IEncrypt or GlobeImposter ransomware variants.

Many of the above ransomware variants are distributed under the ransomware-as-a-service model, where affiliates can sign up and use the ransomware and retain a cut of the ransom payments. The more sophisticated gangs are cautious about who they accept as affiliates whereas some of the smaller ransomware gangs let anyone sign up. Only a handful of affiliates are used to distribute Sodinokibi, with some specializing in different types of attack. One Sodinokibi affiliate has extensive knowledge of remote monitoring and management tools and specializes in attacks on managed service providers.

Ransomware is mostly delivered as a result of brute forcing weak RDP credentials or purchasing stolen RDP credentials. This tactic is used in more than 50% of successful ransomware attacks, followed by phishing (26%) and the exploitation of software vulnerabilities (13%).

Coveware explained in its report that 98% of victims who paid the ransom were supplied with valid keys and were able to decrypt their files. The probability of success can vary greatly depending on the variant of ransomware involved. Some threat actors are known for defaulting and often do not supply valid keys, even after the ransom is paid. Threat groups associated with Rapid, Mr. Dec, and Phobos ransomware were named as being consistent defaulters. Those threat groups were also less selective and tended to work with any affiliate.

Even when valid decryptors are supplied, some data lost can be expected. Out of the companies Coveware helped recover data, on average, 97% of files were recovered. An average of 3% of files were permanently lost as files were corrupted during the encryption/decryption process. More sophisticated attackers, such as the Ryuk and Sodinokibi threat actors, tend to be more careful encrypting data to ensure file recovery is possible and their reputation is not damaged.

The average downtime from a ransomware attack increased from 12.1 days in Q3, 2019 to 16.2 days in Q4. This is largely due to an increase in attacks on large enterprises, which have complex systems that take much longer to restore.

The figures for the report naturally only include ransomware victims that have used Coveware to negotiate with the attackers and assist with recovery. Many firms chose to deal with their attackers directly or use other ransomware recovery firms.

The post Average Ransomware Payment Increased Sharply in Q4, 2019 appeared first on HIPAA Journal.

NIST Seeks Comment on Two Draft Cybersecurity Practice Guides on Ransomware and Other Data Integrity Events

The National Cybersecurity Center of Excellence at NIST (NCCoE) has released two draft cybersecurity practice guides on ransomware and other destructive events. The first guide concerns identifying and protecting assets (SP 1800-25) and the second concerns detection and response to cyberattacks that compromise data integrity (SP 1800-26).

The guides consist of three volumes, an executive summary; approach, architecture and security characteristics; and how to guides. They are intended to be used by executives, chief Information security officers, system administrators, or individuals who have a stake in protecting their organizations’ data, privacy, and overall operational security.

The first guide concerns the first two core functions of the NIST Cybersecurity Framework: Identify and Protect. Organizations need to take steps to protect their assets from ransomware, destructive malware, malicious insiders, and accidental data loss. In order to protect assets, organizations must first identify where they are located. Only then can the necessary steps be taken to secure those assets and protect against a destructive data event.

To develop the first guide, NCCoE explored different methods that can be used to identify and protect assets from different types of data integrity attacks in a range of environments. An example solution was built in the NCCoE lab using commercially available solutions to mitigate attacks before they occur. The example solution uses solutions that that provide secure storage, create backups for data, VMs, and file systems, generate event logs, assist with asset inventory, and provide integrity checking mechanisms.

By using the cybersecurity guide, organizations can identify their assets, assess vulnerabilities, and baseline the integrity and activity of systems to prepare for an attack. Backups can then be created and protected to ensure data integrity. The guide also helps organizations manage health by assessing machine posture.

The second guide concerns the Detect and Respond core functions of the NIST Cybersecurity Framework. The guide details how organizations can monitor data integrity and respond quickly to a security incident in real time. Fast action is necessary to contain a data integrity incident to minimize the harm caused. A fast response can greatly limit the damage caused and will help to ensure a quick recovery.

The guide covers event detection, vulnerability management, reporting capabilities, mitigation and containment, and provides detailed information on methods, tool sets to use, and strategies to adopt to aid the security team’s response to a data integrity event. The example solution consists of multiple systems working together to detect and respond to data corruption events in standard enterprise components such as mail servers, databases, endpoints, VMs, and file share servers.

NCCoE is seeking feedback from industry stakeholders on the new publications until February 26, 2020.

The post NIST Seeks Comment on Two Draft Cybersecurity Practice Guides on Ransomware and Other Data Integrity Events appeared first on HIPAA Journal.

65% of U.S. Organizations Experienced a Successful Phishing Attack in 2019

The 2020 State of the Phish report from the cybersecurity firm Proofpoint shows 65% of U.S. organizations (55% globally) had to deal with at least one successful phishing attack in 2019.

For the report, Proofpoint drew data from a third-party survey of 3,500 working adults in the United States, United Kingdom, Australia, France, Germany, Japan, Spain along with a survey of 600 IT security professionals in those countries. Data was also taken from 9 million suspicious emails reported by its customers and more than 50 million simulated phishing emails in the past year.

Infosec professionals believe the number of phishing attacks remained the same or declined in 2019 compared to the previous year. This confirms what may cybersecurity firms have found: Phishing tactics are changing. Cybercriminals are now focusing on quality over quantity.

Standard phishing may have declined, but spear phishing attacks are more common. 88% of organizations said they faced spear phishing attacks in 2019 and 86% said they faced business email compromise (BEC) attacks.

Phishing attacks are most commonly conducted via email, but phishing via SMS messages (Smishing), social media sites, and voice phishing over the telephone (vishing) are also commonplace. 86% of respondents said they experienced a social media phishing attack in the past 12 months, 84% experienced a smishing attack, and 83% experienced a voice phishing attack.

Source: Proofpoint State of the Phish Report, 2020.

Proofpoint’s report indicates there has been a decline in ransomware attacks since 2017, but IT professionals reported an increase in ransomware infections via phishing emails. This is due to the rise in popularity of ransomware-as-a-service, which allows individuals without the skills to develop their own ransomware variants to conduct attacks using ransomware developed by others.

When a ransomware attack is suffered, paying the ransom does not guarantee recovery of encrypted data. Only 69% of companies that paid the ransom regained access to their data after the first payment. 7% were issued with further demands which they refused to pay, resulting in data loss. 2% paid those extra demands and regained access to their files, and 22% said they did not recover data encrypted in the attacks.

Layered defenses are essential for combatting the threat from phishing, malware, and ransomware, but Proofpoint points out that technical defenses only go so far. What is also required is regular security awareness training for the workforce.

“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks,” said Joe Ferrara, senior vice president and general manager of security awareness training for Proofpoint.

95% of surveyed organizations said they provide security awareness training to the workforce and 94% of those that do provide training more frequently than once a year. The figures are good, but there is still considerable room for improvement. Only 60% of companies that provide training do so through formal cybersecurity education and 30% said they only provide training to a portion of their user base.

Training certainly appears to be having a positive effect, as there was a 67% increase in reported phishing emails in 2019 compared to 2018, so employees are taking training on board, are getting better at identifying threats, and are taking the correct action – reporting suspicious emails to their security teams.

The post 65% of U.S. Organizations Experienced a Successful Phishing Attack in 2019 appeared first on HIPAA Journal.

Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products

Critical vulnerabilities have been identified in GE Healthcare patient monitoring products by a security researcher at CyberMDX.

Elad Luz, Head of Research at CyberMDX, identified six vulnerabilities, five of which have been rated critical and one high severity. The five critical vulnerabilities have been assigned the maximum CVSS v3 score of 10 out of 10. The other vulnerability has a CVSS v3 score of 8.5 out of 10.

Exploitation of the flaws could render the affected products unusable. Remote attackers could also alter the functionality of vulnerable devices, including changing or disabling alarm settings, and steal protected health information stored on the devices.

CyberMDX initially investigated the CARESCAPE Clinical Information Center (CIC) Pro product, but discovered the flaws affected patient monitors, servers, and telemetry systems. The vulnerabilities have been collectively named MDHex and are tracked under the CVEs: CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020- 6965, and CVE-2020-6966. GE Healthcare has confirmed that the vulnerabilities could have serious consequences for patients and hundreds of thousands of devices may be affected.

CVE-2020-6961 (CVSS 10.0) is due to unprotected storage of credentials (CWE-256). The flaw could allow an attacker to obtain the SSH private key from configuration files via a SSH connection and remotely execute arbitrary code on vulnerable devices. The same SSH key is shared across all vulnerable products.

CVE-2020-6962 (CVSS 10.0) is an input validation vulnerability (CWE-20) in the configuration utility of the web-based system. If exploited, an attacker could remotely execute arbitrary code.

CVE-2020-6963 (CVSS 10.0) concerns the use of hard-coded Server Message Block (SMB) credentials (CWE-798). An attacker could establish an SMB connection and read or write files on the system. The credentials could be obtained through the password recovery utility of the Windows XP Embedded operating system.

CVE-2020-6964 (CVSS 10.0) is due to missing authentication for critical function (CWE-306) concerning the integrated Kavoom! Keyboard/mouse software. If exploited, an attacker could remotely input keystrokes and alter device settings on all vulnerable devices on the network without authentication.

CVE-2020- 6965 (CVSS 8.5) is due to the failure to restrict the upload of dangerous file types (CWE-434). An attacker could upload arbitrary files through the software update facility.

CVE-2020-6966 (CVSS 10.0) is due to inadequate encryption strength (CWE-326). Weak encryption is used for remote desktop control through VNC software, which cloud lead to remote code execution on vulnerable networked devices. The necessary credentials could also be obtained from publicly available product documentation.

According to a recent ICS-CERT Advisory, the following GE Healthcare products are affected:

  • ApexPro Telemetry Server, Versions 4.2 and prior
  • CARESCAPE Telemetry Server, Versions 4.2 and prior
  • Clinical Information Center (CIC), Versions 4.X and 5.X
  • CARESCAPE Telemetry Server, Version 4.3
  • CARESCAPE Central Station (CSCS), Versions 1.X; Versions 2.X
  • B450, Version 2.X
  • B650, Version 1.X; Version 2.X
  • B850, Version 1.X; Version 2.X

GE Healthcare is currently developing patches for the vulnerable products which are expected to be released in Q2, 2020. In the meantime, GE Healthcare has published a series of mitigations to reduce the risk of exploitation of the vulnerabilities.

Healthcare providers should follow standard network security best practices and ensure mission critical (MC) and information exchange (IX) networks have been configured correctly and meet the requirements outlined in the Patient Monitoring Network Configuration Guide, CARESCAPE Network Configuration Guide, and product technical and service manuals.

If connectivity is required outside the MC and/or IX networks, a router/firewall should be used. GE Healthcare recommends blocking all incoming traffic from outside the network at the MC and IX router firewall, except when required for clinical data flows.

The following ports should be blocked for traffic initiated from outside the MC and IX network: TCP Port 22 for SSH and TCP and UDP Ports 137, 138, 139, and 445 for NetBIOS and SMB as well as TCP Ports 10000, 5225, 5800, 5900, and 10001.

Physical access to Central Stations, Telemetry Servers, and the MC and IX networks should be restricted, password management best practices should be followed, and default passwords for Webmin should be changed.

Exploits for the vulnerabilities are not believed to have been made public and GE Healthcare is unaware of any attempted cyberattacks or injuries to patients as a result of the flaws.

The post Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products appeared first on HIPAA Journal.

Maze Ransomware Gang Publishes Research Data of Medical Diagnostic Laboratories

The operators of Maze ransomware are following through on their threats to publish data stolen from the victims of ransomware attacks when the ransom is not paid.

In December, the Carrollton, GA-based wire and cable manufacturer Southwire refused to pay a 200 BTC ransom ($1,664,320) and the threat actors went ahead and published some of the stolen data. Southwire filed a lawsuit in the Northern District of Georgia against the Maze team and the ISP hosting the Maze Team’s website. The case was won, and the website was taken offline; however, the website was back online with a different hosting provider a few days later.

Listed on the webpage are the names of the companies that have been attacked and refused to pay the ransom demand, along with some of the data stolen in the attacks.

One of those companies is New Jersey-based Medical Diagnostic Laboratories (MDLab). According to the Maze Team, MD Lab was attacked on December 2, 2019. MD Lab made contact with the Maze team, but negotiations stalled, and no ransom was paid.

According the Maze website, 231 workstations were encrypted in the attack. When MD Lab refused to negotiate, the Maze team went ahead and published 9.5GB of the company’s private research data, including immunology research. The Maze Team then advertised the stolen data on a hacking forum in an attempt to restart negotiations with the company. According to Bleeping Computer, 100GB of data was stolen in the attack. The Maze team have demanded a ransom payment of 100 BTC ($832,880) for the keys to unlock the encrypted files and a further 100 BTC payment to destroy the stolen data.

While threats have been issued in the past to publish data stolen in ransomware attacks, there have been no confirmed cases of attackers following through on their threats until the Maze gang started publishing data in December 2019. Currently, 29 companies are listed on the website as not having paid, along with samples of data stolen in the attacks.

Earlier this month, The Center for Facial Restoration, Inc. announced it had suffered a similar fate following a November 8, 2019 ransomware attack. The attackers stole patient data before deploying ransomware and issued ransom demands to the healthcare provider as well as 10-20 patients. Photographs and personal information of up to 3,500 are believed to have been stolen in the attack.

In order to steal data, access to the network must first be gained and the attackers then need to search for sensitive data and exfiltrate it without being detected. Since these types of attacks require more skill to pull off than a standard ransomware attack, they are likely to remain relatively limited. That said, these data theft incidents are becoming more common. Several ransomware operators, including the Sodinokibi and Nemty gangs, have now adopted this tactic and have been threatening to publish or sell stolen data to pressure victims into paying.

The post Maze Ransomware Gang Publishes Research Data of Medical Diagnostic Laboratories appeared first on HIPAA Journal.

Emergency Directives Issued by CISA and OCR to Mitigate Critical Windows Vulnerabilities

Microsoft has issued patches for several critical vulnerabilities in all supported Windows versions that require urgent attention to prevent exploitation. While there have been no reports of exploitation of the flaws in the wild, the seriousness of the vulnerabilities and their potential to be weaponized has prompted both the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS) to issue emergency directives about the vulnerabilities.

One of the vulnerabilities was discovered by the National Security Agency (NSA), which took the unusual step of reporting the vulnerability to Microsoft. This is the first time that a vulnerability has been reported by the NSA to a software vendor.

Windows CryptoAPI Vulnerability Requires Immediate Patching

The NSA-discovered vulnerability, tracked as CVE-2020-0601, affects Windows 10 and Server 2016/2019 systems. The vulnerability is due to how the Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. The flaw would allow a remote attacker to sign malicious code with an ECC certificate to make it appear that the code has been signed by a trusted organization.

The vulnerability could also be exploited in a man-in-the-middle attack. Malicious certificates could be issued for a hostname that did not authorize it and applications and browsers that rely on the Windows’ CryptoAPI would not issue any warnings or alerts. A remote attacker could exploit the flaw and decrypt, modify, or inject data on user connections undetected.

There are no reported cases of exploitation of the vulnerability, but the NSA believes it will not take long for advanced persistent threat (APT) groups to understand the underlying flaw and weaponize the vulnerability, hence the decision to report the flaw to Microsoft.

According to the NSA, “The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

Critical RCE Vulnerabilities in Windows Remote Desktop

Three pre-authentication vulnerabilities in Windows Remote Desktop have been patched by Microsoft. Two of the vulnerabilities – CVE-2020-0609 and CVE-2020-0610 – could allow a remote attacker to connect to servers and remotely execute arbitrary code without any user interaction. After exploiting the flaws they could install programs, view, change, or delete data, or create new accounts with full admin rights. The flaws could be exploited by sending a specially crafted request to a vulnerable server.

The third vulnerability – CVE-2020-0612 – could be exploited in a similar fashion and could allow an attacker to perform a denial of service attack and crash the RDP system.

The vulnerabilities are present in the RDP Gateway Server and Windows Remote Desktop Client and affect all supported versions of Windows and Windows Server.

Emergency Directives Issued by DHS and OCR

The Department of Homeland Security has determined the vulnerabilities to pose an unacceptable risk to the Federal enterprise and has issued an emergency directive (20-02) to all federal agencies calling for the patches to be applied on all affected endpoints within 10 business days and for technical and/or management controls to be put in place for newly provisioned or previously disconnected endpoints.

The seriousness of the vulnerabilities has prompted the HHS’ Office for Civil Rights to issue an emergency directive of its own to the healthcare industry and public sector. All healthcare and public health entities have been advised to apply the patches as soon as possible to ensure the vulnerabilities are not exploited.

The post Emergency Directives Issued by CISA and OCR to Mitigate Critical Windows Vulnerabilities appeared first on HIPAA Journal.

DHS Warns of Continuing Cyberattacks Exploiting Pulse Secure VPN Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to Pulse Secure customers urging them to patch the 2019 Pulse Secure VPN vulnerability, CVE-2019-11510.

Pulse Secure VPN servers that have not been patched are continuing to be attacked by cybercriminals. The threat actors behind Sodinokibi (REvil) ransomware are targeting unpatched Pulse Secure VPN servers and are exploiting CVE-2019-11510 to install ransomware. Several attacks have been reported in January 2020. In addition to encrypting data, the attackers are stealing and threatening to publish victims’ sensitive information. Last week data belonging to Artech Information Systems was published when the ransom was not paid.

CISA continues to see widespread exploitation of the flaw by multiple threat actors, including nation-state sponsored advanced persistent threat actors, who are exploiting the flaw to steal passwords, data, and deploy malware.

Exploitation of the vulnerability can allow a remote, unauthenticated attacker to gain access to all active VPN users and obtain their plain-text passwords. According to CISA, an attacker may also be able to execute arbitrary code on VPN clients when they successfully connect to an unpatched Pulse Secure VPN server.

Pulse Secure issued an advisory about the vulnerability on April 24, 2019 and patches were released to fix the flaw on all affected Pulse Connect Secure and Pulse Policy Secure versions, yet many organizations have been slow to apply the patches. Since there are no mitigations or workarounds that can be implemented to prevent exploitation of the vulnerability, the only solution is to apply the patches released by Pulse Secure.

CISA has urged all organizations to apply the patches as soon as possible to prevent exploitation of the vulnerability. It has been estimated that around 10% of Pulse Secure customers have not yet applied the patch and are vulnerable to attack.

The post DHS Warns of Continuing Cyberattacks Exploiting Pulse Secure VPN Vulnerability appeared first on HIPAA Journal.