Healthcare Data Security

15 Million Customers Potentially Impacted by Ransomware Attack on Large Canadian Medical Testing Company

A major data breach has been reported by one of Canada’s largest medical testing and diagnostics companies. Toronto-based LifeLabs said hackers have potentially gained access to the personal and health information of up to 15 million customers, most of whom are in British Columbia and Ontario. The number of people potentially affected makes this one of the largest healthcare ransomware attacks to date. The privacy commissioners in both provinces called the scale of the attack “extremely troubling.”

After gaining access to its systems, the attackers deployed ransomware and encrypted an extensive amount of customer data. The cyberattack is still under investigation, so it is unclear what, if any, data has been stolen. It has been confirmed that the attackers gained access to parts of the system that contained the test results of around 85,000 Ontarians. The test results were from 2016 and earlier. No evidence has been found to suggest more recent test results, or medical test results from customers in other areas, have been compromised.

Some of those test results include highly sensitive health information that could potentially be used for blackmail. Other sensitive data potentially accessed includes names, email addresses, health card numbers, dates of birth, usernames, and passwords. To date, it appears that the compromised information has not been misused and the data does not appear to have been disclosed online. Based on the initial findings of the investigation, the risk to customers is believed to be low.

It is unclear whether LifeLabs had viable backups to restore the data, but the decision was taken to pay the ransom. The amount of the ransom has not been publicly disclosed. “We wanted to get the data back,” said LifeLabs chief executive Charles Brown. “We thought it was the smart thing to do because it was just in the best interests of our customers.”

Cybersecurity and computer forensics experts were engaged to secure its systems and determine the full scope of the attack. It may take some time to discover whether any customer data has been stolen by the attackers.

The attack is believed to have started on or before November 1, 2019, but the cyberattack was only disclosed to the public on December 17, 2019. Affected individuals are now being notified and have been offered one year of complimentary credit monitoring and identity theft protection services.

The post 15 Million Customers Potentially Impacted by Ransomware Attack on Large Canadian Medical Testing Company appeared first on HIPAA Journal.

Blue Cross Blue Shield of Minnesota Starts Correcting 200,000 Critical and Severe Vulnerabilities

Blue Cross Blue Shield of Minnesota, the largest health insurer in the state, is now taking steps to fix around 200,000 unaddressed vulnerabilities on its servers that, in some cases, are more than a decade old.

In August 2018, Tom Yardic, a cybersecurity engineer at BCBS Minnesota discovered patches were not being applied on its servers, even though the vulnerabilities were rated critical or severe. The engineer met with executives at BCBS Minnesota to raise the alarm, yet no action appeared to be taken.

Around a month later, Yardic alerted the BCBS Minnesota board of trustees as a last resort to get action taken to address the flaws, according to a recent report in the Star Tribune.

According to the newspaper report, evidence was obtained that revealed vulnerabilities had not been addressed for many years. There were around 200,000 critical or severe vulnerabilities that had not been addressed on approximately 2,000 servers. Around 44% of the vulnerabilities were more than 3 years old and approximately 12% of the flaws dated back 10 or more years.

Approximately 3.9 million individuals are insured by BCBS Minnesota. The failure to correct the vulnerabilities in a reasonable time frame has placed their sensitive information at risk.

The Star Tribune spoke with officials at BCBS Minnesota who confirmed that work is now underway to correct the flaws and said it is trying to correct as many of the flaws as possible before the end of the year. According to the Star Tribune, “Minnesota Blue Cross did not dispute the accuracy of the number of past vulnerabilities” and said that the number of unaddressed vulnerabilities is now far lower and is much lower on workstations.

It is not surprising that a cybersecurity engineer has taken steps to get the flaws corrected. It is surprising that it took so long, especially following the cyberattacks on Anthem Inc., Premera Blue Cross, and Excellus BCBS in 2015 that resulted in the theft of the protected health information of more than 99.8 million Americans.

Surprisingly, given the sheer number of unaddressed vulnerabilities, BCBS Minnesota has never reported a data breach of its own systems since the HHS Office for Civil Rights started publishing summaries of data breaches on its breach portal in 2009.


Rep. Jayapal Seeks Answers from Google and Alphabet on Ascension Partnership

Pressure is continuing to be applied on Google and its parent company Alphabet to disclose information about how the protected health information (PHI) of patients of Ascension will be used, and the measures put in place to ensure PHI is secured and protected against unauthorized access.

The partnership between Google and Ascension was announced on November 11, 2019 following the publication of a story in the Wall Street Journal. A whistleblower at Google had shared information with the WSJ and expressed concern that millions of healthcare records had been shared with Google without first obtaining consent from patients. It was also alleged that Google employees could freely download PHI.

In its announcement, Google stated that the collaboration – named Project Nightingale – involved migrating Ascension’s infrastructure to the cloud and that it was helping Ascension implement G Suite tools to improve productivity and efficiency. Patient data was also being provided to Google to help develop AI and machine learning technologies to improve patient safety and clinical quality. When the migration of data has been completed, Google will have access to the health data of around 50 million patients.

Google has confirmed it is a business associate of Ascension and has signed a business associate agreement and is fully compliant with HIPAA regulations, but many privacy advocates are concerned about the partnership. Several members of Congress have also expressed concern and are seeking answers about the safeguards that have been put in place to secure patient data and how patient data will be used. The HHS’ Office for Civil Rights has also confirmed it is investigating Google and Ascension to make sure HIPAA Rules have not been violated.

Earlier this month, Rep. Pramila Jayapal (D-Washington), a member of the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law, wrote to Google and Alphabet expressing concern about the partnership. She has demanded answers to several questions about how protected health information has been obtained, the measures put in place to protect patient data, and how Google will be using the PHI.

“As Google and parent company Alphabet have engaged in an ever-widening acquisition of the highly personal health-related information of millions of people, Americans now face the prospect of having their sensitive health information handled by corporations who may misuse it,” wrote Rep. Jayapal in her Dec 6, 2019 letter. “I am especially concerned that your company has not provided sufficient assurances that this sensitive data will be kept safe, and that patients’ data is being acquired by your companies without their consent and without any opt-out provision.”

Rep. Jayapal is particularly concerned about how that information will be used. Google is amassing huge quantities of healthcare data from several sources. Google’s healthcare-focused AI unit, Medical Brain, is actively acquiring health data, Alphabet has partnered with the Mayo Clinic, and Google has acquired the UK startup, DeepMind. NHS data has already been provided to Google. Google is also looking to acquire Fitbit, which holds health-related data on 25 million users of its wearable devices.

“The fact that Google makes the vast majority of its revenue through behavioral online advertising—creating an incentive to commoditize all user information—renders the company’s expansion into health services all the more troubling,” wrote Rep. Jayapal.

Rep. Jayapal also pointed out that Google does not have a blemish-free track record when it comes to protecting health and medical information, referencing one incident in which chest X-ray images from the National Institute of Health were almost posted online before Google realized they contained personally identifiable information. She also stated there is an active lawsuit that claims Google companies have obtained patient information from a major medical facility and DeepMind was found to have violated the Data Protection Act in the UK by using patient data to develop new apps.

Rep. Jayapal has given Google and Alphabet until January 5, 2020 to answer her questions, as detailed below:


SpamTitan Top Rated AntiSpam Solution on Business Software Review Sites

The 2018 Verizon Data Breach Investigations Report showed phishing to be the primary method used by cybercriminals to infect healthcare networks with malware and steal financial information. Email was the attack vector in 96% of healthcare data breaches according to the report.

All it takes is for one employee to respond to a phishing email for a data breach to occur, so it is essential for a powerful email security solution to be deployed that will catch phishing emails, malware, ransomware, and other email-based threats.

Email security solutions can vary considerably from company to company. Some may be excellent at blocking email threats but can be difficult to use, others may fall short at detecting zero-day threats, and some fail to block many spam and phishing emails. All of the companies offering email security solutions claim that their products provide excellent protection, so selecting the best solution for your organization can be a challenge. Making the wrong decision can be a costly mistake.

When choosing an email security solution, third-party review sites are a godsend and can save you a lot of time in your search. Well-respected business software review sites allow verified users of software solutions to provide their feedback on products and let other businesses know which are easy to implement, which are easiest to use, which are most effective at blocking threats, and which companies provide great support when help is required.

It pays to check several different review sites to find the top-rated email security solutions by end users. Our search has highlighted one solution that is consistently rated highly across the leading review platforms: SpamTitan from TitanHQ.

Listed below are some of the many positive reviews from users of SpamTitan Email Security across the top review platforms:

G2 Crowd

G2 Crowd is the largest tech marketplace for business software. The site is used by IT decision makers to learn more about software solutions to help them realize their potential and protect their networks from the full range of cybersecurity threats.

On the G2 Crowd platform, SpamTitan is the top-rated email security solution with scores of 9.0 out of 10 for ease of admin, 9.1 for ease of use, 9.2 for ease of setup and quality of support, and 9.3 for ease of doing business with and meets requirements. The scores are based on 139 reviews from verified users. Across all reviews, SpamTitan achieved a score of 4.6 out of 5.

“I really like the customization that is available for this product. We have total control over the spam filter environment for all our customers. The environment is stable which is very important to us and our customers. The support staff was great when we were getting our environment configured. They were quick to reply to emails and reach out to assist us as needed. The spam filtering is top-notch and much better than other products we have used,” said Jeff Banks, Director of Technology.

Gartner Peer Insights

Gartner Peer Insights is a peer review site that is rigorously vetted by the leading research and advisory company, Gartner. Gartner provides impartial advice on the top software solutions without bias and with no hidden agenda. Gartner Peer Insights contains only real reviews from real business IT users.

SpamTitan has been rated by 112 users and achieved an average review score of 4.9 out of 5.

“TitanHQ claims that SpamTitan “blocks 99.9% of spam, viruses, and other threats that come through” and I can’t argue against it. It’s been running on my machines for a couple of years now and works very well. Rarely does anything useless go through to my inbox.” Information Technology Specialist, Healthcare Industry.

Capterra

Capterra is an online marketplace vendor founded in 1999 and bought by Gartner in 2015. Capterra serves as an intermediary between software buyers and sellers and is one of the leading sites where decision makers can find out more about software solutions from verified users.

There are 379 reviews of SpamTitan on Capterra. SpamTitan received an overall score of 4.6 out of 5 with individual scores of 4.4 for ease of use, 4.4 for features, 4.5 for value for money, and 4.6 for customer service.

“Overall, we are very happy with the product and the customer support. We did have to put some time into this product but now we have a custom-fit solution, with fault-tolerance (two servers at two locations, both locations have both internet and private WAN access to the Exchange server) and we’re saving thousands of dollars versus the managed solution we used to use. We can tighten things up if we wish, we have a lot of flexibility with this product. I rate it an excellent value. So much power, flexibility and fault-tolerance, for so little money.” Mike D Shields, Director of IT and Telecom.

“It’s as close to “set it and forget it” as you can come in the IT field. Right out of the box support helped me set everything up in less than 20 minutes, no hardware to worry about, nothing like that. Literally all I have to do is check to see if something was blocked incorrectly once in a while, white list it, and done. I’ve been using SpamTitan for almost a year and in that time we have blocked over 200k spam/malicious emails for a 30 person company before they even hit employee mailboxes. I shut off the service for 48 hours just to make sure it was legit, it was, and I haven’t shut it off again since.” Benjamin Jones, Director of Information Technology.

Google Reviews

112 business users of SpamTitan have submitted reviews of SpamTitan to Google. The email security solution achieved an average score of 4.9 out of 5.

“The Titan Spam filter is by far one of the best email filters I have ever used. It was simple to set up, and it allows users to release their own emails from quarantine quickly and easily. Thank you for making such a great quality product, and for having excellent technical support.” Joseph Walsh.

“Great product. Spam reduced to almost zero and no user complaints. Configuration is simple and support is awesome. Love it!” George Homme

Software Advice

379 users have left reviews of SpamTitan on the business software review site, Software Advice. The solution achieved an average score of 4.58 out of 5.

“Our previous product was not stable and didn’t filter out spam as well as we wanted. This tool exceeds our expectations!” Jeff, CatchMark Technologies.

Spiceworks

Spiceworks is a professional network specifically for information technology professionals, providing educational content, product reviews, and feedback from software users. Members of the Spiceworks community similarly rate SpamTitan very highly. The solution has been reviewed by 56 members and has achieved an average score of 4.6 out of 5.

SpamTitan is also the top-rated email security solution on SpamTitanReviews, with a score of 4.9 out of 5.


MSPs and Healthcare Organizations Targeted with New Zeppelin Ransomware Variant

A new ransomware variant is being used in targeted attacks on managed service providers, technology, and healthcare firms, according to security researchers at Blackberry Cylance.

Attacks are being conducted on carefully selected, high profile targets using a new variant of VegaLocker/Buran ransomware named Zeppelin. VegaLocker has been around since early 2019 and all variants from this family have been used to attack companies in Russian speaking countries.

The campaigns were broad and used malvertising to direct users to websites hosting the ransomware. The latest variant is being used in a distinctly different campaign that is much more targeted. Attacks have only been detected on companies in Europe, the United States, and Canada so far. If the ransomware is downloaded onto a device in the Russian Federation, Ukraine, Belorussia, or Kazakhstan, the ransomware exits and does not encrypt files.

Ransomware variants from the VegaLocker family have all been offered as ransomware-as-a-service and there are indications that the same is true of Zeppelin ransomware, although the Blackberry Cylance researchers believe different threat actors are responsible for the attacks. There have only been a small number of attacks so far, so this could indicate a limited number of individuals are conducting attacks and targets are being selected carefully.

Zeppelin ransomware is highly customizable and can be deployed as an EXE or DLL file. Samples have also been found that are wrapped in PowerShell loaders. The ransom notes are also customizable and can be changed to suit different campaigns. Several have been detected that incorporate the name of the company being attacked, further demonstrating the highly targeted nature of the campaign.

Attacks have been conducted on multiple tech and health firms as well as managed service providers. Attacks on the latter see MSP files encrypted, and through their remote administration tools, the ransomware is deployed on the systems of their clients. Attacks on service providers are becoming far more common and several threat actors have adopted this tactic, including those behind Ryuk and Sodinokibi ransomware.

Zeppelin ransomware incorporates several layers of obfuscation to evade security solutions, including the use of encrypted strings, pseudo-random keys, and code of different sizes. The encryption routine can also be delayed to avoid detection by heuristic analyses and to fool sandboxes. The ransomware can also stop backup services and delete backup files and shadow copies to hamper recovery without paying the ransom.
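The backup-tampering behaviour described above (stopping backup services, deleting shadow copies and backup catalogs) is one of the more reliable things a defender can alert on, because it normally happens minutes before encryption starts. The script below is an added example, not code from the Blackberry Cylance report or from HIPAA Journal: it runs a small rule set over process-creation records and escalates any host that trips more than one distinct rule. The event records, hostnames, user names and the backup service names in the last rule are constructed assumptions for the example; tune the service-name list to the backup products actually deployed.

```python
import re
from typing import Dict, List, Set

# Detection rules: (rule name, case-insensitive regex over the command line).
# The shadow-copy/catalog commands are the standard Windows tools these
# actions go through; the service-name alternation is an assumed placeholder.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("shadow_storage_resize",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("backup_service_stop",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*(backup|veeam|acronis)\S*", re.I)),
]

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "jdoe", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "srv02", "user": "backupsvc", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop VeeamBackupSvc /y"},
    {"host": "srv02", "user": "admin", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws03", "user": "asmith",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n report.docx"},
    {"host": "srv02", "user": "admin", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event whose command line matches a rule."""
    findings = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "rule": name, "cmdline": ev["cmdline"]})
                break  # first matching rule is enough for one event
    return findings


def hosts_with_multiple_rules(findings: List[Dict[str, str]]) -> Set[str]:
    """Hosts that tripped two or more distinct rules: escalate these first."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {host for host, rules in by_host.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit['host']:6} {hit['user']:10} {hit['rule']:24} {hit['cmdline']}")
    print("escalate:", sorted(hosts_with_multiple_rules(hits)))
```

Listing existing shadow copies is deliberately not a rule, and a single `vssadmin resize shadowstorage` from a known administrator account is routine on many servers; the value is in the combination of rules on one host in a short window, which is why the escalation function keys on distinct rule names rather than raw hit counts.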

After encryption, the original file name and extension are retained. File tags are used that include the word Zeppelin. The encryption routine uses symmetric file encryption (AES-256 in CBC mode) with a randomly generated key for each file, along with asymmetric encryption of the session key using a custom RSA implementation.

Some ransomware samples obtained by Blackberry Cylance researchers only encrypt the first 1000 bytes of a file. This is sufficient to render the files unusable but also speeds up the file encryption process so there is less chance of the attack being detected and stopped before file encryption has been completed.
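Because the file name and extension are retained and only the first 1000 bytes may be touched, neither a directory listing nor a full-file entropy check will reliably identify affected files during incident triage. The script below is an added example, not code from the report or the article: it compares the Shannon entropy of the first 1000 bytes against the remainder of the file and checks the leading bytes against the magic number expected for the extension. The sample files, the entropy thresholds and the magic-number table are constructed assumptions for the example; the high-entropy bytes are derived from SHA-256 so the sample is deterministic, and stand in for ciphertext.

```python
import hashlib
import math
from collections import Counter
from typing import Optional

HEAD_LEN = 1000        # number of leading bytes the partial-encryption samples touch
HIGH_ENTROPY = 7.0     # bits/byte; assumed threshold for "looks encrypted"
LOW_ENTROPY = 6.0      # bits/byte; assumed threshold for "looks like plain content"

# Assumed magic-number table: extension -> expected leading bytes.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of a byte string; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def magic_matches(filename: str, data: bytes) -> Optional[bool]:
    """True/False when the extension is in the table, None when it is unknown."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    expected = MAGIC.get(ext)
    if expected is None:
        return None
    return data.startswith(expected)


def triage(filename: str, data: bytes, head_len: int = HEAD_LEN) -> dict:
    """Classify a file by comparing head entropy with tail entropy."""
    head, tail = data[:head_len], data[head_len:]
    h_head = shannon_entropy(head)
    h_tail = shannon_entropy(tail) if tail else None   # None: file shorter than head_len
    if h_head >= HIGH_ENTROPY and (h_tail is None or h_tail >= HIGH_ENTROPY):
        verdict = "high_entropy_throughout"   # fully encrypted, or a natively compressed format
    elif h_head >= HIGH_ENTROPY and h_tail < LOW_ENTROPY:
        verdict = "partially_encrypted"       # scrambled head, readable remainder
    elif h_head >= HIGH_ENTROPY:
        verdict = "inconclusive"              # head high, tail in the grey zone
    else:
        verdict = "clean"
    return {"file": filename,
            "head_entropy": round(h_head, 2),
            "tail_entropy": None if h_tail is None else round(h_tail, 2),
            "magic_ok": magic_matches(filename, data),
            "verdict": verdict}


def _constructed_random_bytes(n: int, seed: bytes = b"constructed-example-seed") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed, not real)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample files: a plain PDF-like file, the same with its first
# 1000 bytes scrambled, and one scrambled end to end.
_BODY = b"lorem ipsum dolor sit amet, consectetur adipiscing elit " * 120
CLEAN_PDF = b"%PDF-1.4\n" + _BODY
PARTIAL_PDF = _constructed_random_bytes(HEAD_LEN) + _BODY
FULL_PDF = _constructed_random_bytes(HEAD_LEN + len(_BODY))

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PDF), ("partial", PARTIAL_PDF), ("full", FULL_PDF)):
        print(label, triage("report.pdf", blob))
```

Natively compressed formats (docx, xlsx, zip, jpeg) are high entropy from the first byte, so the entropy check alone would flag them; the magic-number check is what separates an intact docx from one whose header has been overwritten. Files shorter than 1000 bytes have no tail to compare, and the verdict for those falls back to the head-only judgement rather than a spurious "partially encrypted".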

As is common in these targeted attacks, a ransom note is dropped that provides email addresses for the victims to make contact with the attackers. This allows the attackers to set ransom demands based on the perceived ability of the victim to pay.

It is unclear what methods are being used to distribute Zeppelin ransomware. The researchers have found a sample on watering-hole websites, with the ransomware payload hosted on Pastebin, but several distribution methods may be used.

Protecting against attacks requires a combination of security solutions and the adoption of cybersecurity best practices. Block open ports, change all default passwords, disable RDP if possible, use an advanced spam filtering solution, apply patches promptly, and keep operating systems and software up to date. Ensure staff are trained and are following security best practices and make sure backups are regularly created and tested to make sure file recovery is possible. It is also essential for one backup copy to be stored securely on a device that is not connected to the network.


Microsoft Issues Advice on Defending Against Spear Phishing Attacks

Cybercriminals conduct phishing attacks by sending millions of messages randomly in the hope of getting a few responses, but more targeted attacks can be far more profitable.

There has been an increase in these targeted attacks, which are often referred to as spear phishing. Spear phishing attacks have doubled in the past year according to figures from Microsoft. Between September 2018 and September 2019, spear phishing attacks increased from 0.31% of email volume to 0.62%.

The volume may seem low, but these campaigns are laser-focused on specific employees and they are often very effective. The emails are difficult even for security-conscious employees to recognize, and many executives, and even IT and cybersecurity staff, fall for these campaigns. The emails are tailored to a specific individual or small group of individuals in a company; they are often addressed to that individual by name, appear to come from a trusted individual, and often lack the telltale signs of phishing present in more general phishing campaigns.

These attacks are more profitable as some credentials are more valuable than others. Spear phishing campaigns often target Office 365 admins. Their accounts can allow an attacker to gain access to the entire email system and huge quantities of sensitive data. New accounts can be set up on a domain with admin credentials, and those accounts can be used to send further phishing emails. New accounts are only used by the attacker, so there is a lower chance of the malicious email activities being discovered.

Spear phishers also seek the credentials of executives, as they can be used in business email compromise attacks in which employees with access to company bank accounts are tricked into making fraudulent wire transfers. Fraudulent wire transfers of tens of thousands, hundreds of thousands, or even millions may be made, malware can be installed, or the attacker can gain access to large quantities of highly sensitive data.

Spear phishers spend time researching their targets on social media networks and corporate websites. They learn about relationships between employees and different departments and impersonate other individuals in the company. They may even already have compromised one or more company email accounts in past phishing campaigns before going for the big phish on a big fish in the company. This is often referred to as a whaling attack. Spear phishing emails are often professional, credible, and are difficult to identify by end users.

As difficult as these spear phishing emails are to spot, there are steps that healthcare organizations can take to reduce risk. Many of these measures are the same as the steps that need to be taken to detect and block more general phishing campaigns.

The best place to start is with employee education. Security awareness training should be provided to everyone in the organization who uses email. Many of these spear phishing attacks start with a more general phishing campaign to gain a foothold in the email system.

The CEO and executives must also be trained, as they are the big fish that the spear phishing campaigns most commonly target. Any individual with access to corporate bank accounts or highly sensitive information should be given more training, and the training should be role-specific and cover the threats they are most likely to encounter.

Employees should be taught not just to check the true sender of an email, but to look specifically at the email address to see if something is not quite right. Phishing emails usually have a sense of urgency and usually a “threat” if no action is taken (account will be closed/suspended).

They often contain out-of-band requests that go against company policy such as fast-tracking payments, sending unusual data via email, or bypassing usual checks or procedures. The messages often contain unusual language or inconsistent wording.

When suspicious emails are received, there should be an easy mechanism for employees to report them to their security teams. A one-click email add-on for reporting messages is useful. Spear phishing campaigns are often sent to key people in a department simultaneously, so speaking to peers about messages is also useful. Policies should also be implemented that require checks to be performed before any large bank transfers are made. It should be company policy to double check atypical requests by phone, for instance.
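The indicators listed above (a sender address that is not quite right, urgency, a threat if no action is taken, out-of-band requests that go against policy) can be turned into a first-pass scoring check that a security team runs over messages employees report. The script below is an added example, not Microsoft's guidance or code from the article: it parses a raw message with the standard library, checks the sender domain against the organization's own for look-alikes, flags a Reply-To that routes replies elsewhere, and counts urgency and out-of-band phrases. The internal domain, the phrase lists, the weights, the threshold and both sample messages are constructed assumptions for the example.

```python
import email
from email import policy
from typing import Optional

INTERNAL_DOMAIN = "example-health.org"   # assumed internal domain for the example

# Assumed indicator phrases; extend them from messages actually reported.
URGENCY_PHRASES = ["urgent", "immediately", "within 24 hours", "right away",
                   "account will be closed", "will be suspended"]
OUT_OF_BAND_PHRASES = ["wire transfer", "gift card", "new bank details", "skip the usual",
                       "bypass", "do not call", "keep this confidential"]

# Assumed weights: header anomalies outweigh wording alone.
WEIGHTS = {"lookalike_sender_domain": 3, "display_name_spoof": 3,
           "reply_to_mismatch": 2, "urgency": 1, "out_of_band_request": 2}
REPORT_THRESHOLD = 4


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _first_address(msg, header: str):
    """First parsed mailbox of an address header, or None when absent."""
    h = msg[header]
    return h.addresses[0] if h is not None and h.addresses else None


def score_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = _first_address(msg, "From")
    reply_to = _first_address(msg, "Reply-To")
    from_domain = sender.domain.lower() if sender else ""

    # 1. Sender domain that is "not quite right": a near miss of the real one.
    if from_domain and from_domain != INTERNAL_DOMAIN \
            and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append("lookalike_sender_domain")
    # 2. Display name that shows an address on one domain while the real address is on another.
    if sender and "@" in sender.display_name:
        claimed = sender.display_name.rsplit("@", 1)[-1].strip().lower()
        if claimed != from_domain:
            findings.append("display_name_spoof")
    # 3. Replies silently routed to a different domain than the one shown.
    if reply_to and reply_to.domain.lower() != from_domain:
        findings.append("reply_to_mismatch")

    # 4. Wording: urgency and out-of-band requests, each capped so wording alone stays low.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")).lower()
    findings += ["urgency"] * min(2, sum(p in text for p in URGENCY_PHRASES))
    findings += ["out_of_band_request"] * min(2, sum(p in text for p in OUT_OF_BAND_PHRASES))

    score = sum(WEIGHTS[f] for f in findings)
    return {"score": score, "findings": findings,
            "verdict": "report_to_security" if score >= REPORT_THRESHOLD else "ok"}


# Constructed sample messages (not real mail).
PHISH = b"""From: Dana Reyes <dana.reyes@examp1e-health.org>
Reply-To: Dana Reyes <dana.reyes.cfo@mail-relay-example.net>
To: accounts.payable@example-health.org
Subject: Urgent wire transfer before 3pm
Content-Type: text/plain; charset=utf-8

I am in meetings all day so do not call. Please process the wire transfer
to the new vendor account immediately; we can skip the usual approval.
"""

BENIGN = b"""From: IT Service Desk <servicedesk@example-health.org>
To: staff@example-health.org
Subject: Scheduled maintenance Saturday
Content-Type: text/plain; charset=utf-8

The ticketing system will be offline Saturday 02:00-04:00 for patching.
No action is needed.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The two header checks carry most of the weight on purpose: a lone "urgent" in a subject line is common in legitimate mail, whereas a sender domain one character away from the organization's own, or a Reply-To pointing somewhere else, almost never is. The scorer is a triage aid for the reporting mechanism described above, not a replacement for the mail gateway's own filtering.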

Technical measures should also be introduced to detect and block attacks. An advanced spam filtering solution is a must. Do not rely on Exchange Online Protection alone with Office 365. Advanced Threat Protection from Microsoft or a third-party solution for Office 365 should be implemented; one that incorporates sandboxing, DMARC, and malicious URL analysis will provide greater protection.

Multi-factor authentication is also essential. MFA blocks more than 99.9% of email account compromise attacks. If credentials are compromised in an attack, MFA can prevent them from being used by the attacker.

Spear phishing is the principal way that cybercriminals attack organizations, and it often gives them the foothold they need for more extensive attacks on the organization. Spear phishing is a very real threat. It is therefore critical that organizations take these and other steps to combat attacks.


HIPAA Compliance Can Help Covered Entities Prevent, Mitigate, and Recover from Ransomware Attacks

Ransomware attacks used to be conducted indiscriminately, with the file-encrypting software most commonly distributed in mass spam email campaigns. However, since 2017, ransomware attacks have become far more targeted. It is now common for cybercriminals to select targets to attack where there is a higher than average probability of a ransom being paid.

Healthcare providers are a prime target for cybercriminals. They have large quantities of sensitive data, low tolerance for system downtime, and high data availability requirements. They also have the resources to pay ransom demands and many are covered by cybersecurity insurance policies. Insurance companies often choose to pay the ransom as it is usually far lower than the cost of downtime while systems are rebuilt, and data is restored from backups.

With attacks increasing in frequency and severity, healthcare organizations need to ensure that their networks are well defended and they have policies and procedures in place to ensure a quick response in the event of an attack.

Ransomware attacks are increasing in sophistication and new tactics and techniques are constantly being developed by cybercriminals to infiltrate networks and deploy ransomware, but the majority of attacks still use tried and tested methods to deliver the ransomware payload. The most common methods of gaining access to healthcare networks are still phishing and the exploitation of vulnerabilities, such as flaws that have not been patched in applications and operating systems. By finding and correcting vulnerabilities and improving defenses against phishing, healthcare providers will be able to block all but the most sophisticated and determined attackers and keep their networks secure and operational.

In its Fall 2019 Cybersecurity Newsletter, the Department of Health and Human Services explains that it is possible to prevent most ransomware attacks through the proper implementation of HIPAA Security Rule provisions. Through HIPAA compliance, healthcare organizations will also be able to ensure that in the event of a ransomware attack they will be able to recover in the shortest possible time frame.

There are several provisions of the HIPAA Security Rule that are relevant to protecting, mitigating and recovering from ransomware attacks, six of the most important being:

Risk Analysis (45 C.F.R. §164.308(a)(1)(ii)(A))

A risk analysis is one of the most important provisions of the HIPAA Security Rule. It allows healthcare organizations to identify threats to the confidentiality, integrity, and availability of ePHI, which allows those threats to be mitigated. Ransomware is commonly introduced through the exploitation of technical vulnerabilities, such as unsecured open ports, outdated software, and poor access management/provisioning. It is essential that all possible attack vectors and vulnerabilities are identified.

Risk Management (45 C.F.R. §164.308(a)(1)(ii)(B))

All risks identified during the risk analysis must be managed and reduced to a low and acceptable level. That will make it much harder for attackers to succeed. Risk management includes the deployment of anti-malware software, intrusion detection systems, spam filters, web filters, and robust backup systems.

Information System Activity Review (45 C.F.R. §164.308(a)(1)(ii)(D))

If an organization’s defenses are breached and hackers gain access to devices and information systems, intrusions need to be quickly detected. By conducting information system activity reviews, healthcare organizations can detect anomalous activity and take steps to contain attacks in progress. Ransomware is not always deployed as soon as network access is gained. It may be days, weeks, or even months after a network is compromised before ransomware is deployed, so a system activity review may detect a compromise before the attackers are able to deploy ransomware. Security Information and Event Management (SIEM) solutions can be useful for conducting activity reviews and automating the analysis of activity logs.

Security Awareness and Training (45 C.F.R. §164.308(a)(5))

Phishing attacks are often effective as they target employees, who are one of the weakest links in the security chain. Through regular security awareness training, employees will learn how to identify phishing emails and malspam and respond appropriately by reporting the threats to the security team.

Security Incident Procedures (45 C.F.R. §164.308(a)(6))

In the event of an attack, a fast response can greatly limit the damage caused by ransomware. Written policies and procedures are required and these must be disseminated to all appropriate workforce members so they know exactly how to respond in the event of an attack. Security procedures should also be tested to ensure they will be effective in the event of a security breach.

Contingency Plan (45 C.F.R. §164.308(a)(7))

A contingency plan must be developed to ensure that in the event of a ransomware attack, critical services can continue and ePHI can be recovered. That means that backups must be made of all ePHI. Covered entities must also test those backups to ensure that data can be recovered. Backup systems have been targeted by ransomware threat actors to make it harder for covered entities to recover without paying the ransom, so at least one copy of a backup should be stored securely on a non-networked device or isolated system.

The post HIPAA Compliance Can Help Covered Entities Prevent, Mitigate, and Recover from Ransomware Attacks appeared first on HIPAA Journal.

Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018

Cyberattacks on healthcare organizations have increased in frequency and severity in the past year, according to recently published research from Malwarebytes.

In its latest report – Cybercrime Tactics and Techniques: The 2019 State of Healthcare – Malwarebytes offers insights into the main threats that have plagued the healthcare industry over the past year and explains how hackers are penetrating the defenses of healthcare organizations to gain access to sensitive healthcare data.

Cyberattacks on healthcare organizations can have severe consequences. As we have seen on several occasions this year, attacks can cause severe disruption to day-to-day operations at hospitals, often resulting in delays in healthcare provision. In at least two cases, cyberattacks have resulted in healthcare organizations permanently closing their doors, and a recent study has shown that cyberattacks contribute to an increase in heart attack mortality rates. Even though the attacks can cause considerable harm to patients, they are increasing in frequency and severity.

Malwarebytes data shows the healthcare industry was the seventh most targeted industry sector from October 2018 to September 2019, but if the current attack trends continue, it is likely to be placed even higher next year.

Healthcare organizations are an attractive target for cybercriminals because they store a large volume of valuable data in EHRs, which in many cases is combined with the lack of a sophisticated security model. Healthcare organizations also have a large attack surface to defend, with large numbers of endpoints and other vulnerable networked devices. Given the relatively poor defenses and the high value of healthcare data on the black market, it is no surprise that the industry is so heavily targeted.

Detections of threats on healthcare endpoints were up 45% in Q3 2019, increasing from 14,000 detections in Q2 to 20,000 in Q3. Threat detections are also up 60% in the first three quarters of 2019 compared to all of 2018.

Many of the detections in 2019 were Trojans, notably Emotet in early 2019 followed by TrickBot in Q3. TrickBot is currently the biggest malware threat in the healthcare industry. Overall, Trojan detections were up 82% in Q3 from Q2, 2019. These Trojans give attackers access to sensitive data but also download secondary malware payloads such as Ryuk ransomware. Once data has been stolen, ransomware is often deployed.

Trojan attacks tend to be concentrated on industry sectors with large numbers of endpoints and less sophisticated security models, such as education, government, and healthcare. Trojans are primarily spread through phishing and social engineering attacks, exploits of vulnerabilities on unpatched systems, and as a result of system misconfigurations. Trojans are by far the biggest threat, but there have also been increases in detections of hijackers (up 98% in Q3), riskware (up 85%), adware (up 34%), and ransomware (up 15%).

Malwarebytes identified three key attack vectors that have been exploited in the majority of attacks on the healthcare industry in the past year: Phishing, negligence, and third-party supplier vulnerabilities.

Due to the high volume of email communications between healthcare organizations, doctors, and other healthcare staff, email is one of the main attack vectors and phishing attacks are rife. Email accounts also contain a considerable amount of sensitive data, all of which can be accessed following a response to a phishing email. These attacks are easy to perform as they require no code or hacking skills. Preventing phishing attacks is one of the key challenges faced by healthcare organizations.

The continued use of legacy systems, which are often unsupported, is also making attacks far too easy. Unfortunately, upgrading those systems is difficult and expensive, and some machines and devices cannot be upgraded. The problem is likely to get worse with support for Windows 7 coming to an end in January 2020. The slow rate of patching is why Malwarebytes is still detecting WannaCry ransomware infections in the healthcare industry. Many organizations have still not patched the SMB vulnerability that WannaCry exploits, even though a patch was released in March 2017.

Negligence is also a key problem, often caused by the failure to prioritize cybersecurity at all levels of the organization and to provide appropriate cybersecurity training to employees. Malwarebytes notes that investment in cybersecurity is increasing, but it often doesn’t extend to bringing in new IT staff and providing security awareness training.

As long as unsupported legacy systems remain unpatched and IT departments lack the appropriate resources to address vulnerabilities and provide end user cybersecurity training, cyberattacks will continue and the healthcare industry will continue to experience high numbers of data breaches.

The situation could also get a lot worse before it gets better. Malwarebytes warns that new innovations such as cloud-based biometrics, genetic research, advances in prosthetics, and a proliferation in the use of IoT devices for collecting healthcare information will broaden the attack surface even further. That will make it even harder for healthcare organizations to prevent cyberattacks. It is essential for these new technologies to have security baked into the design and implementation or vulnerabilities will be found and exploited.

The post Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018 appeared first on HIPAA Journal.

DHS Updates Top 25 Most Dangerous Software Errors List for First Time in 8 Years

The U.S. Department of Homeland Security’s Homeland Security Systems Engineering and Development Institute (HSSEDI) has updated its list of the 25 most dangerous software vulnerabilities. This is the first time in the past 8 years that the list has been updated.

The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors was first created in 2011. The list is an important tool for improving cybersecurity resiliency and is valuable to software developers, testers, customers, security researchers, and educators as it provides insights into the most prevalent and serious security threats in the software industry.

The list was originally compiled by analysts using a subjective approach for assessing vulnerabilities. Security researchers were interviewed, and industry experts were surveyed to find out which vulnerabilities were believed to be the most serious. HSSEDI, which is run by MITRE, used a different approach for assessing vulnerabilities: one based on real-world vulnerabilities that have been reported by security researchers.

“We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world,” explained CWE project leader Chris Levendis. “We will continue to mature the methodology as we move forward.”

25,000 common software vulnerabilities and exposures detailed in the National Vulnerability Database over the past two years were assessed and ranked. The new approach takes into account the prevalence of flaws, their severity, their potential for harm, and the likelihood of the flaws being exploited. Many serious vulnerabilities exist, but those whose impact is low or that are very rarely exploited were excluded from the list.

Prior to the update, Improper Neutralization of Special Elements used in an SQL Command (SQL injection) topped the list, but in the revised version it has fallen to position 6. The change in position does not reflect a change in the severity of SQL injection, as it still has the highest severity score (9.129 out of 10). Its overall score is 24.54 out of 100, because of other factors such as prevalence and frequency of exploitation.

Top position now goes to Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119), which has a score of 75.56 out of 100 and a severity score of 8.045 out of 10. This weakness occurs when software performs operations on a memory buffer but can read from or write to memory outside the bounds of that buffer. That can allow operations to be performed on memory locations that are associated with other variables, data structures, or internal program data, which could lead to the remote execution of arbitrary code, alteration of information flow, or system crashes.

Second spot was taken by Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting, CWE-79). The vulnerability has a relatively low severity score (5.778 out of 10), but its overall score was 45.69 out of 100 due to the high probability of exploitation, its prevalence in reports, and the fact that exploitation allows attackers to run unauthorized code.

Third spot went to Improper Input Validation (CWE-20), which has an overall score of 43.61 out of 100. The high score is due to the high probability of exploitation and potential for harm. This vulnerability has a severity score of 7.242 out of 10 and can be exploited to cause denial of service, execute unauthorized code, and read and modify memory.
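The bounds failure described for CWE-119 and the input validation (CWE-20) that prevents it, as an added C example that is not from the CWE list or the article; the record layout, field names, 16-byte buffer size and sample inputs are constructed for illustration:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NAME_MAX 16   /* constructed buffer size for this example */
/* Fixed-size record; on common ABIs record_id sits directly after name. */
struct patient_rec {
    char name[NAME_MAX];
    uint32_t record_id;
};
/* CWE-119 pattern: len comes from the input and is never compared with
 * sizeof(name), so an oversized field writes past the buffer into record_id
 * and beyond. Kept for contrast; it is not exercised below. */
void copy_name_unchecked(struct patient_rec *r, const uint8_t *in, size_t len)
{
    memcpy(r->name, in, len);
    r->name[len] = '\0';
}
/* Hardened form: validate the length (CWE-20) before touching memory and
 * leave the record unchanged on rejection. Returns 0 = copied, -1 = rejected. */
int copy_name_checked(struct patient_rec *r, const uint8_t *in, size_t len)
{
    if (in == NULL || len >= NAME_MAX)   /* keep room for the terminator */
        return -1;
    memcpy(r->name, in, len);
    r->name[len] = '\0';
    return 0;
}
/* A 20-byte field against a 16-byte buffer must be refused and the
 * neighbouring field must keep its value. Returns 1 when that holds. */
int oversized_field_is_rejected(void)
{
    const uint8_t field[] = "AAAAAAAAAAAAAAAAAAAA";   /* constructed input */
    struct patient_rec r = { .name = "x", .record_id = 0x1234 };
    int rc = copy_name_checked(&r, field, sizeof(field) - 1);
    return rc == -1 && r.record_id == 0x1234 && r.name[0] == 'x';
}
/* A field that fits is copied and NUL-terminated. Returns 1 when so. */
int fitting_field_is_copied(void)
{
    struct patient_rec r = { .name = "", .record_id = 0x1234 };
    int rc = copy_name_checked(&r, (const uint8_t *)"Ada", 3);
    return rc == 0 && strcmp(r.name, "Ada") == 0 && r.record_id == 0x1234;
}
int main(void)
{
    printf("rejected=%d copied=%d\n", oversized_field_is_rejected(), fitting_field_is_copied());
    return 0;
}
```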

The updated list can be viewed on the MITRE website.

The post DHS Updates Top 25 Most Dangerous Software Errors List for First Time in 8 Years appeared first on HIPAA Journal.