Healthcare Data Security

Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets

Posted by HIPAA Journal

Becton Dickinson (BD) has discovered a vulnerability in its Pyxis drug dispensing cabinets which could allow an unauthorized individual to use expired credentials to access patient data and medications.

The vulnerability was discovered by BD, which self-reported the flaw to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). ICS-CERT has recently issued an advisory about the flaw.

The vulnerability affects Pyxis ES versions 1.3.4 to 1.6.1 and Pyxis Enterprise Server with Windows Server versions 4.4 through 4.12.

The vulnerability – tracked as CVE-2019-13517 – is a session fixation flaw in which existing access privileges are not properly coordinated with the expiration of access when a vulnerable device is joined to an Active Directory (AD) domain.

This means the credentials of a previously authenticated user could be used to gain access to a vulnerable device under certain configurations. This would allow an attacker to obtain the same level of privileges as the user whose credentials are being used, which could give access to patient information and medications. Healthcare providers that do not use AD with the devices are unaffected.

The vulnerability has been assigned a CVSS V3 base score of 7.6 out of 10. ICS-CERT warns that the vulnerability is remotely exploitable and requires a low level of skill to exploit; however, BD notes that connecting the drug cabinets to hospital domains is an uncommon configuration and is not recommended by BD. Consequently, only a limited number of hospitals that use the drug carts will be affected.

The flaw has been addressed in the latest software release, v 1.6.1.1, which removes access to the file-sharing part of the Pyxis network.

Affected healthcare providers have been recommended to implement the following mitigations to reduce the risk associated with the vulnerability:

  • Never rely on expiration dates to remove users from the hospital’s Active Directory system
  • Remove users from the AD role that grants them access to the Pyxis ES system
  • Never place Pyxis ES systems on the hospital domain

BD is unaware of any cases where the vulnerability has been exploited to view data without authorization.

The post Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets appeared first on HIPAA Journal.

Study Confirms Why Prompt Data Breach Notifications Are So Important

Posted by HIPAA Journal

When healthcare organizations experience a data breach it is understandable that breach victims will be upset and angry. Information is provided to healthcare organizations in the understanding that safeguards have been implemented to keep that information private and confidential.

When patients and health plan members learn that their sensitive, private information has been exposed or stolen, many choose to take their business elsewhere.

According to a new study* by the credit reporting agency Experian, if the breach response is properly managed and the breached entity is transparent and issues notifications promptly, customer churn rate can be kept to an absolute minimum.

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires notifications to be issued to breach victims ‘without unreasonable delay’ and no later than 60 days from the discovery of the breach. However, a majority of patients expect to be notified much more quickly. The study showed 73% of patients/plan members expect to be notified about a breach within 24 hours of the breach being discovered.

Prompt data breach notifications can make a big difference. Patients and plan members are likely to be much more forgiving if they are informed about a data breach promptly. 90% of respondents said they would be somewhat forgiving if they knew that the breached organization had a plan in place for communicating with patients in the event of a data breach, but many organizations are not prepared for the worst.

Previous research conducted by Experian suggests 34% of breach response plans do not include customer notification and only 52% of companies have a data breach crisis or communications plan in place. If the communications team is made aware in advance of notification requirements, the people responsible for the communications are mapped out, and approval processes are planned in advance, it will allow notifications to be issued much more quickly.

While incredibly fast breach notifications are expected, in practice it is often not possible to issue notifications in such a short time frame. A phishing attack that results in an email account being subjected to unauthorized access requires every email in that email account to be checked for PHI. It is not always possible to automate that search effectively and manual checks are often required. It is therefore important to start investigations promptly, yet 84% of businesses did not include forensic analysis in their breach response plans which can lead to delays in issuing notifications.

Slow and ineffective communication is likely to add insult to injury following a data breach. 66% of respondents said slow breach notification and poor communication would likely see them stop doing business with the breached entity, and 45% of respondents would not only seek an alternative service provider, they would also instruct their friends and family members to do the same.

*Data for the report came from an Experian survey of 1,000 adults in the United States by consultancy firm KRC Research in July 2019.

The post Study Confirms Why Prompt Data Breach Notifications Are So Important appeared first on HIPAA Journal.

82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices

Posted by HIPAA Journal

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto.

For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study.

The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have potential to compromise end user safety, result in the loss of intellectual property, operational downtime and damage to the organization’s reputation. The failure to effectively secure the devices could also potentially result in a regulatory fine.

When asked about the consequences of a cyberattack on IoT devices, the biggest concern was theft of patient data, which was rated as the main threat by 39% of healthcare respondents. Attacks on IoT devices can also threaten patient safety. 20% of respondents considered patient safety a major risk and 30% of healthcare providers that experienced an IoT cyberattack said patient safety was actually put at risk as a direct result of the attack.

12% of respondents said theft of intellectual property was a major risk, and healthcare security professionals were also concerned about downtime and damage to their organization’s reputation.

The main impact of these attacks is operational downtime, which was experienced by 43% of companies, theft of data (42%), and damage to the company’s reputation (31%).

Mitigating IoT cyberattacks comes at a considerable cost. The average cost to resolve a healthcare IoT cyberattack was $346,205, which was only beaten by attacks on the transport sector, which cost an average of $352,639 to mitigate.

Even though there are known risks associated with IoT devices, it does not appear to have deterred hospitals and other healthcare organizations from using the devices. It has been estimated up to 15 million IoT devices are now used by healthcare providers. Hospitals typically use an average of 10-15 devices per hospital bed.

Securing the devices can be a challenge, but most healthcare organizations know exactly where the vulnerabilities are. They just lack the resources to correct those vulnerabilities.

Manufacturers need to do more to secure their devices. Security is often an afterthought and safeguards are simply bolted on rather than being incorporated during the design process. Fewer than half of device manufacturers (49%) said security is factored in during the design of the devices and only 53% of device manufacturers conduct code reviews and continuous security checks.

82% of device manufacturers expressed concern about the security of their devices and feared safeguards may not be enough to prevent a successful cyberattack. 93% of device manufacturers said security of their devices could be improved a little to a great deal, as did 96% of device users.

“The previous mindset of security as an afterthought is changing. 99 percent agree that a security solution should be an enabler of new business models, not just a cost,” explained the researchers in their recent report. “This clearly indicates that businesses realize the value add that security can bring to their organization.”

The post 82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices appeared first on HIPAA Journal.

OCR Offers Advice on Managing Malicious Insider Threats

Posted by HIPAA Journal

Healthcare organizations can implement robust defenses to prevent hackers from gaining access to sensitive data, but not all threats come from outside the organization. It is also important to implement policies, procedures, and technical solutions to detect and prevent attacks from within.

Healthcare employees require access to protected health information (PHI) to perform their work duties. While those individuals may be deemed trustworthy, providing access to PHI exposes the organization to risk. Workers can go rogue and access patient information without authorization and could easily abuse their access rights and steal patient data for financial gain.

There will always be the occasional bad apple, but the 2019 Verizon Data Breach Investigations Report suggests the problem is far more prevalent. According to the report, 59% of all security incidents and data breaches analyzed for the report were caused by insiders.

Many of those breaches were due to mistakes made by healthcare employees, but a significant percentage were caused by malicious insiders who stole patient information for financial gain. Common malicious insider attacks include accessing the medical records of celebrities for financial gain and stealing patient data to commit identity theft and fraud.

These attacks can have grave implications for patients, who may suffer huge losses from identity theft and other misuses of their PHI. The attacks can also cause financial and reputational harm to the healthcare organization and expose the organization to regulatory fines. Memorial Healthcare System was fined $5.5 million for HIPAA violations related to the inappropriate access and theft of health data by some of its employees in 2012.

This week, the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued advice to healthcare organizations on how they can reduce the risk of insider breaches and ensure they are detected rapidly when they do occur.

In its 2019 Summer Cybersecurity Newsletter, OCR offers tips on overcoming the challenges associated with protecting patient data from attacks from within and explains how risk can be managed to comply with HIPAA Rules.

In order to protect patient data, healthcare providers must know all locations whether patient information is stored and how that information flows throughout the organization. Without such knowledge it is impossible to conduct a thorough and accurate risk analysis to determine all risks to the confidentiality, integrity, and availability of patient data and reduce those risks to a reasonable an appropriate level.

Physical, technical and administrative access controls must be implemented to protect patient data against unauthorized access from within. Role-based access controls can help to reduce risk by preventing employees from accessing resources they are not authorized to use. Those controls should limit access to the minimum necessary information required to perform that individuals work duties.

OCR also reminds covered entities that they should control what individuals are able to do with patient data. If view only access is required, users should not be able to modify, delete, or download data. Controls should be implemented to prevent access from certain devices such as smartphones and the copying of data to portable storage devices such as zip drives.

The complex nature of healthcare IT systems makes it hard to achieve total visibility into the entire network and see every device in use. However, without full visibility, it is difficult to identify unauthorized data access quickly. OCR reminds covered entities that they must overcome the challenges and gain visibility into what users are doing on the network. Security teams must regularly check system, event, application, and audit logs in order to quickly detect suspicious activity and unusual patterns of data access. It may not be possible to prevent insider breaches, but when they occur, they must be identified and rectified promptly. There have been many cases of insiders accessing patient records without authorization for several years before the breach is detected.

Safeguards can be implemented, and policies and procedures developed to reduce risk, but those measures may not remain effective forever. Security is a dynamic process. Safeguards, policies and procedures need to be regularly assessed to ensure they continue to be effective. Access rights should be monitored and changed as appropriate when employees change role or transfer to a different department, and physical and electronic access to data must be terminated quickly when employees leave the organization.

Preventing and detecting attacks by malicious insiders is certainly a challenge, but by recognizing the risks and implementing appropriate safeguards, the risk of a breach can be managed and reduced to an acceptable level.

The post OCR Offers Advice on Managing Malicious Insider Threats appeared first on HIPAA Journal.

Ransomware Attack Impacts More Than 400 U.S. Dental Practices

Posted by HIPAA Journal

A ransomware attack on a medical record backup service has prevented hundreds of dental practices in the United States from accessing their patients’ records.

The attack occurred on August 26, 2019 and affected the DDS Safe backup solution developed by Wisconsin-based software company, Digital Dental Record (DDS). The DDS system was accessed via an attack on its cloud management provider, West Allis, WI-based PerCSoft. Ironically, the DDS website states DDS Safe helps to protect dental practices against ransomware attacks.

The attack did not affect all dental practices using the DDS Safe solution. Initial reports suggest between 400 and 500 of the 900 dental practices using the solution have been affected by the REvil/Sodinokibi ransomware attack.

PerCSoft, assisted by a third-party software company, has obtained a decryptor and is in the process of recovering the encrypted files. According to a statement from DDS, recovery of files is estimated to take between 30 minutes to 4 hours per client.

Some dental practices have reported file loss as a result of the attack and others have said the decryption process did not work. With the attack coming so close to the end of the month, several dental practices have expressed concern that the attack would prevent them from processing payroll payments. At the time of writing, around 100 dental practices have successfully recovered their files.

Since there is no free decryptor for REvil ransomware available through the NoMoreRansom project, it is highly probably that the ransom was paid. That has not been confirmed publicly by either company, although Brian Krebs of Krebs on Security said several sources have confirmed that PerCSoft paid the ransom to obtain the decryptor.

The ransom amount is unknown, but one Reddit user claims PerCSoft – or its insurer – paid $5,000 per client for the decryptor. That would put the total ransom demand at $2.5 million, which is the same as the demand for the coordinated Sodinokibi ransomware attack that affected 22 government entities in Texas earlier this month.

Both attacks impacted multiple entities by attacking a software provider or managed service provider (MSP). This appears to be the modus oprandi of the threat actors behind the attack. Another attack in June targeted the MSP platform, Webroot SecureAnywhere, which allowed REvil/Sodinokibi ransomware to be deployed on clients’ systems.

The threat actors behind REvil ransomware are running a ransomware-as-a-service operation using a limited number of affiliates to distribute the ransomware. By using a small number of experienced affiliates, the threat actors hope to stay under the radar.

On hacking forums, the threat actors have been trying to recruit affiliates, five of whom have been guaranteed earnings of $50,000. Other affiliates have been told they will earn a minimum of $10,000. The threat actors are offering affiliates 60% of any ransom payments they generate and claim to be experienced, ‘professional’ ransomware developers that have been working in the field for the past five years.

While the code for REvil ransomware differs significantly from other ransomware variants, Tesorion researchers have found code similarities with the now defunct GandCrab ransomware, which was decommissioned this year. The threat actors behind GandCrab claimed to have retired after earning so much money from their ransomware-as-a-service operation over the past 18 months, although Tesorion researchers suspect at least some of the individuals involved in GandCrab may have got involved with or are responsible for REvil ransomware.

Regardless of who is behind the attacks, they are unlikely to windup such a profitable operation any time soon. As long as ransom demands continue to be paid by businesses and their insurers, the attacks will continue.

The post Ransomware Attack Impacts More Than 400 U.S. Dental Practices appeared first on HIPAA Journal.

OMB Audit Confirms HHS Information Security Program is “Not Effective”

Posted by HIPAA Journal

The Office of Management and Budget (OMB) has submitted its annual report to Congress on the state of cybersecurity in federal agencies, as required by the Federal Information Security Modernization Act of 2014 (FISMA).

For the report, OMB assessed 4 of the 12 operating divisions of the Department of Health and Human Services (HHS) to assess compliance with FISMA and determined the HHS security program was ‘not effective.’ The agency had not achieved a Managed and Measurable level of maturity for the Identify, Protect, Detect, Respond and Recover functional areas.

The HHS was determined to be managing risk in the ‘Detect’ functional area but was at risk in the other four functional areas.

The HHS has been working on improving its security posture and progress has been made, but there is still a long way to go. OMB found major weaknesses in multiple areas, including identity and access management, risk management, contingency planning, and incident response.

OMB notes that since the HHS is operating in a federated environment, there are many challenges in achieving a ‘Managed and Measurable’ maturity level across all operating divisions.

While vulnerabilities exist in multiple areas, OMB determined that the HHS was aware of opportunities to strengthen its security program and ensure that its policies and procedures are implemented at all operating divisions across all areas of its security program.

The HHS is also working closely with the Department of Homeland Security and is implementing a Department-wide Continuous Diagnostics and Mitigation (CDM) program to ensure its networks and systems are constantly monitored, and progress toward addressing and implementing its security strategies is documented and reports are sent to DHS.

OMB explained that in order to achieve a Managed and Measurable maturity level, the HHS must ensure its CDM program is fully implemented. For the HHS that is likely to present many challenges.

“HHS also needs to continue to build towards a working model where all the functional areas interact with each other in real-time and provide holistic and coordinated responses to security events,” wrote OMB. “This will help to strengthen all aspects of its information security program in order for HHS to achieve its mission through an effective and coordinated information security program.”

The post OMB Audit Confirms HHS Information Security Program is “Not Effective” appeared first on HIPAA Journal.

July 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

May 2019 was the worst ever month for healthcare data breaches with 46 reported breaches of more than 500 records. More breaches were reported in May than any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record of 44 breaches was broken in July.

July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018.

July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July.

There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year.

Causes of July 2019 Healthcare Data Breaches

 

The main reason for the increase in reported data breaches in July is the colossal data breach at American Medical Collection Agency (AMCA). AMCA provides medical billing and collection services and its clients included some of the largest medical testing laboratories in the United States. Those clients have now been lost as a result of the breach.

The final victim count is not yet known, nor the number of records compromised in the breach. To date, 22 healthcare organizations have confirmed they have been affected and more than 24 million records are known to have been exposed. At least 8 healthcare organizations have not yet submitted their breach reports to OCR.

Healthcare Providers Impacted by the American Medical Collection Agency Data Breach

  Healthcare Organization Estimated Records Exposed Confirmed Victim Count
1 Quest Diagnostics/Optum360 11,900,000 11,500,000
2 LabCorp 7,700,000 10,251,784
3 Clinical Pathology Associates 2,200,000 1,733,836
4 Carecentrix 500,000 467,621
5 American Esoteric Laboratories 541,900 409,789
6 Inform Diagnostics 173,617 173,617
7 Laboratory Medicine Consultants 147,600 140,590
8 Integrated Regional Laboratories 29,644 29,644
21 Penobscot Community Health Center 13,000 13,299
9 West Hills Hospital and Medical Center / United West Labs 10,650 10,650
10 Seacoast Pathology, Inc 10,000 8,992
11 Arizona Dermatopathology 7,000 5,903
12 Western Pathology Consultants 4,550 4,079
13 Natera 3,000 3,035
14 Sunrise Medical Laboratories 427,000 TBC
15 BioReference Laboratories/Opko Health 422,600 TBC
16 CBLPath Inc. 148,900 TBC
17 CompuNet Clinical Laboratories 111,000 TBC
18 Austin Pathology Associates 46,500 TBC
19 South Texas Dermatopathology PLLC 16,100 TBC
20 Pathology Solutions 13,300 TBC
22 Laboratory of Dermatology ADX, LLC 4,240 TBC

 

Hacking and IT incidents dominated the breach reports in July with 35 incidents reported. Those breaches resulted in the exposure of 23,203,853 healthcare records. The average breach size was 662,967 records and the mean breach size was 4,559 records.

There were 9 unauthorized access/disclosure incidents in July involving 2,160,699 healthcare records. The average breach size was 240,077 records and the mean breach size was 3,881 records.

There were three theft incidents reported that involved 3,584 records, 2 loss incidents that exposed 4,593 records, and one improper disposal incident that exposed 3,000 records.

Largest Healthcare Data Breaches in July 2019

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI
Optum360, LLC Business Associate 11,500,000 Hacking/IT Incident Network Server
Laboratory Corporation of America Holdings dba LabCorp Healthcare Provider 10,251,784 Hacking/IT Incident Network Server
Clinical Pathology Laboratories, Inc. Healthcare Provider 1,733,836 Unauthorized Access/Disclosure Network Server
CareCentrix, Inc. Healthcare Provider 467,621 Hacking/IT Incident Network Server
Bayamon Medical Center Corp. Healthcare Provider 422,496 Hacking/IT Incident Network Server
Memphis Pathology Laboratory d/b/a American Esoteric Laboratories Healthcare Provider 409,789 Unauthorized Access/Disclosure Network Server
Laboratory Medicine Consultants, Ltd. Healthcare Provider 140,590 Hacking/IT Incident Network Server
Imperial Health, LLP Healthcare Provider 116,262 Hacking/IT Incident Desktop Computer, Network Server
Puerto Rico Women And Children’s Hospital, LLC Healthcare Provider 99,943 Hacking/IT Incident Network Server
Ameritas Life Insurance Corp. Health Plan 39,675 Hacking/IT Incident Email

Location of Breached Protected Health Information

There was a major increase in network server incidents in July. The rise was due to the AMCA breach but also an uptick in ransomware attacks on healthcare providers. Phishing also continues to pose problems for healthcare organizations. 21 of the breaches reported in July involved PHI stored in email accounts.

The number of reported phishing attacks strongly suggests multi-factor authentication has not yet been implemented by many healthcare organizations. If credentials are compromised, MFA can help prevent the email account from being remotely accessed.

July 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity in July with 39 breaches reported. Three health plans reported breaches and there were 8 breaches reported by business associates of HIPAA covered entities. A further 18 healthcare data breaches had some business associate involvement.

July 2019 Healthcare Data Breaches by State

July’s 50 data breaches were spread across 26 states and Puerto Rico. Typically, California experiences the most data breaches in any given month due to the number of healthcare organizations based in California; however, California only saw one healthcare data breach reported in July.

Minnesota was the worst affected state with 6 reported breaches. Four breaches were reported by healthcare organizations based in Michigan, Pennsylvania, and Texas. Three breaches were reported in Nevada and Tennessee, two breaches were reported in each of North Carolina, Ohio, Wisconsin, and Puerto Rico.

One breach was reported in each of Alabama, Arkansas, Arizona, California, Connecticut, Georgia, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Missouri, Nebraska, New Hampshire, New York, Oregon, and South Carolina.

HIPAA Enforcement Activity in July 2019

It has been a relatively quiet year for HIPAA enforcement by the HHS’ Office for Civil Rights. While there were two settlements agreed in May 2019 to resolve HIPAA violations, no further financial penalties have been announced.

State Attorneys General also have the authority to take action against healthcare organizations that have violated HIPAA Rules. July saw one settlement reached between Premera Blue Cross and 30 state attorneys general over its 10.4 million-record data breach in 2014.

Under the terms of the settlement agreement, Premera Blue Cross is required to pay a financial penalty of $10,000,000 to resolve the HIPAA violations discovered during the Washington Attorney General-led investigation.

In addition to the $10 million penalty, Premera Blue Cross settled a class action lawsuit for $74 million. $32 million will cover claims from breach victims and $42 million will be directed toward improving cybersecurity.

The post July 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Why Are Hackers Targeting the Healthcare Industry?

Posted by HIPAA Journal

The healthcare industry is under attack. More data breaches are being reported than ever before, but what is the motivation behind these attacks? Why are hackers targeting the healthcare industry? A new report from FireEye provides some answers.

For the report, FireEye researchers studied recent healthcare cyberattacks and identified the tactics being used, the actions of the hackers post-compromise, and what the ultimate goals of the attacks were.

The researchers were able to classify attacks into two groups: Those concerned with theft of data and disruptive/destructive threats.

Many attacks are focused on obtaining patient data although research data can also be extremely valuable. Cyberattacks concerned with obtaining research information have a low, but noteworthy impact risk to healthcare organizations. These attacks are most commonly associated with nation-state threat actors.

Cybercriminal gangs and nation-state sponsored hacking groups are investing time and resources into targeting specific healthcare organizations that store treasure troves of data. That could be a business associate serving many healthcare organizations or a large healthcare system.

Healthcare providers are susceptible to cyberattacks as many continue to use outdated and unsupported software and operating systems. Many cyberattacks are opportunistic and occur because healthcare providers have failed to address easily exploitable holes in their security defenses. However, it is now increasingly common for healthcare organizations to be targeted based on the amount of data they store.

Disruptive and destructive threats continue to be a major problem in the healthcare industry. Cybercriminals and nation-state threat actors are conducting attacks that aim to disrupt the continuity of operations. These threats include ransomware and wiper malware.

Cyber crime activity is financially motivated and poses a high-frequency, high-impact threat to healthcare organizations.  Personally identifiable information (PII) and protected health information (PHI) are commonly sought and the information can be used for many different malicious purposes, including financial fraud, medical identity theft, identify theft, and for crafting convincing phishing messages. The information is commonly bought and sold on darknet marketplaces and that activity is unlikely to stop.

Attacks are also being conducted to gain access to healthcare networks. Access is then sold to cybercriminal groups, nation state groups, and other threat actors. “In Feb. 6, 2019, on a popular Russian-language forum, “Jendely” advertised access to a U.S.-based medical institution. According to the advertisement, the actor obtained the domain administrator’s access to the network consisting of 3,000 hosts. The access is being auctioned for$9,000–$20,000 USD,” wrote the researchers.

FireEye researchers also observed attacks involving malware distribution, cryptomining, and other extortion attempts.

Nation state threats and cyber espionage is moderately frequent in healthcare but can have a major impact. Several APT groups have been observed conducting attacks on healthcare providers, including those linked to China, Russia, Vietnam. Hacktivism is rare in healthcare and may only have a negligible effect.

FireEye warns that there has been a concerted effort by Chinese APT groups to gain access to medical research data. China is moving toward universal health coverage in 2020 and is concerned about increasing cancer and mortality rates and the cost of providing national healthcare. Medical research can be used to advance drug research in China, lower costs, and could even result in drugs being developed and released in China ahead of companies in the United States that conducted the research.

The report (PDF) can be downloaded here.

The post Why Are Hackers Targeting the Healthcare Industry? appeared first on HIPAA Journal.

Study Raises Awareness of Threat of Lateral Phishing Attacks

Posted by HIPAA Journal

A recent study by the University of San Diego, University of California Berkeley, and Barracuda Networks has shed light on a growing threat to healthcare organizations – Lateral phishing.

In a standard phishing attack, an email is sent containing an embedded hyperlink to a malicious website where login credentials are harvested. The emails contain a lure to attract a click. That lure is often tailored to the organization being attacked. These phishing emails are relatively easy to identify and block because they are sent from outside the organization.

Lateral phishing is the second stage in the attack. When an email account is compromised, it is then used to send phishing emails to other employees within the organization. Phishing emails are also sent to companies and individuals with a relationship with the owner of the compromised account.

This tactic is very effective. Employees are trained to be suspicious of emails from unknown senders. When an email is received from a person in the organization that usually corresponds with the employee via email, there is a much higher chance of a requested action being taken.

Lateral phishing is one of several types of email account takeover attacks. One of the most common is Business Email Compromise (BEC). With BEC, the aim of the attack is to gain access to the credentials of the CEO. The account is then used to request fraudulent wire transfers. Lateral phishing is primarily concerned with credential theft rather than financial fraud. The goal is to compromise as many accounts as possible within an organization.

For the study, the researchers took a detailed look at phishing and lateral phishing attacks at 100 organizations and identified the strategies being used, the sophistication of the attacks, and which techniques were the most successful.

1 in 7 of the organizations studied had experienced a lateral phishing attack and 180 lateral phishing attacks were identified. In 11% of attacks, further email accounts within the organization were compromised. The researchers note that in 42% of cases, the lateral phishing emails were not reported to the IT department or security team. This failure to report could mean an account breach remains undetected and the compromised email account can continue to be used.

55% of the attacks targeted individuals with a personal or work relationship with the company and almost all emails were sent during regular working hours.

The attackers followed four main strategies when conducting attacks. The most common, used in 45% of attacks, was the sending of generic phishing messages. The most common lures were “shared document” and “account problem.” 63% of all lateral phishing emails were commonplace messages, 30% were refined messages, and 7% were highly targeted.

In 29% of attacks, the email account was used to send tailored messages to close and recent contacts. 25% of attacks involved sending messages to dozens to hundreds of employees. Only 1% of attacks were on business associates of the organization.

In 31% of cases, the phishers use stealth tactics to add realism to their campaigns and evade detection. It is common for emails to be deleted from the sent folder in the compromised account to ensure an account compromise is not detected by the account owner. The researchers found that emails were also deleted from the recipient’s account. This tactic was used in 19.5% of hijacked accounts. In 17.5% of cases, the attackers responded to replies from the recipient of the phishing email to convince them that the request was genuine.

Defending against these attacks requires a three-pronged approach. Security awareness training for employees is essential. All employees should be made aware of the threat of phishing from within the organization.

Two-factor authentication will help to ensure that even in the event that credentials are obtained, they cannot be used to remotely access an email account.

Finally, organizations should invest in advanced detection techniques and solutions that can identify and delete phishing emails before they reach end users’ inboxes.

The post Study Raises Awareness of Threat of Lateral Phishing Attacks appeared first on HIPAA Journal.