Healthcare Data Security

Ransomware Attacks Increased by 195% in Q1, 2019 but Trojans Remain the Biggest Threat

Malwarebytes has released a new report detailing the current tactics and techniques being used by cybercriminals to gain access to business networks and sensitive data.

Malwarebytes’ Cybercrime Tactics and Techniques Q1 2019 report was compiled using data collected by its intelligence and data science teams, together with telemetry from its consumer and business products, between January 1 and March 31, 2019.

The report reveals there has been a 235% increase in cyberattacks on corporate targets in the past 12 months. There has also been a marked decline in cryptomining and other threats on consumers, which fell by 40% in 2018. It is clear from the report that cybercriminals are concentrating their efforts on attacking businesses and SMBs are most at risk as they typically lack the resources to significantly improve their cybersecurity defenses.

The report shows that Trojans are currently the biggest malware threat. Attacks involving Trojans are up 650% from the same time last year and attacks increased by 200% in Q1, 2019. The biggest threat is Emotet, which Malwarebytes describes as the “most fearsome and dangerous threat to businesses today.”

Emotet is now almost exclusively used to attack businesses. Emotet is an information stealer most commonly spread via phishing emails and the EternalBlue exploit. It has self-propagation functionality and can send copies of itself via email to contacts. It can also download other malware variants such as Ryuk ransomware.

While ransomware attacks on businesses declined in 2018, they are now on the rise and increased by 195% in the first quarter of 2019. Compared to this time last year, ransomware detections at businesses are up by more than 500%. Malwarebytes notes that the large increase in detections in 2019 is, to a large extent, due to a massive Troldesh ransomware campaign targeting U.S. businesses in Q1. There were 336,634 detections of ransomware at businesses in Q1, 2019. As is the case with Trojans, ransomware attacks on consumers have also declined and are down 33% compared with this time last year.

Even though ransomware attacks were down in 2018, the FBI’s Internet Crime Complaint Center (IC3) indicates losses are up. $3.6 million in losses were reported to IC3 in 2018, although it should be noted that not all businesses declare ransomware attacks or the losses sustained, so the true figure is likely to be considerably higher. Further, those losses concern ransom payments, not other losses associated with the attacks.

Cryptocurrency mining malware is still a major threat for businesses, although attacks on consumers have been essentially negligible since CoinHive shut down its operations in March.

The use of adware has increased, in particular on mobile and Mac devices. Mac malware detections were up 60% in Q1, 2019 while adware detections were up 200% on Q4, 2018.

Cybersecurity protections have improved in the healthcare industry, although there is still considerable room for improvement. “The healthcare industry is no longer circling the drain, but it’s still in critical condition,” explained Malwarebytes.

As with other industry sectors, Trojans are the biggest malware threat and account for 79% of malware detections at healthcare organizations. Riskware is the second biggest threat. While riskware is not inherently malicious, it is capable of altering the functionality of other programs and can prevent patches from being installed, which leaves healthcare organizations vulnerable to attack. Ransomware, spyware, and worms each account for 3% of malware detections at healthcare organizations.

Emotet accounted for 37% of all healthcare industry Trojan detections. A further 34% were Trojans that posed as legitimate Microsoft files.

Cryptocurrency mining malware is also commonly used in attacks on healthcare organizations. Malwarebytes notes that 17% of healthcare systems showed signs of having this type of malware installed.

Ransomware attacks continue to plague the healthcare industry. While many variants are used, what is worrying is that WannaCry (WannaCrypt) is still in use and is affecting a wide range of industry sectors, including healthcare. This threat can be blocked with the MS17-010 patch that was released in March 2017, yet many healthcare organizations are still vulnerable as the patch has not been applied.

The most common spyware infections were secondary infections that occurred following infection with either Trickbot or Emotet. The spyware acts as an information stealer that runs in the background, captures keystrokes, and sends them back to the attackers’ C2 servers.

Worm.Parite is the only worm threat affecting the healthcare sector. It is most commonly distributed via emailed .exe and .scr files. Worms can spread rapidly across a network and leave systems vulnerable to further exploitation and malware attacks.

The post Ransomware Attacks Increased by 195% in Q1, 2019 but Trojans Remain the Biggest Threat appeared first on HIPAA Journal.

OIG Gives HHS Information Security Program Rating of “Not Effective”

The U.S. Department of Health and Human Services’ Office of Inspector General (OIG) has released a report on its annual review of the HHS to assess compliance with the Federal Information Security Management Act of 2014 (FISMA).

An audit of the HHS information security program was conducted by Ernst & Young LLP in 2018 on behalf of OIG. The audit uncovered several security weaknesses in the HHS information security program, including some areas where security had deteriorated compared to the 2017 review. As a result of those weaknesses, the HHS information security program was determined to be “not effective”.

OIG notes in its report that the HHS has made efforts to strengthen security across the entire agency, but overall, those efforts were insufficient to raise the level of maturity of its information security program to the ‘managed and measurable’ level in the five cybersecurity framework areas: Identify, Protect, Detect, Respond, and Recover.

In order to attain the managed and measurable level, it is critical for the HHS to implement a continuous diagnostics and mitigation (CDM) program. The HHS has made some progress in this regard and is working with the Department of Homeland Security to ensure its networks and computer systems are continuously monitored and is documenting its progress toward meeting its goals.

Through the CDM program, the HHS will be able to achieve a higher level of maturity for its information security program in years to come, but at present several weaknesses exist in eight key areas across the five cybersecurity framework function areas:

  • Identify: Risk management
  • Protect: Configuration management, identity and access management, data protection and privacy, and security training
  • Detect: Information security continuous monitoring
  • Respond: Incident response
  • Recover: Contingency planning

OIG found the HHS had improved in the Identify and Protect areas, but its maturity rating had reduced in the Respond area.

“HHS needs to continue to build towards a working model where all the functional areas interact with each other in real-time and provide holistic and coordinated responses to security events,” wrote OIG in its report. “This will be achieved as HHS deploys the CDM tools, continues to modernize their IT processes and optimize their security controls, as a result of the data generated and monitored by the CDM tools.”

OIG provided several recommendations on how the HHS can strengthen its information security program and how security can be augmented at specific operating divisions.

The HHS concurred with all of the OIG recommendations and has provided a detailed plan on how those recommendations will be implemented.

The post OIG Gives HHS Information Security Program Rating of “Not Effective” appeared first on HIPAA Journal.

Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI

The DICOM image format, which has been in use for around 30 years, contains a design ‘flaw’ that could be exploited by hackers to embed malware in image files. Were that to happen, the malware would become permanently fused with protected health information.

The DICOM file format was developed to allow medical images to be easily stored and shared. It eliminated the need for physical films and solved hardware compatibility issues. DICOM is now the standard format used for MRI and CT images and is supported by most medical imaging systems. The file format can be read by a range of devices that are used to view patient image files and diagnostic information.

DICOM images contain a section at the start of the file called the Preamble. This section is used to facilitate access to the metadata within the images and to ensure compatibility with image viewers that do not support the DICOM image format. Because the Preamble can carry the header of another format, such as JPEG, image viewers that do not support DICOM treat the file as a type they do support, allowing the file to be opened.

This design feature is part of the reason why the DICOM file format is so useful. However, this feature can also be seen as a flaw. Markel Picado Ortiz, a security researcher at Cylera, discovered the preamble section of the file does not have restrictions on what can be added.

Ortiz has a proof-of-concept exploit for the flaw which allows an arbitrary sequence of executable code to be inserted into the image. Provided that code is less than 128 bytes, it can be inserted without affecting compliance with the DICOM standard, altering the image in any other way, or changing any PHI contained in the file. Ortiz has called the attack method PE/DICOM.

By altering the Preamble of a file, a hacker could insert executable code that masquerades as a DICOM file. The DICOM image would become an executable file, yet it would not have a file extension associated with executable files. Headers could also be added that make the file appear to be another file format, such as an executable.

Any hacker that were to use this method of incorporating malicious code would also benefit from HIPAA regulations. Files containing PHI are usually ignored by anti-malware solutions for compliance reasons. Even if such files were scanned, it is unlikely that code in the preamble section would be detected.

Detecting the malware would therefore prove difficult. Malicious code could remain undetected, but worse, the infected files would be stored within the healthcare provider’s protected environment. The files may also be shared with other healthcare providers, who would be unaware that the files had been infected with malware.

Since the malware contains executable code, it could download other malware onto the network or give an attacker a launch pad to conduct further attacks. Files could be given worm-like properties that allow malware to be propagated throughout the network.

The potential uses of this flaw are numerous. “This [flaw] enables new and existing malware to evolve into more potent variants, optimized for successful compromise of healthcare organizations, by using the infected patient data to hide, protect and spread itself – three of the primary functions that determine the effectiveness of a malware campaign,” said Ortiz.

Were the malware to be identified, healthcare organizations would have a problem with removing the malware. The hybrid file that is created could not have the malware removed without permanently deleting the file, which would result in the permanent loss of the image and patients’ PHI. Healthcare providers may have to keep the infected file due to HIPAA regulations.

“The fusion of fully-functioning executable malware with HIPAA-protected patient information adds regulatory complexities and clinical implications to automated malware protection and typical incident response processes in ways that did not previously need to be considered,” explained Ortiz.

Unfortunately, since the flaw is present in the DICOM standard itself, it is not possible to issue a patch to correct the flaw. The solution would be for the DICOM standard to be changed to place restrictions on what can be incorporated into the Preamble, but that may prove to be a challenge and would also involve altering a feature of DICOM files that makes them so useful.

Anti-malware solutions could be developed to check for the presence of malicious code inside DICOM images, but that does not solve the issue of what is done with the files if they are determined to contain malware.
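As an added example (not code from the original post or from Cylera), the defender-side check the paragraph above describes: a Python routine that inspects the DICOM Part 10 preamble and flags one that begins with a DOS/PE header or otherwise contains non-zero bytes, without parsing any of the PHI-bearing data set that follows. It assumes the standard Part 10 layout (128-byte preamble followed by the "DICM" prefix) and the DOS-header e_lfanew pointer at offset 0x3C; all sample inputs are constructed.

```python
"""Preamble check for DICOM Part 10 files (added example, not Cylera's code).

Layout assumed (DICOM PS3.10): a 128-byte preamble whose content the
standard does not constrain, then the 4-byte prefix b"DICM". The check
flags preambles that carry an MZ/PE header, the pattern the PE/DICOM
technique relies on, and reports other non-zero preambles for review so
that PHI-bearing files are not silently skipped.
"""
import struct
import sys

PREAMBLE_LEN = 128
DICM_PREFIX = b"DICM"
PE_SIGNATURE = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C  # 4-byte little-endian pointer to the PE header in a DOS header

# Benign headers sometimes placed in the preamble for dual-format viewing.
IMAGE_MAGICS = {
    b"\xff\xd8\xff": "jpeg",
    b"II*\x00": "tiff",
    b"MM\x00*": "tiff",
}


def classify_preamble(data: bytes) -> dict:
    """Classify the leading bytes of a file.

    Verdicts: not_dicom, zero, pe_header, jpeg, tiff, nonzero.
    For pe_header, pe_signature_found reports whether the DOS header's
    e_lfanew pointer lands on a "PE\\0\\0" signature inside the supplied
    data, i.e. whether this looks like a fully formed hybrid rather than a
    stray "MZ" in the preamble.
    """
    if len(data) < PREAMBLE_LEN + len(DICM_PREFIX):
        return {"verdict": "not_dicom", "nonzero_bytes": 0}
    if data[PREAMBLE_LEN:PREAMBLE_LEN + len(DICM_PREFIX)] != DICM_PREFIX:
        return {"verdict": "not_dicom", "nonzero_bytes": 0}

    preamble = data[:PREAMBLE_LEN]
    nonzero = sum(1 for b in preamble if b)
    if nonzero == 0:
        return {"verdict": "zero", "nonzero_bytes": 0}

    if preamble.startswith(b"MZ"):
        e_lfanew = struct.unpack_from("<I", preamble, E_LFANEW_OFFSET)[0]
        found = data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE
        return {"verdict": "pe_header", "nonzero_bytes": nonzero,
                "e_lfanew": e_lfanew, "pe_signature_found": found}

    for magic, name in IMAGE_MAGICS.items():
        if preamble.startswith(magic):
            return {"verdict": name, "nonzero_bytes": nonzero}

    return {"verdict": "nonzero", "nonzero_bytes": nonzero}


def scan_file(path: str) -> dict:
    """Read only the 132-byte head, then seek to e_lfanew if an MZ header is present."""
    with open(path, "rb") as fh:
        result = classify_preamble(fh.read(PREAMBLE_LEN + len(DICM_PREFIX)))
        if result["verdict"] == "pe_header":
            fh.seek(result["e_lfanew"])
            result["pe_signature_found"] = fh.read(len(PE_SIGNATURE)) == PE_SIGNATURE
    return result


def build_sample(preamble: bytes, body: bytes = b"") -> bytes:
    """Constructed test input: preamble zero-padded to 128 bytes, DICM prefix, body."""
    if len(preamble) > PREAMBLE_LEN:
        raise ValueError("preamble longer than 128 bytes")
    return preamble.ljust(PREAMBLE_LEN, b"\x00") + DICM_PREFIX + body


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, scan_file(p))
```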

While the flaw is serious, in order for it to be exploited, an attacker would first need to have permissions to access the system on which DICOM images are stored and would also need to have permissions to execute commands. Valid Active Directory credentials would therefore be required. That said, there have been many cases of credentials being compromised that have given hackers access to healthcare networks. The flaw could also be exploited by a malicious insider with access to the network.

All healthcare organizations can do to protect against the flaw in the short term is to adopt standard cybersecurity best practices to prevent unauthorized access to the network, such as changing default credentials, securing the perimeter, and scanning for and addressing vulnerabilities. Network segregation will help to prevent the spread of any malware, and intrusion detection systems could detect an attack before DICOM images are changed.

What is clear is that correcting the flaw and preventing abuse is going to be a major challenge and one that will not easily be solved.

The post Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI appeared first on HIPAA Journal.

Critical Vulnerability Identified in Fujifilm Computed Radiography Cassette Readers

Two vulnerabilities have been identified in Fujifilm computed radiography cassette readers. If exploited, an attacker could gain access to the operating system, execute arbitrary code, render the devices inoperable, alter functionality, and cause image loss.

The vulnerabilities are present in the following Fujifilm computed radiography cassette readers:

  • CR-IR 357 FCR Capsula X
  • CR-IR 357 FCR Carbon X
  • CR-IR 357 FCR XC-2

The most serious vulnerability – CVE-2019-10950 – is due to improper access controls on telnet services. A remote attacker with a relatively low level of skill could exploit the vulnerability to gain access to the operating system and remotely execute code and affect the functionality of the device. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.

The second vulnerability – CVE-2019-10948 – is due to uncontrolled resource consumption. A flood of TCP packets could be used to cause a denial of service (DoS). If exploited, a DoS attack could render the device inoperable, and a reboot would be required to restore functionality. The vulnerability has been assigned a CVSS v3 base score of 7.5.

The vulnerabilities were identified by Marc Ruef and Rocco Gagliardi of Scip AG.

To prevent exploitation of the vulnerabilities, users can configure the CR-IR-357 system with ‘Secure Host functionality.’ This configuration instructs the CR-IR-357 system to ignore network traffic other than from the IP address of the image acquisition console.

This mitigation will only be an option for users that have one image acquisition console using the CR-IR-357 Reader Unit. With this configuration activated, multiple image acquisition consoles cannot share the Reader Unit as network traffic will only be accepted from a single IP address. If Reader Unit sharing has been implemented, Fujifilm should be contacted for further information on other possible mitigations.

Users should also ensure that appropriate administrative and technical controls are implemented to prevent unauthorized devices and users from connecting to the network. Fujifilm also recommends segmenting the network or using a VLAN to segregate public traffic from the private network.

The post Critical Vulnerability Identified in Fujifilm Computed Radiography Cassette Readers appeared first on HIPAA Journal.

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

A recent study conducted by the consultancy firm CynergisTek has revealed healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules.

For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules.

The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year.

Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%).

Out of the five core functions of the NIST CSF – Identify, Protect, Detect, Respond, and Recover – conformance was lowest for Detect.

Even though conformance with the HIPAA Security Rule has been mandatory for the past 14 years, many healthcare organizations were found to be falling short. On average, healthcare organizations were found to be in conformance with 72% of HIPAA Security Rule requirements, which was 2% lower than last year. Critical access hospitals fared the worst with an average of 67% conformance.

Even when organizations were complying with HIPAA Rules, significant security gaps were identified, which clearly demonstrated compliance does not necessarily equate to security.

Compliance with the requirements of the HIPAA Privacy Rule was better, but there is still significant room for improvement. On average, healthcare organizations were complying with 77% of HIPAA Privacy Rule provisions. Many organizations had missing policies and procedures and improper postings. More than 60% of assessments revealed gaps in the maintenance of written policies and procedures related to the use and release of protected health information.

Conformance with the HIPAA Privacy Rule increased year over year for payers and physician groups, but declined for hospitals and health systems, falling from 94% in 2017 to 72% in 2018. CynergisTek explained this fall as most likely being due to higher numbers of assessments being performed on hospitals and health systems in 2018.

CynergisTek also found that insider breaches continue to be a major challenge for healthcare organizations. Insiders were responsible for 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. 74% of cases involved employees accessing the health records of household members, and 10% involved accessing the records of VIPs that were treated at the hospital. 8% of cases involved accessing the health records of co-workers and 8% involved accessing neighbors’ health records.

Business associates were found to be a major security risk. They were involved in 20% of healthcare data breaches in 2018. CynergisTek found that in many cases, healthcare organizations were not proactively assessing their vendors, even those that are medium to high risk. The most common business associate failures were related to risk assessments, governance, and access management.

The post Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules appeared first on HIPAA Journal.

HHS Slow to Implement GAO Health IT and Cybersecurity Recommendations

The U.S. Department of Health and Human Services has been slow to implement recommendations made by the Government Accountability Office. In total, 392 recommendations have yet to be addressed, including 42 which GAO rated as high priority.

Over the past four years, GAO has made hundreds of recommendations, but the HHS has only addressed 75% of them, 2% less than other government agencies.

The poor implementation rate was outlined in a March 28, 2019 letter from the GAO to HHS secretary Alex Azar.

GAO explained that healthcare is part of the nation’s critical infrastructure and relies heavily on computerized systems and electronic data to function. Those systems are regularly targeted by a diverse range of threat actors, so it is essential they are secured and protected from unauthorized access.

GAO drew attention to four high priority recommendations covering health IT and cybersecurity that are still outstanding.

“The four open priority recommendations within this area outline steps to ensure HHS can effectively monitor the effect of electronic health records programs and progress made toward goals; encourage adoption of important cybersecurity processes and procedures among healthcare entities; protect Medicare beneficiary data accessed by external entities; and ensure progress is made toward the implementation of IT enhancements needed to establish the electronic public health situation awareness network,” wrote GAO in the letter.

GAO explained that in March 2018, it recommended that the administrator of the Centers for Medicare and Medicaid Services (CMS) should develop and implement policies and procedures to ensure that entities which use claims data to evaluate the performance of Medicare service and equipment providers have implemented appropriate security controls.

While CMS has agreed to engage a contractor to review the current data security framework and provide recommendations on specific controls and implementation requirements, GAO notes that CMS must also develop appropriate processes and procedures for implementing those controls.

Three other high priority health IT and cybersecurity recommendations have yet to be implemented.

The HHS has yet to develop performance measures that allow it to assess whether the Meaningful Use program (now the Promoting Interoperability Program) is actually improving outcomes and patient safety.

GAO recommended in 2018 that the HHS and the Secretary of Agriculture should collaborate with the Department of Homeland Security and NIST and develop methods for determining the level and type of cybersecurity framework adoption required to improve the critical infrastructure of the healthcare industry. While some work has been completed in this area, GAO wrote that the HHS is still trying to identify applicable methods 12 months on.

GAO also recommended that the HHS should instruct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes when establishing the public health situational awareness network, acting under the leadership of the HHS CIO. GAO notes that little has been done to enhance national public health situational awareness network capabilities that would allow officials to view real-time information about emerging health threats.

GAO explained that it is essential for these and other recommendations to be implemented promptly. Further, GAO believes that fully implementing all of its recommendations will significantly improve HHS operations.

The post HHS Slow to Implement GAO Health IT and Cybersecurity Recommendations appeared first on HIPAA Journal.

March 2019 Healthcare Data Breach Report

In March 2019, healthcare data breaches continued to be reported at a rate of almost one a day. 30 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is 11% higher than the average of the past 60 months.

[Figure: Healthcare data breaches by month]

The number of reported breaches fell by 6.67% month over month and there was a 58% decrease in the number of breached healthcare records. March saw the healthcare records of 883,759 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches.

[Figure: Healthcare records exposed by month]

Causes of March 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights groups together hacking and other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 83.69% of all compromised records (739,635 records).

There were 8 unauthorized access/disclosure incidents reported in March. 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft incidents reported, which involved a total of 23,960 records.

The biggest data breach was reported by Navicent Health – a phishing attack in which the records of 278,016 patients were potentially accessed and copied by the attackers. A similarly sized data breach was reported by ZOLL Services, which impacted 277,319 individuals. The ZOLL Services breach occurred at one of its business associates: its email archiving company accidentally removed protections on its network server. It is unclear whether those records were accessed by unauthorized individuals during the time the information was accessible.

[Figure: Causes of March 2019 healthcare data breaches]

Largest Healthcare Data Breaches Reported in March 2019

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|
| 1 | Navicent Health, Inc. | Healthcare Provider | 278,016 | Hacking/IT Incident | Email |
| 2 | ZOLL Services LLC | Healthcare Provider | 277,319 | Hacking/IT Incident | Network Server |
| 3 | LCP Transportation, Inc | Business Associate | 54,528 | Unauthorized Access/Disclosure | Email |
| 4 | Superior Dental Care Alliance | Business Associate | 38,260 | Hacking/IT Incident | Email |
| 5 | Superior Dental Care | Health Plan | 38,260 | Hacking/IT Incident | Email |
| 6 | St. Francis Physician Services | Healthcare Provider | 32,178 | Hacking/IT Incident | Network Server |
| 7 | Palmetto Health | Healthcare Provider | 23,811 | Hacking/IT Incident | Email |
| 8 | Gulfport Anesthesia Services, PA | Healthcare Provider | 20,000 | Theft | Other |
| 9 | Women’s Health USA, Inc. | Business Associate | 17,531 | Hacking/IT Incident | Desktop Computer, Email |
| 10 | Verity Medical Foundation | Healthcare Provider | 14,894 | Hacking/IT Incident | Email |


Location of Breached Protected Health Information

Email incidents dominated the March 2019 healthcare data breach reports with 12 incidents reported that involved ePHI stored in emails and/or email attachments. The vast majority of those email breaches were phishing attacks. There were 7 hacking/IT incidents involving network servers – a combination of ransomware attacks, hacks, and the accidental deactivation of security solutions.

[Figure: Location of breached protected health information, March 2019]

March 2019 Healthcare Data Breaches by Covered Entity

Healthcare providers reported the most healthcare data breaches in March with 21 reported incidents. 4 breaches were reported by health plans and there were 5 data breaches reported by HIPAA business associates. A further three breaches had some business associate involvement.

[Figure: March 2019 healthcare data breaches by covered entity type]

Healthcare Data Breaches by State

Healthcare organizations/business associates based in 18 states reported data breaches in March 2019. Three data breaches were reported in each of California, Ohio, and Pennsylvania. Two breaches were reported in each of Arizona, Idaho, Maryland, Massachusetts, Minnesota, Oregon, and South Carolina. One breach was reported in each of Arizona, Connecticut, Florida, Georgia, Indiana, Mississippi, New York, and Oklahoma.

HIPAA Enforcement in March 2019

The HHS’ Office for Civil Rights did not announce any fines or settlements in March 2019; however, the Texas Department of Aging and Disability Services has agreed to a financial penalty over a 2015 data breach.

Texas approved a settlement of $1.6 million to resolve alleged HIPAA violations discovered during the investigation of an 8-year data breach that was reported in June 2015. OCR has yet to confirm the settlement publicly.

There were no HIPAA-related financial penalties agreed with state attorneys general in March 2019.

The post March 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Data Security Incident Response Analysis Published by BakerHostetler

BakerHostetler has released its fifth annual Data Security Incident Response Report, which contains an analysis of the 750+ data breaches the company helped manage in 2018.

BakerHostetler suggests there has been a collision of data security, privacy, and compliance, and companies have been forced to change the way they respond to security breaches.

In addition to federal and state regulations covering data breaches and notifications, companies in the United States must also comply with global privacy laws such as the EU’s General Data Protection Regulation (GDPR). All of these different regulations make the breach response a complex process. The definitions of personal information and breach response and reporting requirements differ for GDPR, HIPAA, and across the 50 states. The failure to comply with any of the above-mentioned regulations can lead to severe financial penalties. It is therefore of major importance to be prepared for breaches and be able to respond as soon as a breach is discovered.

This has led many companies to create committees to help manage data breaches, which include stakeholders with expertise in each of the above areas.

Most Common Causes of Data Breaches

An analysis of 2018 incidents shows phishing remains the most common cause of data breaches, accounting for 37% of all incidents managed by the law firm in 2018. The most common type of phishing attack seeks Office 365 credentials. 34% of phishing attacks in 2018 resulted in an Office 365 account being accessed by the attacker.

  1. Phishing Attacks – 37%
  2. Network Intrusions – 30%
  3. Accidental Disclosures – 12%
  4. Lost/stolen devices and records – 10%
  5. System Misconfiguration – 4%

30% of successful phishing attacks saw the attackers peruse the network to find accessible data. 12% of intrusions resulted in the deployment of ransomware, and 8% resulted in a fraudulent wire transfer. In 1% of cases, a successful phishing attack resulted in the deployment of malware other than ransomware.

55% of successful attacks occurred as a result of a mistake by employees, 27% were due to a non-vendor unrelated third party, 11% were due to a vendor, 5% of attacks involved a malicious insider, 3% were due to a non-vendor related third party, and 2% were due to an unrelated third party.

Incident Response, Investigation and Recovery

In 2018, 74% of breaches were discovered internally and 26% were identified by a third party.

The average time to detect a breach across all industry sectors was 66 days. It took an average of 8 days to contain the breach and 28 days for a forensic investigation to be completed. The average time to issue notifications was 56 days.

Healthcare data breaches took an average of 36 days to discover, 10 days to contain, 32 days to complete a forensic investigation, and 49 days to issue notifications. Healthcare data breaches required an average of 5,751 notification letters to be sent.

There was an increase in investigations by OCR and state Attorneys General in 2018. 34% of breaches resulted in an investigation by an Attorney General and 34% were investigated by OCR. Out of 397 breach notifications issued, 4 lawsuits were filed.

There has been an increase in the use of forensic investigators following a breach. 65% of breaches involved some kind of forensic investigation compared to 41% of incidents in 2017. The average cost of a forensic investigation was $63,001 overall and $120,732 for network intrusion incidents.

The average ransom paid was $28,920 and the maximum was $250,000. In 91% of cases, payment of the ransom resulted in the attacker supplying valid keys to decrypt files.

70% of breaches required credit monitoring services to be offered, in most cases due to the exposure of Social Security numbers.

BakerHostetler also notes that following a data breach there is often an increase in access right requests. It is therefore important for companies to have established and scalable access right request processes in place to ensure they can cope with the increase following a security breach.

Interactive Data Breach Notification Map

Healthcare organizations are required to comply with the HIPAA Breach Notification Rule which requires breach notification letters to be issued to affected individuals within 60 days of the discovery of a breach of PHI.

States have also introduced their own breach notification laws, which differ from HIPAA and may, in some cases, require notifications to be issued more rapidly. To help companies find out about the breach notification requirements in each state, BakerHostetler has compiled an interactive data breach notification map.

Using this interactive tool, organizations can find out about the breach reporting requirements in each state. The interactive data breach notification map can be viewed on this link.

The post Data Security Incident Response Analysis Published by BakerHostetler appeared first on HIPAA Journal.

OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits

The HHS’ Office for Civil Rights has raised awareness of the risk of advanced persistent threats and zero-day exploits in its spring cybersecurity newsletter.

Healthcare organizations are attractive targets for hackers due to the quantity of sensitive data they store. Individuals' protected health information is highly valuable as it can be used for many different purposes, including identity theft, tax fraud, and gaining access to medical services. Sensitive information about medical conditions can also be used to blackmail individuals.

Healthcare organizations also store research data, genetic data, and data from experimental treatments, all of which are of great value to cybercriminals. The information can also be used by foreign governments to drive innovation.

There are many techniques that hackers use to break through defenses and silently gain access to networks, two of the most serious threats being advanced persistent threats and zero-day exploits.

An advanced persistent threat (APT) is a term used to refer to repeated cyberattacks that attempt to exploit vulnerabilities to gain access to information systems. These attacks are often sophisticated, but even relatively simple attacks are dangerous due to their persistence.

The aim of the attacks is to stealthily gain access to information systems and steal information over a long period of time. “Advanced” comes from the techniques used to access networks and remain undetected, such as the use of malware. “Persistent” refers to the length of time that systems are accessed and information is stolen. Several APT groups have succeeded in gaining access to healthcare IT systems in the United States and have used that access to steal sensitive patient information and proprietary healthcare data.

Zero-day exploits – or zero-day attacks – involve the use of previously unknown vulnerabilities to attack organizations. By their very nature, these types of attacks can be difficult to prevent. Since the vulnerabilities are only known to hackers, no patches exist to correct the flaws.

Oftentimes, vulnerabilities are discovered as a result of them being exploited. Patches are promptly released to correct the flaws, but hackers will continue to take advantage of the vulnerabilities until systems are patched. It is therefore essential to apply patches promptly and ensure that all operating systems and software are kept up to date.

Once a zero-day vulnerability is publicly disclosed, it doesn’t take long for an exploit to be developed. Oftentimes, exploits for recently discovered vulnerabilities are developed and used in attacks within days of a patch being released.

If patches cannot be applied promptly, such as if extensive testing is required, it is important to implement workarounds or other security controls to prevent the vulnerabilities from being exploited. The use of encryption and access controls can help to ensure that even if access to a network is gained through the exploitation of a vulnerability, damage is minimized.

OCR has warned of the danger of combination attacks involving APTs and zero-day exploits, such as the use of the NSA’s EternalBlue exploit. Within days of the exploit being made available online, it was incorporated into WannaCry ransomware which infected hundreds of thousands of computers around the world. A patch for the vulnerability that EternalBlue exploited was released by Microsoft 2 months before the WannaCry attacks. Organizations that patched promptly were protected against the exploit and WannaCry.

Healthcare organizations and their business associates can improve their defenses against zero-day exploits and APTs by implementing measures outlined in the HIPAA Security Rule. OCR has drawn attention to the following requirements of the Security Rule which can help prevent and mitigate zero-day exploits and APTs:

The post OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits appeared first on HIPAA Journal.