Healthcare Data Security

BD Discloses 2 Vulnerabilities in its Pyxis, Rowa, and Viper LT Products

Becton, Dickinson and Company (BD) has self-reported two vulnerabilities that affect its BD Pyxis automated medication dispensing systems, BD Rowa pouch packaging systems, and BD Viper LT automated molecular testing systems.

Both vulnerabilities are due to the use of hard-coded credentials. If exploited, the vulnerabilities could allow an unauthorized individual to access, modify, and delete sensitive data, which could include electronic protected health information (ePHI).

The most serious vulnerability, tracked as CVE-2022-22765, affects all versions of the BD Viper LT system from 2.0. The vulnerability has been assigned a CVSS severity score of 8.0 out of 10.

BD is currently working on a fix for the vulnerability, which will be included in the upcoming BD Viper LT system Version 4.80 software release. In the meantime, BD has suggested implementing compensating controls, such as ensuring physical access controls are in place, only permitting authorized individuals to access the system, disconnecting the system from the network access where possible, and if it is not possible to disconnect the system from network access, to implement industry-standard network security policies and procedures.

The second vulnerability, tracked as CVE-2022-22766, affects the BD Pyxis range of products and BD Rowa Pouch Packaging Systems. The vulnerability has been assigned a CVSS severity score of 7.0 out of 10. If exploited, an attacker could gain access to the file system and exploit application files that could be used to decrypt application credentials or gain access to ePHI.

Credentials are BD managed and are not visible to or used by customers to access or use BD Pyxis devices. That means that in order to exploit the vulnerability, threat actors would have to gain access to the hardcoded credentials, infiltrate a facility’s network, and gain access to individual devices.

BD said it is in the process of strengthening credential management capabilities in BD Pyxis devices. In the meantime, compensating controls can be implemented for the affected products. These include limiting physical access to authorized personnel, tightly controlling the management of BD Pyxis system credentials provided to authorized users, isolating products in a secure VLAN or behind firewalls, and monitoring and logging network traffic. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts. Users should work with their BD support team to ensure all patching and virus definitions are up to date.

“BD is committed to transparency with our customers and makes product security information, including vulnerability disclosures, available through the BD Cybersecurity Trust Center,” said BD in a statement. “As part of this commitment, BD posted product security bulletins about the use of hardcoded credentials… Hardcoded credentials are not used directly by customers or end-users to access these systems.”

There have been no reports of the vulnerabilities being exploited in clinical settings. BD self-reported the vulnerabilities to the FDA, ISAOs, and CISA for maximum awareness.

The post BD Discloses 2 Vulnerabilities in its Pyxis, Rowa, and Viper LT Products appeared first on HIPAA Journal.

OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture

In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry.

2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached.

The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled.

Pino also drew attention to the critical vulnerability identified in the Java-based logging utility Log4J, which has been incorporated into many healthcare applications. The vulnerability was discovered in December 2021 and cybercriminals and other threat groups were quick to exploit it to gain access to servers and networks for a range of malicious purposes.

The vulnerabilities and data breaches show how important it is for healthcare organizations to be vigilant to threats and take prompt action when new risks to the confidentiality, integrity, and availability of protected health information are identified. “With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022,” said Pino.

Pino said OCR investigations and audits have uncovered many cases of noncompliance with the risk analysis and risk management requirements of the HIPAA Rules. “All too often, we see that risk analyses only cover the electronic health record. I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope,” explained Pino. “You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”

OCR’s investigations of data breaches in 2020 showed multiple areas where HIPAA-regulated entities need to take steps to improve compliance with the standards of the HIPAA Security Rule, especially in the following areas:

  • Risk analysis
  • Risk management
  • Information system activity review
  • Audit controls
  • Security awareness and training
  • Authentication

Pino made several recommendations, including reviewing risk management policies and procedures, ensuring data are regularly backed up (and testing backups to ensure data recovery is possible), conducting regular vulnerability scans, patching and updating software and operating systems promptly, training the workforce how to recognize phishing scams and other common attacks, and practicing good cyber hygiene.

“We owe it to our patients, and industry, to improve our cybersecurity posture in 2022 so that health information is private and secure”, concluded Pino, who also drew attention to resources that have been made available by CISA and the Office for Civil Rights to help protect against common threats to ePHI.

NCCoE Releases Final Version of NIST Securing Telehealth Remote Patient Monitoring Ecosystem Guidance

The National Cybersecurity Center of Excellence (NCCoE) has published the final version of NIST guidance on Securing Telehealth Remote Patient Monitoring Ecosystem (SP 1800-30).

Healthcare delivery organizations have been increasingly adopting telehealth and remote patient monitoring (RPM) systems to improve the care they provide to patients while reducing costs. Patient monitoring systems have traditionally only been used in healthcare facilities but there are advantages to using these solutions in patients’ homes. Many patients prefer to receive care at home, the cost of receiving that care is reduced, and healthcare delivery organizations benefit from freeing up bed space and being able to treat more patients.

While there are advantages to be gained from the provision of virtual care and the remote monitoring of patients in their homes, telehealth and RPM systems can introduce vulnerabilities that put sensitive patient data at risk. If RPM systems are not adequately protected, they could be vulnerable to cyberattacks that disrupt patient monitoring services.

Special Publication 1800-30 was developed by NCCoE in collaboration with healthcare, technology, and telehealth partners to form a reference architecture that demonstrates how a standards-based approach can be adopted along with commercially available cybersecurity tools to improve privacy and security for the telehealth and RPM ecosystem.

The project team at NCCoE performed a risk assessment based on the NIST Risk Management Framework on a representative RPM ecosystem in a laboratory environment. The NIST Cybersecurity Framework was applied along with guidance based on medical device standards, and the team demonstrated how healthcare delivery organizations can implement a solution to enhance privacy and better secure their telehealth RPM ecosystem.

SP 1800-30 explains how healthcare delivery organizations can identify cybersecurity risks associated with telehealth and RPM solutions, use the NIST Privacy Framework to broaden their understanding of privacy risks, and apply cybersecurity and privacy controls. How-To guides are provided that include detailed instructions for installing and configuring the products used to build NCCoE’s example solution. NCCoE used solutions from AccuHealth and Vivify, but the principles can be applied to other solutions.

The final guidance and How-To guides can be downloaded from NCCoE here.

Image Source: J. Stoughton/NIST

January 2022 Healthcare Data Breach Report

50 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR) in January 2022. January was the second successive month where the number of reported data breaches fell, although 38.9% more breaches were reported last month than in January 2020.

Healthcare data breaches over the past 12 months to January 2022

The protected health information of 2,304,607 individuals was exposed or impermissibly disclosed across those 50 breaches – 22% fewer records than December 2021, and well below the 12-month average of 3.51 million records a month. 726 data breaches of 500 or more records were reported to OCR in the 12 months from February 2021 to January 2022, and 42,175,121 records were breached across those 726 incidents.

Healthcare records breached in the past 12 months to January 2022


Largest Healthcare Data Breaches in January 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in January 2022, including one major data breach that affected more than 1.35 million Broward Health patients.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information | Breach Cause
North Broward Hospital District d/b/a Broward Health | FL | Healthcare Provider | 1,351,431 | Hacking/IT Incident | Network Server | Unspecified hacking and data theft incident
Medical Review Institute of America | UT | Business Associate | 134,571 | Hacking/IT Incident | Network Server | Ransomware attack
Medical Healthcare Solutions, Inc. | MA | Business Associate | 133,997 | Hacking/IT Incident | Network Server | Ransomware attack
Ravkoo | FL | Healthcare Provider | 105,000 | Hacking/IT Incident | Other | Cyberattack on cloud prescription portal
TTEC Healthcare Solutions | CO | Business Associate | 86,305 | Hacking/IT Incident | Network Server | Ransomware attack
Advocates, Inc. | MA | Healthcare Provider | 68,236 | Hacking/IT Incident | Network Server | Unspecified hacking and data theft incident
iRise Florida Spine and Joint Institute, LLC | FL | Healthcare Provider | 61,595 | Hacking/IT Incident | Email | Email accounts accessed by unauthorized individuals
Suncoast Skin Solutions | FL | Healthcare Provider | 57,730 | Hacking/IT Incident | Network Server | Ransomware attack
Hospital Authority of Valdosta and Lowndes County Georgia | GA | Healthcare Provider | 41,692 | Unauthorized Access/Disclosure | Desktop Computer | Unauthorized access and PHI theft by former employee
Family Christian Health Center | IL | Healthcare Provider | 31,000 | Hacking/IT Incident | Network Server | Ransomware attack
Lakeshore Bone & Joint Institute, PC | IN | Healthcare Provider | 23,627 | Hacking/IT Incident | Email | Email account accessed by unauthorized individual
South City Hospital | MO | Healthcare Provider | 21,601 | Theft | Network Server, Other | Burglary
Pace Center for Girls | FL | Healthcare Provider | 18,300 | Unauthorized Access/Disclosure | Network Server | Unspecified hacking and data theft incident
County of Kings, a political subdivision of the State of California | CA | Healthcare Provider | 16,590 | Hacking/IT Incident | Network Server | Misconfigured web server
Philadelphia FIGHT Community Health Centers | PA | Healthcare Provider | 15,000 | Hacking/IT Incident | Network Server | Unspecified hacking incident
Catholic Hospice, Inc. | FL | Healthcare Provider | 14,986 | Hacking/IT Incident | Email | Email accounts accessed by unauthorized individuals
Houston Area Community Services, Inc. d/b/a Avenue 360 Health and Wellness | TX | Healthcare Provider | 12,186 | Hacking/IT Incident | Email | Email accounts accessed by unauthorized individuals
Spencer Gifts LLC Health and Welfare Benefit Plan | NJ | Health Plan | 10,023 | Hacking/IT Incident | Network Server | Unspecified hacking and data theft incident

Causes of January 2022 Healthcare Data Breaches

Hacking incidents continue to dominate the breach reports and accounted for 76% of the month’s data breaches and 95.57% of the month’s breached records. The average breach size was 57,962 records and the median breach size was 6,174 records. The largest healthcare data breach of the month resulted in the theft of the protected health information of more than 1.35 million patients of Broward Health in Florida. A hacker gained access to the Broward Health network via a third-party medical provider that had been given access rights to Broward Health’s systems.

Causes of January 2022 Healthcare Data Breaches

Ransomware is still being extensively used in cyberattacks on healthcare organizations. 5 of the month’s top 10 data breaches were reported as ransomware attacks, with several others likely to have involved ransomware. Ransomware attacks have become highly sophisticated, with the attackers using a variety of methods to gain access to healthcare networks. CISA, the FBI, and the NSA recently issued a joint threat brief warning about the increased risk of ransomware attacks on critical infrastructure firms and provided mitigations that can be implemented to improve resilience to ransomware attacks.

Phishing attacks are also common. 12 of the month’s data breaches involved compromised email accounts. Combating phishing attacks requires a combination of email security solutions and end user training. While HIPAA does not specify anti-phishing training for employees, HIPAA-regulated entities should go beyond the requirements of HIPAA and ensure the workforce receives regular security awareness training, including instruction on how to identify phishing emails. When combined with phishing simulation exercises, susceptibility to phishing attacks can be significantly reduced.

There were 11 unauthorized access/disclosure incidents reported to OCR in January, across which the protected health information of 80,456 individuals was impermissibly accessed or disclosed. One of the incidents reported in January involved the theft of the protected health information of 41,692 patients by a former employee. That individual was arrested and charged in connection to the incident. The average size of these breaches was 7,314 records, and the median breach size was 1,125 records. There was also one theft incident reported – a burglary – involving the theft of a network server that contained the protected health information of 21,601 patients.

January 2022 healthcare data breaches - location of breached PHI

Data Breaches by HIPAA-Regulated Entity Type

Data breaches were reported by 31 healthcare providers, 6 health plans, and 13 business associates in January; however, a further 5 breaches occurred at business associates but were reported by the HIPAA-covered entity. The pie chart below shows the adjusted figures for where the data breach occurred.

January 2022 healthcare data breaches by HIPAA-regulated entity type

Healthcare Data Breaches by State

Healthcare data breaches were reported by HIPAA-regulated entities in 22 states, with Florida the worst affected with 7 data breaches.

State | Number of Reported Data Breaches
Florida | 7
Pennsylvania | 6
California | 4
Illinois, Massachusetts, New Jersey & New York | 3
Colorado, Georgia, Ohio, Tennessee, Texas, & Utah | 2
Arkansas, Connecticut, Idaho, Indiana, Minnesota, Missouri, Oklahoma, South Carolina, & Wisconsin | 1

HIPAA Enforcement in January 2022

There were no HIPAA enforcement actions announced by the HHS’ Office for Civil Rights or state attorneys general in January 2022.

CISA, FBI, NSA Warn of Increased Threat of Ransomware Attacks on Critical Infrastructure

A joint security advisory has been issued by cybersecurity agencies in the United States, United Kingdom, and Australia, warning about the increased globalized threat of ransomware attacks and the elevated risk of targeted attacks on critical infrastructure entities.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed high-impact ransomware attacks against 14 of the 16 critical infrastructure sectors in 2021, including government facilities, financial services, transportation systems, water and wastewater systems, energy, and healthcare and public health.

The UK’s National Cyber Security Centre (NCSC-UK) says ransomware is now the biggest cyber threat faced by the country, with education the most targeted sector. There has also been an increase in attacks on businesses, charities, law firms, local government public services, and the healthcare sector. The Australian Cyber Security Centre (ACSC) says ransomware gangs are targeting critical infrastructure sectors including healthcare and medical, financial services and markets, higher education and research, and energy.

In the cybersecurity advisory, the CISA, the FBI, and the NSA share information about the trends observed in 2021 ransomware attacks and the tactics, techniques, and procedures known to be used by ransomware gangs to gain access to networks, move laterally, and increase the impact of their attacks. They also suggest mitigations that can reduce the likelihood of a ransomware attack succeeding and the impact of a successful attack.

2021 Ransomware Attack Trends

In the United States, the first half of 2021 saw ransomware gangs go after ‘big game’ targets such as Colonial Pipeline, Kaseya, and JBS Foods. The increased scrutiny on ransomware gangs following these attacks saw them shift their focus to mid-sized targets, although big game targeting continued throughout 2021 in the United States and Australia.

In Europe, ransomware gangs have been sharing victim information with other ransomware operations and cybercriminal groups. The BlackMatter ransomware operation shutdown and transferred existing victims to the LockBit 2.0 infrastructure and the Conti ransomware gang is known to have sold access to victims’ networks to other cybercriminal groups.

While double extortion tactics have become the norm, 2021 saw an increase in triple extortion attacks where, in addition to encryption, files are exfiltrated and a demand is issued for payment to prevent the publication of the stolen data, Internet access is disrupted, and threats are issued to inform partners, shareholders, and suppliers about the attack.

Methods Used to Gain Access to Victims’ Networks

CISA, the FBI, and the NSA say ransomware gangs have increasingly sophisticated technological infrastructure and the ransomware threat is increasing globally. Ransomware gangs are using many methods to gain access to networks, which makes implementing defensive measures to block the attacks a major challenge.

Initial access to networks is gained through phishing attacks to obtain credentials, the use of stolen Remote Desktop Protocol (RDP) credentials, brute force tactics to guess weak credentials, and the exploitation of known vulnerabilities that have yet to be patched. CISA has identified several new vulnerabilities that are being actively targeted by ransomware gangs and has added them to its Known Exploited Vulnerabilities Catalog, which now includes 368 vulnerabilities. These attack vectors have proven successful because remote working and schooling during the pandemic expanded the attack surface, which has made it difficult for IT security teams to patch vulnerabilities and address security weaknesses while supporting their remote workers and learners.

Ransomware gangs are now operating more like professional businesses and are increasingly outsourcing certain functions to specialist cybercriminal groups, who assist with payments, negotiations, arbitration, and provide 24/7 help centers for victims.

Increasing the Impact of Ransomware Attacks

2021 has seen an increase in the severity of ransomware attacks. The attacks are conducted to cause as much disruption as possible to increase the likelihood of the ransom being paid. Ransomware gangs are targeting cloud infrastructures and are exploiting known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software. There has been an increase in attacks on managed service providers and their downstream clients, and industrial processes and the software supply chain are being targeted. Attacks are often conducted at the weekend or during holidays when there are likely to be fewer network defenders and support personnel on hand to identify and respond to attacks.

Defending Against Ransomware Attacks

The security advisory details a long list of mitigations to reduce the likelihood of a successful attack and the severity of an attack should perimeter defenses be breached, including limiting the ability of threat actors to learn about an organization’s IT environment and move laterally.

You can view the list of recommended mitigations here.

Immediate Patching Required to Fix Critical SAP Vulnerabilities

The German business software provider SAP has released patches to fix a set of critical vulnerabilities that affect SAP applications that use the SAP Internet Communications Manager (ICM). The vulnerabilities were identified by researchers at Onapsis Research Labs, who dubbed the flaws ICMAD (Internet Communications Manager Advanced Desync). All three of the flaws could be exploited to achieve remote code execution, which would allow remote attackers to fully compromise vulnerable SAP applications.

The vulnerabilities affect the following SAP applications:

  • SAP NetWeaver AS ABAP
  • ABAP Platform
  • SAP NetWeaver AS Java
  • SAP Content Server 7.53
  • SAP Web Dispatcher

The flaws could be exploited to steal victim sessions and credentials in plaintext, change the behavior of applications, obtain PHI and sensitive business data, and cause denial-of-service. The vulnerability CVE-2022-22536 is the most serious of the three and has been assigned the maximum CVSS severity score of 10/10. Onapsis said the flaw can be easily exploited by an unauthenticated attacker on SAP applications in the default configuration by sending a single request through the commonly exposed HTTP(S) service.

When business applications allow HTTP(S) access, the most common configuration is for an HTTP(S) proxy to be sitting between clients and the backend SAP system, and this configuration allows the flaw to be exploited. The second vulnerability, tracked as CVE-2022-22532 (CVSS 8.1), can also be exploited in this configuration, and even in the absence of proxies. The third vulnerability, tracked as CVE-2022-22533 (no CVSS score at present), can also lead to remote code execution.

The vulnerabilities were identified while researching HTTP smuggling techniques, which the researchers determined could be leveraged using requests that closely mirror legitimate HTTP requests. As such, these attacks would be difficult for security teams to detect. Further, the vulnerabilities are also very easy to exploit.

SAP applications are extensively used by businesses, including in the healthcare industry. When vulnerabilities are discovered, they are quick to be exploited by hackers to gain access to applications to steal data or cripple business systems. Oftentimes, the first exploits of SAP vulnerabilities occur within 72 hours of patches being released.

SAP applications are used to manage business processes and in healthcare, the applications often contain protected health information. Vulnerabilities in SAP applications could therefore be exploited to steal patient data.

SAP and Onapsis have urged all businesses using vulnerable SAP applications to apply the patches immediately to prevent exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory about the vulnerabilities urging immediate patching. Organizations should prioritize patching affected systems that are exposed to untrusted networks, such as the Internet. Onapsis has released a free, open source scanning tool that can be used by businesses to discover if they are vulnerable to ICMAD exploits.

Latest Phishing Kits Allow Multi-Factor Authentication Bypass

Phishing attacks allow threat actors to obtain credentials, but multi-factor authentication (MFA) makes it harder for phishing attacks to succeed. With MFA enabled, in addition to a username and password, another method of authentication is required before account access is granted. Microsoft has previously said multi-factor authentication blocks 99.9% of automated account compromise attacks; however, MFA does not guarantee protection. A new breed of phishing kit is being increasingly used to bypass MFA.

Researchers at Proofpoint explained in a recent blog post that phishing kits are now being used that leverage transparent reverse proxy (TRP), which allows browser man-in-the-middle (MitM) attacks. The phishing kits allow the attackers to compromise browser sessions and steal credentials and session cookies in real-time, allowing a full account takeover without alerting the victim.

There are multiple phishing kits that can often be purchased for a low cost that allow MFA to be bypassed; some are simple with no-frills functionality, while others are more sophisticated and incorporate multiple layers of obfuscation and have modules for performing a range of functions, including the theft of sensitive data such as passwords, Social Security numbers, credit card numbers, and MFA tokens.

With standard phishing attacks, the attackers create a fake login page to trick visitors into disclosing their credentials. Oftentimes the phishing page is a carbon copy of the site it impersonates, with the URL the only sign that the phishing page is not genuine. One of the MitM phishing kits identified by the Proofpoint team does not use these fake pages, instead, it uses TRP to present the genuine landing page to the visitor. This approach makes it impossible for victims to recognize the phishing scam. When a user lands on the page and a request is sent to that service, Microsoft 365 for instance, the attackers capture the username and password before they are sent and steal the session cookies that are sent in response in real-time.

The researchers refer to a study of MitM phishing kits by Stony Brook University and Palo Alto Networks which identified more than 1,200 phishing sites using MitM phishing kits. Worryingly, these phishing sites are often not detected and blocked by security solutions. 43.7% of the domains and 18.9% of the IP addresses were not included on popular blocklists, such as those maintained by VirusTotal. Further, while standard phishing pages typically only have a lifespan of around 24 hours before they are blocked, MitM phishing pages last much longer. 15% of those detected lasted for longer than 20 days before they were added to blocklists.

The use of these phishing kits is increasing, albeit relatively slowly, however, the Proofpoint researchers believe that MitM phishing kits will be much more widely adopted by threat actors in response to the increased use of MFA. “[MitM phishing kits] are easy to deploy, free to use, and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new unexpected directions,” said Proofpoint.
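A transparent reverse proxy hands the attacker a cookie that was issued to the victim's browser moments earlier, so one defender-side signal is a fresh session being used from a client other than the one that logged in. The following detection is an added example written for this article, not code from Proofpoint or the study it cites; the log format, field names and sample lines are constructed, and the one-hour window is an assumed tuning value.

```python
"""Flag session cookies replayed from a client other than the one that
authenticated them, the pattern a transparent-reverse-proxy phishing kit
produces: the victim logs in through the proxy, the attacker reuses the
issued cookie from their own infrastructure moments later.

The key=value log format, the field names and the sample lines below are
constructed for this example; they are not any real product's log schema.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: alice's cookie is reused from a different IP and
# client within a minute of her login; bob's session stays on one client;
# carol's session appears with no login ever observed for it.
SAMPLE_LOG = """\
2022-02-14T09:01:12Z event=login user=alice session=s1a2b3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/97.0"
2022-02-14T09:01:40Z event=request user=alice session=s1a2b3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/97.0"
2022-02-14T09:02:05Z event=request user=alice session=s1a2b3 ip=198.51.100.77 ua="python-requests/2.27.1"
2022-02-14T10:15:00Z event=login user=bob session=z9y8x7 ip=192.0.2.33 ua="Mozilla/5.0 (Macintosh) Safari/605.1"
2022-02-14T10:16:30Z event=request user=bob session=z9y8x7 ip=192.0.2.33 ua="Mozilla/5.0 (Macintosh) Safari/605.1"
2022-02-14T10:20:00Z event=request user=carol session=q4w5e6 ip=198.51.100.77 ua="python-requests/2.27.1"
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "login" or "request"
    user: str
    session: str   # opaque session cookie value
    ip: str
    ua: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    session: str
    reason: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line: a timestamp followed by key=value
    pairs; shlex.split keeps the quoted user-agent string as one token."""
    tokens = shlex.split(line)
    ts = datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    return Event(ts, fields["event"], fields["user"], fields["session"],
                 fields["ip"], fields["ua"])


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_hijacked_sessions(events: list[Event],
                           window: timedelta = timedelta(hours=1)) -> list[Alert]:
    """Bind each session cookie to the client (IP, user-agent) that logged it
    in, then flag requests inside `window` that present the same cookie from
    a different client, plus cookies that were never seen being issued.

    The window is an assumed tuning value: a proxied phishing login is
    typically replayed within minutes, whereas a laptop that roams between
    networks hours later is a far weaker signal."""
    bindings: dict[str, Event] = {}
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            bindings[ev.session] = ev
            continue
        login = bindings.get(ev.session)
        if login is None:
            alerts.append(Alert(ev.ts, ev.user, ev.session,
                                "session used without an observed login"))
            continue
        if ev.ts - login.ts > window:
            continue  # outside the immediate-replay heuristic
        mismatches = []
        if ev.ip != login.ip:
            mismatches.append(f"ip {login.ip}->{ev.ip}")
        if ev.ua != login.ua:
            mismatches.append("user-agent changed")
        if mismatches:
            alerts.append(Alert(ev.ts, ev.user, ev.session, "; ".join(mismatches)))
    return alerts


if __name__ == "__main__":
    for alert in find_hijacked_sessions(parse_log(SAMPLE_LOG)):
        print(f"{alert.ts.isoformat()} user={alert.user} session={alert.session}: {alert.reason}")
```

An alert on a freshly issued session is a reason to revoke that session and re-authenticate the user rather than merely to notify, since the attacker holds a valid cookie until it is invalidated.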

HC3: Lessons Learned from the Ransomware Attack on Ireland’s Health Service Executive

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has released a report providing insights into the May 2021 Conti ransomware attack on the Health Service Executive (HSE) in Ireland, and advice for the healthcare and public health (HPH) sector to help prepare, respond, and recover from ransomware attacks.

The report provides information on the vulnerabilities and weaknesses that were exploited by the Conti ransomware gang, and how the HSE’s lack of preparedness for ransomware attacks hampered its efforts to detect, respond and remediate the attack and contributed to the long and expensive recovery process.

The Conti ransomware gang, believed to be a reincarnation of the notorious Ryuk ransomware operation, first gained access to the HSE network on May 7, 2021, and the networks of six voluntary hospitals and one statutory hospital were compromised between May 8, 2021, and May 12, 2021. One of the affected hospitals detected the attack on May 10, and the HSE was alerted to the cyberattack on May 12. Between May 12 and May 13, the attacker accessed files and folders on HSE systems. The Department of Health and one hospital prevented attacks on their networks on May 13, but in the early hours of May 14, 2021, other hospitals and the HSE started to have files encrypted. The HSE said around 80% of its network was encrypted in the attack.

The attackers issued a ransom demand; however, a week after files were encrypted the gang provided the keys to decrypt files for free, but then insisted the HSE pay the ransom to prevent the publication or sale of the stolen data. It took until September 21, 2021 – four months after files were encrypted – to restore 100% of HSE servers and 99% of its applications. Recovery from the ransomware attack cost the HSE hundreds of millions of dollars and the attack could have been even more costly and damaging had the Conti ransomware gang not provided the decryption keys.

The Conti ransomware gang has conducted at least 40 ransomware attacks in 2021 in the United States, Colombia, Europe, India, and Australia, including attacks on HPH entities in at least 20 U.S. states. Attacked healthcare entities include biotech firms, health/medical clinics, home healthcare services, hospices/elderly care, hospitals, pharma firms, healthcare industry services, and public health entities.

In December 2021, the HSE released a 157-page report of an independent post-incident review by PricewaterhouseCoopers (PwC) that detailed the background to the attack, the timeline, the recovery process, cybersecurity failures, and provided many recommendations. The PwC report was the reference for the HC3 report.

The PwC and HC3 reports detail many cybersecurity failures that contributed to the slow detection of the attack, the inability to respond quickly to security alerts and implement mitigations, and the extensive recovery time. Despite the high risk of ransomware attacks on the healthcare industry, the HSE was simply not prepared to deal with a ransomware attack. There was no single owner for cybersecurity at a senior executive or management level, no dedicated committee providing direction and oversight of cybersecurity activities, multiple weaknesses and gaps in cybersecurity controls, no cybersecurity forum to discuss and document risks, no centralized cybersecurity function to manage cybersecurity risks and controls, and the teams responsible for cybersecurity were known to be under-resourced.

The technology used by the HSE was overly complex, which increased vulnerability to cyberattacks. There was a large and unclear security boundary, the effective security boundary did not align with its ability to mandate cybersecurity controls, and there was no effective monitoring of the capability to detect and respond to attacks. High-risk gaps were identified in 25 of the 28 cybersecurity controls that are most effective at detecting and preventing human-operated ransomware attacks, and the HSE was overly reliant on antivirus software for protecting endpoints. The HSE had no documented cyber incident response plan and had not performed exercises of the technical response to an attack. The HSE was therefore heavily reliant on third parties in the weeks following the attack to provide structure to its response activities.

While many ransomware actors are stealthy, the Conti ransomware attack was not. On May 7, 2021, the HSE’s antivirus detected Cobalt Strike on six servers, two hospitals identified an intrusion before the ransomware was deployed, and two organizations prevented the deployment of ransomware, but there was no centralized response from the HSE.

The report highlights the consequences of not having an effective cybersecurity strategy, the need to prepare thoroughly for an attack, and the importance of governance and cybersecurity leadership. As serious as the attack was, some good can come out of it. Healthcare organizations around the world can learn from the attack and apply the lessons learned by the HSE to prevent attacks on their own IT infrastructure, and ensure they are properly prepared to respond to a ransomware attack should their defenses be breached.

The post HC3: Lessons Learned from the Ransomware Attack on Ireland’s Health Service Executive appeared first on HIPAA Journal.

FBI Shares Technical Details of Lockbit 2.0 Ransomware

The Federal Bureau of Investigation (FBI) has released indicators of compromise (IoCs) and details of the tactics, techniques, and procedures (TTPs) associated with Lockbit 2.0 ransomware.

Lockbit is a ransomware-as-a-service (RaaS) operation that has been active since September 2019. In the summer of 2021, a new version of the ransomware – Lockbit 2.0 – was released that had more advanced features, including the ability to automatically encrypt files across Windows domains via Active Directory group policies, and a Linux-based malware was also developed that could exploit vulnerabilities in VMware ESXi virtual machines.

The affiliates working for the ransomware operation use a range of TTPs in their attacks, which makes prevention, detection, and mitigation a challenge for security teams. Initial access is gained by exploiting unpatched vulnerabilities, using zero-day exploits, and purchasing access to business networks from initial access brokers (IABs). Shortly after the relaunch of the RaaS, the threat actor started advertising on hacking forums trying to recruit insiders who could provide network access in exchange for a cut of any ransom payment that is generated.

Once access to a network has been gained, the threat actors use a range of publicly available tools for lateral movement, privilege escalation, and exfiltrating sensitive data. Stolen data are used as leverage to pressure victims into paying the ransom. If victims refuse to pay the ransom, stolen data are published on the Lockbit 2.0 data leak site.

The infection process sees log files and shadow volume copies deleted, and system information is enumerated, such as the hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. Affiliates are able to specify the file types to exfiltrate from the admin panel, and those files are then copied to an attacker-controlled server via HTTP. Some affiliates use other methods to achieve the same purpose, such as rclone and MEGAsync, as well as publicly available file-sharing services. After data exfiltration, the ransomware encrypts files on local and remote devices, leaving core system files intact. The ransomware then deletes itself from the disk and creates persistence at startup. Lockbit 2.0 will exit without infection if Russian or any languages of the former Soviet republics are detected.
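The pre-encryption steps described above (log and shadow copy deletion, then exfiltration with tools such as rclone or MEGAsync) are the window in which a security team can still intervene. The following is an added example, not code from the FBI alert or HIPAA Journal: a small scanner that runs detection rules over process-creation log lines and escalates any host that shows both the destructive and the exfiltration behaviour. The log lines and the "host|user|command_line" format are constructed for the example.

```python
import re
from collections import defaultdict

# Each rule: (name, regex applied to the command-line field).
# Behaviours taken from the alert text: shadow copy / log deletion and
# use of rclone or MEGAsync for bulk exfiltration.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_clearing",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("bulk_exfil_tool",
     re.compile(r"\b(rclone|megasync)(\.exe)?\b", re.I)),
]

# Constructed sample telemetry (not real logs), one "host|user|command_line" per line.
SAMPLE_LOG = """\
ws01|alice|C:\\Windows\\System32\\notepad.exe notes.txt
srv02|svc_backup|vssadmin.exe delete shadows /all /quiet
srv02|svc_backup|wevtutil.exe cl Security
srv02|svc_backup|C:\\Temp\\rclone.exe copy D:\\Shares remote:bucket
ws03|bob|C:\\Program Files\\MEGAsync\\MEGAsync.exe
fs01|svc_backup|wmic shadowcopy delete
"""

def scan(log_text):
    """Return {host: {rule_name, ...}} for every host with at least one matching line."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        try:
            host, _user, cmd = line.split("|", 2)
        except ValueError:
            continue  # malformed line: skip rather than crash the scan
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits[host].add(name)
    return dict(hits)

def triage(hits):
    """Hosts that both destroy recovery data (shadow copies or event logs) and run
    an exfiltration tool match the staged sequence in the alert: escalate those first."""
    destructive = {"shadow_copy_deletion", "event_log_clearing"}
    return sorted(h for h, r in hits.items() if r & destructive and "bulk_exfil_tool" in r)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for host, rules in sorted(found.items()):
        print(host, sorted(rules))
    print("escalate:", triage(found))
```

A single hit (ws03 running MEGAsync, or fs01 deleting shadow copies) is worth a look on its own; the combination on srv02 is the one that warrants an immediate response.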

Like several other RaaS operations, the group claims it will not conduct ransomware attacks on healthcare organizations; however, other groups have made similar claims yet have still attacked the healthcare sector. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has advised all organizations in the HPH sector to read and apply the information contained in the FBI’s TLP: White Flash Alert and take steps to reduce their attack surface to the greatest extent possible.

Measures that should be taken include setting strong, unique passwords for all accounts, implementing multi-factor authentication, keeping software and operating systems up to date, removing unnecessary access to administrative shares, segmenting networks, and implementing a host-based firewall and robust data backup program.

The post FBI Shares Technical Details of Lockbit 2.0 Ransomware appeared first on HIPAA Journal.