Healthcare Data Security

Medical Devices Can Be Hacked Using Black Box Approach

Researchers in the UK and Belgium have discovered it is possible to hack certain medical devices even with no prior understanding of how the devices work. Cyberattacks could be conducted to gain access to sensitive patient data or to cause patients to be harmed. The research team discovered that malicious messages could be sent to the devices and signals sent to prematurely drain batteries.

The study was conducted by researchers at the University of Birmingham in the UK and the University of Leuven / University Hospital Gasthuisberg Leuven in Belgium.

The researchers discovered at least 10 different commonly used medical devices were vulnerable to these attacks, including pacemakers and the latest generation of implantable cardioverter defibrillators (ICDs). The researchers were able to extract medical records from the devices – including patients’ names – and claim these attacks could be pulled off by a relatively weak adversary.

By repeatedly sending signals to the devices they were able to prematurely drain batteries by preventing the devices from going into sleep mode. It was also possible to increase the time that the devices could receive messages, allowing further malicious attacks to be conducted.

The researchers used inexpensive commercial off-the-shelf equipment to intercept and reverse-engineer communications between the devices and their device programmers and base stations. The equipment used to conduct the test attacks needed to be in relatively close proximity to the devices – up to 5 meters (around 16 feet), although the researchers said it would be possible to increase that distance by tens or hundreds of times if sophisticated antennas were used.

It was possible to intercept and manipulate signals with no prior understanding of the devices, even though the device manufacturers had taken some steps to obfuscate the data transmitted to and from the devices.

Fortunately, the attacks require an attacker to hold a magnetic programming head close to the device after it has been implanted before the device becomes capable of receiving radio signals. Once activated, the device can receive messages for a period of up to two hours.

According to the researchers, “Our work revealed serious protocol and implementation weaknesses on widely used ICDs, which lead to several active and passive software radio-based attacks that we were able to perform in our laboratory.” The researchers also explained that “security-by-obscurity is a dangerous design approach that often conceals negligent designs. Therefore, it is important for the medical industry to migrate from weak proprietary solutions to well-scrutinised security solutions and use them according to the guidelines.”

The findings of the research study will be presented at the Annual Computer Security Applications (ACSAC) conference in Los Angeles this week. The research paper can be viewed on this link.

The post Medical Devices Can Be Hacked Using Black Box Approach appeared first on HIPAA Journal.

Experian: Healthcare Organizations Main Targets for Hackers in 2017

Experian’s Data Breach Resolution team has released its annual data breach industry forecast for 2017. Experian has evaluated current cybersecurity trends and has made a number of predictions for the coming year.

One of the key predictions is that hackers will continue to be laser-focused on attacking healthcare organizations. New attack methods will be used and cyberattacks are likely to become much more sophisticated as healthcare organizations improve their security defenses. The primary target will continue to be the electronic protected health information of patients.

The volume of healthcare data stolen in the past two years has been extraordinary. Figures from the Department of Health and Human Services’ Office for Civil Rights show more than 113 million healthcare records were exposed or stolen in 2015. 270 breaches of PHI were reported by healthcare providers, health plans, and business associates of HIPAA-covered entities in 2015.

2016 has seen fewer records stolen or exposed, although the number of reported data security incidents has already surpassed last year’s total. With just over a month of 2016 still to go, 277 PHI breaches have been reported to OCR. Those breaches have impacted 14,562,019 individuals.

Healthcare organizations will continue to be targeted by hackers due to the high value of patient medical information. Patient data can be used to steal identities, file fraudulent tax returns, and obtain credit, medical services and prescription drugs. The volume of healthcare data being offered for sale on the darknet has seen the price of health records fall, although cyberattacks on healthcare organizations are still highly profitable and there is likely to be a continuous demand for fresh healthcare data.

Experian predicts hackers are less likely to concentrate on attacking health plans, as was the case in 2015. Instead, they will search for new targets that have weaker security defenses such as hospital networks.

Ransomware attacks on healthcare organizations increased significantly in 2016. Experian expects ransomware to continue to be used to attack healthcare organizations in 2017. Healthcare providers must have access to electronic health records in order to perform healthcare system operations. Experian expects many will choose to pay ransom demands to prevent disruption to services.

The successful ransomware attacks of 2016 have given ransomware authors more funds to invest in developing increasingly sophisticated ransomware variants. Experian predicts healthcare organizations will have to implement a host of new defenses as ransomware authors develop new variants that are better at evading detection by current cybersecurity technologies. It has also been predicted that ransomware variants will be developed that are capable of stealing data from healthcare organizations, not only preventing data from being accessed.

Not only will patients be impacted by data breaches, so will healthcare employees. Experian expects hackers to also continue to target organizations to obtain W2 data. W2 phishing attacks increased this year and Experian says the lack of action taken by the IRS to prevent tax fraud means 2017 will see similarly high levels of attacks. Experian also expects CEO fraud to increase in 2017 along with other scams that target employees.

According to the report, “Healthcare organizations of all sizes and types need to ensure they have proper, up to date security measures in place, including contingency planning for how to respond to a ransomware attack and adequate employee training about the importance of security.”


50% of U.S. Companies Have Experienced a Ransomware Attack in the Past 12 Months

A recent survey conducted by Vanson Bourne on behalf of endpoint protection software vendor SentinelOne has cast light on the extent to which ransomware is being used to attack organizations around the globe.

500 cybersecurity decision makers were asked questions about recent ransomware attacks experienced by their organization. 48% of respondents said they had experienced at least one ransomware attack in the past 12 months, and those organizations were attacked an average of six times in the past year. 50% of respondents in the United States said they had experienced a ransomware attack in the past 12 months.

Not all attacks resulted in files being encrypted. 27% of respondents said ransomware was installed, but the attackers were not able to encrypt any data. 25% said some files were encrypted but it was possible to recover the files from backups. 45% said files were encrypted but it was possible for the company to decrypt the files. Only 3% of organizations said attacks resulted in file encryption that their organization was unable to decrypt.

Ransom payments were not always made, although the overwhelming majority of respondents – 94% – said the attacks had an impact on their organizations. U.S. companies that were able to recover encrypted files from backups spent an average of 38 man-hours on the task. 67% said ransomware attacks prompted their organization to increase spending on IT security, while 52% said the attacks had resulted in a change in IT security strategies to focus on mitigation. After being attacked, 45% of respondents said they had lost confidence in their cybersecurity defenses.

A majority of ransomware victims said they were able to identify the attacker. 47% said the attacker was based in Eastern Europe while 45% said the attack came from within their own country.

48% said an attack had been conducted by organized cyber criminals and 46% said an attack was performed by an opportunistic hacker. Attacks were also performed by disgruntled employees, dissatisfied customers, rival organizations, protesters, and hacktivists.

While the FBI has urged all organizations to notify law enforcement of a ransomware attack, only 54% of ransomware victims said law enforcement was notified. 61% said they notified the board or CEO, half of respondents said they informed their lawyers, while only 38% would or did alert customers.

81% of respondents said the attacker had installed the ransomware via phishing emails or social media websites. 50% said an attack had occurred via a drive-by download from a compromised website, while 40% said an infection had occurred via a computer that was part of a botnet.

71% of respondents said they needed a new solution to deal with the ransomware threat, while 65% said traditional cybersecurity defenses were ineffective against ransomware and the latest forms of malware. 44% said antivirus software is now dead and is not offering protection against the latest threats, although 85% of respondents said they still installed antivirus software on static endpoints, in many cases only as a checkbox option to satisfy industry regulations.


Healthcare Industry Targeted with Gatak Trojan

The healthcare industry is coming under attack by the actors behind the Gatak Trojan. Gatak, or Stegoloader as it is otherwise known, is not a new malware. The Trojan was first identified in 2011 and has since been used to attack a wide range of targets. However, according to a recent report by Symantec, the actors behind the malware have now set their sights firmly on the healthcare industry.

40% of the most affected organizations are now in the healthcare sector. This signifies a change in targeting, as previously the Trojan has been primarily used to attack insurance companies. While 40% of attacks have not been attributed to any industry sector, the next most targeted industries – which each account for 5% of attacks – are automotive, education, gambling, and construction.

It is currently unclear how the attackers are using the malware to profit from infections, although it is believed that healthcare companies are being targeted due to the value of their stored data. Gatak is primarily an information stealer.

There are two components of the malware. One component performs detailed fingerprinting of the victim and is capable of installing a range of additional payloads. Those payloads can include ransomware. The downloader has been discovered to install Shylock, an old form of ransomware. Symantec suggests that older forms of malware may be installed when the group believes their attack has been detected “to throw investigators off the scent.”

The main module is the information stealing component. Gatak is particularly dangerous because it is difficult to detect and can remain dormant for long periods. Gatak is also capable of moving laterally across a network and infecting multiple devices. According to Symantec, this usually occurs within two hours of infection.

Symantec reports that lateral movement does not appear to be automatic; instead, other devices are attacked manually. Symantec does not believe the attackers are using sophisticated tools to spread the infection, but are instead exploiting weak security and poor passwords.

While many forms of malware are inadvertently installed via malicious websites or spam email, Gatak appears to be almost exclusively spread via shadow IT: programs that have been installed on computers by employees without the knowledge of the IT department. In some cases, pirated software is actually installed by IT departments to automate IT tasks. The infections do not occur as a result of the installation of the pirated software, but with the keygen that is used to generate the license key.

The Trojan is bundled with the keygen. When the executable is run, the Trojan is silently installed. Symantec notes that the keygens used by the group behind Gatak do not generate genuine product keys. The group behind Gatak is targeting companies by supplying fake keygens for software typically used in professional environments.

These include HDClone – a hard disk cloning program; PremiumSoft Navicat Premium – database administration software; Originlab Originpro – data analysis software; and Symantec System Recovery – backup and data recovery software. The latter could pose the biggest threat to healthcare organizations that are attempting to improve defenses against ransomware attacks by using pirated backup software.

Symantec notes that its products protect against the threat, but advises IT departments, particularly those in the healthcare industry, to conduct regular audits of software installed on their networks. Symantec also suggests reminding employees not to install pirated and/or unauthorized software.


New Attack Vector Used to Spread Locky Ransomware

This year, hospitals throughout the United States have been targeted by cybercriminals using ransomware. The malicious file-encrypting software is used to lock files that are critical for healthcare operations in the hope that a ransom payment will be made in order to regain access to locked data.

In February, Hollywood Presbyterian was attacked and its computer systems were taken out of action for more than a week while the infection was removed. A ransom demand of $17,000 was issued and was paid by the Medical Center after attempts to recover files from backups failed. The attack is understood to have involved Locky ransomware.

Locky encrypts a wide range of file types including office documents, PDF files, databases, and images. Files are renamed and new extensions are added to make it harder for victims to identify which files have been encrypted. Windows Shadow Copies are also deleted. Locky can spread laterally through a network and is capable of encrypting files on portable storage devices, such as those used for backing up data.
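Two of the behaviours described above (deletion of Windows Shadow Copies and bulk renaming of files to a new extension) can be spotted in endpoint telemetry. The detector below is an added example, not code from the HIPAA Journal post or from any vendor; the pipe-separated log format, the vssadmin command-line pattern, the rename threshold and window, and the sample log lines (including the .zepto extension) are all constructed assumptions for this example.

```python
"""Spot two Locky-style behaviours in constructed endpoint log lines.

Assumed log format, one event per line:
    <ISO timestamp>|process|<command line>
    <ISO timestamp>|rename|<old path> -> <new path>
Signals checked: shadow copy deletion via vssadmin, and a burst of
renames that give many files the same new extension.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

RENAME_THRESHOLD = 5                    # renames to one new extension ...
RENAME_WINDOW = timedelta(seconds=60)   # ... within this window (illustrative)


def _parse(line: str):
    ts, kind, detail = line.rstrip("\n").split("|", 2)
    return datetime.fromisoformat(ts), kind, detail


def shadow_copy_deletion(cmd: str) -> bool:
    """True for a vssadmin command line that deletes shadow copies."""
    c = cmd.lower()
    return "vssadmin" in c and "delete" in c and "shadows" in c


def detect(lines) -> list[str]:
    """Return one alert string per suspicious behaviour found in the log."""
    alerts = []
    recent = defaultdict(deque)   # new extension -> timestamps of recent renames
    fired = set()                 # extensions already alerted on
    for line in lines:
        ts, kind, detail = _parse(line)
        if kind == "process":
            if shadow_copy_deletion(detail):
                alerts.append(f"{ts.isoformat()} shadow copy deletion: {detail}")
        elif kind == "rename":
            old, new = (p.strip() for p in detail.split("->", 1))
            old_ext = ntpath.splitext(old)[1].lower()
            new_ext = ntpath.splitext(new)[1].lower()
            if not new_ext or new_ext == old_ext:
                continue          # ordinary rename, extension unchanged
            q = recent[new_ext]
            q.append(ts)
            while q and ts - q[0] > RENAME_WINDOW:
                q.popleft()       # drop renames outside the window
            if len(q) >= RENAME_THRESHOLD and new_ext not in fired:
                fired.add(new_ext)
                alerts.append(
                    f"{ts.isoformat()} mass rename to {new_ext}: "
                    f"{len(q)} files in {RENAME_WINDOW.seconds}s")
    return alerts


# Constructed sample: one benign rename, then shadow copy deletion and
# five files renamed to an opaque name with a .zepto extension.
SAMPLE_LOG = """\
2016-11-21T09:58:10|rename|C:\\Users\\alice\\Desktop\\draft.docx -> C:\\Users\\alice\\Desktop\\draft-v2.docx
2016-11-21T10:00:01|process|C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet
2016-11-21T10:00:02|rename|C:\\Users\\alice\\Documents\\report.docx -> C:\\Users\\alice\\Documents\\4F2A1C9E.zepto
2016-11-21T10:00:02|rename|C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\7B33D0A1.zepto
2016-11-21T10:00:03|rename|C:\\Users\\alice\\Documents\\scan.pdf -> C:\\Users\\alice\\Documents\\0C9E55F2.zepto
2016-11-21T10:00:03|rename|C:\\Users\\alice\\Pictures\\xray.jpg -> C:\\Users\\alice\\Pictures\\9A1B2C3D.zepto
2016-11-21T10:00:04|rename|C:\\Users\\alice\\Pictures\\mri.png -> C:\\Users\\alice\\Pictures\\D4E5F6A7.zepto
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```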

The actors behind Locky distribute the ransomware using exploit kits, spam email, and malvertising campaigns. Exploit kit activity has fallen in recent months with spam email now the main attack vector. However, this month has seen exploit kit activity increase. Locky is now being distributed using the Bizarro Sundown exploit kit. Two versions of Bizarro Sundown have been identified that are being used to distribute two versions of Locky – Odin and Zepto – via the Shadowgate malvertising campaign.

Hospitals are also being targeted via spam email. The latest campaigns use social engineering techniques to lure end users into opening malicious email attachments. One of the latest email variants appears to have been sent by the organization’s Internet service provider. The emails claim computers are being used to distribute spam email. If the attached zip file is extracted and the executable file is run, Locky will be downloaded.

Malvertising, exploit kits, and spam email have been used to distribute Locky ransomware since its release in February; however, now the actors behind the ransomware have changed tactics once again and are using a new vector to infect users: Facebook Messenger.

The Facebook Messenger campaign bypasses whitelisting and other security controls used by the social media giant. Messages are sent containing an image – a Scalable Vector Graphics (SVG) file – that has malicious JavaScript embedded. Opening the image file will direct the user to a spoofed YouTube site. The user will be required to install a codec (a Chrome extension) to allow the video to run.

Installing that codec/Chrome extension will result in Nemucod being downloaded to the victim's computer. Nemucod is a malware downloader that can install a wide range of malicious software, including Locky.
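An SVG file is XML, so unlike a JPEG or PNG it can carry `<script>` elements, `on*` event-handler attributes and `javascript:` links, which is what the campaign above relies on. The checker below, an added example that is not code from the post or from Facebook, flags those constructs so an upload filter or mail gateway can reject the file before a browser opens it; the sample SVGs are constructed for this example.

```python
"""Flag SVG images that carry executable content.

A plain vector image never needs a <script> element, an on* event
handler or a javascript: URL, so any of them is reason enough to
quarantine the file. Parsing is done with the standard XML parser,
which does not execute anything; nothing in the file is rendered.
"""
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip an XML namespace such as {http://www.w3.org/2000/svg} from a tag."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG is suspicious; an empty list means clean."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings = []
    for elem in root.iter():            # walks the root and every descendant
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("<script> element present")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()  # also catches xlink:href
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed samples: a harmless circle, and an SVG whose onload handler
# runs an embedded script that redirects the viewer elsewhere.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             b'<circle cx="5" cy="5" r="4"/></svg>')

SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="go()">'
              b'<script>//<![CDATA[\n'
              b'function go(){ window.location = "https://video.example.invalid/"; }\n'
              b'//]]></script></svg>')

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SVG), ("script", SCRIPT_SVG)):
        print(label, svg_findings(blob) or "ok")
```

The check is deliberately strict: it rejects on presence of the construct rather than trying to judge what the script does, because a browser opening the file directly will run it regardless.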

The attackers are constantly changing Locky and releasing new variants. Attack vectors and delivery methods are also frequently changed. Protecting against Locky ransomware attacks therefore requires multi-layered defenses to be deployed, including next generation firewalls, intrusion detection systems, and antivirus and antimalware software.

Healthcare organizations can reduce the risk from exploit kits and malware by implementing a web filtering solution to control the websites that can be visited by end users. Web filters can also be used to block Facebook Messenger. Spam filters can be used to intercept malicious email messages and prevent them from being delivered to end users. Security awareness training is also essential to ensure end users are taught security best practices.

However, these controls are not infallible. It is therefore essential that organizations segment networks to reduce the damage that is caused if ransomware is installed. All critical data should be regularly backed up on air-gapped devices or in the cloud, and multiple backups should be performed.


OIG to Conduct Penetration Tests to Assess HHS Application Security

The Office of Inspector General (OIG) has announced that it will be continuing to assess the information security controls of the Department of Health and Human Services (HHS) in 2017 to ensure those controls meet federal information security standards.  

Audits will be conducted to assess the network security posture of the HHS. The main focus of the audits will be access controls and physical security. The audits will also look at web application and database security.

The OIG has announced that next year’s HHS audits will include penetration tests to check for vulnerabilities that could potentially be exploited by hackers to gain access to HHS systems.

State-sponsored hacking groups have been attacking government agencies with increased frequency in recent years. It is therefore essential to thoroughly assess security controls to ensure that networks and applications are not susceptible to cyberattacks.

Penetration testing will allow the OIG to assess how hackers could potentially gain access to networks and sensitive data, as well as the tools and techniques that could potentially be used to attack the HHS.

The HHS will be notified of any security weaknesses that are identified to allow them to be mitigated before they can be exploited by hackers.

The OIG will also assess HHS security controls to track prescription drug reimbursements and HHS’ applications that are used to track the disbursement of prescription drugs. The OIG will also start assessing some of the privacy and security issues surrounding the use of Internet of Things devices. 

According to the OIG, the Federal Information Security Modernization Act (FISMA) requires “agencies and their contractors maintain programs that provide adequate security for all information collected, processed, transmitted, stored, or disseminated in general support systems and major applications.” The HHS’ FISMA compliance program will also be reviewed in 2017.

The OIG’s 2017 work plan can be viewed on this link.


69% of IT Security Pros Concerned About Unauthorized Cloud Data Access

The adoption of cloud services continues to increase, with 68% of organizations now using at least one cloud service, up from 43% last year. However, the security of data stored in the cloud is still a major concern, according to the second annual Cloud Security Report from Netwrix.

For the global Cloud Security Report, Netwrix surveyed 660 companies spread across more than 30 industries. The research shows that while cloud service providers are committing more resources to protecting their infrastructure and customers’ data, they are struggling to convince IT security professionals that adequate protections have been put in place.

7 out of 10 organizations expressed concern about the privacy and security of cloud technology and fewer than half of organizations (44%) that use cloud services believed adequate protections had been implemented by their cloud service providers.

The biggest concern was unauthorized data access by employees and third parties. 69% of respondents expressed concern about unauthorized access. The other two main concerns were malware and Denial of Service attacks, rated as a top concern by 37% and 34% of survey respondents respectively.

The survey shows that many organizations are frustrated by the lack of visibility into the activities not only of privileged users but also of their own employees. While misuse of cloud services by privileged users is a worry, organizations are more concerned about insider misuse. 24% of respondents complained about the inability to view the activities of privileged users, while 29% said they would like to be able to monitor the activities of their own employees.

When asked about the importance of visibility, an overwhelming majority said visibility into user activities was an important part of security guarantees. Just 5% of respondents said visibility did not have any impact on cloud data security.

The perceived lack of security is stopping many organizations from adopting cloud services. Out of the respondents who were pessimistic about the cloud, 56% said better security mechanisms would be likely to change their mind about cloud technology adoption. Data security concerns are high, but confidence in cloud data security is improving. Last year when the same question was asked, 64% said better security would change their minds.

Cost was also a major concern. 54% of respondents said lower costs would help to change their minds about cloud technology and services, which is unsurprising considering 33% of respondents said cloud technology did not meet their budgetary expectations.

18% of IT security professionals said nothing would change their mind about cloud technologies and that they would not consider incorporating them into their IT landscapes.

Of the respondents that had already adopted cloud services, 41% claimed the use of the cloud had improved security while 30% said cloud adoption had made no change to the security of their IT infrastructure or data. Only 11% thought cloud adoption had had a negative impact on infrastructure or data security.

According to the survey, the most popular cloud models were software-as-a-service (SaaS), followed by infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS). 73% of organizations use SaaS, 34% use IaaS, and 26% use PaaS, with a growing trend for businesses to adopt a hybrid cloud model – a combination of private and public clouds. The decision to opt for the hybrid model was to help balance costs, ensure sensitive data was appropriately secured, and to get the maximum business benefits.


NIST Releases Guidelines for Securing Internet-Connected Devices

On Tuesday this week at the Splunk GovSummit in Washington D.C., the National Institute of Standards and Technology (NIST) unveiled its Systems Security Engineering guidelines (NIST SP 800-160) – a set of detailed guidelines to help security engineering and other engineering professionals better protect Internet-connected devices.

The NIST guidelines are the product of four years of research and development. They have been available in draft form since 2014, although the document has only just been finalized. The guidelines were initially scheduled to be released in December, although NIST took the decision to bring forward the release date and published the finished document a month early.

According to NIST, “the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States.”

Currently, Internet-connected devices are coming to market without adequate security controls. Only when hackers succeed in compromising those devices do the risks become abundantly clear.

Improving device security is a complex task that cannot simply involve bolting on additional protections as an afterthought. Security needs to be considered when developing products and must be factored into all stages of the product lifecycle. That is a complex task, hence the need for detailed guidance.

As NIST explains, “Increasing the trustworthiness of systems is a significant undertaking that requires a substantial investment in the requirements, architecture, design, and development of systems, components, applications, and networks.”

The guidelines apply not only to systems, but also the components that make up those systems and the services which depend on those systems. The 242-page document details 30 separate processes covering the entire life cycle of products from the initial planning stages through to disposal along with the actions that must be taken to ensure more defensible and survivable systems are developed.

NIST used International Standards for systems and software engineering as a base, and built on those standards by including a range of systems security engineering methods, practices, and techniques. The new guidelines use a security engineering approach to prevent penetration and limit damage if systems are breached.

NIST fellow Ron Ross says, “The ultimate objective is to obtain trustworthy secure systems that are fully capable of supporting critical missions and business operations while protecting stakeholder assets, and to do so with a level of assurance that is consistent with the risk tolerance of those stakeholders.”

According to U.S. Chief Information Officer Tony Scott, who joined Ross at the Summit announcing the release of the guidelines, the document “will change the national dialogue from one of victims to one of a group of people who can do something about this.”
