Healthcare Information Technology

HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management

Posted by HIPAA Journal

The Health Information Trust Alliance (HITRUST) has announced a new partnership with Trend Micro. The aim of the partnership is to speed the delivery of cyber threat research and education and improve organizational threat management.

The partnership has seen the creation of the Cyber Threat Management and Response Center which will help to expand cyber threat information sharing and improve the service to healthcare organizations at all levels of cybersecurity maturity, helping them to deal with the increasing range of cyber threats and frequency of attacks.

HITRUST already shares cyber threat intelligence with organizations that have signed up with its Cyber Threat Xchange (CTX) – the most widely adopted threat information sharing organization for the healthcare industry.

HITRUST collects, analyses and distributes cyber threat information through CTX, including indicators of threats and compromise and has been working hard over the past 18 months to expand the collection of cyber threat information through its Enhanced IOC Collection Program. HITRUST now leads the industry in the identification of unique IOCs.

HITRUST has been trying to improve its threat information sharing program to better serve the healthcare industry. HITRUST has identified a number of key areas where improvements can be made, including speeding up the collection, analysis and delivery of threat information, advancing its threat hunting capabilities and improving reporting, integration, education and collaboration.

After assessing costs, skill sets, available resources and current capabilities, HITRUST determined the best way to improve its service was through a partnership with an established and well-qualified cyber research lab. Trend Micro was the natural choice.

One of the key areas where the Cyber Threat Management and Response Center will be able to help is ensuring threat information is shared in a format that can be easily consumed and leveraged by all healthcare organizations to mitigate risk.

HITRUST points out that through the HITRUST CTX, threat information was shared with healthcare organizations about both the WannaCry and NotPetya attacks. The outreach to organizations occurred soon after the threat was detected, with threat indicators shared 14 days before the first organization reported it had experienced an attack. The information allowed many healthcare organizations to take proactive steps to mitigate risk. However, HITRUST found that some healthcare organizations were unable to consume the information it shared.

Through the Cyber Threat Management and Response Center HITRUST “will deliver capabilities to address cyber threat management, defense, and response based on an organization’s cyber maturity level.”

“The HITRUST CTX has established itself as a leader in the collection of threat indicators. Now the focus needs to be ensuring organizations of any cyber maturity can leverage this information in a timely manner,” said Kevin Charest, DSVP and CISO, Health Care Service Corp. He explained that “Information sharing has no value if people can’t quickly act upon it, making the HITRUST CTX transition to cyber threat management a crucial step for industry.”

HITRUST has outlined the first phase of expanding its resources through the Cyber Threat Management and Response Center and says the new partnership with Trend Micro will allow it to offer:

  • Access to the world’s best threat research lab will enable HITRUST to collect and distribute a much broader range of IOCs
  • Analyses and research will be disseminated much more rapidly and geared to organizations at all levels of maturity
  • The center will have access to more healthcare industry specific vulnerabilities and threat information
  • Vulnerability information and IOC and TTP linkage with the HITRUST Threat Catalogue will be expanded
  • The center will have the resources to enable more responsive community engagement and assistance, including inquiry response and IOC submission analysis
  • HITRUST will improve tracking and monthly reporting of cyber threats targeting healthcare data and healthcare organizations

HITRUST has confirmed that it will continue to provide basic access to the HITRUST CTX and the new HITRUST Cyber Threat Management and Response Center at no cost, with the new center to be made available from October 1, 2017.

The post HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management appeared first on HIPAA Journal.

Medical Device Cybersecurity Act Takes Aim at Medical Device Security

Posted by HIPAA Journal

A new bill has been introduced in Congress that aims to ensure the confidential medical information of patients on medical devices is protected and security is improved to make the devices more resilient to hacks.

The bill – The Medical Device Cybersecurity Act of 2017 – was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT) and is supported by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS).

Recent ransomware and malware attacks and hacks have demonstrated how vulnerable some medical devices are. Ransomware incidents have resulted in medical devices being taken out of action, causing major disruptions at hospitals and delaying the treatment of patients. There is no sign of these incidents slowing or stopping. In all likelihood, they will increase.

While healthcare organizations are working hard to improve their defenses against cyberattacks, medical device manufacturers are not doing enough to ensure their devices are secure and remain so for the lifespan of the products. Many medical devices have been found to contain a slew of vulnerabilities that could be exploited by cybercriminals.

Yesterday, The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning about vulnerabilities in Siemens CT and PET scanner systems. The four vulnerabilities could all be exploited remotely and ICS-CERT said attacks would require a low skill level.

In March last year, the Department of Homeland Security issued an alert about the Pyxis Supply Station from CareFusion. The drug cabinet system was found to have 1,418 vulnerabilities.

Last year flaws were discovered in St. Jude Medical devices that if exploited, would cause the devices to malfunction.

Medical devices are coming to market that have not been adequately tested for security flaws. The problem is widespread. Earlier this year, researchers from security firm WhiteScope conducted an analysis of implantable cardiac devices and programmers. The researchers discovered more than 8,000 security flaws in multiple devices.

A new form of MedJack malware was discovered earlier this year. The malware was developed specifically to attack medical devices such as heart monitors and MRI machines. An earlier version of the malware was used to attack medical devices at three hospitals in 2016.

As Blumenthal correctly points out, “The security of medical devices is in critical condition.” The new bill seeks to address the problem and improve the security of medical devices and increase transparency. If passed, the Medical Device Cybersecurity Act would make healthcare organizations aware of the cyber capabilities of devices and the extent to which those devices have been tested.

Blumenthal points out in a recent blog post, “My bill will strengthen the entire healthcare network against the ubiquitous threat of cyberattacks. Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”

The Medical Device Cybersecurity Act of 2017 would amend the Federal Food, Drug and Cosmetic Act. Some of the key changes detailed in the Medical Device Cybersecurity Act of 2017 are:

Require all medical devices to be thoroughly tested for vulnerabilities before sale. A cyber report card would be created for devices that would detail the tests that have been performed.

Remote access protections would need to be incorporated into devices to prevent unauthorized access from inside and outside of hospitals.

The bill would require crucial cybersecurity fixes and updates to remain free and not require FDA recertification.

Manufacturers would be required to issue guidance for end-of-life of the devices, detailing how the devices should be disposed of to avoid the exposure of sensitive data. Blumenthal also proposes that ICS-CERT’s responsibilities are expanded to include medical devices.

The post Medical Device Cybersecurity Act Takes Aim at Medical Device Security appeared first on HIPAA Journal.

Warning Issued Over Vulnerabilities in Siemens CT and PET Scanners: Exploits Publicly Available

Posted by HIPAA Journal

Warnings have been issued about four vulnerabilities in Siemens CT and PET scanner systems following the discovery of four publicly available exploits. Siemens is currently developing patches to address the vulnerabilities.

The flaws affect multiple Siemens medical imaging systems including Siemens CT, PET, SPECT systems and medical imaging workflow systems (SPECT Workplaces/Symbia.net) that are based on Windows 7.

The vulnerabilities allow remote code execution, potentially giving attackers access to the scanners and networks to which the systems are connected. One of the main risks is malware and ransomware infections, which in the case of the latter can prevent the devices from being used. It is also possible that a malicious actor could interfere with the systems causing patients harm.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also issued an alert, warning healthcare organizations to ensure the devices are run on a “dedicated, network segment and protected IT environment” until the patches are applied. Siemens rated the flaws as highly critical, giving them a CVSS score of 9.8 out of 10 and suggests the devices should be run in standalone mode until the patches are applied.

To protect the systems from attack, healthcare organizations should ensure the systems are not be accessible over the Internet and are isolated from other networks and located behind firewalls.

If remote access is required, Virtual Private Networks (VPNs) should be used, although the use of VPNs is not without risks. Many VPNs also have vulnerabilities that could be remotely exploited. ICS-CERT says if remote access is unavoidable, the latest versions of VPNs should be used.

One of the vulnerabilities concerns improper restriction of operations within the bounds of a memory buffer, two are code injection vulnerabilities with one exploiting permissions, privileges and access controls. All the vulnerabilities are remotely exploitable.  The code injection vulnerabilities can be exploited by sending a specially crafted HTTP request to over port 80 and 443 to the Microsoft IIS webserver. The remaining two vulnerabilities could be exploited by sending a specially crafted request to the HP Client automation service.

ICS-CERT says exploiting the vulnerabilities would only require a low skill level.

The post Warning Issued Over Vulnerabilities in Siemens CT and PET Scanners: Exploits Publicly Available appeared first on HIPAA Journal.

Only One Third of Patients Use Patient Portals to View Health Data

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits patients to access the health information held by their providers, yet relatively few patients are exercising that right, according to a recent U.S. Government Accountability Office (GAO) report, at least through patient portals.

The Medicare Electronic Health Record Incentive Program encouraged healthcare providers to transition from paper to electronic medical records and now almost 90% of patients of participating providers have access to patient portals where they can view their health data. Even though patients have been provided with access, fewer than a third of patients are using patient portals to view their health information.

GAO looked at patient health information access from the patients’ perspective, conducting interviews with patients to find out why they are not taking advantage of this valuable resource.

Out of the healthcare organizations that participated in the Medicare EHR Program, 88% of hospitals and 87% of professionals offered patients access to their health information online, yet only 15% of hospital patients and 30% of other providers’ patients accessed their data online.

When patient portals are used to access health data it is usually preceding a medical appointment or soon afterwards to view medical test results. Information is also commonly accessed in order to share health data with a new healthcare provider. However, mostly, patients were using the portals to schedule appointments, set reminders or order medication refills.

The problem does not appear to be a lack of interest in viewing or obtaining health information, rather it is one of frustration. The process of setting up access to patient portals and viewing health data is time consuming. Patients usually have multiple healthcare providers and must repeat the process for each provider. In order to view all their health information, they must use a different portal for each provider and manage separate login information for each. Further, patient portals are not standardized. Each requires patients to learn how to access their information and familiarize themselves with the portal.

When the patient portals have been set up, patients often discover incomplete or inaccurate information, with information inconsistent among different providers. It would make life easier if all information could be transferred electronically between each provider or aggregated in one place, yet patients were confused by the process and were unaware if this was possible, and if so, how it could be done. Many patients did not even know if their health information could be downloaded or transmitted.

GAO pointed out that while the HHS has been encouraging healthcare providers to give patients access to health data via patient portals, there does not appear to have been any follow up. GAO says the HHS appears to be unaware of how effective its program has been. GAO has recommended HHS set up some performance measures to determine whether its efforts are actually working.

The post Only One Third of Patients Use Patient Portals to View Health Data appeared first on HIPAA Journal.

Survey Shows Only a Quarter of Hospitals Have Implemented a Secure Text Messaging Platforms

Posted by HIPAA Journal

The use of secure text messaging platforms in healthcare has grown over the past few years, although a recent survey published in the Journal of Hospital Medicine suggests adoption of HIPAA-compliant messaging systems remains relatively low, with only a quarter of hospitals using a secure platform for sending messages to clinicians.

The survey was conducted on 620 hospital-based clinicians identified from the Society of Hospital Medicine database.

Secure text messaging platforms comply with HIPAA Rules and feature end-to-end encryption to prevent messages from being intercepted. Access controls are also incorporated to ensure only the intended recipient can view messages. Since messages cannot be sent outside the system, the platforms prevent accidental disclosures of PHI. Multi-media messages can also be sent, including test results and images.

Secure text messaging platforms are a natural replacement for outdated pagers, allowing much more meaningful communication, although the survey suggests only 26.6% of hospitals have introduced the systems. Even when secure messaging systems have been implemented, they were not widely used by clinicians. Only 7.3% of respondents said a secure messaging system was being used by most clinicians.

Pagers remain the most commonly used communication systems and are still used by 79.8% of hospitals to communicate with clinicians. 49% of respondents said they use pagers for patient care–related (PCR) communications.

The survey also revealed that standard text messages are being extensively used, often to communication PHI, even though sending PHI over the SMS network is a violation of HIPAA Rules. Standard text messages are not encrypted, do not have access controls and can easily result in the accidental disclosure of PHI to unauthorized individuals.

52.9% of clinicians said they received standard text messages for PCR communications at least once a day and 21.5% of respondents said they received standard text messages including the individually identifiable information of patients. 41.3% said they received some identifiable information such as patients initials along with health care related information. 21% said text messages regarding urgent healthcare information were received at least once a day.

Text messages are a convenient method of communication for use in hospitals. The majority of physicians carry mobile phones at work, although without a secure messaging platform, there is considerable potential for a HIPAA violation.

The HHS’ Office of the National Coordinator for Health IT has made it clear that standard text messaging is not secure and should not be used to communicate PHI since there is no encryption or access controls.

ONC suggests, “Implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices.”

The post Survey Shows Only a Quarter of Hospitals Have Implemented a Secure Text Messaging Platforms appeared first on HIPAA Journal.

Is Google Drive HIPAA Compliant?

Posted by HIPAA Journal

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant?

Is Google Drive HIPAA Compliant?

The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules.

G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users.

G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied.

The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business associate agreement (BAA) prior to the service being used with any PHI. Google offers a BAA for Google Drive (including Docs, Sheets, Slides, and Forms) and other G Suite apps for paid users only.

Prior to use of any Google service with PHI, it is essential for a covered entity to review, sign and accept the business associate agreement (BAA) with Google. It should be noted that PHI can only be shared or used via a Google service that is specifically covered by the BAA. The BAA does not cover any third-party apps that are used in conjunction with G Suite. These must be avoided unless a separate BAA is obtained from the provider/developer of that app.

The BAA does not mean a HIPAA covered entity is then clear to use the service with PHI. Google will accept no responsibility for any misconfiguration of G Suite. It is down to the covered entity to make sure the services are configured correctly.

Covered entities should note that Google encrypts all data uploaded to Google Drive, but encryption is only server side. If files are downloaded or synced, additional controls will be required to protect data on devices. HIPAA-compliant syncing is beyond the scope of this article and it is recommended syncing is turned off.

To avoid a HIPAA violation, covered entities should:

  • Obtain a BAA from Google prior to using G Suite with PHI
  • Configure access controls carefully
  • Use 2-factor authentication for access
  • Use strong passwords
  • Turn off file syncing
  • Set link sharing to off
  • Restrict sharing of files outside the domain (Google offers advice if external access is required)
  • Set the visibility of documents to private
  • Disable third-party apps and add-ons
  • Disable offline storage for Google Drive
  • Disable access to apps and add-ons
  • Audit access and account logs and shared file reports regularly
  • Configure ‘manage alerts’ to ensure the administrator is notified of any changes to settings
  • Back up all data uploaded to Google Drive
  • Ensure staff are training on the use of Google Drive and other G Suite apps
  • Never put PHI in the titles of files

To help HIPAA-covered entities use G Suite and Google Drive correctly, Google has released a Guide for HIPAA Compliance with G Suite to assist with implementation.

The post Is Google Drive HIPAA Compliant? appeared first on HIPAA Journal.

ONC Offers Help for Covered Entities on Medical Record Access for Patients

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give medical record access for patients on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request.

Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case.

Patients often have difficulty accessing their electronic health data with many healthcare organizations unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other healthcare providers, they can find it difficult to find the information they need.

The Office of the National Coordinator for Health Information Technology (ONC) has recently published a report detailing some of the problems faced by healthcare providers when providing medical record access for patients. The report offers useful tips for healthcare organizations to help them provide medical record access for patients quickly and easily.

For the report- Improving the Health Records Request Process for PatientsONC spoke to 17 consumers to find out about the challenges they faced when attempting to gain access to their medical records. The report includes three examples of patients and caregivers that have experienced difficulties when attempting to exercise their right to access medical data. The personas are fictional, although the challenges faced by those personas were taken from real world examples.

ONC also looked at the medical record release forms used by 50 large healthcare systems across 32 states and spoke to stakeholders and health system professionals about the challenges faced when trying to provide patients with copies of their health records. ONC discovered the process of providing electronic copies of health records is often hampered by inefficient systems and limited resources.

The research has allowed ONC to develop tips to help healthcare providers create a streamlined, transparent, and electronic records request process. Making the suggested changes will allow health systems to improve the process of providing access to health data. Patients will then suffer less frustration and be able to obtain their records faster, allowing them to coordinate their care more effectively and have greater control over their health and wellbeing.

The post ONC Offers Help for Covered Entities on Medical Record Access for Patients appeared first on HIPAA Journal.

AMIA Urges HHS to Provide More Information on Common Rule Updates

Posted by HIPAA Journal

The Federal Policy for the Protection of Human Subjects, otherwise known as the Common Rule, was first adopted in 1991; however, there have been numerous calls for the policy to be updated.

The purpose of the Common Rule is to provide a framework for protecting human research subjects across the entire federal government. The Common Rule was introduced at a time when research was mainly conducted at medical institutions and universities. At the time, digital data was not in use.

The past 26 years have seen considerable changes to where research is conducted, how much information is now available, how easy it is for information to be shared and for research participants to be identified.

Earlier this year, proposed Common Rule updates were published by the HHS. The Trump administration is reviewing the Common Rule updates, although at this stage it is unclear whether any changes will be made, and if so, when those changes will be implemented.

The updates were subjected to a 40-day regulatory freeze; but more than 150 days have now passed and there has been no further communication to stakeholders on the status of the Common Rule updates. It is unclear whether the proposed effective date of January 19, 2018 will be met.

The American Medical Informatics Association (AMIA) is concerned over the lack of progress and has recently voiced its concerns in a letter to the Department of Health and Human Services and the Office of Management and Budget.

In its letter, AMIA strongly encourages federal officials to keep the original effective date due to the pressing need for changes to the Common Rule, although AMIA has recommended moving the compliance date forward to June 19, 2018 to give researchers more time “to harmonize old and new provisions”.

The lack of any further information is a concern. AMIA suggests an official announcement should be made about the Common Rule updates immediately.

In the letter, AMIA says, “Over the last several years, a paradigm shift has occurred in the nature, scope and frequency of research involving human subjects, their biospecimens, and their data. Combined with rapid adoption of electronic health records (EHRs) by care providers and dramatic improvements in computing technology, we believe the final revisions to the Common Rule are necessary to improve discovery of new health insights and advance healthcare transformation.”

The Common Rule updates include new protections for individuals who choose to take part in research studies, but the updates will also reduce administrative burdens, particularly for low-risk research studies. For example, exemptions have been included when low risk studies are conducted by HIPAA-covered entities. This would also allow more secondary research of EHR data. The administrative burden is further reduced by eliminating the need for a continuous review for many studies.

The changes also allow researchers to obtain broad consent which will greatly improve availability of biospecimens and patient-reported data for secondary research. Important changes are also made to consent, requiring the most important information to be communicated to participants clearly and concisely in a way that a reasonable person would understand.

The changes will also mean potential research participants are screened more effectively, which will help identify patients who qualify for new treatments and ensure those individuals learn about their options.

AMIA President and CEO Douglas B. Fridsma, said, “Patients expect researchers to leverage their data for improved care in responsible ways. The updated Common Rule enables and encourages better transparency so that new discoveries are possible.”

Peter J. Embi, MD, MS, President and CEO Regenstrief Institute, Inc., said, “It is critical that we adopt these changes for the sake of our national research enterprise,” Embi went on to explain, “We need to know that important aspects of the finalized Common Rule will proceed as planned. Without such a clear signal, the revised Common Rule’s new benefits will be delayed, leaving in place a 26-year old rule that doesn’t serve the needs of research participants or the research community.”

The post AMIA Urges HHS to Provide More Information on Common Rule Updates appeared first on HIPAA Journal.

U.S. Healthcare Providers Affected by Global Ransomware Attack

Posted by HIPAA Journal

NotPetya ransomware attacks have spread to the U.S. Decryption may not be possible even if the ransom is paid. Details of how to prevent attacks are detailed below.

NotPetya Ransomware Attacks Spread to the United States

Tuesday’s global ransomware attack continues to cause problems for many organizations in Europe, with the attacks now having spread to North America. The spread of the ransomware has been slower in the United States than in Europe, although many organizations have been affected including at least three healthcare systems.

Pennsylvania’s Heritage Valley Health System has confirmed that its computer systems have been infected with the ransomware. The ransomware has affected the entire health system including both of its hospitals and its satellite and community facilities.

While medical services continue to be provided, computer systems were shut down and some non-urgent medical procedures were postponed. 14 of the health system’s community facilities were closed on Wednesday as a result of the attack and lab and diagnostic services were also affected

The health system’s communications director, Suzanne Sakson said, “Corrective measures supplied by our antivirus software vendor have been developed and are being implemented and tested within the health system.”

No evidence has been uncovered to suggest protected health information has been accessed, although an investigation into the incident is ongoing.

West Virginia’s Princeton Community Hospital has also been affected with many of the hospital’s computers taken out of action following infection with ransomware. An investigation has been launched to determine whether patient health information was potentially accessed. Hospital spokesperson Rick Hypes said the hospital has implemented its protocols for cyberattacks and patient care is continuing to be provided.

The New Jersey-based pharmaceutical firm Merck has also been affected.

While it was initially believed the attacks involved Petya ransomware, security researchers believe this is a Petya-like ransomware variant from the same family. It has already attracted a variety of names including NotPetya, SortaPetya, GoldenEye, Petna, Nyeta and ExPetr.

Decryption Unlikely, Even if the Ransom is Paid

The ransomware variant deletes and replaces the Master File Table (MFT) which prevents computers from being able to locate files. The attackers have collected some ransom payments, although recovering systems by paying the ransom may not be possible.

The attacker was using an email account through a German email provider; however, that email account has been suspended. The email account was used to verify payment of a ransom. Without access to that email account, payment verification would be prevented.

Security researchers at Kaspersky Lab have also discovered a flaw in the ransomware which prevents data recovery, even if the ransom is paid. Kaspersky Lab issued a statement saying “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.”

Some security researchers have suggested that the goal of the attack was therefore not extortion but sabotage. Matt Suiche suggested in a recent analysis of the attack that “The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.” However, also likely is a mistake by the attackers when developing their ransomware.

The number of victims has been steadily rising, with Kaspersky Lab identifying 2,000 attacks on Tuesday, while Microsoft now reports there has been at least 12,500 infections across 65 countries.

The attacks have hit multinational companies hard, with infections first occurring in European facilities but then subsequently spreading across networks to other geographical locations. Shipping firm Maersk had its Danish facilities infected, followed by infections in Ireland, the UK and other countries.

How to Prevent Infection with NotPetya Ransomware

Two exploits released by Shadow Brokers have been used to spread infections – EternalBlue and EternalRomance – both of which were addressed with the MS17-010 patch issued by Microsoft in March, which was subsequently expanded for use on non-supported Windows versions such as Windows XP following the WannaCry ransomware attacks last month.

However, if one computer on a network has not been patched the machine can be infected. The infection can then spread across a network to patched computers.

Even if all vulnerable machines have been patched, infection may still occur. The attackers are using multiple attack vectors including spam emails containing malicious attachments.

To protect against these NotPetya ransomware attacks – and other similar attacks – the MS17-010 patch must be applied to all Windows devices. Since data recovery may not be possible it is essential for data to be backed up, with multiple copies made, including one copy on an air-gapped machine that is not exposed via the Internet.

Rapid7 recommends organizations should “employ network and host-based firewalls to block TCP/445 traffic from untrusted systems.” Additionally, “if possible, block 445 inbound to all internet-facing Windows systems.”

PsExec and wmic.exe should also be disabled to limit the ability of the ransomware to spread.

Since infection can occur via email, organizations should send alerts to company employees alerting them to the risk of attack from infected email attachments, specifically – but not exclusively – Microsoft Excel spreadsheets.

Security researcher Amit Serper at Cyberreason suggests it is possible to ‘vaccinate’ computers to prevent encryption, with his method confirmed by a number of firms such as Emisoft and PT security.

Serper says, “Create a file called perfc in the C:\Windows folder and make it read only.” Details of how to do this are available on Beeping Computer.

The post U.S. Healthcare Providers Affected by Global Ransomware Attack appeared first on HIPAA Journal.