Latest HIPAA News

CISA Publishes Guidance on Protecting Sensitive Data and Responding to Double-Extortion Ransomware Attacks

Ransomware attacks dramatically increased in 2020 and cyberattacks using the file-encrypting malware are showing no sign of abating. Attacks have continued to increase this year to the point where there were almost half the number of attempted ransomware attacks in Q2, 2021 as there were all of 2019.

Most threat actors conducting ransomware attacks are now using double extortion tactics, where ransoms must be paid to obtain the keys to decrypt files but also to prevent the publication of data stolen in the attacks. The theft of data prior to file encryption has not only helped ransomware gangs demand huge ransom payments, but the threat of leaking data has greatly increased to probability of the ransom being paid. Many victims end up paying the ransom to prevent data leakage, even though they have valid backups that will allow them to restore the encrypted data for free.

To help public and private sector organizations deal with the threat of these double-extortion ransomware attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance, which includes best practices for preventing cyber threat actors from gaining access to networks, steps that can be taken to ensure sensitive data are protected, and procedures that should be followed when responding to a ransomware attack.

“Ransomware is a serious and increasing threat to all government and private sector organizations, including critical infrastructure organizations,” explained CISA in the guidance. “All organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems.”

There are several measures outlined in the document that are important not only preventing ransomware attacks but also limiting their severity. It is essential to maintain offline, encrypted backups of data and to regularly test the backups to make sure file recovery is actually possible. It is also vital that a basic cyber incident response plan, resiliency plan, and associated communications plan are created and maintained, and exercises are conducted to ensure that a rapid response to an attack is possible. To block attacks, steps must be taken to address the key attack vectors, which are phishing, RDP compromises, and the exploitation of internet-facing vulnerabilities and misconfigurations. Naturally, all organizations should also ensure good cyber hygiene practices are followed.

In order to protect sensitive data, organizations must know where sensitive data reside and who has access to those data repositories. It is also important to ensure that sensitive data are only retained for as long as is strictly necessary. Physical and cybersecurity best practices must be implemented, including restricting access to physical IT assets, encrypting sensitive data at rest and in transit, and to implement firewall and network segmentation to hamper attempts at lateral movement within networks. CISA also recommends ensuring the cyber incident response and communications plans include response and notification procedures for data breach incidents.

A rapid and effective response to a ransomware attack is critical for limiting the harm caused and keeping costs down. The cyber incident response plan should detail all the steps that need to be taken, and the order that they should be taken. The first step is determining which systems have been impacted and immediately isolating them to secure network operations and stop additional data loss. The next step should only be taken if affected devices cannot be removed from the network or the network cannot be temporarily shut down, and that is to power down infected devicesto avoid further spread of the ransomware infection.

Then, triage impacted systems for restoration and recovery, confer with the security team to develop and document an initial understanding of what has occurred, then engage internal and external teams and stakeholders and provide instructions on how they can assist with the response and recovery processes. Organizations should then follow the notification requirements outlined in their cyber incident response plan.

The guidance document – Protecting Sensitive and Personal Information from Ransomware-Caused Data Breachescan be found on this link.

The post CISA Publishes Guidance on Protecting Sensitive Data and Responding to Double-Extortion Ransomware Attacks appeared first on HIPAA Journal.

1.4 Million Individuals Affected by St. Joseph’s/Candler Ransomware Attack

Around 4 a.m. on Thursday June 17, 2021, St. Joseph’s/Candler (SJ/C) hospital system in Savannah, GA suffered a ransomware attack. Upon detection of suspicious network activity, SJ/C immediately took steps to isolate and secure its systems. The attack prevented access to computer systems and emergency protocols were implemented, with staff reverting to pen and paper to record patient data.

SJ/C notified law enforcement about the security breach and launched an investigation. Assisted by third party cybersecurity firms, SJ/C determined the hackers first gained access to its systems on December 18, 2020 and continued to have access to those systems until June 17, 2021, when the ransomware was deployed.

“Patient care operations continue at our facilities using established back-up processes and other downtime procedures,” explained SJ/C in a statement shortly after the attack was detected. “Our physicians, nurses and staff are trained to provide care in these types of situations and are committed to doing everything they can to mitigate disruption and provide uninterrupted care to our patients.”

As the investigation into the breach continued it became clear that the parts of the network accessible to the hackers contained files that included patients’ protected health information. A comprehensive review of those files was conducted and determined the files contained patient information such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers, patient account numbers, billing account numbers, financial information, health insurance plan member IDs, medical record numbers, dates of service, provider names, and medical and clinical treatment information regarding care received from SJ/C.

SJ/C has now confirmed the protected heath information of 1,400,000 patients was potentially compromised in the ransomware attack. Notification letters started to be sent to affected individuals on August 10, 2021 and complimentary credit monitoring and identity theft protection services are being offered. SJ.C said additional safeguards and technical security measures are being implemented to further protect and monitor its systems.

The post 1.4 Million Individuals Affected by St. Joseph’s/Candler Ransomware Attack appeared first on HIPAA Journal.

Study Reveals Extent of Cybersecurity Vulnerabilities at Major Pharmaceutical Firms

Reposify, a provider of an external attack surface management platform, has published the findings of a study of security vulnerabilities at pharmaceutical firms which shows the vast majority of pharma firms have unresolved vulnerabilities that are putting sensitive data and internal systems at risk of compromise.

The study was conducted to assess the prevalence of exposures of services, sensitive platforms, unpatched CVEs and other security issues. Data analyzed for the Pharmaceutical Industry: 2021: The State of the External Attack Surface Report were collected over a two-week period in March 2021 and covered 18 of the leading pharmaceutical companies worldwide and more than 900 of their subsidiaries.

Pharmaceutical companies hold vast amounts of sensitive personal data and extremely valuable drug and vaccine research data. That has made them an attractive target for cybercriminals. During the COVID-19 pandemic, nation state hackers targeted pharma and biotech firms to gain access to sensitive COVID-19 research and vaccine development data.

According to the 2020 Cost of a Data Breach Report from IBM Security/Ponemon Institute, pharma and biotech firms had a high rate of security incidents in 2020, with 53% of them resulting from malicious activity. The average cost of a pharma data breach in 2020 was $5.06 million and the average time to identify and contain a breach was 257 days.

“With the pandemic causing a rush to scale and digitize, pharmaceutical companies’ digital footprints have further expanded creating many new blind spots where attackers could and did easily break in to access confidential, highly sensitive data,” explained Reposify.

In 2020 there were hundreds of mergers and acquisitions, with larger pharmaceutical firms buying up smaller companies in the sector. These smaller firms were typically focused on fast innovation and agility, which often meant insufficient resources were put into cybersecurity. M&A transactions therefore had significant potential to introduce major security risks.

Reposify researchers analyzed 2020 M&A transactions and found in 70% of cases, the newly acquired subsidiary had a negative impact on the security posture of the parent company. The vulnerabilities introduced were often considerable, “adding tens, or in some cases, hundreds of sensitive exposed and unpatched services.”

The researchers analyzed the prevalence of key risks which are visible externally and could potentially be exploited by cyber threat actors, including misconfigured databases and cloud services and unpatched software vulnerabilities. The median number of high severity security issues per company was 269, with a median of 125 critical severity issues per company.

Key findings from the report include:

  • 92% of pharmaceutical companies had at least one exposed database which was potentially leaking data.
  • 76% had an exposed RDP service.
  • 69% of exposed services discovered were classified as being a part of the unofficial network perimeter.
  • 50% of pharma firms had an exposed FTP with anonymous authentication.
  • 46% of pharma firms had an exposed SMB service.

“Pharmaceutical companies must harden their security and make it more difficult for attackers to gain a foothold in their systems”, said Reposify. “This effort must begin with gaining a clear view of their external attack surface and continuous monitoring and elimination of risky attack vectors.” The report also highlighted the importance of performing pre-acquisition cybersecurity due diligence, including mapping and analysis of the acquisition target’s external attack surface.

The post Study Reveals Extent of Cybersecurity Vulnerabilities at Major Pharmaceutical Firms appeared first on HIPAA Journal.

NIST Updates Guidance on Developing Cyber Resilient Systems

The National Institute of Standards and Technology (NIST) has released a major update to its guidance on developing cyber-resilient systems.

A draft version of the updated guidance – NIST Special Publication 800-160, Volume 2, Revision 1: Developing Cyber-Resilient Systems: A Systems Security Engineering Approach – has been released which includes updates to reflect the changing tactics, techniques, and procedures (TTPs) of cyber threat actors, who are now conducting more destructive attacks, including the use of ransomware.

Organizations used to be able to focus their resources on perimeter defenses and penetration resistance; however, these measures are no longer as effective as they once were at preventing attacks. A modern approach is now required which requires more resilience to be built into IT systems, which requires measures to be taken to limit the ability of an attacker to damage infrastructure and move laterally within networks.

“The document provides suggestions on how to limit the damage that adversaries can inflict by impeding their lateral movement, increasing their work factor, and reducing their time on target,” explained NIST.

Hackers can gain access to internal networks even with sophisticated perimeter defenses in place, as recent cyberattacks on Colonial Pipeline, JBS Foods, and Kaseya have shown. The initial attack vector could be a phishing email, the exploitation of an unpatched software vulnerability, or even a supply chain attack. All these methods could be used to bypass traditional defenses and gain a foothold in the network. It is therefore critical for safeguards to be implemented to limit the harm that can be caused, which for many organizations will require improvements to their detection, response, and recovery capabilities.

The approach now advocated by NIST is more in line with zero trust, where it must be assumed that an attacker has already gained access to the network, applications, and systems. Organizations therefore need to build in resiliency into their IT systems to ensure that they will continue to function to a sufficient degree to continue to support mission critical business operations.

“What we want to achieve is a system that we call ‘cyber resilient’ or a system that is sufficiently resilient where it can continue to operate and support critical missions in business operations – even if it’s not in a perfect state or even in somewhat of a degraded state,” said NIST fellow Ron Ross.

The updates to the guidance cover three key areas:

  • Updated controls that support cyber resiliency, in line with the recommendations detailed in NIST Special Publication SP 800-53, Revision 5 – Security and Privacy Controls for Information Systems and Organizations.
  • The creation of a single threat taxonomy for organizations in line with MITRE’s Adversarial Tactics, Techniques, and Common Knowledge [ATT&CK] framework.
  • The addition of detailed mapping and analysis of cyber resiliency implementation which support NIST SP 800-53 controls and the MITRE ATT&CK framework techniques, mitigations, and candidate mitigations.

NIST’s cyber resiliency techniques were combined with the MITRE ATT&CK framework because of the high level of adoption of the MITRE ATT&CK framework, with the aim being to simplify the approach to building more resilient systems.

The guidance document was updated by NIST Fellow Ron Ross, NIST supervisory computer scientist Victoria Pillitteri, and Richard Graubart, Deborah Bodeau, and Rosalie McQuaid of MITRE.

NIST is seeking feedback on the draft version of the guidance document until September 20, 2021. The final version of the guidance is due to be published before year end.

The post NIST Updates Guidance on Developing Cyber Resilient Systems appeared first on HIPAA Journal.

Healthcare Industry has Highest Number of Reported Data Breaches in 2021

Data breaches declined by 24% globally in the first 6 months of 2021, although breaches in the United States increased by 1.5% in that period according to the 2021 Mid-Year Data Breach QuickView Report from Risk-Based Security.

Risk Based Security identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Across those breaches, 18.8 billion records were exposed, which represents a 32% decline from the first 6 months of 2020 when 27.8 billion records were exposed. 85% of the exposed records in the first half of 2021 occurred in just one breach at the Forex trading service FBS Markets.

The report confirms the healthcare industry continues to be targeted by cyber threat actors, with the industry having reported more data breaches than any other industry sector this year. Healthcare has been the most targeted industry or has been close to the top since at least 2017 and it does not appear that trend will be reversed any time soon. 238 healthcare data breaches were reported in the first 6 months of 2021, with finance & insurance the next most attacked sector with 194 reported incidents, followed by information with 180 data breaches.

The report shows there have been significant shifts in data breach trends in 2021. While data breaches have declined globally and have remained fairly constant in the United States, there has been a marked increase in ransomware attacks. Risk Based Security recorded 352 ransomware attacks in the first 6 months of 2021 and, if that pace continues, the number of attacks will be significantly higher than 2020.

Ransomware attacks are extremely costly in healthcare due to the long period of downtime, and without access to medical records patient safety is put at risk. This is of course known to ransomware gangs. The reliance on access to data and the high cost of downtime increases the probability of the ransom being paid.

In 2020, data breaches started to take longer to be reported and that trend has continued in 2021. This is in part due to the increase in ransomware attacks, which can take longer to investigate, but even taking that into account there were many cases when breach notifications took an unusually long time to be issued and that has started to attract attention from regulators.

“Ransomware attacks continue at an alarming pace, inflicting serious damage on the victim organizations that rely on their services,” said Inga Goddijn, Executive Vice President at Risk Based Security. “The slow pace of reporting brought on by lengthy incident investigations has not improved and attackers continue to find new opportunities to take advantage of changing circumstances.”

The majority of reported breaches (67.97%) were hacking incidents, with only 100 (5.66%) due to viruses, and just 45 email incidents (2.55%). There were 76 web breaches reported (4.30%); however, they resulted in the highest number of records being breached.

Data breaches that exposed access credentials such as email addresses and passwords have remained consistent with other years, with email addresses exposed in 40% of breaches and passwords in 33%. The majority of reported breaches in 2021 were the result of external threat actors (78.66%), with 13.75% caused by insiders. Out of the confirmed insider breaches, the majority were accidental (58.85%), with 18.52% caused by malicious insiders.

Risk Based Security also notes that breach severity is increasing. Large numbers of data breaches have been reported in 2021 that involved sensitive data, which is a particularly worrying trend.

The post Healthcare Industry has Highest Number of Reported Data Breaches in 2021 appeared first on HIPAA Journal.

Multiple Critical Vulnerabilities Identified in Pneumatics System Used in 2,300 U.S. Hospitals

Nine critical vulnerabilities have been identified in the Nexus Control Panel of Swisslog Healthcare Translogic Pneumatic Tube System (PTS) stations, which are used in more than 80% of major hospitals in the United States. Pneumatic tube systems are used to rapidly send test samples and medications around hospitals and the vulnerable PTS stations are present in 3,000 hospitals worldwide, including 2,300 in the United States.

The vulnerabilities, collectively named ‘PwnedPiper’, were discovered by researchers at Armis Security. In total, 9 critical flaws were identified in the Nexus Control Panel and the firmware of all current models of Translogic PTS stations are affected.

The vulnerabilities identified by the researchers are common in Internet of Things (IoT) devices but are far more serious in pneumatic tube systems, which are part of hospitals’ critical infrastructure. The Armis researchers pointed out that these systems are prevalent in hospitals, yet they have never been thoroughly analyzed or researched.

The flaws could be exploited by a threat actor to cause denial of service, harvest sensitive data such RFID credentials of employees, and to perform reconnaissance to identify the functions or location of the stations and gain an understanding of the physical layout of the PTS network. The vulnerabilities could also be exploited in a ransomware attack.

The flaws include the use of hard-coded passwords, memory corruption vulnerabilities, privilege escalation flaws, unencrypted connections, unauthenticated firmware updates, and remote code execution vulnerabilities. If exploited, an attacker could gain full control of all Nexus stations in a hospital.

“This research sheds light on systems that are hidden in plain sight but are nevertheless a crucial building block to modern-day healthcare,” said Nadir Izrael, Armis co-founder and CTO. “Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments.”

The researchers detailed a scenario in which the flaws could be exploited to deliver ransomware. First an attacker would need a foothold in the hospital network. This could be as simple as exploiting a vulnerability in a low-grade IoT device such as a hospital IP camera. Once network access is gained, the Translogic PTS could be targeted since it is connected to hospital networks. Any of 5 vulnerabilities could then be exploited to achieve remote code execution in an attack that could see all Nexus stations compromised, either using ransomware or simply shutting down stations.

“In this volatile state, the hospital’s operations can be severely derailed,” said the researchers. “Medications supplied to departments, timely delivery of lab samples, and even blood units supplied to operating rooms all depending on constant availability of the PTS.”

Armis presented the findings at Black Hat USA. Swisslog Healthcare has patched 8 of the 9 vulnerabilities in Nexus Control Panel version 7.2.5.7, with the one remaining vulnerability due to be fixed in an upcoming release. The remaining vulnerability, tracked as CVE-2021-37160, affects legacy systems and is due to the lack of firmware validation during a file upload for a firmware update.

There have been no known cases of the vulnerabilities being exploited. Swisslog Healthcare has suggested mitigations and workarounds in its security advisory for hospitals that are unable to upgrade to the latest version of the Nexus Control Panel.

The post Multiple Critical Vulnerabilities Identified in Pneumatics System Used in 2,300 U.S. Hospitals appeared first on HIPAA Journal.

The Average Cost of a Healthcare Data Breach is Now $9.42 Million

IBM Security has published its 2021 Cost of a Data Breach Report, which shows data breach costs have risen once again and are now at the highest level since IBM started publishing the reports 17 years ago. There was a 10% year-over-year increase in data breach costs, with the average cost rising to $4.24 million per incident. Healthcare data breaches are the costliest, with the average cost increasing by $2 million to $9.42 million per incident. Ransomware attacks cost an average of $4.62 million per incident.

Source: IBM Security

The large year-over-year increase in data breach costs has been attributed to the drastic operational shifts due to the pandemic. With employees forced to work remotely during the pandemic, organizations had to rapidly adapt their technology. The pandemic forced 60% of organizations to move further into the cloud. Such a rapid change resulted in vulnerabilities being introduced and security often lagged behind the rapid IT changes. Remote working also hindered organizations’ ability to quickly respond to security incidents and data breaches.

According to IBM, data breaches costs were more than $1 million higher when remote work was indicated as a factor in the data breach. When remote work was a factor, the average data breach cost was $4.96 million compared to $3.89 million when remote work was not a factor. Almost 20% of organizations that reported data breaches in 2020 cited remote work as a factor, with the cost of a data breach around 15% higher when remote work was a factor.

To compile the report, IBM conducted an in-depth analysis of data breaches involving fewer than 100,000 records at 500 organizations between May 2020 and March 2021, with the survey conducted by the Ponemon Institute.

The most common root cause of data breaches in the past year were compromised credentials, which accounted for 20% of data breaches. These breaches took longer to detect and contain, with an average of 250 days compared to an overall average of 212 days.

The most common types of data exposed in data breaches were customers’ personal data such as names, email addresses, passwords, and healthcare data. 44% of all data breaches included those types of data. A data breach involving email addresses, usernames, and passwords can easily have a spiral effect, as hackers can use the compromised data in further attacks. According to the Ponemon Institute survey, 82% of individuals reuse passwords across multiple accounts.

Breaches involving customers’ personally identifiable information (PII) were more expensive than breaches involving other types of data, with a cost per record of $180 when PII was involved compared to $161 per record for other types of data.

Data breach costs were lower at companies that had implemented encryption, security analytics, and artificial intelligence-based security solutions, with these three mitigating factors resulting in data breach cost savings of between $1.25 million and $1.49 million per data breach.

Adopting a zero-trust approach to security makes it easier for organizations to deal with data breaches. Organizations with a mature zero trust strategy had an average data breach cost of $3.28 million, which was $1.76 million lower than those who had not deployed this approach at all.

“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” said Chris McCurdy, Vice President and General Manager, IBM Security. “While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation and the adoption of a zero-trust approach – which may pay off in reducing the cost of these incidents further down the line.”

Security automation greatly reduces data breach costs. Organizations with a “fully deployed” security automation strategy had average breach costs of $2.90 million per incident, compared to $6.71 million at organizations that had no security automation.

Companies with an incident response team that had tested their incident response plan had 54.9% lower breach costs than those that had neither. The average data breach cost was $3.25 million compared to $5.71 million when neither were in place.

The cost of a data breach was $750,000 (16.6%) higher for companies that had not undergone any digital transformation due to COVID-19. Cloud-based data breach costs were lower for organizations that had adopted a hybrid cloud approach, with an average cost of $3.61 million at organizations with hybrid cloud infrastructure compared to $4.80 million for organizations with a primarily public cloud and $4.55 million for those that had adopted a private cloud approach. Data breach costs were 18.8% higher when a breach was experienced during a cloud migration project.

Organizations that were further into their cloud migration plan were able to detect and respond to data breaches far more quickly – on average 77 days more quickly for organizations that were at a mature state of their cloud modernization plan than those in the early stages.

Mega data breaches – those involving between 50 million and 65 million records – cost an average of $401 million per incident, which is more than 100 times the cost of breaches involving between 1,000 and 100,0000 records.

The post The Average Cost of a Healthcare Data Breach is Now $9.42 Million appeared first on HIPAA Journal.

Report: The State of Privacy and Security in Healthcare

2020 was a particularly bad year for the healthcare industry with record numbers of data breaches reported. Ransomware was a major threat, with Emsisoft identifying 560 ransomware attacks on healthcare providers in 2020. Those attacks cost the healthcare industry dearly. $20.8 billion was lost in downtime in 2020, according to Comparitech, which is more than twice the ransomware downtime cost to the healthcare industry in 2019.

With the healthcare industry facing such high numbers of cyberattacks, the risk of a security breach is considerable, yet many healthcare organizations are still not fully conforming with the NIST Cybersecurity Framework (NIST CSF) and the HIPAA Security Rule, according to the 2021 Annual State of Healthcare Privacy and Security Report published today by healthcare cybersecurity consulting firm CynergisTek.

To compile the reportThe State of Healthcare Privacy and Security – Maturity Paradox: New World, New Threats, New Focus – CynergisTek used annual risk assessments at 100 healthcare organizations and measured progress alongside overall NIST CSF conformance. 75% of healthcare organizations improved overall NIST conformance in 2020; however, 64% of healthcare organizations fell short of the 80% NIST conformance level considered to be the passing grade. Most of the improvements made in 2020 were only small.

As the graph below shows, 53 healthcare organizations improved NIST conformance year over year, 32 of those were considerably below the 80th percentile and 17 healthcare organizations saw NIST conformance decline year-over- year.

Year-over-Year Improvements in NIST CSF Conformance. Source: CynergisTek State of Healthcare Privacy and Security Report.

In order to improve resilience to ransomware and other cyberattacks, it is essential for healthcare organizations to improve their security posture. It will not be possible to stay one step ahead of threat actors if organizations do not take steps to improve NIST CSF and HIPAA Security Rule conformance.

While good conformance scores are a good indication of security posture, they do not necessarily reflect the extent to which healthcare organizations have reduced risk. For this year’s report, CynergisTek placed less emphasis on conformance scores and assessed the measures healthcare organizations had taken to identify which core functions of the NIST CSF appeared to be really driving long term security improvements, with the goal of identifying the best opportunities for both short- and long-term success.

The Identity function provides the foundation on which the rest of the core functions are based, but 73% of healthcare organizations were rated low performers in this function. Asset management and supply chain risk management were two of the key areas that need to be addressed. The healthcare supply chain is a universal issue and the weak link in healthcare. Many healthcare organizations struggle to validate whether or not third-party vendors meet specific security requirements. 76% of healthcare organizations failed to secure their supply chains.

The Protect function requires safeguards to be implemented to protect critical infrastructure and data. One of the main areas where organizations were falling short is protection of data using encryption. “An organization’s default for storing protected data of any kind and transmitting it should include encryption – it clearly does not”, explained CynergisTek. High performers achieved 90% conformance for protection of data at rest, whereas the rest of the sector was in the low 30th percentile.

In the Detect function, there was a major difference between high and low performers, but overall there were good levels of implementation; however, to be considered a high performer it is necessary to get the detect function substantially implemented and to ensure there is significant automation of security monitoring.

The Respond function concerns an organization’s ability to quickly implement appropriate activities when a cybersecurity event is detected, and this is an area where significant improvements need to be made. Only the highest performers are actively investigating notifications from detection systems, and only high performers were consistently and substantially mitigating incidents.

The recover function identifies activities required to return to normal operations after a cybersecurity incident. While there were gaps among the high performers, conformance was generally very good, but significant improvements need to be made by low performers. Around two-thirds (66%) of healthcare organizations are underperforming in recovery planning.

CynergisTek identified several aspects of security that healthcare organizations need to focus on over the coming 12 months:

  • Improve automation of security functions
  • Validate technical controls for people and processes
  • Perform exercises and drills at the enterprise level to test all components of the business
  • Secure the supply chain
  • Look beyond the requirements of the HIPAA Rules and further enhance privacy and security measures

The researchers found notable improvements had been made in organizations’ HIPAA privacy programs in 2020, with some healthcare organizations making exceptional progress. However, there is still room for improvement. CynergisTek identified several privacy areas that should be focused on in 2021.

These measures include implementing user access monitoring tools and engaging in proactive rather than reactive monitoring, addressing defective HIPAA authorizations, preventing violations of the Minimum Necessary Rule by defining criteria to limit PHI disclosure, updating insufficient privacy policies and procedures and ensuring the new policies are implemented, and addressing inappropriate Hybrid Entity designations.

The post Report: The State of Privacy and Security in Healthcare appeared first on HIPAA Journal.

The Average Ransomware Payment Fell by 38% in Q2, 2021

The average ransom payment made by victims of ransomware attacks fell by 38% between Q1 and Q2, 2021, according to the latest report from ransomware incident response company Coveware. In Q2, the average ransom payment was $136,576 and the median payment decreased by 40% to $47,008.

Average Ransom Payments by Quarter. Source: Coveware

One of the key factors driving down ransom payments is a lower prevalence of attacks by two key ransomware operations, Ryuk and Clop, both of which are known for their large ransom demands. Rather than the majority of attacks being conducted by a few groups, there is now a growing number of disparate ransomware-as-a-service brands that typically demand lower ransom payments. In Q2, Sodinokibi (REvil) was the most active RaaS operation conducting 16.5% of attacks, followed by Conti V2 (14.4%), Avaddon (5.4%), Mespinoza (4.9%), and Hello Kitty (4.5%). Ryuk only accounted for 3.7% of attacks and Clop 3.3%.

The Sodinokibi gang has now gone silent following the attack on Kaseya and appears to have been shut down; however, the group has shut down operations in the past only to restart with a new ransomware variant. Even if the operators have retired, the affiliates used to conduct the attacks are likely to just switch to an alternative RaaS operation so attack volume may not be affected.

The most common vectors used in attacks has been fluctuating over the past few months. In Q1, 2021 there was an increase in brute force attacks on Remote Desktop Protocol (RDP) and the exploitation of software vulnerabilities, with phishing attacks falling. In Q2, RDP compromises and software vulnerability exploits both declined and email phishing increased, with phishing and RDP compromises now equally common. The exploitation of software vulnerabilities is the attack vector of choice for targeted attacks on large enterprises, and those attacks tend to be conducted only by the most sophisticated RaaS operations with large operating budgets that allow them to purchase single day exploits or buy access to large networks.

In Q2, more than 75% of ransomware attacks were on businesses with fewer than 1,000 employees. This is because these smaller companies are less likely to invest in security awareness training for the workforce and email security to block phishing attacks. They are also more likely to expose RDP to the Internet. Smaller businesses are also more likely to outsource security to MSPs. MSPs remain a major target, as an attack on an MSP will allow the attacker to then attack all MSP’s clients.

The report indicates a fall in the effectiveness of double extortion tactics. This is where prior to file encryption, sensitive data are exfiltrated. A demand is issued for the key to decrypt data and a second payment is required to prevent the exposure or sale of stolen data. In Q2, 81% of attacks involved data exfiltration prior to file encryption, up from 76% in Q1.

However, payment to ensure data deletion is now much less likely. In 2020, 65% of victims that were able to recover data from backups paid the attackers to prevent the exposure of stolen data, but in Q2, 2021 the percentage was just 50%.

The most attacked industry sectors in Q2 were the public sector (16.2%), professional services (13.3%), and healthcare (10.8%). Coveware suggests that these industries may not be specifically targeted, instead they are simply the easiest to attack. For instance, the number of attacks on law firms increased but that was largely down to the attack by the Clop ransomware group on Accellion File Transfer Appliances, which were disproportionately used by law firms.

Coveware reports that the average downtime from a ransomware attack declined by 15% in Q2, with victims typically having 23 days of downtime following at attack; however, this was attributed to an increase in data only attacks where there was no material business interruption.

The post The Average Ransomware Payment Fell by 38% in Q2, 2021 appeared first on HIPAA Journal.