Latest HIPAA News

Cyber Incident Notification Act of 2021 Introduced in the Senate

In June, a bipartisan group of senators circulated a draft federal breach notification bill – the Cyber Incident Notification Act of 2021 – that would require all federal agencies, contractors, and organizations considered critical to U.S. national security to report data breaches and security incidents to the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery. On Wednesday this week, an amended bill was formally introduced in the Senate.

The bill was introduced by Senators Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME). Another 12 senators from both parties have since added their names to it.

The bill seeks to address some of the key issues that have come to light in the wake of recent cyberattacks that impacted U.S. critical infrastructure, including the SolarWinds Orion supply chain attack and the ransomware attacks on JBS and Colonial Pipeline.

“The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target,” said Sen. Warner. “We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”

The purpose of the new bill is to ensure timely federal government awareness of cyber intrusions that pose a threat to national security, with the bill enabling the development of a common operating picture of national-level cyber threats.

Security incidents that must be reported to CISA are those that:

  • Involve or are believed to involve a nation state.
  • Involve or are believed to involve an Advanced Persistent Threat (APT) actor.
  • Involve or are believed to involve a transnational organized crime group.
  • Could harm U.S. national security interests, foreign relations, or the U.S. economy.
  • Are likely to be of significant national consequence.
  • Have the potential to affect CISA systems.
  • Involve ransomware.

Reportable ransomware attacks are those that are assessed to involve a nation state actor, advanced persistent threat (APT) actor, transnational organized crime group, or an attack that has the potential to result in demonstrable harm to national security, foreign relations, the economy of the United States, the public confidence, civil liberties, or public health and safety of U.S. residents.

When reporting a security incident or cyber threat, organizations are required to include a description of the incident, detail the systems and networks affected, estimate when the incident is likely to have occurred, and provide information about any vulnerabilities that were exploited and any tactics, techniques, and procedures (TTPs) known to have been used. Actionable cyber threat information will be made available to government and private sector entities and the public so that prompt action can be taken to counter threats. The bill gives CISA 48 hours to respond to a report of an intrusion and request further information about the security incident.

To encourage organizations to report data breaches, the bill includes liability protections for breached entities to protect against potential lawsuits that could arise from disclosing security breaches and allows anonymized personal data to be submitted when reporting breaches.

The bill requires the Department of Homeland Security to work with other federal agencies to draw up a set of reporting criteria and to harmonize those criteria with the regulatory requirements in effect on the date of enactment.

Failure to report a security incident to CISA can attract a financial penalty, to be determined by the Administrator of the General Services Administration. The maximum penalty will be 0.5% of gross revenue for the previous fiscal year. Other possible sanctions include removal from federal contracting schedules.

“It is critical that American organizations act immediately once an attack occurs. The longer an attack goes unreported, the more damage can be done. Ensuring prompt notification will help protect the health and safety of countless Americans and will help our government track down those responsible,” said Sen. Rubio.

The post Cyber Incident Notification Act of 2021 Introduced in the Senate appeared first on HIPAA Journal.

June 2021 Healthcare Data Breach Report

For the third consecutive month, the number of reported healthcare data breaches of 500 or more records increased. June saw an 11% increase in reported breaches from the previous month with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – the highest monthly total since September 2020 and well above the average of 56 breaches per month over the past year.

[Chart: United States healthcare data breaches in the past 12 months]

While the number of reported breaches increased, there was a substantial fall in the number of breached healthcare records, which decreased 80.24% from the previous month to 1,290,991 breached records. That equates to more than 43,000 breached records a day in June.

[Chart: Records exposed in U.S. healthcare data breaches in the past 12 months]

More than 40 million healthcare records have been exposed or impermissibly disclosed over the past 12 months across 674 reported breaches. Between July 2020 and June 2021, an average of 3,343,448 healthcare records were breached each month.

Largest Healthcare Data Breaches in June 2021

There were 19 healthcare data breaches of 10,000 or more records reported in June. Ransomware continues to pose problems for healthcare organizations, with 6 of the top 10 breaches confirmed as ransomware attacks. Several healthcare organizations reported ransomware attacks in June that occurred at third-party vendors, with the number of healthcare providers confirmed as being affected by the ransomware attacks on vendors Elekta, Netgain Technologies, and CaptureRx continuing to grow.

The largest healthcare data breach to be reported in June was a phishing attack on the medical payment billing service provider MultiPlan. A threat actor gained access to an email account containing the protected health information of 214,956 individuals.

Northwestern Memorial HealthCare and Renown Health were affected by the ransomware attack on the Swedish radiation therapy and radiosurgery solution provider Elekta Inc. That attack is known to have affected a total of 42 healthcare providers in the United States.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Breach Cause | Business Associate Involvement
MultiPlan | Business Associate | 214,956 | Phishing attack | Yes
Northwestern Memorial HealthCare | Healthcare Provider | 201,197 | Elekta ransomware attack | Yes
Scripps Health | Healthcare Provider | 147,267 | Ransomware attack | No
San Juan Regional Medical Center | Healthcare Provider | 68,792 | Unspecified hacking and data exfiltration incident | No
Renown Health | Healthcare Provider | 65,181 | Elekta ransomware attack | Yes
Minnesota Community Care | Healthcare Provider | 64,855 | Netgain ransomware attack | Yes
Francisco J. Pabalan MD, INC | Healthcare Provider | 50,000 | Hacking/IT Incident (Unknown) | No
Prominence Health Plan | Health Plan | 45,000 | Ransomware attack | No
NYC Health + Hospitals | Healthcare Provider | 43,727 | CaptureRx ransomware attack | Yes
UofL Health, Inc. | Healthcare Provider | 42,465 | Misdirected email | No
Peoples Community Health Clinic | Healthcare Provider | 40,084 | Phishing attack | No
Reproductive Biology Associates, LLC and its affiliate My Egg Bank, LLC | Healthcare Provider | 38,000 | Ransomware attack | No
Hawaii Independent Physicians Association | Business Associate | 18,770 | Phishing attack | Yes
UW Medicine | Healthcare Provider | 18,389 | Hacking/IT Incident (Unknown) | Yes
Cancer Care Center | Healthcare Provider | 18,000 | Hacking/IT Incident (Unknown) | Yes
Temple University Hospital, Inc. | Healthcare Provider | 16,356 | Hacking/IT Incident (Unknown) | Yes
Walmart Inc. | Healthcare Provider | 14,532 | Loss of paper/films | No
Discovery Practice Management, Inc. | Business Associate | 13,611 | Phishing attack | Yes
Jawonio | Healthcare Provider | 13,313 | Phishing attack | No

Causes of June 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in June 2021, with ransomware attacks accounting for a large percentage of those breaches. There were 58 reported hacking/IT incidents, in which the protected health information of 1,190,867 individuals was exposed or compromised – 92.24% of all breached records in June. The mean breach size was 20,532 records and the median breach size was 2,938 records.

[Chart: Causes of June 2021 healthcare data breaches]

There were 9 unauthorized access/disclosure incidents reported that involved the impermissible disclosure of the PHI of 81,764 individuals. The mean breach size was 9,085 records and the median breach size was 5,509 records.

There was one incident involving the loss of paperwork containing the PHI of 14,532 individuals, one theft of a portable electronic device affecting 1,166 patients, and one incident involving the improper disposal of 2,662 physical records.

Forty-two hacking incidents involved PHI stored on network servers, most of them data access and exfiltration incidents involving ransomware. There were 19 email security breaches involving PHI stored in email accounts, most of them phishing incidents.

[Chart: Location of breached PHI in June 2021 data breaches]

Covered Entities Reporting Data Breaches in June

The breach reports show healthcare providers were the worst affected covered entity type, with 53 data breaches. Nine breaches were reported by health plans and 8 by business associates of HIPAA-covered entities. HIPAA-covered entities often report breaches that occurred at third-party vendors, which can mask the extent to which business associates are being targeted by hackers. Adjusting for this, 36 of the reported data breaches involved business associates, as shown in the pie chart below.

[Chart: June 2021 healthcare data breaches by covered entity type]
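The business-associate adjustment described above is easy to get wrong when done by hand, because the entity that files a report is often not the entity that was breached. The following Python script is an added example, not code published by HIPAA Journal or the HHS: it re-keys the 19 largest June breaches from the table above into CSV using that table's own column headings, buckets the free-text breach causes with keyword rules (the bucket names are this example's own choice), and reports both the as-filed entity type counts and the adjusted count of breaches that involved a business associate at all.

```python
"""Summarize a month of HIPAA breach-report rows the way the report above does."""
import csv
import io
import statistics
from collections import Counter

# Constructed sample: the 19 largest June 2021 breaches from the table above,
# re-keyed as CSV with that table's own column headings.
SAMPLE_CSV = """\
Name of Covered Entity,Covered Entity Type,Individuals Affected,Breach Cause,Business Associate Involvement
MultiPlan,Business Associate,214956,Phishing attack,Yes
Northwestern Memorial HealthCare,Healthcare Provider,201197,Elekta ransomware attack,Yes
Scripps Health,Healthcare Provider,147267,Ransomware attack,No
San Juan Regional Medical Center,Healthcare Provider,68792,Unspecified hacking and data exfiltration incident,No
Renown Health,Healthcare Provider,65181,Elekta ransomware attack,Yes
Minnesota Community Care,Healthcare Provider,64855,Netgain ransomware attack,Yes
"Francisco J. Pabalan MD, INC",Healthcare Provider,50000,Hacking/IT Incident (Unknown),No
Prominence Health Plan,Health Plan,45000,Ransomware attack,No
NYC Health + Hospitals,Healthcare Provider,43727,CaptureRx ransomware attack,Yes
"UofL Health, Inc.",Healthcare Provider,42465,Misdirected email,No
Peoples Community Health Clinic,Healthcare Provider,40084,Phishing attack,No
"Reproductive Biology Associates, LLC and its affiliate My Egg Bank, LLC",Healthcare Provider,38000,Ransomware attack,No
Hawaii Independent Physicians Association,Business Associate,18770,Phishing attack,Yes
UW Medicine,Healthcare Provider,18389,Hacking/IT Incident (Unknown),Yes
Cancer Care Center,Healthcare Provider,18000,Hacking/IT Incident (Unknown),Yes
"Temple University Hospital, Inc.",Healthcare Provider,16356,Hacking/IT Incident (Unknown),Yes
Walmart Inc.,Healthcare Provider,14532,Loss of paper/films,No
"Discovery Practice Management, Inc.",Business Associate,13611,Phishing attack,Yes
Jawonio,Healthcare Provider,13313,Phishing attack,No
"""

# Keyword rules (this example's own buckets) for the free-text cause column.
# Order matters: "Elekta ransomware attack" is a hacking incident *and* a
# ransomware case, and the report counts it as ransomware.
CAUSE_RULES = [
    ("ransomware", "Ransomware"),
    ("phishing", "Phishing"),
    ("hacking", "Other hacking/IT incident"),
    ("email", "Unauthorized access/disclosure"),
    ("paper", "Loss/theft of physical records"),
]

def classify_cause(text):
    lowered = text.lower()
    for keyword, bucket in CAUSE_RULES:
        if keyword in lowered:
            return bucket
    return "Other"

def load_rows(csv_text=SAMPLE_CSV):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["Individuals Affected"] = int(row["Individuals Affected"])
    return rows

def summarize(rows):
    sizes = [r["Individuals Affected"] for r in rows]
    return {
        "breaches": len(rows),
        "records": sum(sizes),
        "mean": sum(sizes) // len(sizes),
        "median": int(statistics.median(sizes)),
        "by_cause": Counter(classify_cause(r["Breach Cause"]) for r in rows),
        # As filed: which kind of entity submitted the report.
        "by_entity_type": Counter(r["Covered Entity Type"] for r in rows),
        # Adjusted: how many breaches involved a business associate at all,
        # regardless of who filed the report.
        "ba_involved": sum(1 for r in rows if r["Business Associate Involvement"] == "Yes"),
    }

def ransomware_in_top(rows, n=10):
    """Count ransomware cases among the n largest breaches by record count."""
    top = sorted(rows, key=lambda r: r["Individuals Affected"], reverse=True)[:n]
    return sum(1 for r in top if classify_cause(r["Breach Cause"]) == "Ransomware")

if __name__ == "__main__":
    rows = load_rows()
    s = summarize(rows)
    print(f"{s['breaches']} breaches, {s['records']:,} records, "
          f"mean {s['mean']:,}, median {s['median']:,}")
    print("by cause:", dict(s["by_cause"]))
    print("filed by a business associate:", s["by_entity_type"]["Business Associate"],
          "| involved a business associate:", s["ba_involved"])
    print("ransomware attacks among the 10 largest:", ransomware_in_top(rows))
```

Run as a script it prints the summary for the 19 rows; on that sample it reproduces the article's figure of 6 ransomware attacks among the 10 largest breaches, and shows the gap the report describes: 3 breaches were filed by business associates, but 10 involved one.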

June 2021 Healthcare Data Breaches by State

There were large healthcare data breaches reported by HIPAA covered entities and business associates based in 32 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

State | No. of Data Breaches
California | 8
New York | 6
Illinois, Pennsylvania, Washington | 4
Georgia, New Jersey, Ohio, Oregon, Texas | 3
Arkansas, Kentucky, Michigan, Mississippi, Nevada, Tennessee, Wisconsin | 2
Alaska, Arizona, Colorado, Connecticut, Florida, Hawaii, Iowa, Maryland, Massachusetts, Minnesota, Montana, New Mexico, Oklahoma, Rhode Island, South Carolina | 1

HIPAA Enforcement Activity in June 2021

The HHS’ Office for Civil Rights announced one HIPAA enforcement action in June under its HIPAA Right of Access enforcement initiative. The Diabetes, Endocrinology & Lipidology Center, Inc. in Martinsburg, West Virginia was ordered to pay a financial penalty of $5,000 to resolve its HIPAA Right of Access case and agreed to adopt a robust corrective action plan to ensure that patients will be provided with timely access to their medical records. There were no confirmed HIPAA enforcement actions by state Attorneys General in June.


U.S. Government Launches New One-Stop Ransomware Website

The Department of Justice and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have announced the launch of a new web resource that will serve as a one-stop-shop providing information to help public and private sector organizations deal with the growing ransomware threat.

The new resource – StopRansomware.gov – is an interagency resource that provides guidance on ransomware protection, detection, and response in a single location.

The new resource provides general information about ransomware, including what ransomware is and how it is used by cybercriminals to extort money from public and private sector organizations. Detailed information is provided on how organizations can improve their security posture and defend against attacks, including ransomware best practices, bad practices to avoid, cyber hygiene tips, FAQs, and training material.

The website includes a newsroom with the latest ransomware-related advice, along with alerts from CISA, the FBI, Department of Treasury, and other federal agencies about the ever-evolving tactics, techniques, and procedures used by cybercriminals in their attacks.

Victims of ransomware attacks can report attacks through the website to either the FBI, CISA, or the U.S. Secret Service, with the report of the attack automatically sent to all appropriate agencies to ensure that the incident is investigated, threat information is shared, and steps are taken to identify the perpetrators and bring them to justice.

Organizations are being encouraged to take advantage of the new resource to understand the threat of ransomware, mitigate risk and, in the event of an attack, know what steps to take to limit the harm caused and ensure the fastest possible recovery.

“Cyber criminals have targeted critical infrastructure, small businesses, hospitals, police departments, schools and more. These attacks directly impact Americans’ daily lives and the security of our nation,” said Secretary of Homeland Security Alejandro Mayorkas. “I urge every organization across our country to use this new resource to learn how to protect themselves from ransomware and reduce their cybersecurity risk.”


CISA Publishes Guidance for MSPs and SMBs on Hardening Security Defenses

Managed Service Providers (MSPs) are attractive targets for cybercriminals. They typically have privileged access to their clients’ networks, so a cyberattack on a single MSP can see the attacker gain access to the systems of many, if not all, of their clients.

The recent Kaseya supply chain attack showed just how serious such an attack can be. An REvil ransomware affiliate gained access to Kaseya systems, through which it was possible to access the systems and encrypt data of around 60 of its customers, many of which are MSPs. Through those MSP customers, ransomware was deployed on up to 1,500 downstream businesses.

Small- and mid-sized businesses often do not have staff to manage their own IT systems or may lack the skills or hardware to store sensitive data and support sensitive processes. Many turn to MSPs to provide that expertise. It is often more cost effective for SMBs to scale and support their network environments using MSPs rather than manage their resources themselves.

Outsourcing IT or security functions to an MSP introduces risks, which need to be mitigated by SMBs. MSPs also need to implement safeguards to prevent their networks from being accessed and to limit the harm caused to their customers should their perimeter defenses be breached.

On July 14, 2021, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) published guidance to help MSPs and SMBs strengthen their defenses, improve resilience to cyberattacks, and limit the harm caused should such an attack succeed.

The CISA Insights report provides mitigations and hardening guidance for MSPs and SMBs, outlining important steps that should be taken to protect MSP network assets and those of their customers to reduce the risk of successful cyberattacks.

The guidance document – CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businesses – is available for download as a PDF.


REvil Ransomware Websites Disappear Fueling Speculation of Law Enforcement Takedown

The notorious REvil ransomware gang’s Internet and dark web sites have suddenly gone offline, days after President Biden called Vladimir Putin demanding action be taken against ransomware gangs and other cybercriminals conducting attacks from within Russia on U.S. companies.

At around 1 a.m. on Tuesday, the websites used by the gang to leak data of ransomware victims, its ransom negotiation chat server, and its command and control infrastructure went offline and have remained offline since. For one of the gang’s sites, the domain name no longer resolves to an IP address via DNS.

REvil has grown into one of the most prolific ransomware-as-a-service operations. The gang was behind many ransomware attacks in the United States and worldwide, including the recent attack on JBS Foods and the supply chain attack on Kaseya, which saw ransomware used in attacks on around 60 managed service providers and up to 1,500 of their clients on July 2. A ransom demand of $70 million was issued to supply the keys to decrypt all victims’ devices, with the demand falling to $50 million shortly after.

While it is not unusual for ransomware operations to go quiet, or for infrastructure to be temporarily taken offline, the timing of the shutdown suggests either the U.S. or Russian government has taken action. The FBI has not commented on the shutdown of the REvil servers, and the press secretary of the president of the Russian Federation, Dmitry Peskov, told TASS reporters that he had no knowledge of the reason why the servers had gone dark. It is possible that the loss of infrastructure is due to hardware failure or simply the gang deciding to lay low, especially after such a major attack.

Ransomware gangs have faced a great deal of scrutiny following the attack on Colonial Pipeline by the DarkSide ransomware gang. Shortly after the attack, the White House announced that efforts to target ransomware gangs and their infrastructure would be stepped up. Following the attack, the DarkSide RaaS operation shut down, due to a silent takedown of their infrastructure by law enforcement.

At the Geneva summit, President Biden spoke with Vladimir Putin about cyberattacks conducted on U.S. companies by cybercriminal groups operating within Russia and urged him to take steps to disrupt the gangs, even though the attackers were not sponsored by the state.

A few days ago, President Biden called Putin demanding action be taken against ransomware gangs operating out of Russia. Biden told reporters after the call that the United States would be taking steps to get the servers of ransomware gangs taken down if Russia did not.

Some news outlets, such as the BBC, have reported the shutdown was due to action taken by the United States to disrupt the group’s infrastructure. A BBC reporter spoke to one individual, allegedly an REvil affiliate, who said the group had shut down its infrastructure following a partial takedown by federal law enforcement and increasing pressure from the Kremlin.

Vitali Kremez of Advanced Intel said “Upon uncorroborated information, REvil server infrastructure received a [Russian] government legal request forcing REvil to completely erase server infrastructure and disappear. However, it is not confirmed.”

It is too early to tell what has happened and whether the shutdown will be temporary or permanent. As is often the case following the shutdown of a Ransomware-as-a-Service operation, the gang may simply return under a different name, as REvil has done in the past.

This story will be updated as further information becomes available.


Kaseya Security Update Addresses Flaws Exploited in VSA Ransomware Attack

Kaseya has announced that a security update has been released for its VSA remote monitoring and management software to fix the zero-day vulnerabilities recently exploited by the REvil ransomware gang in attacks on its customers and their clients.

The vulnerabilities exploited in the attack were part of a batch of seven flaws that were reported to Kaseya in April 2021 by the Dutch Institute for Vulnerability Disclosure (DIVD). Kaseya had developed patches to correct four of the seven vulnerabilities in its Virtual System Administrator solution and released these as part of its April and May security updates; however, before patches could be released for the remaining three vulnerabilities, one or more of them were exploited by an REvil ransomware affiliate.

The attack affected approximately 60 customers who had deployed the Kaseya VSA on-premises, many of which were managed service providers (MSPs). The REvil ransomware gang gained access to their servers, encrypted them, and pushed their ransomware out to approximately 1,500 business clients of those companies.

Following the July 2, 2021 attack, Kaseya advised its customers to shut down their on-premises VSA servers until the exploited vulnerabilities were addressed. Its SaaS servers were also shut down, as the SaaS solution had the same vulnerabilities, although the cloud-based service was not affected by the attack. Those servers are now being restarted incrementally, and the final three patches have been released in the VSA 9.5.7a (9.5.7.2994) update.

The three vulnerabilities addressed in the latest security update are a credential leak and business logic flaw tracked as CVE-2021-30116, a cross-site scripting vulnerability – CVE-2021-30119 – and a 2FA bypass vulnerability – CVE-2021-30120. Kaseya says a further three vulnerabilities in the solution have also been addressed by the update: user portal session cookies were set without the secure flag, a flaw allowed files to be uploaded to a VSA server, and a password hash was exposed, leaving weak passwords vulnerable to brute-force attacks.

Kaseya has recommended a process for applying the update to minimize risk. This involves ensuring the VSA server is isolated and not connected to the Internet, searching for Indicators of Compromise (IoCs) to determine whether servers or endpoints have already been compromised, and then applying the update.

The full process for updating on-premises VSA servers and securing them is detailed in the Kaseya On Premises Startup Readiness Guide.


Kaseya VSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies

A Kaseya VSA supply chain attack has affected dozens of its managed service provider (MSP) clients and saw REvil ransomware pushed out to MSPs and their customers. Kaseya is an American software company that develops software for managing networks, systems, and information technology infrastructure. The software is used to provide services to more than 40,000 organizations worldwide.

The REvil ransomware gang gained access to Kaseya’s systems, compromised Kaseya’s VSA remote monitoring and management tool, and used the software update feature to install ransomware. The Kaseya VSA tool is used by MSPs to monitor and manage their infrastructure.

It is not clear when the ransomware gang gained access to Kaseya’s systems, but ransomware was pushed out to customers when the software updated on Friday July 2. The attack was timed to coincide with the July 4th holiday weekend in the United States, when staffing levels were much lower and there was less chance of the attack being detected and blocked before the ransomware payload was deployed.

Fast Response Limited the Extent of the Attack

The fast response of Kaseya limited the extent of the attack. Over the weekend, Kaseya’s chief executive, Fred Voccola, said the software update was pushed out to around 40 customers and only affected on-premises customers who were running their own data centers, and that its cloud-based services were not affected. The number of affected customers is now thought to be closer to 60.

Many of the victims were MSPs. In addition to their systems being encrypted, ransomware code was pushed out to their clients. More than 1,000 MSP clients are known to have been affected and had REvil ransomware installed. Sophos has reported that it is aware of 70 MSPs that have been affected, along with around 350 companies that use their services.

Kaseya has been issuing regular updates since the attack. In a Sunday morning update, Kaseya said there had been no further compromises since the Saturday evening report, which suggests the measures implemented following the discovery of the attack have been successful. While no further ransomware attacks are believed to be occurring, the victim count will undoubtedly grow over the coming days.

When the attack was detected, Kaseya shut down its hosted and SaaS VSA servers and told all customers to switch off their own VSA servers while the attack was mitigated. Customers have been told to keep the servers switched off until further notice. Kaseya is working closely with CISA, the FBI, and cybersecurity forensics firms to investigate the incident and to determine the extent of the attack.

“Our security, support R&D, communications, and customer teams continue to work around the clock in all geographies through the weekend to resolve the issue and restore our customers to service,” said Kaseya in a July 4, 2021, statement about the attack. “We are in the process of formulating a staged return to service of our SaaS server farms with restricted functionality and a higher security posture (estimated in the next 24–48 hours but that is subject to change) on a geographic basis. More details on both the limitations, security posture changes, and time frame will be in the next communique later today.”

Supply chain attacks such as this can have a huge impact globally. Attackers compromise one company, then gain access to the networks of thousands of others, as was the case with the SolarWinds Orion supply chain attack in 2020. In that attack, malware was distributed through the software update mechanism, which gave the attackers access to the systems of around 18,000 companies that received the update.

Kaseya Was Developing Patches for the Exploited Vulnerabilities

The REvil ransomware gang gained access to Kaseya’s systems by exploiting recently discovered vulnerabilities that had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD). Those vulnerabilities had not been publicly disclosed and Kaseya was in the process of developing patches to correct the vulnerabilities when the REvil gang struck.

“Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch,” said Victor Gevers, chairman of DIVD.

Kaseya said patches are being developed to correct the flaws and will be released as soon as possible.

One of the Largest Ransomware Attacks to Date

The REvil gang is believed to operate out of Eastern Europe or Russia and is one of the most prolific ransomware-as-a-service operations. Recent attacks conducted by the gang include JBS Foods, computer giant Acer, Pan-Asian retail giant Dairy Farm, UK clothing company French Connection (FCUK), French pharmaceutical company Pierre Fabre, and Brazilian healthcare company Grupo Fleury to name but a few. The latest attack is one of the largest ransomware attacks ever seen.

The gang is known to exfiltrate data prior to file encryption and demands payment of a ransom for the keys to decrypt encrypted files and to prevent the exposure or sale of data stolen in the attack. It is currently unclear if these attacks involved data theft.

Businesses and organizations affected by the latest attack have been issued with ransom demands ranging from $50,000 to $5 million according to Sophos malware analyst Mark Loman and Emsisoft CTO Fabian Wosar. The REvil gang has asked for a payment of $70 million to supply a universal decryptor that will unlock all systems that have been encrypted in the attack.

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour,” wrote the gang on its data leak site.

“We have been advised by our outside experts, that customers who experienced ransomware and receive a communication from the attackers should not click on any links - they may be weaponized,” said Kaseya.

President Biden Orders Federal Investigation

After learning of the attack, U.S. President Joe Biden ordered federal intelligence agencies to investigate the incident, stating on Saturday that it was unclear who was responsible for the attack. President Biden spoke with Vladimir Putin at the June 16 Geneva summit and urged him to crack down on cybercriminal gangs operating out of Russia, warning of consequences should the ransomware attacks continue. “The initial thinking was it was not the Russian government but we’re not sure yet,” President Biden told reporters on a Saturday visit to Michigan. He also confirmed the U.S. would respond if it is determined Russia was to blame for the attack.

CISA Issues Guidance for MSPs and MSP Customers Affected by the Kaseya VSA Supply Chain Attack

Kaseya issued a Compromise Detection Tool on July 3, 2021, which was rolled out to around 900 customers. The tool can be used to quickly determine if a customer’s VSA server has been compromised in the attack. The U.S. Cybersecurity and Infrastructure Security Agency is urging all Kaseya MSP customers to download and run the Compromise Detection Tool as soon as possible.

Kaseya MSP customers have also been advised to enable and enforce multi-factor authentication on every single account and, as far as is possible, to enable and enforce MFA for customer-facing services.

CISA also says MSPs should “implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.”

MSP customers affected by the attack have been advised to implement cybersecurity best practices, especially MSP customers who do not currently have their RMM service running due to the Kaseya attack. CISA recommends the following measures:

  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
  • Implement:
    • Multi-factor authentication; and
    • Principle of least privilege on key network resources admin accounts.
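To make CISA's allowlisting recommendation concrete, here is an added Python example (not CISA's or Kaseya's code) that audits firewall log lines against a set of known (client network, RMM server) address pairs and flags any established connection to the RMM port that does not match a pair. The log lines, the networks, the server addresses and the RMM port number are constructed placeholders for this example, not values taken from the advisory.

```python
"""Flag RMM connections that fall outside a set of known IP address pairs."""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical allowlist of (client network, RMM server) pairs. The addresses
# are documentation ranges chosen for this example; the port is a placeholder.
RMM_PORT = 5721  # placeholder, not a vendor-documented value
ALLOWED_PAIRS = [
    (ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_address("10.0.5.20")),  # customer A site
    (ipaddress.ip_network("203.0.113.7/32"), ipaddress.ip_address("10.0.5.20")),   # MSP technician VPN egress
]

# Constructed firewall log lines in a key=value style.
SAMPLE_LOG = """\
2021-07-02T14:01:03Z action=allow src=198.51.100.44 dst=10.0.5.20 dport=5721 proto=tcp
2021-07-02T14:01:09Z action=allow src=203.0.113.7 dst=10.0.5.20 dport=5721 proto=tcp
2021-07-02T14:02:41Z action=allow src=192.0.2.99 dst=10.0.5.20 dport=5721 proto=tcp
2021-07-02T14:03:15Z action=allow src=198.51.100.44 dst=10.0.5.21 dport=5721 proto=tcp
2021-07-02T14:03:50Z action=allow src=192.0.2.99 dst=10.0.5.20 dport=443 proto=tcp
2021-07-02T14:04:02Z action=deny src=192.0.2.100 dst=10.0.5.20 dport=5721 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reason: str

def pair_allowed(src, dst, pairs=ALLOWED_PAIRS):
    """True only when the (source, RMM server) pair is explicitly on the list."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src_ip in net and dst_ip == server for net, server in pairs)

def audit(log_text, pairs=ALLOWED_PAIRS, port=RMM_PORT):
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Only permitted connections to the RMM port matter here: denied
        # attempts were already blocked, and other ports are outside this policy.
        if m["action"] != "allow" or int(m["dport"]) != port:
            continue
        if not pair_allowed(m["src"], m["dst"], pairs):
            findings.append(Finding(m["ts"], m["src"], m["dst"],
                                    "src/dst pair not on RMM allowlist"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}: {f.reason}")
```

On the sample log the audit reports two findings: an unknown source reaching the RMM server, and a known customer source reaching a server it is not paired with. The second case is why CISA words the control as address pairs rather than a plain source allowlist.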


HHS: Take Action Now to Secure Vulnerable PACS Servers

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a TLP:White Alert warning about vulnerabilities in the Picture Archiving and Communication Systems (PACS) used by hospitals, clinics, small healthcare practices, and research institutions for sharing patient data and medical images.

The HC3 Sector Alert warns that PACS vulnerabilities are exposing sensitive patient data and placing systems at risk of compromise. Vulnerable Internet-exposed PACS servers can easily be identified and compromised by hackers, threatening not just the PACS servers but also any systems to which those servers connect.

PACS was initially developed to help with the transition from analog to digital storage of medical images. PACS servers receive medical images from medical imaging systems such as magnetic resonance imaging (MRI), computed tomography (CT), radiography, and ultrasound and store the images digitally using the Digital Imaging and Communications in Medicine (DICOM) format. DICOM is now three decades old and was discovered to have vulnerabilities that could easily be exploited.

Security researchers first described the vulnerabilities in September 2019 and showed that the flaws could be exploited to gain access to medical images and patient data. Thousands of vulnerable PACS were identified worldwide, and a second study several months later uncovered even more PACS that were exposed to the Internet and vulnerable to attack.

In June 2021, a ProPublica study revealed that millions of medical images had been exposed over the Internet through vulnerable PACS. The study found 130 health systems had exposed around 8.5 million case studies involving more than 2 million patients, with more than 275 million medical images from their examinations placed at risk along with any associated protected health information. Exposed protected health information included patient names, examination dates, images, physician names, dates of birth, procedure types, procedure locations, and Social Security numbers.

Successful exploitation of the vulnerabilities could give an attacker access to sensitive data, but vulnerabilities in the DICOM protocol could also be exploited to install malicious code, manipulate diagnoses, falsify scans, or sabotage research. Once access to PACS systems is gained, an attacker could move laterally and spread to other parts of the network undetected.

The main issue is that PACS servers have been exposed to the Internet without basic security principles being applied. These include:

  • Checking and validating connections to ensure the systems can only be accessed by authorized individuals.
  • Configuring the systems in accordance with manufacturer documentation.
  • Restricting network access to vulnerable systems and ensuring, where possible, that they are not accessible over the Internet.
  • Placing PACS systems behind firewalls, whenever possible.
  • Requiring a Virtual Private Network (VPN) for remote access to PACS systems.
  • Ensuring traffic between Internet-connected systems and physicians/patients is encrypted by enabling HTTPS.
  • Ensuring default passwords are changed to strong, unique passwords.
  • Closing all unused ports on affected systems.
  • Where possible, discontinuing or limiting the use of third-party software on affected systems to decrease the attack surface.
  • Ensuring patches are applied promptly.
  • Logging and monitoring all network traffic attempting to reach vulnerable systems.
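As an added example (not from the CISA or HC3 guidance, nor from HIPAA Journal), a small Python check in the spirit of the allowlisting and traffic-monitoring advice above: it reads constructed firewall log lines and reports attempts to reach assumed RMM/PACS administrative ports from sources outside an allowlist, separating attempts the firewall let through (a policy gap) from those it blocked (probing to watch). The networks, ports, and log layout are assumptions.

```python
"""Flag attempts to reach administrative interfaces (RMM console, PACS/DICOM
listener) from sources outside an IP allowlist. Added example: log layout,
addresses and ports are constructed, not taken from the CISA/HC3 guidance."""
import ipaddress
import re
from collections import defaultdict

# Constructed allowlist of networks permitted to reach admin interfaces.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]
# Constructed: ports treated as RMM or PACS administrative listeners.
ADMIN_PORTS = {8443: "rmm-console", 11112: "dicom"}

# Constructed firewall log lines in a simple key=value layout.
LOG_LINES = [
    "2021-07-09T14:02:11Z src=10.20.0.15 dst=10.20.5.7 dport=8443 action=allow",
    "2021-07-09T14:02:19Z src=203.0.113.45 dst=10.20.5.7 dport=11112 action=allow",
    "2021-07-09T14:02:20Z src=203.0.113.45 dst=10.20.5.7 dport=11112 action=allow",
    "2021-07-09T14:03:02Z src=198.51.100.9 dst=10.20.5.8 dport=8443 action=deny",
    "2021-07-09T14:03:40Z src=10.20.0.22 dst=10.20.5.9 dport=443 action=allow",
    "2021-07-09T14:04:01Z src=192.0.2.10 dst=10.20.5.7 dport=11112 action=allow",
]
_LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(allow|deny)")


def is_allowlisted(src: str) -> bool:
    """True when src falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def audit(lines):
    """Count allowed and denied attempts per (src, dport) from non-allowlisted
    sources to admin ports. allowed > 0 means the allowlist is not enforced
    at the firewall; denied attempts show who is probing the interface."""
    findings = defaultdict(lambda: {"allowed": 0, "denied": 0, "service": ""})
    for line in lines:
        m = _LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        src, dport, action = m.group(1), int(m.group(3)), m.group(4)
        if dport not in ADMIN_PORTS or is_allowlisted(src):
            continue  # not an admin port, or an expected administrative source
        entry = findings[(src, dport)]
        entry["service"] = ADMIN_PORTS[dport]
        entry["allowed" if action == "allow" else "denied"] += 1
    return dict(findings)


if __name__ == "__main__":
    for (src, port), f in sorted(audit(LOG_LINES).items()):
        print(f"{src} -> {port}/{f['service']}: {f['allowed']} allowed, {f['denied']} denied")
```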

HC3 says there are still several PACS servers that are currently visible and vulnerable. All healthcare organizations have been advised to review their inventory to determine if they are running any PACS servers and to take the steps outlined in the guidance to ensure those systems are secured.

The Department of Homeland Security has produced a list of GE Healthcare PACS that are known to have vulnerabilities that need to be addressed. The list is not all-inclusive so security measures should be assessed for all PACS servers, regardless of whether there are known vulnerabilities.

The post HHS: Take Action Now to Secure Vulnerable PACS Servers appeared first on HIPAA Journal.

CISA Releases Ransomware Readiness Assessment Audit Tool

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new tool that organizations can use to assess how well they are equipped to defend against and recover from a ransomware attack.

The threat from ransomware has grown significantly over the past year. The Verizon Data Breach Investigations Report shows 10% of cyberattacks now involve the use of ransomware, with SonicWall reporting a 62% global increase in ransomware attacks since 2019 and a 158% spike in attacks in North America during the same period. BlackFog predicts losses due to ransomware attacks will increase to $6 trillion in 2021, up from $3 trillion in 2015.

The Ransomware Readiness Assessment (RRA) audit module has been added to CISA’s Cyber Security Evaluation Tool (CSET). CSET is a desktop software tool that guides network defenders through a step-by-step process of assessing their cybersecurity practices for both their information technology (IT) and operational technology (OT) networks. CSET can be used to perform a comprehensive evaluation of an organization’s cybersecurity posture using recognized government and industry standards and recommendations.

The RRA can be used to evaluate cybersecurity defenses specifically relating to ransomware. CISA says the RRA tool has been developed for organizations at all levels of cybersecurity maturity and will allow network defenders to evaluate their defenses against recognized standards and best practice recommendations in a systematic, disciplined, and repeatable manner.

The RRA guides asset owners and operators through a systematic process to evaluate cybersecurity practices against ransomware threats and provides an analysis dashboard with graphs and tables displaying the results of the assessment, both in summarized and detailed form.

The RRA tool is available through CSET, which must first be downloaded and correctly installed. The installation file and instructions for installing CSET and starting the ransomware readiness assessment are available on GitHub.

CISA is urging all organizations to install the CSET tool and conduct a Ransomware Readiness Assessment to evaluate their cybersecurity defenses.

The post CISA Releases Ransomware Readiness Assessment Audit Tool appeared first on HIPAA Journal.