Latest HIPAA News

SolarWinds Orion Hackers Targeting U.S. Organizations with New Spear Phishing Campaign

Microsoft has discovered a large-scale spear phishing campaign being conducted by the Russian Advanced Persistent Threat (APT) group behind the SolarWinds Orion supply chain attack.

The spear phishing campaign has been active since at least January 2021. The APT group, tracked by Microsoft as Nobelium, has been experimenting with and has trialed various delivery techniques, including leveraging the Google Firebase platform to deliver a malicious ISO file via HTML email attachments, with the ISO dropping a variety of malware payloads.

Nobelium escalated the campaign on May 25, 2021 when it started using the Constant Contact mass-mailing service to distribute messages to targets in a wide range of industry verticals. The latest campaign targeted around 3,000 individual accounts across 150 organizations, most of which were in the United States. Each target had its own unique infrastructure and tooling, which has helped the group stay under the radar.

The attackers gained access to the Constant Contact account of the U.S. Agency for International Development (USAID) and delivered spear phishing messages under the guise of a USAID Special Alert. The messages have a reply-to address on the usaid.gov domain and were sent from the in.constantcontact.com domain.

Example Phishing email. Source: Microsoft

The messages claimed “Donald Trump has published new documents on election fraud”, with the messages including a button to click to view the documents. If the recipient clicks the link in the email, they are directed to the legitimate Constant Contact service, and then redirected to a URL under the control of Nobelium that delivers a malicious ISO file. Within the ISO file are a decoy document, a .lnk shortcut that executes a Cobalt Strike Beacon loader, and a malicious DLL file that is a Cobalt Strike Beacon loader and backdoor dubbed NativeZone by Microsoft.
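As an added example (not code from Microsoft or HIPAA Journal), the following Python script applies two triage checks a mail gateway or SOC analyst could run on messages like the one described above: a Reply-To domain that differs from the sending domain, and links or attachments that point at disk-image or shortcut files. The domains usaid.gov and in.constantcontact.com come from the article; the sample message, addresses, URL and file name are constructed, and the extension list beyond .iso and .lnk is an assumption of this example.

```python
"""Triage heuristics for mass-mailer phishing of the kind described above.

Added example (not Microsoft's or HIPAA Journal's code). The sample message
below is constructed; the domains usaid.gov and in.constantcontact.com come
from the article, everything else (addresses, URL, file name) is invented.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List

# Constructed sample: a mass-mailer message whose Reply-To domain differs from
# the sending domain and whose HTML body links to an ISO download.
SAMPLE_EML = b"""From: USAID Alerts <alerts@in.constantcontact.com>
Reply-To: alerts@usaid.gov
Subject: USAID Special Alert
Content-Type: text/html; charset="utf-8"

<html><body><p>New documents have been published.</p>
<a href="https://example.invalid/download/documents.iso">View documents</a>
</body></html>
"""

# File types that should not arrive by email as attachments or direct links.
# ISO and LNK are named in the article; the others are an assumption of this example.
RISKY_EXTENSIONS = (".iso", ".lnk", ".img", ".vhd")


def domain_of(address_header: str) -> str:
    """Return the lower-cased domain part of an RFC 5322 address header value."""
    _name, addr = parseaddr(str(address_header or ""))
    return addr.rpartition("@")[2].lower()


def extract_links(html: str) -> List[str]:
    """Collect href targets from an HTML body (simple regex, sufficient for triage)."""
    return re.findall(r'href="([^"]+)"', html, flags=re.IGNORECASE)


def triage(raw: bytes) -> List[str]:
    """Return findings for a raw RFC 822 message; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []

    # Check 1: Reply-To domain that does not match the sending domain.
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # Check 2: links in the body that point straight at disk images or shortcuts.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for link in extract_links(text):
        if link.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"link to disk-image/shortcut file: {link}")

    # Check 3: the same file types carried as attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment with risky extension: {name}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("FLAG:", finding)
```

A Reply-To/From mismatch is normal for legitimate mass mailers, so on its own it is a triage signal rather than a verdict; combined with a link or attachment that resolves to a disk image it is worth quarantining the message for review.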

Once the payloads are deployed, Nobelium gains persistent access to compromised systems and can subsequently complete further objectives such as lateral movement, data exfiltration, and the delivery of additional malware.

A previous campaign in May also used the combination of HTML and ISO files, which dropped a .NET first-stage implant – TrojanDownloader:MSIL/BoomBox – that was used for reconnaissance and to download additional malicious payloads from Dropbox.

The phishing campaign is being investigated by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Constant Contact issued a statement confirming that the account credentials of one of its customers were compromised. “This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement,” said Constant Contact.

Microsoft has warned that the tactics, techniques, and procedures used by Nobelium have had a high rate of evolution. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics,” warned Microsoft.

Microsoft has published Indicators of Compromise (IoCs) and has suggested several mitigations that can reduce the impact of this threat, including the use of antivirus software, enabling network protection to prevent applications or users from accessing malicious domains, and implementing multi-factor authentication to prevent the use of compromised credentials.

The post SolarWinds Orion Hackers Targeting U.S. Organizations with New Spear Phishing Campaign appeared first on HIPAA Journal.

Clinical Laboratory Settles HIPAA Security Rule Violations with OCR for $25,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with Peachstate Health Management, LLC, dba AEON Clinical Laboratories to resolve multiple violations of the HIPAA Security Rule.

Peachstate is a CLIA-certified laboratory that provides a range of services including clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR launched a compliance investigation on August 31, 2026 following a breach of unsecured protected health information reported by the U.S. Department of Veterans Affairs (VA) on January 7, 2015 involving its business associate, Authentidate Holding Corporation (AHC). The VA had contracted with AHC to manage the VA’s Telehealth Services Program. The aim of the OCR investigation was to assess whether the breach was the result of a failure to comply with the HIPAA Privacy and Security Rules.

During the course of the investigation, OCR learned that AHC had entered into a reverse merger with Peachstate on January 27, 2016 and had acquired Peachstate. OCR then conducted a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance. During that investigation OCR identified multiple potential violations of the HIPAA Security Rule.

Peachstate was discovered not to have conducted an accurate and thorough assessment to identify risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A) and had failed to reduce risks and vulnerabilities to a reasonable and appropriate level by implementing appropriate security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

Hardware, software, and procedural mechanisms had not been implemented to record and examine activity in information systems containing or using ePHI, in violation of 45 C.F.R. § 164.312(b). Policies and procedures had not been implemented to record actions, activities, and assessments demanded by 45 C.F.R. § 164.312(b), which was in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.

Peachstate agreed to settle the case and pay a $25,000 penalty and will implement an extensive corrective action plan to address all areas of noncompliance identified by OCR during the course of the investigation. Peachstate will be closely monitored by OCR for 3 years to ensure compliance.

“Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” said Robinsue Frohboese, Acting OCR Director. “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”


FBI Warns of Ongoing Conti Ransomware Attacks on Healthcare Organizations and First Responders

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Flash notice about ongoing Conti ransomware attacks targeting healthcare and first responder networks. According to the FBI, the Conti ransomware gang has attacked 16 healthcare and first responder organizations in the United States.

In addition to healthcare providers, the gang has attempted ransomware attacks on 911 dispatch centers, emergency medical services, law enforcement agencies and municipalities. The gang is known to have conducted attacks on 400 organizations worldwide, including a recent attack on the Health Service Executive (HSE) and Department of Health (DoH) in Ireland. To date, the gang has claimed 290 victims in the United States.

Conti ransomware is believed to be operated by the Russian cybercrime group Wizard Spider and is a ransomware-as-a-service (RaaS) operation. The threat group is known for attacking large organizations and issuing huge ransom demands, which have been as high as $25 million. The ransom demand is set for each victim based on the extent of the encryption and the perceived ability of the victim to pay.

As is common now with ransomware attacks, the Conti ransomware gang exfiltrates sensitive data prior to file encryption and threatens to sell or publish the data if the ransom is not paid. Victims are given 8 days to make payment, although if attempts have not been made by the victims to get in touch with the gang, contact is often made using Voice Over Internet Protocol (VOIP) services or encrypted email such as ProtonMail after 2-8 days to pressure victims into paying.

Attacks usually start with phishing emails that include weaponized hyperlinks or email attachments or the use of stolen Remote Desktop Protocol (RDP) credentials. Prior to the disruption of the Emotet botnet, the attackers used malicious Word documents with embedded PowerShell scripts, first to stage Cobalt Strike and then to deploy the Emotet Trojan onto the network, which allowed the threat group to deliver their ransomware payload. The group has also been known to use the TrickBot Trojan in their attacks. The time from the initial compromise to the deployment of ransomware is usually between 4 days and 3 weeks, with the ransomware payload often delivered using dynamic link libraries (DLLs).

The threat group uses living-off-the-land techniques and tools such as Sysinternals and Mimikatz to escalate privileges and move laterally within networks. After encrypting files, the gang often remains in the network and beacons out using Anchor DNS. Remote access tools used by the gang beacon out to domestic and international VPS infrastructure over ports 80, 443, and 8443, with port 53 often used for persistence. Indicators of attacks in progress include the creation of new accounts and the installation of tools such as Sysinternals, along with disabled detection and constant HTTP and DNS beacons.
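As an added example (not the FBI’s code), the following Python script looks for the “constant HTTP and DNS beacons” the notice lists as an indicator of an attack in progress: it groups outbound connections to ports 80, 443, 8443 and 53 by source, destination and port, and flags any pair whose gaps between connections are almost identical. The ports come from the notice; the log format, addresses, thresholds and every sample line are constructed for this example.

```python
"""Beacon-regularity check over connection logs, for the HTTP/DNS beaconing
the FBI notice describes.

Added example (not the FBI's or HIPAA Journal's code). The ports 80, 443,
8443 and 53 come from the notice; the log format, thresholds and all
addresses below are constructed for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

BEACON_PORTS = {80, 443, 8443, 53}
MIN_CONNECTIONS = 6   # fewer samples than this cannot establish a rhythm (assumption)
MAX_JITTER = 0.15     # std/mean of inter-connection gaps above this is "irregular" (assumption)

# Constructed log lines: "<epoch seconds> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.5 reaches out to 203.0.113.9:443 roughly every 60 s; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9 443
1061 10.0.0.5 203.0.113.9 443
1119 10.0.0.5 203.0.113.9 443
1180 10.0.0.5 203.0.113.9 443
1240 10.0.0.5 203.0.113.9 443
1302 10.0.0.5 203.0.113.9 443
1359 10.0.0.5 203.0.113.9 443
1005 10.0.0.7 198.51.100.20 443
1009 10.0.0.7 198.51.100.20 443
1150 10.0.0.7 198.51.100.20 443
1151 10.0.0.7 198.51.100.20 443
1400 10.0.0.7 198.51.100.20 443
1402 10.0.0.7 198.51.100.20 443
1403 10.0.0.7 198.51.100.21 80
"""

Pair = Tuple[str, str, int]


def parse_log(text: str) -> Dict[Pair, List[int]]:
    """Group connection timestamps by (src, dst, dst_port), keeping only the beacon ports."""
    series: Dict[Pair, List[int]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        port_n = int(port)
        if port_n in BEACON_PORTS:
            series[(src, dst, port_n)].append(int(ts))
    return series


def jitter(timestamps: List[int]) -> float:
    """Coefficient of variation of the gaps between consecutive connections (0.0 = perfectly regular)."""
    ordered = sorted(timestamps)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else float("inf")


def find_beacons(text: str) -> List[Pair]:
    """Return the (src, dst, port) tuples whose connection rhythm looks like a beacon."""
    hits: List[Pair] = []
    for key, stamps in parse_log(text).items():
        if len(stamps) >= MIN_CONNECTIONS and jitter(stamps) <= MAX_JITTER:
            hits.append(key)
    return hits


if __name__ == "__main__":
    for src, dst, port in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst}:{port}")
```

Real beacons add random sleep jitter, so the threshold should be tuned against a baseline of the environment’s own traffic, and a hit is strongest when the destination is an unfamiliar VPS address and the flagged host also shows the other indicators the notice lists (new accounts, newly installed Sysinternals tools, disabled security products).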

The FBI does not recommend paying ransoms, as payment neither guarantees the recovery of files nor prevents the sale or publication of stolen data. The FBI has requested that all victims of Conti ransomware attacks share information about the attacks with the FBI, including boundary logs showing communications to and from foreign IP addresses, Bitcoin wallet information, decryptor files, and/or benign samples of encrypted files.

The FBI has published several mitigations that can be implemented to harden defenses against Conti and other ransomware attacks. These include:

  • Regularly back up data, test backups, and store backups on air-gapped devices.
  • Retain multiple copies of sensitive and proprietary data on servers that are physically separate and cannot be accessed from the systems where data resides.
  • Implement network segmentation.
  • Use multi-factor authentication.
  • Patch and update systems, software, and firmware promptly.
  • Use strong passwords and regularly change passwords for network systems and accounts.
  • Disable hyperlinks in inbound email.
  • Add email banners to all inbound emails from external sources.
  • Conduct regular user account audits for accounts with administrative privileges.
  • Only use secure networks and avoid public Wi-Fi networks.
  • Use a VPN for remote access.
  • Ensure all members of the workforce are provided with regular security awareness training.


April 2021 Healthcare Data Breach Report

April was another particularly bad month for healthcare data breaches, with 62 reported breaches of 500 or more records – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month.

Healthcare data breaches in the past 12 months

High numbers of healthcare records continue to be exposed each month. Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised; however, it is below the 12-month average of 2,867,243 breached records per month. 34.4 million healthcare records have now been breached in the past 12 months, 11.2 million of which were breached in 2021.

Healthcare records breached in the past 12 months

Largest Healthcare Data Breaches Reported in April 2021

There were 19 reported data breaches in April that involved more than 10,000 records, including 7 that involved more than 100,000 records with all but one of the top 10 data breaches due to hacking incidents.

Ransomware attacks continue to occur at high levels, with many of the reported attacks affecting business associates of HIPAA-covered entities. These incidents, which include attacks on Netgain Technologies, Accellion, and CaptureRX, have affected multiple healthcare provider clients.

The majority of ransomware attacks now involve data theft prior to file encryption, with the stolen data used as leverage to get breach victims to pay. Large quantities of data are stolen in the attacks. The top three data breaches of the month all involved the use of ransomware and involved 1.3 million healthcare records.

There has been some positive news this month. In the wake of the ransomware attack on Colonial Pipeline, multiple ransomware gangs appear to have ceased operations and at least two have now taken the decision not to attack healthcare organizations. This news should naturally be taken with a large pinch of salt, as similar promises were made by certain ransomware gangs at the start of the pandemic and attacks continued at high levels.

Name of Covered Entity | Covered Entity Type | Business Associate Involvement | Individuals Affected | Type of Breach | Reported Cause of Breach
Trinity Health | Business Associate | Yes | 586,869 | Hacking/IT Incident | Ransomware (Accellion)
Bricker & Eckler LLP | Business Associate | Yes | 420,532 | Hacking/IT Incident | Ransomware
Health Center Partners of Southern California | Business Associate | Yes | 293,516 | Hacking/IT Incident | Ransomware (Netgain Technologies)
Total Health Care Inc. | Health Plan | No | 221,454 | Hacking/IT Incident | Phishing
Wyoming Department of Health | Health Plan | No | 164,010 | Unauthorized Access/Disclosure | Exposure of PHI over Internet
Home Medical Equipment Holdco, LLC | Healthcare Provider | No | 153,013 | Hacking/IT Incident | Phishing
Health Aid of Ohio, Inc. | Healthcare Provider | No | 141,149 | Hacking/IT Incident | Unspecified hacking and data exfiltration attack
Woodholme Gastroenterology | Healthcare Provider | No | 50,000 | Hacking/IT Incident | Unspecified hacking and data exfiltration attack
Neighborhood Healthcare | Healthcare Provider | Yes | 45,200 | Hacking/IT Incident | Ransomware (Netgain Technologies)
Crystal Lake Clinic PC | Healthcare Provider | No | 37,331 | Hacking/IT Incident | Not confirmed
RiverSpring Health Plans | Health Plan | No | 31,195 | Hacking/IT Incident | Phishing
Middletown Medical Imaging | Healthcare Provider | No | 29,945 | Hacking/IT Incident | Exposure of PHI over Internet
St. John’s Well Child and Family Center, Inc. | Healthcare Provider | No | 29,030 | Hacking/IT Incident | Unspecified hacking and data exfiltration attack
MailMyPrescriptions.com Pharmacy Corporation | Healthcare Provider | No | 24,037 | Hacking/IT Incident | Phishing
Squirrel Hill Health Center | Healthcare Provider | No | 23,869 | Hacking/IT Incident | Malware
Eastern Shore Rural Health System Inc. | Healthcare Provider | Yes | 23,282 | Unauthorized Access/Disclosure | Not confirmed
Faxton St. Luke’s Healthcare | Healthcare Provider | Yes | 17,656 | Hacking/IT Incident | Ransomware (CaptureRX)
Midwest Transplant Network, Inc. | Healthcare Provider | No | 17,580 | Hacking/IT Incident | Ransomware
Baptist Health Arkansas | Healthcare Provider | Yes | 16,765 | Hacking/IT Incident | Hacking of business associate (Foley & Lardner, LLP)

Causes of April 2021 Healthcare Data Breaches

Hacking/IT incidents, which include malware and ransomware attacks, dominated the breach reports in April 2021 and accounted for 67.74% of all reported breaches (42 incidents). These incidents involved 85.93% of all breached records in April. The mean breach size was 52,851 records and the median breach size was 6,563 records.

There were 17 incidents classed as unauthorized access/disclosures involving 358,870 records – 13.89% of all records breached in April. The mean breach size was 21,110 records and the median breach size was 2,704 records.

Loss and theft incidents continue but only at very low levels. There were just two reported cases of theft of devices containing PHI and one loss incident reported. 4,500 records were breached in these 3 incidents.

April 2021 Healthcare Data Breach causes

Network server incidents, most of which involved ransomware or malware, have overtaken phishing as the main cause of healthcare data breaches, although it should be noted that phishing emails are often the root cause of many ransomware attacks. There were 19 reported incidents involving PHI in email accounts, the majority of which were due to phishing or other forms of credential theft. One of the largest reported breaches in April was due to phishing and resulted in the exposure and potential theft of the PHI of 221,454 individuals.

April 2021 Healthcare Data Breaches - location of PHI

According to the Verizon 2021 Data Breach Investigations Report, phishing attacks increased globally by 11% in 2020 and ransomware attacks increased by 6%. The report shows insider breaches in healthcare have continued to fall and are now not even in the top three breach causes. In 2020, 61% of healthcare data breaches were due to external threat actors and 39% were caused by insiders.

April 2021 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type, with 30 data breaches of 500 or more records reported by the provider and a further 13 reported by a vendor. Business associate data breaches continue to be reported at high levels. There were 24 breaches involving business associates, with 10 of those breaches reported by the covered entity. 9 breaches were reported by health plans in April, with one breach affecting a health plan reported by its business associate.

States Affected by Healthcare Data Breaches

HIPAA-covered entities and business associates based in 28 states reported breaches of protected health information in April. California was the worst affected state with 7 breaches reported followed by Michigan and Texas with 5 breaches. Florida, New York, and Wisconsin had 4 breaches, and there were 3 reported breaches in Massachusetts and Ohio.

Wyoming, the least populated U.S. state, only had one reported breach, but it affected a quarter of state residents.

State | No. Reported Data Breaches
California | 7
Michigan and Texas | 5
Florida, New York, & Wisconsin | 4
Massachusetts & Ohio | 3
Georgia, Illinois, Minnesota, Missouri, New Mexico, Pennsylvania, and Vermont | 2
Alabama, Arkansas, Colorado, Kansas, Maryland, Montana, North Carolina, New Hampshire, New Jersey, Oregon, Tennessee, Virginia, & Wyoming | 1

HIPAA Enforcement Activity in April 2021

It has been a busy year of HIPAA enforcement by the HHS’ Office for Civil Rights with 6 financial penalties imposed to resolve violations of the HIPAA Rules; however, there were no new settlements or civil monetary penalties announced in April, nor any enforcement actions by state Attorneys General.


DarkSide RaaS Shut Down and Ransomware Gangs Ban Attacks on Healthcare Organizations

The DarkSide ransomware gang has notified its affiliates that it has shut down its ransomware-as-a-service (RaaS) operation. The announcement came after the group’s public infrastructure was taken offline in what appears to be a law enforcement operation.

On May 13, the DarkSide data leak site went offline along with much of the group’s public infrastructure, including the payment server used to obtain ransom payments from victims and its breach data content delivery network. The gang also said its cryptocurrency wallets had been emptied and the funds transferred to an unknown account.

Intel 471 obtained a copy of a note written by the gang explaining to its affiliates that part of its public infrastructure was lost, its servers could not be accessed via SSH, and its hosting panels had been blocked. The group said its hosting company did not provide any further information other than the loss of the servers was “at the request of law enforcement.”

The group explained that it will be releasing the decryptors for all companies that have been attacked but have not paid the ransom; however, those decryptors are being released to the affiliates who conducted the attacks, not to the attacked companies. It will be up to individual affiliates whether to provide them to their victims or attempt to obtain payment.

“In view of the [loss of servers] and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck,” wrote the gang.

The same day that the group’s infrastructure was taken down, President Biden held a press conference about the Colonial Pipeline ransomware attack explaining the efforts made by the government to limit disruption and promising action would be taken against the DarkSide ransomware gang.

“We don’t believe the Russian government was involved in this attack,” said President Biden. “We do have strong reason to believe that the criminals who did the attack are living in Russia.” Biden went on to say that the United States was “in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks” and that the U.S. would “pursue a measure to disrupt their ability to operate.” President Biden also confirmed that the U.S. Department of Justice has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.

Prior to the shutdown, the hacking community had started to shun the DarkSide group. One of the two top-tier dark web forums used by the DarkSide gang to advertise its RaaS operation deleted the DarkSide account along with two threads about its ransomware operation, according to Gemini Advisory. Gemini Advisory also claims to have heard from several credible sources that the group no longer has a presence on the dark web. One top-tier dark web forum often used by ransomware gangs has also imposed sanctions on ransomware operations and has banned them entirely from the forum, claiming ransomware has become too toxic.

Intel 471 reports that it is not only the DarkSide operation that has been shut down. Several other ransomware operations have halted their operations, although it is unclear whether this is a permanent shutdown or if the ransomware gangs are simply lying low and will start up their operations again under a different name. The Babuk ransomware operators claim to have provided their source code to another team and are pulling out of ransomware attacks. They said their ransomware will be operated by a different group under a different name.

The REvil ransomware gang, one of the most prolific ransomware operations, has also announced that it will no longer be promoting its ransomware operation on dark web forums and expects to make its operation private. Both REvil and Avaddon have taken the decision to stop their affiliates from attacking companies in certain sectors. Both ransomware gangs released statements confirming new rules have been introduced for affiliates that prohibit them from conducting attacks on the government, healthcare, charities, and educational institutions in any country. They also require their affiliates to obtain approval from the group before any attack. Should any affiliate attack a prohibited target, the victim will be provided with the decryptor free of charge and the affiliate will be permanently kicked out of the RaaS program.

Intel 471 also reports that the cryptocurrency mixing service, BitMix, which was used by REvil and Avaddon to launder the cryptocurrency generated from ransomware attacks has also been shut down.


Biden Signs Expansive Executive Order to Improve Cybersecurity for Federal Networks

On May 13, 2021, President Biden signed an expansive Executive Order that aims to significantly bolster cybersecurity protections for federal networks, improve threat information sharing between the government, law enforcement and the private sector, and introduce a cyber threat response playbook to accelerate incident response and mitigation.

The 34-page Executive Order includes short time frames for making significant improvements to cybersecurity, with all elements of the Executive Order due to be implemented within the next 360 days and the first elements due in 30 days. The Executive Order was penned following a series of damaging cyberattacks that impacted government departments and agencies, such as the SolarWinds Orion supply chain attack and attacks on Microsoft Exchange Servers. The recent DarkSide ransomware attack on Colonial Pipeline served as yet another reminder of the importance of improving cybersecurity, not just for the Federal government but also for the private sector, which owns and operates much of the country’s critical infrastructure.

President Biden is planning to lead by example and is urging the private sector and critical infrastructure firms to follow the lead of the Federal government in improving resilience to cyberattacks and preparing for attacks to ensure that disruption to operational capabilities is kept to a minimum.

The key elements of the Executive Order on Improving the Nation’s Cybersecurity are:

  • Removing barriers to threat information sharing to make it easier for private sector companies to report threats and data breaches that could potentially have an impact on Federal networks.
  • Modernizing and implementing stronger cybersecurity standards in the Federal government. This includes widespread use of multifactor authentication, more extensive use of data encryption, the adoption of a zero-trust architecture, and a more rapid transition to secure cloud services.
  • The creation of a standard cyber incident response playbook. Government departments and agencies need to know, in advance, how to respond to threats. The playbook will ensure a rapid and uniform response to any cybersecurity incident.
  • Improvements to investigative and remediation capabilities. Detailed security event logs must be maintained by federal departments and agencies to ensure that cyberattacks can be easily investigated and remediated. Breach investigations have previously been hampered due to the lack of robust and consistent logging.
  • Improving software supply chain security. All software sold to the U.S. government will need to adhere to new security standards. Developers will be required to maintain greater visibility into their software solutions and make security data publicly available. The government will also launch a pilot “energy star” label program to demonstrate whether software was developed securely.
  • A Cybersecurity Safety Review Board will be created that consists of government and private sector leads that will meet following any significant security breach to analyze what has happened. Recommendations can then be made and implemented to ensure similar attacks are prevented in the future.
  • Improvements to cyber incident detection capabilities. A government-wide endpoint detection and response system will be implemented, along with robust intra-governmental information sharing.

“This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur,” explained the Biden Administration in a statement about the Executive Order. “It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses.”


Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data.

In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic.

To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR.

2020 saw an 11% increase in phishing attacks, with cases of misrepresentation such as email impersonation attacks at 15 times the level of 2019. There was a 6% increase in ransomware attacks, with 10% of all data breaches in 2020 involving the use of ransomware – twice the level of the previous year.

Across all industry sectors, phishing was the main cause of data breaches and was involved in 36% of incidents. The researchers attributed the increase in phishing attacks to the pandemic, with COVID-19 and other related pandemic lures extensively used in targeted attacks on at-home workers. While phishing attacks and the use of stolen credentials are linked, the researchers found attacks involving stolen credentials were similar to the level of the previous year and were involved in 25% of breaches. Exploitation of vulnerabilities was also common, but in most cases it was not new vulnerabilities being exploited but vulnerabilities for which patches have been available for several months or years.

The increase in remote working forced businesses to move many of their business functions to the cloud and securing those cloud resources proved to be a challenge. Attacks on web applications accounted for 39% of all data breaches, far higher than the previous year. Attacks on external cloud assets were much more common than attacks on on-premises assets.

61% of data breaches involved credential theft, which is consistent with previous data breach investigation reports and 85% of data breaches involved a human element. In the majority of cases (80%), data breaches were discovered by a third party rather than the breached entity.

There were considerable variations in attacks and data breaches across the 12 different industry verticals represented in the report. In healthcare, human error continued to be the main cause of data breaches, as has been the case for the past several years. The most common cause of data breaches was misdelivery of paper and electronic documents (36%), a figure that was far higher in the financial sector (55%). In public administration, the main cause of data breaches was social engineering, such as phishing attacks to obtain credentials.

Healthcare Data Breaches in 2020. Source: Verizon 2021 Data Breach Investigations Report

Verizon analyzed 655 healthcare security incidents, which included 472 data breaches. 221 incidents involved malware, 178 hacking, 137 human error, and 106 social attacks. For the second consecutive year, incidents involving malicious insiders have fallen out of the top three attack types. While it is certainly good news that the number of malicious insider incidents is falling, that does not mean that these incidents are no longer occurring. It could indicate malicious insiders are able to cover their tracks much better. Attacks by external threat actors significantly increased, with healthcare industry cyberattacks commonly involving the use of ransomware. 61% of incidents were the work of external threat actors and 39% were internal data breaches.

Interestingly, considering the value of medical data on the black market, medical data was not the most commonly breached data type. Medical data was breached in 55% of data breaches, with personal data breached in 66% of incidents. 32% of breaches involved the theft of credentials. Verizon suggests that could be due to the opportunistic nature of attacks by external threat actors. “With the increase of External actor breaches, it may simply be that the data taken is more opportunistic in nature. If controls, for instance, are more stringent on Medical data, an attacker may only be able to access Personal data, which is still useful for financial fraud. Simply put, they may take what they can get and run.”

Breach detection has been steadily improving since 2016, when the majority of data breaches took months or more to identify. The majority of data breaches are now being discovered in days or less, although most commonly not by the breached entity. 80% of data breaches were identified by a third party.

The cost of a data breach is now estimated to be $21,659 on average, with 95% of data breaches having a financial impact of between $826 and $653,587.

The post Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall appeared first on HIPAA Journal.

Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes

Several healthcare groups have expressed concern about the HIPAA Privacy Rule changes proposed by the Department of Health and Human Services (HHS) in December 2020 and published in the Federal Register in January. The HHS has received comments from more than 1,400 individuals and organizations and will now review all feedback before issuing a final rule or releasing a new proposed rule.

There have been calls for changes to the HIPAA Privacy Rule to be made to align it more closely with other regulations, such as the 21st Century Cures Act, the 42 CFR Part 2 regulations covering federally assisted substance use disorder (SUD) treatment programs, and for there to be greater alignment with state health data privacy laws. Some of the proposed HIPAA Privacy Rule changes are intended to remove barriers to data sharing for care coordination, but the changes may still conflict with state laws, especially in relation to SUD treatment. There is concern that poor alignment with other regulations could be a major cause of confusion and could create new privacy and security risks.

Another area of concern relates to personal health applications (PHA). The HHS has defined PHAs, but many groups and organizations have voiced concern about the privacy and security risks associated with sending protected health information (PHI) to these unregulated apps. PHAs fall outside the scope of HIPAA, so any PHI that a covered entity sends to a PHA at the request of a patient could result in a patient’s PHI being used in ways not intended by the patient. A patient’s PHI could also easily be accessed and used by third parties.

PHAs may not have robust privacy and security controls since compliance with the HIPAA Security Rule would not be required. There is no requirement for covered entities to enter into business associate agreements with PHA vendors, and secondary disclosures of PHI would not be restricted by the HIPAA Privacy Rule.

“Personal health applications should be limited to applications that do not permit third-party access to the information, include appropriate privacy protections and adequate security and are developed to correctly present health information that is received from electronic health records,” suggested the American Hospital Association in its feedback to the HHS.

The College of Healthcare Information Management Executives (CHIME) has voiced concerns about the proposal for covered entities to require PHAs to register before providing patient data, and about how covered entities would be required to respond when a patient requests their health information be sent to a PHA that does not have appropriate privacy and security protections. For instance, CHIME asked whether providers would still be required to send PHI at the request of a patient if the patient asked for it to be sent to a PHA developed by a nation state actor. Concern has also been raised about the growing number of platforms that exchange PHI and fall outside the scope of HIPAA.

One of the proposed changes relates to improving patients’ access to their health data and shortening the time to provide that information from 30 to 15 days. The Association for Behavioral Health and Wellness (ABHW) and CHIME have both voiced concerns about the shortening of the timeframe for honoring patient requests for their healthcare data, as this will place a further administrative burden on healthcare providers, especially during the pandemic. CHIME said it may not be possible to provide PHI within this shortened time frame and doing so may well add costs to the healthcare system. CHIME has requested the HHS document when exceptions are allowed, such as in cases of legal disputes and custody cases. ABHW believes the time frame should not be changed and should remain as 30 days.

It is likely that if the final rule is issued this year, it will be necessary for organizations to ensure compliance during the pandemic, which could prove to be extremely challenging. ABHW has recommended delaying the proposed rule for an additional year to ease the burden on covered entities. CHIME has suggested the HHS should not issue a final rule based on the feedback received, but instead reissue the questions raised in the proposed rule as a request for information and to host a listening session to obtain more granular feedback and then enter into a dialogue about the proposed changes.

The post Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes appeared first on HIPAA Journal.

CISA/FBI Provide Best Practices for Preventing Business Disruption from Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert about DarkSide ransomware in the wake of the attack on the fuel pipeline company Colonial Pipeline.

The cyberattack caused major disruption to fuel supplies to the East Coast. Colonial Pipeline was forced to shut down systems to contain the threat, including the operational technology of its 5,500-mile pipeline which supplies diesel, gasoline, and jet fuel to the U.S. East Coast. The four main pipelines were shut down over the weekend, and while smaller pipelines were quickly restored, the main pipelines have remained shut down pending safety assessments. The pipelines transport around 2.5 million barrels of fuel a day and provide 45% of the East Coast’s fuel.

The attack affected Colonial Pipeline’s information technology network, but its operational technology network was not affected. The DarkSide ransomware gang issued a statement shortly after the attack explaining the attack was conducted purely for financial reasons and not for political reasons or to cause economic or social disruption. The group also said it would be vetting future ransomware attacks by its affiliates and partners to avoid social consequences in the future.

The joint advisory from CISA and the FBI includes technical details of the attack along with several mitigations to reduce the risk of compromise in DarkSide ransomware attacks and ransomware attacks in general. All critical infrastructure owners and operators are being urged to implement the mitigations to prevent similar attacks.

Previous attacks by DarkSide partners have gained initial access to networks via phishing emails and the exploitation of vulnerabilities in remotely accessible accounts and systems and Virtual Desktop Infrastructure. The group is known to use Remote Desktop Protocol (RDP) to maintain persistence. As with many other human-operated ransomware operations, prior to the deployment of ransomware the attackers exfiltrate sensitive data and threaten to sell or publish the data if the ransom is not paid.

Preventing DarkSide and other ransomware attacks requires steps to be taken to block the initial attack vectors. Strong spam filters are required to prevent phishing emails from reaching inboxes and multi-factor authentication should be enabled for email accounts to prevent the stolen credentials from being used. MFA should also be implemented on all remote access to operational technology (OT) and information technology (IT) networks. An end user training program should be implemented to train employees how to recognize spear phishing emails and to teach cybersecurity best practices.

Network traffic should be filtered to prohibit communications with known malicious IP addresses, and web filtering technology used to prevent users from accessing malicious websites. It is vital for software and operating systems to be kept up to date and for patches to be applied promptly. CISA recommends using a centralized patch management system and a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.

Access to resources over networks should be restricted, especially RDP, which should be disabled if not operationally necessary. If RDP is required, MFA should be implemented. Steps should also be taken to prevent unauthorized execution of code, including disabling Office Macros and implementing application allowlisting to ensure only authorized programs can be executed in accordance with the security policy.

Inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected should be monitored and/or blocked, and signatures should be deployed to block inbound connections from Cobalt Strike servers and other post-exploitation tools.

It may not be possible to block all attacks, so steps should be taken to limit the severity of a successful attack to reduce the risk of severe business or functional degradation. These measures include robust network segmentation, organizing assets into logical zones, and implementing regular and robust backup procedures.
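Two of the mitigations above are straightforward to turn into a detection check: flagging inbound connections from Tor exit nodes to ports where external access is not expected, and flagging RDP sessions that originate outside the network. The script below is an added example written for this article, not code from CISA, the FBI or HIPAA Journal. The log line format, the IP addresses, the internal network ranges and the small Tor exit-node set are all constructed for the example; a real deployment would read the firewall's actual export and refresh the exit-node list from the Tor Project's published feed.

```python
"""Added example: flag inbound connections a firewall allowed that match two
conditions from the CISA/FBI DarkSide advisory summarized above:
  - source is a Tor exit node / anonymizer and the destination port is one on
    which external connections are not expected;
  - source is external and the destination port is RDP (TCP 3389).
Everything below (log format, addresses, exit-node list) is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed stand-in for a Tor exit-node feed (documentation-range addresses).
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Ports on which inbound connections from the internet are expected (assumption:
# only the HTTPS front end is meant to be reachable).
EXPECTED_EXTERNAL_PORTS = {443}

RDP_PORT = 3389

# Address ranges treated as internal: RFC 1918 space plus loopback. Listed
# explicitly rather than via ipaddress.is_private so that documentation ranges
# used in the sample log (192.0.2.0/24 etc.) are correctly treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed log format:
#   <timestamp> src=<ip>:<port> dst=<ip>:<port> proto=<proto> action=<allow|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dport: int
    reasons: Tuple[str, ...]


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip: str) -> bool:
    """True when the address is outside the internal ranges defined above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(lines: Iterable[str], tor_exits=TOR_EXIT_NODES,
            expected_ports=EXPECTED_EXTERNAL_PORTS) -> List[Finding]:
    """Return one Finding per allowed inbound connection that matches a rule."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue  # unparseable or already blocked: nothing to flag
        src, dport = rec["src"], rec["dport"]
        if not is_external(src):
            continue  # both rules concern traffic arriving from outside
        reasons = []
        if src in tor_exits and dport not in expected_ports:
            reasons.append("tor-exit-to-unexpected-port")
        if dport == RDP_PORT:
            reasons.append("external-rdp")
        if reasons:
            findings.append(Finding(rec["ts"], src, dport, tuple(reasons)))
    return findings


# Constructed sample log: one Tor exit hitting RDP, one Tor exit hitting the
# expected HTTPS port, one ordinary external RDP session, one internal RDP
# session, one denied connection and one malformed line.
SAMPLE_LOG = [
    "2021-05-11T02:14:07Z src=198.51.100.7:51122 dst=10.0.0.5:3389 proto=tcp action=allow",
    "2021-05-11T02:15:30Z src=203.0.113.42:44310 dst=10.0.0.8:443 proto=tcp action=allow",
    "2021-05-11T02:16:02Z src=192.0.2.77:60001 dst=10.0.0.5:3389 proto=tcp action=allow",
    "2021-05-11T02:16:45Z src=10.0.1.20:50200 dst=10.0.0.5:3389 proto=tcp action=allow",
    "2021-05-11T02:17:10Z src=203.0.113.42:44500 dst=10.0.0.9:22 proto=tcp action=deny",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> port {f.dport}: {', '.join(f.reasons)}")
```

Denied connections are skipped because the advisory's concern is what got through; if the goal is instead to measure how often anonymizers probe the perimeter, drop that filter and count the denies separately. Keeping the internal ranges explicit also makes the exclusion list something a reviewer can audit, which matters when the same script is reused in an environment that routes non-RFC 1918 space internally.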

You can view the alert and recommended mitigations here.

The post CISA/FBI Provide Best Practices for Preventing Business Disruption from Ransomware Attacks appeared first on HIPAA Journal.