Latest HIPAA News

April 2022 Healthcare Data Breach Report

Posted by HIPAA Journal

After four successive months of declining numbers of data breaches, there was a 30.2% increase in reported data breaches. In April 2022, 56 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Healthcare data breaches in the past 12 months (April 2022)

While the number of reported breaches increased month-over-month, the number of healthcare records that were exposed or impermissibly disclosed decreased by 30% to 2,160,194 – the lowest monthly number since October 2021. The average breach size in April 2022 was 38,575 records, and the median breach size was 6,546 records.

Breached healthcare records in the past 12 months (April 2022)

Largest Healthcare Data Breaches in April 2022

22 healthcare data breaches were reported in April 2022 that affected 10,000 or more individuals. The worst breach was a hacking incident reported by Adaptive Health Integrations, a provider of software and billing/revenue services to laboratories, physician offices, and other healthcare companies. More than half a million healthcare individuals were affected.  The Arkansas healthcare provider ARcare suffered a malware attack that disrupted its systems and potentially allowed hackers to access the records of 345,353 individuals. Refuah Health Center reported a hacking and data theft incident in April, which had occurred almost a year previously in May 2021 and affected up to 260,740 patients.

Illinois Gastroenterology Group, PLLC reported a hacking incident where the attackers had access to the records of 227,943 individuals, and Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown were affected by a data breach at the cloud-EHR vendor Eye Care Leaders (ECL), which exposed the records of 194,035 individuals. The ECL cyberattack saw the attackers delete databases and system configuration files of one of its cloud services. The cyberattack affected close to a dozen eye care providers and resulted in the exposure of more than 342,000 records.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Adaptive Health Integrations ND Healthcare Provider 510,574 Hacking incident with potential data theft
ARcare AR Healthcare Provider 345,353 Malware infection
Refuah Health Center NY Healthcare Provider 260,740 Hacking incident and data theft incident
Illinois Gastroenterology Group, PLLC IL Healthcare Provider 227,943 Hacking incident with potential data theft
Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown WV Healthcare Provider 194,035 Hacking incident at EHR provider
Healthplex, Inc. NY Health Plan 89,955 Email account breach
Optima Dermatology Holdings, LLC NH Healthcare Provider 59,872 Unspecified email incident
SUMMIT EYE ASSOCIATES P.C. TN Healthcare Provider 53,818 Hacking incident at EHR provider
Newman Regional Health KS Healthcare Provider 52,224 Email account breach
WellStar Health System, Inc. GA Healthcare Provider 30,417 WellStar Health System
Central Vermont Eye Care VT Healthcare Provider 30,000 Unspecified hacking incident
Frank Eye Center, P.A. KS Healthcare Provider 26,333 Hacking incident at EHR provider
New Creation Counseling Center OH Healthcare Provider 24,029 Ransomware attack
Georgia Pines CSB GA Healthcare Provider 24,000 Theft of laptop computers
The Guidance Center, Inc. AZ Healthcare Provider 23,104 Email account breach
Allied Eye Physicians and Surgeons, Inc. OH Healthcare Provider 20,651 Hacking incident at EHR provider
King County Public Hospital District No. 2 d/b/a EvergreenHealth WA Healthcare Provider 20,533 Hacking incident at EHR provider
Onehome Health Solutions FL Healthcare Provider 15,401 Theft of laptop computers
Southern Ohio Medical Center OH Healthcare Provider 15,136 Hacking incident with potential data theft
Arkfeld, Parson, and Goldstein, P.C. doing business as ilumin NE Healthcare Provider 14,984 Hacking incident at EHR provider
Pediatric Associates, P.C. VA Healthcare Provider 13,000 Hacking incident at EHR provider
Fairfield County Implants and Periodontics, LLC CT Healthcare Provider 10,502 Email account breach

Causes of April 2022 Healthcare Data Breaches

Hacking and IT incidents accounted for 73.2% of the healthcare data breaches reported in April 2022 and 97.1% of the month’s breached healthcare records. 2,098,390 individuals were affected by those hacking incidents and may have had their protected health information stolen. The average breach size was 51,180 records and the median breach size was 9,969 records. 16 of the hacking incidents involved unauthorized individuals gaining access to employee email accounts, and there were 7 breaches of electronic health records, due to the hacking incident at the EHR vendor Eye Care Leaders.

Causes of April 2022 Healthcare Data Breaches (april 2022)

There were just breaches reported as unauthorized access/disclosure incidents which involved a total of 20,391 records. The average breach size was 1,854 records and the median breach size was 820 records. There were two theft incidents reported involving laptop computers and one loss incident involving an ‘other portable electronic device’. Across the three loss/theft incidents, the records of 40,298 individuals were potentially compromised. All three breaches could have been prevented if data had been encrypted. There was also one improper disposal incident reported, involving 1,115 paper records.

Location of breached protected health information (April 2022)

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected HIPAA-covered entity, with 39 reporting breaches in April. 7 data breaches were reported by health plans, and 10 data breaches were reported by business associates. However, a further 17 data breaches occurred at business associates but were reported by the respective covered entity. The chart below shows the month’s data breaches adjusted to reflect where the breaches occurred.

Healthcare Data Breaches by Covered Entity Type (April 2022)

Healthcare Data Breaches by State

In April 2022, HIPAA-regulated entities in 26 states reported breaches. New York and Ohio were the worst affected states in April, with 7 & 6 data breaches reported respectively.

State Number of Data Breaches
New York 7
Ohio 6
California 4
Arizona, Georgia, Kansas, Michigan, Tennessee, & Virginia 3
Florida, Maryland, North Carolina & New Hampshire 2
Alabama, Arkansas, Colorado, Connecticut, Illinois, Nebraska, North Dakota, Pennsylvania, South Carolina, Utah, Vermont, Washington & West Virginia 1

HIPAA Enforcement Activity in April 2022

There were no HIPAA enforcement activities announced by the HHS’ Office for Civil Rights or State Attorneys General in April 2022. So far this year, 4 financial penalties have been imposed to resolve HIPAA violations.

The post April 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Cybersecurity Agencies Share Most Common Attack Vectors for Initial Access and Recommended Mitigations

Posted by HIPAA Journal

According to a recent security advisory issued by the Five Eyes Cybersecurity agencies in the US, UK, Canada, Australia, and New Zealand, the most common attack vectors used by cyber threat actors for initial access to networks are exploits of public-facing applications, external remote services, trusted relationships, phishing, and compromised credentials for valid user accounts.

These attack methods often succeed due to poor security practices, bad cyber hygiene, weak controls, and poor security configurations. The security advisory details the most commonly exploited controls and practices and provides recommendations for mitigations to strengthen security and block these attack vectors.

Top 10 Security Weaknesses Exploited by Hackers

The top ten security weaknesses exploited by hackers consist of poor security practices, weak security controls, and misconfigurations and unsecured systems, which allow the most common attack vectors to be used.

Slow software updates and patching

The failure to update software promptly and apply patches for known vulnerabilities gives attackers a window of opportunity for exploiting the vulnerabilities. Exploits for vulnerabilities are often released publicly within days or weeks. Vulnerabilities can be exploited to gain access to sensitive information, conduct denial-of-service attacks, or take full control of vulnerable systems. Slow patching is one of the commonest poor security practices.

Open ports and misconfigurations that expose services to the Internet

Another commonly identified vulnerability is the failure to close open ports. Hackers continuously scan for open ports and misconfigured services that expose systems to the Internet. The compromising of these services can provide attackers with initial access. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services.

Failure to enforce multifactor authentication

Multifactor authentication should be enforced on all accounts to block attempts to use stolen credentials. This is especially important for Remote Desktop Protocol, other remote services, and accounts with administrative privileges. The lack of multifactor authentication for RDP is commonly exploited in ransomware attacks.

Use of default credentials and configurations

The failure to change default credentials provides attackers with easy access, as default credentials are often in the public domain. Default configurations are typically excessively permissible to ensure they are user-friendly, and the failure to change configurations can give attackers an avenue for exploitation.

Insufficient controls for remote access

Remote services are commonly targeted by threat actors who exploit a lack of sufficient authentication controls, such as no multifactor authentication. In addition to enforcing MFA, network defenders should consider implementing a boundary firewall in front of a VPN and IDS/IPS sensors to detect anomalous activity.

Incorrectly applied privileges or permissions, and errors within access control lists

Incorrectly applied privileges or permissions can prevent access control rules from being enforced, which could allow system processes or unauthorized users to be granted access to objects.

Poor password policies

Many different methods can be used to exploit weak, leaked, or compromised passwords to access victims’ systems. Policies should be set and enforced requiring strong, unique passwords to be used. Weak RDP passwords are commonly exploited.

Unprotected cloud services

Misconfigurations and poor security configurations can leave cloud services unprotected, giving threat actors easy access to sensitive data and permitting cryptojacking using cloud servers.

Insufficient phishing defenses

Phishing is one of the leading ways that threat actors gain a foothold in networks. Email security solutions should be used that have strong antivirus controls, use behavioral analysis to identify malware, and have the capability to scan embedded links. Security awareness training should be regularly provided to the workforce.

Poor endpoint detection and response

Endpoint detection solutions should be implemented that go beyond signature-based detection methods as threat actors commonly use obfuscated malicious scripts and PowerShell to bypass endpoint security solutions such as antivirus software.

Suggested Mitigations

The security alert includes several mitigations that can help network defenders strengthen security and protect against these commonly exploited weak security controls and practices. The suggested mitigations are concerned with controlling access, credential hardening, establishing centralized log management, deploying antivirus and other detection tools, conducting vulnerability scans, establishing a robust patch management program, and maintaining a rigorous configuration management program.

The post Cybersecurity Agencies Share Most Common Attack Vectors for Initial Access and Recommended Mitigations appeared first on HIPAA Journal.

Five Eyes Intelligence Alliance Warns of Increase in Cyberattacks Targeting Managed Service Providers

Posted by HIPAA Journal

The Five Eyes intelligence alliance, which consists of cybersecurity agencies from the United States, United Kingdom, Australia, New Zealand, and Canada, has issued a joint alert warning about the increasing number of cyberattacks targeting managed service providers (MSPs).

MSPs are attractive targets for cybercriminals and nation-state threat actors. Many businesses rely on MSPs to provide information and communication technology (ICT) and IT infrastructure services, as it is often easier and more cost-effective than developing the capabilities to handle those functions internally.

In order to provide those services, MSPs require trusted connectivity and privileged access to the networks of their clients. Cyber threat actors target vulnerable MSPs and use them as the initial access vector to gain access to the networks of all businesses and organizations that they support. It is far easier to conduct a cyberattack on a vulnerable MSP and gain access to the networks of dozens of businesses than to target those businesses directly.

When MSP systems are compromised, it may take several months before the intrusion is detected, during which time threat actors may conduct cyber espionage on the MSP and its customers or prepare for other follow-on activities such as ransomware attacks.

The Five Eyes agencies provide recommendations for baseline security measures that MSPs and their customers should implement and also recommend customers review their contracts with MSPs to ensure that the contracts specify that their MSPs must implement the recommended measures and controls.

Steps need to be taken to improve defenses to prevent the initial compromise. Cyber threat actors commonly exploit vulnerable devices and Internet-facing services and conduct phishing and brute force attacks to gain a foothold in MSP networks. The Five Eyes agencies recommend MSPs and their customers:

  • Improve the security of vulnerable devices
  • Protect internet-facing services
  • Defend against brute force and password spraying
  • Defend against phishing

It is vital to enable or improve monitoring and logging processes to allow intrusions to be rapidly detected. Since threat actors may compromise networks for months, all organizations should store their most important logs for at least six months. “Whether through a comprehensive security information and event management (SIEM) solution or discrete logging tools, implement and maintain a segregated logging regime to detect threats to networks,” suggest the agencies in the alert.

It is important to secure remote access applications and enforce multi-factor authentication as far as possible, and ensure MFA is implemented on all accounts that allow access to customer environments. Customers of MSPs should ensure that their contracts state that MFA must be used on accounts that are used to access their systems.

The Five Eyes agencies also suggest

  • Managing internal architecture risks and segregating internal networks
  • Applying the principle of least privilege
  • Deprecating obsolete accounts and infrastructure
  • Applying software updates and patches promptly
  • Backing up systems and data regularly and testing backups
  • Developing and exercising incident response and recovery plans
  • Understanding and proactively managing supply chain risk
  • Promoting transparency
  • Managing account authentication and authorization

MSPs and their customers will have unique environments, so the recommendations should be applied as appropriate in accordance with their specific security needs and appropriate regulations.

The post Five Eyes Intelligence Alliance Warns of Increase in Cyberattacks Targeting Managed Service Providers appeared first on HIPAA Journal.

HC3 Highlights Trends in Ransomware Attacks on the HPH Sector

Posted by HIPAA Journal

The tactics, techniques, and procedures (TTPs) used by ransomware and other cyber threat actors are constantly evolving to evade detection and allow the groups to conduct more successful attacks. The TTPs employed in the first quarter of 2022 by ransomware gangs have been analyzed and shared by the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3).

In Q1, 2022, the majority of ransomware attacks on the Healthcare and Public Health Sector (HPH) were conducted by five ransomware-as-a-service groups. LockBit 2.0 and Conti each accounted for 31% of attacks, followed by SunCrypt (16%), ALPHV/BlackCat (11%), and Hive (11%). The financially motivated threat groups FIN7 and FIN12 have also shifted their activities and have moved to ransomware operations, with FIN7 working with ALPHV and FIN12 extensively involved in attacks on the HPH sector. FIN12’s involvement has decreased the timescale for conducting attacks from 5 days to 2 days.

Ransomware gangs often work with initial access brokers (IABs) that specialize in gaining access to organizations’ networks, then sell the access to the ransomware gangs. The use of IABs helps ransomware gangs concentrate on developing their ransomware variants and running their RaaS operations, which allows them to work on their TTPs and conduct more successful attacks. HC3 has not observed any change in the numbers of IABs working with ransomware gangs in Q1, 2022, with similar numbers observed as throughout 2022.

IABs were most commonly observed advertising general VPN/RDP access to the networks of HPH entities on cybercrime forums, which accounted for more than half of forum adverts, and around 25% of advertisements were offering compromised Citrix/VPN appliances. Remote access solutions were extensively implemented by organizations to support a remote workforce during the COVID-19 pandemic, but the rush to deploy meant basic security features were not implemented, and vulnerabilities have been extensively exploited.

Ransomware gangs are increasingly using living-of-the-land (LOTL) techniques in their attacks, utilizing legitimate tools that are already available in the environments of large organizations during ransomware attacks such as CMD.exe, PowerShell, Task Scheduler, MSHTA, and Sysinternals. The use of these tools makes the malicious activities of the gangs harder to detect.

Tactics include the use of remote access tools such as AnyDesk, Windows Safe Mode, Atera, ScreenConnect, ManageEngine, encryption tools such as BitLocker and DiskCryptor, file transfer tools including FileZilla FTP, Microsoft Sysinternals tools such as PsExec, Procdump, and Dumpert, and open-source tools such as Cobalt Strike, Mimikatz, AdFind, Process Hacker, and MegaSync.

While the malicious use of these tools is difficult to detect by security teams, there are detection opportunities. HC3 recommends using a behavior-based approach to detection, such as a Security Information and Event Management (SIEM) tool, which can detect malicious use of LOTL tools which signature-based detection tools cannot.

The HC3 Ransomware Trends in the HPH Sector Report provides detailed information on the TTPs employed by each ransomware operation, including the most commonly abused LOTL tools, relevant ATT&CK techniques, and a long list of mitigations that can be implemented to prevent, detect, respond to, and recover from ransomware attacks.

The post HC3 Highlights Trends in Ransomware Attacks on the HPH Sector appeared first on HIPAA Journal.

NIST Published Updated Cybersecurity Supply Chain Risk Management Guidance

Posted by HIPAA Journal

On Thursday, the National Institute of Standards and Technology (NIST) published updated cybersecurity supply chain risk management (C-SCRM) guidance to help organizations develop an effective program for identifying, assessing, and responding to cybersecurity risks throughout the supply chain.

Cyber threat actors are increasingly targeting the supply chain. A successful attack on a single supplier can allow the threat actor to compromise the networks of all companies that use the product or service, as was the case with the REvil ransomware attack on Kaseya in 2021. The threat actors exploited a vulnerability in Kaseya VSA software and the attack affected up to 1,500 businesses.

The publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), is the result of a multiyear process that included the release of two draft versions of the guidance. The updated guidance can be used to identify, assess, and respond to cybersecurity risks throughout the supply chain at all levels of an organization.

While organizations should consider vulnerabilities in the finished product they are considering using, the guidance also encourages them to consider the security of components of the project, which may include open source code or components developed by third parties. A product or device may have been designed in one country, manufactured in another, and incorporate components from many other countries, which in turn may have been assembled from parts provided by disparate manufacturers. Malicious code may have been incorporated into components, and vulnerabilities may have been introduced that could be exploited by cyber threat actors. The guidance encourages organizations to consider the journey that each of the components took to reach their destination.

The guidance is aimed at acquirers and end users of products, software, and services. Since the guidance is intended to be used by a wide audience, user profiles are included that explain which sections of the guidance are most relevant for each group. “The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach, including guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services,” explained NIST.

The guidance can be used to build cybersecurity supply chain risk considerations and requirements into acquisition processes and create a program for continuously monitoring and managing supply chain risks.

“Managing the cybersecurity of the supply chain is a need that is here to stay,” said NIST’s Jon Boyens, one of the authors of the publication. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”

The post NIST Published Updated Cybersecurity Supply Chain Risk Management Guidance appeared first on HIPAA Journal.

Operational Continuity-Cyber Incident Checklist Published by HSCC

Posted by HIPAA Journal

The Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) has published an Operational Continuity-Cyber Incident (OCCI) checklist which serves as a flexible template for responding to and recovering from serious cyberattacks that cause extended system outages, such as ransomware attacks.

Ransomware attacks on healthcare organizations increased significantly during the pandemic and continue to be conducted at elevated levels. Ransomware threat actors steal sensitive data that has a high value on the black market, threaten to publish that data to pressure visitors into paying, and the extended system outages due to the attacks can cause considerable financial losses, increasing the probability of the ransom being paid. Warnings have recently been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) about ransomware groups that are actively targeting critical infrastructure, including healthcare organizations.

In addition to cybercriminal groups, hospitals are a target for nation-state threat actors. The Five Eyes cybersecurity agencies recently warned that there is an elevated threat of cyberattacks on critical infrastructure in retaliation to the sanctions imposed on Russia by the United States. There is also a risk that healthcare organizations may fall victim to cyber incidents that have been directed at organizations in Ukraine, as was the case with the NotPetya wiper malware attacks in 2017. The development and release of the checklist were accelerated in light of the rising geopolitical tensions from the Ukraine-Russia conflict, and the increased threat to healthcare organizations in the United States.

Due to the high risk of attacks, healthcare organizations need to prepare for attacks and ensure that the business can continue to operate should it not be possible to immediately restore access to critical systems. Having an incident response plan that can be immediately implemented will help to minimize the damage caused and the impact on patients and medical services.

The OCCI toolkit includes a checklist of the steps that should be taken during the first 12 hours after a security incident occurs and outlines actions and considerations for the duration of cybersecurity incidents. The checklist is broken down into role-based modules that align with the Incident Command System but can be refined or modified to match the size, resources, complexity, and capabilities of different organizations, from small physician practices up to large hospitals and health systems.

An incident commander should be appointed to provide overall strategic direction on all response actions and activities, a medical-technical specialist should advise the Incident Commander on issues related to the response, and a public information officer is required to communicate with internal and external stakeholders, site personnel, patients and their families, and the media. The checklist also provides a list of steps that need to be completed by the safety officer and section chiefs. For smaller organizations, those roles may need to be combined to suit their organizational structures.

The checklist was created from input provided by leading health sector cybersecurity and emergency management executives that participate in the HSCC Incident Response/Business Continuity (IRBC) Task Group.

The post Operational Continuity-Cyber Incident Checklist Published by HSCC appeared first on HIPAA Journal.

Webinar: 6 Secret Ingredients to HIPAA Compliance

Posted by HIPAA Journal

 

Free Webinar Recording

6 Secret Ingredients to HIPAA Compliance

Immediate and Direct Access on HIPAAJournal.com

[contact-form-7]

 

This Compliancy Group webinar provides:

Step-by-step “how-to-guides” for HIPAA compliance

Ingredients for a well-run compliance program

Proper time and instruction for each piece

The complexities of the regulation

And much more ….

 

The post Webinar: 6 Secret Ingredients to HIPAA Compliance appeared first on HIPAA Journal.

15 Most Exploited Vulnerabilities in 2021

Posted by HIPAA Journal

The Five Eyes security agencies, an alliance of intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States, have issued a joint advisory about the 15 vulnerabilities in software and operating systems that were most commonly targeted by nation-state hackers and cybercriminal organizations in 2021.

Throughout 2021, malicious cyber actors targeted newly disclosed critical software vulnerabilities in attacks against a wide range of industry sectors, including public and private sector organizations. 11 of the most routinely targeted vulnerabilities were publicly disclosed in 2021, although older vulnerabilities continue to be exploited. The 15 most exploited vulnerabilities include 9 that allow remote code execution, 2 elevation of privilege flaws, and security bypass, path traversal, arbitrary file reading, and arbitrary code execution flaws.

Top of the list was the maximum severity Log4Shell vulnerability in the Apache Log4j open source logging framework. The vulnerability – CVE-2021-44228 – can be remotely exploited by a threat actor allowing the execution of arbitrary code, which would give the attacker full control of a vulnerable system. The vulnerability was only disclosed publicly in December 2021, yet still ranked first as the most commonly exploited vulnerability, demonstrating how hackers can quickly weaponize and exploit vulnerabilities before organizations can patch. The flaw was rated one of the most serious vulnerabilities to be discovered in the past decade.

CVE Vulnerability Name Vendor and Product Type
CVE-2021-44228 Log4Shell Apache Log4j Remote code execution (RCE)
CVE-2021-40539 Zoho ManageEngine AD SelfService Plus RCE
CVE-2021-34523 ProxyShell Microsoft Exchange Server Elevation of privilege
CVE-2021-34473 ProxyShell Microsoft Exchange Server RCE
CVE-2021-31207 ProxyShell Microsoft Exchange Server Security feature bypass
CVE-2021-27065 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26858 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26857 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26855 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26084 Atlassian Confluence Server and Data Center Arbitrary code execution
CVE-2021-21972 VMware vSphere Client RCE
CVE-2020-1472 ZeroLogon Microsoft Netlogon Remote Protocol (MS-NRPC) Elevation of privilege
CVE-2020-0688 Microsoft Exchange Server RCE
CVE-2019-11510 Pulse Secure Pulse Connect Secure Arbitrary file reading
CVE-2018-13379 Fortinet FortiOS and FortiProxy Path traversal

The remote code execution vulnerability in Zoho ManageEngine AD SelfService Plus – CVE-2021-40539 – has a 9.8 CVSS severity rating and was the second most exploited vulnerability, with attacks exploiting the vulnerability continuing in 2022. The flaw can be exploited remotely and allows web shells to be implanted in a network, allowing the attacker to compromise credentials, move laterally, and exfiltrate sensitive data.

The ProxyLogon flaws in Microsoft Exchange email servers were also extensively exploited. These flaws – CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 – allow remote attackers to execute arbitrary code on vulnerable exchange servers to gain access to files and mailboxes on the servers, along with any credentials stored on the servers.

Three ProxyShell vulnerabilities made the top 15 list. These vulnerabilities – CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 – can be exploited on Microsoft Exchange email servers that have the Microsoft Client Access Service (CAS) exposed to the Internet. This is a common configuration that allows users to access their emails on their mobile devices and via web browsers. The flaws can be exploited to remotely execute arbitrary code on vulnerable servers.

In many cases, vulnerabilities were exploited within two weeks of the vulnerabilities being publicly disclosed, most commonly as a result of security researchers publishing proof-of-concept exploits, which helped a much broader range of threat actors quickly exploit the vulnerabilities before organizations had the time to patch.

A further 21 vulnerabilities are listed that are also routinely exploited, including many from 2021 and some dating back to 2017.  Patching these vulnerabilities promptly will ensure they cannot be exploited. The Five Eyes agencies have also included a list of mitigations that make it harder for threat actors to exploit these and other vulnerabilities.

The post 15 Most Exploited Vulnerabilities in 2021 appeared first on HIPAA Journal.

HHS Warns HPH Sector About Insider Threats in Healthcare

Posted by HIPAA Journal

Healthcare data breaches are occurring in record numbers, but not all privacy and security threats come from outside the organization. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HCC) has recently issued a warning about the threat from within.

Insider Threats in Healthcare

Nation-state hacking groups, cybercriminal gangs, and lone hackers have long targeted the healthcare industry, but there is also a significant threat of data breaches due to insiders. Insider threats are those involving individuals within a healthcare organization, such as employees, but also contractors and business associates that have been provided with access to healthcare assets and systems. These individuals may be aware of the security practices employed by the organization and have awareness of the network, computer systems, and the location of sensitive data. Oftentimes they will have been provided with access to sensitive data to complete their work or contracted duties.

According to the Verizon 2021 Data Breach Report, there was a decline in external threats between 2017 and 2020 and a corresponding rise in internal threats. Insider threats include healthcare employees who abuse their access rights to steal patient data to commit identity theft and financial fraud, inside agents that steal sensitive data and provide that information to third parties, and disgruntled employees that wish to cause harm to their employers.

Data breaches involving these kinds of insider threats are often covered by the media and healthcare organizations often commit significant resources to protect against and identify these threats. Monitoring systems are employed to monitor for unauthorized accessing of healthcare records to identify employees who have been snooping on patient records or stealing sensitive data; however, the Ponemon Institute’s 2020 Insider Threats Report suggests these incidents only account for a relatively small percentage of insider threat incidents – around 14%.

Other insider threats include negligent and careless workers that act inappropriately and individuals that accidentally put IT systems and data at risk without their knowledge. The Ponemon Institute’s report suggests 61% of insider threat incidents are due to negligent insiders, with credential theft due to negligent insiders accounting for 25% of insider threat incidents.

Negligent insider incidents can be caused by employees not being aware of security policies, which is often a training issue. Employees should be made aware of the organization’s security policies during the onboarding process and should be periodically reminded about those policies thereafter as part of regular security awareness training.

Insider threats often involve data theft, fraud, or system sabotage, all of which can cause harm to the organization and patients/plan members. The Ponemon Institute’s study suggests global organizations lose $11.45 million annually as a result of insider threats.

Insider Threat Prevention, Detection, and Response

“Deterrence, detection analysis, and post-breach forensics are key areas of insider threat prevention,” suggests HC3, which also recommends revising and updating cybersecurity policies and guidelines, limiting privileged access and establishing role-based access control, implementing zero-trust and MFA models, backing up data and deploying data loss prevention tools, and managing USB devices across the corporate network.

Detecting threats requires constant monitoring of user activity and regular audits of access and activity logs. A security information and event management (SIEM) system should be considered to help with the logging, monitoring, and auditing of employee actions.

Insider threat awareness should form a part of security awareness training, which should be provided to employees during onboarding, with refresher training provided periodically thereafter. Employees should only be given access to the resources they need to complete their work duties, and strict password and access management policies and practices should be implemented. A formal insider threat mitigation program should also be developed along with an incident response plan to ensure prompt and effective actions can be taken when insider threats are identified.

You can view the HC3 Insider Threats in Healthcare Report here (PDF).

The post HHS Warns HPH Sector About Insider Threats in Healthcare appeared first on HIPAA Journal.