Latest HIPAA News

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised.

Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering.

The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a recent study commissioned by New Zealand-based Mobile Mentor and conducted by the Austin, TX-based Center for Generational Kinetics. The aim of the study was to explore the Endpoint Ecosystem to understand how employees perceive privacy, productivity, and personal well-being in the modern workplace. The Endpoint Ecosystem is the combination of all devices, applications, and tools that are used by employees coupled with the experiences of employees using technologies.

The survey was conducted on 1,500 employees in highly regulated industries such as government, healthcare, education, and finance in the United States and Australia, and the findings are detailed in the Mobile Mentor report, The Endpoint Ecosystem – 2022 National Study.

Employees are Taking Security Risks

The survey confirmed what other studies have found – The pandemic has led to the workforce becoming much more distributed and employers have had difficulty adapting to this new way of working and ensuring security policies are implemented and enforced that are well suited to the change in how employees are working.

One of the major findings was a lack of awareness about security policies and a failure of employers to provide security awareness training to the workforce. 27% of employees said they saw security policies less than once a year and 39% said they receive security awareness training less than once a year. Healthcare and education employees were the least likely to see security policies and employees often felt they were not adequately trained to protect company data.

41% of respondents said security policies implemented by their employers restricted the way they work, and 36% of employees said they had found a way to work around security policies. The use of shadow IT – applications and services that have not been authorized by the IT department – was found to be out of control. Workers are routinely using unregulated apps and services for work activities, which can involve regulated data.  Employees commonly used services such as Gmail and Dropbox because they believe it makes them more efficient, even though the use of those services has an impact on security.

Interestingly, while remote working is viewed as a security risk, remote workers appeared to be much more tech-savvy, were more aware of security and privacy policies, and were more careful with their passwords. That said, workers are allowing family members to use their work devices – 46% of younger workers said other family members use their work devices.

The lines are getting blurred between device use for personal and work purposes. Overall, 64% of respondents said they use personal devices for work, but only 31% had a secure BYOD program.  57% of younger workers said they use work devices for personal use and 71% said they used personal devices for work. Many employers are failing to address the security risks associated with the use of personal devices for work purposes and work devices for personal use.

Poor Password Hygiene is a Major Security Risk

One of the main security risks identified in the study related to passwords. Poor password hygiene is a major security risk. 80% of cyberattacks start with a compromised password. One of the findings, mirrored by a recent IDC survey, is employees have too many passwords to remember. While password policies may be in place – and enforced – they are often circumvented. 69% of respondents said they choose passwords that are easy to remember, 29% of employees said they write down their passwords in a personal journal, and 24% said they store work passwords on their phones. While many of the security problems associated with passwords can be solved by using a password manager, only 31% of respondents used one.

The survey revealed employees are much more concerned about personal privacy than security, with healthcare employees the most concerned about protecting personal privacy. Mobile Mentor suggests that healthcare employers looking to improve security need to teach employees that privacy and security are two sides of the same coin.

“When the endpoint ecosystem works well, you have a secure, productive, and happy workforce. It’s always been important, but it became urgent over the last two years when the pandemic forced more people to work remotely, cybersecurity attacks increased, and the Great Resignation forced employers to rethink how they support their employees,” said Denis O’Shea, founder of Mobile Mentor. “Until employers prioritize the importance of each component within the Endpoint Ecosystem, their company security and employee productivity are going to be exposed to serious risk.”

The post Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk appeared first on HIPAA Journal.

HHS Warns of Potential Threats to the Healthcare Sector

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the U.S. health sector about potential cyber threats that could spill over from the conflict and affect U.S. healthcare organizations.

HC3 said the HHS is unaware of any specific threats to the Health and Public Health (HPH) Sector; however, it is clear that allies on both sides of the conflict have cyber capabilities and there are fears that there could be cyberattacks on the HPH sector as a consequence of the conflict.

HC3 has warned that threats could come from three areas: Threat actors linked to the Russian government, threat actors linked to the Belarussian government, and cybercriminal groups operating out of Russia and its neighboring states. There is also potential for other cybercriminal groups to either get involved in the conflict or take advantage of the conflict to conduct unrelated cyberattacks.

“Russia has for several decades been one of the most capable cyber powers in the world. Going back to the Moonlight Maze attacks against the US Department of Defense in the 1990s, Russian state-sponsored actors have been believed to be behind some of the most sophisticated cyberattacks publicly disclosed. Specifically, they are known to target adversarial critical infrastructure in furtherance of their geopolitical goals,” warns HC3.

There are also highly capable cyber criminal organizations that operate out of Russia or have voiced their support for Russia, including the operators of Conti Ransomware. The Conti ransomware gang, which is widely believed to have also operated Ryuk ransomware, has extensively targeted the healthcare sector in the United States. The Conti ransomware gang engages in big game hunting, multi-stage attacks, and targets managed service providers and their downstream clients. The Conti ransomware gang engages in double and triple extortion, exfiltrating data prior to encryption and then threatening to publish the data and notify partners and shareholders if payment is not made.

HC3 believes that the Conti ransomware gang and/or other cybercriminal groups could either join in the conflict or take advantage of the conflict for financial gain. The threat group known as UNC1151 is believed to be part of the Belarussian military and has reportedly been conducting phishing campaigns targeting Ukrainian soldiers in January, and the Whispergate Wiper was used in cyberattacks in Ukraine, which have been linked to Belarus.

Whispergate is one of three wiper malware variants that have recently been identified. These wiper malware variants use ransomware as a decoy and drop ransom notes that claim files have been encrypted; however, the master boot record is corrupted rather than encrypted and there is no mechanism for recovery.

Another wiper dubbed HermeticWiper has been used in attacks in Ukraine since February 24, 2022, of which several variants have so far been identified. ESET has recently identified another wiper which the firm dubbed IsaacWiper, that it is currently analyzing.

While attacks involving these malware variants are currently concentrated in Ukraine, in 2017, NotPetya wiper malware was used in targeted attacks in Ukraine and was delivered through compromised tax software, but attacks involving the malware spread globally and affected multiple healthcare organizations in the United States.

All organizations in the HPH sector are strongly advised to adopt a heightened state of vigilance, take steps to improve their defenses, and review CISA guidance on mitigations and improving resilience to cyberattacks.

The post HHS Warns of Potential Threats to the Healthcare Sector appeared first on HIPAA Journal.

OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture

In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry.

2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached.

The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled.

Pino also drew attention to the critical vulnerability identified in the Java-based logging utility Log4J, which has been incorporated into many healthcare applications. The vulnerability was discovered in December 2021 and cybercriminals and other threat groups were quick to exploit it to gain access to servers and networks for a range of malicious purposes.

The vulnerabilities and data breaches show how important it is for healthcare organizations to be vigilant to threats and take prompt action when new risks to the confidentiality, integrity, and availability of protected health information are identified. “With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022,” said Pino.

Pino said OCR investigations and audits have uncovered many cases of noncompliance with the risk analysis and risk management requirements of the HIPAA Rules. “All too often, we see that risk analyses only cover the electronic health record.  I cannot underscore enough the importance of enterprise-wide risk analysis.  Risk management strategies need to be comprehensive in scope,” explained Pino. “You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”

OCR’s investigations of data breaches in 2020 showed multiple areas where HIPAA-regulated entities need to take steps to improve compliance with the standards of the HIPAA Security Rule, especially in the following areas:

  • Risk analysis
  • Risk management
  • Information system activity review
  • Audit controls
  • Security awareness and training
  • Authentication

Pino made several recommendations, including reviewing risk management policies and procedures, ensuring data are regularly backed up (and testing backups to ensure data recovery is possible), conducting regular vulnerability scans, patching and updating software and operating systems promptly, training the workforce how to recognize phishing scams and other common attacks, and practicing good cyber hygiene.

“We owe it to our patients, and industry, to improve our cybersecurity posture in 2022 so that health information is private and secure”, concluded Pino, who also drew attention to resources that have been made available by CISA and the Office for Civil Rights to help protect against common threats to ePHI.

The post OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture appeared first on HIPAA Journal.

Webinar Today: How to Become HIPAA Compliant

Healthcare organizations and their business associates need to be HIPAA compliant, but complying with the HIPAA Rules can be a daunting task and many new businesses don’t know where to start.

To help HIPAA-regulated entities get on the right track, Compliancy Group is hosting a webinar this month and will explain the ins and outs of what is needed for your compliance program.

In the webinar, you will learn:

  • How HIPAA satisfies your patients/clients
  • The 7 fundamental elements of an effective compliance program
  • The benefits of being HIPAA compliant
  • How to protect your business from breaches and fines
  • And many more tips and tricks!

Join Compliance Group to learn how your organization can become compliant and how to start leveraging the full benefits of HIPAA.

Webinar: How to Become HIPAA Compliant

Wednesday, March 23rd, 2022 @ 11:00 a.m. PT ¦ 2:00 p.m. ET

Host: Compliancy Group

[contact-form-7]

The post Webinar Today: How to Become HIPAA Compliant appeared first on HIPAA Journal.

NIST Requests Comments on How to Improve its Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is seeking feedback on the usefulness of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and suggestions on any improvements that can be made.

The NIST Cybersecurity Framework was released in 2014 to help public and private sector organizations implement cybersecurity standards and best practices to improve their cybersecurity posture, better defend against cyber threats, and quickly identify and respond to cyberattacks in progress to limit the harm that can be caused. The NIST Cybersecurity Framework is considered the gold standard for cyber threat management; however, that does not mean improvements could not be made.

The last update to the Cybersecurity Framework occurred in April 2018 and the past four years have seen considerable changes to the cybersecurity threat landscape. New threats have emerged, the tactics, techniques, and procedures used by cyber threat actors have changed, there are new technologies and security capabilities, and more resources are available to help with the management of cybersecurity risk. NIST is not considering updating its Framework again to take these factors into account.

The NIST Cybersecurity Framework has been adopted by many healthcare organizations to improve cybersecurity, but some healthcare organizations have faced challenges implementing the Framework and currently fewer than half of healthcare organizations are adhering to NIST standards. NIST wants to learn about the challenges organizations have faced implementing the Framework and the commonalities and conflicts with other non-NIST frameworks and approaches that are used in conjunction with the NIST Cybersecurity Framework. There may be ways of improving alignment or integration of those approaches with the NIST Cybersecurity Framework. NIST wants suggestions on changes that could be made to the features of the Framework, features that should be added or removed, and any other ways that NIST could improve the Framework to make it more useful.

In addition to feedback on the Cybersecurity Framework, NIST has requested comments on possible improvements to other NIST guidance and standards, including its guidance on improving supply chain cybersecurity. NIST recently announced that it would launch the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to address cybersecurity risks in supply chains. NIST has requested comments on challenges related to the cybersecurity aspects of supply chain risk management that could be addressed by the NIICS, and whether there are currently gaps in existing cybersecurity supply chain risk management guidance and resources, including the application of those resources to information and communications technology, operational technology, IoT, and industrial IoT.

NIST has requested all comments be submitted by April 25, 2022.

The post NIST Requests Comments on How to Improve its Cybersecurity Framework appeared first on HIPAA Journal.

NCCoE Releases Final Version of NIST Securing Telehealth Remote Patient Monitoring Ecosystem Guidance

The National Cybersecurity Center of Excellence (NCCoE) has published the final version of NIST guidance on Securing Telehealth Remote Patient Monitoring Ecosystem (SP 1800-30).

Healthcare delivery organizations have been increasingly adopting telehealth and remote patient monitoring (RPM) systems to improve the care they provide to patients while reducing costs. Patient monitoring systems have traditionally only been used in healthcare facilities but there are advantages to using these solutions in patients’ homes. Many patients prefer to receive care at home, the cost of receiving that care is reduced, and healthcare delivery organizations benefit from freeing up bed space and being able to treat more patients.

While there are advantages to be gained from the provision of virtual care and the remote monitoring of patients in their homes, telehealth and RPM systems can introduce vulnerabilities that could put sensitive patient data at risk and if RPM systems are not adequately protected, they could be vulnerable to cyberattacks that could disrupt patient monitoring services.

Special Publication 1800-30 was developed by NCCoE in collaboration with healthcare, technology, and telehealth partners to form a reference architecture that demonstrates how a standard-based approach can be adopted along with commercially available cybersecurity tools to improve privacy and security for the telehealth and RCM ecosystem.

The project team at NCCoE performed a risk assessment based on the NIST Risk Management Framework on a representative RPM ecosystem in a laboratory environment. The NIST Cybersecurity Framework was applied along with guidance based on medical device standards, and the team demonstrated how healthcare delivery organizations can implement a solution to enhance privacy and better secure their telehealth RPM ecosystem.

SP 1800-30 explains how healthcare delivery organizations can identify cybersecurity risks associated with telehealth and RPM solutions, use the NIST Privacy Framework to broaden their understanding of privacy risks, and apply cybersecurity and privacy controls. How-To guides are provided that include detailed instructions for installing and configuring the products used to build NCCoE’s example solution. NCCoE used solutions from AccuHealth and Vivify, but the principles can be applied to other solutions.

The final guidance and How-To guides can be downloaded from NCCoE here.

Image Source: J. Stoughton/NIST

The post NCCoE Releases Final Version of NIST Securing Telehealth Remote Patient Monitoring Ecosystem Guidance appeared first on HIPAA Journal.

January 2022 Healthcare Data Breach Report

50 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR) in January 2022. January was the second successive month where the number of reported data breaches fell, although 38.9% more breaches were reported last month than in January 2020.

Healthcare data breaches over the past 12 months to January 2022

The protected health information of 2,304,607 individuals was exposed or impermissibly disclosed across those 50 breaches – 22% fewer records than December 2021, and well below the 12-month average of 3.51 million records a month. 726 data breaches of 500 or more records were reported to OCR in the 12 months from February 2021 to January 2022, and 42,175,121 records were breached across those 726 incidents.

Healthcare records breached in the past 12 months to January 2022

 

Largest Healthcare Data Breaches in January 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in January 2022, including one major data breach that affected more than 1.35 million Broward Health patients.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Breach Cause
North Broward Hospital District d/b/a Broward Health FL Healthcare Provider 1,351,431 Hacking/IT Incident Network Server Unspecified hacking and data theft incident
Medical Review Institute of America UT Business Associate 134,571 Hacking/IT Incident Network Server Ransomware attack
Medical Healthcare Solutions, Inc. MA Business Associate 133,997 Hacking/IT Incident Network Server Ransomware attack
Ravkoo FL Healthcare Provider 105,000 Hacking/IT Incident Other Cyberattack on cloud prescription portal
TTEC Healthcare Solutions CO Business Associate 86,305 Hacking/IT Incident Network Server Ransomware attack
Advocates, Inc. MA Healthcare Provider 68,236 Hacking/IT Incident Network Server Unspecified hacking and data theft incident
iRise Florida Spine and Joint Institute, LLC FL Healthcare Provider 61,595 Hacking/IT Incident Email Email accounts accessed by unauthorized individuals
Suncoast Skin Solutions FL Healthcare Provider 57,730 Hacking/IT Incident Network Server Ransomware attack
Hospital Authority of Valdosta and Lowndes County Georgia GA Healthcare Provider 41,692 Unauthorized Access/Disclosure Desktop Computer Unauthorized access and PHI theft by former employee
Family Christian Health Center IL Healthcare Provider 31,000 Hacking/IT Incident Network Server Ransomware attack
Lakeshore Bone & Joint Institute, PC IN Healthcare Provider 23,627 Hacking/IT Incident Email Email account accessed by unauthorized individual
South City Hospital MO Healthcare Provider 21,601 Theft Network Server, Other Burglary
Pace Center for Girls FL Healthcare Provider 18,300 Unauthorized Access/Disclosure Network Server Unspecified hacking and data theft incident
County of Kings, a political subdivision of the State of California CA Healthcare Provider 16,590 Hacking/IT Incident Network Server Misconfigured web server
Philadelphia FIGHT Community Health Centers PA Healthcare Provider 15,000 Hacking/IT Incident Network Server Unspecified hacking incident
Catholic Hospice, Inc. FL Healthcare Provider 14,986 Hacking/IT Incident Email Email accounts accessed by unauthorized individuals
Houston Area Community Services, Inc. d/b/a Avenue 360 Health and Wellness TX Healthcare Provider 12,186 Hacking/IT Incident Email Email accounts accessed by unauthorized individuals
Spencer Gifts LLC Health and Welfare Benefit Plan NJ Health Plan 10,023 Hacking/IT Incident Network Server Unspecified hacking and data theft incident

Causes of January 2022 Healthcare Data Breaches

Hacking incidents continue to dominate the breach reports and accounted for 76% of the month’s data breaches and 95.57% of the month’s breached records. The average breach size was 57,962 records and the median breach size was 6,174 records. The largest healthcare data breach of the month resulted in the theft of the protected health information of more than 1.35 million patients of Broward Health in Florida. A hacker gained access to the Broward Health network via a third-party medical provider that had been given access rights to Broward Health’s systems.

Causes of January 2022 Healthcare Data Breaches

Ransomware is still being extensively used in cyberattacks on healthcare organizations. 5 of the month’s top 10 data breaches were reported as ransomware attacks, with several others likely to have involved ransomware. Ransomware attacks have become highly sophisticated, with the attackers using a variety of methods to gain access to healthcare networks. CISA, the FBI, and the NSA recently issued a joint threat brief warning about the increased risk of ransomware attacks on critical infrastructure firms and provided mitigations that can be implemented to improve resilience to ransomware attacks.

Phishing attacks are also common. 12 of the month’s data breaches involved compromised email accounts. Combatting phishing attacks requires a combination of email security solutions and end user training. While HIPAA does not specify anti-phishing training for employees, HIPAA-regulated entities should go beyond the requirements of HIPAA and ensure the workforce receives regular security awareness training, including instruction on how to identify phishing emails. When combined with phishing simulation exercises, susceptibility to phishing attacks can be significantly reduced.

There were 11 unauthorized access/disclosure incidents reported to OCR in January, across which the protected health information of 80,456 individuals was impermissibly accessed or disclosed. One of the incidents reported in January involved the theft of the protected health information of 41,692 patients by a former employee. That individual was arrested and charged in connection to the incident. The average size of these breaches was 7,314 records, and the median breach size was 1,125 records. There was also one theft incident reported – a burglary – involving the theft of a network server that contained the protected health information of 21,601 patients.

January 2022 healthcare data breaches - location of breached PHI

Data Breaches by HIPAA-Regulated Entity Type

Data breaches were reported by 31 healthcare providers, 6 health plans, and 13 business associates in January; however, a further 5 breaches occurred at business associates but were reported by the HIPAA-covered entity. The pie chart below shows the adjusted figures for where the data breach occurred.

January 2022 healthcare data breaches by HIPAA-regulated entity type

Healthcare Data Breaches by State

Healthcare data breaches were reported by HIPAA-regulated entities in 22 states, with Florida the worst affected with 7 data breaches.

State Number of Reported Data Breaches
Florida 7
Pennsylvania 6
California 4
Illinois, Massachusetts, New Jersey & New York 3
Colorado, Georgia, Ohio, Tennessee, Texas, & Utah 2
Arkansas, Connecticut, Idaho, Indiana, Minnesota, Missouri, Oklahoma, South Carolina, & Wisconsin 1

HIPAA Enforcement in January 2022

There were no HIPAA enforcement actions announced by the HHS’ Office for Civil Rights or state attorneys general in January 2022.

The post January 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Bipartisan Legislation Introduced to Modernize Health Data Privacy Laws

Healthcare privacy laws in the United States are due an update to bring them into the modern age to ensure individually identifiable health information is protected no matter how it is collected and shared. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is now more than 2 decades old, and while the Department of Health and Human Services (HHS) has proposed updates to the HIPAA Privacy Rule that are due to be finalized this year, even if the proposed HIPAA Privacy Rule changes are signed into law, there will still be regulatory gaps that place health data at risk.

The use of technology for healthcare and health information has grown in a way that could not be envisaged when the Privacy Rule was signed into law. Health information is now being collected by health apps and other technologies, and individuals’ sensitive health information is being shared with and sold by technology companies. The HIPAA Privacy and Security Rules introduced requirements to ensure the privacy and security of health data, but HIPAA only applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and their business associates. Some of the emerging technologies now being used to record, store, and transmit health data are not covered by HIPAA and its protections and safeguards do not apply. Further, the proposed updates to the HIPAA Privacy Rule will make it easier for individuals to access their health data and direct covered entities to send that information to unregulated personal health applications.

New bipartisan legislation has now been introduced that aims to start the process of identifying and closing the current privacy gaps associated with emerging technologies to ensure health data are better protected, including health data that are not currently protected by HIPAA. The Health Data Use and Privacy Commission Act was introduced by Sens. Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) and aims to set up a new commission that will be tasked with analyzing current federal and state laws covering health data privacy and make recommendations for improvements to cover the current technology landscape.

“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” said Dr. Cassidy. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”

The Comptroller General is tasked with appointing committee members who will be required to submit their report, conclusions, and recommendations to Congress and the President within 6 months. The commission will be required to assess current privacy laws and determine their effectiveness and limitations, any potential threats to individual health privacy and legitimate business and policy interests, and the purposes for which the sharing of health data is appropriate and beneficial to consumers.

The commission is required to report on whether further federal legislation is necessary and, if current privacy laws need to be updated, provide suggestions on the best ways to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy. Those recommendations could involve updates to HIPAA to cover a broader range of entities or new state or federal legislation covering health data. If updates are recommended, the commission will be required to provide details of the likely costs, burdens, and potential unintended consequences, and whether there is a threat to health outcomes if privacy rules are too stringent.

“I am excited to introduce the bipartisan Health Data Use and Privacy Commission Act to help inform how we can modernize health care privacy laws and regulations to give Americans peace of mind that their personal health information is safe, while ensuring that we have the tools we need to advance high-quality care.”

The Health Data Use and Privacy Commission Act has attracted support from a dozen medical associations and technology vendors, including the Federation of American Hospitals, College of Cardiology, National Multiple Sclerosis Society, Association of Clinical Research Organizations, Epic Systems, and IBM.

The post Bipartisan Legislation Introduced to Modernize Health Data Privacy Laws appeared first on HIPAA Journal.

CISA, FBI, NSA Warn of Increased Threat of Ransomware Attacks on Critical Infrastructure

A joint security advisory has been issued by cybersecurity agencies in the United States, United Kingdom, and Australia, warning about the increased globalized threat of ransomware attacks and the elevated risk of targeted attacks on critical infrastructure entities.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed high-impact ransomware attacks against 14 of the 16 critical infrastructure sectors in 2021, including government facilities, financial services, transportation systems, water and wastewater systems, energy, and healthcare and public health.

The UK’s National Cyber Security Centre (NCSC-UK) says ransomware is now the biggest cyber threat faced by the country, with education the most targeted sector. There has also been an increase in attacks on businesses, charities, law firms, local government public services, and the healthcare sector. The Australian Cyber Security Centre (ACSC) says ransomware gangs are targeting critical infrastructure sectors including healthcare and medical, financial services and markets, higher education and research, and energy.

In the cybersecurity advisory, the CISA, the FBI, and the NSA share information about ransomware trends observed in 2021 ransomware attacks and the tactics, techniques, and procedures known to be used by ransomware gangs to gain access to networks, move laterally, and increase the impact of their attacks and suggest mitigations that can reduce the likelihood of a ransomware attack succeeding and the impact of a successful attack.

2021 Ransomware Attack Trends

In the United States, the first half of 2021 saw ransomware gangs target ‘big game’ targets such as Colonial Pipeline, Kaseya, JBS Foods; however, the increased scrutiny on ransomware gangs following these attacks saw them shift their focus to mid-sized targets; however, big game targeting continued throughout 2021 in the United States and Australia.

In Europe, ransomware gangs have been sharing victim information with other ransomware operations and cybercriminal groups. The BlackMatter ransomware operation shutdown and transferred existing victims to the LockBit 2.0 infrastructure and the Conti ransomware gang is known to have sold access to victims’ networks to other cybercriminal groups.

While double extortion tactics have become the norm, 2021 saw an increase in tripe extortion attacks where, in addition to encryption, files are exfiltrated and a demand is issued for payment to prevent the publication of the stolen data, Internet access is disrupted, and threats are issued to inform partners, shareholders, and suppliers about the attack.

Methods Used to Gain Access to Victims’ Networks

CISA, the FBI, and the NSA say ransomware gangs have increasingly sophisticated technological infrastructure and the ransomware threat is increasing globally. Ransomware gangs are using many methods to gain access networks, which makes implementing defensive measures to block the attacks a major challenge.

Initial access to networks is gained through phishing attacks to obtain credentials, using stolen Remote Desktop Protocol (RDP) credentials, brute force tactics to guess weak credentials and the exploitation of known vulnerabilities that have yet to be patched. CISA has identified several new vulnerabilities that are being actively targeted by ransomware gangs which have been added to its Known Exploited Vulnerabilities Catalog, which now includes 368 vulnerabilities. These attack vectors have proven successful due to the increased attack surface due to remote working and schooling as a result of the pandemic, which has made it difficult for IT security teams to patch vulnerabilities and address security weaknesses while supporting their remote workers and learners.

Ransomware gangs are now operating more like professional businesses and are increasingly outsourcing certain functions to specialist cybercriminal groups, who assist with payments, negotiations, arbitration, and provide 24/7 help centers for victims.

Increasing the Impact of Ransomware Attacks

2021 has seen an increase in the severity of ransomware attacks. The attacks are conducted to cause as much disruption as possible to increase the likelihood of the ransom being paid. Ransomware gangs are targeting cloud infrastructures and are exploiting known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software. There has been an increase in attacks on managed service providers and their downstream clients, and industrial processes and the software supply chain are being targeted. Attacks are often conducted at the weekend or during holidays when there are likely to be fewer network defenders and support personnel on hand to identify and respond to attacks.

Defending Against Ransomware Attacks

The security advisory details a long list of mitigations to reduce the likelihood of a successful attack and the severity of an attack should perimeter defenses be breached, including limiting the ability of threat actors to learn about an organization’s IT environment and move laterally.

You can view the list of recommended mitigations here.

The post CISA, FBI, NSA Warn of Increased Threat of Ransomware Attacks on Critical Infrastructure appeared first on HIPAA Journal.