Latest HIPAA News

CISA, FBI, NSA Warn of Increased Threat of Ransomware Attacks on Critical Infrastructure

Posted by HIPAA Journal

A joint security advisory has been issued by cybersecurity agencies in the United States, United Kingdom, and Australia, warning about the increased globalized threat of ransomware attacks and the elevated risk of targeted attacks on critical infrastructure entities.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed high-impact ransomware attacks against 14 of the 16 critical infrastructure sectors in 2021, including government facilities, financial services, transportation systems, water and wastewater systems, energy, and healthcare and public health.

The UK’s National Cyber Security Centre (NCSC-UK) says ransomware is now the biggest cyber threat faced by the country, with education the most targeted sector. There has also been an increase in attacks on businesses, charities, law firms, local government public services, and the healthcare sector. The Australian Cyber Security Centre (ACSC) says ransomware gangs are targeting critical infrastructure sectors including healthcare and medical, financial services and markets, higher education and research, and energy.

In the cybersecurity advisory, the CISA, the FBI, and the NSA share information about ransomware trends observed in 2021 ransomware attacks and the tactics, techniques, and procedures known to be used by ransomware gangs to gain access to networks, move laterally, and increase the impact of their attacks and suggest mitigations that can reduce the likelihood of a ransomware attack succeeding and the impact of a successful attack.

2021 Ransomware Attack Trends

In the United States, the first half of 2021 saw ransomware gangs target ‘big game’ targets such as Colonial Pipeline, Kaseya, JBS Foods; however, the increased scrutiny on ransomware gangs following these attacks saw them shift their focus to mid-sized targets; however, big game targeting continued throughout 2021 in the United States and Australia.

In Europe, ransomware gangs have been sharing victim information with other ransomware operations and cybercriminal groups. The BlackMatter ransomware operation shutdown and transferred existing victims to the LockBit 2.0 infrastructure and the Conti ransomware gang is known to have sold access to victims’ networks to other cybercriminal groups.

While double extortion tactics have become the norm, 2021 saw an increase in tripe extortion attacks where, in addition to encryption, files are exfiltrated and a demand is issued for payment to prevent the publication of the stolen data, Internet access is disrupted, and threats are issued to inform partners, shareholders, and suppliers about the attack.

Methods Used to Gain Access to Victims’ Networks

CISA, the FBI, and the NSA say ransomware gangs have increasingly sophisticated technological infrastructure and the ransomware threat is increasing globally. Ransomware gangs are using many methods to gain access networks, which makes implementing defensive measures to block the attacks a major challenge.

Initial access to networks is gained through phishing attacks to obtain credentials, using stolen Remote Desktop Protocol (RDP) credentials, brute force tactics to guess weak credentials and the exploitation of known vulnerabilities that have yet to be patched. CISA has identified several new vulnerabilities that are being actively targeted by ransomware gangs which have been added to its Known Exploited Vulnerabilities Catalog, which now includes 368 vulnerabilities. These attack vectors have proven successful due to the increased attack surface due to remote working and schooling as a result of the pandemic, which has made it difficult for IT security teams to patch vulnerabilities and address security weaknesses while supporting their remote workers and learners.

Ransomware gangs are now operating more like professional businesses and are increasingly outsourcing certain functions to specialist cybercriminal groups, who assist with payments, negotiations, arbitration, and provide 24/7 help centers for victims.

Increasing the Impact of Ransomware Attacks

2021 has seen an increase in the severity of ransomware attacks. The attacks are conducted to cause as much disruption as possible to increase the likelihood of the ransom being paid. Ransomware gangs are targeting cloud infrastructures and are exploiting known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software. There has been an increase in attacks on managed service providers and their downstream clients, and industrial processes and the software supply chain are being targeted. Attacks are often conducted at the weekend or during holidays when there are likely to be fewer network defenders and support personnel on hand to identify and respond to attacks.

Defending Against Ransomware Attacks

The security advisory details a long list of mitigations to reduce the likelihood of a successful attack and the severity of an attack should perimeter defenses be breached, including limiting the ability of threat actors to learn about an organization’s IT environment and move laterally.

You can view the list of recommended mitigations here.

The post CISA, FBI, NSA Warn of Increased Threat of Ransomware Attacks on Critical Infrastructure appeared first on HIPAA Journal.

Unpatched Vulnerabilities are the Most Common Attack Vector Exploited by Ransomware Actors

Posted by HIPAA Journal

Ransomware gangs are increasingly targeting unpatched vulnerabilities in software and operating systems to gain access to business networks, and they are weaponizing zero-day vulnerabilities at record speed. Unpatched vulnerabilities are now the primary attack vector in ransomware attacks, according to Ivanti’s Ransomware End of Year Spotlight report.

Ivanti partnered with Certifying Numbering Authority (CNA) Cyber Security Works and the next-gen SOAR and threat intelligence solution provider Cyware for its report, which identified 32 new ransomware variants in 2021 – An increase of 26% from the previous year. There are know 157 known ransomware families that are being used in cyberattacks on businesses.

Ivanti says 65 new vulnerabilities were identified in 2021 that are known to have been exploited by ransomware gangs – an increase of 29% year-over-year – bringing the total number of vulnerabilities tied to ransomware attacks to 288. 37% of the new vulnerabilities were trending on the dark web and have been exploited in multiple attacks, and 56% of the 223 older vulnerabilities continue to be routinely exploited by ransomware gangs.

Ransomware gangs and the initial access brokers they often use are searching for and leveraging zero-day vulnerabilities, oftentimes exploiting them in their attacks before the vulnerabilities have been issued CVE codes and have been added to the National Vulnerability Database (NVD). This was the case with the QNAP (CVE-2021-28799), Sonic Wall (CVE-2021-20016), Kaseya (CVE-2021-30116), and Apache Log4j (CVE-2021-44228) vulnerabilities.

The report highlights the importance of applying patches promptly but also emphasizes the need to prioritize patching to ensure vulnerabilities that have been weaponized are patched first. While it is important to keep track of vulnerabilities as they are added to the NVD, security teams should also sign up to receive threat intelligence feeds and security advisories from security agencies and should be on the lookout for exploitation instances and vulnerability trends.

While ransomware attacks on individual businesses are common, ransomware gangs are looking for major paydays and are increasingly targeting managed service providers and supply chain networks to inflict damage on as many businesses as possible. A supply chain attack or an attack on a managed service provider allows a ransomware gang to conduct ransomware attacks on dozens or even hundreds of victim networks, as was the case with REvil’s ransomware attack on the Kaseya VSA remote management service.

Ransomware gangs are also increasingly collaborating with others, either through ransomware-as-a-service (RaaS), where affiliates are used to conduct large numbers of attacks for a cut of the ransom payments, exploit-as-a-service, where exploits for known vulnerabilities are rented from developers, and dropper-as-a-service operations, where ransomware gangs pay malware operators to drop malicious payloads on infected devices.

“Ransomware groups are becoming more sophisticated, and their attacks more impactful. These threat actors are increasingly leveraging automated tool kits to exploit vulnerabilities and penetrate deeper into compromised networks,” said Srinivas Mukkamala, Senior Vice President of Security Products at Ivanti. “Organizations need to be extra vigilant and patch weaponized vulnerabilities without delays. This requires leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation.”

The post Unpatched Vulnerabilities are the Most Common Attack Vector Exploited by Ransomware Actors appeared first on HIPAA Journal.

RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach

Posted by HIPAA Journal

The Rhode Island Attorney General is investigating UnitedHealthcare and the Rhode Island Public Transit Authority (RIPTA) over a cyberattack and data breach that resulted in hackers gaining access to RIPTA’s network that contained the sensitive personal and protected health information of up to 22,000 individuals.

The Office of the Rhode Island Attorney General was notified about the security breach on December 23, 2021. RIPTA said it discovered and blocked a cyberattack on August 5, 2021, with its investigation confirming the hackers gained access to its network on August 3, 2021. Files stored on the compromised part of its network included extensive information on its employees, including names, dates of birth, Social Security numbers, and health plan ID numbers, along with the sensitive information of thousands of state employees who had never worked at RIPTA.

RIPTA reported the breach to the HHS’ Office for Civil Rights as affecting 5,015 individuals but said in its breach notice that the incident had resulted in the exposure of the personal data of 17,378 individuals. The difference in the numbers was due to UnitedHealthcare, RIPTA’s previous health insurance provider, providing RIPTA with files containing the data of non-RIPTA employees.  In total, up to 22,000 individuals had their sensitive data stolen in the attack. The files were stored on RIPTA’s servers and were not encrypted and the hackers exfiltrated approximately 40,000 files from RIPTA’s systems.

RIPTA sent notification letters to affected individuals, including those that had no association with RIPTA, triggering a barrage of complaints to the Office for the Attorney General questioning why their personal data had been compromised in a breach at RIPTA when they had never had any association with the quasi-public agency. The delay in issuing notification letters was due to each of those 40,000 files having to be manually searched, which was a labor-intensive and time-consuming process. RIPTA said only a small number of people were involved in the document review to prevent sensitive data from being further exposed.

On Monday this week, RIPTA administrators testified under oath at a Senate oversight committee hearing about the incident. RIPTA Chief Legal Counsel Steven Colantuono said at the hearing, “We don’t believe that anyone did anything wrong on our end, but we are still investigating it.”

RIPTA Director Scott Avedisian confirmed that reports downloaded by RIPTA from a UnitedHealthcare portal between 2015 and 2020 were ‘filtered files’, and the data unrelated to RIPTA was supposed to remain hidden. While not confirmed, the description suggests the downloaded files were Excel spreadsheets with certain rows hidden. The secure links to access the files on the portal were emailed to RIPTA by UnitedHealthcare.

At the hearing, officials at the state Department of Information Technology confirmed there is a statewide policy requiring the encryption of sensitive data such as personally identifiable information, personal health information, and federal tax information; however, RIPTA is not one of the agencies or quasi-state agencies assisted or supported by the Department of Information Technology, so RIPTA is not required to comply with the state’s encryption policy.

UnitedHealthcare’s VP of external affairs was scheduled to appear at the hearing but backed out after initially agreeing to appear. UnitedHealthcare said it is investigating the breach to determine what went wrong. At this stage, there is no listing of a breach at UnitedHealthcare on the HHS’ Office for Civil Rights breach portal.

In addition to the investigation by the Rhode Island Attorney General, Colantuono said there will also be a federal investigation and discussions are currently being had between the Department of Justice and the HHS’ Office for Civil Rights to determine which of the two agencies will be conducting the investigation. There is also the possibility of legal action being taken against UnitedHealthcare and RIPTA by state employees affected by the data breach.

The post RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach appeared first on HIPAA Journal.

Technologies Supporting Telehealth are Placing Healthcare Data at Risk

Posted by HIPAA Journal

A new report from Kaspersky indicates the massive increase in telehealth has placed healthcare data at risk. Vulnerabilities have been found in the technologies that support telemedicine, many of which have not yet been addressed.

Massive Increase in the Use of Telehealth

The COVID-19 pandemic has led to an increase in virtual visits, with healthcare providers increasing access to telehealth care to help curb infections and cut costs. Virtual visits are conducted via the telephone, video-conferencing apps, and other platforms, and a host of new technologies and products such as wearable devices for measuring vital signs, implanted sensors, and cloud services are also being used to support telehealth.

Data from McKinsey shows telemedicine usage has increased by 38% since before the emergence of SARS-Cov-2 and COVID-19, and the CDC reports that between June 26, 2020, and November 6, 2020, around 30% of all consultations with doctors were taking place virtually.  Kaspersky says that its own data indicate 91% of healthcare providers around the world have implemented the technology to give them telehealth capabilities.

Telehealth has literally been a lifesaver during the pandemic; however, the use of new technologies is not without risk. Many of the products and services now being used to support telehealth include a variety of third-party components that have not been verified as having the necessary safeguards to ensure the confidentiality, integrity, and availability of healthcare data, and they are potentially putting patient information is at risk.

Kaspersky hypothesized that the rapid digitalization of medical services and the wealth of sensitive and valuable patient data collected, stored, or transmitted by these new healthcare technologies has not gone unnoticed and cybercriminals, who are looking to exploit vulnerabilities. A study was devised to explore the security landscape of telehealth in 2020 and 2021 to determine the extent to which healthcare data is being put at risk.

Analysis of Telehealth Applications and Related Technology

In the summer of 2021, Kaspersky conducted an analysis of 50 of the most popular applications that were being used to provide telehealth services to identify vulnerabilities that could potentially be exploited to gain access to patient data, and checked for the presence of malicious code used to mimic those applications or steal data from them. No vulnerabilities were identified in the 50 applications, although that does not mean vulnerabilities do not exist, only that they have not been found by researchers. Deeper analyses of those apps may uncover vulnerabilities.

“In the absence of centralized quality control of telehealth at the application level, their security can significantly vary from product to product,” suggests Kaspersky. “Another unfortunate fact is that smaller companies, like start-ups, simply do not have enough hands and resources to control the quality and safety of their applications. Accordingly, such applications may contain many vulnerabilities currently unknown to the public that cybercriminals can find and use.”

The researchers then looked at wearable devices and sensors, which are often used in conjunction with telemedicine, specifically, the most commonly used protocol for transferring data from wearable devices and sensors – MQTT..

Kaspersky notes in its report – Telehealth: A New Frontier in Medicine- and Security – that MQTT does not require authentication for data transfers, and even if authentication is implemented, data are transferred in plain text with no encryption, which means MQTT is susceptible to man-in-the-middle (MITM) attacks to gain access to the transferred data. If a device is exposed to the Internet, data transfers via MQTT could easily be intercepted.

According to Kaspersky, between 2016 and 2021, 87 vulnerabilities have been identified in MQTT, and 57 of those vulnerabilities were rated critical or high-severity. Many of those vulnerabilities have still not been patched.

Kaspersky reports that the most common wearable device platform, Qualcomm Snapdragon Wearable, is riddled with vulnerabilities. Since the platform was launched in 2020, more than 400 bugs have been detected, many of which have yet to be patched. Multiple vulnerabilities have also been identified in other vendors’ wearable devices.

Cybercriminals Are Looking to Exploit Vulnerabilities to Access Patient Data

Kaspersky warns that cybercriminals are increasingly using medical themes in their phishing campaigns. Between June 2021 and December 2021, more than 150,000 phishing attacks were detected that used medical themes as lures, and as the digitization of healthcare increases, that trend is only likely to continue to increase.

Telehealth is likely to continue to be used to provide care to patients for years to come and there have been calls for the telehealth flexibilities introduced in response to the pandemic to be made permanent. It is therefore vital for app developers and manufacturers of wearable devices, as well as the healthcare organizations that use them, to be aware of the security risks associated with the technology.

Developers need to be aware of vulnerabilities that could be exploited to gain access to patient data and should implement appropriate safeguards to keep data protected. Users of telehealth services, especially frontline workers who have a say in the platforms and devices used for telehealth, should study the security of each application or product and take steps to secure their accounts with strong passwords, multifactor authentication.

“We expected that 2021 would be a year of greater collaboration between the medical sector and IT security specialists,” said Kaspersky. “In some ways, our expectations were met, but the explosive growth of telehealth has brought new challenges to this collaboration which have yet to be solved.”

The post Technologies Supporting Telehealth are Placing Healthcare Data at Risk appeared first on HIPAA Journal.

February 11, 2022: Deadline for Providing GAO With Feedback on HHS Data Breach Reporting Requirements

Posted by HIPAA Journal

The Government Accountability Office (GAO) has launched a rapid response survey of healthcare organizations and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA) seeking feedback on their experiences reporting data breaches to the Secretary of the Department of Health and Human Services (HHS). The questionnaire was initially due to remain open until 4 p.m. EST on Friday, February 4, 2022., but the deadline has now been extended by a week to February 11, 2022. The survey is being conducted through Survey Monkey and can be accessed here.

Congress requested the GAO review the number of data breaches reported to the HHS since 2015, and the survey seeks to identify some of the challenges, if any, faced by covered entities and business associates in meeting the data breach reporting requirements of the HHS. The GAO will also determine what efforts the HHS has made to address any breach reporting issues and improve the data breach reporting process.

The survey is being distributed by the Health-ISAC, Health Sector Coordinating Council (HSCC) and the American Hospital Association (AHA) on behalf of the GAO, and responses will be provided in aggregate to GAO.

GAO has requested only one survey be completed by each covered entity and business associate. GAO said it will not attribute specific comments to specific individuals and/or organizations when it produces the report, and the only individually identifiable information passed to GAO will be the email address provided in the survey along with any individually identifiable information provided voluntarily in any of the open-ended questions.

“This is an important opportunity to inform the work of the GAO and help identify the benefits of, along with the many issues of concern expressed over the years by hospitals and health system victims of cyberattacks, regarding the ensuing HHS Office for Civil Rights audit and investigation process,” said John Riggi, AHA national advisor for cybersecurity and risk.

The post February 11, 2022: Deadline for Providing GAO With Feedback on HHS Data Breach Reporting Requirements appeared first on HIPAA Journal.

New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach

Posted by HIPAA Journal

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents.

The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers, birth/marriage certificates, diagnoses, and medical treatment information.

Between June 24, 2020, and July 1, 2020, the attackers accessed the account from multiple IP addresses, including some from outside the United States and on July 1, 2020, the account was used to send around 2,000 phishing emails to EyeMed clients. The EyeMed IT department detected the phishing emails and received multiple inquiries from clients querying the legitimacy of the emails. The compromised account was then immediately secured.

The subsequent forensic investigation confirmed the attacker could have exfiltrated data from the email account while access was possible but could not determine if any personal information was stolen. Affected individuals were notified in September 2020 and were offered complimentary credit monitoring, fraud consultation, identity theft restoration services.

The Office of the New York Attorney General investigated the security incident and data breach and determined that, at the time of the attack, EyeMed had failed to implement appropriate security measures to prevent unauthorized individuals from accessing the personal information of New York residents.

The email account was accessible via a web browser and contained large quantities of consumers’ sensitive information spanning several years, yet EyeMed had failed to implement multifactor authentication on the account. EyeMed also failed to implement adequate password management requirements for the email account. The password requirements for the account were not sufficiently complex, only requiring a password of 8 characters, when it was aware of the importance of password complexity as the password requirements for admin-level accounts required passwords of at least 12 characters. EyeMed also allowed 6 failed password attempts before locking out the user ID. EyeMed had also failed to maintain adequate logging of email accounts and was not monitoring email accounts, which made it difficult to identify and investigate security incidents. It was also unreasonable to retain consumer data in the email account for such a long period of time. Older emails should have been transferred to more secure systems and be deleted from the email account.

State attorneys general have the authority to impose financial penalties for HIPAA violations and it would have been possible to cite violations of HIPAA; however, New York only cited violations of New York General Business Law.

Under the terms of the settlement, EyeMed is required to pay a financial penalty of $600,000 and must implement several measures to improve security and prevent further data breaches. Those measures include:

  • Maintaining a comprehensive information security program that is regularly updated to keep pace with changes in technology and security threats
  • Maintaining reasonable account management and authentication, including the use of multi-factor authentication for all administrative or remote access accounts
  • Encrypting sensitive consumer information
  • Conducting a reasonable penetration testing program to identify, assess, and remediate security vulnerabilities
  • Implementing and maintaining appropriate logging and monitoring of network activity
  • Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it.

“New Yorkers should have every assurance that their personal health information will remain private and protected. EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals,” said Attorney General James. “Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”

The post New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach appeared first on HIPAA Journal.

Deadline for Reporting 2021 PHI Breaches Affecting Fewer Than 500 Individuals

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule places a strict time limit on issuing notifications to individuals whose protected health information has been exposed or impermissibly disclosed. The maximum time limit is 60 days from the date of discovery of the data breach, although notification letters should be sent “without unreasonable delay.”

In addition to sending notification letters to individuals affected by a data breach, the HIPAA Breach Notification Rule also requires the Secretary of the Department of Health and Human Services (HHS) to be notified about a data breach. The time limit for submitting that notification depends on the number of individuals affected by the data breach.

When a data breach has been experienced that affects 500 or more individuals, the Secretary of the HHS must also be notified “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” If all information is not known about the breach within 60 days, the breach should still be reported to the HHS, and it can be amended at a later date when more information is known.

When a data breach has affected fewer than 500 individuals, HIPAA-regulated entities have longer to report the breaches to the HHS.  N.B. the time limit for individual notifications is still 60 days from the date of discovery of the breach, regardless of how many individuals have been affected.

The deadline for reporting breaches of the PHI of fewer than 500 individuals to the HHS is 60 days from the end of the calendar year in which the breach was discovered. That means all PHI breaches discovered in 2021 that involved the PHI of fewer than 500 individuals must be reported to the Secretary of the HHS no later than 11:59:59 p.m. on March 1, 2022. Each breach must be reported to the HHS separately via the breach reporting tool on the HHS website.

Many HIPAA-regulated entities will leave their breach reporting until close to the reporting deadline, so the breach reporting portal is likely to see high levels of traffic as the deadline approaches, which could potentially cause availability issues. It is therefore advisable to report any breaches well ahead of the breach reporting deadline.

You should bear in mind that several states have passed legislation covering the reporting of data breaches, and the time frame for reporting breaches may be shorter than those of the HIPAA Breach Notification Rule. In many cases, HIPAA-regulated entities are exempt from state breach notification laws provided they comply with the reporting requirements of HIPAA. If they are not compliant with the Breach Notification Rule, state attorneys general may decide to investigate, and civil monetary penalties could be imposed for violations of HIPAA or state laws.

The post Deadline for Reporting 2021 PHI Breaches Affecting Fewer Than 500 Individuals appeared first on HIPAA Journal.

More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability

Posted by HIPAA Journal

A recent study by the healthcare IoT security platform provider Cynerio has revealed 53% of connected medical devices and other healthcare IoT devices have at least one unaddressed critical vulnerability that could potentially be exploited to gain access to networks and sensitive data or affect the availability of the devices. The researchers also found a third of bedside healthcare IoT devices have at least one unpatched critical vulnerability that could affect service availability, data confidentiality, or place patient safety in jeopardy.

The researchers analyzed the connected device footprints at more than 300 hospitals to identify risks and vulnerabilities in their Internet of Medical Things (IoMT) and IoT devices. IV pumps are the most commonly used healthcare IoT device, making up around 38% of a hospital’s IoT footprint. It is these devices that were found to be the most vulnerable to attack, with 73% having a vulnerability that could threaten patient safety, service availability, or result in data theft. 50% of VOIP systems contained vulnerabilities, with ultrasound devices, patient monitors, and medicine dispensers the next most vulnerable device categories.

The recently announced Urgent11 and Ripple20 IoT vulnerabilities are naturally a cause for concern; however, there are much more common and easily exploitable vulnerabilities in IoT and IoMT devices. The Urgent11 and Ripple20 vulnerabilities affect around 10% of healthcare IoT and IoMT devices, but the most common risk was weak credentials. Default passwords can easily be found in online device manuals and weak passwords are vulnerable to brute force attacks. One-fifth (21%) of IoT and IoMT devices were found to have default or weak credentials.

The majority of pharmacology, oncology, and laboratory devices and large numbers of the devices used in radiology, neurology, and surgery departments were running outdated Windows versions (older than Windows 10) which are potentially vulnerable.

Unaddressed software and firmware vulnerabilities are common in bedside devices, with the most common being improper input validation, improper authentication, and the continued use of devices for which a device recall notice has been issued. Without visibility into the devices connected to the network and a comprehensive inventory of all IoT and IoMT devices, identifying and addressing vulnerabilities before they are exploited by hackers will be a major challenge and it will be inevitable that some devices will remain vulnerable.

Many medical devices are used in critical care settings, where there is very little downtime. More than 80% of healthcare IoT devices are used monthly or more frequently, which gives security teams a small window for identifying and addressing vulnerabilities and segmenting the network. Having an IT solution in place that can provide visibility into connected medical devices and provide key data on the security of those devices will help security teams identify vulnerable devices and plan for updates.

Oftentimes it is not possible for patches to be applied. Oftentimes healthcare IoT devices are in constant use and they are frequently used past the end-of-support date. In such cases, the best security alternative is virtual patching, where steps are taken to prevent the vulnerabilities from being exploited such as quarantining devices and segmenting the network.

Segmenting the network is one of the most important steps to take to improve healthcare IoT and IoMT security. When segmentation is performed that takes medical workflows and patient care contexts into account, Cybnerio says 92% of critical risks in IoT and IoMT devices can be effectively mitigated.

Most healthcare IoT and IoMT cybersecurity efforts are focused on creating a comprehensive inventory of all IoT and IoMT devices and gathering data about those devices to identify potential risks. “Visibility and risk identification are no longer enough. Hospitals and health systems don’t need more data – they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it’s time for all of us to step up,” said Daniel Brodie, CTO and co-founder, Cynerio.

The post More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability appeared first on HIPAA Journal.

CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks

Posted by HIPAA Journal

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all organizations in the United States to take immediate steps to prepare for attempted cyberattacks involving a new wiper malware that has been used in targeted attacks on government agencies, non-profits, and information technology organizations in Ukraine.

The malware – dubbed Whispergate – masquerades as ransomware and generates a ransom note when executed; however, the malware lacks the capabilities to allow files to be recovered. Whispergate consists of a Master Boot Record (MBR) wiper, a file corruption, and a Discord-based downloader. The MBR is the section of the hard drive that identifies how and where an operating system is located. Wiping the MBR will brick an infected device by making the hard drive inaccessible.

The Microsoft Threat Intelligence Center (MSTIC) has recently performed an analysis of the new malware. The first stage of the malware, typically called stage1.exe, wipes the MBR and prevents the operating system from loading. The malware is executed when an infected device is powered down and generates the ransom note. The second stage of the malware, stage2.exe, is a file corruptor that runs in the memory and corrupts files based on hardcoded file extensions to prevent the files from being recovered.

The attacks have so far been conducted on targets in Ukraine, but there is a risk of much broader attacks. Wiper malware such as this has been used to attack organizations in Ukraine in the past and in much broader attacks worldwide. In 2017, the NotPetya wiper was used to attack organizations in Ukraine and was delivered in a supply chain attack via legitimate tax software. NotPetya attacks were also conducted globally causing major damage to IT systems and significant data loss. NotPetya is believed to have been used by a Russian hacking group known as Voodoo Bear/Sandworm.

The current theory of the Ukrainian government is the attacks are being conducted by an Advanced Persistent Threat (APT) group known to have strong links with Belarus. There is a legitimate concern that similar attacks may occur in the United States using Whispergate, especially on critical infrastructure organizations and companies with links to Ukraine.

CISA has issued an Insights bulletin providing information on steps that can be taken to protect against the malware threat and reduce the likelihood of a damaging cyber intrusion. The bulletin also includes guidance on how to quickly detect and respond to a potential intrusion, and how to maximize resilience to a destructive cyber threat.

The post CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks appeared first on HIPAA Journal.