HHS Unveils Voluntary HPH Cybersecurity Performance Goals

The Department of Health and Human Services (HHS) has unveiled the Cybersecurity Performance Goals (CPGs) that were outlined in its December 2023 Healthcare Sector Cybersecurity Strategy. These voluntary goals will help healthcare organizations take the necessary steps to improve cybersecurity and guide them through implementing high-impact measures to quickly improve resilience to cyber threats and recover quickly should their defenses be breached.

Cyberattacks on healthcare organizations have increased significantly in recent years with 2023 breaking records for the number of data breaches (725) and the number of breached records (133M). The HHS Cybersecurity Strategy aims to help the healthcare and public health (HPH) sector prepare for and respond to cyber threats, adapt to a rapidly changing threat landscape, and improve cyber resilience across the sector, with the establishment of voluntary cybersecurity goals the first step in that process.

The voluntary CPGs will help HPH sector organizations prioritize the implementation of high-impact cybersecurity practices – cybersecurity practices that will have the greatest impact on improving resilience to the most common attack vectors. As outlined in the HHS cybersecurity strategy, two tiers of CPGs have been developed: Essential CPGs and Enhanced CPGs. The essential CPGs are relatively low-cost minimum foundational cybersecurity practices that will greatly improve cybersecurity, and the enhanced CPGs are intended to encourage the adoption of more advanced cybersecurity practices. The aim is to get all healthcare delivery organizations to adopt the essential CPGs to make it harder for cyber actors to gain access to their networks and incentivize them to mature their cybersecurity programs by adopting the Enhanced CPGs.

The CPGs were developed based on the Cross-Sector CPGs released by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in March 2023, which were intended to serve as a cybersecurity baseline for all critical infrastructure entities. The HHS collaborated with CISA and the industry to develop the healthcare-specific CPGs, which were also informed by common industry cybersecurity frameworks, guidelines, best practices, and strategies such as the National Cybersecurity Strategy, Healthcare Industry Cybersecurity Practices (HICP) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Layered Protection at Each Stage of the Attack Chain

The HPH CPGs are concerned with improving resiliency at all points in digital systems that can be exploited by cyber actors. The Essential CPGs will help HPH sector organizations address common vulnerabilities to improve their security posture, improve incident response, and minimize residual risk. The Enhanced CPGs are intended to help HPH sector organizations mature their cybersecurity capabilities and improve their defense against additional attack vectors.

Essential HPH CPGs

  • Mitigate Known Vulnerabilities
  • Email Security
  • Multifactor Authentication
  • Basic Cybersecurity Training for the Workforce
  • Strong Encryption for Sensitive Data in Transit
  • Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers
  • Basic Incident Planning and Preparedness
  • Unique Credentials for all members of the Workforce
  • Separate User and Privileged Accounts
  • Vendor/Supplier Cybersecurity Requirements

Enhanced CPGs

  • Asset Inventory
  • Third-Party Vulnerability Disclosure
  • Third-Party Incident Reporting
  • Cybersecurity Testing
  • Cybersecurity Mitigation
  • Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (TTP)
  • Network Segmentation
  • Centralized Log Collection
  • Centralized Incident Planning and Preparedness
  • Configuration Management

Initially, the CPGs will be voluntary; however, the HHS will use these CPGs to inform future rulemaking, including new cybersecurity requirements for healthcare organizations that participate in Medicare and Medicaid programs, the planned updates to the HIPAA Security Rule, and HHS efforts to incentivize the adoption of cybersecurity practices. Any new regulatory updates that include new cybersecurity requirements will be subject to standard notice and comment periods.

“We have a responsibility to help our health care system weather cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” said HHS Deputy Secretary Andrea Palm. “The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.”

The HHS outlined in its cybersecurity strategy its plans to make funds available to help under-resourced healthcare delivery organizations make the necessary investments in cybersecurity by helping to cover the initial costs of implementing the essential CPGs. The HHS also plans to create an incentive program to encourage the adoption of the Enhanced CPGs. The establishment of these programs to help financially challenged hospitals is essential, as while the creation of the CPGs is a great first step, many healthcare delivery organizations simply do not have the funding available to make the necessary investments to improve cybersecurity.

The HPH CPGs are detailed in an 11-page PDF document that can be accessed on the HHS HPH Cyber website.

The post HHS Unveils Voluntary HPH Cybersecurity Performance Goals appeared first on HIPAA Journal.

Russian National Sanctioned for Medibank Ransomware Attack

A Russian national who was involved in a ransomware attack on the Australian health insurance provider Medibank in 2022 has been sanctioned by the governments of Australia, the United States, and the United Kingdom.

Alexander Ermakov (aka blade_runner, GistaveDore, GustaveDore, or JimJones), 33, is believed to have been a member of the now-disbanded ransomware group REvil. REvil was one of the most notorious cybercriminal groups until July 2021, when the group ceased operations and disappeared. Prior to that, the group was a ransomware-as-a-service operation that encrypted approximately 175,000 computers and was paid an estimated $200 million in ransom payments from its attacks.

In October 2022, REvil gained access to the Medibank network and stole the data of approximately 9.7 million of its customers and then used ransomware to encrypt files. The stolen data included names, dates of birth, Medicare numbers, and highly sensitive medical information including mental health, sexual health and drug use data.

As a Russian national, Ermakov is unlikely to face justice for the REvil attacks, as Russia has no extradition treaty with Australia, the United States, or the United Kingdom, and Ermakov is unlikely to travel to any country where there is a risk of arrest. The U.S. Department of the Treasury criticized Russia for allowing ransomware gangs to operate within its borders and freely conduct attacks around the world, and for enabling ransomware attacks by cultivating and co-opting criminal hackers. The Treasury has called for Russia to take concrete steps to prevent cyber criminals from freely operating in its jurisdiction.

The sanctions mean that it is a criminal offence to provide any assets to Ermakov or to use or deal with any of his assets, which includes making ransom payments through cryptocurrency wallets. Australia was the first to sanction Ermakov, closely followed by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the UK government. OFAC said all property and interests in property of Ermakov that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. Any entities that are directly or indirectly 50% or more owned by Ermakov are also blocked. Violation of the sanctions is punishable by up to 10 years’ imprisonment.

“Russian cyber actors continue to wage disruptive ransomware attacks against the United States and allied countries, targeting our businesses, including critical infrastructure, to steal sensitive data,” said Under Secretary of the Treasury Brian E. Nelson. “Today’s trilateral action with Australia and the United Kingdom, the first such coordinated action, underscores our collective resolve to hold these criminals to account.”

Lincare Holdings Proposes $7.25 Million Settlement to Resolve Data Breach Lawsuit

A $7.25 million settlement has been proposed to resolve a class action lawsuit – In re: Lincare Holdings Inc. Data Breach Litigation – filed against Lincare Holdings over a September 2021 data breach that affected 2,918,444 individuals.

Lincare Holdings is a provider of in-home respiratory care and equipment. In September 2021, unauthorized activity was detected within its network and the forensic investigation confirmed an unauthorized third party had gained access to files containing patient data. The exposed protected health information included names, addresses, Lincare account numbers, dates of birth, treatment information, provider names, dates of service, diagnosis and procedure information, account or record numbers, health insurance information, and prescription information, and for a small number of affected individuals, Social Security numbers.

Legal action was taken by the affected individuals who alleged that Lincare Holdings was negligent for failing to implement reasonable and appropriate cybersecurity measures, and had those measures been implemented, the data breach could have been avoided. Lincare has not admitted any wrongdoing but has proposed a settlement to end the litigation.

Class members will be permitted to submit claims for up to $5,000 as reimbursement for out-of-pocket losses fairly traceable to the data breach, including up to 4 hours of lost time at $20 per hour. Recoverable losses include bank fees, credit fees, communication costs, unreimbursed fraudulent charges, and losses to identity theft. Individuals who were California residents at the time of the breach can also claim an additional $90.

All class members are eligible to receive a one-year membership to Medical Shield services, which includes medical record monitoring, health insurance monitoring, dark web monitoring, real-time authentication alerts, high-risk transaction monitoring, Medicare monitoring, provider monitoring, HSA monitoring, ICD monitoring, credit freeze assistance, and identity theft remediation services. They will also be covered by a $1 million identity theft insurance policy.

Claims must be submitted by April 15, 2024, and any class member wishing to object to or exclude themselves from the settlement must do so by March 14, 2024. The final hearing has been scheduled for June 12, 2024.

The plaintiff and class members were represented by John A. Yanchunis of Morgan & Morgan; Stephen R. Basser of Barrack Rodos & Bacine; Raina Borrelli of Turke & Strauss LLP; Alexandra M. Honeycutt of Milberg Coleman Bryson Phillips Grossman PLLC; and Carl V. Malmstrom of Wolf Haldenstein Adler Freeman & Herz LLC.

Patch Fortra GoAnywhere Now: Exploit Code Released for Critical Flaw

Fortra has disclosed and patched a critical vulnerability in its GoAnywhere Managed File Transfer (MFT) solution. The vulnerability – CVE-2024-0204 – is an authentication bypass bug due to a path traversal weakness. If exploited, an unauthenticated user can create a new admin user via the administration portal and remotely take control of the customer’s environment and gain access to their network. The vulnerability has a CVSS severity score of 9.8 out of 10.

Fortra explained in its security advisory that the vulnerability affects all versions of GoAnywhere MFT prior to 7.4.1. All users of the file transfer solution should ensure they update to version 7.4.1 as soon as possible. If it is not possible to upgrade immediately, Fortra has suggested temporary workarounds.

For non-container deployments, users should delete the InitialAccountSetup.xhtml file in the install directory and restart the services. For container deployments, the InitialAccountSetup.xhtml file should be deleted and replaced with an empty file, followed by a restart.

Managed file transfer solutions are attractive targets for hackers. Last year, the Clop ransomware group exploited a vulnerability in Fortra’s GoAnywhere MFT – CVE-2023-0669 – and attacked 129 of the company’s clients, including several healthcare organizations. Exploitation of the flaw is likely, and according to Searchlight Cyber threat intelligence engineer John Honey, a proof-of-concept exploit for the vulnerability is being circulated on at least one Telegram channel.

After upgrading to version 7.4.1 or implementing the workaround, an audit should be conducted to see if any new admin users have been added to the admin users group in the GoAnywhere administrator portal (Users -> Admin Users section). The cybersecurity firm Horizon3 also recommends checking the database logs – \GoAnywhere\userdata\database\goanywhere\log\*.log – as they include the transactional history of the database and will contain entries if new admin users have been added.
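The three defender actions in this advisory (confirm the version, confirm the workaround where an upgrade has to wait, and audit the admin users afterwards) can be scripted across a fleet. The following is an added example written for this page, not Fortra's or Horizon3's code. It assumes the caller supplies each host's install directory and version string, and it audits admin users by comparing an admin list exported before the advisory (the baseline) with the list currently shown in the portal; the sample hosts are temporary directories constructed inside the script.

```python
"""Fleet check for the GoAnywhere MFT advisory: version, workaround, admin audit.

Added example, not Fortra's or Horizon3's code. Assumptions not taken from
the advisory: the caller supplies each host's install directory and version
string, and the admin-user audit compares an admin list exported before the
advisory (baseline) with the current list read from the portal.
"""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (7, 4, 1)                      # advisory: every version prior to 7.4.1 is affected
WORKAROUND_FILE = "InitialAccountSetup.xhtml"  # file named in the vendor's temporary workaround


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.4.1' (or '7.4.1-build2') into a tuple that compares numerically."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected_version(version: str) -> bool:
    """True when the installed release is older than 7.4.1 (a plain string compare would rank 7.10 below 7.4)."""
    return parse_version(version) < FIXED_VERSION


def workaround_applied(install_dir: Path, containerized: bool) -> bool:
    """Verify the vendor workaround exactly as documented for each deployment type.

    Non-container: InitialAccountSetup.xhtml must be gone.
    Container: the file must still exist but be empty.
    """
    target = install_dir / WORKAROUND_FILE
    if containerized:
        return target.is_file() and target.stat().st_size == 0
    return not target.exists()


def host_status(version: str, install_dir: Path, containerized: bool) -> str:
    """Classify one host as 'patched', 'mitigated' (workaround only) or 'exposed'."""
    if not is_affected_version(version):
        return "patched"
    if workaround_applied(install_dir, containerized):
        return "mitigated"
    return "exposed"


def unexpected_admins(baseline: set[str], current: set[str]) -> set[str]:
    """Admin accounts present now that were absent from the pre-advisory baseline."""
    return current - baseline


def demo() -> dict[str, str]:
    """Constructed sample hosts (temporary directories, not real installs), one per outcome."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)

        exposed = root / "exposed"          # 7.3.0, setup page still present
        exposed.mkdir()
        (exposed / WORKAROUND_FILE).write_text("<html/>")
        results["exposed"] = host_status("7.3.0", exposed, containerized=False)

        mitigated = root / "mitigated"      # 7.3.0, non-container, file deleted
        mitigated.mkdir()
        results["mitigated"] = host_status("7.3.0", mitigated, containerized=False)

        container = root / "container"      # 7.3.0, container, file replaced with an empty file
        container.mkdir()
        (container / WORKAROUND_FILE).write_text("")
        results["container"] = host_status("7.3.0", container, containerized=True)

        wrong = root / "wrong-container"    # container where the file was deleted rather than emptied:
        wrong.mkdir()                       # not the documented container workaround, so not accepted
        results["wrong-container"] = host_status("7.3.0", wrong, containerized=True)

        patched = root / "patched"          # 7.4.1: the file's presence no longer matters
        patched.mkdir()
        (patched / WORKAROUND_FILE).write_text("<html/>")
        results["patched"] = host_status("7.4.1", patched, containerized=False)
    return results


if __name__ == "__main__":
    for host, status in demo().items():
        print(f"{host:16} {status}")
    # Constructed admin lists: the baseline export versus what the portal shows now.
    print("unexpected admins:", unexpected_admins({"admin", "mft-ops"}, {"admin", "mft-ops", "svc_backup2"}))
```

The workaround check is deliberately strict: it accepts only the form the vendor documents for each deployment type, so a container host where the file was merely deleted is reported as not mitigated and gets a second look rather than a pass. Any name in the `unexpected_admins` output is the starting point for the log review Horizon3 describes.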

HC3 Warns of Threat of Unauthorized Remote Access via ScreenConnect Tool

The ScreenConnect remote access tool has been abused by a threat actor to gain access to the networks of organizations in the healthcare and public health (HPH) sector. According to a sector alert from the Health Sector Cybersecurity Coordination Center (HC3), between October 28 and November 8, 2023, an unknown threat actor abused a locally hosted ScreenConnect instance to gain remote access to victims’ networks.

Once access was gained, the threat actor installed further remote access tools including SecureConnect and AnyDesk instances to allow persistent access to victims’ networks. Researchers at the cybersecurity company Huntress identified two attacks on distinct healthcare organizations and the threat actor’s activity suggests network reconnaissance was being conducted in preparation for attack escalation.

On November 14, the vendor of ScreenConnect said the threat actor gained access to an unmanaged on-premises instance of ScreenConnect that had not been updated since 2019. The ScreenConnect vendor said the organizations affected had gone against recommended best practices. In the attack, the threat actor leveraged local ScreenConnect instances used by the pharmacy supply chain and management systems solution provider Transaction Data Systems (now Outcomes). The company makes Rx30 and ComputerRx software that is used by pharmacies in all 50 states. The Huntress researchers have not been able to determine the impact of the attack, but say it could be substantial.

HC3 has provided Indicators of Compromise (IoCs) associated with the attack and advises all clients of the pharmacy supply chain and management systems solution provider to take immediate action and examine their systems and networks for the IoCs. If any of the IoCs are identified they should be taken seriously and warrant a prompt and thorough investigation and comprehensive breach response.

According to HC3, the compromised endpoints were running an unmanaged Windows Server 2019 instance, and organizations should take concerted steps to safeguard their infrastructure. HC3 recommends implementing enhanced endpoint monitoring solutions and robust cybersecurity frameworks, and engaging in proactive threat hunting to mitigate potential threat actors’ intrusions.
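The pattern HC3 describes is observable from a software inventory alone: a remote-access tool that has not been updated in years, and additional remote-access tools appearing beside it. The following hunt is an added example written for this page, not HC3's, Huntress's or the ScreenConnect vendor's tooling. It assumes an inventory export with host, product, version and last-updated date (the records in `demo()` are constructed), and that the organization knows which remote-access tool each host is approved to run; the one-year staleness threshold is an assumption, and HC3's published IoCs are not reproduced here.

```python
"""Inventory hunt for the remote-access abuse pattern in the HC3 alert.

Added example, not HC3's, Huntress's or the ScreenConnect vendor's tooling.
Assumptions not from the alert: a software-inventory export with host, product,
version and last-updated date exists (the records below are constructed), and
the organisation knows which remote-access tool each host is approved to run.
HC3's published IoCs are deliberately not reproduced here; the hunt looks for
the behaviours the alert describes instead.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

REMOTE_ACCESS_TOOLS = {"screenconnect", "anydesk"}  # tools named in the alert; extend as needed
STALE_AFTER_DAYS = 365  # assumption: a remote-access tool not updated in a year is treated as unmanaged

UNAPPROVED = "unapproved"  # remote-access tool the host is not approved to run
STALE = "stale"            # installed but not updated for longer than STALE_AFTER_DAYS
MULTIPLE = "multiple"      # more than one remote-access tool on one host (persistence stacking)


@dataclass(frozen=True)
class Record:
    host: str
    product: str
    version: str
    last_updated: date


def hunt(inventory, approved, today):
    """Return (host, product, reason) findings; product is '*' for host-level findings."""
    findings = []
    tools_per_host = defaultdict(set)
    for rec in inventory:
        name = rec.product.lower()
        if name not in REMOTE_ACCESS_TOOLS:
            continue  # only remote-access tooling is in scope for this hunt
        tools_per_host[rec.host].add(name)
        if name not in approved.get(rec.host, set()):
            findings.append((rec.host, rec.product, UNAPPROVED))
        if (today - rec.last_updated).days > STALE_AFTER_DAYS:
            findings.append((rec.host, rec.product, STALE))
    for host, tools in tools_per_host.items():
        if len(tools) > 1:
            findings.append((host, "*", MULTIPLE))
    return findings


def demo():
    """Constructed inventory: one host matching the alert's pattern, one clean, one with a stray tool."""
    inventory = [
        Record("pharm-srv-01", "ScreenConnect", "6.9", date(2019, 5, 2)),    # on-prem, untouched since 2019
        Record("pharm-srv-01", "AnyDesk", "8.0", date(2023, 11, 1)),         # appeared recently
        Record("pharm-srv-01", "SQL Server", "2019", date(2023, 9, 15)),     # out of scope for this hunt
        Record("pharm-srv-02", "ScreenConnect", "23.9", date(2023, 10, 1)),  # managed and current
        Record("ws-07", "AnyDesk", "8.0", date(2023, 11, 3)),                # no approval on file
    ]
    approved = {"pharm-srv-01": {"screenconnect"}, "pharm-srv-02": {"screenconnect"}}
    return hunt(inventory, approved, today=date(2023, 11, 14))


if __name__ == "__main__":
    for host, product, reason in demo():
        print(f"{host:14} {product:14} {reason}")
```

In the constructed data, `pharm-srv-01` produces all three finding types at once, which is the shape of the incident in the alert: a ScreenConnect instance nobody has touched since 2019, a second remote-access tool installed beside it, and therefore two such tools on one host. A single `unapproved` finding on a workstation is lower confidence on its own but still warrants the prompt investigation HC3 calls for.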
