The Health Sector Cybersecurity Coordination Center (HC3) has issued a healthcare and public health (HPH) sector alert about credential harvesting, one of the most common tactics used by hackers in cyberattacks on the HPH sector.

While there are more secure ways of authenticating individuals and controlling access to accounts and resources, credentials such as usernames, passwords, and personal information are commonly used. Credentials provide access to online accounts, email systems, patient data, and network resources. If credentials are obtained, hackers will gain the user’s privileges and a foothold in the network.

Credential harvesting leads to data breaches, but oftentimes credential harvesting is the first stage in a much more extensive attack. The access may allow a hacker to compromise further accounts and escalate privileges, exploit vulnerabilities in internal systems, deploy malware, move laterally within the network, disrupt administrative functions, and cause system downtime, which can impair healthcare professionals’ ability to provide patient care.

Credential harvesting is most commonly associated with phishing, but credentials can be obtained using a variety of methods, the most common of which are:

• Phishing: The use of deceptive messages to trick users into disclosing their login credentials, often on attacker-controlled websites
• Keylogging: Malware that records keystrokes as they are entered by users, including usernames and passwords.
• Brute Force Attacks: Automated attempts using numerous combinations of usernames and commonly used passwords until the correct combination is identified.
• Person-in-the-Middle (PITM) Attacks: The interception of communications between two parties, capturing login credentials exchanged during the authentication process.
• Credential Stuffing: The use of credentials obtained in one data breach to access accounts on other platforms/systems where the same username/password combinations have been used.

Since there are a variety of ways that credentials can be harvested, there is no single mitigation that can protect against this tactic. Healthcare organizations need to be proactive and implement several mitigations to reduce risk. Multi-factor authentication (MFA) is one of the most important security measures as it adds an extra layer of authentication. If credentials are compromised, without the additional authentication, account access will not be granted. Phishing-resistant MFA provides the highest level of protection.

Many credential harvesting attacks use email to make initial contact with users. Email filtering solutions such as spam filters will block the majority of these messages and prevent them from reaching end users; however, even the most advanced email security solutions will not block all malicious messages. Employee training and awareness are therefore important. Members of the workforce (from the CEO down) should be educated about phishing and other credential harvesting methods and be taught cybersecurity best practices.

Monitoring and detection solutions should be used to identify suspicious login attempts and suspicious user behavior, endpoint security solutions can protect against malware such as keyloggers, systems should be kept up to date to prevent the exploitation of vulnerabilities, and organizations should ensure they have comprehensive incident response plans to minimize the harm caused should an attack prove successful.

This is the second sector alert to be issued by HC3 this month on tactics used by malicious actors in attacks on the HPH sector. The earlier alert covers email bombing, which is used for denial of service attacks.

The post HHS Shares Credential Harvesting Mitigations appeared first on HIPAA Journal.

This week, Senator Mark R. Warner (D-VA) introduced new legislation that will allow for advance and accelerated payments to healthcare providers in the event of a cyberattack. The new legislation was introduced in response to the recent ransomware attack on Change Healthcare, which caused an outage that lasted for more than 4 weeks. The outage prevented physicians and hospitals from processing claims, billing patients, and checking insurance coverage for care, and the reimbursement delays have left many healthcare providers struggling to pay workers and buy supplies, with some placed at risk of becoming financially insolvent.

Given the increase in cyberattacks on the healthcare sector in recent years, a major attack that caused massive nationwide disruption to healthcare was an inevitability, and there will likely be other highly damaging healthcare cyberattacks in the future. The Health Care Cybersecurity Improvements Act of 2024 will help to ensure that in the event of another attack, healthcare providers will not face such challenging financial problems.

Sen. Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, has been sounding the alarm about healthcare cybersecurity for some time. In 2022, he published a white paper that framed cybersecurity as a patient safety issue. The Change Healthcare ransomware attack demonstrated how a cyberattack can prevent patients from receiving timely care and essential medications. “The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”

The Health Care Cybersecurity Improvements Act of 2024 will allow for advance and accelerated payments to healthcare providers in the event of a cyber incident; however, they would only qualify if they and their vendors meet minimum cybersecurity standards. In the press release announcing the new legislation, Sen. Warner did not mention what those minimum cybersecurity standards are, as that will be left to the HHS Secretary to determine.

Currently, in certain situations, Medicare Part A providers (such as acute care hospitals, skilled nursing facilities, and other inpatient care facilities) and Part B suppliers (including physicians, nonphysician practitioners, durable medical equipment suppliers, and others who furnish outpatient services) can experience cash flow difficulties due to specific circumstances that are beyond their control, as happened following the Change Healthcare ransomware attack. The Centers for Medicare and Medicaid Services (CMS) has provided temporary financial relief to Medicare Part A providers and Part B suppliers through Accelerated and Advance Payment (AAP) programs, which provide advance payments from the federal government, which are later recovered by withholding payments for later claims.

The Health Care Cybersecurity Improvements Act of 2024 will modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program. If the legislation is passed, the HHS Secretary will determine if the need for payment results from a cyber incident, and if it does, the healthcare provider requiring the payment must meet minimum cybersecurity standards, which will be determined by the Secretary. For instance, a healthcare provider may be required to implement the essential cybersecurity performance goals recently announced by the HHS. If the provider has implemented those minimum cybersecurity measures and the provider’s intermediary was the target of the incident, the intermediary must also meet minimum cybersecurity standards in order for the provider to receive the payments.

If passed, the act would take effect two years from the date of enactment, which will give healthcare organizations sufficient time to ensure they comply with the cybersecurity requirements set by the HHS Secretary.

The post Legislation Introduced to Provide Advance Payments to Providers Affected by Cyberattacks appeared first on HIPAA Journal.

Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, has demanded answers from the Department of Health and Human Services (HHS) about a 2023 cyberattack that resulted in the theft of millions of dollars of grant funds and the failure of the HHS to notify Congress about the incident.

In January this year, Bloomberg published a report about a hacking incident at the HHS. According to the report, hackers had access to an HHS system that processed civilian grant payments between March 2023 and November 2023 and stole $7.5 million. The money should have been transferred to five accounts to provide support for at-risk populations, including children, pregnant women, and patients in rural communities.

Hackers are thought to have used spear phishing emails to target HHS staff, who were tricked into disclosing credentials that allowed access to the grantees’ accounts. The HHS provided a statement at the time confirming the incident had been reported to the HHS’ Office of Inspector General; however, in January, an HHS OIG spokesperson could neither confirm nor deny that an investigation had been launched into the incident.

In his letter to HHS Secretary Xavier Becerra, Sen. Cassidy said the HHS did not notify Congress about the incident and has so far failed to publicly acknowledge the breach, even though federal law requires government agencies to disclose major cyberattacks. Sen. Cassidy said any disruption to grant funding can place healthcare facilities under significant financial strain and the delay in receiving grant awards could delay life-saving care to patients. Cyberattacks on healthcare organizations are increasing and the HHS has issued regular guidance to HIPAA-regulated entities on the steps that should be taken to improve cybersecurity and has recently announced voluntary cybersecurity performance goals for the HPH sector. Senator Cassidy said, “This attack raises serious questions about HHS’ ability to safeguard its own systems and protect taxpayer funds and sensitive data.”

Senator Cassidy also criticized the HHS for the lack of transparency about the breach and its incident response.  “HHS’ lack of transparency and communication regarding this breach, including communication to Congress as required by law, undermines the public trust and suggests that the Federal government is not prepared to protect patients against cybersecurity attacks,” wrote Sen. Cassidy. “Americans entrust HHS to safeguard taxpayer dollars from cyberattacks. An unauthorized breach of this nature requires transparency from HHS about the facts at issue, and leadership from HHS to take the necessary steps to ensure that it does not happen again.”

Sen. Cassidy has demanded answers about when the HHS identified the breach of its Payment Management Services (PMS) system, when the system was accessed by hackers, how many grantees were affected, how much was stolen, when the HHS notified the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) about the breach, whether the attack delayed any payments of grant awards, and what steps the HHS has taken to try to recover the stolen funds. Questions were also asked about the safeguards that were in place prior to the attack, its internal incident response plan, the steps that have been taken to identify and address any vulnerabilities in HHS systems, and how the HHS can justify failing to notify Congress. Sen. Cassidy has requested answers on a question-by-question basis by April 5, 2024.

A spokesperson for the HHS confirmed that the HHS has been in regular contact with Congress about the incident and is working to ensure that the affected grantees will have access to the funds that they were awarded. “The event in December was a targeted fraud campaign against the Payment Management System, not a cyberattack,” said the HHS spokesperson. “HHS promptly reported the incident to the HHS Office of Inspector General. As federal stewards of the taxpayer dollar, we take this issue with the utmost importance.”

The post Senator Cassidy Demands Answers About HHS Cyberattack and $7.5M Theft appeared first on HIPAA Journal.