The Health Sector Cybersecurity Coordination Center (HC3) has issued a healthcare and public health (HPH) sector alert about credential harvesting, one of the most common tactics used by hackers in cyberattacks on the HPH sector.

While there are more secure ways of authenticating individuals and controlling access to accounts and resources, credentials such as usernames, passwords, and personal information are commonly used. Credentials provide access to online accounts, email systems, patient data, and network resources. If credentials are obtained, hackers will gain the user’s privileges and a foothold in the network.

Credential harvesting leads to data breaches, but oftentimes credential harvesting is the first stage in a much more extensive attack. The access may allow a hacker to compromise further accounts and escalate privileges, exploit vulnerabilities in internal systems, deploy malware, move laterally within the network, disrupt administrative functions, and cause system downtime, which can impair healthcare professionals’ ability to provide patient care.

Credential harvesting is most commonly associated with phishing, but credentials can be obtained using a variety of methods, the most common of which are:

• Phishing: The use of deceptive messages to trick users into disclosing their login credentials, often on attacker-controlled websites
• Keylogging: Malware that records keystrokes as they are entered by users, including usernames and passwords.
• Brute Force Attacks: Automated attempts using numerous combinations of usernames and commonly used passwords until the correct combination is identified.
• Person-in-the-Middle (PITM) Attacks: The interception of communications between two parties, capturing login credentials exchanged during the authentication process.
• Credential Stuffing: The use of credentials obtained in one data breach to access accounts on other platforms/systems where the same username/password combinations have been used.

Since there are a variety of ways that credentials can be harvested, there is no single mitigation that can protect against this tactic. Healthcare organizations need to be proactive and implement several mitigations to reduce risk. Multi-factor authentication (MFA) is one of the most important security measures as it adds an extra layer of authentication. If credentials are compromised, without the additional authentication, account access will not be granted. Phishing-resistant MFA provides the highest level of protection.

Many credential harvesting attacks use email to make initial contact with users. Email filtering solutions such as spam filters will block the majority of these messages and prevent them from reaching end users; however, even the most advanced email security solutions will not block all malicious messages. Employee training and awareness are therefore important. Members of the workforce (from the CEO down) should be educated about phishing and other credential harvesting methods and be taught cybersecurity best practices.

Monitoring and detection solutions should be used to identify suspicious login attempts and suspicious user behavior, endpoint security solutions can protect against malware such as keyloggers, systems should be kept up to date to prevent the exploitation of vulnerabilities, and organizations should ensure they have comprehensive incident response plans to minimize the harm caused should an attack prove successful.

This is the second sector alert to be issued by HC3 this month on tactics used by malicious actors in attacks on the HPH sector. The earlier alert covers email bombing, which is used for denial of service attacks.

The post HHS Shares Credential Harvesting Mitigations appeared first on HIPAA Journal.

This week, Senator Mark R. Warner (D-VA) introduced new legislation that will allow for advance and accelerated payments to healthcare providers in the event of a cyberattack. The new legislation was introduced in response to the recent ransomware attack on Change Healthcare, which caused an outage that lasted for more than 4 weeks. The outage prevented physicians and hospitals from processing claims, billing patients, and checking insurance coverage for care, and the reimbursement delays have left many healthcare providers struggling to pay workers and buy supplies, with some placed at risk of becoming financially insolvent.

Given the increase in cyberattacks on the healthcare sector in recent years, a major attack that caused massive nationwide disruption to healthcare was an inevitability, and there will likely be other highly damaging healthcare cyberattacks in the future. The Health Care Cybersecurity Improvements Act of 2024 will help to ensure that in the event of another attack, healthcare providers will not face such challenging financial problems.

Sen. Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, has been sounding the alarm about healthcare cybersecurity for some time. In 2022, he published a white paper that framed cybersecurity as a patient safety issue. The Change Healthcare ransomware attack demonstrated how a cyberattack can prevent patients from receiving timely care and essential medications. “The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”

The Health Care Cybersecurity Improvements Act of 2024 will allow for advance and accelerated payments to healthcare providers in the event of a cyber incident; however, they would only qualify if they and their vendors meet minimum cybersecurity standards. In the press release announcing the new legislation, Sen. Warner did not mention what those minimum cybersecurity standards are, as that will be left to the HHS Secretary to determine.

Currently, in certain situations, Medicare Part A providers (such as acute care hospitals, skilled nursing facilities, and other inpatient care facilities) and Part B suppliers (including physicians, nonphysician practitioners, durable medical equipment suppliers, and others who furnish outpatient services) can experience cash flow difficulties due to specific circumstances that are beyond their control, as happened following the Change Healthcare ransomware attack. The Centers for Medicare and Medicaid Services (CMS) has provided temporary financial relief to Medicare Part A providers and Part B suppliers through Accelerated and Advance Payment (AAP) programs, which provide advance payments from the federal government, which are later recovered by withholding payments for later claims.

The Health Care Cybersecurity Improvements Act of 2024 will modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program. If the legislation is passed, the HHS Secretary will determine if the need for payment results from a cyber incident, and if it does, the healthcare provider requiring the payment must meet minimum cybersecurity standards, which will be determined by the Secretary. For instance, a healthcare provider may be required to implement the essential cybersecurity performance goals recently announced by the HHS. If the provider has implemented those minimum cybersecurity measures and the provider’s intermediary was the target of the incident, the intermediary must also meet minimum cybersecurity standards in order for the provider to receive the payments.

If passed, the act would take effect two years from the date of enactment, which will give healthcare organizations sufficient time to ensure they comply with the cybersecurity requirements set by the HHS Secretary.

The post Legislation Introduced to Provide Advance Payments to Providers Affected by Cyberattacks appeared first on HIPAA Journal.