IT Security Company COO Pleads Guilty to Conducting Cyberattack to Win Business

The Chief Operating Officer (COO) of the Atlanta cybersecurity firm Securolytics has pled guilty to one count of intentional damage to a protected computer after masterminding a series of attacks on Gwinnett Medical Center in Georgia in an attempt to win new business.

Vikas Singla was indicted by a federal grand jury on June 8, 2021, for a series of attacks on Gwinnett Medical Center in Duluth and Lawrenceville, GA. The September 2018 attacks disrupted the medical center’s phone and network printer services, stole data from a Hologic R2 digitizing device, and caused damage to 10 protected computers. According to the indictment, Singla was aided and abetted by other (unnamed) individuals in attacks that were conducted for financial gain and commercial advantage. Singla was charged with 17 counts of causing damage to a protected computer and one count of information theft, and faced a maximum jail term of 10 years for each of the counts of damaging a protected computer and a maximum of 5 years in jail for the data theft count. Singla initially entered a not guilty plea and was released on bond while he awaited trial. An Atlanta magistrate judge recommended dismissing the criminal charges against Singla; however, in March 2023, a federal judge rejected those recommendations. Singla’s attorneys then negotiated a plea deal under which Singla would agree to plead guilty to one count of intentional damage to a protected computer.

Singla admitted to sending a command on September 27, 2018, that resulted in the modification of a configuration template on the ASCOM phone system of the Gwinnett Medical Center campus in Duluth. The command rendered all phones connected to the system at the time of the transmission inoperable, and more than 200 ASCOM handset devices were taken offline. The phone system was used internally by doctors, nurses, and other staff members for communication, including code blue emergencies, and the ASCOM devices were also used for external communications.

Also on September 27, 2018, the protected health information of 300 patients was stolen from a password-protected Hologic R2 digitizing device, including names, dates of birth, and gender. The same day, Singla sent a command to more than 200 network printers, which caused them to print out patient data obtained from the digitizer, along with the message “WE OWN YOU.” The printers were used by the hospitals in connection with patient care.

A few days after the attack, Singla caused a Twitter account to post 43 messages claiming that the Medical Center had suffered a cyberattack, with each of those messages containing the name, date of birth, and sex of a patient obtained from the digitizing device. In the days that followed, Singla attempted to create and use publicity about the attack to generate business for his company and emailed several potential clients offering them the services of Securolytics. The attacks resulted in financial harm of $817,804.12 to Gwinnett Medical Center.

According to Singla’s attorneys, incarcerating him would interfere with medical care for a rare case of terminal cancer and a dangerous vascular condition. Under the plea deal, the Department of Justice will recommend 57 months of probation, which will include home detention, and Singla has agreed to pay restitution of $817,804.12 to the medical center. The plea deal means Singla has given up his right to enter a not guilty plea and have a jury trial. The judge can impose a maximum term of 10 years imprisonment for the count of causing damage to a protected computer, followed by up to 3 years of supervised release. A fine of up to twice the loss may also be imposed, on top of full restitution.

Singla is due to be sentenced on February 15, 2024.

The post IT Security Company COO Pleads Guilty to Conducting Cyberattack to Win Business appeared first on HIPAA Journal.

CISA Publishes Mitigation Guide for the Healthcare and Public Health Sector

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a new mitigation guide for the Healthcare and Public Health (HPH) Sector for combating pervasive cyber threats affecting the sector. The guidance is a supplemental companion to the HPH Cyber Risk Summary, published by CISA on July 19, 2023, and maps CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) to the 405(d) Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients guidance that was jointly published by the Department of Health and Human Services (HHS) and the Health Sector Coordinating Council (HSCC).

CISA has identified vulnerabilities and insecure configurations across the HPH sector that present opportunities for mitigating risks before they can be exploited by threat actors. The top vulnerabilities in the HPH sector are web application vulnerabilities, encryption weaknesses, unsupported software and Windows operating systems, known exploited vulnerabilities, and vulnerable services. These vulnerabilities are commonly exploited in phishing, ransomware, and denial of service attacks, and often lead to data breaches. The 25-page guidance document outlines three mitigation strategies for improving defenses against the most common attack vectors and includes recommendations and cybersecurity best practices for asset management and security, identity management and device security, and vulnerability, patch, and configuration management.

Knowing what assets are on the organization’s network is fundamental to cybersecurity. All assets must be known, as well as their relationships and interdependencies, the functions of each asset, what each exposes, and the software/firmware that each is running. Organizations that have not implemented and maintained a complete inventory of all assets risk exposing vulnerabilities and services that can be exploited by threat actors. Once the asset inventory has been created, healthcare organizations can focus on securing all assets, segmenting networks to limit the potential for lateral movement, and using demilitarized zones (DMZs) and firewalls to shield assets from unauthorized access. The guidance includes recommendations for network segmentation, securing vulnerable and exploitable services, and asset security mitigations.

As the HPH sector continues to transition from on-premises to online systems, it is vital that devices and digital accounts are properly secured through effective identity management and device security controls. The guidance suggests several focus areas, including email security and phishing prevention, access management, password policies, data protection and data loss prevention strategies, and logging and monitoring for unauthorized access.

Vulnerabilities and weak configurations are commonly exploited by cyber actors to gain initial access to internal systems and data. CISA stresses the importance of proactively scanning devices and systems for vulnerabilities or technology flaws that threat actors could exploit, and engaging in a continuous process of identifying vulnerabilities, assessing and prioritizing threats, mitigating vulnerabilities, verifying vulnerabilities have been addressed, and improving defenses. In addition to vulnerability management, HPH entities should implement security configuration management (SecCM) to identify and address misconfigurations in default system settings.

In addition to the recommendations for healthcare organizations, CISA has urged technology manufacturers to adopt secure-by-design principles, to build the necessary security measures into their products for the entire product lifecycle, and to ensure that their default configurations are secure.
