Category: Cybersecurity News

The Health Sector Cybersecurity Coordination Center (HC3) has released an analyst note regarding BlackSuit ransomware, which is a new ransomware group thought to present a valid threat to the healthcare and public health (HPH) sector.

Security researchers have seen some commonalities between Royal ransomware and BlackSuit ransomware. Royal ransomeware has been active in targeting the HPH industry just like the Conti ransomware group. BlackSuit has previously been employed in an attack on the HPH sector this October 2023, thus it is fair to believe that BlackSuit is going to be employed in more attacks. A medical scans and radiology services provider to over 1,000 hospitals located in 48 states was attacked.

Similar to a lot of other ransomware attacks, BlackSuit ransomware is employed in double extortion attacks, exfiltrating sensitive information before encrypting files. Ransoms should be paid to stop the exposure of the stolen information and to decrypt the coded files. To date, BlackSuit ransomware has just been employed in a few attacks; nonetheless, activity may be increased at any time.

BlackSuit ransomware is thought to be a private group instead of a ransomware-as-a-service operation. Its operation is believed to be managed by people with expertise in carrying out ransomware attacks because of relations with Royal and Conti. A number of cybersecurity researchers have thought that BlackSuit could be a rebrand of Royal ransomware, which carried out a big attack on a Texas city last May 2023 which drew the attention of media and police authorities. BlackSuit first showed up soon after that attack however Royal is still in operation, though BlackSuit was not broadly used thus far, that conclusion is not discounted.

There were Windows and Linux variants of BlackSuit discovered, and just like Royal ransomware, utilize OpenSSL’s AES for encryption. The ransomware utilizes intermittent encryption methods, which are more effective and encrypt files faster. Considering the low number of recognized attacks, it is hard to say which attack strategies are liked by the group. The distribution techniques that are probably utilized are email attachments that contain macros, downloading the ransomware in torrent files, malicious advertisements (malvertising), and distribution through other malware types like droppers, Trojans, and downloaders, which are frequently spread through compromised sites, phishing emails, and phony software updates.

The HC3 Analyst Note  explains the MITRE ATT&CK strategies employed by the Blacksuit group, Indicators of Compromise (IoCs), and suggested mitigations for strengthening defenses. HC3 has additionally suggested reporting any supposed ransomware attacks to the FBI Internet Crime Compliant Center (IC3)and area Federal Bureau of Investigation (FBI) field office.

Data Effectively Encrypted in 75% of Healthcare Ransomware Attacks

Sophos’ new report about healthcare cybersecurity shows that 75% of ransomware attacks on healthcare companies had implemented successful data encryption. Just 24% of surveyed healthcare companies had identified an ongoing attack and stopped it prior to encrypting files. Sophos states this is the best encryption rate and the cheapest rate of disruption observed by the company in the last 3 years. In 2022, healthcare companies stopped 34% of attacks prior to encrypting files.

The percentage of companies that were able to stop an attack prior to encryption is a good indication of security maturity. The healthcare industry only had a low disruption rate of 24%. In addition, this number is decreasing, which implies the industry is losing to cyber attackers and is progressively unable to discover and prevent an ongoing attack.

A lot of ransomware groups make use of double-extortion strategies, encrypting files after data extraction and demanding a ransom payment to decrypt files and stop the exposure of the stolen information. Healthcare ransomware attacks engaged in double extortion tactics increased to 37% compared to previous years. Ransomware attacks are still growing in complexity, threat actors are continually changing and enhancing their strategies, and attack time tables are accelerating, allowing system defenders less time to identify and stop cyberattacks. Sophos states the median time from the beginning of an attack to discovery has already dropped to merely 5 days. Most attacks are likewise planned to take place beyond office hours when workforce levels are smaller. Just 10% of attacks were carried out during normal work hours.

The complex nature of cyberattacks has taken longer recovery time. Just 47% of healthcare companies could recover from a ransomware attack in one week, in comparison to 54% in 2022. According to the Department of Health and Human Services’ Office for Civil Rights, there has been a 278% rise in ransomware attacks on healthcare companies in the last four years; nevertheless, Sophos’s information shows a small decrease in attacks, from 66% (2022) to 60% (2023). There’s likewise a big decrease in the number of healthcare companies giving ransom payments. In 2022, 61% of healthcare companies gave a ransom payment. In 2023, only 42% decided to pay the ransom.

The ransomware threat has become too complicated for many companies to handle on their own. All companies, particularly those in healthcare, must modernize their defensive method of cybercrime, going from being exclusively precautionary to actively tracking and examining warnings 24/7 and getting outside assistance such as managed detection and response (MDR.

Sophos advises building up defenses by utilizing security tools like end-point protection options with powerful anti-ransomware and anti-exploit capabilities, applying zero trust network access to avoid the misuse of breached credentials, utilizing adaptive systems that could respond immediately to attacks in progress to give system defenders additional time and to apply 24/7 threat discovery, investigation, and reaction, whether that is done in-house or through a specific MDR company.

It is additionally necessary to adopt good security practices, like updating software programs and patching immediately, routinely checking security tool settings, routinely backing up, restoring data using backups, and keeping an updated incident response plan.

On August 1, 2023, Prospect Medical Holdings based in Los Angeles, CA discovered suspicious activity in parts of its IT network. The company conducted a forensic investigation to figure out the nature and extent of the data breach, and it was established that on September 13, 2023, an unauthorized third party accessed part of its IT network from July 31 to August 3, 2023. In that period of time, the attacker accessed and/or obtained files that contained the data of a number of patients and workers.

The breached information belongs to patients from these facilities:

• Foothill Regional Medical Center
• Los Angeles Community Hospital
• Los Angeles Community Hospital at Bellflower
• Los Angeles Community Hospital at Norwalk
• Southern California Hospital at Culver City
• Southern California Hospital at Van Nuys
• Southern California Hospital at Hollywood

Prospect Medical Holdings has additionally affirmed that 24,130 present and past workers and dependents from the Waterbury Health and Prospect Medical’s Eastern Connecticut Health Network (ECHN) facilities likewise had their data compromised. The breached data differed from one person to another and might have contained names along with at least one of these data: address, birth date, diagnosis, laboratory results, medicines, other treatment details, medical insurance data, name of provider/facility, treatment date(s), and financial data. A number of patients likewise had their driver’s license number and Social Security number compromised.

Patients began receiving notification regarding the data breach on September 29, 2023, and free credit monitoring and ID protection services were provided to people whose driver’s license number or Social Security number were compromised. Prospect Medical Holdings stated supplemental safety measures and technical security procedures were put in place to better secure and keep track of its systems.

The security incident has not yet been published on the HHS’ Office for Civil Rights breach website; nevertheless, the breach report was submitted to the Maine Attorney General indicating that 190,492 persons were impacted. Prospect Medical Holdings hasn’t revealed which group was responsible for the attack, however, the Rhysida ransomware group has stated that it was behind the attack.

Acquisition Deal in Jeopardy After the Cyberattack

The three Connecticut hospitals that were impacted by the attack are now with Yale New Haven Health under an acquisition agreement. Although the offer to get the facilities was decided in October 2022, that deal is now in doubt after the cyberattack. Yale New Haven Health has increasing issues concerning the purchase of the Waterbury Health and ECHN facilities because of the cyberattack and the declining condition of the facilities.

A representative of Yale New Haven Health stated a multi-party restoration plan was suggested to preserve the deal and that it is involved in conversations with Prospect Medical Holdings and is attempting to come to an agreement on a path onward. In case the deal pushes through, the medical facilities will be in danger of closure because they aren’t financially feasible, which would be devastating for the communities where the hospitals are located.

Up to 2.5 Million McLaren Health Care Patients Affected by Ransomware Attack

15-hospital health system, McLaren Health Care, based in Grand Blanc, Michigan, has reported that it suffered a ransomware attack and warned that the data contained in the stolen patient files could be exposed on the dark web.

The health system detected suspicious activity in its IT systems at the end of August, and it was later established that this was a ransomware attack. During the investigation, the computer network was disconnected from the web, which resulted in disruption throughout its medical facilities, though medical services were made available at all facilities and patient care was not affected

The ALPHV/BlackCat ransomware group professed that it was behind the attack and included McLaren Health Care on its dark web data leak website. ALPHV was created from the now-non-existent Conti ransomware group and is known for attacking medical care institutions. The group states it has exfiltrated over 6 terabytes of information during the attack and states the stolen information consists of the sensitive data of 2.5 million individuals. Though McLaren Health Care states all its networks are restored online, ALPHV states it still has access to the systems of McLaren Health Care via an active backdoor.

A representative for McLaren Health Care stated it is looking into reports of sensitive information being exposed on the dark web and claims cybersecurity experts have not seen any proof that indicates the group continues to access its IT systems. The potentially exposed data is still being reviewed by McLaren Health Care and will send notification letters to the impacted persons when that procedure is finished. At this point, there is no confirmation yet from McLaren Health Care regarding the number of affected patients.

Other healthcare companies that were recently posted in the group’s data leak website included Pain Care Specialists of Oregon, Prestige Senior Living, and MNGI Digestive Health. Data from MNGI Digestive Health was published on the ALPHV leak website after no ransom payment was made. Currently, there is no exposed McLaren Health Care information on the group’s leak website.

Cyberattack on Mount Graham Regional Medical Center

Mount Graham Regional Medical Center based in Safford, AZ, encountered a cyberattack that affected its network, including its data and communications programs. The medical center confirmed in a press release that it is looking into the matter to find out the scope of the event and if patient information was exposed.

A representative of the medical facility affirmed that it has notified law enforcement and third-party specialists were involved to help with the investigation. If the exposure or compromise of patient data is confirmed, the provider will mail notification letters without delay.

The U.S. Department of Homeland Security (DHS) has submitted a report to Congress including recommendations about cyber
incidents reporting to the Federal government. Reports can be harmonized to better safeguard the critical infrastructure of the nation.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) mandates the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to create the requirements for the new cyber incident reporting. Presently, there’s a patchwork of cyber incident reporting requirements throughout the Federal government and the bigger ecosystem. A number of the reporting requirements are about national security, public safety, or economic security, and a few include investor, consumer, or privacy considerations.

To avert duplication and synchronize the reporting of cyber incidents, CIRCIA created a Cyber Incident Reporting Council (CIRC) to coordinate, de-conflict, and harmonize Federal incident reporting requirements and mandates the Secretary of the DHS to submit a report to Congress that determines duplicative reporting specifications, problems to synchronize, the actions the CISA Director wants to do to enable synchronization and suggested legislative revisions to deal with duplicative reporting.

The report contains a number of suggestions for lowering the present difficulty of submitting cyber incident reports, which includes using

• a model definition for reportable cyber incidents
• model timelines for reporting
• ways to better align the content of cyber incident reports
  to move toward using a model reporting form that all federal agencies can adopt

At this time, there are 52 various cyber incident reporting specifications throughout the federal government that are in effect or are proposed. Various agencies got their own reporting specifications, mechanisms, timelines, and ways for understanding reports, and they usually employ various languages to define security events and have varying reporting thresholds.

Certain reporting entities are under more than one federal institution and need to submit a few reports concerning security events, which could be at a moment when they are dealing with and managing cyber events. For example, certain entities need to submit security incident report to the Federal Trade Commission (FTC) Breach Notification Rule as well as the final rule of the SEC on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, whereas there are 8 federal bureaus that demand the reporting of incidents with a cyber nexus for the financial services industry. In the healthcare industry, incidents may need to be reported to the HHS’ Office for Civil Rights, the Food and Drug Administration, and the FTC. The cyber events that require a number of reports may have resulted in breaches of various types of information in distinct systems, and although they may be categorized as individual data breaches they may all have happened during a similar cyber event. This double security incident reporting puts unneeded complexity.

The DHS has proposed that all federal agencies use a model definition of a reportable cyber event, a proposal for which is contained in the report that was created according to a number of suggested practices that are mandated by federal bureaus for describing a reportable cyber incident. The DHS proposes the use of the model by all federal bureaus, as long as is practicable.

The use of model timelines and triggers was likewise suggested, and the DHS proposed that model language be created for late public notifications concerning cyber incidents, for example, when delays are needed to avert alarming a threat actor about the detection of a breach. The DHS has additionally suggested that federal bureaus examine the probability of leveraging a model form for cyber incident reporting and integrating into the report form common data elements, web portals, and other submission systems to make the reporting process simple for reporting entities.

The DHS likewise proposes improving communication among federal agencies and improving present reporting systems, ideally including one portal for reporting security events. The DHS has likewise asked Congress to give the required funds and authority to federal bureaus to enable them to gather and share common information elements, as existing laws, may not allow the disclosure of all data, and for Congress to take away any legal or statutory hindrances that could stop the use of the proposed model provisions and forms.

Medical Records from Prospect Ransomware Attack Appear on Dark Web

Health records exfiltrated during the latest ransomware attack on Prospect Medical Holdings are purportedly being sold on the dark web-based on social media information. The notice of the sale is viewed as a hint for Prospect Medical Holdings to immediately react to the ransom demands of hackers.

A ransomware attack on Prospect Medical Holdings health system last August 3 crippled the operations in 17 hospitals and 166 outpatient centers. Back then, the attackers were unidentified. Nonetheless, a notice appeared on the Rhysida dark leak website last week stating that it is responsible for the attack.

At the same time, the notice announced a public sale of the data stolen during the attack, which included over 500,000 driver’s licenses, Social Security Numbers, passports of employees and clients, patient files (profiles and medical backgrounds), legal and financial documents. It is said that the sale includes a 1.3TB SQL database and 1TB of unique files.

The notice came with a number of snapshots of the stolen information a few of which are confirmed as authentic by comparing the pictures to publicly accessible information, and a price tag of 50 Bitcoin ($1,298,340). The price tag included in the notice is meant to speed up a ransom payment.

It is unknown at the moment if the sale will continue or if Prospect Medical Holdings will agree to pay the ransom. A few services are still not available and employees in specific medical departments are using paper and pen for recording. A representative for Prospect Medical Holdings likewise gave the message that Prospect Medical is aware that unauthorized actors stole its data and is investigating the nature of the breach. When the investigation confirms the involvement of any protected health or personal data, the health system will send the proper notifications as outlined by applicable legislation. Since the investigation is in progress, additional data is still not available at this time, but Prospect Medical Holdings is taking all necessary steps to handle this incident.

PHI Exposed in Mom’s Meals Data Breach

PurFood LLC, the parent company of the Mom’s Meals home delivery meal service, has posted on its website a Notice of Data Event and submitted a Data Breach Notification to the Maine Attorney General after a cyberattack at the beginning of this year wherein personal data associated with 1,237,681 clients, workers, and contractors is thought to have been compromised.

PurFood LLC, doing business as Mom’s Meals, offers refrigerated ready-to-eat foods across the country to clients with particular nutritional needs. In addition to providing to private clients, the company works together with over 500 health plans, managed care companies, and other organizations to give access to meals for individuals covered by Medicare and Medicaid.

Based on a Notice of Data Event posted on its website, Mom’s Meals encountered a cyberattack from January 16, 2023 to February 22, 2023, that led to encryption of client, worker, and contractor information. An investigation into the cyberattack showed the use of data exfiltration software programs to transmit information from the servers of PurFood.

The investigation confirmed that the encrypted data contained personal data and PHI associated with a number of people. Nevertheless, there is no certainty that information was extracted, and the Notice of Data Event states that the organization has not seen any proof of the misuse or further disclosure of the personal info because of the Mom’s Meals data breach.

Nevertheless, the organization has submitted a Data Breach Notification to the Maine Attorney General and is informing potentially affected individuals through U.S. Mail. During the time of publication, the company name doesn’t appear on the HIPAA Breach Report. Nevertheless, based on the Data Breach Notification, the breach was recorded on July 10, 2023, which is when it was discovered.

What Data is Thought to be Taken From the Mom’s Meal Data Breach?

The data thought to have been stolen in the Mom’s Meal data breach consists of birth dates, account data, driver’s license numbers, payment card details, medical data, medical record numbers, Medicaid and Medicare identifiers, treatment details, diagnosis codes, meal categories and expenses, medical insurance details, patient ID numbers, and Social Security numbers.

To stop a recurrence of the incident, PurFood mentions in its breach notification letter that it implemented a couple of steps to reinforce its security system and is going over its current guidelines and procedures to recognize any extra measures and safety measures that might be required. It is furthermore offering credit monitoring, identity theft restoration, and fraud consultation services for one year.

People who get a breach notification letter associated with the Mom’s Meals data breach are encouraged to sign up for the credit monitoring services offered by the company, look at any communication from Medicare, Medicaid, or an insurance company to make sure the services were obtained (and report any differences), and keep an eye on their credit report, putting a freeze on the credit when they are worried about being an identity theft victim.

Johns Hopkins Investigation of Cyberattack and Data Breach

Johns Hopkins Health System and Johns Hopkins University are looking into a cyberattack and data breach that occurred on May 31, 2023
targeting a popular software program. Although there was no mention of the targeted tool in the attack, the date of the breach is the same as the date of the attacks on the MOVEit Transfer managed file transfer solution by Clop/FIN11.

The data breach investigation is still in progress, but the preliminary information suggests that sensitive personal data and financial details were affected, such as names, contact details, and health billing data. Affected individuals will receive notifications in the following weeks as soon as the entire scope of the breach is confirmed. Johns Hopkins has stated that it will provide credit monitoring services to impacted persons. Meanwhile, Johns Hopkins prompts all students, teachers, and their dependents to do something immediately to secure their personal data, such as completing the evaluation of their credit reports, statements, and accounts with strange activity, and getting an alert for fraud and credit freeze by a national credit bureau.

At this point, the number of individuals affected is still not clear.

PHI of 33,000 Maimonides Medical Center Patients Compromised in Cyberattack

Maimonides Medical Center located in Brooklyn, NY reported the unauthorized access to the protected health information (PHI) of around 33,000 patients that was saved on its systems. The medical center discovered the security breach on April 4, 2023 and immediately blocked the unauthorized access. The forensic investigation established the first access happened on March 18, 2023.

The analysis of impacted files showed that most persons just had their names, addresses, and selected clinical data compromised, for example, diagnoses and treatment data; nevertheless, for some people, their Social Security numbers were also compromised. Impacted persons were provided two years of free credit monitoring and identity theft protection services. The medical center hired third-party cybersecurity specialists to look at system security and be sure that enough safety measures were set up, and extra authentication steps were recently enforced.

iSpace Inc. Cyberattack Affects 24,400 Individuals About Data

iSpace, Inc., a company offering insurance eligibility services, has lately begun informing 24,382 people regarding a cyberattack it identified on February 5, 2023. In its notification letter sent to the California Attorney General on May 31, 2023, iSpace mentioned that the forensic team confirmed the occurrence of a system compromise and exfiltration of files from January 30 to February 5, 2023.

The evaluation of the affected files showed that they included names, birth dates, Social Security numbers, diagnosis details, medical insurance group/policy numbers, subscriber numbers, medical insurance data, and prescription details. During the issuance of notifications, there was no report of actual or attempted misuse of the impacted individuals’ data. iSpace stated it employed the assistance of security experts to examine its privacy and security guidelines and practices and will change them as necessary. The late issuance of notifications was because of the long scrutiny and data analysis process, which was finished on March 3, 2023, and the following confirmation of contact details.

Ransomware Attack at Richmond University Medical Center

Richmond University Medical Center (RUMC) located in West Brighton, NY has reported its complete recovery after encountering a ransomware attack in early May. The attack compelled the medical center to deactivate systems and initialize its emergency procedures, and so employees noted patient data by hand as systems were re-established. The investigation of the ransomware attack is in progress to find out the scope of patient information compromised. Affected individuals will receive notification letters after the completion of that process.

PHI of 181,700+ Great Valley Cardiology Patients Exposed

Commonwealth Health Physician Network-Cardiology, also known as Great Valley Cardiology based in Scranton, PA, has informed 181,764 present and past patients concerning a cyberattack and data breach it identified on April 13, 2023. The forensic investigation stated that the data possibly exposed during the attack contained names along with addresses, dates of birth, passport numbers, Social Security numbers, driver’s license numbers, credit/debit card and bank account details, diagnosis, prescription drugs, laboratory test results, and medical insurance/claims details.

Hackers initially acquired access to the systems of Great Valley Cardiology on February 2, 2023. It had access to the systems until April 14, 2023 when the healthcare provider secured its systems. The Department of Homeland Security notified the healthcare provider about the attack. Systems access was acquired due to a successful brute-force attack.

Impacted persons received free credit monitoring and identity theft protection services for two years as a safety measure, even though there was no misuse of patient data reported due to the data breach.

EpiSource Reports Data Breach

EpiSource, the medical coding vendor based in Gardena, CA has reported the potential exposure and compromise of the PHI of patients of its healthcare customers during a cyberattack on its Amazon Web Services (AWS) environment in February 2023.

EpiSource detected the cyberattack on its AWS account on February 20, 2023. The investigation affirmed that an unauthorized person accessed its AWS environment from February 19 to 21, 2023. The forensic investigation affirmed on April 20, 2023, the potential access and theft of health and personal data, such as names, birth dates, addresses, telephone numbers, medical record numbers, health plan ID numbers, provider data, diagnoses, and prescription drugs. EpiSource stated it has enhanced its security controls and tracking practices after the attack. Affected people received one year of free identity theft protection services.

The incident is not yet posted on the HHS’ Office for Civil Rights breach website. Hence, the number of affected individuals is currently uncertain.

25K UPMC Patients Affected by Business Associate Data Breach

University of Pittsburg Medical Center (UPMC) has reported that around 25,000 patients were impacted by a data breach that occurred at a business associate offering billing and collection services. Intellihartx LLC encountered the data breach and sent notifications to the impacted UPMC patients. The breached information included names, Social Security numbers, addresses, and other personal data. Free credit monitoring services were provided to the victims. Intellihartx submitted the breach report to the Maine Attorney General indicating that 489,830 persons were affected.

Because of the Internet of Medical Things (IoMT), it is possible to connect a variety of medical devices to the Internet and operate, configure, and monitore them remotely. These devices can send medical information online to physicians enabling them to quickly take action to alter treatments. The data sent from the devices could be easily added to the electronic medical records. IoMT device usage is growing immensely as it is expected for smart hospitals to double the number of IoMT devices used to 7 million by 2026.

Although there are important benefits to using Internet-connected medical devices, such usage increases the attack surface significantly. There are vulnerabilities in IoMT devices being identified that malicious actors can potentially exploit to get access to the devices and their connected networks. Based on a 2022 FBI report, there is at least one unpatched critical vulnerability found in 53% of IoMT devices and other IoT devices.

Armis, an asset visibility and security company, conducted a detailed analysis of information compiled from medical and IoT devices to determine which IoMT and IOT devices carry the most risk. The Armis Asset Intelligence and Security Platform tracked the data from over 3 billion assets and found the following riskiest connected medical devices.

1. Nurse call systems – 39% of nurse call systems contain unpatched critical vulnerabilities while 48% contain other unpatched vulnerabilities. A malicious actor can exploit a critical vulnerability in a direct or indirect attack and the resulting effects will be critical or significant. In case hackers exploit the vulnerabilities in medical devices, they could access the systems to which the devices connect with, take sensitive information, or change the settings of the devices and put patients in danger.

2. Infusion pumps – 27% of analyzed infusion pumps have at least one unpatched critical flaw while 30% have other unpatched vulnerabilities

3. Medication dispensing systems – 4% of analyzed systems have unpatched critical flaws while 86% have other unpatched vulnerabilities. According to Armis, 32% of the analyzed medication dispensing systems were using unsupported versions of Windows. In all connected medical devices, 19% were using unsupported operating systems considering that IoMT devices usually outlive the lifespans of their operating systems.

IoT devices could likewise bring in substantial risks and give hackers an easy way to get a foothold in healthcare systems. Armis lists the following riskiest IoT devices:

1. IP cameras in healthcare environments – 56% of IP cameras contain unpatched critical vulnerabilities and 59% contain other unpatched vulnerabilities

2. Printers – 37% contain unpatched critical vulnerabilities and 30% contain other unpatched vulnerabilities

3. VoIP devices – 53% contain unpatched critical vulnerabilities and 2% contain other unpatched vulnerabilities

Developments in technology are important to enhance the speed and excellence of care delivery. The healthcare industry is facing a scarcity of care providers, but with more connected care, there is a bigger attack surface, states Mohammad Waqas, Armis’ Principal Solutions Architect for Healthcare. Securing medical and IoT-connected devices, even the building management systems by visual and continuous contextualized monitoring is important to ensuring patient safety.

The increasing volume of wireless, Internet- and network-connected devices and growing cybersecurity threats attacking the healthcare industry made the U.S. Food and Drug Administration (FDA) do something. Companies of medical devices will shortly be obligated to give details concerning the cybersecurity of their units in pre-market submissions to strengthen medical device cybersecurity. The requirements will include

• a software bill of materials that will help identify and patch the vulnerable parts
• cybersecurity steps to protect the devices and sensitive information
• a security plan to address changes throughout the lifespan of the devices

Discussion Draft of NIST CSF 2.0 Core Released by NIST

The National Institute of Standards and Technology (NIST) is currently making changes to the NIST Cybersecurity Framework (CSF) 1.1 and will publish the full draft version 2.0 soon. It published a discussion draft that includes revisions to the Core elements of the Framework. NIST is soliciting feedback on improving the Framework prior to publishing the complete draft. The NIST CSF 2.0 Core addresses the results of the 6 Functions, 21 Categories, and 112 Subcategories and consists of a sample of possible new CSF 2.0 Informative Examples. Though the discussion draft is not yet finished and is just initial, it was released to enhance transparency and show the progress of the finished draft.

Changes were done to the NIST CSF 1.1 to enhance clarity, make sure a steady level of abstraction, deal with developments in technologies and risks, and enhance alignment with domestic and international cybersecurity criteria and procedures. NIST has gotten remarks that version 1.1 of the Framework remains effective at responding to cybersecurity risks yet felt a change was necessary to make it simpler for companies to handle present risks and upcoming cybersecurity issues more efficiently.

NIST got 92 written replies to its January 2023 CSF 2.0 concept paper, comments from working consultations and workshops, 134 written reactions to its February 2022 NIST Cybersecurity RFI, and recommendations at conventions, webinars, roundtables, and events all over the world. All responses were thought of when creating the updated Framework.

Particularly, NIST wants comments on whether the cybersecurity solutions shared in the discussion draft resolve the present difficulties encountered by companies, are in-line with current cybersecurity strategies and resources, and if the updates took care of the submitted feedback. NIST stated recommendations may also be submitted on any parts of the framework where additional enhancements could be made, which include the content, format, and extent of the implementation samples.

NIST has affirmed that other elements of the Framework will be updated and stated there is still a lot of work to do before the intended summer launch of the complete NIST CSF 2.0 draft.

Download and read the discussion draft here.

 

The Federal Bureau of Investigation (FBI), the Multi-State Information Sharing & Analysis Center (MS-ISAC), and the Cybersecurity and Infrastructure Security Agency (CISA), issued a joint cybersecurity alert about LockBit 3.0 ransomware, also referred to as LockBit Black.

The LockBit ransomware gang has been active since September 2019. The group carried out more attacks compared to other ransomware operation in 2022. It has been approximated that LockBit ransomware is linked to about 40% of all ransomware attacks around the world. The group is thought to have done over 1,000 attacks on companies in the United States and has earned over $100 million in ransom.

LockBit as a ransomware-as-a-service operation gets affiliates to conduct attacks in exchange for a percentage of the ransom payments. The group uses double extortion tactics, which entails stealing files before encryption and issuing threats to expose or market the stolen information when there is no ransom payment. Victims are generally small- to medium-sized companies, though there had been attacks on large companies. The average ransom demand is about $85,000 per victim.

The ransomware is actively created and improved into LockBit 2.0 in 2021, then LockBit 3.0 in June 2022. LockBoit 3.0 has attributes comparable to that of BlackMatter ransomware, and it’s likely that a number of the same code was used. Preliminary access to victim systems is acquired through different strategies, which include buying access from preliminary access brokers, insider access, taking advantage of unpatched and zero-day vulnerabilities, Remote Desktop Protocol (RDP) exploitation, and phishing. Affiliates make use of

• Stealbit – a customized data extraction tool
• rclone – an open-source software for cloud storage management
• MEGA – a publicly available file sharing services like to extract stolen information.

The group was responsible for the attacks on the following companies and others:

• Continental – the German auto parts manufacturer
• Advanced – the NHS vendor, which impacted 16 clients in the medical and social care market
• Accenture – IT company
• UK’s Royal Mail

In December 2022, an affiliate of LockBit attacked The Hospital for Sick Children (SickKids) located in Toronto. The group sent an apology to the victim and gave a free decryptor saying the group has kicked out the affiliate for breaking its agreements which forbid attacks on healthcare organizations where attacks may bring about death, such as cardiology centers, maternity hospitals, and neurosurgical departments. But the group permits attacks on pharmaceutical companies, plastic surgeons, and dentists. These guidelines aren’t always imposed, seeing that LockBit affiliates have carried out attacks on hospitals in past times and did not provide free decryptors, for example, the attack on France’s Center Hospitalier Sud Francilien (CHSF).

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center released a threat alert analyst  regarding LockBit 3.0 in December 2022 after knowing about attacks on the Healthcare and Public Healthcare (HPH) industry, and irrespective of the group’s statements, HC3 is convinced LockBit 3.0 presents a danger to the HPH industry. The Joint Cybersecurity advisory  from CISA, the FBI, and MS-ISAC gives information on the most recent tactics, techniques, and procedures (TTPs) linked to the group, Indicators of Compromise (IoCs) technical data for system defenders, and advised mitigations for enhancing cybersecurity stance.

FBI: $10.3 Billion Losses Due to Cybercrime Depicts 49% Increase in 2022

The Federal Bureau of Investigation (FBI) has shared its 2022 Internet Crime Report. According to the report, Cybercrime in 2022 resulted in $10.3 billion losses, higher by 49% or $3.4 billion than in 2021, even though complaints decreased by 5% or 800,944. In the last 5 years, the FBI Internet Crime Complaint Center (IC3) had seen over $27.6 billion in losses from 3.26 million complaints.

According to FBI’s report, ransomware attacks decreased by 36% year-over-year. There were 3,729 complaints received in 2021 compared to 2,385 complaints received in 2022. Even with this decrease, the FBI states that ransomware still presents a substantial risk, particularly to the healthcare industry, which is number one of the 16 critical infrastructure industries targeted by ransomware attacks in 2022 and pretty much saw a rise in complaints. Healthcare companies filed 210 ransomware complaints with IC3 in 2022, whereas it filed only 148 in 2021.

The FBI has noticed more double extortion tactics used in ransomware attacks, in which the attacker steals data before file encryption and demands a payment to get the decryption keys and to stop the exposure or sale of the stolen information. LockBit was linked to 149 reported ransomware attacks; ALPHV/BlackCat was lined to 114 attacks, while Hive was linked to 87 attacks.

A number of cybercriminal groups that have conducted ransomware attacks in the past have turned to extortion-only attacks. That is, stealing data and demanding ransom without encrypting files. The FBI’s records indicate extortion attacks have stayed flat, escalating just a little bit from 39,360 complaints (2021) to 39,416 complaints (2022).

Phishing is still one of the most popular attack methods with 300,497 incident reports, though phishing attacks droppped by 7% year over year. Even with that decrease, phishing continues to be the most prevalent crime type when it comes to victim count with 58,859 complaints, whereas non-delivery/non-payment has 51,679 complaints.

Business email compromise (BEC) placed 9th out of all types of crimes when it comes to complaints; however it placed 2nd when it comes to reported losses. In 2022, the cost sustained due to BEC attacks totals $2,742,354,049. BEC attacks grew by 9% year-over-year though losses due to frauds decreased by 14.5%. BEC was overtaken this year by investment frauds, which had $3,311,742,206 reported losses, higher by 127% than in 2021. The FBI reports an unparalleled escalation in crypto investment tactics in 2022 when it comes to both number of victim count and losses.

There was a significant escalation in tech assistance for scams in 2022, which went up to 3rd place when it comes to losses. Tech assistance scam complaints increased by 36% year-over-year with 32,538 complaints and deficits due to these incidents increased by about 132% or $806,551,993.

The FBI pointed out the importance of reporting cases of cybercrime of any type. Verified assistance will be given to attempt to recoup losses. The IC3 Recovery Asset Team (RAT) got a 73% success rate in freezing money and limiting losses. From $590.62 million in reported deficits throughout 2,838 cases$433.30 million in cash has been froze .

Malicious actors use various ways to acquire preliminary access to victims’ systems. However, in 2022, cybercriminal gangs seemed to concentrate on attacking cloud databases and Remote Desktop Protocol, stated by cyber insurance company Coalition. RDP is a very common way for initial access brokers (IABs) and ransomware groups to acquire access to the networks of victims. RDP is certainly the most frequently employed remote-scanning by threat actors. In 2022, RDP scanning traffic was quite high as information gathered from Coalition’s honeypots showing RDP scans was 37.67% of all observed scans. Every time a new vulnerability is discovered in RDP, scans escalate as threat actors hurry to select targets that may be attacked.

Ransomware is still a major problem. In 2022, the groups more and more attacked cloud databases, particularly MongoDB and Elasticsearch databases, a significant number of which were snagged by ransomware groups. The team found 2,846 Elasticsearch databases and 68,423 MongoDB databases attacked by ransomware in 2022.

The reports of new software vulnerabilities continue to grow in the last 6 years. 2022 had over 23,000 new common IT vulnerabilities and exposures (CVEs) identified, the greatest number among all the years thus far. Coalition forecasts this trend will carry on in 2023 and expects over 1,900 new CVEs appearing every month – a 13% expected increase from 2022. Every month, Coalition is looking at an average of 155 critical vulnerabilities and 270 high-severity vulnerabilities and explained that companies must be cautious and be updated on patching and immediately deal with the security breaks.

With a lot of vulnerabilities currently being reported, patching is a big concern. Considering the many vulnerabilities that need to be resolved by security teams, patching is usually slow-moving, and that allows hackers to have more chances to take advantage of the vulnerabilitites. Immediate patching is important, since most of the newly exposed CVEs are taken advantage of by cybercriminals in 30 days of publicizing the vulnerabilities. The most number is exploited in 90 days. Exploitation could happen unbelievably fast. For example, attackers exploited CVE-2022-40684, the Fortinet vulnerability, in just 2 days after making the public announcement.

Malicious actors usually concentrate on exploiting a small set of vulnerabilities. If they find new vulnerabilities that could be exploited, they are likely to follow their proven exploits and strike as many businesses they can. Although the objective of security teams is to make sure to patch all vulnerabilities immediately, it’s an almost impossible job considering the big number of reported vulnerabilities. The biggest gains can come by putting patching first and making sure the most frequently exploited vulnerabilities are patched first of all. The Cybersecurity and Infrastructure Security Agency (CISA) keeps a listing of identified exploited vulnerabilities, and every year publishes a listing of the most frequently exploited vulnerabilities. All the listed vulnerabilities must be given priorty and patched first.

It is a challenge to effectively prioritize patching because it isn’t always obvious which vulnerabilities are going to be exploited. IT teams usually evaluate vulnerabilities with the CVSS severity score and Exploit Prediction Scoring System (EPSS), still this data is not always readily available at first disclosure of vulnerabilities. Coalition has circumvented this issue by creating the Coalition Exploit Scoring System (CESS) to rate vulnerabilities. CESS utilizes deep learning models that could forecast the CVSS score for a vulnerability according to its description, the possibility of developing an exploit fast according to past availability of exploit for CVEs, and the possibility of using the exploit against Coalition policyholders by recreating earlier attacks.

With a lot of vulnerabilities to deal with, systems frequently remain unpatched for many years, so big swaths of the web are unprotected. Leaders in charge of securing the network require the most appropriate and useful data to take action – and they require an efficient way to prioritize which CVEs to react to. The Coalition has tried to offer that required circumstance and the CVSS/CESS framework to aid cybersecurity frontrunners and practitioners to make educated choices regarding their digital risk and respond immediately to threatening vulnerabilities.

Healthcare Companies Most Frequently Affected by 3rd Party Data Breaches

Attacks on business associates of healthcare companies have gone up to the point that they exceed the number of attacks on healthcare companies. Besides a rise in cyberattacks on third-party vendors, the effect and damage resulting from those attacks have likewise gone up, as per the latest report by Black Kite, a vendor risk management firm.

Every year, Black Kite’s Third-Party Breach Reports evaluates the effect of third-party cyberattacks and data breaches. This 2023, there were 63 third-party breaches analyzed along with the 298 companies impacted. The report stated a doubling of the effect and damage resulting from those breaches. In 2021, about 2.46 companies were impacted by third-party breaches. The number of impacted companies grew to about 4.73 per breach in 2022.

In 2022, 40% of attacks on third parties resulting in data breaches was due to unauthorized system access. Black Kite states that these kinds of attacks grew to such high numbers because of remote workers that makes it possible for cybercriminals to exploit vulnerabilities. 27% of 2022’s third-party breaches involved the use of ransomware; but there was a slight decrease in year-over-year cyberattacks. Black Kite states that the decrease was because of the reduced Russian sanctions, which cut down the Russian cybercriminals’ capability to execute ransomware attacks. The following are the other causes of data breaches: unsecured servers (9.5% of data breaches), earrings (6.3%), phishing (3.2%), and malware (3.2%).

Other notable results reported by Black Kite is an increase in the time of issuing breach notifications to affected companies. There was about 50% increase to the average year-over-year time, which is 108 days from the date of discovering the attack. With the late notifications, cybercriminals get more time to steal and misuse data, causing more problems. The most targeted third parties are technical service vendors (30%) followed by vendors of healthcare services and software services. Healthcare providers were typical third-party breach victims (34.9% in 2022), followed by finance and government (each at 14%).

Global business ecosystems are becoming more complicated, with every company becoming more affected by the cybersecurity mode of their third party vendors. The fact is a company’s attack surface is bigger than the things it can control. Therefore, it is important to assess and keep track of your extended ecosystem to identify vulnerabilities and do something to avoid problems.

The VA Office of Inspector General (OIG) examined the data security at Tuscaloosa VA Medical Center located in Alabama and found inadequacies in three out of the four evaluated security control sections. The OIG inspection included contingency planning, configuration management, security management, and access controls, with inadequacies found in configuration management, access controls, and security management.

Configuration management controls are needed to spot and handle security functions for all hardware and software parts of a data system. OIG discovered inadequacies in database scans, vulnerability management, and remediation. The Office of Information and Technology (OIT) regularly scans for vulnerabilities, and when OIG and OIT utilized similar vulnerability-scanning tools, OIT did not discover all vulnerabilities. OIG found 119 critical-risk vulnerabilities that OIT couldn’t identify. OIG additionally found 301 vulnerabilities that were not mitigated in the expected 30- or 60-days. There were 134 critical-risk vulnerabilities determined on 14% of devices, and there were 134 high-risk vulnerabilities identified on 46% of devices. One high-risk vulnerability was not patched for 7 years.

A number of devices were found to be lacking crucial security patches, which were accessible but were not applied, which put VA systems in danger of unauthorized access, modification, or breakdown. Although database scans are done each quarter, OIT just provided scans for 50 % of the databases, because it could not access all databases as a result of port-filtering problems. Without the finished scans, OIT wouldn’t know of security control flaws that can affect the security position of databases.

Security management settings were evaluated, and OIG discovered one deficiency: a number of actionable plans and milestones were not found or didn’t have adequate information to be actionable. Four access control inadequacies were discovered associated with network segmentation, environmental controls, audit and monitoring controls, and emergency power.

Network segmentation is necessary for medical devices and special-purpose systems, which ought to be put on singled-out systems for protection. A number of network segments that included medical and special-purpose systems didn’t have the required network segmentation controls. 19 network segments made up of 221 medical devices and special-purpose systems didn’t have access control lists used, which permitted any user to gain access to those devices. Logs must be monitored to assess the efficiency of security controls, identify attacks, and investigate at the time of or following any attacks. 50 % of the databases of the Tuscaloosa VAMC were missing. The missing records were for the databases that were not put through vulnerability scanning.

A number of communication rooms were lacking temperature or humidity adjustments, which can have a considerable negative effect on the accessibility of systems, and uninterruptible power supplies were likewise found to be gone, meaning infrastructure equipment would stop to work in power imbalances or outages, bringing about the interruption of information flow and interruption to network resources access.

OIG created 8 recommendations to deal with the inadequacies, 6 to the assistant secretary for data and technology and chief data officer associated with the security problems, and 2 to the Tuscaloosa VAMC director, who needs to make sure communication rooms have enough environmental adjustments and uninterruptible power resources for infrastructure equipment.

A New Mexico federal judge has approved Rehoboth McKinley Christian Health Care Services’ proposed settlement to take care of claims associated with a February 2021 cyberattack. The settlement will pay affected individuals up to a maximum of $4,000 per person for out-of-pocket expenses sustained and lost time in response to the data breach.

Rehoboth McKinley Christian Health Care Services manages a 60-bed acute care hospital and outpatient clinics and offers home health care services in Arizona and New Mexico. The provider detected a security breach in February 2021. The investigation confirmed that unauthorized persons got access to its system from January 21 to February 5, 2021. The attackers accessed the protected health information (PHI) of around 191,000 patients, which include names, contact details, Social Security numbers, health data, and medical insurance data. Patients received notification concerning the data breach last May 2021.

The Charlie et al. versus Rehoboth McKinley Christian Health Care Services lawsuit was submitted on behalf of Leona Garcia Lacey, Alicia Charlie, Darrell Tsosie, and a small child, which has a representing guardian Gary Hicks. Allegedly, Rehoboth McKinley Christian Health Care Services was unable to apply proper safety measures to avert unauthorized access to their PHI and furthermore unnecessarily delayed sending notifications to impacted patients.

The lawsuit claimed Rehoboth McKinley Christian Health Care Services did not follow the New Mexico and Arizona consumer protection laws, and had claims of negligence, breach of implied contract, breach of fiduciary duty, and intrusion upon seclusion. However, the judge rejected the claims for breach of implied contract, intrusion upon seclusion, and the violation of the Arizona Consumer Fraud Act. Rehoboth McKinley Christian Health Care Services had contended that there was no actionable obligation to safeguard the plaintiffs’ information, however, U.S. District Court Judge Steven C. Yarbrough decided that Rehoboth McKinley Christian Health Care Services had a duty of ordinary care to the plaintiffs with regards to the retention of their private data and didn’t show that lost time recovery in relation to the breach wasn’t allowed under state legislation.

As per the conditions of the settlement, the 191,009 people in the class may file claims for as much as $500 to compensate for standard out-of-pocket expenditures, which may include around 4 hours of lost time valued at $15 hourly. Standard expenditures include bank charges, long-distance telephone charges, cell phone and data costs, postage, fuel for local travel, credit report charges, and credit monitoring and identity theft insurance services. Claims could likewise be filed for documented outstanding out-of-pocket expenditures as much as $3,500. Unlike a lot of settlements which are compensated pro rata according to the number of claims, this arrangement will pay the entire $4,000 for all class members. Class members will likewise be given 2 years of free credit monitoring services. Rehoboth McKinley Christian Health Care Services has additionally consented to improve data protection. A final fairness hearing will be on May 24, 2022.

The Office of Inspector General of the U.S. Department of the Interior (DOI OIG) has observed poor password management and enforcement procedures at the Department of the Interior resulting in heightened risk for its critical IT systems. These fundamental password blunders are very typical in the healthcare sector and make it overly easy for threat actors to acquire initial access to systems to launch ransomware attacks as well as other nefarious functions.

A check up was performed on the password difficulty required by the department to know whether its password management and enforcement procedures were useful and could possibly stop malicious actors from employing brute force tactics to acquire unauthorized account access. The DOI OIG discovered a number of password management weak spots and a lot of weak passwords. 4.75% of accounts were protected utilizing variations of ‘password’, which can be cracked immediately by a threat actor. Password-1234 was employed to secure 478 different, unrelated accounts. Five of the 10 most reused passwords have the term password and the number string 1234.

Although the DOI had followed minimum requirements for password difficulty, these guidelines were outdated and not fit anymore for its purpose. There were additionally numerous cases of users using passwords that satisfied those requirements yet were nevertheless quite weak, for example, Changeme$12345 and P@s$w0rd. Without time limits set on passwords, even somewhat complex passwords are weak to brute force attacks. Moreover, with unused accounts that were not deactivated promptly, 6,000 accounts were put at risk.

DOI OIG conducted tests to crack passwords and was able to do so within 90 minutes. DOI rightly guessed about 16% of the passwords. Overall, the test were conducted on 85,944 department passwords. 18,174 passwords or 21% were guessed correctly, which include 288 passwords for accounts with elevated privileges and 362 accounts owned by senior government staff. Besides these password management problems, the DOI did not regularly use multi-factor authentication. The DOI OIG inspection showed 89% of high-value assets didn’t use multi-factor authentication even though it is required for 15 years now. Additionally, when told to show records of which accounts had implemented multi-factor authentication, there was no list presented.

The DOI OIG stated that the ransomware attack on Colonial Pipeline in 2021, which led to the shutdown of the gas pipeline to the Eastern Seaboard of the U.S. creating substantial disruption to nearly half of the country’s fuel source, happened because of the compromise of one password. The password management errors discovered by DOI OIG are very prevalent throughout federal, state, and local governments as well as public and private companies.

The DOI OIG made a number of suggestions for enhancing password management and enforcement, such as

• monitoring MFA
• making sure it is used for all accounts
• establishing new minimum prerequisites for password difficulty consistent with the most recent password suggestions of the National Institute of Standards and Technology (NIST SP 800-63)
• applying controls to track, limit, and avoid setting often used, expected, or exposed passphrases and passwords
• making sure to disable inactive accounts promptly

Vulnerabilities were found in Citrix solutions, Zoho ManageEngine products, and Netgear routers that need quick patching. An APT actor is actively exploiting one Citrix vulnerability, and it is probable that there will be attempts to take advantage of the Netgear and Zoho vulnerabilities on devices without patching.

Active Exploitation of Citrix ADC and Citrix Gateway Vulnerabilities

In the middle of December, companies that utilize the Citrix ADC load balancing and/or Citrix Gateway remote access solutions were encouraged to quickly upgrade to the most recent software versions to repair two critical vulnerabilities, CVE-2022-27518 and CVE-2022-27510. The National Security Agency (NSA) and the Health Sector Cybersecurity Coordination Center (HC3) gave security warnings concerning the vulnerabilities. A Chinese APT actor is known to exploit one vulnerability to execute remote code on vulnerable servers.

According to a new scan by Fox-IT, in spite of active exploitation, a number of servers are still vulnerable. The majority of those servers are found in the U.S. For several weeks now, one vulnerability is being actively targeted. Therefore, all companies that have not applied the most recent version yet must do so right away and likewise check for probable exposure. These are the security advisories from the NSA and HC3

Immediate Patching Required for Critical Zoho ManageEngine Vulnerability

Zoho is informing all customers of its ManageEngine Password Manager Pro, PAM360, along with Access Manager Plus solutions to use the latest version of the software immediately to correct a critical SQL injection vulnerability. CVE-2022-47523 can be taken advantage of by an enemy to acquire unauthenticated access to the after-sales database and accomplish customized questions.

The patches, introduced at the end of December, put appropriate validation and escape of special characters to stop vulnerability exploitation. Users ought to update to Access Manager Plus v4309 and Password Manager Pro v12210, PAM360 v 5801.

Nation-state threat actors have previously exploited ManageEngine vulnerabilities. A Chinese APT actor is believed to have influenced the 2021 vulnerability on Internet-facing servers, as pointed out in a security alert from CISA and the FBI, therefore taking advantage of the recently disclosed vulnerability may be expected. Approximately 11,000 servers control the impacted tools and will be vulnerable when not upgraded to the newest versions.

High-Severity Vulnerability Discovered in Netgear Routers

Netgear has given a security advisory concerning a high-severity pre-authentication buffer overflow a weakness impacting a lot of versions of its routers, which can be taken advantage of by an enemy to bring about a denial-of-service condition. The vulnerability is monitored as PSV-2019-0104 with a CVSS v3 severity score of 7.4.

The vulnerability impacts the RAX35, RAX40, R6400v2, R6400v3, R6900P, R7000, R7000P, R7960P, and R8000P routers. End users ought to upgrade the software program immediately to avoid taking advantage of the vulnerability. The chosen firmware versions are the following:

• R6400v2 + R6700v3 – Version 1.0.4.122
• RAX40 + RAX35 – Version 1.0.2.60
• R6900P + R7000P – Version 1.3.3.152
• R7000 – Version 1.0.11.136
• R7960P + R8000P – Version 1.4.4.94

 

Southwest Louisiana Health Care System, Inc. recently announced the compromise of the protected health information (PHI) of approximately 269,752 Lake Charles Memorial Health System patients. The Louisiana healthcare system’s security team detected suspicious activity on October 21, 2022 and took steps to deal with the occurrence and look into the potential breach. It was confirmed on October 25 that an unauthorized entity got access to the system. The forensic investigators stated that the attack began on October 20 to October 21, 2022 and the attackers stole patient records from the system.

The analysis of the extracted files confirmed they included data such as names, addresses, birth dates, patient ID numbers, medical record numbers, medical insurance data, payment details, and limited clinical data. A number of Social Security numbers were likewise breached. The health system sent breach notification letters to impacted persons on December 23, 2022, and offered free credit monitoring and identity theft protection services to those who had their Social Security numbers exposed.

Southwest Louisiana Health Care System didn’t reveal the precise method of the cyberattack, however, the Hive ransomware group professed to be behind the attack. Although Hive is well-known for employing ransomware for file encryption, the group claims to have only extracted patient records. It did not encrypt the files and issued a ransom demand asking for payment to make sure to delete the stolen information. Payment doesn’t seem to have been given because the Hive group began leaking the stolen information last month.

FoundCare Email Account Breach Affects 14,000 Patients

The federally qualified health center known as FoundCare Inc. based in Palm Springs, FL has reported that unauthorized persons have acquired access to its email account and possibly viewed or acquired email messages and files containing the PHI of 14,194 patients.

The health center detected suspicious activity in its email account on September 2, 2022, and engaged a third-party digital forensics agency to investigate. FoundCare stated it confirmed on October 18, 2022, that the breached files contained patient information. The analysis of those records and checking of patient contact details were done. Currently, FoundCare is sending notification letters to the impacted persons. Information compromised during the cyberattack included the following: names, dates of birth, email addresses, addresses, Social Security numbers, credit card numbers, passport numbers, other government ID numbers, medical insurance details, health conditions, internal patient identifiers, diagnoses, and treatment data. FoundCare mentioned that most of the affected persons only had minimal medical data compromised.

FoundCare has applied the following extra security procedures because of the breach:

• using multifactor authentication for all end users
• stopping basic authentication steps
• including an alert to all emails coming from new email addresses
• giving employees regular phishing awareness training

 

NYC Health + Hospitals Warns Patients Concerning Loss of Device With PHI

NYC Health + Hospitals reports a faulty hard drive that stored the protected health information (PHI) of 2,174 patients was found to be gone from a visual field testing device situated at its NYC Health + Hospitals/Woodhull facility in Brooklyn, NY. Since the drive can’t be located it was not possible to confirm if the records on the device could be accessed, nevertheless, it was stated that the device comprised patients’ names, birth dates, visual field test data, and medical record numbers.

As a result of the breach, NYC Health + Hospitals has re-trained employees on its policy for the right chain of custody for devices comprising PHI when those units are taken out of service. Moreover, a new policy was applied that calls for PHI to be taken from visual testing devices consistently. The training was additionally enhanced to ensure all employees are aware of the need to promptly notify officials about potential breaches of PHI.

Unauthorized System Access Discovered by Missouri Law Firm

Law company Polsinelli PC based in Kansas City, MO, which offers hospitals corporate legal services, states that unauthorized individuals viewed files that had patient records on September 9, 2022, from two locations. A third-party cybersecurity firm investigated the breach and confirmed that the breach did not affect its network and main document repository; nonetheless, the files that were accessed included some patient data, such as names, addresses, birth dates, health insurance details, patient account numbers, medical record numbers, very limited clinical data, and Social Security numbers. St. Luke’s Health Brazosport patients are found to have been affected.

Individuals whose Social Security numbers were impacted got offers of credit monitoring and identity theft protection services. Nevertheless, the law agency believes that no compromised information will be utilized for identity theft or fraud. The HHS Office for Civil Rights already received the breach report, which indicated that 1,220 persons were affected.

Patient Information Exposed Due to Hawaiian Eye Center Cyberattack

Hawaiian Eye Center located in Wahiawa, HI recently began informing a number of patients that unauthorized individuals accessed some of their PHI that was saved on a server. It was discovered on November 2, 2022 that the server was unresponsive. Upon investigation, it was confirmed that an unauthorized individual accessed the server and the network. The attackers also exfiltrated files from the system that contain patient data.

Those files included names, birth dates, addresses, email addresses, driver’s license numbers, Social Security numbers, medical record numbers, and medical insurance data. The eye center informed the impacted persons and offered them single-bureau credit monitoring services. It also engaged third-party cybersecurity professionals to perform an evaluation of its security procedures and systems and implemented appropriate upgrades to avoid more breaches later on.

It is presently uncertain how many persons were impacted.

Insider Data Breach at The Elizabeth Hospice

nonprofit hospice, The Elizabeth Hospice, manages facilities in Carlsbad, Escondido, Temecula, and San Diego, CA. It found out that an ex-employee was sending email messages from her email account at work to a private account when she was working at the hospice. An analysis of the email messages was finished on November 14, 2022. It confirmed that they included first and last names, admission and discharge dates, basic health data, and patient account numbers. The Elizabeth Hospice stated it did not know of any actual or attempted patient data misuse. Still, affected individuals were instructed to be wary and monitor unauthorized activity in their accounts and statements.

It is presently unknown how many people were impacted.

CommonSpirit Health has reported the exposure and potential theft of the protected health information (PHI) of about 623,774 patients because of a
ransomware attack in October 2022. CommonSpirit Health initially announced that it encountered a cyberattack last October 4, 2022, and is posting frequent updates on its site as soon as addtional information regarding the attack is available. The provider discovered the attack on October 2, 2022 and the investigation confirmed that the attackers got access to areas of its system from September 16 to October 3.

The most recent update, released on December 1, 2022, stated that the persons responsible for the attack viewed the information of patients who got healthcare services previously, or affiliates of those persons, from Franciscan Medical Group and/or Franciscan Health (known today as Virginia Mason Franciscan Health) located in Washington state, which includes patients of St. Anne Hospital (previously Highline Hospital), St. Joseph Hospital, St. Michael Medical Center (previously Harrison Hospital), St. Anthony Hospital, St. Elizabeth Hospital, St. Clare Hospital, and St. Francis Hospital.

The breached information consists of names, internal patient IDs, addresses, telephone numbers, and birth dates. CommonSpirit Health mentioned that the breach had no impact on Dignity Health, TriHealth, Centura Health, or Virginia Mason Medical Center facilities.

75,992-Record Data Breach Reported by Suncoast Skin Solutions

Suncoast Skin Solutions based in a Lutz, FL is a medical and cosmetic dermatology practice network. It just began informing its patients about a cyberattack that it discovered on or about July 14, 2021. The network took prompt action to control the attack. Third-party forensics specialists investigated the incident and confirmed the nature and extent of the data breach.

The investigation was completed on October 21, 2022. It was confirmed that the files on the system included patient information accessed during the attack. Nevertheless, the attack did not affect its electronic medical record system. Initial analysis identified the types of data impacted, which was finished on November 8, 2021. That analysis showed that only old patient information was affected.

Suncoast began issuing notification letters to impacted persons on November 28, 2022. Based on the breach notification letter submitted to the Maine Attorney General by Suncoast, the long delay in sending notification letters was because of the nature and volume of the impacted information. The data mining procedure began in December 2021, and it was completed in October 2022. Suncoast stated that in the beginning, so as to follow the HIPAA Breach Notification Rule, it issued a media notice about the data breach on January 7, 2022 and posted it on its website.

The potentially compromised information included names, birth dates, clinical data, doctor’s records, and some treatment data. Credit monitoring services were provided to impacted persons. Suncoast sent the breach report to the HHS’ Office for Civil Rights in July indicating that 57,730 persons were impacted. The new notification sent to the Maine Attorney General shows that 75,992 persons were impacted.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have recently given guidance for federal and private organizations on the reduction and mitigation of distributed Denial of Service (DDoS) attacks.

These attacks are carried out to overload apps and websites with traffic, therefore rendering them inaccessible and stopping legitimate users from getting access to that service. A Denial of Service (DoS) attack leads to a network resource overload that affects all bandwidth, hardware, and software, protocol resource overloads affect the available session or connection sources, and application resource overloads utilize all compute or storage assets.

With DDoS attacks, the traffic originates from several devices that are acting together. They may entail big amounts of traffic and have the probability to trigger hardware troubles. Botnets or slave armies of malware-attacked devices are frequently utilized to execute DDoS attacks at scale, and they are much more prevalent because of the big increase in IoT devices. The botnets are frequently rented out to threat actors, therefore, enabling unskilled individuals to carry out DDoS attacks.

These attacks may be temporary; however, continuous attacks can considerably interrupt critical services, leading to substantial remediation expenses and significant reputational harm. These attacks are just concerned with creating disruption and do not involve getting access to systems or data theft; nevertheless, cybercriminal groups are known to carry out DDoS attacks to distract IT teams at the same time an attack is carried out on another portion of the network. With the focus of security groups focused elsewhere, there is less chance that data exfiltration, malware download, or ransomware deployment will be noticed. It is consequently essential that any response to a DDoS attack does not lead to the neglect of other security monitoring.

Stopping and Minimizing the Effect of DDoS Attacks

What is important to protecting against DDoS attacks and minimizing their severity is preparation. All vital assets and services that are accessible to the public Internet should be identified, with those applications and services prioritized. It is important to implement web application firewalls to secure the most critical assets. Cybersecurity protocols must be implemented, including hardening servers and patching immediately. Understanding how users connect to the services and knowing any chokepoints can make it less difficult to carry out mitigations to stop interruption to key stuff.

Think about enlisting in a DDoS protection service, ideally, a dedicated DDoS protection service, because those offered by ISPs are not as strong and may not safeguard against bigger attacks. These services enable the identification of the source of the attack and will reroute traffic somewhere else. Managed Service Providers can probably assist and provide DDoS protection, which includes giving custom network edge defense services.

Do something to avoid single points of failure, for example, having a high-value asset hosted on a single node. Load balancing throughout multiple loads is recommended. It is additionally important to create an incident response plan, particularly for DDoS attacks. All stakeholders ought to keep in mind their duties through all phases of an attack to make sure a quick and efficient response is possible. You should likewise develop a business continuity plan to make certain that business operations can carry on in the event of an attack, and tabletop exercises must be done to check those plans.

Steps to Take During an Attack

In the event of an alleged attack, like when there is network latency, slow application performance, abnormally high traffic, or the unavailability of websites, technical experts ought to be contacted for support. Check with your ISP to find out if they have an outage, and understand the nature of the attack, like where the traffic is originating from and which apps are being targeted. This will let you to employ targeted mitigations and work with service providers to block the attack immediately.

Although an attack may target a particular application, keep track of other network assets, as they may be concurrently attacked. Specific mitigations for dealing with DDoS attacks are mentioned in the MS-ISAC Guide to DDoS Attacks.

Recovering from a DDoS Attack

Following an attack, continue monitoring all network resources, learn from the response, and revise your incident response plan appropriately to correct any facet of the response plan that didn’t run efficiently. You must furthermore make sure you proactively keep an eye on your network and create a baseline of normal activity since this will enable you to quickly identify ongoing attacks in the future.

The 2022 Mid-Year Report of Check Point has shown that the healthcare sector got the highest percentage increase in cyberattacks among all industries. Cyberattacks in the first half of 2022 are higher by 69% than in 2021. Healthcare currently holds the fifth-highest record in the number of attacks per week, next to the sectors of education, military/government, ISP/MSP, and communications.

According to Check Point’s report, cyberattacks in 2022 have become completely established as a state-level weapon, having seen an unprecedented increase in state-sponsored attacks during the first half of 2022 because of the continuous war in Ukraine. In addition, there’s a significant rise in hacktivism or the employment of private individuals for an ‘IT Army’ for executing attacks. Check Point states the after-effects of this are expected to be experienced by governments and businesses around the world.

The power of cyberattacks to impact day-to-day lives is very clear. In 2022, attacks on TV stations stopped broadcasting, and attacks on critical infrastructure and government units disrupted important services. A lot of these attacks were done in Ukraine, however, this is a global problem. The attack on Costa Rica upset services throughout the country, which include healthcare, and it wasn’t a singled-out incident, with the same attack impacting Peru soon after. Cyberattacks with a nationwide effect could become more prevalent. In education, the ransomware attack on Lincoln College compelled it to shut down after 157 years, and many ransomware attacks on healthcare companies have resulted in serious interruptions to medical services.

There are more cybercriminal groups undertaking attacks for monetary gain on specific companies as nation-state-level attackers. The Conti ransomware operation, because of Costa Rica’s decision not to give ransom payment, wanted to depose the government by inciting a revolution. A number of cybercriminal organizations now have hundreds of people and have incomes of millions to billions of dollars. In a number of instances, these organizations operate like real companies, with a few even getting physical property, and running at that level becomes hard without some support from the governments of the nations where they are located. There has additionally been a pattern that cyber criminals don’t use ransomware entirely, and rather, choose to do plain extortion or data theft and demand a ransom payment. This is what the Lapsus$, Karakurt, and RansomHouse threat groups are doing.

Check Point’s information reveals a 42% increase in cyberattacks around the world from January to June of 2022. The following lists the gathered statistics:

• 23% of business networks experienced attacks with multipurpose malware
• 15% were attacked with crypto miners
• 13% experienced infostealer infections
• 12% experienced mobile attacks
• 8% experienced ransomware attacks

Attacks on the healthcare sector increased by 69% with 1,387 attacks on companies per week on average.

In the Americas, Emotet has become the most frequent malware threat after law enforcement took it down in January 2021 which halted the attacks. Emotet is being employed in 8.6% of malware attacks in the first half of 2022, with an extensive selection of malware variants now being employed, such as XMRig (1.9%), Remcos (2.3%), and Formbook (4.2%).

High-profile vulnerabilities are still being exploited to acquire access to business networks, such as the Apache Log4j RCE vulnerability (CVE-2021-44228), the F5 BIG IP RCE vulnerability (CVE-2022-1388), and the Atlassian Confluence RCE vulnerability (CVE-2022-26134).

Check Point has predicted the attack trends for the rest of the year according to recognized trends in the first half of 2022. Ransomware is likely to be a more fragmented ecosystem, the deactivation of macros will see more varied email infection chains used, hacktivism is predicted to change, and attacks on the crypto and blockchain platforms are anticipated to go up.

Check Point recommends the following cybersecurity improvements:

• installing updates and patches on a regular basis
• installing anti-ransomware solutions
• implementing a prevention-first strategy and approach
• collaborating with the police and national cyber authorities
• improving education regarding cyber threats
• preparing by employing and testing incident response programs that can be
• instantly followed in case of a successful attack

Businesses are seeing the value of cybersecurity and the need to spend more on cybersecurity because threats are changing at a fast rate. The challenge for companies is making sure that their defenses enable them to block the actions of cybercriminals, however, the rate at which data breaches are reported indicates a lot of companies are having difficulties keeping up.

To know how to secure their companies, IT leaders must understand how cybercriminals are breaking defenses. Then, they can decide about the security options they need to spend on that will give good ROI with regards to security.

Keeper Security lately performed a survey on 516 IT decision-makers in the United States to learn how cybersecurity is changing and where companies are purchasing cybersecurity resources. Keeper released the survey results in its U.S. Cybersecurity Census Report for 2022. The report talks about the risks that companies face and the tactics they may follow to better handle cyber threats and to stay ahead of the cyber criminals that are attacking their networks.

Businesses Making Cybersecurity a Key Priority

According to the survey, 71% of companies had new hires in cybersecurity over the last 12 months. But despite more skilled employees, businesses worry that they can’t keep pace with the quick-changing cyber threat landscape.

U.S. company experiences about 42 cyberattacks per year and IT leaders forecast that attacks will grow in the following 12 months. Most of the respondents stated they believe in their capability to protect against cyber threats and that they have the needed cybersecurity tools to guard against attacks, although a majority of surveyed companies encountered a successful cyberattack last year. IT chiefs additionally state that identifying and responding to cyberattacks now takes longer.

The Effect of Cyberattacks on Businesses

31% of companies stated they had suffered a successful cyberattack causing interrupted partner/customer operations. The same number said that attacks brought about stolen financial data. 28% mentioned that the attacks resulted in reputational damage, and the same number also mentioned stolen corporate data. About 25 % said the attacks disrupted the supply chain as well as the trading/business operations. There is a significant financial effect on businesses because of the attacks. The average cost of successful attacks to businesses is $75,000 per case. More or less 4 in 10 companies said that the cost to resolve attacks is over $100,000.

Lacking Technology to Fight Cyberattacks

Although the confidence in cybersecurity defenses was high, the survey showed the technology being employed to protect against attacks was lacking the necessary tools. About 33% of companies have no management system for IT secrets, for example, database passwords, privileged credentials, and API keys. 84% of survey respondents were worried regarding hard-coded credentials in source code, nevertheless, 25% of companies didn’t have any software program to remove them.

58% of Americans today work remotely, yet over 25% of businesses mentioned they have no remote connection management system set up allowing their remote workers to access their IT infrastructure securely.

The survey also discovered identity and access management vulnerabilities. Merely 44% of businesses stated they have employees guidelines on regulating passwords and access management. Three out of 10 companies allow their workers to set and handle their own passwords and confessed that employees often share their passwords. Just 26% of companies said they own a highly advanced framework for visibility and controling identity security.

The laissez-faire method of access management show that there’s more to do to protect businesses and their workers. The following lists the major areas of security that companies plan to spend on in the following 12 months:

• security awareness training (54%)
• developing a culture of compliance (50%)
• password management (48%)
• enhancing visibility to identify network threats (44%)
• infrastructure secrets management (42%)
• passwordless authentication (42%)
• use a zero-trust and zero-knowledge strategy to security (32%)

Although it is good to see numerous companies making cybersecurity the main priority, the survey showed too little transparency regarding cyberattacks at lots of businesses. 48% of IT leaders admitted that they knew about a cyberattack but didn’t report it to the appropriate authority. This shows a need to develop a culture of trust, responsibility, and responsiveness to stop cyber criminals from thriving.

Ransomware attacks still trouble the healthcare sector. The attacks interrupt services because vital IT systems are being shut down. Having no access to electronic health records (EHR) may result in patient safety problems, and it is typical to redirect emergency patients to other hospitals right away after attacks and to postpone appointments.

Lately, cybersecurity company Trend Micro performed a study to look at the effect ransomware attacks have on healthcare companies. The study was participated by 145 companies and IT decision-makers within the industry. Sapio Research did a more substantial worldwide study on the ransomware threat participated by 2,958 IT security decision-makers in 26 nations.

Trend Micro’s study shows that 25% of all data breaches today are due to ransomware. From 2017 to 2021, ransomware attacks went up by 109%, and there’s a 13% year-over-year increase in attacks in 2022. These attacks are causing a serious effect on healthcare companies, which are actively attacked by a number of ransomware groups.

57% of healthcare companies stated they had encountered a ransomware attack in the last 3 years. 86% of healthcare companies that experienced a ransomware attack had operational shutdowns because of the attack. 25% of companies that encountered an attack were compelled to totally stop operations. 60% mentioned that certain business functions were interrupted as a result of an attack.

The time to recover from these attacks may be substantial, with healthcare companies facing interruption to their services for prolonged time periods. 56% of companies that participated in the survey stated it took a few days to recoup from the ransomware attack, with 24% indicating it took a few weeks to completely bring back operations following an attack.

Stealing data is now prevalent in ransomware attacks with attackers issuing threats to post or sell the stolen information in case the ransom is not paid. This strategy has become so profitable that a number of cybercriminal groups have left ransomware completely and only steal data and issue threats to publish when payment is not given. 60% of surveyed companies stated sensitive information was stolen and exposed by the threat actors, with the information theft and leakage resulting in reputational ruin, compliance problems, and increasing costs of the investigation, remediation, and clean-up.

The research signifies healthcare companies are proactively countering the threat and improving their security. 95% of surveyed companies mentioned they are patching immediately to handle software vulnerabilities, 91% have put in place extra controls to stop malicious email attachments from landing in inboxes, and adopted enhanced detectors and response solutions for their network (NDR) and endpoints (EDR) is increasing, just like the usage of extended detection and response (XDR) tools.

There is additionally great concern regarding supply chains. 43% of survey respondents stated their partners turned them into more appealing targets for attacks, 43% stated they lack awareness throughout the ransomware attack chain making them more susceptible to attacks. 36% stated the insufficiency of visibility throughout attack surfaces made them a much bigger target.

Nevertheless, the survey showed a number of security gaps. For example, 17% of survey respondents didn’t have any remote desktop controls ready, in spite of RDP vulnerabilities frequently being taken advantage of to obtain initial access to healthcare systems. There is substantial room for development regarding threat intelligence sharing, as 30% confessed to not discussing threat information with partners, 46% never give threat intelligence to suppliers or the broader ecosystem, and one-third (33%) mentioned they never share any data with the authorities.

Merely 51% of companies utilize NDR, 50% employ EDR, and 43% utilize XDR, with just 46% of companies tracking living-of-the-land strategies like the malicious usage of tools including PsExec and MimiKatz. Just 42% claim they could identify initial access and only 32% could identify lateral movement.

In the healthcare industry, ransomware could have a possibly very real and very harmful physical effect. Operational outages endanger patient lives. So healthcare companies must get better at recognition and response and share with their partners the relevant intelligence to protect their supply chains.