Michigan Law Company and Medical Imaging Companies Report Breaches of Patient Data

The Michigan law firm, Warner Norcross and Judd LLP, has distributed breach notification letters to 255,160 people telling them about a security breach in October 2021 resulting in the potential access and exfiltration of files containing their personal data and protected health information (PHI). The breach was discovered on October 22, 2021. In the substitute breach notification, there was no mention of when, and for how long, unauthorized persons got access to its systems.

A digital forensics company helped to investigate the nature and magnitude of the data breach and conducted a programmatic and manual evaluation of the files on the affected areas of its network. The assessment showed that the files held information like names, dates of birth, government-issued IDs, driver’s license numbers, Social Security numbers, annual compensation amounts, benefit contribution details, credit or debit card numbers, debit card or credit card PINs, financial account or routing numbers, patient account numbers, passport numbers, health data, and life insurance policy data.

The Michigan Law company sent notification letters to impacted people in August and provided details on tips that persons can do to decrease the risk of identity theft and fraud, however it would seem that credit monitoring and identity theft protection services are not available. The law company stated it is going to take steps to enhance security to stop other security breaches.

Medical Imaging Firms Announces PHI Breach

Gateway Diagnostic Imaging, a company operating 12 medical imaging centers in North Texas, and Radiology Ltd, a medical imaging organization based in Tucson, AZ, have recently began alerting a number of patients regarding a breach of systems that held patient records. The data breach was noticed on December 24, 2021, and the following forensic investigation confirmed that unauthorized people acquired access to its systems between December 17 and December 24, 2021.

The data on the compromised systems comprised data like names, Social Security numbers, birth dates, addresses, medical insurance details, patient account numbers, medical record numbers, physician names, dates of service, and details associated with the radiology services received.

As a safety measure against identity theft and fraud, the firm offered to the affected persons a complimentary 12-month membership to the credit monitoring and identity theft protection service of Equifax Credit Watch Gold. Additional safeguards are also being enforced to avoid more security breaches, and improvements were made to its monitoring features.

The breach is not posted yet on the HHS’ Office for Civil Rights Breach portal so it is currently not clear how many people were impacted.

LastPass Data Breach Results in Theft of Source Code

LastPass, the provider of the most popular password management solution in the world, announced a cyberattack and information breach. As reported by LastPass, there are about 30 million users of its password manager tool around the world, including 85,000 business customers. Notifications were sent to clients to notify them regarding the cyberattack and offer reassurances that although a number of company data were stolen because of the attack, users’ password vaults were not affected and the cyberattack did not result in any problems to its products or services.

Based on the notice released two weeks ago, LastPass found out that an unauthorized individual had acquired access to one programmer’s account, which allowed the attacker access to the LastPass creator’s environment. LastPass stated steps were quickly taken to control the attack and stop continuing unauthorized access, with the forensic investigation verifying the attackers stole sections of its source code and some exclusive LastPass technical data.

Just like the case with a lot of other password management tools, LastPass operates under the zero-knowledge model, meaning it got no access to its end users’ encrypted password vaults. Only individual end users could access their password vaults using the master password and doing multi-factor authentication validations (if MFA is enabled). Karim Toubba, LastPass CEO, mentioned that there’s no evidence that the incident permitted any access to end user information or encrypted password vaults, thus, users don’t have to alter their master passwords.

LastPass stated it is presently analyzing further mitigation methods and will be taking steps to reinforce the protection of its environment. This is not LastPass’ first experience of a cyberattack. In 2015, the company encountered an attack in which hackers had obtained the usernames of selected customers, along with their hashed master passwords. LastPass enforced a password reset as a preventative measure. Since only hashed passwords were stolen, just the end users who had set weak master passwords were at risk.

LastPass users were also targeted in a credential stuffing campaign. LastPass cautioned its users in late 2021 that it had discovered strange, attempted login activity and had seen a slight increase in security notifications associated with user accounts. The investigation affirmed this was because of credential stuffing attacks, where threat actors utilize usernames and passwords compromised in third-party data breaches to try to get access to accounts on other systems. These attacks can just succeed when passwords are reused on multiple accounts. When a unique master password is employed for an account, it will be safeguarded against credential stuffing attacks.

Cyberattacks on password managers are fairly unusual and though such an attack can possibly permit a threat actor to gain access to a user’s password vault, password managers remain recommended and could significantly enhance password security. All end users of password managers ought to make sure they pick a long, complicated, and unique password or passphrase for their password manager account. They should use multi-factor authentication. For even more security, consider utilizing the secure password manager’s username generator, when that feature is available.

Data Breaches Announced by the Onyx Technologies, San Diego American Indian Health Center, and New Jersey Department of Health

Onyx Technologies located in Largo, MD, a firm providing IT and Consulting Services and a vendor of Independent Care Health Plan (iCare), lately advised 96,814 health plan members concerning the likely exposure of some of their protected health information (PHI).

Onyx learned on June 28, 2022 that unauthorized persons had accessed its computer systems and may have obtained access to the PHI of iCare members, such as names, birth dates, addresses, telephone numbers, iCare member ID numbers, Medicare ID Numbers, dates of service, and names of the provider.

Onyx stated that an evaluation of its computer networks was quickly carried out, and a security agency helped with the analysis. Systems access was recovered on July 7, 2022. As per Onyx, a server may have been taken out or accessed starting on March 29, 2022 and ending on June 28, 2022. On July 15, 2022, the security company discovered that certain information associated with members might have been viewed.

Onyx mentioned it didn’t uncover any proof that indicates any of the impacted data was identified. Impacted persons were provided complimentary two-year credit monitoring and identity theft protection services.

27,367 Individuals Affected by San Diego American Indian Health Center Breach

San Diego American Indian Health Center has informed 27,367 present and past patients that unauthorized people acquired access to areas of its network and exfiltrated files that contain some of their PHI.

The health center discovered the security breach on May 5, 2022, and took prompt steps to safeguard the system and avoid further unauthorized access. The investigation by a digital forensics agency affirmed on July 22, 2022 the compromise of patient information, such as names, driver’s license numbers, state identification card numbers, tribal ID card numbers, medical details, medical insurance data, dates of birth, and Social Security numbers.

San Diego American Indian Health Center stated it is not aware of any actual or attempted misuse of patient data. Impacted persons have been given free credit monitoring and identity protection services and action had been undertaken to strengthen security to stop more data breaches.

New Jersey Department of Health Warns Patients Concerning Vendor Data Breach

The New Jersey Department of Health, Division of Behavioral Health Services lately reported on the theft of the protected health information of a number of patients of Trenton Psychiatric Hospital and the Anne Klein Forensic Center in a security incident that occurred at a vendor offering the hospitals medical translation and dictation services.

Unauthorized people obtained access to sections of the vendor’s systems and extracted files that contained the PHI of patients. The vendor advised the NJ Department of Health concerning the information breach on June 30, 2022. It is presently unclear which vendor was affected, the types of data exposed, and the number of persons impacted by the data breach. The affected hospitals will inform the patients directly when they are impacted.

58% of Healthcare Providers Have Enforced Zero-Trust Initiatives

There is a noticeable increase in the number of healthcare providers that have enforced zero trust initiatives, as reported by Okta in its 2022 State of Zero Trust Security report. In 2022, 58% of surveyed companies said they had or have begun employing zero trust initiatives, up by 21 percentage points from the 37% a year ago. Moreover, 96% of all healthcare respondents stated they either had or are preparing to use zero trust within the next 12 to 18 months, higher than 91% last year.

The traditional method of security considers devices and apps within the network perimeter as trusted since they are behind the security of perimeter defenses; nonetheless, that strategy does not do well in the cloud, where there is no perimeter to secure. The concept of zero trust is, “never trust, always verify”. Zero trust presumes that every device and account might be malicious, irrespective of whether it is inside or outside the network perimeter. With zero trust, every device, account, application, and connection are subject to tough authentication inspections, the principle of least privilege is applied, and there’s extensive security checking.

Okta explained that “Zero Trust is a sound guiding rule, but getting there is a complicated proposition, needing several deeply integrated best-of-breed solutions working easily together. Every organization has a distinct starting situation, diverse resources, and different priorities, leading to unique journeys to get to a similar destination-true Zero Trust security.

Adopting Zero Trust in Healthcare

There’s been a substantial growth in medical and IoT devices, programs, and cloud-based tools, which has considerably expanded the attack surface. Therefore, security teams find it more challenging to protect against cyberattacks utilizing traditional protection strategies. Zero trust provides a solution and most healthcare providers that have not yet used zero trust initiatives state they have a plan in place to use zero trust in the following 6 to 12 months.

98% of healthcare survey participants mentioned identity has a significant part in their zero trust strategy, with 72% rating it essential and 27% rating it critical, with the most urgent projects using Single Sign-on for workers and securing access to APIs. Presently, merely 6% of healthcare respondents stated they have context-based access policies set up. However 40% mentioned they will be rolling these out within the upcoming 12-18 months, and all healthcare participants considering using SSO, MFA, or both for SaaS applications, internal programs, and servers in the following 12-18 months.

The most crucial factors for managing and enhancing access to internal resources were the following: device trust, geographic area, and trusted IP address, then the time of day or working hours-based access, and if the resource seeking to be accessed is very sensitive. Healthcare companies are likewise shifting away from password-based authentication. Use of passwords declined from 94% of healthcare providers in 2021 to 85% in 2022, as push authentication use increased from 16% in 2021 to greater than 40% in 2022.

Okta explained that usage of a Zero Trust framework offers a strategy that makes it less difficult for firms to continuously evaluate their security posture and the relative maturity of their model, and identify the appropriate security options to speed up their progress at each stage of their journeys. Nevertheless, there are difficulties for healthcare companies, and the most important is the present talent and skill scarcity. In view of the talent/skill deficiency experienced worldwide, organizations must find options that help them move along their Zero Trust journeys without creating the need for extra finances, headcount, or training resources. They have to find solutions that integrate with their current security ecosystems to acquire the best value.

Cyberspace Solarium Commission Co-Chairs Asks HHS to Enhance Threat Data Sharing with HPH Industry

Congressman Mike Gallagher (R-WI) and Senator Angus S. King Jr. (I-ME), Co-Chairs of the Cyberspace Solarium Commission, wrote to Secretary Xavier Becerra of HHS, to express their fears regarding the insufficiency of disclosing actionable threat data with industry associates to aid the health and public health sector (HPH) deal with present cybersecurity issues.

The lawmakers mentioned in the letter that the COVID-19 pandemic showed a number of the systemic problems confronting the HPH sector, and at that time when healthcare personnel was coping with amplified workforce problems, cybercriminals and nation-state threat actors attacked the HPH industry and ransomware attacks exploded.

They say cyber threat actors found that the HPH industry was more likely to give ransom payments to maintain patient privacy and the big volumes of sensitive patient information are kept by healthcare suppliers making them appealing targets for scammers and nation-state attackers. The lawmakers lauded the work of the White House and the HHS on bettering cybersecurity in the HPH industry yet are worried about the deficiency of solid and timely disclosure of actionable threat data with industry associates. They mentioned it is necessary to considerably increase the Department’s abilities and resources because of the exponential increase of cyber threats, and that it is necessary to prioritize dealing with the HPH sector’s cybersecurity issues.

King and Gallagher have asked for the HHS Secretary’s briefing to talk about the standing of the department’s attempts to reinforce its capabilities and operationalize ventures with companies throughout the HPH industry. That is only feasible to perform effective oversight when they know the problems that the HHS and the HPH industry are dealing with.

Particularly, they have asked for data about the present organizational framework, roles, and duties that the HHS uses to help HPH cybersecurity and work as the Sector Risk Management Agency (SRMA) for the whole HPH.

  • The present authorities – the HHS needs to boost the cybersecurity of the HPH industry
  • The resources, such as employees and budget – the HHS needs to be an efficient SRMA
  • The interagency coordination structures employed to help the HHS’s efforts and the cybersecurity work of the HPH industry, the achievements reached, and the challenges encountered.

The lawmakers have additionally asked for an unclassified threat report from the HHS on present cybersecurity threats to the HPH industry.

Most Popular Malware Variants in 2021

The U.S. Cybersecurity and Infrastructure Security Agency has released a listing of the top malware variants discovered in 2021. Threat actors use malware to attack devices, allowing them an entry point into devices and systems to do a variety of nefarious activities. Malware is detrimental to sabotage systems, for instance, wipers that erase all information in systems. The surge in the price of cryptocurrencies resulted in a growth in the usage of cryptocurrency miners that hijack the information of systems for mining cryptocurrencies. Worms and other malware can breach one device and likewise self-propagate and affect all other vulnerable gadgets on a system.

Recently, the use of ransomware greatly increased. Ransomware encrypts data on attacked systems to make information inaccessible. Ransom demand is sent to the victim in exchange for the decryption keys. The majority of ransomware variants support information exfiltration. Before encryption, files are stolen. The ransom payment should then be given to decrypt files and also to stop the public posting or sale of the stolen information. Although ransomware is a kind of malware, it is usual for threat actors to use it like the Remote Access Trojans (RATs) to obtain preliminary access to systems, and sell the access to ransomware groups.

Malware is downloaded utilizing different attack vectors. Malware is often sent through email, upon the exploitation of vulnerabilities in Remote Desktop Protocol, and by taking advantage of identified vulnerabilities in software programs. Preliminary access to accounts may be obtained by using brute force tactics to figure out weak credentials. Because of different attack vectors, there is no one cybersecurity control that could be employed to prevent all malware attacks. It must additionally be mentioned that although antivirus software program can identify malware according to malware signatures available in the definition lists of the software program, it can’t prohibit malware except if the signature is found in the definition list. Different variants of malware are launched, and small adjustments could be all that are needed to avert antivirus remedies.

In 2021, the most popular types of malware employed in attacks are banking Trojans, remote access Trojans, malware, and information stealers. The leading malware variants were:

Information Stealers – Agent Tesla, AZORult, Formbook, NanoCore
Information Stealer and Banking Trojan – Ursnif
Trojon Information Stealer – LokiBot
Ransomware dropper – MOUSEISLAND
Banking Trojan – Qakbot – This is often utilized for reconnaissance and information exfiltration, and sending more malware payloads
Remcos – Remote management and pen testing tool employed to develop a backdoor in system of victims
Banking Trojan cum botnet cum malware dropper – TrickBot
Malware loader – GootLoader

These malware variants have been employed in attacks for many years and have progressed to become more elusive and offer them new functionality. AZORult, Agent Tesla, Formbook, NanoCore, LokiBot, TrickBot, and Remcos have all been employed for over 5 years, whereas Qakbot and Ursnif have been used for over 10 years.

Besides giving malware gangs access to victims’ systems, TrickBot and Qakbot work as malware droppers and were broadly employed to provide ransomware groups such as Conti with systems access. The Conti group is recognized to have performed a minimum of 450 ransomware attacks in the first 6 months of 2021. All through 2021, the malware variants Agent Tesla, Formbook, and Remcos were substantially used in phishing emails, exploiting the pandemic and making use of COVID-19-inspired baits.

Mitigations

CISA has given a listing of proposed mitigations for preventing malware threats and minimizing the effect of successful attacks, the most critical of which are to update software programs and patch immediately, implement multifactor authentication, protect and keep track of RDP and other possibly dangerous services, and give consumer security awareness instruction.

Ransomware Attacks Lower by 23% Worldwide Yet Higher by 328% in Healthcare

SonicWall has updated its mid-year 2022 Cyber Threat Report, which shows the worldwide cyberattack developments in H1 of 2022. The information for the report was gathered from over 1.1 million worldwide sensors in 215 nations and reveals a global drop in ransomware attacks, with a significant rise in malware attacks. This trend is a first in three years.

Ransomware

SonicWall states a 23% drop in ransomware attacks worldwide in H1 of 2022 with only 236.1 million attempted attacks. The downhill trend continues for the past four quarters. The lowest number of ransomware attacks was in June 2022. Although ransomware attacks decreased overall, that isn’t true for the healthcare sector with 328% higher attacks in H1 2022.

Although the decrease in attacks is good news, it ought to be mentioned that the year-to-date numbers of ransomware attacks continue to be greater than in 2017, 2018, and 2019. SonicWall documented 707 ransomware attempts on average per client in the first half of 2022 in the U.S.A. SonicWall states that the reduction in attacks is due to the mix of geopolitical forces, unpredictable cryptocurrency rates, and a greater government and law-enforcement emphasis on ransomware groups.

Malware

Ransomware attacks had grown for two years, however, malware attacks are at low figures. 2021 had the lowest malware attacks in 7 years. H1 2022 saw a sharp rise in malware attacks. It is 11% more compared to H1 2021. There were 2.8 billion malware attacks in H1 2022 with 8,240 attempts on average per customer. There was a noticeable increase in new malware variants in 2022, which grew by 45% compared to H1 2021. Cryptojacking has grown by 30% in comparison to H1 2021, despite the sharp drop in the price of cryptocurrencies. Cryptjacking attacks in healthcare dropped by 87%.

The largest upsurge in malware was observed in IoT malware, which grew by 77% from H1 2021 having 57 million detections. That is the maximum rate of detection since SonicWall started tracking the attacks. The number of attacks in H1 2022 was just somewhat less than the total attacks documented in 2021. IoT attacks in America grew by 228% in June while IoT malware attacks on the healthcare sector grew by 123%.

Malicious Files

SonicWall revealed in its mid-year 2021 report that the number of malicious Office files dropped by 54% and malicious PDF files dropped by 13%. However, the decrease in number was brief, as this year saw a boost in detections of malicious files. In the H1 of 2022, malicious Office file detections went up by 18%, while malicious PDF file detections grew by 9%. Currently, 18% of malicious file types are PDF files, while 10% are Office files and over 84% are Excel files. 64% of malicious Excel files are Excel Macro 4.0 (XLM) files. Executable files remain the most popular malicious file types, with over 33% of malicious files.

Encrypted Attacks

SonicWall noticed a 132% rise in encrypted attacks in H1 2022, which is a continuation of the past two years’ trends. May 2022 had the second highest number of malware over HTTPS ever documented. Encrypted threats were most common in the U.S., which is 41% of the worldwide volume, having a 284% growth over the equivalent period in 2021. There was a 6% drop in encrypted attacks in healthcare.

Intrusion Attempts

Intrusion attempts increased by 18% worldwide in H1 2022, however, the number of malicious intrusions dropped by 19%. In North America, there was a rise in intrusion attempts yet the attacks seem to have reached the maximum in June. Intrusion attempts grew by 39% in the healthcare sector, 46% in government, and 200% in the retail industry. Despite these surges, the H1 2022 statistics are less than in 2021.

Survey Shows Bad Practices in Cyber Security and Poor Password

The majority of Americans are certain regarding their knowledge of cybersecurity based on a newly released AT&T survey of 2,000 Americans. However, bad cyber hygiene and poor password routines continue to be prevalent. OnePoll conducted the survey on behalf of AT&T and discovered that 70% of respondents felt they were proficient concerning cybersecurity with 69% stating they were assured in their capability to be able to recognize suspicious websites quickly, but the typical person still lands on a suspicious online page or social media page 6.5 times a day.

When asked about Internet use, merely 39% of participants claimed they knew that online sites could download malware to their computers and merely 45% stated they were aware that suspicious websites can bring about identity theft. 54% did not know the difference between an active threat – one that demands some user action – and an inactive threat – where a device is attacked without any activity from the user.

Though thinking they could distinguish suspicious online sites, for example, unverified internet sites, HTTP sites, and websites having a lot of pop-ups, the potential security threats from accessing those internet sites were frequently overlooked. 38% of respondents stated they go to those websites for streaming sporting events, 37% utilize the internet sites to download music and video games that are not easy to get, and 36% reported they would check out those sites if they have good discounts on purchases.

The risks due to bad cybersecurity practices are not only theoretical. Poor cyber hygiene is taken advantage of by threat actors and often allows compromise of accounts. When asked about threat experiences, 45% of respondents mentioned they had received a telephone call from somebody saying to be from the government and 36% of participants mentioned they would reply to communication if it looked like it came from an official company.

Under 40% of people consider the security problems of accessing the Web such as potential device or network attacks, malicious applications, or malware downloads. The number of survey respondents affected by password security risks is worrying. One of the biggest password security errors is utilizing the same password on several accounts. When passwords are obtained during a data breach of an organization, a credential stuffing attack may be done that would permit access to every account where that password has been utilized. 42% of survey respondents mentioned they reuse passwords across various accounts.

The best practice for creating passwords is to utilize a mix of numbers, upper and lower-case letters, and symbols, and to refrain from using personal data in passwords. 31% of participants confessed they use their birthday as their password, although many people will know the details and even find it on social media profiles pages. The survey additionally revealed that 34% of men and women are reactive and not proactive with regards to password security, and would just modify a password if they receive a security advisory regarding an attempt to access their account via an unrecognized IP address. These bad password practices continue even if a lot of people assert they know about cybersecurity, and password managers are extensively offered for free or at a low price that can significantly enhance password security.

These bad cyber practices ought to be a concern for companies. In case individuals are lax concerning personal security in spite of knowing the threats of identity theft and fraud, it is probable that those poor practices may likewise happen at work. Employers must make sure they offer regular security awareness training to show their workers how taking risks like these could put the company in danger.

Tenet Healthcare Cyberattack Resulted in $100 Million Unfavorable Effect in Q2 of 2022

Tenet Healthcare lost $100 million in income and mitigation expenses because of a cyberattack and data breach in Q2, 2022. Tenet Healthcare based in Dallas, TX is one of the biggest healthcare companies in the U.S. operating 65 hospitals and over 450 healthcare centers across the United States through its brands and subsidiaries. Last April 2022, Tenet encountered a cyberattack that prompted serious interruption to its IT programs and acute care procedures for a few weeks. The attack compelled the employees to work using pen and paper throughout the recovery phase, and at least one impacted hospital needed to briefly reroute ambulances to other hospitals. The attack likewise interfered with its telephone system, so doctors had to leave the building to make telephone calls. The cyberattack started on April 20, 2022 and impacted at least two hospitals. Tenet didn’t give to the public any details of the attack like whether it involved ransomware.

Based on Tenet’s Q2 2022 revenue report shows that the attack has got a $100 million unfavorable EBITDA (earnings prior to interest, taxes, amortization, and depreciation) effect. Adjusted admissions dropped by 5.3% year-over-year, with total admissions decreasing 8% from Q2 of 2021, and same-hospital net patient service income dropped 0.2% because of the cyberattack. Over the quarter, Tenet had a lower income of 68% in comparison to Q1 of 2021, which dropped to $38 million, and its operating income dropped by 6.4% to $4.6 million for the quarter. The attack was furthermore partially the reason for a 2.8-day growth in its outstanding accounts receivable.

CEO Saum Sutaria of Tenet mentioned that IT systems at the impacted hospitals needed to be completely rebuilt, and although the cyberattack had a considerable business and financial effect, Tenet continued to have a strong quarter. Sutaria stated the company got enough cybersecurity insurance coverage which helped to minimize the overall financial effect of the cyberattack. Its insurance plan covered $5 million in Q2 of 2022. Tenet shouldered a substantial cost because of the attack, however, it is similar to other cyberattacks like the Scripps Health ransomware attack. Five hospitals and 19 outpatient centers were affected, which resulted in $112.7 million in lost income and remediation expenses.

Tenet will additionally need to take care of other costs including the class action lawsuit filed against it in Florida in June. Allegedly, Tenet didn’t use enough security measures to secure against cyberattacks and didn’t give enough notifications to impacted persons. The lawsuit additionally claims that notification letters were not sent to all persons impacted by the data breach.

Cyber Safety Review Board States Log4j Vulnerabilities Endemic and Will Continue for Years

The Cyber Safety Review Board (CSRB), created by President Biden in February 2022, has released a report about the Log4j vulnerability (CVE-2021-44228) and related vulnerabilities that were found in late 2021. The vulnerabilities impact Log4j, the open source Java-based logging tool. CSRB states that they are very prevalent and will probably stay in a lot of systems for a long time.

The Log4j vulnerability could be exploited remotely to do code execution on susceptible systems and was designated a maximum CVSS severity score of 10 out of 10. Based on the report, the vulnerabilities are considered one of the most serious to be identified in the past few years.

The CSRB consists of 15 cybersecurity heads from the private industry and government and was designated to conduct reviews of big cybersecurity occurrences and make suggestions for bettering public and private segment cybersecurity. The Log4J vulnerability report is the first to be publicized by the CSRB.

According to Secretary of Homeland Security Alejandro N. Mayorkas, the country’s cybersecurity is at a critical juncture, as the ability to deal with risk is not keeping pace with developments in the digital space. Thus, the Cyber Safety Review Board is an institution seeking to improve cyber resilience in unprecedented means. The CSRB’s first-of-its-kind evaluation has provided the government and the industry with clear, actionable advice that DHS can help put into action to reinforce cyber resilience and enhance the public-private relationship that is so essential to collective security.

For the Log4j vulnerability evaluation, the CSRB engaged with about 80 organizations to have a knowledge of how the vulnerability is being mitigated, so as to develop actionable recommendations to avoid and successfully respond to future incidents similar to this.

The report is divided into three sections, offering factual details regarding the vulnerability and what took place, the results and conclusions according to the evaluation of the information, and a list of suggestions. The 19 actionable recommendations are split into four categories: Deal with the ongoing threats from theLog4j vulnerabilities; drive current best practices for safety hygiene; create a better software system; and investments in the future.

One of the most crucial recommendations is to make and keep an accurate IT asset inventory, as vulnerabilities cannot be resolved if it is unfamiliar where the vulnerabilities are found. It is important to have a complete software bill of materials (SBOM) that has all third-party software parts and dependencies utilized in software solutions. One of the greatest issues with dealing with the Log4j vulnerabilities is understanding which products were affected. The report additionally suggests that enterprises develop a vulnerability response plan and a vulnerability disclosure and handling process and recommends the U.S. government to inspect whether a Software Security Risk Assessment Center of Excellence is practical.

This is the first time the industry and government cyber leaders joined together like this to evaluate serious incidents, find out what happened, and advise the entire community on how to do much better later on.

Data Breaches Reported by University Pediatric Dentistry, Eye Care Practices, OrthoNebraska, and Michigan Avenue Immediate Care

University Pediatric Dentistry based in Buffalo, NY, has begun informing 6,843 patients about the exposure of some of their protected health information (PHI) because of an email security incident.

The provider secured its email system right away after detecting the breach. Forensic specialists confirmed that an unauthorized third party accessed two email accounts from January 12, 2022 to January 19, 2022. According to University Pediatric Dentistry, it was discovered on April 25, 2022, that the compromised email messages and file attachments contained patient information, which was likely viewed or stolen.

The exposed data included patient names, contact data, birth dates, Social Security numbers, government ID numbers, driver’s license numbers, treatment and diagnosis details, names of providers, patient account numbers, medical record numbers, prescription details, dates of service and/or medical insurance data. The financial account data of some patients were also exposed.

People whose driver’s license numbers or Social Security numbers were exposed received free credit monitoring and identity theft protection services. University Pediatric Dentistry stated that technical security procedures will be put in place to safeguard and keep track of its email system.

Eye Care Leaders Data Breach Impacts Several More Eye Care Practices

The number of eye care centers affected by the data breach at Eye Care Leaders is still growing. Aloha Laser Vision in Hawaii, Mattax Neu Prater Eye Center in Missouri, and Sight Partners Physicians in Washington are among the latest known to be impacted. No less than 33 eye care companies have stated they were affected by the cyberattack and the data of more than 2.9 million people were potentially exposed.

Cyberattack Announced by Michigan Avenue Immediate Care

Michigan Avenue Immediate Care (MAIC) located in Chicago, IL, has just reported a hacking incident by which an unauthorized third-party gained access to its computer system and exfiltrated files that contain sensitive patient information. The cyberattack was identified on May 1, 2022. MAIC confirmed on May 12, 2022 that the files taken from its network included some patient data.

The types of records contained in the files varied from one person to another and may possibly include names, telephone numbers, addresses, dates of birth, Social Security numbers, driver’s license numbers, treatment details, and/or health insurance data. Affected persons were notified via mail and were given complimentary membership to the Experian IdentityWorks Credit 3B service for one year.

The incident is not yet posted on the HHS’ Office for Civil Rights breach website, thus it is currently not clear how many people were impacted.

OrthoNebraska Email Account Compromised

Orthopedic clinic OrthoNebraska located in Omaha, NE has lately reported that an unauthorized individual accessed the email account of an employee. The breach happened in early December 2021 and was discovered because the email account was utilized to send spam emails. An analysis of the affected email account showed that the emails and file attachments included protected health information (PHI) of some patients, and that sensitive information could have been seen or obtained.

The exposed details contained names, demographic data, Social Security numbers, state ID numbers, driver’s license numbers, usernames/passwords, medical insurance, claims information, and medical histories. Impacted persons were informed through the mail and credit monitoring and offered identity theft protection services. Up to now, there was no evidence found that indicates the actual or attempted misuse of any patient information. OrthoNebraska said it has offered additional data security training to the employees and implemented additional safeguards to enhance email security.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Bipartisan Legislation Presented to Improve Cybersecurity for Medical Devices

A bipartisan bill called The Strengthening Cybersecurity for Medical Devices Act was introduced which requires the U.S. Food and Drug Administration (FDA) to evaluate and revise its policies on the cybersecurity of medical devices more often to make sure devices are secured from cyberattacks and potential hacking.

Sen. Jacky Rosen (D-NV) with co-sponsor Sen Todd Young (R-IN) introduced the bill calling for the Secretary of the Department of Health and Human Services (HHS) and the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to give updated policies on medical device cybersecurity to FDA annually, and for the FDA to give updated policies and recommendations on medical device cybersecurity once every two years. The regularity of updates must be enhanced to make sure the guidelines stay up-to-date, particularly considering the quick-changing threat landscape and the degree to which the healthcare sector is being attacked by cyber threat actors.

Sen Young stated that medical devices are more and more linked to the web or other medical care facility systems to give features that enhance the capability of health care companies to treat individuals. The bill helps to make sure medical devices are secured from cyberattacks and utilized safely and securely so as to minimize threats and vulnerabilities for individual patients.

The bill additionally requires the FDA to publish facts publicly regarding government resources for healthcare experts, medical device producers, and health systems that will enable them to determine and deal with vulnerabilities and to make sure they can acquire proper support. The Strengthening Cybersecurity for Medical Devices Act additionally calls for the Government Accountability Office (GAO) to put together a report about cybersecurity vulnerabilities impacting medical devices and to give suggestions for enhancing government coordination to help cybersecurity for medical devices.

Senator Rosen said that because of growing cyber threats, the health care system’s cyber infrastructure must be strengthened. This bipartisan will make sure that medical devices and systems are updated with the most recent cybersecurity, safeguarding patients and health care networks.

Verizon Data Breach Investigation Report Shows 2021 Data Breach Statistics

For the past 15 years, Verizon has been making annual Data Breach Investigation Reports (DBIR). The report this year confirms just how terrible the last one year has been. Verizon explained the last 12 months as representing an unrivaled year in the history of cybersecurity. The financially inspired crooks and nefarious nation-state actors have seldom if ever, emerge swinging the way they did over the past year, explained Verizon.

The 2022 DBIR was put together along with 87 partner companies utilizing data from 23,896 security incidents. 5,212 of the cases were confirmed data breaches, 849 of the cases assessed in the report happened in the healthcare industry and 571 of those cases resulted in affirmed data breaches.

The report confirms that there was a significant surge in ransomware attacks in 2021, growing by 13% from the prior year. To include some opinion, the growth is bigger than the mixed increases in the past five years. As Verizon remarks in the report that ransomware is simply a means of using access to victims’ systems, however, it has proven to be specifically effective at making money with illegal access to sites and private information. 25% of data breaches in 2021 used ransomware.

The most typical vectors in ransomware attacks entailed the use of stolen credentials, mainly for desktop sharing software programs, which offered initial access in 40% of ransomware attacks. Phishing was the second most popular vector in ransomware attacks, offering preliminary access in 35% of attacks, then the exploitation of vulnerabilities in web programs and direct installs. The substantial percentage of attacks associated with remote desktop software and email shows the value of locking down RDP and protecting email.

The rise in ransomware attacks is worrying, and so is the increase in supply chain attacks, which are the reason for 62% of system interruptions. Supply chain attacks could be carried out by financially driven cyber actors, although quite often they are utilized by nation-state actors to obtain persistent access to systems for spying purposes.

Protecting against cyberattacks demands action be done to deal with the four major ways that result in gaining initial access to systems, which are botnets, phishing, credentials, and exploitation of vulnerabilities. Although insiders can and do bring about data breaches, definitely the primary cause is external actors. Breaches caused by external actors exceed insider breaches by four to 4. Though external attacks are a lot more likely, the median number of records impacted in insider breaches is a lot higher.

Human error continues to play a big part in data breaches. 13% of data breaches were misconfigurations, typically of cloud storage solutions, and 82% of all data breaches assessed in the previous year had a human component. 25% of all breaches in 2021 were due to social engineering attacks, showcasing not just the significance of employing advanced email defenses but additionally giving recurrent security awareness training to the staff.

The top three attack strategies were just like last year, though switching positions. System intrusions took the number one spot, next was web application attacks, and then social engineering. In healthcare, the top causes of data breaches were web application attacks, miscellaneous errors, and system intrusions, which caused 76% of all data breaches.

Verizon mentioned that although insiders have always been a top reason for data breaches in medical care, the growth in web application attacks has resulted in external threats exceeding insiders. Healthcare staff prompted 39% of breaches in 2021, which is significantly greater than the 18% across all other industry groups. Although there will continually be malicious insiders in the healthcare industry, workers are 2.5 times more probable to make a mistake than to maliciously exploit their access to information, with misdelivery and loss the most typical errors made in medical care.

Average Ransom Payment Decreased by 34% in 1st Q of 2022

The average ransom payment associated with ransomware attacks diminished by 34% in Quarter 1 of 2022, from a record high in 4th Q of 2021, based on ransomware incident response company Coveware. The average and median ransom payment in Quarter 1 of 2022 was $211,259 and $73,906, respectively.

The drop in total ransom payments was related to a number of factors. Coveware says ransomware groups were targeting smaller businesses and issuing lesser ransom payments, because of the growing scrutiny by law enforcement whenever attacks are done on large companies. The median organization size is dropping since Quarter 4 of 2020, and is currently with about 160 workers. This seems to be the sweet spot, where the organizations have enough income to get big ransom payments, however not so big that attacks will prompt appreciable scrutiny by authorities.

One more reason why total ransom payments have dropped is the reduced number of victims of ransomware attacks who were paying the ransom. The number of subjects of ransomware attacks that pay the ransom is gradually declining, from 85% of victims in 1st Q of 2019 to 46% of victims in Quarter 1 of 2022. Also, a few of the most well-known ransomware operations had been quiet, like Maze and REvil (Sodinokibi).

LockBit and Conti are the most high profile ransomware operations, accounting for 16.1% and 14.9% of ransomware attacks respectively, then BlackCat/Alphv (7.1%), Hive (5.4%), and AvosLocker (4.8%). Coveware advises that the affiliates who partner with ransomware-as-a-service operations seem to be less eager to work together with large RaaS groups because those groups are usually targeted by law enforcement. It is currently common for affiliates to try scaled-down RaaS operations or possibly make their own ransomware variants using leaked source code.

The most typical attack vectors in ransomware attacks are exploiting unpatched vulnerabilities in software apps and operating systems, phishing, and Remote Desktop Protocol connections. Coveware has seen a rise in other attack vectors as of 2nd Q, 2021, for instance, social engineering and the direct compromise of insiders. Social engineering attacks are comparable to phishing however are remarkably targeted and usually include preparing or grooming targeted staff members before convincing them to give access to the network. There has additionally been a growth in solitary wolf attackers. Coveware knew the development in late 2021, and it has carried on all through the 1st Q of 2022. Attacks by these threat actors are generally carried out on businesses that have much better security than the common ransomware victim, like multi-factor authentication appropriately enabled for all workers and critical resources.

The Maze ransomware operation began utilizing double extortion tactics in late 2019.  That is, data is stolen from victims prior to file encryption. Payment is then demanded for the decryptor and to avoid the publication or sale of stolen information. These tactics were quickly followed by numerous ransomware operations and grew to be the norm, even though there was a fall in attacks concerning encryption and extortion in Quarter 1 of 2022. Double extortion was utilized in 84% of attacks in 4th Q of 2021, and 77% of attacks in 1st Q of 2022. Although double extortion is probably broadly employed in attacks for the near future, Coveware thinks the change from data encryption to data extortion will keep on, because data theft and naming and shaming of affected individuals will only call the interest of authorities. Data theft without encryption leads to no operational interruption yet maintains the capability of the threat actor to extort the affected individual. We anticipate this change from Big Game Hunting to Big Shame Hunting to carry on, explained Coveware in the report.

Coveware warned about giving the ransom demand to avert the posting or selling of data, as there are no guarantees that payment will bring about data deletion. In 63% of attacks wherein a ransom payment was made to stop the publication or selling of stolen information, the attackers gave no proof of data removal. In the rest of the attacks where evidence was offered, it could very easily be faked. When videos, screenshots, live screen shares, or deletion logs are given as proof, victims should have faith that a copy of the information was not made. In one prominent case, a threat actor explicitly stated that the stolen data will not be deleted if paid, and would keep it for future use against the victim, stated Coveware.

Microsoft Sinkholes Infamous ZLoader Botnet

Microsoft’s Digital Crimes Unit (DCU) disabled the well-known ZLoader cybercrime botnet that was utilized to transmit Ryuk ransomware in attacks on healthcare companies. Microsoft recently acquired a court order from the United States District Court for the Northern District of Georgia approving the seizure of 65 hard-coded domains the ZLoader botnet uses for command-and-control communications. Those websites were now sinkholed, stopping the botnet operator from connecting with devices attacked with ZLoader malware.

ZLoader malware contained a domain generation algorithm (DGA) which is activated when it’s not possible to communicate with the hard-coded domains, which works as a failsafe against any takedown attempts. The court order additionally permitted Microsoft to grab 319 DGA-registered domains. Microsoft is taking steps to prohibit the registration of any more DGA domains.

ZLoader is associated with a family of malware variants that came from the ZeuS banking Trojan. In the beginning, ZeuS was employed for credential and financial theft, with the purpose of getting money from victims’ financial accounts. The threat actor behind the malware then started a malware-as-a-service operation to send malware and ransomware to other threat actors like Ryuk.

Ryuk ransomware was broadly utilized in attacks on the healthcare sector since its appearance in 2018, and ZLoader was one way of delivering the ransomware. ZLoader could disable a well-known antivirus solution to avert detection, and the malware was installed on lots of devices, which are mostly in education and medical care.

The takedown of the botnet is substantial; nevertheless, the botnet operators are probably already working to create new command and control infrastructure. Microsoft stated the seizure was a success and resulted in the short-term disabling of the ZLoader system, which has made it harder for the organized criminal gang to carry on with its malicious activities.

The case has been referred to law enforcement, who are monitoring this activity directly and will carry on and work with our partners to keep track of the conduct of these cybercriminals. Microsoft will work together with internet service providers to determine and remediate victims. Microsoft additionally affirmed that it is ready to take further legal action and employ technical procedures to handle ZLoader and other botnets.

Microsoft furthermore named Denis Malikov, who resides in Simferopol on the Crimean Peninsula, as someone who is considered to be accountable for making a component of the malware that was employed for transmitting ransomware. This suggests that cybercriminals are not allowed to hide behind the anonymity of the internet to commit their criminal offenses.

Microsoft mentioned that the cybersecurity firm ESET, Black Lotus Labs, and Palo Alto Networks’ Unit 42 team assisted with its investigation of the ZLoader operation. The Health Information Sharing and Analysis Center (H-ISAC), the Financial Services Information Sharing and Analysis Centers (FS-ISAC), the Microsoft Threat Intelligence Center, and the Microsoft Defender Team also provided additional insights.

Importance of HIPAA Compliance for Healthcare Specialists

Why Healthcare Experts Could Not Avoid HIPAA

One of the goals of HIPAA is to give a federal ground of privacy protections for personally identifiable health information kept by Covered Entities. To accomplish this goal, the Privacy and Security Rules put standards that Covered Entities should adhere to so as to secure the privacy of “Protected Health Information” (PHI). The inability to conform to the HIPAA standards may bring about large financial fines – even if no data breach happens and PHI isn’t exposed.

The majority of healthcare providers are Covered Entities and, therefore, need to enforce guidelines and procedures to adhere to the Privacy and Security Rule criteria. As workers of Covered Entities, healthcare experts should follow their company’s policies and procedures. For this reason, healthcare experts are not able to avoid HIPAA. Nevertheless, this isn’t the sole reason why HIPAA compliance is essential for healthcare experts.

The Advantages of HIPAA Compliance for Healthcare Experts

Trust is very important in a patient/healthcare specialist relationship. Patients rely on their healthcare specialists with personal information about their lives simply because they believe that healthcare specialists work to accomplish the best health results. Nevertheless, trust may be a delicate thing. If their personal details are compromised because of a HIPAA violation, patients may hold back data important to the giving of care in spite of the possible long-lasting effects on their wellness.

Healthcare experts can minimize the risk of breaking trust by following the guidelines and procedures enforced by their company to avoid HIPAA violations. If patients are assured their privacy is being protected, this encourages trust – which results in giving better care so as to realize optimal health results. Better patient results boost the morale of healthcare experts and bring about more gratifying work life.

The Professional and Individual Implications of Noncompliance

One of the guidelines a Covered Entity needs to impose is a sanctions policy for when the noncompliance of members of its staff with HIPAA guidelines and procedures. Covered Entities must implement the sanctions policy and address HIPAA violations by healthcare specialists since, when they don´t implement the sanctions policy, it’s a HIPAA violation by the Covered Entity. In addition, when the Covered Entity doesn’t act, noncompliance could turn into a cultural convention.

Getting sanctioned for a HIPAA violation has professional and individual effects on healthcare specialists. Penalties can vary from spoken warnings to the revocation of professional accreditation – which will make it hard for a healthcare specialist to acquire another work – and, when there’s a criminal conviction because of the noncompliance, it will probably be announced in the press which will have consequences for a healthcare specialist´s personal track record.

Who is Accountable for HIPAA Violations?

As stated earlier, the inability to follow HIPAA is not the healthcare specialist´s fault at all times. Though Covered Entities must give training about policies and procedures that correspond with healthcare specialists´ functions, they might not have the materials to give training on every imaginable situation a healthcare specialist may come across, or to keep track of compliance 24/7 so as to avoid the creation of cultural norms.

As a result, unintentional HIPAA violations can happen because of an absence of understanding. Nevertheless, Covered Entities are not ready to accept accountability for unintentional violations at all times because of a lack of understanding as it means they were unable to perform a complete risk evaluation, disregarded a threat to PHI privacy, and were unable to give required and proper training – or, when a cultural norm has been created, failed to keep track of compliance with guidelines and procedures.

How You Can Avert Unintentional HIPAA Violations

To steer clear of unintentional HIPAA violations and the professional and individual penalties of noncompliance – regardless if they aren’t your wrongdoing – it is best to make sure your understanding of HIPAA addresses every facet of your role and the cases you may come across. To attain this stage of information, you must use third-party HIPAA training programs that offer you an exhaustive understanding of HIPAA and its guidelines and regulations.

Accepting responsibility for your personal HIPAA knowledge – and utilizing that understanding to work in a HIPAA-compliant way – safeguards your career, enhances your job prospects, and allows you to get more from your career. Granted the choice, the majority of healthcare experts would choose to work in a setting that works compliantly to provide better patient results, in which morale is great, and wherein the healthcare specialist has a more fulfilling work encounter.

How Small Healthcare Organizations Differ from Big Healthcare Providers in Terms of Security

A recent Software Advice survey of healthcare organizations provides observations on healthcare data breaches, their actual causes, and the various security procedures at small and large healthcare companies.

The survey involved 130 small practices with 5 or fewer licensed providers and 129 big practices having six or more providers to know the security problems they face and the steps each group has made to protect against cyberattacks and data breaches. With both groups of healthcare providers, more than 50 percent store over 90% of patient information digitally, for instance, patient records, medical histories, and billing records. Even though digital records are more useful, there is a threat that hackers could acquire access to patient records.

Hackers have a tendency to target bigger practices rather than small practices, depending on the number of reported data breaches. 48% of large healthcare organizations stated they had encountered a data breach previously, and 16% claimed they had experienced a breach in the past 12 months. 23% of small practices had suffered a breach in past times with 5% suffering from a breach in the last year. By far the major cause of data breaches was human error. 46% of small practices and 51% of big practices stated human error was the top reason for data breaches.

23% of small healthcare practices mentioned they had encountered a ransomware attack before, compared to 45% of large practices. 5% of the attacks on small healthcare companies and 12% of attacks on large healthcare organizations happened in the last 12 months. 76% of small practices and 74% of big practices stated they had recovered at least part of their information from backups without making ransom payments, which demonstrates the great importance of having very good backup plans. That is particularly essential as paying the ransom doesn’t ensure the restoration of files. 23% of small practices made ransom payments to restore their files compared to 19% of big healthcare companies, however, 14% of small healthcare organizations stated they failed to retrieve their files after ransom payment.

11% of big practices completely lost their files because of the attack, 7% acknowledged data loss and 4% made ransom payments yet still failed to recover their files. The majority of the healthcare companies didn’t express how much was the ransom payment. Two small practices mentioned they paid approximately $5,000 -$10,000 and two paid roughly $25,000 – $100,000.

To protect against attacks, healthcare companies have put in place a variety of technical safety steps, with the most typical solutions such as firewalls, antivirus software programs, email security options, and data backup technology. Small practices were spending more money compared to large organizations on antivirus solutions, and although such options are crucial, it is likewise critical to spend on email and networks security resources. Bigger companies with more finances were more probable to purchase those resources and be better shielded because of that. Software Advice recommends that smaller healthcare organizations ought to think about lowering spending on antivirus applications and enhancing email and network protection because that could help to avert even more data breaches.

It is critical not to overlook the human aspect of cybersecurity, particularly since many data breaches were ascribed to human error. Giving security awareness training to staff is demanded by the HIPAA Security Rule, nevertheless, it shouldn’t only be a checkbox choice. Frequent security awareness training to train workers on how to identify and prevent threats can significantly minimize the risk of a successful cyberattack however 42% of small practices and 25% of large practices stated they spent under 2 hours on privacy and security awareness training for staff members in 2021.

Two-factor authentication is an essential security measure to avoid the usage of compromised credentials to acquire access to accounts. Microsoft has earlier mentioned that two-factor authentication can prohibit over 99% of programmed attacks on accounts. It is wonderful that 90% of big practices have enforced 2FA somewhat, nevertheless, small practices are a lot less likely to employ 2FA to safeguard their accounts. 22% of small practices stated they haven’t used 2FA yet and 59% just use 2FA on a few programs.

Using all data protection software available is not a wise choice as it results in your vulnerability to other ways of attack or breach, for example, circumstantial exposure or human error. Rather, protect yourself on several fronts, advises Software Advice. That entails training staff members, buying the right security tools to secure data, and creating an action plan to help offset ruin in case of a breach or attack.

Data Breach Reports Sent by New Jersey Brain and Spine, Dialyze Direct, and Highmark Inc

New Jersey Brain and Spine (NJBS) has lately reported it encountered a cyberattack on or about November 16, 2021, that encrypted information on its system. NJBS stated it quickly took action to protect its network and had a computer forensic company look into the security breach. Although no proof was discovered that indicates there was any improper use of patient information due to the attack, the forensics agency mentioned the attacker might have viewed files that contain patient records.

A third party vendor conducted an evaluation of all files on its network that was possibly accessed, and although the data mining procedure is in progress, it was affirmed that the files comprised data such as names, email addresses, physical addresses, birth dates, phone numbers, social security numbers, driver’s license numbers or other ID numbers, financial account details, credit or debit card data, and health details. Notification letters had been mailed to impacted people on March 10, 2022.

NJBS stated that right after the breach, a number of steps were done to better safeguard patient information, such as using two-factor authentication, migrating patient information to a third-party hosted cloud-based system, and setting up a new server. NJBS has additionally used an ongoing monitoring response solution that monitors user activity, services, and ports, and synchronizes logging.

The breach report was sent to the HHS’ Office for Civil Rights revealing that approximately 92,453 persons were affected.

Highmark Inc. Patients Impacted by Breach at Printing and Mailing Provider

Highmark Inc., a non-profit healthcare firm and Integrated Delivery Network located in Pittsburgh, PA, has just announced that certain HIPAA-protected records were compromised in a data breach at Quantum Group. Webb Mason offers marketing services to Highmark and uses the printing and mailing vendor, Quantum Group.

Webb Mason gave Quantum Group access to patient information in 2017 to help with marketing projects for Highmark, and that data was likely accessed by unauthorized people. Highmark emphasized that its own IT solutions were not exposed.

Highmark said the breach impacted around 67,147 persons, who were provided free online identity monitoring services for 12 months.

Dialyze Direct Notifies Patients Regarding PHI Breach in Cyberattack

Dialyze Direct, a provider of kidney care services based in Neptune City, NJ, has experienced a data breach that has impacted about 14,203 patients. Based on a March 10, 2022 data breach notification, Dialyze Direct mentioned it found out on February 14, 2022, that an unauthorized person got access to a worker email account from January 21, 2021 to March 4, 2021.

A thorough evaluation of the email account established it included patients’ protected health information (PHI) like names, dates of birth, Social Security numbers, government ID numbers, financial account data, payment card details, and medical data that likely includes financial identification numbers, medical diagnostic and treatment information, and/or medical insurance plan details.

Notification letters were delivered to affected persons. People whose Social Security numbers were possibly exposed were given complimentary credit monitoring services. Dialyze Direct stated it has identified no information that indicates the misuse of any patient data.

Healthcare Scores Terribly for Practicing the Cyber Incident Response

The healthcare industry had an awful 2021 in terms of data breaches with over 50 million records breached and above 900 data breaches were reported by databreaches.net. Considering the magnitude to which the healthcare sector is attacked by cyber actors, the danger of a data breach happening is high. A SecureLink/Ponemon Institute review in 2021 discovered 44% of healthcare and pharmaceutical firms encountered a data breach in the last year.

Although steps can be done to enhance defenses to avoid cyber attacks from succeeding, healthcare companies must be ready for the worse and must have an incident response plan set up that could be promptly started in the event of a cyberattack. With correct planning, when a cyberattack happens, healthcare providers will be prepared and will be able to recover in the least possible time frame.

Regular exercises ought to be done to make sure everybody knows their duties and that the plan works. Oftentimes, cyberattack victims see that their incident response plan is not enough or ineffective due to inadequate testing, which may bring about a slow and expensive response to a cyberattack.

This month, Immersive Labs issued its 2022 cyber workforce benchmark report, which contained data from about 2,100 institutions from a variety of industries that utilize the Immersive Labs platform for performing cyber crisis simulations. Remarkably prized, high profile targets such as financial and technology services conducted the most cyber crisis exercises, doing an average of 7 and 9 exercises annually respectively, nevertheless, healthcare companies were near the bottom of the list, doing an average of 2 exercises annually.

In the event of a cyberattack, a lot of different people will be engaged in the response. It is for that reason crucial for those individuals to take part in exercises. It is not surprising that the more persons who are involved in incident response exercises the more prepared an organization will be to act in response to a cyberattack. Immersive Labs measured the performance of the exercises and found that every exercise that scored over 90% for effectiveness had about 11 people taking part. All but one of the crisis situations that had a score of less than 50% for effectiveness had just one person engaging. In healthcare, an average of 4 people joined in the exercises, in comparison to 21 in education and 7 in technology.

Immersive Labs examined performance with regard to the crisis response activities and computed a score dependent on the type of choices made all through the entire simulation. The average performance score in all exercises was 68%, which indicates there is substantial room for improvement. The prominent industry was manufacturing, with a performance rating of 85%. Worryingly, medical care performed the worst out of all industries for cyber crisis response by some distance, attaining a performance score of only 18% – substantially lower than the next worst-performing segment – financial services – which scored 45%.

Immersive Labs additionally analyzed the speed at which 35,000 members of cybersecurity teams at 400 large companies took to develop the expertise, abilities, and judgment to deal with 185 breaking threats. On average, it required 96 days for teams to grow the skills to secure against breaking threats. They discovered that mitigating against a vulnerability in the Exim mail transfer agent – which affected over 4.1 million systems and was being actively exploited – took security teams more than 6 months on average to grasp. CISA states vulnerabilities must be patched within 15 days from initial detection.

Developing the human skills to fight attackers is slow, particularly in healthcare. The best performing industry was leisure/entertainment, which took typically 65 days for security groups to build the required skills. In medical care, it had taken about 116 days. Only infrastructure, consulting, and transport performed worse. Throughout all industry sectors, the average time frame to develop the competencies to respond to threats was 96 days.

The current cyber crisis is an all-encompassing organizational tension. Stopping incidents that halt operations and ruin reputation, corporate value and stakeholder relationships demands a holistic response from the entire labor force. Reaching this sort of resilience calls for a constantly maturing responsive capability for technical and non-technical teams, created by exercising with a cadence that traditional tabletop exercises struggle to reach… exercising to collect evidence, and then utilizing these insights to equip teams with pertinent skills, is crucial to ongoing resilience.

NIST Wants Feedback on How to Strengthen its Cybersecurity Framework

The National Institute of Standards and Technology (NIST) wants to get comments on the advantages of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and ideas on any enhancements that may be made.

The NIST Cybersecurity Framework was introduced in 2014 to help public and private industry institutions to follow cybersecurity requirements and best practices to enhance their cybersecurity posture, better protect against cyber threats, and immediately determine and react to ongoing cyberattacks to restrict the damage that could be caused. The NIST Cybersecurity Framework is regarded as the gold standard for cyber threat management; nonetheless, that does not indicate enhancements couldn’t be made.

The latest update to the Cybersecurity Framework happened in April 2018. In the past four years, there have been substantial improvements to the cybersecurity threat landscape. New threats have surfaced, the tactics, techniques, and procedures (TTPs) utilized by cyber threat actors have improved, there are new technologies and security features, and more resources are accessible to help with the administration of cybersecurity risk. NIST is not looking at upgrading its Framework once again to take these variables into account.

The NIST Cybersecurity Framework has been used by numerous healthcare companies to strengthen cybersecurity, however, a number of healthcare institutions have experienced difficulties carrying out the Framework, and presently fewer than half of healthcare companies are keeping NIST standards. NIST would like to find out about the problems organizations have encountered putting into action the Framework and the commonalities and conflicts with other non-NIST frameworks and methods that are employed together with the NIST Cybersecurity Framework. There may be strategies for enhancing alignment or application of those approaches with the NIST Cybersecurity Framework. NIST wishes to receive recommendations on modifications that could be made to the characteristics of the Framework, functions that ought to be added or eliminated, and any other methods that NIST can develop the Framework to make it more beneficial.

Aside from the responses on the Cybersecurity Framework, NIST has requested feedback on potential advancements to other NIST guidance and standards, which include its guidance on bettering supply chain cybersecurity. NIST lately announced that it would start the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to deal with cybersecurity challenges in supply chains. NIST has asked for responses on challenges associated with the cybersecurity factors of supply chain risk management that can be resolved by the NIICS, and whether there are presently gaps in active cybersecurity supply chain risk management guidance and assets, such as the use of those resources to information and communications technology, operational technology, IoT, and industrial IoT.

NIST wants to receive all comments by April 25, 2022.