Average Ransom Payment Decreased by 34% in 1st Q of 2022

The average ransom payment associated with ransomware attacks fell by 34% in Q1 2022 from a record high in Q4 2021, according to ransomware incident response firm Coveware. The average and median ransom payments in Q1 2022 were $211,259 and $73,906, respectively.

The drop in ransom payments is attributed to several factors. Coveware says ransomware groups have been targeting smaller businesses and demanding smaller ransoms because of the growing scrutiny from law enforcement whenever large companies are attacked. The median victim organization size has been falling since Q4 2020 and now stands at about 160 employees. This appears to be the sweet spot: organizations with enough revenue to pay a sizable ransom, but not so large that an attack attracts serious attention from authorities.

Another reason total ransom payments have fallen is that fewer ransomware victims are paying. The proportion of victims that pay has been steadily declining, from 85% in Q1 2019 to 46% in Q1 2022. In addition, some of the best-known ransomware operations, such as Maze and REvil (Sodinokibi), have gone quiet.

LockBit and Conti were the most prolific ransomware operations, accounting for 16.1% and 14.9% of attacks respectively, followed by BlackCat/Alphv (7.1%), Hive (5.4%), and AvosLocker (4.8%). Coveware notes that affiliates appear less willing to partner with large ransomware-as-a-service (RaaS) operations because those groups are frequently targeted by law enforcement. It is now common for affiliates to move to smaller RaaS operations, or to build their own ransomware variants from leaked source code.

The most common attack vectors in ransomware attacks are exploitation of unpatched vulnerabilities in software applications and operating systems, phishing, and Remote Desktop Protocol (RDP) connections. Since Q2 2021 Coveware has seen a rise in other vectors, such as social engineering and the direct compromise of insiders. Social engineering attacks resemble phishing but are highly targeted and usually involve preparing or grooming specific employees before persuading them to grant access to the network. There has also been growth in lone-wolf attackers. Coveware first noted this development in late 2021, and it continued through Q1 2022. These threat actors generally attack businesses with much better security than the typical ransomware victim, such as multi-factor authentication properly enabled for all employees and critical resources.

The Maze ransomware operation began using double extortion tactics in late 2019: data is stolen from victims before files are encrypted, and payment is then demanded both for the decryptor and to prevent the publication or sale of the stolen data. Many other ransomware operations quickly adopted these tactics and they became the norm, although attacks involving both encryption and extortion declined in Q1 2022. Double extortion was used in 84% of attacks in Q4 2021 and 77% in Q1 2022. While double extortion will probably remain widespread for the near future, Coveware expects the shift from data encryption to data extortion to continue, because data theft and the naming and shaming of victims draw less attention from authorities than the operational disruption caused by encryption. Data theft without encryption causes no operational interruption yet preserves the threat actor's ability to extort the victim. "We anticipate this change from Big Game Hunting to Big Shame Hunting to carry on," Coveware explained in the report.

Coveware warned against paying a ransom to prevent the publication or sale of data, as there is no guarantee that payment will result in its deletion. In 63% of attacks where a ransom was paid to stop the publication or sale of stolen data, the attackers provided no proof of deletion. In the remaining cases where evidence was offered, it could easily have been faked. When videos, screenshots, live screen shares, or deletion logs are provided as proof, victims can only take it on faith that no copy of the data was kept. "In one prominent case, a threat actor explicitly stated that the stolen data would not be deleted if paid, and would be kept for future use against the victim," stated Coveware.

Microsoft Sinkholes Infamous ZLoader Botnet

Microsoft's Digital Crimes Unit (DCU) has disrupted the notorious ZLoader cybercrime botnet, which was used to deliver Ryuk ransomware in attacks on healthcare organizations. Microsoft obtained a court order from the United States District Court for the Northern District of Georgia authorizing the seizure of 65 hard-coded domains the ZLoader botnet uses for command-and-control communications. Those domains have now been sinkholed, preventing the botnet operators from communicating with devices infected with ZLoader malware.

ZLoader includes a domain generation algorithm (DGA) that is activated when the malware cannot reach its hard-coded domains, acting as a failsafe against takedown attempts. The court order also allowed Microsoft to seize 319 DGA-registered domains, and Microsoft is taking steps to block the registration of further DGA domains.
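As an added example (not from the page, and not Microsoft's or any vendor's code), the following Python script shows the kind of resolver-log check a defender can run for the fallback behaviour just described: a host whose hard-coded C2 names stop answering starts resolving many pseudo-random candidate domains, most of which return NXDOMAIN. The log format, the sample lines, the placeholder C2 name and the thresholds are all constructed assumptions; it does not reproduce ZLoader's actual DGA.

```python
"""
Defender-side heuristic for DGA fallback: an infected host whose hard-coded
C2 domains fail begins resolving many pseudo-random candidates, most of which
are unregistered (NXDOMAIN). Flag clients with a burst of distinct,
high-entropy NXDOMAIN lookups. Log format, samples and thresholds are assumed.
"""
import math
import re
from collections import defaultdict

# Assumed resolver log format: "<epoch_seconds> <client_ip> <qname> <rcode>"
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

# Assumed thresholds; tune against real resolver logs before relying on them.
MIN_NXDOMAIN = 8        # distinct failed lookups within one window
MIN_MEAN_ENTROPY = 3.0  # bits per character of the registrable label
WINDOW_SECONDS = 300

# Constructed sample: 10.0.0.5 is an ordinary workstation (one typo'd name);
# 10.0.0.23 queries a placeholder hard-coded C2 name, then falls back to DGA.
SAMPLE_LOG = [
    "1000 10.0.0.5 www.example.com NOERROR",
    "1005 10.0.0.5 api.github.com NOERROR",
    "1020 10.0.0.5 exmaple.com NXDOMAIN",
    "1000 10.0.0.23 hardcoded-c2.example NOERROR",
    "1010 10.0.0.23 qwzxkvbnmjhg.com NXDOMAIN",
    "1020 10.0.0.23 plokmijnuhby.net NXDOMAIN",
    "1030 10.0.0.23 zaqxswcdevfr.org NXDOMAIN",
    "1040 10.0.0.23 mnbvcxzlkjhg.com NXDOMAIN",
    "1050 10.0.0.23 rtyuiopasdfg.info NXDOMAIN",
    "1060 10.0.0.23 hgfdsapoiuyt.net NXDOMAIN",
    "1070 10.0.0.23 bnmlkjhgfdsa.com NXDOMAIN",
    "1080 10.0.0.23 yhnujmikolpq.org NXDOMAIN",
    "1090 10.0.0.23 cvbnmasdfghj.com NXDOMAIN",
    "1100 10.0.0.23 wertyuiopasd.net NXDOMAIN",
]


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Label left of the TLD: 'a.b.example.com' -> 'example'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse(lines):
    """Yield (timestamp, client, qname, rcode); malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            yield int(ts), client, qname.lower(), rcode


def find_dga_clients(lines):
    """Return {client_ip: summary} for clients showing a DGA-like burst."""
    by_client = defaultdict(list)
    for ts, client, qname, rcode in parse(lines):
        by_client[client].append((ts, qname, rcode))

    flagged = {}
    for client, events in by_client.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # Slide the window start so the window spans at most WINDOW_SECONDS.
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            failed = {q for _, q, rc in events[start:end + 1] if rc == "NXDOMAIN"}
            if len(failed) < MIN_NXDOMAIN:
                continue
            mean_ent = sum(shannon_entropy(registrable_label(q)) for q in failed) / len(failed)
            if mean_ent < MIN_MEAN_ENTROPY:
                continue
            if best is None or len(failed) > best["nxdomain_distinct"]:
                best = {"nxdomain_distinct": len(failed),
                        "mean_entropy": round(mean_ent, 2),
                        "window_start": events[start][0]}
        if best is not None:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for client, summary in find_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: {summary}")
```

A flagged client is a lead for investigation, not a verdict: legitimate software (typo squatting lookups, expired CDN names, misconfigured search domains) can also produce NXDOMAIN bursts, so corroborate with endpoint telemetry before acting.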

ZLoader belongs to a family of malware variants descended from the ZeuS banking Trojan. ZeuS was originally used for credential and financial theft, with the aim of stealing money from victims' financial accounts. The threat actors behind the malware later launched a malware-as-a-service operation, delivering malware and ransomware such as Ryuk on behalf of other threat actors.

Ryuk ransomware has been widely used in attacks on the healthcare sector since it emerged in 2018, and ZLoader was one of its delivery mechanisms. ZLoader could disable a popular antivirus solution to avoid detection, and the malware was installed on many devices, mostly in the education and healthcare sectors.

The takedown is significant; nevertheless, the botnet operators are probably already working to build new command-and-control infrastructure. Microsoft said the seizure was a success and resulted in the temporary disabling of the ZLoader infrastructure, making it harder for the organized criminal gang to continue its malicious activities.

The case has been referred to law enforcement, who are monitoring the activity directly and will continue to work with their partners to track the conduct of these cybercriminals. Microsoft will work with internet service providers to identify and remediate victims. Microsoft also confirmed that it is prepared to take further legal action and technical measures against ZLoader and other botnets.

Microsoft also named Denis Malikov, a resident of Simferopol on the Crimean Peninsula, as an individual believed to be responsible for creating a component of the malware used to distribute ransomware. Naming him sends the message that cybercriminals cannot hide behind the anonymity of the internet to commit their offenses.

Microsoft said that the cybersecurity firm ESET, Black Lotus Labs, and Palo Alto Networks' Unit 42 team assisted with its investigation of the ZLoader operation. The Health Information Sharing and Analysis Center (H-ISAC), the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Microsoft Threat Intelligence Center, and the Microsoft Defender team also provided insights.

Importance of HIPAA Compliance for Healthcare Professionals

Why Healthcare Professionals Cannot Avoid HIPAA

One of the goals of HIPAA is to provide a federal floor of privacy protections for individually identifiable health information held by Covered Entities. To achieve this, the Privacy and Security Rules set standards that Covered Entities must follow to protect the privacy of Protected Health Information (PHI). Failure to comply with these standards can result in substantial financial penalties, even if no data breach occurs and no PHI is exposed.

Most healthcare providers are Covered Entities and therefore must implement policies and procedures that satisfy the Privacy and Security Rule requirements. As members of a Covered Entity's workforce, healthcare professionals must follow their employer's policies and procedures, which is why they cannot avoid HIPAA. That is not, however, the only reason HIPAA compliance matters for healthcare professionals.

The Benefits of HIPAA Compliance for Healthcare Professionals

Trust is central to the relationship between a patient and a healthcare professional. Patients confide personal information about their lives because they believe their healthcare professionals are working to achieve the best health outcomes for them. Trust can be fragile, however: if patients' personal details are compromised through a HIPAA violation, they may withhold information that matters to their care, despite the possible long-term consequences for their health.

Healthcare professionals can reduce the risk of breaking that trust by following the policies and procedures their employer has put in place to prevent HIPAA violations. When patients are confident their privacy is protected, trust grows, which leads to better care and better health outcomes. Better patient outcomes in turn raise the morale of healthcare professionals and make for a more rewarding working life.

The Professional and Personal Consequences of Noncompliance

One policy a Covered Entity must have in place is a sanctions policy for members of its workforce who fail to comply with its HIPAA policies and procedures. Covered Entities must apply that policy and address HIPAA violations by healthcare professionals, because failing to apply the sanctions policy is itself a HIPAA violation by the Covered Entity. Moreover, if the Covered Entity does not act, noncompliance can become the cultural norm.

Being sanctioned for a HIPAA violation has professional and personal consequences for healthcare professionals. Penalties range from verbal warnings to the revocation of professional accreditation, which makes it hard to find another job, and where noncompliance leads to a criminal conviction, it will probably be reported in the press, with lasting consequences for the professional's personal reputation.

Who is Responsible for HIPAA Violations?

As noted above, failure to comply with HIPAA is not always the healthcare professional's fault. Although Covered Entities must provide training on the policies and procedures relevant to healthcare professionals' roles, they may not have the resources to train staff on every conceivable situation they might encounter, or to monitor compliance around the clock to prevent bad practices from becoming cultural norms.

As a result, unintentional HIPAA violations can occur through a lack of knowledge. Nevertheless, Covered Entities are not always willing to accept responsibility for unintentional violations caused by a lack of knowledge, since doing so implies they failed to conduct a thorough risk analysis, overlooked a threat to the privacy of PHI, and failed to provide necessary and appropriate training, or, where a cultural norm has developed, failed to monitor compliance with their policies and procedures.

How to Avoid Unintentional HIPAA Violations

To avoid unintentional HIPAA violations and the professional and personal penalties of noncompliance, even when they are not your fault, make sure your knowledge of HIPAA covers every aspect of your role and the situations you may encounter. To reach that level of knowledge, you should use third-party HIPAA training courses that give you a thorough understanding of HIPAA and its rules and regulations.

Taking responsibility for your own HIPAA knowledge, and using it to work in a HIPAA-compliant way, protects your career, improves your job prospects, and lets you get more out of your work. Given the choice, most healthcare professionals would prefer to work in a setting that operates compliantly to deliver better patient outcomes, where morale is high, and where they have a more fulfilling work experience.

How Small Healthcare Organizations Differ from Large Healthcare Providers in Terms of Security

A recent Software Advice survey of healthcare organizations provides insight into healthcare data breaches, their root causes, and the differing security practices of small and large healthcare organizations.

The survey covered 130 small practices with five or fewer licensed providers and 129 large practices with six or more providers, to learn about the security problems each group faces and the steps they have taken to protect against cyberattacks and data breaches. In both groups, more than half store over 90% of patient information digitally, including patient records, medical histories, and billing records. Digital records are more convenient, but they carry the risk that hackers could gain access to them.

Judging by the number of reported data breaches, hackers tend to target larger practices rather than small ones. 48% of large healthcare organizations said they had experienced a data breach at some point, and 16% had experienced one in the past 12 months, compared with 23% and 5% of small practices respectively. By far the leading cause of data breaches was human error: 46% of small practices and 51% of large practices named it as the top cause.

23% of small healthcare practices said they had experienced a ransomware attack, compared with 45% of large practices; 5% of the attacks on small organizations and 12% of those on large organizations occurred in the past 12 months. 76% of small practices and 74% of large practices said they had recovered at least some of their data from backups without paying a ransom, which underlines the importance of good backup practices. That matters all the more because paying the ransom does not guarantee that files will be recovered: 23% of small practices paid a ransom to recover their files, compared with 19% of large organizations, yet 14% of small healthcare organizations said they failed to recover their files after paying.

11% of large practices lost their files because of the attack: 7% acknowledged data loss and 4% paid the ransom but still failed to recover their files. Most organizations did not disclose how much the ransom payment was. Two small practices said they paid approximately $5,000-$10,000 and two paid roughly $25,000-$100,000.

To defend against attacks, healthcare organizations have implemented a range of technical safeguards, the most common being firewalls, antivirus software, email security solutions, and data backup technology. Small practices were spending more than large organizations on antivirus solutions, and although such tools are important, it is equally important to invest in email and network security. Larger organizations with bigger budgets were more likely to buy those tools and were better protected as a result. Software Advice suggests that smaller healthcare organizations consider reducing spending on antivirus software and strengthening email and network protection, as that could help prevent more data breaches.

The human side of cybersecurity must not be overlooked, particularly since so many data breaches were attributed to human error. Security awareness training for staff is required by the HIPAA Security Rule, but it should not be treated as a checkbox exercise. Regular security awareness training that teaches employees how to recognize and avoid threats can significantly reduce the risk of a successful cyberattack, yet 42% of small practices and 25% of large practices said they spent under 2 hours on privacy and security awareness training for staff in 2021.

Two-factor authentication (2FA) is an essential safeguard against the use of compromised credentials to access accounts. Microsoft has previously said that two-factor authentication can block over 99% of automated attacks on accounts. Encouragingly, 90% of large practices have implemented 2FA to some extent, but small practices are far less likely to use 2FA to protect their accounts: 22% of small practices said they have not used 2FA at all, and 59% use it on only a few applications.

Relying on data protection software alone is not a wise choice, as it leaves you vulnerable to other avenues of attack or breach, such as accidental exposure or human error. Instead, protect yourself on several fronts, advises Software Advice. That means training staff, buying the right security tools to protect data, and creating an action plan to limit the damage in the event of a breach or attack.

Data Breach Reports from New Jersey Brain and Spine, Dialyze Direct, and Highmark Inc.

New Jersey Brain and Spine (NJBS) has recently reported a cyberattack on or about November 16, 2021, that encrypted data on its systems. NJBS said it quickly took steps to secure its network and engaged a computer forensics firm to investigate the breach. Although no evidence was found of any misuse of patient information as a result of the attack, the forensics firm said the attacker may have viewed files containing patient records.

A third-party vendor reviewed all files on the network that may have been accessed. Although that review is ongoing, it has been confirmed that the files contained data such as names, email addresses, physical addresses, dates of birth, phone numbers, Social Security numbers, driver's license or other ID numbers, financial account details, credit or debit card data, and health information. Notification letters were mailed to affected individuals on March 10, 2022.

NJBS said that following the breach it took several steps to better protect patient data, including implementing two-factor authentication, migrating patient data to a third-party-hosted cloud-based system, and setting up a new server. NJBS has also deployed a continuous monitoring and response solution that monitors user activity, services, and ports and synchronizes logging.

The breach report submitted to the HHS' Office for Civil Rights indicates that approximately 92,453 individuals were affected.

Highmark Inc. Patients Affected by Breach at Printing and Mailing Vendor

Highmark Inc., a non-profit healthcare company and Integrated Delivery Network based in Pittsburgh, PA, has announced that certain HIPAA-protected records were compromised in a data breach at Quantum Group. Webb Mason provides marketing services to Highmark and uses Quantum Group as its printing and mailing vendor.

Webb Mason gave Quantum Group access to patient information in 2017 to support marketing projects for Highmark, and that data was likely accessed by unauthorized individuals. Highmark emphasized that its own IT systems were not compromised.

Highmark said the breach affected around 67,147 individuals, who have been offered free online identity monitoring services for 12 months.

Dialyze Direct Notifies Patients of PHI Breach in Cyberattack

Dialyze Direct, a provider of kidney care services based in Neptune City, NJ, has experienced a data breach affecting about 14,203 patients. According to a March 10, 2022 breach notification, Dialyze Direct learned on February 14, 2022, that an unauthorized person had access to an employee email account from January 21, 2021 to March 4, 2021.

A thorough review of the email account established that it contained patients' protected health information (PHI), including names, dates of birth, Social Security numbers, government ID numbers, financial account data, payment card details, and medical data that may include financial identification numbers, medical diagnosis and treatment information, and/or health insurance plan details.

Notification letters have been sent to affected individuals, and those whose Social Security numbers may have been exposed have been offered complimentary credit monitoring services. Dialyze Direct said it has found no evidence of misuse of any patient data.

Healthcare Scores Poorly on Cyber Incident Response Exercises

The healthcare industry had a dreadful 2021 for data breaches, with more than 50 million records exposed and over 900 data breaches reported, according to databreaches.net. Given the extent to which the sector is targeted by cyber actors, the risk of a data breach is high. A 2021 SecureLink/Ponemon Institute study found that 44% of healthcare and pharmaceutical firms had experienced a data breach in the previous year.

Although steps can be taken to strengthen defenses and stop cyberattacks from succeeding, healthcare organizations must prepare for the worst and have an incident response plan that can be activated immediately in the event of a cyberattack. With proper planning, healthcare providers will be ready when an attack happens and able to recover in the shortest possible time.

Regular exercises should be run to make sure everyone knows their responsibilities and that the plan works. Cyberattack victims often find that their incident response plan is inadequate or ineffective because it was not tested properly, which can lead to a slow and costly response.

This month, Immersive Labs released its 2022 Cyber Workforce Benchmark report, drawing on data from around 2,100 organizations across a range of industries that use the Immersive Labs platform to run cyber crisis simulations. Highly prized, high-profile targets such as financial services and technology firms ran the most cyber crisis exercises, averaging 7 and 9 per year respectively, whereas healthcare organizations were near the bottom of the list, averaging 2 per year.

Many different people are involved in responding to a cyberattack, so it is essential that they all take part in exercises. Unsurprisingly, the more people who participate in incident response exercises, the better prepared an organization is to respond to an attack. Immersive Labs measured the effectiveness of the exercises and found that every exercise scoring over 90% had about 11 participants, while all but one of the crisis scenarios scoring under 50% had just one participant. In healthcare, an average of 4 people took part in exercises, compared with 21 in education and 7 in technology.

Immersive Labs assessed performance in the crisis response exercises and computed a score based on the decisions made throughout each simulation. The average performance score across all exercises was 68%, leaving substantial room for improvement. The leading industry was manufacturing, with a performance score of 85%. Worryingly, healthcare performed worst of all industries for cyber crisis response, by some distance, with a performance score of just 18%, far below the next worst-performing sector, financial services, at 45%.

Immersive Labs also analyzed how long it took 35,000 members of cybersecurity teams at 400 large organizations to develop the knowledge, skills, and judgment to deal with 185 emerging threats. On average, teams needed 96 days to build the skills to defend against an emerging threat. Mitigating a vulnerability in the Exim mail transfer agent, which affected over 4.1 million systems and was being actively exploited, took security teams more than 6 months on average to master. CISA states that vulnerabilities must be patched within 15 days of initial detection.

Developing the human skills to fight attackers is slow, particularly in healthcare. The best-performing industry was leisure/entertainment, where security teams took an average of 65 days to build the required skills; in healthcare it took about 116 days, and only infrastructure, consulting, and transport performed worse. Across all industry sectors, the average time to develop the competencies to respond to threats was 96 days.

The current cyber crisis is an all-encompassing organizational strain. Stopping incidents that halt operations and damage reputation, corporate value, and stakeholder relationships demands a holistic response from the entire workforce. Achieving this kind of resilience requires a continually maturing response capability across technical and non-technical teams, built by exercising at a cadence that traditional tabletop exercises struggle to reach… Exercising to gather evidence, and then using those insights to equip teams with relevant skills, is crucial to ongoing resilience.

NIST Wants Feedback on How to Strengthen its Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is seeking comments on the usefulness of its Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework) and suggestions for any improvements that could be made.

The NIST Cybersecurity Framework was introduced in 2014 to help public- and private-sector organizations adopt cybersecurity standards and best practices that improve their security posture, defend better against cyber threats, and quickly detect and respond to attacks in progress to limit the damage. The Framework is widely regarded as the gold standard for cyber risk management, but that does not mean it cannot be improved.

The Framework was last updated in April 2018. In the four years since, the threat landscape has changed substantially: new threats have emerged, the tactics, techniques, and procedures (TTPs) used by threat actors have evolved, new technologies and security features are available, and more resources exist to help manage cybersecurity risk. NIST is now looking at updating the Framework to take these factors into account.

Many healthcare organizations have used the NIST Cybersecurity Framework to strengthen cybersecurity; however, a number of healthcare organizations have had difficulty implementing it, and currently fewer than half of healthcare organizations meet NIST standards. NIST wants to learn about the problems organizations have encountered implementing the Framework, and about the commonalities and conflicts with non-NIST frameworks and approaches used alongside it; there may be ways to improve alignment or application of those approaches with the Framework. NIST also welcomes recommendations on changes to the Framework's features, functions that should be added or removed, and any other ways NIST could develop the Framework to make it more useful.

In addition to feedback on the Cybersecurity Framework, NIST has requested comments on potential improvements to other NIST guidance and standards, including its guidance on improving supply chain cybersecurity. NIST recently announced the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to address cybersecurity challenges in supply chains, and has asked for input on the cybersecurity aspects of supply chain risk management that the NIICS could address, and on whether there are gaps in existing cybersecurity supply chain risk management guidance and resources, including how those resources apply to information and communications technology, operational technology, IoT, and industrial IoT.

NIST is accepting comments until April 25, 2022.

CISA Publishes List of Free Cybersecurity Tools to Improve Security Capabilities

Security capabilities can be improved on a limited budget by using free cybersecurity tools and services. Many such tools and services have been developed by government agencies, the cybersecurity community, and the public and private sectors, and can be used to strengthen defenses against damaging cyberattacks, detect potential intrusions quickly, and help organizations respond to and manage security breaches.

Finding suitable free cybersecurity tools and services can be time-consuming. To help critical infrastructure organizations reduce cybersecurity risk, the DHS' Cybersecurity and Infrastructure Security Agency (CISA) has compiled a list of services offered by CISA and other government agencies, open-source tools, and tools and services built and maintained by the cybersecurity community that can be used to strengthen protection, detection, response, and the management of cyber threats.

The list of free cybersecurity tools and services is divided into four categories, corresponding to the four goals set out in previously published guidance, CISA Insights: Implement Cybersecurity Measures Now to Protect Against Critical Threats:

  • Reducing the likelihood of a damaging cyber incident;
  • Detecting malicious activity quickly;
  • Responding effectively to confirmed incidents; and
  • Maximizing resilience.

All tools and services on the list were assessed by CISA using neutral principles and criteria; however, CISA does not attest to the suitability of any product or service, nor to the effectiveness of any solution for any particular use case. Although several commercial products and services are included, CISA does not endorse or recommend them. CISA will update the list regularly to add new products and services, and welcomes suggestions of additional products and services for future inclusion.

Although all of the listed tools and services may help enhance or add security capabilities, they are no substitute for building and maintaining a strong cybersecurity program. It is important to establish such a program and to ensure several foundational cybersecurity measures are in place, such as fixing known flaws in software and operating systems, setting strong passwords, using multi-factor authentication, and ending bad cybersecurity practices such as the continued use of legacy solutions that have reached end-of-life and are no longer supported. CISA recommends signing up for its Cyber Hygiene Vulnerability Scanning service and getting your Stuff Off Search (S.O.S.) to reduce the Internet-facing attack surface visible to anyone using a web-based platform.

2021 Showed Clear Growth in Ransomware Data Leaks and Greater Ransom Demands

CrowdStrike has released its annual threat report, which indicates there was a major increase in data leaks following ransomware attacks in 2021, up 82% from 2020. There were 2,686 ransomware attacks documented in 2021 compared to 1,474 in 2020. The weekly average of ransomware attacks in 2021 was over 50.

Ransomware groups also demanded bigger ransom payments in 2021, 36% higher than in 2020. The average ransom demand in 2021 was $6.1 million. The healthcare sector was widely attacked by ransomware groups in 2021, even though many threat actors claimed they would not attack healthcare companies. CrowdStrike tracked 154 ransomware attacks on healthcare companies in 2021, up from 94 in 2020. Healthcare ranked 6th of all industry sectors for data leaks; it was 4th in 2020.

CrowdStrike noted the threat landscape became far more crowded in 2021, with many new adversaries appearing, including threat actors from countries that had previously not been heavily engaged in cyberattacks, such as Colombia and Turkey. CrowdStrike identified 21 new adversaries in 2021, with considerable growth in China-nexus and Iran-nexus threat actors.

A threat group tracked as Wizard Spider was one high-profile ransomware actor in 2021. Carbon Spider focused on big game hunting, Cozy Bear concentrated on attacking cloud systems, Prophet Spider used the Log4j exploit to harvest credentials from online workspace services, and Aquatic Panda targeted the Log4j vulnerability and used the Log4Shell exploit to obtain remote code execution in victims’ environments.

Iran-nexus actors made extensive use of lock-and-leak tactics. Russian threat actors increasingly attacked cloud environments. China-nexus threat actors concentrated on exploiting new vulnerabilities. CrowdStrike reported 6 times more vulnerability exploitation in 2021, with ten known adversaries or activity clusters involved in those attacks. Only 2 vulnerabilities were exploited by Chinese threat actors in 2020, compared to 12 in 2021.

Since 2020, ransomware groups have been exfiltrating sensitive data before encrypting files and using double extortion tactics on their victims. Victims are pressured to pay both for the keys to decrypt files and to prevent the exposure of the stolen data on data leak sites. Although ransomware attacks were very common, there was also a rise in data theft and extortion without the use of ransomware, and there was a lively market for selling stolen data on hacking forums and darknet portals.

Malware is frequently used in cyberattacks, but attackers are increasingly avoiding malware altogether, using legitimate credentials to gain access to systems and then living-off-the-land techniques, in which existing system tools are used instead of malware to evade security controls. In 2021, only 38% of cyberattacks involved malware; 62% were malware-free.

CrowdStrike expects web-related threats to become more common and to grow in 2022 as threat actors choose targets that provide direct access to large consolidated stores of high-value data. Threat actors are also likely to broaden their toolsets to include mobile malware in 2022, and it is highly likely that adversaries will continue to look for weaknesses in the platforms used by their targets in 2022.

To combat these threats, CrowdStrike recommends understanding the adversaries known to target your sector, as this allows you to prepare better for attacks. It is critical to secure all workloads and to have a tested response plan that allows rapid action in the event of an attack. The speed of the response often dictates whether mitigations succeed.

Cloud misconfigurations are commonly exploited to gain access to large data stores. One way to reduce the risk of human error is to create new accounts and infrastructure from default patterns (standard templates). While technical measures to detect and stop attacks are essential, it is also crucial to invest in user awareness programs, as end users can play a major role in preventing data breaches, especially by recognizing and avoiding phishing attacks and social engineering techniques.

Cyberattack at Taylor Regional Hospital and a Connecticut Accountancy Company

Taylor Regional Hospital Still Affected by January Cyberattack

Taylor Regional Hospital in Campbellsville, KY has suffered a cyberattack that forced it to take down its IT and telephone systems. The hospital reported the cyberattack on January 24, 2021. To date, the hospital continues to experience outages with certain computer systems and phone lines. Temporary telephone lines were set up so that patients can contact the hospital while the attack is being resolved.

Cyberattacks like this usually involve ransomware; however, no information has been released so far about the exact nature of the attack, nor about when its IT systems are likely to be restored. At this early stage, it is not clear whether any patient data has been accessed or stolen by the attackers.

An announcement on the hospital’s website said the hospital continues to provide quality care to patients and is working as fast as possible to securely bring its IT systems back online. Patients are encouraged not to postpone seeking clinical care; however, without access to its computer systems, patients were asked to bring details of their prescription medication with them to any previously scheduled visits.

The hospital stated that routine outpatient labs will be conducted only during limited hours until further notice, that patients must bring a written order, and that they should expect longer wait times than usual. The walk-in COVID-19 clinic remains open but accepts patients on a first-come, first-served basis.

Data Stolen from Connecticut Accountancy Company Due to Cyberattack

The Glastonbury, CT certified public accountancy firm Fiondella, Milone & LaSaracina has reported a cyberattack that occurred in September 2021. The firm detected the security breach on September 14, 2021, and the forensic investigation determined that the hackers had access to its systems from September 9, 2021.

On or about October 13, 2021, it was confirmed that the attackers had copied files and folders from its systems that contained the sensitive data of a number of individuals. The information exposed was mostly limited to names and Social Security numbers. For some individuals, the stolen data also included ambulance trip information: service level, tracking numbers and dates, payor types and categories, mileage details, charge/payment details, billing review data, and remittance advice details, which may have included healthcare information.

Fiondella, Milone & LaSaracina said a review of its security measures was conducted and additional safeguards will be implemented to prevent further breaches. The breach notice on its website makes no mention of credit monitoring or identity theft protection services.

The accounting firm has sent the breach report to the HHS’ Office for Civil Rights indicating that 6,215 persons were affected.

Data Breaches Reported by Memorial Health System and MedQuest Pharmacy

Ohio-based Memorial Health System has recently confirmed that the ransomware attack it suffered in August 2021 potentially affected the protected health information (PHI) of 216,478 patients. Because of the ransomware attack, the health system had to divert some patients to other hospitals and cancel some appointments to ensure patient safety. The health system announced the attack immediately after it occurred on August 14, 2021; the investigation revealed that its network was first breached on July 10, 2021.

The health system reported the incident to the HHS’ Office for Civil Rights promptly, but at that time it was not known how many people were affected. Memorial Health System determined that patient data may have been affected on or around September 17, 2021, and then conducted a thorough review of all affected files. The scope of the breach was confirmed on November 1, 2021, but it took until December 9, 2021, to verify the individuals affected and the specific types of information involved, which delayed the notifications. Written notices were sent to affected individuals on or about January 12, 2022.

The breached and potentially exfiltrated information included names, Social Security numbers, addresses, medical/treatment details, and health insurance data. Affected persons were provided a complimentary membership to Kroll’s credit monitoring service for 12 months. Since then, Memorial Health System has used extra safeguards to enhance its security posture.

MedQuest Pharmacy Data Breach Affects 39,447 People

In mid-December, MedQuest Pharmacy started sending notifications to 39,447 individuals about the potential compromise of some of their PHI in a cyberattack that was detected on November 18, 2021. With the help of its parent companies, Innovations Group and UpHealth Inc, and independent cybersecurity specialists, MedQuest confirmed that the attackers first gained access to its systems on October 27, 2021. The unauthorized access was blocked on October 30, 2021.

A detailed review of all affected systems showed that the attackers potentially accessed or obtained the following types of data: names, birth dates, addresses, email addresses, telephone numbers, genders, medical record numbers, medical information, prescription data, date(s) of treatment, referring doctor names, health insurance policy numbers (including Medicare or Medicaid numbers), and internal MedQuest patient ID numbers.

MedQuest stated that the driver’s license number, Social Security number, financial account/payment card details, medical insurance claim number, policy details, and/or claim/appeal data of a very small number of individuals were also exposed. All affected individuals have been offered a one-year free membership to Equifax credit and identity monitoring services.

Entira Family Clinics and Caring Communities Send Notification Letters Regarding Netgain’s Ransomware Attack in 2020

A Minnesota network of family medicine practices began sending notifications to approximately 200,000 patients concerning the potential compromise of some of their personal data and protected health information (PHI) due to a cyberattack on a business associate about a year ago.

The breach notification letters sent by Entira Family Clinics to affected individuals on January 13, 2022 state that the breach occurred at Netgain Technologies, a hosting and cloud IT solutions provider to organizations in the healthcare and accounting industries. Entira Family Clinics used Netgain’s hosting and email services.

The healthcare organization said the files potentially compromised included names, Social Security numbers, addresses, and medical histories. Entira said in its notification letters that it had its information technology (IT) support team working immediately upon learning of the breach and engaged a law firm specializing in cybersecurity and data privacy to investigate. It also communicated closely with Netgain and its breach counsel regarding Netgain’s incident response and forensic investigation.

The investigation found no evidence of actual or attempted misuse of any personal records. Entira Family Clinics said it is taking steps to enhance security and mitigate risk, a process that included a review and update of policies and procedures related to the security of its systems, servers, and lifecycle management. A security review of the Netgain environment was also conducted to ensure the cloud hosting platform is better secured.

Entira Family Clinics offered the impacted individuals a complimentary membership to online credit monitoring services via IDX. The breach report submitted to the Maine Attorney General shows 199,628 persons were affected.

The notification letters sent to affected individuals state that the provider learned that a data security incident in Netgain’s environment may have resulted in the accidental exposure of their personal data, and that Netgain was recently the target of a cybersecurity incident.

The date of the incident was not mentioned in the notification letters, so affected individuals would not realize that the ransomware attack and data theft had occurred more than 12 months earlier, on November 4, 2020.

Netgain disclosed the data breach in December 2020, and the majority of affected firms were notified by February 2021. Many affected Netgain clients sent notification letters in the spring and summer of 2021. It is unclear why Entira Family Clinics took so long to issue notification letters, and whether this was due to delayed notification from Netgain.

Also this month, Caring Communities, a member-owned liability insurance provider in Illinois serving not-for-profit senior housing and care organizations, sent notification letters about the Netgain data breach. The firm mailed the letters on January 14, 2022; they said the same things as those sent by Entira.

Caring Communities said it is no longer using Netgain as its hosting provider and migrated its environment to a different service provider after being notified of the data breach, and that additional steps are being taken to strengthen security. Affected individuals have also been offered credit monitoring and identity theft protection services through IDX. It is currently unclear how many people were affected. The notification letters likewise refer to a recent cyberattack on Netgain and do not say when the attack took place or why the notification letters were delayed for so long.

Over 212,500 Patients Impacted by 2020 Email Account Breach at Florida Digestive Health Specialists

The Bradenton, FL gastroenterology provider Florida Digestive Health Specialists (FDHS) has recently notified around 212,000 patients about the potential compromise of their protected health information (PHI) in a cyberattack in December 2020.

Attorney Jason M. Schwent of Clark Hill mailed breach notification letters to the affected patients on December 27, 2021. The letters state that suspicious activity was detected in an employee’s email account on December 16, 2020. An unauthorized individual had used the email account to send email messages.

This was a business email compromise (BEC) attack. In a BEC attack, an attacker gains access to an email account, typically through a phishing email, and uses it to impersonate the employee and persuade others to make fraudulent wire transfers. On December 21, 2020, FDHS discovered a fraudulent transfer of funds to an unknown bank account.

FDHS engaged Clark Hill and a third-party cybersecurity firm to investigate the cyberattack. The investigation found that unauthorized individuals had gained access to several employees’ email accounts. The email accounts were described as “voluminous” and contained the personal information and protected health information (PHI) of 212,509 patients. The goal of this type of attack is to obtain payments through bogus wire transfers rather than to steal patient data; nonetheless, data theft could not be ruled out.

The volume of data in the breached email accounts was cited as the reason for the 12-month delay in sending notification letters to affected patients. FDHS explained that auditing the email accounts took a long time and was only completed on November 19, 2021.

Following the breach, several changes were made to its IT systems to improve security. These included a password reset across all its IT networks, the rollout of multi-factor authentication, stronger password requirements, and re-establishing its firewall.

Affected individuals have been offered complimentary credit monitoring and identity theft protection services for one year.

Learnings from a Big Healthcare Ransomware Attack

One of the most severe healthcare ransomware attacks occurred in Ireland at the beginning of 2021. A major attack on the Health Service Executive (HSE), the national health system of the Republic of Ireland, resulted in the deployment of Conti ransomware and the shutdown of the National Healthcare Network. As a result, healthcare professionals across the country could not access HSE IT systems, including patient records, clinical care systems, laboratory systems, payroll, and other clinical and non-clinical systems, disrupting healthcare services nationwide.

After the attack, the HSE Board engaged PricewaterhouseCoopers (PWC) to conduct an independent post-incident review to establish the facts about the HSE’s technical and operational readiness and the circumstances that allowed the attackers to gain access to its systems, copy sensitive data, encrypt files, and extort the HSE.

Cybersecurity Problems that are Prevalent in the Healthcare Sector

PWC’s recently published report identifies several security failings that allowed the HSE’s systems to be infiltrated. Although the report concerns the HSE cyberattack, its findings apply to many healthcare organizations in the United States that have the same unresolved vulnerabilities and the same lack of readiness for ransomware attacks. The PWC recommendations can be used to strengthen security and prevent similar attacks.

Although the HSE ransomware attack affected a huge number of IT systems, it began with a phishing email. On March 16, 2021, an employee received an email with a malicious Microsoft Excel spreadsheet attached. When the attachment was opened, malware was installed on the device. Even though the HSE workstation had antivirus software installed, it failed to detect the malicious file because its virus definitions had not been updated for more than a year.

After the first device was infected, the attacker moved laterally within the network, compromised a number of highly privileged accounts, gained access to many servers, and exfiltrated data. On May 14, 2021, 8 weeks after the initial compromise, Conti ransomware was deployed widely to encrypt files. The HSE detected the encryption and shut down the National Health Network to contain the attack. As a result, healthcare professionals across the country could not access applications and vital information.

During those 8 weeks of compromise, suspicious activity was detected on more than one occasion, which should have triggered an investigation into a possible security breach, but those alerts were not acted on. Had appropriate action been taken, it would have been possible to prevent the deployment of the ransomware and the exfiltration of sensitive data.

Simple Techniques Used to Devastating Effect

According to PWC, the attacker used well-known and straightforward techniques to move around the network, identify and exfiltrate sensitive data, and deploy Conti ransomware across large parts of the IT network with little difficulty. The attack could have been far worse: the attacker could have compromised medical devices, destroyed data at scale, used auto-propagation mechanisms like those in the WannaCry ransomware attacks, and targeted cloud systems as well.

The HSE made clear it would not pay the ransom. On May 20, 2021, six days after access to the HSE IT systems was shut down to contain the attack, the ransomware attackers released the decryption keys. Thanks to a strong incident response and the release of the keys, the worst outcomes were avoided. But even with the decryption keys, it was not until September 21, 2021 that the HSE had fully decrypted all files on its servers and restored about 99% of its applications. The HSE estimated the cost of the attack could reach as much as 500 million euros.

Ireland’s Largest Organization Had No CISO

PWC attributed the attack to a low level of cybersecurity maturity, weak IT systems and controls, and workforce problems. PWC said there was a lack of cybersecurity leadership: nobody in the HSE was responsible for providing leadership and direction over its cybersecurity efforts, which is highly unusual for an organization of the HSE’s size and complexity. The HSE is Ireland’s largest organization and had more than 130,000 staff and over 70,000 devices at the time of the attack, yet only 1,519 employees with cybersecurity functions. PWC said the staff responsible for cybersecurity lacked the skills needed for the tasks expected of them, and that the HSE should have a Chief Information Security Officer (CISO) with overall accountability for cybersecurity.

Insufficient Monitoring and Cybersecurity Controls

The HSE lacked the capability to effectively monitor and respond to security alerts across its whole environment; patching was slow, and updates were not applied promptly across the IT systems connected to the National Health Network. The HSE also relied on a single anti-malware solution that was not being monitored or effectively maintained across its entire IT environment, and it continued to use legacy systems with known security problems, remaining heavily dependent on Windows 7.

The same weaknesses in people, processes, and technology can be found in many health systems around the world, and the PWC recommendations apply beyond the HSE for strengthening cybersecurity and making attacks like this harder to pull off.

The PWC report, advice, and learnings from the attack are available here.

New Data Reveals Degree of Ransomware Attacks on the Healthcare Sector

The CyberPeace Institute has published new data on cyberattacks in the healthcare sector. According to the latest figures, 295 cyberattacks are known to have been conducted on the healthcare sector in the 18 months between June 2, 2020, and December 3, 2021. The attacks occurred at a rate of 3.8 per week and affected 35 countries.

Those attacks include 263 incidents that were either confirmed as ransomware attacks (165) or are believed to have involved ransomware (98), with those attacks occurring in 33 countries at a rate of 3.4 incidents per week. Over the 18 months, at least 39 different ransomware groups conducted attacks on the healthcare sector. The attacks mostly targeted patient care services (179), followed by pharma (35), medical manufacturing & development (26), and other medical organizations (23).

The CyberPeace Institute analyzed darknet publications, communications with ransomware gangs, and interviews, and identified 12 ransomware gangs that had said they would not attack the healthcare industry during the pandemic yet continued to attack healthcare companies, with at least six of the 12 having attacked hospitals.

The gangs’ definition of healthcare differs from what most people would consider medical care. For instance, although all 12 ransomware gangs stated they would not target hospitals, many used vague terms such as “medical companies” to describe healthcare. While that may suggest all of healthcare was off-limits, several gangs considered the pharmaceutical sector fair game, on the grounds that pharma firms were profiting from the pandemic.

Three ransomware operations admitted that mistakes had been made and healthcare companies had been attacked in error. They stated publicly that if a mistake is made, the decryption keys would be provided free of charge. Nonetheless, there were cases where it was disputed whether an entity fell within the gangs’ definitions of exempt organizations.

It should be noted that once an attack occurs and files are encrypted, the damage is already done. Even when decryption keys are provided free of charge, attacked organizations still suffer disruption to business operations and patient services. Restoring data from backups is not a simple process, and attacked organizations still incur substantial mitigation costs. 19% of attacks were confirmed to have caused canceled consultations, 14% resulted in patients being redirected, and 80% involved the exposure or leak of sensitive data.

The CyberPeace Institute said several threat actors have specifically targeted the healthcare sector. One example given was a member of the Groove ransomware operation who was actively seeking initial access brokers who could provide access to healthcare organizations. According to its data leak site, the Groove ransomware operation had a larger share of healthcare victims than any other sector.

Data from Mandiant has shown that 20% of ransomware victims are in the healthcare industry, indicating the sector is heavily targeted. The FIN12 threat actor is known to target the healthcare industry, and ransomware operations such as Pysa, Conti, and Hive have large percentages of healthcare institutions among their listed victims (4%, 9%, and 12% respectively).

While there is some deliberate targeting of the healthcare sector, many ransomware gangs use spray-and-pray techniques and attack indiscriminately, so healthcare providers are hit alongside every other industry. These attacks often involve attacks on Remote Desktop Protocol (RDP), indiscriminate phishing campaigns, or brute force attacks to guess weak passwords.
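The password-guessing against RDP mentioned above leaves a recognizable trail in Windows Security logs: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive, which is RDP) from one source, sometimes followed by a successful logon (event ID 4624) from that same source. The following Python script is an added example, not code from the article or from any organization it covers. It assumes the events have already been exported to a simple pipe-separated layout (timestamp|event_id|logon_type|user|source_ip); the log lines are constructed for illustration, and the 5-failures-in-5-minutes threshold is an assumed starting point that a defender would tune for their own environment.

```python
"""Added example: flag RDP password-guessing bursts in pre-parsed Windows
Security events and note whether a successful logon followed the burst."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp|event_id|logon_type|user|source_ip).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_LOG = """\
2021-11-18T02:00:01|4625|10|administrator|203.0.113.7
2021-11-18T02:00:03|4625|10|admin|203.0.113.7
2021-11-18T02:00:05|4625|10|backup|203.0.113.7
2021-11-18T02:00:07|4625|10|jsmith|203.0.113.7
2021-11-18T02:00:09|4625|10|administrator|203.0.113.7
2021-11-18T02:00:11|4625|10|administrator|203.0.113.7
2021-11-18T02:00:14|4624|10|administrator|203.0.113.7
2021-11-18T08:15:00|4625|10|nurse1|198.51.100.20
2021-11-18T08:15:30|4624|10|nurse1|198.51.100.20
2021-11-18T09:00:00|4625|2|clerk|-
"""

FAIL_THRESHOLD = 5             # assumed: this many failures from one source...
WINDOW = timedelta(minutes=5)  # ...within this window counts as brute force
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Turn the pipe-separated export into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "type": logon_type, "user": user, "src": src})
    return events


def detect_rdp_brute_force(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one finding per source IP that crossed the failure threshold.

    Each finding records the failure count in the sliding window, the distinct
    account names tried, and (if any) the first successful RDP logon from that
    source within `window` of the burst, which is the case to escalate first.
    """
    recent = defaultdict(deque)  # src -> (ts, user) failures still in window
    findings = {}                # src -> finding dict
    for ev in parse_events(text):
        if ev["type"] != RDP_LOGON_TYPE:
            continue             # only interactive remote (RDP) logons matter here
        q = recent[ev["src"]]
        if ev["id"] == "4625":
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()      # drop failures that fell out of the window
            if len(q) >= threshold:
                f = findings.setdefault(ev["src"], {"src": ev["src"],
                                                    "success_after": None})
                f.update(failures=len(q), first=q[0][0], last=ev["ts"],
                         accounts=sorted({u for _, u in q}))
        elif ev["id"] == "4624" and ev["src"] in findings:
            f = findings[ev["src"]]
            if f["success_after"] is None and ev["ts"] - f["last"] <= window:
                f["success_after"] = (ev["ts"], ev["user"])
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_rdp_brute_force(SAMPLE_LOG):
        verdict = "LIKELY COMPROMISE" if f["success_after"] else "brute force"
        print(f"{f['src']}: {f['failures']} RDP failures, accounts={f['accounts']}, "
              f"{verdict}")
```

Only the 203.0.113.7 source is reported: six failures across four account names in under a minute, then a successful logon as administrator three seconds after the last failure. The single failed attempt from 198.51.100.20 and the non-RDP (logon type 2) failure are ignored, which is the point of keying the rule on logon type rather than on failed logons in general.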

Whether healthcare organizations are targeted by mistake, by design, or out of indifference, ransomware operators act with impunity and are de facto deciding which organizations are legitimate targets and which are off-limits. Their simplistic distinctions ignore the complexity and interconnectedness of the healthcare sector, where attacking pharmaceutical companies during a pandemic can have just as harmful a human impact as attacking hospitals.

Planned Parenthood Los Angeles Facing Class Action Lawsuit for the October 2021 Ransomware Attack

A class-action lawsuit has been filed against Planned Parenthood Los Angeles (PPLA) over a ransomware attack that was discovered on October 17, 2021. The cyberattack compromised the protected health information (PHI) of more than 409,759 patients. In the notification letters sent to affected individuals on November 30, 2021, PPLA explained that its systems were breached on October 9, 2021. The hackers had access to files containing PHI until October 17, when they were evicted from the network.

The files on the affected systems included names, birth dates, addresses, diagnoses, treatment, and prescription information, and some files were exfiltrated from its systems before the files were encrypted. PPLA said it had received no evidence to suggest that patient data has been misused.

A PPLA patient affected by the data breach filed a lawsuit over the incident in the U.S. District Court for the Central District of California. The lawsuit claims that the patient and class members were placed at a real risk of harm because of the theft of their sensitive health information, which included electronic health records listing procedures performed by PPLA such as abortions, treatment of sexually transmitted diseases, emergency contraception, cancer screening details, and other highly sensitive health data.

The lawsuit also points to the timing of the attack, which coincided with the Supreme Court arguments on abortion, and states that the exposure of data on abortion procedures at such a time makes it more likely that patients will face harm. In addition to facing an imminent threat of harm, affected individuals are likely to continue suffering economic and actual harm and have lost control of their healthcare records. They have also incurred out-of-pocket costs as a direct result of the data breach, including expenses and time spent protecting their accounts, checking for identity theft and fraud, and taking steps to prevent misuse of their personal information. The lead plaintiff states she has suffered actual harm because of the breach, including stress and anxiety, and has also suffered damage and a decrease in the value of her personal information.

Although the Health Insurance Portability and Accountability Act (HIPAA) has no private cause of action, the lawsuit claims PPLA violated HIPAA by failing to ensure the confidentiality of patient information and by not having adequate cybersecurity measures in place to prevent unauthorized access to PHI. The lawsuit also claims this is the third data breach suffered by PPLA in the past three years.

In addition to the HIPAA violations, the lawsuit alleges PPLA violated the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA).

The lawsuit seeks injunctive relief, compensatory and statutory damages, investment in cybersecurity to ensure further breaches do not occur, and identity theft protection and restoration services and an identity theft insurance policy for affected individuals.

Ransomware Attack Impacts 81,000 Patients of Howard University College of Dentistry

Howard University College of Dentistry discovered on September 3, 2021, that unauthorized individuals had gained access to its network and used ransomware to encrypt files. Shortly after the attack, the university announced that it had been forced to suspend online and hybrid classes while its systems were restored, and that a nationally recognized computer forensics firm had been engaged to investigate the incident to determine the scope of the attack and whether sensitive data was accessed or compromised.

The university confirmed on September 24, 2021 that a system storing patients’ dental information was compromised in the ransomware attack. No specific evidence of unauthorized access to or exfiltration of files was found, but dental records were encrypted. The encrypted information related to dental appointments from October 5, 2019, to September 3, 2021, and included names, contact details, birth dates, dental record numbers, medical insurance details, dental history data, and, for some patients, Social Security numbers.

The university has sent notifications to all affected patients by mail, advising them to monitor their account statements for any sign of fraudulent activity, and said it has also improved its cybersecurity procedures to better protect against future attacks and data breaches.

Howard University College of Dentistry recently submitted its data breach report to the HHS’ Office for Civil Rights, stating that up to 80,915 individuals were affected.

PHI of Great Plains Manufacturing Health Plan Members Impacted by Cyberattack

Kansas-based Great Plains Manufacturing has notified 4,110 employees that some of their protected health information (PHI) was potentially exposed in a cyberattack that was detected on October 11, 2021.

The investigation confirmed that unauthorized individuals first gained access to its network on September 28, 2021, and retained access until October 11, 2021, when the company detected the breach and ejected the hackers from its network. A review of the compromised file server, completed on November 1, 2021, found that the accessed files contained information including names, Social Security numbers, dates of birth, health insurance numbers, and members’ health plan elections.

The breach affected only employees and their dependents covered by the Great Plains Manufacturing, Inc. Employee's Beneficiary Association Trust health plan. The company mailed breach notifications to affected individuals on December 1, 2021, and offered all of them 12 months of complimentary identity theft monitoring services.

Biomanufacturing Industry Warned of High-Risk Attacks Using Tardigrade Malware

A highly sophisticated strain of malware capable of spreading aggressively inside networks is being used in targeted attacks on the biomanufacturing industry. Security researchers have named the malware Tardigrade; initial analysis suggests it may be a SmokeLoader variant. SmokeLoader is commonly used as a malware loader and backdoor, but Tardigrade differs from it in several important respects.

The sophistication of the malware, combined with its targeted use against vaccine companies and their partners, strongly suggests that an Advanced Persistent Threat (APT) actor developed and operates it. The malware was first detected in attacks on the biomanufacturing industry in spring 2021, when an infection was identified at a large U.S. biomanufacturing company. It was detected again in an October 2021 attack on another biomanufacturing company, and it has most likely been used in attacks on several other companies in the sector.

Unlike SmokeLoader, which must receive instructions from a command-and-control server, Tardigrade can use its own internal logic to decide on lateral movement and which files to modify. The malware has a distributed command-and-control infrastructure and uses a variety of IP addresses that do not map to a single command-and-control node. It is also metamorphic: its code changes frequently while its functionality is preserved, so signature-based detection is ineffective at identifying and blocking it.
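The metamorphic property described above is what defeats hash and byte-pattern signatures. The following is an added toy example (not Tardigrade's code, and not from BIO-ISAC or HC3): it generates variants of an invented instruction sequence that keep the same observable behavior while changing their bytes, then compares a SHA-256 byte signature with a signature computed over normalized behavior. The instruction set, the mutation rules and the sample payload are all constructed for illustration.

```python
"""Toy demonstration of why byte signatures fail against metamorphic code.

Constructed example: the instruction set, payload and mutation engine are
invented and bear no relation to Tardigrade's real implementation.
"""
import hashlib
import random

# Invented toy instruction set: (opcode, operand) pairs.
SEED_PAYLOAD = [
    ("open", "patient_records.db"),
    ("read", None),
    ("xor", 0x5A),                  # toy "encryption" step
    ("write", "patient_records.db"),
    ("connect", "198.51.100.7"),    # RFC 5737 documentation address
    ("send", None),
]

# Junk instructions with no observable effect; a metamorphic engine
# sprinkles these between real instructions to change the byte layout.
JUNK = [("nop", None), ("push", 0), ("pop", None), ("mov", "r1,r1")]
JUNK_OPS = {op for op, _ in JUNK}

# Semantically equivalent rewrites: one xor can become two xors whose
# keys combine to the same value (0xFF ^ 0xA5 == 0x5A).
EQUIV = {("xor", 0x5A): [[("xor", 0x5A)], [("xor", 0xFF), ("xor", 0xA5)]]}


def serialize(program):
    """Byte form of the program; this is what a byte signature sees."""
    return "\n".join(f"{op} {arg}" for op, arg in program).encode()


def mutate(program, seed):
    """Produce a metamorphic variant: same behavior, different bytes.

    Every real instruction is followed by one randomly chosen junk
    instruction, and the xor step is randomly split into two xors.
    """
    rng = random.Random(seed)
    out = []
    for ins in program:
        for rewritten in rng.choice(EQUIV.get(ins, [[ins]])):
            out.append(rewritten)
            out.append(rng.choice(JUNK))
    return out


def byte_signature(program):
    """A static signature: SHA-256 of the serialized bytes."""
    return hashlib.sha256(serialize(program)).hexdigest()


def behavior(program):
    """Normalize to observable effects: drop junk, fold xor chains."""
    effects = []
    for op, arg in program:
        if op in JUNK_OPS:
            continue
        if op == "xor" and effects and effects[-1][0] == "xor":
            effects[-1] = ("xor", effects[-1][1] ^ arg)
        else:
            effects.append((op, arg))
    return tuple(effects)


def behavior_signature(program):
    """A signature over what the code does rather than how it is laid out."""
    return hashlib.sha256(repr(behavior(program)).encode()).hexdigest()


def classify(sample, known_byte_sig, known_behavior_sig):
    """Compare a sample against a known-bad byte and behavior signature."""
    return {
        "byte_match": byte_signature(sample) == known_byte_sig,
        "behavior_match": behavior_signature(sample) == known_behavior_sig,
    }


if __name__ == "__main__":
    byte_sig = byte_signature(SEED_PAYLOAD)
    beh_sig = behavior_signature(SEED_PAYLOAD)
    for seed in range(1, 6):
        variant = mutate(SEED_PAYLOAD, seed)
        # byte_match is False for every variant; behavior_match is True
        print(seed, classify(variant, byte_sig, beh_sig))
```

Every variant fails the byte signature, because the junk and the rewritten xor change the serialized bytes, while all of them match the behavior signature, because normalization discards layout and keeps effects. The same principle is why the advisories below stress antivirus with behavioral analysis rather than signatures alone.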

Tardigrade is stealthy and can be used to maintain persistent access to victims' systems for surveillance. It establishes a tunnel for data exfiltration and stages systems for further malicious activity such as ransomware deployment; indeed, it was first discovered during the investigation of what appeared to be a ransomware attack.

The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) has issued an alert about the malware because of the considerable threat it poses to the biomanufacturing industry and its partners. The HHS' Health Sector Cybersecurity Coordination Center (HC3) also recently issued an advisory about the malware.

BIO-ISAC says all biomanufacturing sites and their partners should assume they will be targeted and take steps to harden their defenses against this new threat. The primary distribution method is believed to be phishing emails, though the malware can also spread via USB drives and propagate autonomously across victims' networks.

It is vital to follow cybersecurity best practices such as closing exposed Remote Desktop Protocol (RDP) ports, updating outdated operating systems and software, aggressively segmenting networks, using multifactor authentication, and ensuring that antivirus software capable of behavioral analysis is deployed on all devices.

BIO-ISAC also advises performing a "crown jewels" analysis, which should include assessing the impact of an attack that renders specific critical equipment inoperable, maintaining offline backups of biomanufacturing systems, testing backups to confirm that recovery is actually possible, providing phishing awareness training to employees, checking lead times for acquiring critical infrastructure components (chromatography, microbial containment systems, endotoxin), and accelerating the replacement of obsolete equipment.

Additional details on the Tardigrade malware threat can be found on the pages of BIO-ISAC and HC3.

PHI of 57,000 TriValley Primary Care Patients Possibly Exposed in Cyberattack

TriValley Primary Care, based in Perkasie, PA, has begun notifying 57,596 patients about a cyberattack in which their personal data and protected health information (PHI) may have been compromised.

Suspicious activity was detected on its IT network on October 11, 2021. The healthcare provider took immediate action to secure its systems and block further unauthorized access, and third-party forensic specialists assisted with an investigation to determine the nature and extent of the attack.

The investigation concluded on November 4. Although no evidence of actual or attempted misuse of patient data was found, unauthorized access to and possible theft of PHI could not be ruled out. Affected patients have therefore been advised to remain vigilant for signs of identity theft and fraud, and have been offered free credit monitoring services.

Analysis of the files stored on the compromised systems confirmed that the following types of patient information may have been exposed: first and last name, sex, home address, email address, telephone number, date of birth, Social Security number, health insurance policy/group plan number, group plan agency, claim information, medical history, diagnosis, treatment information, dates of service, laboratory test results, prescription information, medical account number, provider name, and other information contained in health records.

TriValley Primary Care said it is working with cybersecurity specialists to strengthen its cybersecurity policies, processes, and standards to reduce the risk of further data breaches, and that staff will receive additional cybersecurity training.

Patients Unaware of the Scope of Healthcare Cyberattacks and Data Breaches

Armis, the unified asset visibility and security platform provider, has published a new survey investigating the state of cybersecurity in the healthcare sector and the security challenges healthcare organizations currently face.

The survey was conducted by Censuswide and polled 400 IT professionals at healthcare organizations across the United States and 2,000 American patients on their views of cybersecurity and data breaches in the healthcare industry.

The survey confirmed the growing cyber threat: 85% of respondents said cyber risk had increased over the past 12 months. Ransomware groups have heavily targeted the healthcare sector during that period, and many of those attacks succeeded; 58% of the IT professionals surveyed said their organization had experienced a ransomware attack in the past year.

Only 13% of IT security professionals regarded ransomware attacks as a major concern, with most confident that they could restore data if an attack occurred. Data breaches resulting in the loss of patient data were a far bigger worry: 52% of IT professionals ranked data loss as their top concern, while 23% named attacks on hospital operations as a key issue.

Defending against cyberattacks is becoming harder as the attack surface grows. Armis states there are already 430 million connected healthcare devices worldwide, and that number will keep rising. When asked about the riskiest devices and systems, building systems such as HVAC were the biggest concern, with 54% of IT professionals rating them as the top cybersecurity risk. Imaging machines were ranked among the riskiest by 43% of respondents, followed by medication dispensing devices (40%), check-in kiosks (39%), and vital sign monitoring devices (33%). Despite these concerns about the security of building systems and medical devices, 95% of IT professionals said they believed their connected systems and devices were patched and running the latest software.

The rise in cyberattacks on the healthcare sector is influencing decision making: 75% of IT professionals said recent attacks had strongly affected decision making, and 86% said their organization had appointed a CISO; however, only 52% said their organization was allocating more than sufficient funding for IT security.

The patient survey found that 33% had been the victim of a healthcare cyberattack, and while roughly half (49%) said they would switch healthcare providers if theirs suffered a ransomware attack, many patients are unaware of the scale of recent cyberattacks and how frequently they are now being reported. In 2018, healthcare data breaches were reported at a rate of one per day; in 7 of the last 12 months, the rate exceeded two per day.

Despite extensive media coverage of healthcare data breaches and vulnerabilities in medical devices, 61% of prospective patients said they had not heard of any healthcare cyberattacks in the past two years, indicating that many patients are unaware of the threat posed by ransomware and other cyberattacks. Patients do, however, understand the potential consequences: 73% of prospective patients recognized that a cyberattack could affect the quality of care they receive.

When asked about their privacy concerns, 52% of prospective patients said they were worried that a cyberattack could halt hospital operations and affect patient care, and 37% said they were concerned about the confidentiality of information accessible through websites.

There are clearly trust issues: only 23% of prospective patients said they trusted their healthcare provider with their sensitive personal information, compared with 30% who said they trusted their best friend with the same data.