Category: Cybersecurity News

Tenet Healthcare lost $100 million in income and mitigation expenses because of a cyberattack and data breach in Q2, 2022. Tenet Healthcare based in Dallas, TX is one of the biggest healthcare companies in the U.S. operating 65 hospitals and over 450 healthcare centers across the United States through its brands and subsidiaries. Last April 2022, Tenet encountered a cyberattack that prompted serious interruption to its IT programs and acute care procedures for a few weeks. The attack compelled the employees to work using pen and paper throughout the recovery phase, and at least one impacted hospital needed to briefly reroute ambulances to other hospitals. The attack likewise interfered with its telephone system, so doctors had to leave the building to make telephone calls. The cyberattack started on April 20, 2022 and impacted at least two hospitals. Tenet didn’t give to the public any details of the attack like whether it involved ransomware.

Based on Tenet’s Q2 2022 revenue report shows that the attack has got a $100 million unfavorable EBITDA (earnings prior to interest, taxes, amortization, and depreciation) effect. Adjusted admissions dropped by 5.3% year-over-year, with total admissions decreasing 8% from Q2 of 2021, and same-hospital net patient service income dropped 0.2% because of the cyberattack. Over the quarter, Tenet had a lower income of 68% in comparison to Q1 of 2021, which dropped to $38 million, and its operating income dropped by 6.4% to $4.6 million for the quarter. The attack was furthermore partially the reason for a 2.8-day growth in its outstanding accounts receivable.

CEO Saum Sutaria of Tenet mentioned that IT systems at the impacted hospitals needed to be completely rebuilt, and although the cyberattack had a considerable business and financial effect, Tenet continued to have a strong quarter. Sutaria stated the company got enough cybersecurity insurance coverage which helped to minimize the overall financial effect of the cyberattack. Its insurance plan covered $5 million in Q2 of 2022. Tenet shouldered a substantial cost because of the attack, however, it is similar to other cyberattacks like the Scripps Health ransomware attack. Five hospitals and 19 outpatient centers were affected, which resulted in $112.7 million in lost income and remediation expenses.

Tenet will additionally need to take care of other costs including the class action lawsuit filed against it in Florida in June. Allegedly, Tenet didn’t use enough security measures to secure against cyberattacks and didn’t give enough notifications to impacted persons. The lawsuit additionally claims that notification letters were not sent to all persons impacted by the data breach.

The Cyber Safety Review Board (CSRB), created by President Biden in February 2022, has released a report about the Log4j vulnerability (CVE-2021-44228) and related vulnerabilities that were found in late 2021. The vulnerabilities impact Log4j, the open source Java-based logging tool. CSRB states that they are very prevalent and will probably stay in a lot of systems for a long time.

The Log4j vulnerability could be exploited remotely to do code execution on susceptible systems and was designated a maximum CVSS severity score of 10 out of 10. Based on the report, the vulnerabilities are considered one of the most serious to be identified in the past few years.

The CSRB consists of 15 cybersecurity heads from the private industry and government and was designated to conduct reviews of big cybersecurity occurrences and make suggestions for bettering public and private segment cybersecurity. The Log4J vulnerability report is the first to be publicized by the CSRB.

According to Secretary of Homeland Security Alejandro N. Mayorkas, the country’s cybersecurity is at a critical juncture, as the ability to deal with risk is not keeping pace with developments in the digital space. Thus, the Cyber Safety Review Board is an institution seeking to improve cyber resilience in unprecedented means. The CSRB’s first-of-its-kind evaluation has provided the government and the industry with clear, actionable advice that DHS can help put into action to reinforce cyber resilience and enhance the public-private relationship that is so essential to collective security.

For the Log4j vulnerability evaluation, the CSRB engaged with about 80 organizations to have a knowledge of how the vulnerability is being mitigated, so as to develop actionable recommendations to avoid and successfully respond to future incidents similar to this.

The report is divided into three sections, offering factual details regarding the vulnerability and what took place, the results and conclusions according to the evaluation of the information, and a list of suggestions. The 19 actionable recommendations are split into four categories: Deal with the ongoing threats from theLog4j vulnerabilities; drive current best practices for safety hygiene; create a better software system; and investments in the future.

One of the most crucial recommendations is to make and keep an accurate IT asset inventory, as vulnerabilities cannot be resolved if it is unfamiliar where the vulnerabilities are found. It is important to have a complete software bill of materials (SBOM) that has all third-party software parts and dependencies utilized in software solutions. One of the greatest issues with dealing with the Log4j vulnerabilities is understanding which products were affected. The report additionally suggests that enterprises develop a vulnerability response plan and a vulnerability disclosure and handling process and recommends the U.S. government to inspect whether a Software Security Risk Assessment Center of Excellence is practical.

This is the first time the industry and government cyber leaders joined together like this to evaluate serious incidents, find out what happened, and advise the entire community on how to do much better later on.

University Pediatric Dentistry based in Buffalo, NY, has begun informing 6,843 patients about the exposure of some of their protected health information (PHI) because of an email security incident.

The provider secured its email system right away after detecting the breach. Forensic specialists confirmed that an unauthorized third party accessed two email accounts from January 12, 2022 to January 19, 2022. According to University Pediatric Dentistry, it was discovered on April 25, 2022, that the compromised email messages and file attachments contained patient information, which was likely viewed or stolen.

The exposed data included patient names, contact data, birth dates, Social Security numbers, government ID numbers, driver’s license numbers, treatment and diagnosis details, names of providers, patient account numbers, medical record numbers, prescription details, dates of service and/or medical insurance data. The financial account data of some patients were also exposed.

People whose driver’s license numbers or Social Security numbers were exposed received free credit monitoring and identity theft protection services. University Pediatric Dentistry stated that technical security procedures will be put in place to safeguard and keep track of its email system.

Eye Care Leaders Data Breach Impacts Several More Eye Care Practices

The number of eye care centers affected by the data breach at Eye Care Leaders is still growing. Aloha Laser Vision in Hawaii, Mattax Neu Prater Eye Center in Missouri, and Sight Partners Physicians in Washington are among the latest known to be impacted. No less than 33 eye care companies have stated they were affected by the cyberattack and the data of more than 2.9 million people were potentially exposed.

Cyberattack Announced by Michigan Avenue Immediate Care

Michigan Avenue Immediate Care (MAIC) located in Chicago, IL, has just reported a hacking incident by which an unauthorized third-party gained access to its computer system and exfiltrated files that contain sensitive patient information. The cyberattack was identified on May 1, 2022. MAIC confirmed on May 12, 2022 that the files taken from its network included some patient data.

The types of records contained in the files varied from one person to another and may possibly include names, telephone numbers, addresses, dates of birth, Social Security numbers, driver’s license numbers, treatment details, and/or health insurance data. Affected persons were notified via mail and were given complimentary membership to the Experian IdentityWorks Credit 3B service for one year.

The incident is not yet posted on the HHS’ Office for Civil Rights breach website, thus it is currently not clear how many people were impacted.

OrthoNebraska Email Account Compromised

Orthopedic clinic OrthoNebraska located in Omaha, NE has lately reported that an unauthorized individual accessed the email account of an employee. The breach happened in early December 2021 and was discovered because the email account was utilized to send spam emails. An analysis of the affected email account showed that the emails and file attachments included protected health information (PHI) of some patients, and that sensitive information could have been seen or obtained.

The exposed details contained names, demographic data, Social Security numbers, state ID numbers, driver’s license numbers, usernames/passwords, medical insurance, claims information, and medical histories. Impacted persons were informed through the mail and credit monitoring and offered identity theft protection services. Up to now, there was no evidence found that indicates the actual or attempted misuse of any patient information. OrthoNebraska said it has offered additional data security training to the employees and implemented additional safeguards to enhance email security.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

A bipartisan bill called The Strengthening Cybersecurity for Medical Devices Act was introduced which requires the U.S. Food and Drug Administration (FDA) to evaluate and revise its policies on the cybersecurity of medical devices more often to make sure devices are secured from cyberattacks and potential hacking.

Sen. Jacky Rosen (D-NV) with co-sponsor Sen Todd Young (R-IN) introduced the bill calling for the Secretary of the Department of Health and Human Services (HHS) and the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to give updated policies on medical device cybersecurity to FDA annually, and for the FDA to give updated policies and recommendations on medical device cybersecurity once every two years. The regularity of updates must be enhanced to make sure the guidelines stay up-to-date, particularly considering the quick-changing threat landscape and the degree to which the healthcare sector is being attacked by cyber threat actors.

Sen Young stated that medical devices are more and more linked to the web or other medical care facility systems to give features that enhance the capability of health care companies to treat individuals. The bill helps to make sure medical devices are secured from cyberattacks and utilized safely and securely so as to minimize threats and vulnerabilities for individual patients.

The bill additionally requires the FDA to publish facts publicly regarding government resources for healthcare experts, medical device producers, and health systems that will enable them to determine and deal with vulnerabilities and to make sure they can acquire proper support. The Strengthening Cybersecurity for Medical Devices Act additionally calls for the Government Accountability Office (GAO) to put together a report about cybersecurity vulnerabilities impacting medical devices and to give suggestions for enhancing government coordination to help cybersecurity for medical devices.

Senator Rosen said that because of growing cyber threats, the health care system’s cyber infrastructure must be strengthened. This bipartisan will make sure that medical devices and systems are updated with the most recent cybersecurity, safeguarding patients and health care networks.

For the past 15 years, Verizon has been making annual Data Breach Investigation Reports (DBIR). The report this year confirms just how terrible the last one year has been. Verizon explained the last 12 months as representing an unrivaled year in the history of cybersecurity. The financially inspired crooks and nefarious nation-state actors have seldom if ever, emerge swinging the way they did over the past year, explained Verizon.

The 2022 DBIR was put together along with 87 partner companies utilizing data from 23,896 security incidents. 5,212 of the cases were confirmed data breaches, 849 of the cases assessed in the report happened in the healthcare industry and 571 of those cases resulted in affirmed data breaches.

The report confirms that there was a significant surge in ransomware attacks in 2021, growing by 13% from the prior year. To include some opinion, the growth is bigger than the mixed increases in the past five years. As Verizon remarks in the report that ransomware is simply a means of using access to victims’ systems, however, it has proven to be specifically effective at making money with illegal access to sites and private information. 25% of data breaches in 2021 used ransomware.

The most typical vectors in ransomware attacks entailed the use of stolen credentials, mainly for desktop sharing software programs, which offered initial access in 40% of ransomware attacks. Phishing was the second most popular vector in ransomware attacks, offering preliminary access in 35% of attacks, then the exploitation of vulnerabilities in web programs and direct installs. The substantial percentage of attacks associated with remote desktop software and email shows the value of locking down RDP and protecting email.

The rise in ransomware attacks is worrying, and so is the increase in supply chain attacks, which are the reason for 62% of system interruptions. Supply chain attacks could be carried out by financially driven cyber actors, although quite often they are utilized by nation-state actors to obtain persistent access to systems for spying purposes.

Protecting against cyberattacks demands action be done to deal with the four major ways that result in gaining initial access to systems, which are botnets, phishing, credentials, and exploitation of vulnerabilities. Although insiders can and do bring about data breaches, definitely the primary cause is external actors. Breaches caused by external actors exceed insider breaches by four to 4. Though external attacks are a lot more likely, the median number of records impacted in insider breaches is a lot higher.

Human error continues to play a big part in data breaches. 13% of data breaches were misconfigurations, typically of cloud storage solutions, and 82% of all data breaches assessed in the previous year had a human component. 25% of all breaches in 2021 were due to social engineering attacks, showcasing not just the significance of employing advanced email defenses but additionally giving recurrent security awareness training to the staff.

The top three attack strategies were just like last year, though switching positions. System intrusions took the number one spot, next was web application attacks, and then social engineering. In healthcare, the top causes of data breaches were web application attacks, miscellaneous errors, and system intrusions, which caused 76% of all data breaches.

Verizon mentioned that although insiders have always been a top reason for data breaches in medical care, the growth in web application attacks has resulted in external threats exceeding insiders. Healthcare staff prompted 39% of breaches in 2021, which is significantly greater than the 18% across all other industry groups. Although there will continually be malicious insiders in the healthcare industry, workers are 2.5 times more probable to make a mistake than to maliciously exploit their access to information, with misdelivery and loss the most typical errors made in medical care.

The average ransom payment associated with ransomware attacks diminished by 34% in Quarter 1 of 2022, from a record high in 4th Q of 2021, based on ransomware incident response company Coveware. The average and median ransom payment in Quarter 1 of 2022 was $211,259 and $73,906, respectively.

The drop in total ransom payments was related to a number of factors. Coveware says ransomware groups were targeting smaller businesses and issuing lesser ransom payments, because of the growing scrutiny by law enforcement whenever attacks are done on large companies. The median organization size is dropping since Quarter 4 of 2020, and is currently with about 160 workers. This seems to be the sweet spot, where the organizations have enough income to get big ransom payments, however not so big that attacks will prompt appreciable scrutiny by authorities.

One more reason why total ransom payments have dropped is the reduced number of victims of ransomware attacks who were paying the ransom. The number of subjects of ransomware attacks that pay the ransom is gradually declining, from 85% of victims in 1st Q of 2019 to 46% of victims in Quarter 1 of 2022. Also, a few of the most well-known ransomware operations had been quiet, like Maze and REvil (Sodinokibi).

LockBit and Conti are the most high profile ransomware operations, accounting for 16.1% and 14.9% of ransomware attacks respectively, then BlackCat/Alphv (7.1%), Hive (5.4%), and AvosLocker (4.8%). Coveware advises that the affiliates who partner with ransomware-as-a-service operations seem to be less eager to work together with large RaaS groups because those groups are usually targeted by law enforcement. It is currently common for affiliates to try scaled-down RaaS operations or possibly make their own ransomware variants using leaked source code.

The most typical attack vectors in ransomware attacks are exploiting unpatched vulnerabilities in software apps and operating systems, phishing, and Remote Desktop Protocol connections. Coveware has seen a rise in other attack vectors as of 2nd Q, 2021, for instance, social engineering and the direct compromise of insiders. Social engineering attacks are comparable to phishing however are remarkably targeted and usually include preparing or grooming targeted staff members before convincing them to give access to the network. There has additionally been a growth in solitary wolf attackers. Coveware knew the development in late 2021, and it has carried on all through the 1st Q of 2022. Attacks by these threat actors are generally carried out on businesses that have much better security than the common ransomware victim, like multi-factor authentication appropriately enabled for all workers and critical resources.

The Maze ransomware operation began utilizing double extortion tactics in late 2019.  That is, data is stolen from victims prior to file encryption. Payment is then demanded for the decryptor and to avoid the publication or sale of stolen information. These tactics were quickly followed by numerous ransomware operations and grew to be the norm, even though there was a fall in attacks concerning encryption and extortion in Quarter 1 of 2022. Double extortion was utilized in 84% of attacks in 4th Q of 2021, and 77% of attacks in 1st Q of 2022. Although double extortion is probably broadly employed in attacks for the near future, Coveware thinks the change from data encryption to data extortion will keep on, because data theft and naming and shaming of affected individuals will only call the interest of authorities. Data theft without encryption leads to no operational interruption yet maintains the capability of the threat actor to extort the affected individual. We anticipate this change from Big Game Hunting to Big Shame Hunting to carry on, explained Coveware in the report.

Coveware warned about giving the ransom demand to avert the posting or selling of data, as there are no guarantees that payment will bring about data deletion. In 63% of attacks wherein a ransom payment was made to stop the publication or selling of stolen information, the attackers gave no proof of data removal. In the rest of the attacks where evidence was offered, it could very easily be faked. When videos, screenshots, live screen shares, or deletion logs are given as proof, victims should have faith that a copy of the information was not made. In one prominent case, a threat actor explicitly stated that the stolen data will not be deleted if paid, and would keep it for future use against the victim, stated Coveware.

Microsoft’s Digital Crimes Unit (DCU) disabled the well-known ZLoader cybercrime botnet that was utilized to transmit Ryuk ransomware in attacks on healthcare companies. Microsoft recently acquired a court order from the United States District Court for the Northern District of Georgia approving the seizure of 65 hard-coded domains the ZLoader botnet uses for command-and-control communications. Those websites were now sinkholed, stopping the botnet operator from connecting with devices attacked with ZLoader malware.

ZLoader malware contained a domain generation algorithm (DGA) which is activated when it’s not possible to communicate with the hard-coded domains, which works as a failsafe against any takedown attempts. The court order additionally permitted Microsoft to grab 319 DGA-registered domains. Microsoft is taking steps to prohibit the registration of any more DGA domains.

ZLoader is associated with a family of malware variants that came from the ZeuS banking Trojan. In the beginning, ZeuS was employed for credential and financial theft, with the purpose of getting money from victims’ financial accounts. The threat actor behind the malware then started a malware-as-a-service operation to send malware and ransomware to other threat actors like Ryuk.

Ryuk ransomware was broadly utilized in attacks on the healthcare sector since its appearance in 2018, and ZLoader was one way of delivering the ransomware. ZLoader could disable a well-known antivirus solution to avert detection, and the malware was installed on lots of devices, which are mostly in education and medical care.

The takedown of the botnet is substantial; nevertheless, the botnet operators are probably already working to create new command and control infrastructure. Microsoft stated the seizure was a success and resulted in the short-term disabling of the ZLoader system, which has made it harder for the organized criminal gang to carry on with its malicious activities.

The case has been referred to law enforcement, who are monitoring this activity directly and will carry on and work with our partners to keep track of the conduct of these cybercriminals. Microsoft will work together with internet service providers to determine and remediate victims. Microsoft additionally affirmed that it is ready to take further legal action and employ technical procedures to handle ZLoader and other botnets.

Microsoft furthermore named Denis Malikov, who resides in Simferopol on the Crimean Peninsula, as someone who is considered to be accountable for making a component of the malware that was employed for transmitting ransomware. This suggests that cybercriminals are not allowed to hide behind the anonymity of the internet to commit their criminal offenses.

Microsoft mentioned that the cybersecurity firm ESET, Black Lotus Labs, and Palo Alto Networks’ Unit 42 team assisted with its investigation of the ZLoader operation. The Health Information Sharing and Analysis Center (H-ISAC), the Financial Services Information Sharing and Analysis Centers (FS-ISAC), the Microsoft Threat Intelligence Center, and the Microsoft Defender Team also provided additional insights.

Why Healthcare Experts Could Not Avoid HIPAA

One of the goals of HIPAA is to give a federal ground of privacy protections for personally identifiable health information kept by Covered Entities. To accomplish this goal, the Privacy and Security Rules put standards that Covered Entities should adhere to so as to secure the privacy of “Protected Health Information” (PHI). The inability to conform to the HIPAA standards may bring about large financial fines – even if no data breach happens and PHI isn’t exposed.

The majority of healthcare providers are Covered Entities and, therefore, need to enforce guidelines and procedures to adhere to the Privacy and Security Rule criteria. As workers of Covered Entities, healthcare experts should follow their company’s policies and procedures. For this reason, healthcare experts are not able to avoid HIPAA. Nevertheless, this isn’t the sole reason why HIPAA compliance is essential for healthcare experts.

The Advantages of HIPAA Compliance for Healthcare Experts

Trust is very important in a patient/healthcare specialist relationship. Patients rely on their healthcare specialists with personal information about their lives simply because they believe that healthcare specialists work to accomplish the best health results. Nevertheless, trust may be a delicate thing. If their personal details are compromised because of a HIPAA violation, patients may hold back data important to the giving of care in spite of the possible long-lasting effects on their wellness.

Healthcare experts can minimize the risk of breaking trust by following the guidelines and procedures enforced by their company to avoid HIPAA violations. If patients are assured their privacy is being protected, this encourages trust – which results in giving better care so as to realize optimal health results. Better patient results boost the morale of healthcare experts and bring about more gratifying work life.

The Professional and Individual Implications of Noncompliance

One of the guidelines a Covered Entity needs to impose is a sanctions policy for when the noncompliance of members of its staff with HIPAA guidelines and procedures. Covered Entities must implement the sanctions policy and address HIPAA violations by healthcare specialists since, when they don´t implement the sanctions policy, it’s a HIPAA violation by the Covered Entity. In addition, when the Covered Entity doesn’t act, noncompliance could turn into a cultural convention.

Getting sanctioned for a HIPAA violation has professional and individual effects on healthcare specialists. Penalties can vary from spoken warnings to the revocation of professional accreditation – which will make it hard for a healthcare specialist to acquire another work – and, when there’s a criminal conviction because of the noncompliance, it will probably be announced in the press which will have consequences for a healthcare specialist´s personal track record.

Who is Accountable for HIPAA Violations?

As stated earlier, the inability to follow HIPAA is not the healthcare specialist´s fault at all times. Though Covered Entities must give training about policies and procedures that correspond with healthcare specialists´ functions, they might not have the materials to give training on every imaginable situation a healthcare specialist may come across, or to keep track of compliance 24/7 so as to avoid the creation of cultural norms.

As a result, unintentional HIPAA violations can happen because of an absence of understanding. Nevertheless, Covered Entities are not ready to accept accountability for unintentional violations at all times because of a lack of understanding as it means they were unable to perform a complete risk evaluation, disregarded a threat to PHI privacy, and were unable to give required and proper training – or, when a cultural norm has been created, failed to keep track of compliance with guidelines and procedures.

How You Can Avert Unintentional HIPAA Violations

To steer clear of unintentional HIPAA violations and the professional and individual penalties of noncompliance – regardless if they aren’t your wrongdoing – it is best to make sure your understanding of HIPAA addresses every facet of your role and the cases you may come across. To attain this stage of information, you must use third-party HIPAA training programs that offer you an exhaustive understanding of HIPAA and its guidelines and regulations.

Accepting responsibility for your personal HIPAA knowledge – and utilizing that understanding to work in a HIPAA-compliant way – safeguards your career, enhances your job prospects, and allows you to get more from your career. Granted the choice, the majority of healthcare experts would choose to work in a setting that works compliantly to provide better patient results, in which morale is great, and wherein the healthcare specialist has a more fulfilling work encounter.

A recent Software Advice survey of healthcare organizations provides observations on healthcare data breaches, their actual causes, and the various security procedures at small and large healthcare companies.

The survey involved 130 small practices with 5 or fewer licensed providers and 129 big practices having six or more providers to know the security problems they face and the steps each group has made to protect against cyberattacks and data breaches. With both groups of healthcare providers, more than 50 percent store over 90% of patient information digitally, for instance, patient records, medical histories, and billing records. Even though digital records are more useful, there is a threat that hackers could acquire access to patient records.

Hackers have a tendency to target bigger practices rather than small practices, depending on the number of reported data breaches. 48% of large healthcare organizations stated they had encountered a data breach previously, and 16% claimed they had experienced a breach in the past 12 months. 23% of small practices had suffered a breach in past times with 5% suffering from a breach in the last year. By far the major cause of data breaches was human error. 46% of small practices and 51% of big practices stated human error was the top reason for data breaches.

23% of small healthcare practices mentioned they had encountered a ransomware attack before, compared to 45% of large practices. 5% of the attacks on small healthcare companies and 12% of attacks on large healthcare organizations happened in the last 12 months. 76% of small practices and 74% of big practices stated they had recovered at least part of their information from backups without making ransom payments, which demonstrates the great importance of having very good backup plans. That is particularly essential as paying the ransom doesn’t ensure the restoration of files. 23% of small practices made ransom payments to restore their files compared to 19% of big healthcare companies, however, 14% of small healthcare organizations stated they failed to retrieve their files after ransom payment.

11% of big practices completely lost their files because of the attack, 7% acknowledged data loss and 4% made ransom payments yet still failed to recover their files. The majority of the healthcare companies didn’t express how much was the ransom payment. Two small practices mentioned they paid approximately $5,000 -$10,000 and two paid roughly $25,000 – $100,000.

To protect against attacks, healthcare companies have put in place a variety of technical safety steps, with the most typical solutions such as firewalls, antivirus software programs, email security options, and data backup technology. Small practices were spending more money compared to large organizations on antivirus solutions, and although such options are crucial, it is likewise critical to spend on email and networks security resources. Bigger companies with more finances were more probable to purchase those resources and be better shielded because of that. Software Advice recommends that smaller healthcare organizations ought to think about lowering spending on antivirus applications and enhancing email and network protection because that could help to avert even more data breaches.

It is critical not to overlook the human aspect of cybersecurity, particularly since many data breaches were ascribed to human error. Giving security awareness training to staff is demanded by the HIPAA Security Rule, nevertheless, it shouldn’t only be a checkbox choice. Frequent security awareness training to train workers on how to identify and prevent threats can significantly minimize the risk of a successful cyberattack however 42% of small practices and 25% of large practices stated they spent under 2 hours on privacy and security awareness training for staff members in 2021.

Two-factor authentication is an essential security measure to avoid the usage of compromised credentials to acquire access to accounts. Microsoft has earlier mentioned that two-factor authentication can prohibit over 99% of programmed attacks on accounts. It is wonderful that 90% of big practices have enforced 2FA somewhat, nevertheless, small practices are a lot less likely to employ 2FA to safeguard their accounts. 22% of small practices stated they haven’t used 2FA yet and 59% just use 2FA on a few programs.

Using all data protection software available is not a wise choice as it results in your vulnerability to other ways of attack or breach, for example, circumstantial exposure or human error. Rather, protect yourself on several fronts, advises Software Advice. That entails training staff members, buying the right security tools to secure data, and creating an action plan to help offset ruin in case of a breach or attack.

New Jersey Brain and Spine (NJBS) has lately reported it encountered a cyberattack on or about November 16, 2021, that encrypted information on its system. NJBS stated it quickly took action to protect its network and had a computer forensic company look into the security breach. Although no proof was discovered that indicates there was any improper use of patient information due to the attack, the forensics agency mentioned the attacker might have viewed files that contain patient records.

A third party vendor conducted an evaluation of all files on its network that was possibly accessed, and although the data mining procedure is in progress, it was affirmed that the files comprised data such as names, email addresses, physical addresses, birth dates, phone numbers, social security numbers, driver’s license numbers or other ID numbers, financial account details, credit or debit card data, and health details. Notification letters had been mailed to impacted people on March 10, 2022.

NJBS stated that right after the breach, a number of steps were done to better safeguard patient information, such as using two-factor authentication, migrating patient information to a third-party hosted cloud-based system, and setting up a new server. NJBS has additionally used an ongoing monitoring response solution that monitors user activity, services, and ports, and synchronizes logging.

The breach report was sent to the HHS’ Office for Civil Rights revealing that approximately 92,453 persons were affected.

Highmark Inc. Patients Impacted by Breach at Printing and Mailing Provider

Highmark Inc., a non-profit healthcare firm and Integrated Delivery Network located in Pittsburgh, PA, has just announced that certain HIPAA-protected records were compromised in a data breach at Quantum Group. Webb Mason offers marketing services to Highmark and uses the printing and mailing vendor, Quantum Group.

Webb Mason gave Quantum Group access to patient information in 2017 to help with marketing projects for Highmark, and that data was likely accessed by unauthorized people. Highmark emphasized that its own IT solutions were not exposed.

Highmark said the breach impacted around 67,147 persons, who were provided free online identity monitoring services for 12 months.

Dialyze Direct Notifies Patients Regarding PHI Breach in Cyberattack

Dialyze Direct, a provider of kidney care services based in Neptune City, NJ, has experienced a data breach that has impacted about 14,203 patients. Based on a March 10, 2022 data breach notification, Dialyze Direct mentioned it found out on February 14, 2022, that an unauthorized person got access to a worker email account from January 21, 2021 to March 4, 2021.

A thorough evaluation of the email account established it included patients’ protected health information (PHI) like names, dates of birth, Social Security numbers, government ID numbers, financial account data, payment card details, and medical data that likely includes financial identification numbers, medical diagnostic and treatment information, and/or medical insurance plan details.

Notification letters were delivered to affected persons. People whose Social Security numbers were possibly exposed were given complimentary credit monitoring services. Dialyze Direct stated it has identified no information that indicates the misuse of any patient data.

The healthcare industry had an awful 2021 in terms of data breaches with over 50 million records breached and above 900 data breaches were reported by databreaches.net. Considering the magnitude to which the healthcare sector is attacked by cyber actors, the danger of a data breach happening is high. A SecureLink/Ponemon Institute review in 2021 discovered 44% of healthcare and pharmaceutical firms encountered a data breach in the last year.

Although steps can be done to enhance defenses to avoid cyber attacks from succeeding, healthcare companies must be ready for the worse and must have an incident response plan set up that could be promptly started in the event of a cyberattack. With correct planning, when a cyberattack happens, healthcare providers will be prepared and will be able to recover in the least possible time frame.

Regular exercises ought to be done to make sure everybody knows their duties and that the plan works. Oftentimes, cyberattack victims see that their incident response plan is not enough or ineffective due to inadequate testing, which may bring about a slow and expensive response to a cyberattack.

This month, Immersive Labs issued its 2022 cyber workforce benchmark report, which contained data from about 2,100 institutions from a variety of industries that utilize the Immersive Labs platform for performing cyber crisis simulations. Remarkably prized, high profile targets such as financial and technology services conducted the most cyber crisis exercises, doing an average of 7 and 9 exercises annually respectively, nevertheless, healthcare companies were near the bottom of the list, doing an average of 2 exercises annually.

In the event of a cyberattack, a lot of different people will be engaged in the response. It is for that reason crucial for those individuals to take part in exercises. It is not surprising that the more persons who are involved in incident response exercises the more prepared an organization will be to act in response to a cyberattack. Immersive Labs measured the performance of the exercises and found that every exercise that scored over 90% for effectiveness had about 11 people taking part. All but one of the crisis situations that had a score of less than 50% for effectiveness had just one person engaging. In healthcare, an average of 4 people joined in the exercises, in comparison to 21 in education and 7 in technology.

Immersive Labs examined performance with regard to the crisis response activities and computed a score dependent on the type of choices made all through the entire simulation. The average performance score in all exercises was 68%, which indicates there is substantial room for improvement. The prominent industry was manufacturing, with a performance rating of 85%. Worryingly, medical care performed the worst out of all industries for cyber crisis response by some distance, attaining a performance score of only 18% – substantially lower than the next worst-performing segment – financial services – which scored 45%.

Immersive Labs additionally analyzed the speed at which 35,000 members of cybersecurity teams at 400 large companies took to develop the expertise, abilities, and judgment to deal with 185 breaking threats. On average, it required 96 days for teams to grow the skills to secure against breaking threats. They discovered that mitigating against a vulnerability in the Exim mail transfer agent – which affected over 4.1 million systems and was being actively exploited – took security teams more than 6 months on average to grasp. CISA states vulnerabilities must be patched within 15 days from initial detection.

Developing the human skills to fight attackers is slow, particularly in healthcare. The best performing industry was leisure/entertainment, which took typically 65 days for security groups to build the required skills. In medical care, it had taken about 116 days. Only infrastructure, consulting, and transport performed worse. Throughout all industry sectors, the average time frame to develop the competencies to respond to threats was 96 days.

The current cyber crisis is an all-encompassing organizational tension. Stopping incidents that halt operations and ruin reputation, corporate value and stakeholder relationships demands a holistic response from the entire labor force. Reaching this sort of resilience calls for a constantly maturing responsive capability for technical and non-technical teams, created by exercising with a cadence that traditional tabletop exercises struggle to reach… exercising to collect evidence, and then utilizing these insights to equip teams with pertinent skills, is crucial to ongoing resilience.

The National Institute of Standards and Technology (NIST) wants to get comments on the advantages of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and ideas on any enhancements that may be made.

The NIST Cybersecurity Framework was introduced in 2014 to help public and private industry institutions to follow cybersecurity requirements and best practices to enhance their cybersecurity posture, better protect against cyber threats, and immediately determine and react to ongoing cyberattacks to restrict the damage that could be caused. The NIST Cybersecurity Framework is regarded as the gold standard for cyber threat management; nonetheless, that does not indicate enhancements couldn’t be made.

The latest update to the Cybersecurity Framework happened in April 2018. In the past four years, there have been substantial improvements to the cybersecurity threat landscape. New threats have surfaced, the tactics, techniques, and procedures (TTPs) utilized by cyber threat actors have improved, there are new technologies and security features, and more resources are accessible to help with the administration of cybersecurity risk. NIST is not looking at upgrading its Framework once again to take these variables into account.

The NIST Cybersecurity Framework has been used by numerous healthcare companies to strengthen cybersecurity, however, a number of healthcare institutions have experienced difficulties carrying out the Framework, and presently fewer than half of healthcare companies are keeping NIST standards. NIST would like to find out about the problems organizations have encountered putting into action the Framework and the commonalities and conflicts with other non-NIST frameworks and methods that are employed together with the NIST Cybersecurity Framework. There may be strategies for enhancing alignment or application of those approaches with the NIST Cybersecurity Framework. NIST wishes to receive recommendations on modifications that could be made to the characteristics of the Framework, functions that ought to be added or eliminated, and any other methods that NIST can develop the Framework to make it more beneficial.

Aside from the responses on the Cybersecurity Framework, NIST has requested feedback on potential advancements to other NIST guidance and standards, which include its guidance on bettering supply chain cybersecurity. NIST lately announced that it would start the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to deal with cybersecurity challenges in supply chains. NIST has asked for responses on challenges associated with the cybersecurity factors of supply chain risk management that can be resolved by the NIICS, and whether there are presently gaps in active cybersecurity supply chain risk management guidance and assets, such as the use of those resources to information and communications technology, operational technology, IoT, and industrial IoT.

NIST wants to receive all comments by April 25, 2022.

Increasing security functions is achievable with a limited budget by utilizing free cybersecurity tools and services. Numerous tools and services were created by government institutions, the cybersecurity community, and the public and private industry that could be utilized to boost defenses against damaging cyberattacks, identify possible intrusions quickly, and help providers respond to and manage security breaches.

Getting suitable free cybersecurity tools and services is often a time-consuming undertaking. To aid critical infrastructure companies lessen cybersecurity risk, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has put together a listing of services offered by CISA and other government agencies, open-source tools, and tools and services made and serviced by the cybersecurity community that may be used to strengthen protection, identification, response and the management of cyber threats.

The list of free cybersecurity tools and services is broken into four categories, dependent on the four goals described in already released guidance: CISA Insights: Implement Cybersecurity Measures Now to Protect Against Critical Threats.

• Minimizing the possibility of a damaging cyber incident;
• Identifying malicious activity fast;
• Responding properly to verified incidents; and
• Boosting resilience

All of the tools and services included in the listing were evaluated by CISA utilizing neutral principles and conditions; nevertheless, CISA does not confirm the suitability of any product or service, nor the efficiency of any solution for any specific use scenario. Although a number of commercial products and services were added to the list, CISA doesn’t recommend or provide any recommendations for employing those products and services. The information will be regularly modified by CISA to add new products and services and CISA welcomes any recommendations of additional products and services for future addition to the list.

Though all included tools and services may be beneficial for the enhancement or inclusion of new security features, they are no alternative for creating and enforcing a strong cybersecurity program. It is important to create such a system and make certain several foundational cybersecurity steps are implemented, such as dealing with known flaws in software and operating systems, placing strong passwords, employing multi-factor authentication, and ending bad cybersecurity practices like the extended use of legacy solutions that have arrived at end-of-life and are not supported anymore. CISA advises registering for its Cyber Hygiene Vulnerability Scanning service and obtaining sensitive Stuff of Search (S.O.S) to decrease Internet attack surfaces that are apparent to anyone making use of a web-based platform.

CrowdStrike has revealed its yearly threat report which indicates there was a serious boost in data leaks subsequent to ransomware attacks in 2021, growing by 82% from 2020. There were 2,686 ransomware attacks documented in 2021 as compared to 1,474 in 2020. The weekly average of ransomware attacks in 2021 is over 50.

Ransomware groups at the same time demanded bigger ransom payments in 2021, greater by 36% in 2021 in comparison to 2020. $6.1 million was the average ransom demand in 2021. The healthcare market was widely attacked by ransomware groups in 2021, though many threat actors claimed they wouldn’t execute attacks on healthcare companies. CrowdStrike monitored 154 ransomware attacks on healthcare companies in 2021, higher than 94 in 2020. Healthcare was number 6 out of all industry markets for information leaks. It was number 4 in 2020.

CrowdStrike mentioned the threat landscape has become far more jampacked in 2021, with many new adversaries appearing which include threat actors that have earlier not been greatly engaged in cyberattacks for example Colombia And Turkey. CrowdStrike found 21 new adversaries in 2021, with considerable growth in China-nexus And Iran-nexus threat actors.

A threat group monitored as Wizard Spider was one high-profile ransomware actor in 2021. Carbon Spider focused on big game hunting, Cozy Bear concentrated on attacking cloud systems, Prophet Spider employed the Log4j exploit for collection of credentials from online workspace services, and Aquatic Panda focused on the Log4j vulnerability and employed the Log4Shell exploit to obtain remote code execution on victims’ environments.

Iran-nexus actors substantially employed lock-and-leak tactics. Russian threat actors progressively attacked online environments. China-nexus threat actors concentrated on taking advantage of new vulnerabilities. CrowdStrike mentioned there was 6 times more vulnerability exploitation in 2021. Ten known adversaries or activity groupings engaged in those attacks. Merely 2 vulnerabilities were taken advantage of by Chinese threat actors in 2020, as opposed to twelve in 2021.

As of 2020, ransomware groups were exfiltrating sensitive information before encrypting files and were employing double extortion techniques on their victims. Victims are forced to pay money to get the keys to decrypt data files and to avert the exposure of the stolen information on data leaks websites. Though ransomware attacks were very common, there was furthermore a rise in data theft and extortion without the usage of ransomware and there was a lively market for vending stolen data on hacking communities and darknet portals.

Malware is frequently employed in cyberattacks nevertheless attackers are more and more evading the usage of malware and are employing legit credentials to gain access to systems and then living-off-the-land techniques, where current system tools are utilized as opposed to malware to evade security methods. In 2021, merely 38% of cyber attacks employed malware, 62% of attacks have nothing to do with malware.

CrowdStrike believes web-related threats will be more commonplace and grow in 2022 as threat actors choose targets that present direct access to big combined stores of high-value information. Threat actors are furthermore possible to broaden their tool arsenal to comprise of mobile malware 9nm 2022, and it is remarkably possible adversaries will still search for weaknesses in platforms employed by their targets in 2022.

To combat these threats, CrowdStrike proposes understanding the adversaries that are recognized to target your market, as this can enable you to better get ready for attacks. It is critical to secure all workloads and have a proven response plan to permit quick action to be undertaken in case of an attack. The rate of the response frequently dictates whether or not mitigations become successful or not.

Cloud misconfigurations are typically taken advantage of to obtain access to sizeable data storage. One strategy to lessen the risk of human error is to create new accounts and infrastructure making use of default patterns. Though it is necessary to employ technical steps to identify and discontinue attacks, it is furthermore crucial to invest in user awareness plans, as end-users may play a major role in avoiding data breaches, specifically identifying and averting phishing attacks and social engineering techniques.

Taylor Regional Hospital Still Affected by January Cyberattack

Taylor Regional Hospital based in Campbellsville, KY has encountered a cyberattack, which led to taking down its IT and telephone systems. The hospital reported the cyberattack on January 24, 2021. To date, the hospital continues to experience outages with selected computer systems and phone lines. There were temporary telephone lines set up so that patients can get in touch with the hospital whilst resolving the cyberattack.

Cyberattacks like this usually involve ransomware, however, no information has been available up to now regarding the actual nature of the attack, nor the time its IT systems are likely to be available. At this early phase, it is not clear if any patient data has been accessed or stolen by attackers.

An announcement on the hospital’s website said that the hospital continues to provide quality care to patients and it is working as fast as possible to securely bring back its IT systems on the internet. Patients are encouraged not to postpone seeking clinical care; nonetheless, without access to computer systems, patients were requested to bring details of their prescription medication with them to any visits that were previously planned.

The hospital stated routine outpatient labs will just be conducted for a limited time until further notice, and patients were informed to have a written order and patients ought to expect extended wait times than before. The walk-in COVID-19 clinic remains open although will accept patients on a first-come, first-served basis.

Data Stolen from Connecticut Accountancy Company Due to Cyberattack

The certified public accountancy company located in Glastonbury, CT, Fiondella, Milone & LaSaracina, has reported a cyberattack in September 2021. The company detected the security breach on September 14, 2021, and based on the forensic investigation, the hackers got access to its systems from September 9, 2021.

On or about October 13, 2021, it was confirmed that the attackers copied files and folders from its system that included the sensitive data of a number of people. The information probably breached was mainly limited to names and Social Security numbers. Some individuals also had the following ambulance trips related data stolen: service level, tracking numbers and date, payor types and category, mileage details, charge/payment details, billing review data, and remittance advice details, which may have included health care details.

Fiondella, Milone & LaSaracina mentioned an analysis of security measures was conducted and more safeguards will be put in place to stop other security breaches. There is no statement in the website breach notice about credit monitoring and identity theft protection services.

The accounting firm has sent the breach report to the HHS’ Office for Civil Rights indicating that 6,215 persons were affected.

Memorial Health System based in Ohio has lately confirmed that the ransomware attack it encountered in August 2021 possibly impacted the protected health information (PHI) of 216,478 patients. Because of the ransomware attack, the health system had to get selected patients to other hospitals and cancel a few appointments to make sure of patient safety. The hospital announced the attack immediately after the breach, which happened on August 14, 2021. The investigation revealed the first breach of its network happened on July 10, 2021.

The health system reported the incident to the HHS’ Office for Civil Rights immediately, however, during that time it was not known how many people were affected. Memorial Health System found out that patient data may have been impacted on or around September 17, 2021, then had a thorough assessment of all affected files. On November 1, 2021, the scope of the breach was confirmed however it took until December 9, 2021, to verify the persons impacted and the specific types of information involved, consequently there was a delay in sending notifications. Written notices were delivered to affected people on or approximately January 12, 2022.

The breached and potentially exfiltrated information included names, Social Security numbers, addresses, medical/treatment details, and health insurance data. Affected persons were provided a complimentary membership to Kroll’s credit monitoring service for 12 months. Since then, Memorial Health System has used extra safeguards to enhance its security posture.

MedQuest Pharmacy Data Breach Affects 39,447 People

In mid-December, MedQuest Pharmacy started sending notifications to 39,447 individuals regarding the potential compromise of some of their PHI because of a cyberattack that was identified on November 18, 2021. With the help of its parent companies, Innovations Group and UpHealth Inc, and independent cybersecurity specialists, MedQuest confirmed the attackers first acquired access to its systems on October 27, 2021. The unauthorized access was prevented on October 30, 2021.

A detailed evaluation of all impacted systems showed the attackers possibly accessed or obtained the following types of data: Names, birth dates, addresses, email addresses, telephone numbers, genders, medical record numbers, medical information, prescription data, date(s) of treatment, referring doctor names, health insurance policy numbers (which include Medicare or Medicaid number), and internal MedQuest patient ID number.

MedQuest stated that the driver’s license number, Social Security Number, financial account/payment card details, medical insurance claim number, policy details, and/or claim/appeal data of a very small number of persons likewise had been exposed. All affected people have been given a one-year free membership to credit and identity monitoring services of Equifax.

A Minnesota network of family medicine practices began sending notifications to approximately 200,000 patients concerning the potential compromise of some of their personal data and protected health information (PHI) due to a cyberattack on a business associate about a year ago.

It was stated in the breach notification letters sent by Entira Family Clinics to the affected people on January 13, 2022 that the breach happened at Netgain Technologies, which is the hosting and cloud IT solutions provider to organizations in the healthcare and accounting industries. Entira Family Clinics employed Netgain’s hosting and email services.

The healthcare organization mentioned the files likely compromised included names, Social Security numbers, addresses, and medical backgrounds. Entira said in its notification letters that they had their information technology (IT) support group working immediately upon being aware of the breach and engaged a law agency with a specialty in cybersecurity and data privacy to investigate. They also communicated closely with Netgain and its breach counsel concerning Netgain’s incident response and forensic investigation.

The investigation found no information of actual or attempted misuse of any personal records. Entira Family Clinics mentioned it is taking steps to enhance security and offset risk, and that process required an assessment and update of policies and procedures associated with the safety of its systems, servers, and life cycle administration. Security analysis was likewise done of the Netgain environment to make sure of the stronger security of the cloud hosting platform.

Entira Family Clinics offered the impacted individuals a complimentary membership to online credit monitoring services via IDX. The breach report submitted to the Maine Attorney General shows 199,628 persons were affected.

The notification letters distributed to the impacted people state that the provider found out that a data security incident on Netgain’s environment may have caused the accidental exposure of their personal data and that Netgain was recently targeted by a cybersecurity incident.

The date of the incident was not mentioned in the notification letters, therefore affected persons wouldn’t realize that the ransomware attack and data theft had happened over 12 months already on November 4, 2020.

Netgain stated the data breach in December 2020, and the majority of impacted firms were informed by February 2021. Many of the affected Netgain clients dispatched notification letters during the spring and summer months of 2021. It is uncertain why Entira Family Clinics delayed issuing notification letters for so long, and whether this was because of delayed notification from Netgain.

Additionally, this month, Caring Communities, a member-owned liability insurance provider in Illinois serving not-for-profit senior housing and care organizations, likewise sent notification letters regarding the Netgain data breach. The firm mailed notification letters on January 14, 2022, which stated the same things as those provided by Entira.

Caring Communities stated it is no longer using Netgain as its hosting provider and transferred its environment to a different service provider after being advised regarding the data breach and similar steps are being done to strengthen security. Affected persons have likewise been provided credit monitoring and identity theft protection services by means of IDX. It is currently not clear how many people were impacted. The notification letters additionally refer to the latest cyberattack on Netgain and did not talk about when the attack took place nor why the issuing of notification letters was long-delayed.

The gastroenterology healthcare company located in Bradenton, FL, known as Florida Digestive Health Specialists (FDHS) has recently informed around 212,000 patients concerning the potential compromise of their protected health information (PHI) due to a cyberattack last December 2020.

Attorney Jason M. Schwent of Clark Hill mailed breach notification letters to the affected patients on December 27, 2021. The notification letters stated that there was suspicious activity found in the email account of a worker on December 16, 2020. An unauthorized individual used the email account to send email messages.

This was a business email compromise attack. BEC attacks entail an attacker obtaining access inside an email account, typically by means of a phishing email, and then using it to impersonate the employee and persuading other individuals to do fake wire transfers. On December 21, 2020, FDHS found a fraudulent money transfer to an anonymous bank account.

FDHS engaged Clark Hill’s expert services and a third-party cybersecurity firm to check into the cyberattack. According to the investigation, unauthorized persons got access to several employees’ email accounts. The email accounts were known to be “voluminous” and contained the personal information and protected health information (PHI) of 212,509 patients. The goal of this type of attack is to obtain payments through bogus wire transfers and not to get patient data; still, data theft could not be ruled out.

The amount of data contained in the breached email accounts were used as a reason for delaying the sending of notification letters to the impacted patients for 12 months. FDHS explained that it took a long time to audit the email accounts, which only concluded on November 19, 2021.

As a result of the breach, several changes were done to its IT systems to improve safety. The safety procedures consisted of a password reset in all its IT networks, use of multifactor authentication, strengthening password criteria, and re-establishing of its firewall.

Affected individuals were provided zero-cost credit monitoring and identity theft protection services for one year.

One of the most severe healthcare ransomware attacks happened in Ireland at the beginning of 2021. A serious attack on the Health Service Executive (HSE), the national health system of the Republic of Ireland, allowed Conti ransomware to be deployed and shut down the National Healthcare Network. Consequently, healthcare specialists throughout the country could not access the HSE IT systems, which include patient records, clinical care systems, laboratory systems, payroll, as well as other clinical and non-clinical systems. This disrupted the healthcare services throughout the country.

After the attack, the HSE Board called on PricewaterhouseCoopers (PWC) to perform an independent post-attack analysis to confirm the facts associated with technical and operational readiness and the conditions that permitted the attackers to obtain access to its systems, copy sensitive information, encrypt data files, and extort money from the HSE.

Cybersecurity Problems that are Prevalent in the Healthcare Sector

PWC’s recently released report shows several security problems that permitted the infiltration of the HSE systems. Although the report refers to the HSE cyberattack, its results could be applied to numerous healthcare companies in the United States that have the same unresolved vulnerabilities and insufficient readiness for ransomware attacks. The PWC recommendations may be employed to reinforce security and prevent the same attacks from happening.

Although the HSE ransomware attack impacted a substantial number of IT systems, it began with a phishing email. On March 16, 2021, a staff got an email having a malicious Microsoft Excel spreadsheet attachment. Upon opening the attachment, the malware was installed on the unit. Even though the HSE workstation had an installed antivirus software, it failed to detect the malicious file because the virus definition list was not updated for more than a year.

After one device was infected, the attacker moved laterally inside the network, accessed a number of accounts having high-level privileges, obtained access to many servers, and exfiltrated information. On May 14, 2021, 8 weeks from the first compromise, Conti ransomware was widely deployed to encrypt files. The HSE discovered the encryption and de-activated the National Health Network to control the attack. However, healthcare specialists throughout the country could not access applications and vital information.

In that 8 weeks of systems compromise, suspicious activity was found on over one occasion which must have prompted an investigation into a possible security breach, however, there was no response on those notifications. If proper action was carried out, it would have been possible to prevent the deployment of ransomware and the exfiltration of sensitive information.

Simple Strategies Employed to Devastating Result

As per PWC, the attacker used well-known and straightforward attack techniques to maneuver around the network, determine and exfiltrate sensitive information, and use Conti ransomware in many areas of the IT network easily. The attack may have been a lot worse. The attacker may have exploited medical devices, damaged data at scale, employed auto-propagation systems like those employed in the WannaCry ransomware attacks and may have targeted cloud systems as well.

The HSE clearly stated that it wouldn’t pay the ransom. On May 20, 2021, after 6 days of shutting down the HSE IT system access to control the attack, the ransomware attackers released the decryption keys. Thanks to a strong attack response and the release of the decryption keys, severe effects had been prevented. But despite having the decryption keys, it was only on September 21, 2021 that the HSE had completely decrypted all files in its servers and reestablished about 99% of its software. The HSE approximated the cost of the attack can grow to as much as 500 M Euros.

Ireland’s Biggest Company Had No CISO

PWC stated the attack happened because of a low level of cybersecurity readiness, weak IT systems and controls, and workforce problems. PWC stated there was not enough cybersecurity leadership, since there was no person in the HSE in charge of giving leadership and guidance over its cybersecurity initiatives, which is quite uncommon for a company with the size and sophistication of the HSE. The HSE is Ireland’s biggest company and had more than 130,000 personnel and over 70,000 devices during the attack, although the HSE only had 1,519 employees with cybersecurity functions. PWC stated that the staff members responsible for cybersecurity didn’t have the required skills to execute the tasks required of them and the HSE should have a Chief Information Security Officer (CISO) having overall accountability for cybersecurity.

Insufficiency of Monitoring and Cybersecurity Controls

The HSE had no capability to efficiently check and respond to security notifications throughout its entire system, patching was slow and updates were not employed immediately throughout the IT systems linked to the National Health Network. The HSE was additionally dependent on one anti-malware solution which wasn’t being checked or efficiently maintained through all its IT environment. The HSE at the same time kept on using legacy systems having known security problems and staying greatly dependent on Windows 7.

The same vulnerabilities in people, procedures, and technology could be seen in a lot of health systems around the globe, and the PWC advice is applicable beyond the HSE to strengthen cybersecurity and make it more difficult for attacks like this to be successful.

The PWC report, advice, and learnings from the attack are available here.

The CyberPeace Institute has introduced new data on cyberattacks in the healthcare sector. Based on the most recent statistics, 295 cyberattacks are known to have been performed on the healthcare industry in the previous 18 months between June 2, 2020, and December 3, 2021. The attacks were occurring at a rate of 3.8 each week and have happened in 35 countries.

Those attacks consist of 263 incidents that were either affirmed as ransomware attacks (165) or are believed of involving ransomware (98), with those attacks happening in 33 nations at 3.4 incidents per week. Over the past 18 months, a minimum of 39 different ransomware groups have carried out ransomware attacks on the healthcare sector. Those attacks have mainly targeted patient care services (179), then pharma (35), medical manufacturing & development (26), and other medical agencies (23).

The CyberPeace Institute analyzed darknet publications, communication with ransomware gangs, and interviews and recognized 12 ransomware gangs that had mentioned they would not carry out attacks on the healthcare industry during the pandemic, yet still carried on to attack healthcare companies, with at least six of the 12 having done attacks on hospitals.

The definition of healthcare employed by the groups varies from what a lot of individuals would believe to be medical care. For instance, although all 12 of the ransomware gangs stated they wouldn’t target hospitals, many utilized vague words to describe healthcare, for instance, medical companies. Although that may show all healthcare was off-limits, numerous gangs regarded the pharmaceutical market to be fair game, considering that pharma firms were profiting from the pandemic.

Three ransomware operations confessed mistakes had been made and healthcare companies were attacked in error. They mentioned publicly that if a mistake is committed, the keys to decrypt files would be provided at no charge. Nonetheless, there were instances where there was some argument with regards to whether an entity was considered in the gangs’ definitions of exempt institutions.

It must be mentioned that whenever an attack happens and files are encrypted, the ruin is already there. Even when the keys to decrypt information are given cost-free, the attacked agencies still experience interruption to business functions and patient services. The way to restore data from backups is not an easy process and attacked companies still need to cover substantial mitigation fees. 19% of attacks were established as causing canceled consultations, 14% had patients redirected, and 80% had suffered the exposure or a leak of sensitive information.

The CyberPeace Institute stated a number of threat actors have specifically targeted the healthcare market. One example given was a member of the Groove ransomware operation who was actively looking for preliminary access brokers who can give access to healthcare sites. The Groove ransomware operation had the biggest percentage of healthcare targets than other fields according to its data leak website.

Data from Mandiant have shown that 20% of ransomware victims are in the healthcare industry, indicating the industry is being greatly targeted. The FIN 12 threat actor is well-known to target the healthcare industry, and ransomware operations for example Pysa, Conti, and Hive have big percentages of healthcare institutions in their listings of victims (4%, 9%, and 12% respectively).

Though there was some targeting of the medical care industry, a lot of ransomware gangs utilize spray and pray techniques and indiscriminately perform attacks that lead to the attack of healthcare providers being attacked together with all other industries. These attacks frequently involve attacks on Remote Desktop Protocol (RDP), indiscriminate phishing campaigns, or brute force attacks to guess weak passwords.

Regardless of whether the targeting of healthcare companies is by mistake, design, or indifference, ransomware operators are operating with impunity and are de facto characterizing which companies represent legitimate targets and what is off-limits. Their simplified distinctions disregard the complexities and interconnectedness of the healthcare field, in which assaulting pharmaceuticals during a pandemic can have an equally harmful human impact as attacking hospitals.