Lake County Health Department Informs 25,000 Patients Regarding Two Data Breaches

The Lake County Health Department in Illinois has announced two data breaches that may have exposed the personal data and protected health information (PHI) of about 25,000 patients.

The first breach occurred in 2019 when a Lake County Health employee forwarded an unencrypted email from their work account to another employee’s personal email address. Attached to the email was a spreadsheet of medical record requests received between December 2016 and June 2019. The requests had been made through a third-party vendor that handled release-of-information requests on behalf of the department. The spreadsheet contained the names of 24,241 patients along with dates related to the vendor’s handling of the requests.

Lake County Health discovered the breach on July 22, 2019, but notification letters were not sent to affected patients until July 2021. The almost two-year delay occurred because department officials did not believe notification was required, reasoning that no PHI had been compromised. The Department of Health and Human Services disagreed and required notification letters to be issued because PHI may have been exposed: a patient’s name linked to the fact that a medical record was requested is itself PHI, and a copy sent to a personal mailbox is a disclosure the department can neither control nor audit.

A second breach was identified on May 14, 2021. It involved a Google spreadsheet containing the names, dates of birth, email addresses, telephone numbers, and COVID-19 vaccination status of 705 individuals, stored in an employee’s personal Google Drive account. Google Workspace (formerly G Suite), including Drive, can be used in a HIPAA-compliant manner when covered by a business associate agreement, but personal Google accounts are not covered: Google may process the contents of consumer accounts to personalize services and advertising. All affected individuals were senior citizens who had sought information about COVID-19 vaccination. They have already been notified.

Although both incidents resulted in patient data being exposed, Lake County Health said internal risk assessments found no evidence that any unauthorized party obtained or misused the information.

Since the breaches, the Lake County Health Department has implemented measures to prevent similar incidents, including encrypting all email messages and improving monitoring.

OIG Audit Finds Insufficient Oversight of the Cybersecurity of Networked Medical Devices in Hospitals

The HHS Office of Inspector General (OIG) has conducted an audit to determine the extent to which the Centers for Medicare and Medicaid Services (CMS) and Medicare Accreditation Organizations (AOs) require hospitals to have a cybersecurity program for networked medical devices, and what methods are used to assess the cybersecurity of those devices.

Cybersecurity controls are needed to protect medical devices that connect to the internet, to internal hospital systems, or to other medical devices. Without such controls, unauthorized individuals could access the devices and potentially harm patients. Networked medical devices include MRI, ultrasound, computed tomography, endoscopy, and nuclear medicine systems, as well as systems that interface with clinical laboratory analyzers, such as laboratory information systems. OIG reported that a large hospital may have around 85,000 medical devices connected to its network.

Although these devices are often isolated from other systems, they can sit on the same network as the electronic health record (EHR) system. Where cybersecurity controls are inadequate, they may be vulnerable to an attack that also affects critical clinical systems. No cyberattacks have been identified that were carried out specifically to harm patients, but patients may be harmed inadvertently by an attack conducted for other motives. In Germany in 2020, a patient died during a ransomware attack on a hospital: with the hospital unable to accept admissions, the patient was diverted to another facility and died before receiving treatment.

CMS has some cybersecurity requirements for hospitals but relies on state survey agencies and Medicare AOs to survey Medicare-participating hospitals. Those surveys are conducted once every three years. The Social Security Act requires AO survey protocols to be comparable to or stricter than those used by CMS.

For the audit, OIG submitted written interview questions to CMS and conducted telephone interviews with four AOs. The audit found that the CMS survey protocol does not include requirements for the cybersecurity of networked medical devices, and that AOs do not require hospitals to have cybersecurity programs that address networked devices.

OIG found that AOs do sometimes assess selected aspects of device cybersecurity. Two AOs had equipment maintenance requirements that may yield limited information about device cybersecurity. If a hospital identified networked device cybersecurity in its emergency-preparedness risk assessment, AOs would review its mitigation plans; however, most hospitals did not routinely include device cybersecurity in those risk assessments. AOs might also examine networked devices when evaluating hospital safeguards for medical record privacy. Neither CMS nor the AOs had any plans to update their survey requirements to address networked devices or cybersecurity more generally.

OIG recommended that CMS identify and implement an appropriate way to address the cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with HHS and other partners. CMS concurred with the recommendation and is considering additional ways to emphasize the importance of hospitals implementing cybersecurity for networked medical devices.

OIG suggested several ways CMS could improve its oversight and assessment of medical device cybersecurity. For example, CMS could clarify that its existing requirement to keep equipment in safe operating condition includes cybersecurity, emphasize that insecure medical devices connected to the EHR pose a risk to protected health information (PHI), and remind hospitals of their obligations under HIPAA, including the HIPAA Security Rule. CMS could also instruct surveyors to ask hospitals whether they considered the cybersecurity of networked devices when conducting their hazard vulnerability analyses.

NIST Creates Critical Software Definition for U.S. Government Agencies

President Biden’s Cybersecurity Executive Order (EO 14028) requires federal agencies to reassess their approach to cybersecurity, establish new methods for evaluating software, and adopt security measures that reduce risk, such as multi-factor authentication, encryption of data in transit and at rest, and a zero-trust architecture.

One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to publish a definition of critical software. The Cybersecurity and Infrastructure Security Agency (CISA) will use that definition to compile a list of the software covered by the Executive Order, and security requirements will be developed that federal agencies must follow when acquiring and deploying such software. These measures are intended to help protect against attacks such as the SolarWinds Orion supply chain attack, in which Russian state-sponsored threat actors gained access to the networks of several government agencies.

The Executive Order required NIST to publish its critical software definition within 45 days. NIST sought input from the public and private sectors and from several government agencies on what critical software actually is.

One of the objectives of the EO is to help establish a security baseline for critical software used across the Federal Government. Designating software as EO-critical will drive further actions, such as changes to how the Federal Government purchases and manages deployed critical software.

NIST defines critical software as software, or software with direct dependencies on components, that has at least one of the following attributes:

  1. It is designed to run with elevated privilege or to manage privileges.
  2. It has direct or privileged access to networking or computing resources.
  3. It is designed to control access to data or operational technology.
  4. It performs a function critical to trust.
  5. It operates outside of normal trust boundaries with privileged access.

The definition applies to all forms of software, whether it is integral to devices or hardware components, a standalone application, or cloud-based software, when purchased for or deployed in production systems or used for operational purposes. It covers a broad range of software, including security tools, operating systems, identity and access management software, hypervisors, network monitoring software, web browsers, and other software developed by private vendors and sold to federal agencies, as well as software developed in-house by government agencies for use on federal networks, including government off-the-shelf (GOTS) software.

NIST recommends that federal agencies initially focus on implementing the Executive Order’s requirements for standalone, on-premises software that performs security-critical functions or has significant potential to cause harm if compromised. Agencies should then move on to other categories, such as cloud-based software, software that controls access to data, and software components in boot-level and operational technology software.

NIST has published a preliminary list of EO-critical software categories; CISA will publish a more detailed, finalized list in due course.

Ransomware Attack on Reproductive Biology Associates, UF Health Central Florida and Georgia Hospital System

Reproductive Biology Associates, a fertility clinic in Georgia, has reported an April ransomware attack in which attackers exfiltrated files containing the personal data and protected health information (PHI) of roughly 38,000 patients.

The attackers gained access to a file server containing embryology data on April 7, 2021, and deployed ransomware to encrypt files on April 16, 2021. The files contained sensitive data on patients of Reproductive Biology Associates and its affiliate My Egg Bank North America. The compromised PHI included full names, addresses, Social Security numbers, laboratory test results, and information relating to the handling of human tissue.

The breach investigation concluded on June 7, 2021. Reproductive Biology Associates has not formally confirmed that a ransom was paid, but it stated that the attackers confirmed deletion of the stolen data and that all encrypted data has been restored. An attacker’s assurance that stolen data has been deleted cannot be verified, which is why continued monitoring matters.

Reproductive Biology Associates continues to monitor the web and dark web for signs of misuse of the stolen data. Affected individuals have been offered free credit monitoring and identity theft protection services, and a third-party cybersecurity firm has helped strengthen the security of its systems to prevent further attacks.

UF Health Ransomware Attack Affects Patient Care

UF Health Central Florida experienced a ransomware attack on May 31, 2021 that affected Leesburg Hospital and The Villages Regional Hospital. Following the attack, the health system implemented emergency downtime procedures and continued to provide patient care, with staff recording patient information on paper.

More than two weeks later, the hospitals remain under EHR downtime procedures while UF Health works to restore its systems and affected data, and the attack is now affecting patient care.

According to a recent WESH 2 News report, staff at the affected hospitals said they still cannot access the EHR, cannot retrieve medication details, and cannot confirm whether patients have particular allergies. Staff are also experiencing delays in obtaining laboratory results. Hospital employees told reporters that some patients received one medication when a different one had been ordered, and that medications due to be administered were unavailable. One employee voiced concern that something could go wrong if a medication was administered that staff believed had been ordered but had not.

It is currently unknown whether UF Health intends to pay the ransom or whether patient data was stolen. A UF Health spokesperson could not confirm when systems will be restored.

Georgia Hospital System Encounters Ransomware Attack

The St. Joseph’s/Candler (SJ/C) hospital system in Savannah, GA reported a ransomware attack on June 17, 2021. The attack blocked access to computer systems, and the hospital activated its emergency protocols. Staff are currently recording patient information on paper.

The attack was detected promptly and systems were isolated to limit the damage; however, it is too early to say which patient data, if any, was affected, or whether the attackers obtained patient data before the ransomware encrypted files.

SJ/C said it is continuing patient care operations using established backup procedures and other downtime measures. Its physicians, nurses and staff are trained to provide care in these circumstances and are committed to doing everything possible to minimize disruption and provide uninterrupted patient care.

Avaddon Ransomware Operation Shuts Down and Gives Decryption Keys

The Avaddon ransomware-as-a-service (RaaS) operation shut down on June 11 and released the decryption keys for all of its victims. BleepingComputer was sent an email containing a password and a link to a password-protected ZIP file. The file contained the private keys for 2,934 Avaddon victims. Emsisoft and Coveware verified that the keys are genuine, and Emsisoft has since released a free decryptor that any Avaddon victim can use to recover their files.

Avaddon was a relatively new RaaS operation that launched in March 2020. The group behind it recruited affiliates to carry out attacks and provided them with a portal through which they could build their own copies of the ransomware. Ransom payments were then split between the affiliate and the RaaS operator.

RaaS operations have shut down and released keys for unpaid victims before, but the timing of this shutdown suggests the operator may have grown nervous about the increased attention that governments and law enforcement agencies are paying to ransomware gangs.

Following the JBS and Colonial Pipeline ransomware attacks, the White House directed the Department of Justice to centralize its ransomware investigations and to treat such attacks with a priority similar to terrorism. White House deputy press secretary Karine Jean-Pierre said the administration would also send the message that responsible states should not harbor ransomware criminals, and that it would engage with the Russian government to urge it to take action against ransomware groups operating in the country.

The G7 nations also committed to taking action against ransomware, issuing a statement calling on Russia and other countries that may be harboring ransomware gangs to identify, disrupt, and hold accountable those who carry out ransomware attacks, launder ransom payments through virtual currency, and commit other cybercrimes. President Biden was also expected to raise the issue of ransomware groups operating from Russia with Vladimir Putin at the Geneva summit on June 16.

Shortly after the DarkSide ransomware attack on Colonial Pipeline, which disrupted fuel supplies on the East Coast, the DarkSide gang announced it was shutting down. The REvil and Avaddon gangs both announced that they were changing their rules and would no longer allow affiliates to attack critical infrastructure, governments, healthcare organizations, or educational institutions. That apparently was not enough for the Avaddon operators. It remains to be seen whether the operation has been shut down for good or whether the operator is simply lying low; it is not unusual for ransomware operations to cease, rebrand, and resume attacks weeks or months later.

Emsisoft threat analyst Brett Callow told BleepingComputer that the recent actions by law enforcement have made some attackers nervous, and that this is the result; let’s hope others will go down too.

IT Security Company COO is Facing Lawsuit Due to Cyberattack on Georgia Medical Center

The Chief Operating Officer of an IT security company has been indicted over a financially motivated cyberattack on Gwinnett Medical Center in Lawrenceville, GA in September 2018.

Vikas Singla, 45, of Marietta, GA is the COO of Securolytics, a network security firm in the metro Atlanta area. On June 8, 2021, a federal grand jury indicted Singla for allegedly accessing the hospital’s systems, disrupting its phone and network printer services, and stealing information from a Hologic R2 digitizing device.

The Department of Justice said the attack was carried out, in part, for financial gain and commercial advantage. According to court documents, at least 10 protected computers were damaged in the incident. It is unclear whether Singla or his company had any prior business relationship with Gwinnett Medical Center, or why the hospital was targeted.

Singla was arraigned in the U.S. District Court for the Northern District of Georgia on June 10, 2021 on 17 counts of intentional damage to a protected computer and one count of obtaining information from a protected computer. He faces a maximum of 10 years in prison for each intentional damage count and up to 5 years for the information theft count.

Singla is not believed to have acted alone. According to the indictment, he was aided and abetted by others who have not been named. Singla pleaded not guilty and has been released on bond. No trial date has been set.

Criminal disruptions of hospital computer networks can have tragic consequences, said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division. The department is committed to holding accountable anyone who endangers the lives of patients by damaging computers that are essential to the work of our health care system.

This attack on a hospital not only could have had devastating consequences, but patients’ PHI was also compromised, said Special Agent in Charge Chris Hacker of the FBI’s Atlanta Field Office. The FBI and its law enforcement partners are determined to hold accountable those who allegedly put patients’ health and safety at risk while motivated by greed.

Third-Party Phishing Attack Affects Approximately 34,862 Lafourche Medical Group Patients

Lafourche Medical Group, a Louisiana urgent care operator, has notified 34,862 patients of a security breach that may have exposed some of their protected health information (PHI).

Lafourche Medical Group learned on March 30, 2021 that an external accountant had responded to a phishing email impersonating one of the group’s owners and disclosed login credentials to the attacker. The compromised credentials were then used to access the group’s Microsoft 365 environment.

A third-party IT firm assisted with the investigation and found no evidence that the group’s on-premises systems or cloud-based electronic medical record system were compromised; however, the credentials may have been used to view or obtain data in its Microsoft 365 environment, which included some patient information. Because of the size of the email system, it was not possible to determine all patient data that may have been contained in it, according to the group’s substitute breach notice.

Clinical systems were not breached; however, email had been used to communicate certain patient data for billing and other clinic purposes. The types of information commonly sent by email included names, addresses, email addresses, dates of birth, dates of service, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating provider names, and laboratory test results.

A stronger vetting process for business associates has been implemented, and a third-party IT firm was engaged to re-evaluate its systems and security controls and recommend best practices for improving data security. Several measures have already been taken, including hardening the firewall and spam and malware filters, adopting stricter password policies, enabling multi-factor authentication for mobile access, and retraining staff on cybersecurity, social engineering, and phishing. Since the credentials in this incident were phished, multi-factor authentication needs to cover every sign-in path into the Microsoft 365 tenant, not only mobile access; otherwise a stolen password remains usable from any device the policy does not reach.

Breach of Records at LogicGate and Hoboken Radiology

Risk and compliance company LogicGate has disclosed a security breach that may have exposed the protected health information (PHI) of 47,035 individuals.

In its breach notification letters, LogicGate explained that an unauthorized individual obtained credentials for the Amazon Web Services (AWS) storage used to hold backup files for customers of its Risk Cloud platform.

Organizations use the Risk Cloud platform to identify and manage compliance risks and to handle information privacy and security requirements. All backup files held in AWS S3 buckets are encrypted at rest; however, the attacker used the stolen credentials to decrypt data. That is the expected behavior of server-side encryption: S3 decrypts transparently for any principal whose credentials permit the object to be read, so encryption at rest protects against loss of the underlying storage, not against stolen credentials. The backups contained customer data uploaded to Risk Cloud environments before February 23, 2021. LogicGate said it did not identify any decrypt events associated with customers’ stored attachments.

It is currently unclear whether the attacker exfiltrated any customer data, and no information has been released about how the credentials were obtained.

Hoboken Radiology Notifies Patients About Potential Breach of Medical Photos and PHI

Hoboken Radiology in New Jersey has begun notifying patients of a security breach that occurred between June 2, 2019 and December 1, 2020. In a recent press release, Hoboken Radiology said it received an alert on November 3, 2020 about suspicious activity on its medical imaging server.

Third-party cybersecurity specialists were engaged to investigate the incident and determine whether any patient data had been obtained by unauthorized individuals. The investigation is ongoing, but it has been confirmed that there were suspicious connections from an external source during the period above. The affected server contained patient information that could potentially have been viewed or obtained by unauthorized persons.

A review of the files on the server confirmed they contained patient data including names, genders, dates of birth, treatment dates, referring physician names, patient ID numbers, accession numbers, medical images, and descriptions of those images. No Social Security numbers, payment card data, financial information, or health insurance data were compromised.

Although unauthorized access to the server was confirmed, no evidence was found of actual or attempted misuse of patient information. Policies, procedures, and processes governing the storage of and access to personal records are being reviewed and will be updated to better protect patient records going forward.

Hoboken Radiology has reported the breach to the appropriate authorities, but it has not yet appeared on the HHS Office for Civil Rights breach portal, so the exact number of affected individuals is not yet known.

FBI Warns About Ongoing Conti Ransomware Attacks on Healthcare Organizations and First Responders

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Flash alert warning of ongoing Conti ransomware attacks targeting healthcare providers and first responder networks. According to the FBI, the Conti gang has already attacked 16 healthcare and first responder networks in the United States.

Aside from healthcare organizations, the gang has also attempted ransomware attacks on emergency medical services, 911 dispatch centers, municipalities, and law enforcement agencies. The group is known to have attacked around 400 organizations worldwide, including, most recently, Ireland’s Department of Health (DoH) and Health Service Executive (HSE). To date it has claimed 290 victims in the United States.

Conti ransomware is believed to be operated by Wizard Spider, a Russia-based cybercrime group, as a ransomware-as-a-service (RaaS) operation. The group is known to target large organizations and has demanded ransoms of up to $25 million. The ransom demanded from each victim depends on the extent of the encryption and the victim’s perceived ability to pay.

As with most ransomware attacks today, the Conti gang exfiltrates sensitive data before encrypting files and threatens to sell or publish it if the ransom is not paid. Victims are given 8 days to pay. If a victim does not make contact, the gang reaches out within 2 to 8 days using encrypted email services such as ProtonMail or Voice over Internet Protocol (VoIP) calls to pressure the victim into paying.

Attacks typically begin with phishing emails carrying weaponized links or attachments, or with stolen Remote Desktop Protocol (RDP) credentials. The gang has used malicious Word documents with embedded PowerShell scripts, first to stage Cobalt Strike and then to drop the Emotet Trojan onto the network, which gives the attackers the access needed to deploy the ransomware payload. The group is also known to use the TrickBot Trojan. The time from initial compromise to ransomware deployment ranges from 4 days to 3 weeks, and the ransomware payload is frequently delivered as a dynamic link library (DLL).

The group uses living-off-the-land techniques and tools such as Mimikatz and Sysinternals utilities to escalate privileges and move laterally across the internal network. After encrypting files, the gang typically remains in the network and beacons out using Anchor DNS. Its remote access tools beacon to domestic and international VPS infrastructure on ports 80, 443, and 8443, and port 53 is commonly used for persistence. Indicators of ongoing activity include the creation of new accounts, use of tools such as Sysinternals, disabled security sensors, and continuous HTTP and DNS beacons.

The FBI does not encourage paying ransoms, as payment does not guarantee that data will be recovered or that stolen data will not be sold or published. The FBI asks all Conti victims to share information about the attacks, such as boundary logs showing communication with foreign IP addresses, Bitcoin wallet information, benign samples of encrypted files, and/or decryptor files.

The FBI published the following mitigations for protecting against Conti and other ransomware attacks:

  1. Regularly back up data, verify the backups, and keep backups offline or on air-gapped systems.
  2. Keep multiple copies of sensitive or proprietary data on physically separate, segmented servers that cannot be reached from the systems where the data resides.
  3. Implement network segmentation.
  4. Use multi-factor authentication.
  5. Apply patches and updates to systems, software, and firmware as soon as they are released.
  6. Use strong passwords and regularly change passwords for network systems and accounts.
  7. Disable hyperlinks in received emails.
  8. Add email banners to emails received from external sources.
  9. Regularly audit user accounts with administrative privileges.
  10. Only use secure networks and avoid using public Wi-Fi.
  11. Use a VPN for remote access.
  12. Ensure that all staff receive regular security awareness training.
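The indicators the FBI lists for ongoing Conti activity (new accounts, Sysinternals tooling, and fixed-interval HTTP/DNS beacons on ports 53, 80, 443 and 8443) are the kind of thing a small hunt script can pull out of existing telemetry. The Python below is an added example written for this page, not a tool from the FBI flash or any vendor. The `key=value` log format, the `SAMPLE_EVENTS`, the tool watchlist and the jitter threshold are all constructed assumptions; the beacon test (near-constant gaps between connections to the same destination and port) is the part worth reusing.

```python
"""Triage pass over constructed log lines for the Conti indicators named in the
FBI flash: new accounts, Sysinternals tool execution, and fixed-interval
HTTP/DNS beacons. Example code for this page, not from the FBI or any vendor."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed watchlist of post-exploitation tooling (Sysinternals, credential theft).
TOOL_WATCHLIST = {"psexec.exe", "psexec64.exe", "procdump.exe", "mimikatz.exe"}
# Ports the FBI alert associates with Conti beaconing and persistence.
BEACON_PORTS = {53, 80, 443, 8443}
MIN_BEACON_HITS = 4   # fewer connections than this is not enough to call it periodic
MAX_JITTER = 0.2      # coefficient of variation of inter-arrival gaps; assumed threshold

# Constructed sample events: (seconds since start, source, key=value text).
# Not real telemetry. Ordinary traffic to 192.0.2.50 has irregular gaps; the
# every-60-seconds connections to 203.0.113.10:443 mimic a C2 beacon.
SAMPLE_EVENTS = [
    (0,   "edr", 'host=WS01 proc=winword.exe cmd="WINWORD.EXE /n invoice.docm"'),
    (5,   "edr", 'host=WS01 proc=powershell.exe cmd="powershell -enc SQBFAFgA"'),
    (10,  "fw",  "host=WS01 dst=192.0.2.50 dport=443"),
    (15,  "fw",  "host=WS01 dst=192.0.2.50 dport=443"),
    (60,  "fw",  "host=WS01 dst=203.0.113.10 dport=443"),
    (120, "fw",  "host=WS01 dst=203.0.113.10 dport=443"),
    (181, "fw",  "host=WS01 dst=203.0.113.10 dport=443"),
    (240, "fw",  "host=WS01 dst=203.0.113.10 dport=443"),
    (300, "fw",  "host=WS01 dst=203.0.113.10 dport=443"),
    (310, "win", "EventID=4720 host=DC01 target=svc_backup2 subject=jdoe"),
    (320, "edr", r'host=WS01 proc=PsExec.exe cmd="psexec \\DC01 -s cmd.exe"'),
    (330, "fw",  "host=WS01 dst=198.51.100.7 dport=80"),
    (400, "fw",  "host=WS01 dst=192.0.2.50 dport=443"),
    (410, "fw",  "host=WS01 dst=192.0.2.50 dport=443"),
    (900, "fw",  "host=WS01 dst=192.0.2.50 dport=443"),
    (910, "fw",  "host=WS01 dst=198.51.100.7 dport=80"),
]


def parse_kv(line):
    """Parse 'key=value' pairs; values may be double-quoted (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def new_accounts(events):
    """Windows Security event 4720 = 'A user account was created'."""
    hits = []
    for ts, src, line in events:
        f = parse_kv(line)
        if src == "win" and f.get("EventID") == "4720":
            hits.append((ts, f["host"], f["target"], f["subject"]))
    return hits


def watchlisted_tools(events):
    """Process starts whose image name is on the tooling watchlist."""
    hits = []
    for ts, src, line in events:
        f = parse_kv(line)
        if src == "edr" and f.get("proc", "").lower() in TOOL_WATCHLIST:
            hits.append((ts, f["host"], f["proc"], f.get("cmd", "")))
    return hits


def beacons(events):
    """Flag (host, dst, port) flows on beacon ports whose connection gaps are
    near-constant: low coefficient of variation means a timer, not a human."""
    by_flow = defaultdict(list)
    for ts, src, line in events:
        f = parse_kv(line)
        if src == "fw" and int(f.get("dport", 0)) in BEACON_PORTS:
            by_flow[(f["host"], f["dst"], int(f["dport"]))].append(ts)
    found = []
    for flow, stamps in by_flow.items():
        if len(stamps) < MIN_BEACON_HITS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= MAX_JITTER:
            found.append((*flow, round(mean(gaps), 1), round(cv, 3)))
    return found


def triage(events=SAMPLE_EVENTS):
    """Run all three checks and return the findings keyed by indicator type."""
    return {
        "new_accounts": new_accounts(events),
        "tools": watchlisted_tools(events),
        "beacons": beacons(events),
    }


if __name__ == "__main__":
    for kind, findings in triage().items():
        print(kind)
        for item in findings:
            print("  ", item)
```

On the sample data the script reports the 4720 account creation on DC01, the PsExec launch, and the 203.0.113.10:443 flow with a 60-second mean gap, while the irregular traffic to 192.0.2.50 and the two isolated hits on 198.51.100.7 are left alone. In a real environment the same logic would run over firewall or proxy exports and DNS resolver logs, with the watchlist and jitter threshold tuned to local baselines.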

Michigan Man Charged With Theft and Sale of PII of UPMC Workers

A Michigan man has pleaded guilty to hacking into the human resources databases of the University of Pittsburgh Medical Center (UPMC) in 2013 and 2014 and stealing the personally identifiable information (PII) and W-2 data of 65,000 UPMC employees.

Justin Sean Johnson, 30, of Detroit, MI, was a Federal Emergency Management Agency (FEMA) IT specialist known on darknet forums as TheDearthStar and Dearthy Star. After six years of hacking and selling stolen data, Johnson was indicted by a federal grand jury in Pittsburgh and arrested on charges of aggravated identity theft, conspiracy, and wire fraud.

Johnson first hacked into UPMC’s Oracle PeopleSoft HR database in December 2013 and accessed the PII of 23,500 UPMC employees. Between January and February 2014, he accessed the database several times a day and downloaded PII. Johnson then sold the stolen data on darknet marketplaces such as AlphaBay to criminals who used it in 2014 to file numerous fraudulent 1040 tax returns.

According to a Department of Justice press release, the scheme resulted in approximately $1.7 million in fraudulent tax refunds being paid by the IRS. The refunds were converted into Amazon.com gift cards that were used to buy high-value goods, which were shipped to Venezuela. Johnson was paid around $8,000 in Bitcoin for the stolen UPMC employee data.

In addition to stealing and selling UPMC employee PII, between 2014 and 2017 Johnson stole and sold around 90,000 other sets of PII on darknet forums. That data was subsequently used for identity theft and bank fraud.

Johnson recently pleaded guilty to two counts of a 43-count indictment and is awaiting sentencing. He faces up to 5 years in prison and a fine of up to $250,000 on the conspiracy count, plus a mandatory consecutive 24 months in prison and a fine of up to $250,000 for aggravated identity theft.

U.S. Secret Service Special Agent in Charge Timothy Burke said the healthcare industry has become an attractive target for hackers seeking to steal personal information and use it for fraud, and that the Secret Service is committed to detecting and arresting those who commit crimes against the Nation’s critical systems for personal gain.

Three other people have pleaded guilty to offenses connected with the scheme. Maritza Maxima Soler Nodarse of Venezuela pleaded guilty in 2017 to conspiracy to defraud the United States in connection with the filing of false tax returns. Yoandy Perez Llanes of Cuba pleaded guilty in 2017 to laundering the proceeds through the purchase of Amazon.com gift cards. Justin A. Tollefson of Spanaway, WA pleaded guilty in 2017 to using stolen identities to file false income tax returns.

CISA Publishes Guidance on Expelling Attackers from Systems After the SolarWinds Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has released guidance on evicting threat actors from systems compromised in the SolarWinds Orion supply chain attacks, including the follow-on compromises of Active Directory and M365 environments.

The attacks have been attributed to threat actors associated with the Russian Foreign Intelligence Service (SVR). After gaining network access via the SolarWinds Orion update process, the threat actor selected targets of interest for further compromise, bypassed multi-factor authentication solutions, and moved laterally into Microsoft 365 environments by compromising federated identity solutions. Many of the targets selected for further compromise were government agencies and critical infrastructure companies, although private sector companies may also have experienced more extensive compromises.

The guidance applies to evicting threats from on-premises and cloud environments and comprises a 3-phase remediation strategy. CISA notes that each compromise is unique to the victim, so careful thought must be given to each step and the guidance tailored to the specific environment of each breached organization to ensure success.

All three phases are necessary to fully evict an attacker from on-premises or cloud environments, so no shortcuts should be taken. Failure to follow all steps can result in extensive, long-term undetected Advanced Persistent Threat (APT) activity, prolonged data theft, and erosion of public trust in the victims.

The guidance provides the strategy for evicting attackers from a network but does not provide precise details of the steps that must be taken.

Any attempt to evict an adversary requires a pre-eviction phase, an eviction phase, and a post-eviction phase. The pre-eviction phase involves confirming the tactics, techniques, and procedures (TTPs) associated with the attacks and thoroughly determining the true extent of the compromise. During remediation, action will be taken to strengthen security and build more resilient systems; however, the eviction process is difficult, labor-intensive, and will require enterprise networks to be disconnected from the internet for 3-5 days.

A full risk assessment should be performed before any eviction attempt to understand the likely impact on critical business functions. Business processes are likely to be disrupted, so it is important that remediation efforts are properly planned, the impact on the business is fully understood, and adequate resources are provided to minimize disruption.

After completing all eviction steps, organizations enter the post-eviction phase, which involves validating that the attacker has been evicted. This phase includes consolidating detection components, configuring endpoint forensics and detection tools for aggressive collection, and maintaining vigilance, with these actions continued over the 60 days following completion of the eviction phase.

Prolonged vigilance is essential because this threat actor has shown extraordinary persistence with follow-on activity.

CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise is available on this page.

CaptureRx Ransomware Attack Impacts Multiple Healthcare Provider Clients

CaptureRx, a San Antonio, TX-based provider of 340B administrative services to healthcare organizations, has reported a ransomware attack in which files containing its clients’ patients’ protected health information (PHI) were stolen.

The provider discovered the security incident on February 19, 2021. A breach investigation confirmed that unauthorized persons obtained access to patient files containing sensitive data on February 6, 2021. CaptureRx then analyzed the stolen files, completing that review on March 19, 2021, and sent breach notifications to the affected healthcare clients between March 30 and April 7, 2021.

Since the attack, CaptureRx has worked with the affected healthcare providers to notify all individuals whose data was compromised. The attackers potentially accessed the following types of data: names, birth dates, and prescription records. For some patients, medical record numbers were also affected.

CaptureRx had security measures in place to protect the privacy of healthcare data, but the attackers still circumvented them. Following the attack, the provider reviewed and enhanced its policies and procedures, and employees received additional training to reduce the likelihood of further security breaches.

It is currently unclear how many of CaptureRx’s healthcare clients were affected, or the total number of individuals impacted by the breach. The breach affected the following medical providers:

  • Thrifty Drug Stores (Thrifty White): an undetermined number of patients at this time.
  • Faxton St. Luke’s Healthcare in New York, an affiliate of Mohawk Valley Health System: 17,655 patients.
  • Gifford Health Care in Randolph, VT: 6,777 patients.

CaptureRx said the breach investigation found no evidence of actual or attempted misuse of the stolen information; even so, affected individuals are advised to monitor their accounts and explanation of benefits statements for fraudulent transactions.

Network Intrusions and Ransomware Attacks Catch Up With Phishing as Primary Breach Cause

Network intrusion incidents have overtaken phishing as the leading cause of healthcare data security incidents; phishing had been the primary cause of data breaches for the previous 5 years.

In 2020, 58% of the security incidents handled by BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group were network intrusions, most frequently involving ransomware.

This is the 7th consecutive year that BakerHostetler has published its Data Security Incident Response (DSIR) Report. The 2021 report provides insight into the current threat landscape and offers risk mitigation and breach response intelligence to help organizations better defend against attacks and improve their incident response. The report is based on more than 1,250 data security incidents handled by the firm in 2020, including many attacks on healthcare organizations and their vendors.

Ransomware attacks are now the preferred attack method of many cybercriminal groups and have proven highly profitable. By exfiltrating data before encrypting it, attackers force victims to pay not only to recover their files but also to prevent the publication or sale of sensitive data. This double extortion technique has been very successful, and data exfiltration prior to file encryption is now expected. Throughout 2020, ransomware attacks continued to increase in both frequency and severity.

BakerHostetler reports that ransom demands and the amounts paid rose significantly in 2020, as did the number of threat groups/ransomware variants used in attacks. There were just 15 in 2019; last year the number had risen to 75.

Of all the cases examined and tracked by BakerHostetler in 2020, the largest ransom demand was for more than $65 million. In 2019, the largest ransom demand reported was $18 million. Payments are frequently made to speed up recovery, ensure data recovery, and prevent the sale or exposure of data. In 2020, the largest ransom paid was over $15 million, up from just over $5 million in 2019, and the average ransom payment more than doubled, from $303,539 in 2019 to $797,620 in 2020.

In healthcare, the average and median initial ransom demands were $4,583,090 and $1.6 million, respectively. The average and median payments were $910,335 and $332,330, respectively. The average and median numbers of individuals affected were 39,180 and 1,270, respectively. The average time to acceptable data recovery was 4.1 days. The average and median cost of the forensic investigation were $58,963 and $25,000, respectively.

Across all industry sectors, 70% of ransom notes claimed sensitive data had been stolen and 90% of investigations found some evidence of data exfiltration. 25% of cases resulted in data theft that required notifications to affected individuals. 20% of victims paid the attackers even though they could recover their data from backups.

When ransoms were paid, in 99% of cases the transaction was handled by a third party on behalf of the affected organization, and in 98% of cases a valid decryption key was provided that enabled data to be recovered. It took an average of 13 days from encryption to data recovery.

24% of all security incidents were due to phishing. Phishing attacks most often resulted in Office 365 account compromise (21%), data theft (24%), ransomware attacks (26%), and network intrusion (33%).

2020 saw a persistent spike in ransomware along with an increase in major supply chain incidents, further stretching the capacity of the incident response industry. Organizations worked to contain incidents quickly, despite difficulties in simply getting passwords changed and endpoint detection and response tools deployed to remote employees.

It is now more common for breach victims to take legal action. The trend of lawsuits being filed when breaches affect fewer than 100,000 individuals continued to grow in 2020, which is increasing the cost of data breaches. HIPAA enforcement activity also continued at elevated levels, although in 2020 most financial penalties were for HIPAA Right of Access violations rather than security breaches.

PHI Exposed Because of Cyberattacks on HME Specialists and Sapphire Community Health

HME Specialists LLC, dba Home Medical Equipment Holdco, experienced an email security breach that resulted in the potential exposure of the protected health information (PHI) of 153,013 individuals.

HME Specialists identified suspicious activity in its email system, immediately secured the affected email accounts, and engaged a third-party cybersecurity firm to conduct a forensic investigation to determine the nature and scope of the breach. The firm determined on March 11, 2021 that several compromised email accounts contained PHI and that unauthorized individuals had access to the accounts between June 24 and July 14, 2020.

The accounts contained information including names, birth dates, medical diagnoses and/or other clinical information, along with some driver’s license numbers, credit card numbers, account information, usernames, passwords, and Social Security numbers. No specific evidence was found to indicate that the attacker obtained or misused any information in the compromised accounts.

HME Specialists mailed notifications to affected individuals for whom it had a current address on file and advised them to monitor their financial accounts and explanation of benefits statements for fraudulent transactions. Individuals whose Social Security numbers were compromised have been offered free credit monitoring services.

Additional technical safeguards, such as multi-factor authentication, have been implemented for employee email accounts, and employees have received further training to raise awareness of the risks of malicious emails.

Ransomware Attack on Sapphire Community Health

Sapphire Community Health in Hamilton, MT suffered a ransomware attack that resulted in the potential exposure of the PHI of 4,000 patients. The provider discovered the attack on February 18, 2021 when employees were unable to access files. To contain the incident, the provider shut down its data systems and carried out the appropriate scanning and recovery measures.

The breach did not affect the medical record system, but several of the encrypted files contained patient data such as names, birth dates, and addresses. A small number of individuals also had their financial account information and/or Social Security numbers exposed.

Investigators found no evidence indicating that any patient information was exfiltrated prior to the ransomware deployment. The provider has sent breach notifications to all affected individuals and has implemented additional security measures to prevent further attacks.

NSA/CISA/FBI: Patch Immediately to Avoid Russian Government Hackers Exploiting These 5 Vulnerabilities

Tension between Russia and the United States is growing due to ongoing cyberattacks on public and private sector organizations and the U.S. government by Russian government hackers. The National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have issued a joint alert warning about ongoing exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR).

The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) group, also known as APT29/The Dukes, which is linked to the SVR. The group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to obtain credentials that allow further access to devices and networks for espionage. The FBI, NSA, and CISA have shared details of five software vulnerabilities that the SVR continues to exploit successfully to gain access to networks and devices.

The FBI, NSA, and CISA have previously provided mitigations that can be applied to protect against exploitation of these vulnerabilities, and patches are available to fix all of them. Although many organizations have now patched the vulnerabilities, they may already have been exploited and systems compromised. Steps should be taken to determine whether systems were breached and, if so, to mitigate the loss of sensitive information that could give Russia a strategic or competitive advantage.

The SVR hackers have commonly exploited the following 5 software vulnerabilities:

1. CVE-2018-13379 affects Fortinet FortiGate VPNs. Unauthenticated attackers can obtain system files via HTTP resource requests. The affected versions are Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12.

2. CVE-2019-9670 affects the Synacor Zimbra Collaboration Suite. It is an XML External Entity injection (XXE) vulnerability. The affected versions are 8.7.x before 8.7.11p10.

3. CVE-2019-11510 affects Pulse Secure VPNs. An unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read. The affected versions are PCS 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.

4. CVE-2019-19781 affects Citrix Application Delivery Controller and Gateway. This directory traversal vulnerability allows an unauthenticated attacker to execute arbitrary code. The affected versions are Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12, and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.

5. CVE-2020-4006 affects VMware Workspace One Access. This command injection vulnerability allows an attacker with a valid password to execute commands with unrestricted privileges on the underlying operating system. The affected versions are VMware Identity Manager 3.3.1 – 3.3.3 on Linux, VMware Workspace One Access 20.01 and 20.10 on Linux, VMware Identity Manager Connector 3.3.1 – 3.3.3 and 19.03, VMware vRealize Suite Lifecycle Manager 8.x, and VMware Cloud Foundation 4.0 – 4.1.

“NSA, CISA, and FBI strongly urge all cybersecurity stakeholders to examine their networks for signs of compromise associated with all five vulnerabilities and the strategies mentioned in the alert and to urgently carry out proper mitigations,” the alert states.
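One defender-side way to act on the five affected-version lists above is to check an asset inventory against them. The following Python script is an added example, not code from the advisory or from any of the vendors: it encodes the version ranges exactly as listed in this summary, while the product labels, the sample inventory rows, and the version-ordering rule are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Affected version ranges transcribed from the five-vulnerability list above.
# Entry: (product label, lowest affected, upper bound, upper bound inclusive?).
# Product labels are my own shorthand, not names taken from the advisory.
Range = Tuple[str, str, str, bool]
AFFECTED: Dict[str, List[Range]] = {
    "CVE-2018-13379": [
        ("Fortinet FortiOS", "6.0.0", "6.0.4", True),
        ("Fortinet FortiOS", "5.6.3", "5.6.7", True),
        ("Fortinet FortiOS", "5.4.6", "5.4.12", True),
    ],
    "CVE-2019-9670": [
        ("Zimbra Collaboration Suite", "8.7", "8.7.11p10", False),  # 8.7.x before 8.7.11p10
    ],
    "CVE-2019-11510": [
        ("Pulse Connect Secure", "8.2", "8.2R12.1", False),
        ("Pulse Connect Secure", "8.3", "8.3R7.1", False),
        ("Pulse Connect Secure", "9.0", "9.0R3.4", False),
    ],
    "CVE-2019-19781": [
        ("Citrix ADC/Gateway", "13.0", "13.0.47.24", False),
        ("Citrix ADC/Gateway", "12.1", "12.1.55.18", False),
        ("Citrix ADC/Gateway", "12.0", "12.0.63.13", False),
        ("Citrix ADC/Gateway", "11.1", "11.1.63.15", False),
        ("Citrix ADC/Gateway", "10.5", "10.5.70.12", False),
    ],
    "CVE-2020-4006": [
        ("VMware Identity Manager", "3.3.1", "3.3.3", True),
        ("VMware Workspace One Access", "20.01", "20.01", True),
        ("VMware Workspace One Access", "20.10", "20.10", True),
        ("VMware Identity Manager Connector", "3.3.1", "3.3.3", True),
        ("VMware Identity Manager Connector", "19.03", "19.03", True),
        ("VMware vRealize Suite Lifecycle Manager", "8", "9", False),  # 8.x
        ("VMware Cloud Foundation", "4.0", "4.1", True),
    ],
}


def version_key(version: str) -> tuple:
    """Turn a vendor version string into a comparable tuple.

    Numeric runs compare as integers and alphabetic runs (the 'R' in
    Pulse's 8.2R12.1, the 'p' in Zimbra's 8.7.11p10) as lower-case text,
    so '8.2R11' < '8.2R12.1' and '8.7.11' < '8.7.11p10' < '8.7.12'.
    A version that is a prefix of another sorts before it; that this
    matches each vendor's own ordering is an assumption of this example.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def in_range(version: str, lo: str, hi: str, hi_inclusive: bool) -> bool:
    """True when lo <= version <= hi (or < hi for 'before X' ranges)."""
    v, low, high = version_key(version), version_key(lo), version_key(hi)
    if v < low:
        return False
    return v <= high if hi_inclusive else v < high


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVE ids whose listed ranges contain this product/version."""
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(p == product and in_range(version, lo, hi, inc)
               for p, lo, hi, inc in ranges):
            hits.append(cve)
    return hits


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (host, product, version) inventory rows to (host, CVE) findings."""
    return [(host, cve)
            for host, product, version in inventory
            for cve in affected_cves(product, version)]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-edge-1", "Fortinet FortiOS", "6.0.4"),      # last build in the listed range
    ("vpn-edge-2", "Fortinet FortiOS", "6.0.5"),      # first build past the listed range
    ("pcs-gw", "Pulse Connect Secure", "8.3R7"),
    ("mail-1", "Zimbra Collaboration Suite", "8.7.11p9"),
    ("adc-1", "Citrix ADC/Gateway", "12.1.55.18"),    # exactly the fixed build
    ("idm-1", "VMware Identity Manager", "3.3.2"),
]

if __name__ == "__main__":
    for host, cve in triage(SAMPLE_INVENTORY):
        print(f"{host}: matches listed affected range for {cve}")
```

A version that falls outside every listed range is only "not in this summary's list", not confirmed patched; confirm against the vendor's advisory before closing the finding.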

Official Association of SolarWinds Orion Supply Chain Attack

The United States government has also formally accused the Russian government of planning and carrying out the massive SolarWinds Orion supply chain attack, which gave the SVR access to around 18,000 computers worldwide and enabled more extensive attacks on cybersecurity companies in the United States and allied countries, including Malwarebytes, FireEye, and Mimecast, and on U.S. federal agencies. Russia has also been formally accused of involvement in activities intended to interfere with the U.S. presidential election in November 2020.

Sanctions Enforced on Russia by President Biden

President Biden has signed an executive order blocking property and imposing new restrictions on Russia’s sovereign debt to make it harder for the Russian government to raise money. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken action against 16 entities and 16 individuals for their role in the campaign, directed by the Russian government, to influence the 2020 U.S. presidential election.

All property and interests in property of those entities and individuals subject to U.S. jurisdiction have been blocked, and the entities and individuals have been added to OFAC’s SDN list. U.S. persons are prohibited from dealing with them. The sanctioned Russian technology companies are Neobit, SVA, AST, Pasit, Positive Technologies, and ERA Technologies.

VMware Patches High Severity Vulnerabilities Identified in vRealize Operations, Cloud Foundation and vRealize Suite Lifecycle Manager

VMware has released patches to fix two high severity vulnerabilities affecting vRealize Operations, its AI-powered IT operations management platform for private, hybrid, and multi-cloud environments. The vulnerabilities also affect two of its other products: vRealize Suite Lifecycle Manager and VMware Cloud Foundation.

The first vulnerability, CVE-2021-21975, is a server-side request forgery (SSRF) vulnerability that a remote attacker could exploit to abuse the functionality of the server and gain access to or manipulate data that should not be directly accessible. An attacker could exploit the vulnerability by sending a specially crafted request to a vulnerable vRealize Operations Manager API endpoint, allowing the attacker to steal administrative credentials. The vulnerability has been assigned a CVSS score of 8.6 out of 10.

The second vulnerability, also in the vRealize Operations Manager API, is tracked as CVE-2021-21983 and is an arbitrary file write vulnerability with a CVSS score of 7.2 out of 10. An attacker could exploit it to write files to the underlying Photon operating system; however, the attacker must first hold administrative credentials in order to authenticate and exploit the vulnerability.

The problem is that the two vulnerabilities can be chained, allowing an attacker to execute arbitrary code remotely on the vRealize Operations system. To exploit the vulnerabilities, the attacker needs network access to the vRealize Operations Manager API.

VMware has fixed the vulnerabilities in vRealize Operations Manager versions 7.5.0 to 8.3.0. Users of vRealize Operations are advised to update to a patched version of the platform immediately to prevent exploitation of the vulnerabilities.

If a prompt update is not possible, VMware has provided a workaround that involves editing the casa-security-context.xml file, removing a configuration line, and then restarting the CaSA service on the affected device. The vulnerabilities were identified by Igor Dimitenko of the security company Positive Technologies.

Hacker of Verkada Security Camera Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft

The U.S. government has indicted the Swiss hacktivist who gained access to the surveillance cameras of California startup Verkada in March 2021 for computer crimes spanning from 2019 to the present. The charges include obtaining and publicly disclosing source code and proprietary information of corporate and government victims in and outside the United States.

Till Kottmann, 21, also known as ‘tillie crimew’ and ‘deletescape’, lives in Lucerne, Switzerland, and is a member of a hacking collective called APT 69420 / Arson Cats. Kottmann recently admitted to gaining access to the Verkada security cameras used by many large corporations, including Tesla, Cloudflare, Okta, and Nissan, as well as educational institutions, correctional facilities, and hospitals. Kottmann accessed live security camera streams and archived video footage between March 7 and March 9, 2021, and published screenshots and videos online.

Ethical hackers typically exploit vulnerabilities and access systems in order to get the vulnerabilities fixed before malicious actors can exploit them. They report the vulnerabilities to the affected organizations, and steps are taken to resolve the security issues before the details are publicly disclosed. In Kottmann’s case, responsible disclosure procedures were not followed: sensitive data obtained from victims’ networks was publicly disclosed, and the breached organizations were not promptly notified before the stolen information was released.

On March 18, 2021, a grand jury in the Western District of Washington indicted Kottmann on a number of counts related to computer intrusions and identity and data theft from 2019 to the present. The indictment includes one count of aggravated identity theft, one count of conspiracy to commit computer fraud and abuse, several counts of wire fraud, and one count of conspiracy to commit wire fraud.

Conspiracy to commit computer fraud and abuse carries a maximum prison term of 5 years, the wire fraud and conspiracy to commit wire fraud charges carry a maximum prison term of 20 years, and the aggravated identity theft charge carries a mandatory 24-month prison term that runs consecutively to any other sentence.

According to the indictment, Kottmann and co-conspirators accessed the computer systems of more than 100 corporations and government agencies and published the stolen data on the Internet. Kottmann frequently targeted git and other source code repositories, copying source code, files, and other confidential data, which often included access credentials, hard-coded secrets, and other means of gaining access to corporate networks. The stolen information was used for further attacks, typically cloning more data from victims’ networks before publishing the stolen information on the web.

The indictment states that Kottmann spoke with the press and posted on social media about these activities in order to recruit others, expand the hacking activity, and build a reputation in the hacking community.

The FBI’s cyber task force led the investigation. After Swiss law enforcement executed a search warrant at Kottmann’s home in Lucerne on March 12, 2021, the FBI was able to seize computer equipment. The FBI has also recently seized a domain that Kottmann controlled and used to publish stolen data.

Stealing credentials and data and publishing source code and private, sensitive information online can increase the risk to everyone, from large corporations to individual consumers.

AllyAlign Health Ransomware Attack Impacts Tens of Thousands of People

AllyAlign Health, a Glen Allen, VA-based provider of Medicare Advantage health plan management services, has begun notifying members and providers about a ransomware attack that occurred on November 13, 2020.

According to the breach notification letters received by affected individuals, AllyAlign Health first learned of the attack on November 14, 2020. The investigation determined that the attackers accessed systems containing members’ information such as first and last names, birth dates, addresses, Social Security numbers, Medicare beneficiary identifiers, Medicare health insurance claim numbers, medical claims histories, health insurance policy numbers, and other medical data.

Healthcare providers affected by the breach have been notified that names, addresses, birth dates, Council for Affordable Quality Healthcare (CAQH) credentialing data, and Social Security numbers may have been compromised.

It is unclear exactly how many people were affected by the attack. According to the breach notification submitted to the Maine Attorney General, the protected health information (PHI) of 76,348 individuals was potentially compromised. AllyAlign Health submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights indicating that 33,932 individuals were affected. The 33,932 are probably members, with the remainder being healthcare providers.

The Attorney General notification states that the breach was identified on February 2, 2021. This may be the date when the breach investigation was completed and the number of people affected became known.

AllyAlign Health said it worked immediately to address the breach and brought in IT experts to secure its network environment. Following the breach, policies and procedures were revised to address the security of its systems, servers, and data lifecycle management. Notification letters were sent to affected individuals on February 26, 2021, and credit monitoring and identity theft protection services were offered. At the time the notifications were issued, no reports had been received indicating misuse of member or provider data.

Ransomware Attacks on Ramsey County and Crisp Regional Health Services and Update on Vaccine Scheduling Application

The County Manager’s Office of Ramsey County, MN has notified 8,700 clients of its Family Health Division that unauthorized persons may have accessed some of their personal information as a result of a ransomware attack on one of its vendors, Netgain Technology LLC.

Netgain Technology LLC, based in St. Cloud, provides Ramsey County with technology services, including an application that the Family Health Division uses to document home visits. Threat actors may have viewed and downloaded data in the application prior to deploying the ransomware. The information in the application included names, birth dates, addresses, dates of service, telephone numbers, account numbers, medical information, health insurance details, and, for some individuals, Social Security numbers.

It appears that the motive behind the ransomware attack was to extort money from Netgain rather than to access personal information; however, the possibility of unauthorized access or data theft cannot be ruled out.

Ramsey County was notified of the ransomware attack on December 2, 2020, immediately stopped using Netgain’s services and application, and switched to backup processes. Netgain reported the ransomware attack to the appropriate authorities and has implemented measures to strengthen security and prevent further attacks.

Ransomware Attack at Crisp Regional Health Services

A January 27, 2020 ransomware attack on Crisp Regional Health Services in Cordele, GA forced the provider to take certain systems offline. The attack affected the hospital’s telephone system, and staff had to use radios for internal communications. Patients and their families had to use social media to get in touch with each other while the telephone system was unavailable.

Crisp Regional Health Services quickly took steps to secure its data and contain the attack. Third-party cybersecurity experts assisted with the investigation to determine the scope of the breach and whether the attackers accessed or exfiltrated patient data.

Brooke Marshall, Crisp Regional Health Services’ Director of Community Relations and Foundation, said that the attack did not disrupt workflow or compromise patient care.

The investigation is still ongoing and more information will be announced when it is available.

Vaccine Scheduling Application Vulnerability Allowed People to Skip Queue and Get Vaccination Appointments

Michigan-based Beaumont Health experienced a breach on January 30/31 affecting its Epic COVID-19 vaccine scheduling system. An unauthorized person who exploited a vulnerability in the system publicly shared an unauthorized method of booking appointments, and 2,700 people used it to book COVID-19 vaccination appointments.

Beaumont Health notified Epic of the breach on January 31, 2020 and together they addressed the issue. The appointments of the 2,700 people who made unauthorized reservations were canceled. People who met the eligibility requirements and made legitimate COVID-19 vaccination appointments were not affected.

Epic also stated that the breach did not allow any unauthorized person to access patient medical records.

VMWare Carbon Black Reviews the Status of Healthcare Cybersecurity in 2020

Throughout 2020, the healthcare sector cared for patients battling COVID-19 while simultaneously having to deal with a growing number of cyberattacks as cybercriminals stepped up their activities.

VMware Carbon Black recently conducted a retrospective review of the state of healthcare cybersecurity in 2020 that shows the extent to which the healthcare sector was targeted by cybercriminals, how attacks succeeded, and what healthcare organizations need to do to prevent cyberattacks in 2021.

VMware Carbon Black analyzed data from attacks on its healthcare customers in 2020 and identified 239.4 million attempted cyberattacks, an average of 816 attempted attacks per endpoint. That represents a 9,851% increase from 2019.

Cyberattacks on healthcare organizations increased with the pandemic. From January to February 2020, attacks on healthcare customers rose 51% and continued to increase throughout the year, peaking between September and October when attacks rose 87% month over month. The large surge in the fall was due to increased ransomware activity, as the Ryuk ransomware gang in particular stepped up attacks on the healthcare sector.

Attacks were conducted to gain access to healthcare data for identity theft and fraud. Stolen data was sold on darknet marketplaces; however, the greatest threat came from ransomware. The impact of ransomware was largely driven by affiliates. Many ransomware groups operate under the ransomware-as-a-service (RaaS) model, which makes ransomware deployment accessible to cybercriminals who previously lacked the resources to conduct such attacks. The huge potential rewards have attracted many individuals into ransomware distribution. Cybercriminals are also recruiting insiders who can provide network access in exchange for large payments or a percentage of the ransoms earned.

Double extortion tactics have also been widely adopted by ransomware gangs to increase the likelihood of victims paying, since victims pay to prevent the release of stolen data rather than just to obtain the keys to decrypt their files. A great deal of the stolen data is being sold on dark web sites, particularly stolen protected health information (PHI) and COVID-19 test results.

In 2020, many threat actors partnered, shared resources, and swapped tactics, with access to systems being passed to other threat groups to conduct their own attacks. Collaboration between threat groups is growing, and threat actors are finding new ways to gain access to systems in order to deploy their malicious payloads.

The rise in attacks throughout 2020 is unlikely to slow in 2021. In fact, attacks are likely to keep increasing.

VMware Carbon Black made three recommendations for CISOs to help them stay one step ahead of attackers. Most AV solutions focus only on the delivery stage. For greater protection, healthcare organizations should deploy next-generation antivirus software that protects against every stage of a ransomware attack, from delivery to propagation to encryption. Endpoint protection software should be chosen that can be quickly scaled and deployed to protect new users while maintaining data protection, compliance, and security procedures.

Finally, healthcare CISOs should be proactive and address vulnerabilities well before they can be exploited. This means deploying IT monitoring tools that provide full visibility into the devices connecting to the network. This will allow CISOs to track configuration drift, remediate issues promptly, and ensure all devices are patched and secured.