657,392 Northern Light Health Foundation Donors Affected by Blackbaud Cyber Attack

Northern Light Health Foundation, part of the 10-hospital integrated healthcare system based in Brewer, ME, has stated that the recent ransomware attack on Blackbaud Inc. affected its databases.

The affected databases contained the information of donors, prospective donors, and people who may have joined a fundraising event previously. Patient medical data were stored separately and were not impacted. The databases included information about 657,392 individuals.

Blackbaud, based in South Carolina, is one of the world’s largest providers of education, fundraising, administration, and financial management software. A firm as large as Blackbaud is an obvious target for cybercriminals. Blackbaud said it experiences hundreds of attacks per month and that its cybersecurity staff defends against them effectively, but in May 2020 one attack succeeded.

The ransomware attack could have been far worse. Blackbaud discovered the attack quickly and took action to contain it, stopping the ransomware from fully encrypting its records; only a subset of the firm’s 25,000+ clients was affected. The attack did not reach its cloud environment, and the bulk of its self-hosted environment was unaffected.

As is now typical in manual ransomware attacks, the attackers exfiltrated data before encrypting files. Blackbaud stated in a breach notice that the attackers copied only a subset of data and did not steal highly sensitive information such as bank account information, Social Security numbers, and credit card information.

Because safeguarding customers’ information is Blackbaud’s main priority, the firm paid the cybercriminal’s ransom demand in return for assurances that the copied information would be deleted. Based on the findings of the investigation, Blackbaud believes the cybercriminal no longer holds the information and will not misuse, disseminate, or make it publicly available.

It is presently uncertain how many Blackbaud clients were impacted by the ransomware attack. Northern Light Health Foundation stated in its breach notice that it was impacted. A number of other healthcare companies in Maine stated the same. Other healthcare companies identified to have been impacted were the Cancer Research Institute based in New York City and the Prostate Cancer Foundation based in Santa Monica, CA.

The BBC reports that at least 10 universities in the UK, Canada, and the US were affected, including Emerson College in Boston, Rhode Island School of Design, and Harvard University, along with charities, media companies, and a number of private-sector firms. Although the attack took place in May 2020, affected clients were not notified until July 16, 2020. It is not clear why notification was delayed, particularly since many of those clients are based in the EU. The EU General Data Protection Regulation (GDPR) requires data protection authorities to be notified within 72 hours of a breach. Data controllers must likewise be informed promptly.

NIST Makes Available Final Guidance on Building Zero Trust Architecture to Enhance Cybersecurity Defenses

NIST has released the final version of its zero trust architecture guidance (SP 800-207) to help private companies apply this cybersecurity principle and improve their security posture.

Zero trust is a concept that shifts defenses from static, network-based perimeters to a focus on users, assets, and resources. Under zero trust, assets and user accounts are never implicitly trusted based on their physical or network location or on asset ownership. With the zero trust approach, authentication and authorization are discrete functions performed on subjects and devices before a session with an enterprise resource is established.

Requiring credentials to access resources has been a useful precaution against unauthorized access; however, credential theft, for example through phishing campaigns, is now commonplace, so cybersecurity defenses must change to better protect resources, workflows, services, and network accounts from cyberattacks.

Threat actors commonly steal credentials and use them to access business networks unnoticed. They frequently have access to networks for days, weeks, or months before an attack is discovered, during which time they can move laterally and compromise the whole environment. The rise in remote work, bring your own device initiatives, and the use of web-based tools outside the traditional network boundary has made the traditional perimeter-based approach to network protection less effective.

A zero trust architecture helps to resolve these problems and strengthen cybersecurity defenses. According to NIST, zero trust focuses on protecting resources (assets, services, workflows, system accounts, etc.), since network location is no longer seen as the primary component of a resource’s security posture.

The guidance document gives an abstract definition of zero trust architecture (ZTA), discusses zero trust fundamentals and the logical components of a zero trust architecture, and includes general deployment models and use cases where the zero trust approach could improve a company’s IT security posture.

NIST explains in the guidance how the zero trust model can be combined with the NIST Risk Management Framework, the NIST Privacy Framework, and other established federal guidance, and describes how companies could move to a zero trust architecture.

As a first step, companies should restrict resource access to the people who need it to perform their job responsibilities and grant only the minimum privileges required, such as read, write, or delete. In many companies with perimeter-based security, people have access to a much wider range of resources once they are authenticated and signed in to an internal system. The problem with this approach is that unauthorized lateral movement is very easy for internal or external actors using stolen credentials.

The zero trust security model assumes that an attacker is already present in the environment, so there is no implicit trust. Enterprise networks are treated the same way as non-enterprise networks. With the zero trust approach, organizations continuously evaluate and analyze risks to assets and business functions and then enact protections to mitigate those risks.

Moving to zero trust is not a wholesale replacement of systems or processes; it is a journey that involves gradually introducing zero trust concepts, processes, technology solutions, and workflows, beginning with the protection of the highest-value assets. Most companies will remain in a hybrid zero trust and perimeter-based environment for some time as they carry out their IT modernization strategy and fully move to a zero trust architecture.

The guidance is the result of work by a number of federal agencies and was overseen by the Federal CIO Council. It was written for enterprise security architects and is also a useful reference for cybersecurity professionals, network administrators, and managers seeking a better understanding of zero trust.

The document is downloadable at NIST.

Healthcare Data Breach Costs Increase by 10% As Per IBM Security

IBM Security has published its 2020 Cost of a Data Breach Report, which shows a 1.5% decrease in the global cost of data breaches, from $3.92 million per breach in 2019 to $3.89 million.

Data breach costs varied significantly across regions and industry sectors. Businesses in the United States faced the highest costs, with an average breach costing $8.64 million, up 5.5% from 2019.

COVID-19 Expected to Raise Data Breach Costs

This is the 15th year IBM Security has conducted the research. The study was carried out by the Ponemon Institute and drew on data from 524 breached organizations and interviews with 3,200 people across 17 countries and regions and 17 industries. Research for the study was performed between August 2019 and April 2020.

Most of the research was performed before the COVID-19 outbreak, which is likely to affect data breach costs. To examine how COVID-19 will affect those costs, the Ponemon Institute recontacted research participants to ask for their views. 76% of participants believed the rise in remote working would increase the time it takes to identify and contain a data breach, and 70% said remote working could raise data breach costs. The average increase in data breach cost attributable to COVID-19 was determined to be $137,000.

Healthcare Data Breaches are the Most Expensive

Healthcare data breaches were the most expensive to deal with. The average cost of a healthcare data breach is $7.13 million globally and $8.6 million in the U.S.A. While the overall cost of data breaches fell across all regions and industries, healthcare data breach costs rose by 10.5% year-over-year.

The global average cost per breached record is $146, rising to $150 per record when PII was breached and to $175 per record when PII was breached in a malicious attack.

The average time to identify and contain a breach is 280 days, but it takes 315 days to identify and contain a malicious attack, each one day longer than in 2019. In the U.S.A., it takes an average of 186 days to identify a data breach and 51 days to contain a malicious attack. The healthcare sector took the longest, 236 days to identify a breach and 93 days to contain it, for a total of 329 days.

The costs of a data breach are spread over several years, with 61% of costs incurred in the first year, 24% in the second year, and 15% in the third year and beyond. In heavily regulated industries such as healthcare, the figures were 44% (first year), 32% (second year), and 21% (third year and beyond).

For the third year running, IBM Security calculated the costs of mega breaches, those affecting more than 1 million records. A breach affecting 1 million to 10 million records costs an average of $50 million, a breach affecting 10 million to 20 million records costs $176 million on average, and a breach affecting 50 million records costs $392 million.

Most Prevalent Reasons for Malicious Data Breaches

  • 19% of breaches were malicious attacks resulting mostly from cloud misconfigurations and compromised credentials.
  • 16% of breaches were due to vulnerabilities in third-party software.
  • 14% were the result of phishing.
  • 10% were due to physical security compromises.
  • 7% were the result of malicious insiders.
  • 6% were attributable to system errors and other misconfigurations.
  • 5% were caused by business email compromise attacks.

Breaches involving compromised credentials were the most expensive. Breaches caused by vulnerabilities in third-party software and cloud misconfigurations were the second most costly.

Of all the attacks, 53% were financially motivated, 13% were attributed to nation-state hacking groups, and 13% to hacktivists. The attackers behind 21% of breaches were unknown. Financially motivated attacks were the least expensive, with a global average cost of $4.23 million, and the most expensive were attacks by nation-state hackers, at $4.43 million on average. The average cost of a malicious attack was $4.27 million. Destructive breaches involving ransomware cost $4.4 million on average, and those involving destructive malware, including wipers, cost $4.52 million on average.

50% of data breaches in the healthcare industry were the result of malicious attacks, 23% were caused by system glitches, and 27% were the result of human error.

Research Shows COVID-19 Research Organizations are Vulnerable to Cyberattacks

The biomedical community is working intensively to create a vaccine against SARS-CoV-2 and to find new treatments for COVID-19. Cybercriminal groups and nation-state hackers are focusing their campaigns on those organizations to obtain research data.

Recently, security agencies in Canada, the United States, and the United Kingdom published an advisory about attacks by Russian state-sponsored hackers on institutions engaged in COVID-19 research and vaccine development. The agencies found that the APT29 Russian hacking group was actively scanning the external IP addresses of organizations engaged in COVID-19 research and vaccine development. The advisory also stated that the group is linked to Russian intelligence services.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the FBI also released a joint advisory stating that hackers associated with China were conducting similar attacks on pharmaceutical firms and academic research centers to obtain intellectual property and sensitive information related to COVID-19. There have also been reports of Iranian hackers carrying out similar attacks.

In light of these attacks on research centers, BitSight conducted an investigation to assess how well COVID-19 vaccine producers and biomedical firms are able to protect their systems and data from hackers. BitSight researchers evaluated 17 firms that play a major role in COVID-19 research and vaccine development, ranging from small companies with fewer than 200 employees to large companies with more than 200,000 employees.

BitSight discovered a number of security weaknesses that hackers could exploit to access intellectual property, vaccine data, and COVID-19 research data. The weaknesses fall into four areas: open ports, web application security, unpatched vulnerabilities, and systems that were already compromised.

BitSight found that 8 of the 17 firms had compromised systems in the past year, with their computers made part of a botnet; seven firms had computers in a botnet in the last 6 months. BitSight also looked for software running on systems that the firms had not installed. Nine firms had such Potentially Unwanted Programs (PUPs) on their systems, and 8 firms had PUPs installed in the last 6 months. Five firms had computers used to send spam, and the investigators found unsolicited messages at three firms. Compromised systems indicate that the companies’ security controls have failed and that the companies may have been, or already were, breached by people seeking access to COVID-19 data.

Most firms had open ports exposing insecure services to the internet, including 7 firms with exposed Microsoft RDP and 7 more with exposed LDAP. 5 firms had exposed MySQL, MS SQL, or PostgreSQL databases, and 5 more had an exposed Telnet service. Exposed Microsoft RDP is of particular concern because hackers and ransomware groups actively scan for exposed RDP endpoints.

Of the 17 firms, 14 had unpatched vulnerabilities that hackers could potentially exploit remotely. 10 firms had more than 10 unpatched vulnerabilities, 6 of which had unpatched vulnerabilities with a CVSS score above 9.

Web application security issues were also common, for example insecure redirects from HTTPS to HTTP, mixed secure and insecure content on websites, and insecure authentication. Many of the firms had at least one web application security issue. These weaknesses expose the companies to cross-site scripting and man-in-the-middle attacks, which could allow hackers to capture sensitive information, obtain credentials, and compromise email systems.

Given these threats, the bioscience community needs to improve its cyber vigilance. A hacker could gain access to systems through a single piece of misconfigured software, an unintentionally exposed port, or a vulnerable remote office system, and obtain scientific data, intellectual property, and the personal information of clinical trial participants. Companies should review basic cybersecurity hygiene practices and adopt proven, effective methods to continuously identify and address risk exposure across the expanded attack surface and third-party environment, so that remediation is prioritized and life-saving science can continue.

10% of Ransomware Attacks Involve Data Theft Before Encryption

A number of threat actors are now conducting double extortion attacks, stealing data before deploying the ransomware payload. The first to do so was the Maze ransomware gang, which threatened to publish victims’ data if the ransom was not paid and did publish stolen data on its website in November 2019. Several other ransomware gangs have since adopted the tactic, including REvil/Sodinokibi, NetWalker, and DoppelPaymer.

These groups often deploy ransomware days, weeks, or sometimes months after the initial breach. In the meantime, the attackers move laterally to access as many systems as possible and time their attacks to cause maximum disruption. It is very likely that the systems of a number of healthcare companies are already compromised, even though ransomware has not yet been deployed.

These high-profile ransomware gangs target entities in industries that have a lot to lose from having their data published or sold, such as law firms, healthcare organizations, and companies in the financial sector. These attacks usually make headline news, but they represent only about 10% of successful ransomware attacks. Between January 1, 2020 and June 30, 2020, there were 100,001 ransomware attack submissions to ID Ransomware, and only about 11% (11,642 submissions) involved ransomware variants used by groups known to steal data before encrypting files.

Emsisoft notes, however, that although a number of ransomware gangs tell victims that their data has been stolen to increase the chances of a ransom payment, other ransomware gangs are probably stealing data quietly.

Emsisoft explained that any ransomware group could exfiltrate data. Some groups steal data and announce it to the victim as extra leverage for a ransom payment, while others probably steal it quietly. Although groups stealing quietly may not exfiltrate as much data as those seeking to use it as leverage, they could take data that clearly has market value or that could be used to attack other entities.

Preventing Ransomware and Limiting Damage

Ransomware attacks will continue as long as they remain highly profitable and relatively low risk. Healthcare companies therefore need to act to strengthen their defenses against cyberattacks. To prevent attacks and minimize the damage from successful ones, Emsisoft gives healthcare organizations the following advice:

Apply patches promptly, limit admin rights, set up multi-factor authentication, disable PowerShell when not required, use network segmentation, use web and email filtering tools, and disable RDP if it is not being used or secure it properly if it is. Workers should receive regular security awareness training. Service providers that are given access to healthcare data should be audited to ensure they are HIPAA compliant.

70% of Firms Experienced a Public Cloud Data Breach in the Last Year

A new study by Sophos found that 96% of firms are concerned about the state of their public cloud security. There appears to be good reason for that concern, as 70% of firms hosting data or workloads in the public cloud experienced a breach of their public cloud environment in the last year. The most common attacks involved malware (34%), data exposure (29%), ransomware (28%), account compromise (25%), and cryptojacking (17%).

The data came from a Vanson Bourne survey of 3,521 IT managers in 26 countries, including Canada, the United States, France, India, Germany, and the United Kingdom, representing more than 10 industry sectors. Participants used at least one public cloud from Azure, AWS, VMware Cloud on AWS, Oracle Cloud, Alibaba Cloud, IBM Cloud, or Google Cloud. Sophos published the results in a report entitled The State of Cloud Security 2020.

The three main areas of concern were detection and response, data loss, and multi-cloud management. Firms using two or more public cloud providers experienced more security breaches than firms with a single provider, up to twice as many.

India had the highest proportion (93%) of companies that experienced a cloud security breach, and Italy the lowest (45%). In the United States, 68% of companies experienced a public cloud data breach in the last year. Sophos attributed the comparatively low U.S. figure to U.S. companies having a much better understanding of their security responsibilities: 90% of U.S. respondents said that although the cloud service provider ensures the platform is secure, each cloud customer is also responsible for its own security. Firms must diligently manage and monitor their cloud environments to stay one step ahead of attackers.

The most common causes of public cloud security breaches were:

  • In the U.S., 75% of breaches were due to misconfigurations and 23% to stolen credentials.
  • 66% of public cloud security breaches were due to misconfigured systems and firewall application flaws that allowed cybercriminals to access sensitive information.
  • 44% of attacks involved misconfigured web application firewalls.
  • 22% were due to misconfigured cloud resources.
  • 33% involved stolen account credentials.

As firms adopt more cloud services, complexity and the attack surface grow, and there is more room for misconfiguration. It is therefore crucial for firms to have the right tools to gain full visibility into their cloud environments and to have staff with cloud security expertise. Despite the high volume of public cloud data breaches, only one in four companies saw a shortage of staff expertise as a concern, suggesting that many organizations underestimate the skills needed to build a strong cloud security posture.

Organizations must continuously monitor their cloud resource settings to detect misconfigured cloud services. A recent Comparitech study showed that cybercriminals run automated scans for misconfigured cloud services, and unprotected resources are quickly found and attacked. In the Comparitech research, which used an exposed Elasticsearch honeypot, the first data access attempt came within 9 hours of the resource being created.

Companies must also proactively manage cloud access. The Sophos study found that 91% of participants had over-privileged identity and access management roles. Ensuring users only have access to the cloud resources they need limits the damage in the event of a breach.

The growth of remote working due to COVID-19 has also created new opportunities for cybercriminals. Remote employees should use VPNs to ensure secure access to cloud resources, access attempts should be monitored, and multi-factor authentication should be implemented. 98% of survey participants said they had MFA disabled on their cloud provider accounts.

Microsoft Shuts Down COVID-19 Phishing Campaign and Gives Warning on Malicious OAuth Apps

Microsoft has shut down a large-scale phishing campaign that operated in 62 countries. Microsoft’s Digital Crimes Unit (DCU) first identified the campaign in December 2019. The campaign targeted businesses and was designed to obtain Office 365 credentials. The attackers used the credentials to access user accounts and obtain sensitive information and contact lists, then used the accounts for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll.

Initially, the emails used in the campaign appeared to come from an employer and contained business-related content along with a malicious attachment entitled Q4 Report – Dec19. The campaign later evolved to use COVID-19 lures that exploited financial concerns related to the pandemic. One lure used the phrase “COVID-19 bonus” to entice victims to open malicious attachments or click malicious links.

Clicking the attachments or links took users to a site hosting a malicious application. The web applications closely resembled legitimate applications commonly used by businesses to improve productivity and security and to support remote workers. Users were prompted to grant the attacker-controlled OAuth applications access to their Office 365 accounts.

Once consent was given, the attackers received access and refresh tokens that allowed them to access the victim’s Office 365 account. Besides contact lists, emails, attachments, notes, tasks, and profiles, they also gained access to OneDrive for Business, SharePoint document management systems, and any data stored in those online storage accounts.

Microsoft implemented technical measures to block the phishing emails and filed a civil case in the U.S. District Court for the Eastern District of Virginia to obtain a court order seizing six domains the scammers were using to host the malicious applications. The court order has now been granted and Microsoft has taken the domains down. Without that infrastructure, the scammers cannot continue the campaign. A cybercriminal organization, rather than a nation state-sponsored group, is believed to be behind the campaign.

Microsoft also shared guidance to help businesses strengthen their defenses against phishing and BEC attacks:

  • The first step is to enable multi-factor authentication on all email accounts, whether business or personal.
  • Organizations should train staff to recognize phishing and BEC attacks.
  • Security alerts for suspicious links and files should be enabled.
  • Email forwarding rules should be reviewed for suspicious activity.
  • Companies should educate their staff about Microsoft permissions and the consent framework.
  • Applications and consent permissions should be audited to ensure that apps are only granted access to the data they need.
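The last two points are the defender's counter to the consent phishing described above. As an added example (not Microsoft's code or the article's), the script below triages an export of consent grants shaped like Microsoft Graph oauth2PermissionGrant and servicePrincipal objects (the sample export, the `verifiedPublisher` boolean, the scope list and the allowlist are constructed and simplified for this example) and flags user-consented grants to unreviewed apps that pair `offline_access` (refresh tokens) with mail, contact or file scopes.

```python
"""Triage OAuth consent grants for signs of consent phishing.

Added example, not from the original article or from Microsoft. It works over
a constructed export shaped like Microsoft Graph's oauth2PermissionGrant and
servicePrincipal objects (simplified: verifiedPublisher is a plain boolean).
"""
import json

# Delegated scopes that give an app standing access to mailbox, contacts or
# document stores. Constructed list for this example; extend to taste.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Notes.Read.All",
}

# Hypothetical allowlist of service principal ids the organization has reviewed.
APPROVED_APP_IDS = {"sp-approved-0001"}

# Constructed sample export: two service principals and three grants.
SAMPLE_EXPORT = json.dumps({
    "servicePrincipals": [
        {"id": "sp-approved-0001", "displayName": "Payroll Connector",
         "publisherName": "Contoso IT", "verifiedPublisher": True},
        {"id": "sp-unknown-0002", "displayName": "Productivity Booster",
         "publisherName": None, "verifiedPublisher": False},
    ],
    "oauth2PermissionGrants": [
        # Admin-consented, tenant-wide, but a reviewed app: not flagged.
        {"id": "g1", "clientId": "sp-approved-0001", "consentType": "AllPrincipals",
         "principalId": None, "resourceId": "graph",
         "scope": "User.Read Mail.Read offline_access"},
        # User-consented grant to an unverified app: mail, contacts, files, refresh tokens.
        {"id": "g2", "clientId": "sp-unknown-0002", "consentType": "Principal",
         "principalId": "user-42", "resourceId": "graph",
         "scope": "User.Read Mail.ReadWrite Contacts.Read Files.ReadWrite.All offline_access"},
        # User-consented but harmless: profile read only.
        {"id": "g3", "clientId": "sp-unknown-0002", "consentType": "Principal",
         "principalId": "user-7", "resourceId": "graph", "scope": "User.Read"},
    ],
})


def parse_export(raw: str):
    """Split the export into a service-principal lookup and the grant list."""
    data = json.loads(raw)
    sps = {sp["id"]: sp for sp in data["servicePrincipals"]}
    return sps, data["oauth2PermissionGrants"]


def assess_grant(grant: dict, sps: dict) -> dict:
    """Return a finding for one grant; 'risky' is True when any reason fires."""
    scopes = set(grant["scope"].split())
    sensitive = sorted(scopes & SENSITIVE_SCOPES)
    sp = sps.get(grant["clientId"], {})
    finding = {
        "grant_id": grant["id"],
        "app": sp.get("displayName", grant["clientId"]),
        "principal": grant.get("principalId"),
        "risky": False,
        "reasons": [],
    }
    if grant["clientId"] in APPROVED_APP_IDS:
        finding["reasons"].append("app on reviewed allowlist")
        return finding
    if not sensitive:
        finding["reasons"].append("no sensitive scopes granted")
        return finding
    # From here on the app is unreviewed and holds sensitive scopes.
    finding["risky"] = True
    if grant["consentType"] == "Principal":
        finding["reasons"].append(
            "user consent (no admin review) to " + ", ".join(sensitive))
    if "offline_access" in scopes:
        finding["reasons"].append(
            "offline_access: refresh tokens let the app renew access "
            "without the user signing in again")
    if not sp.get("verifiedPublisher"):
        finding["reasons"].append("publisher not verified")
    return finding


def triage(raw: str) -> list:
    """Assess every grant in the export, in export order."""
    sps, grants = parse_export(raw)
    return [assess_grant(g, sps) for g in grants]


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        flag = "REVIEW" if f["risky"] else "ok    "
        print(f"{flag} {f['grant_id']} {f['app']!r} principal={f['principal']}")
        for reason in f["reasons"]:
            print(f"       - {reason}")
```

In a real tenant the same logic runs over grants pulled from the Graph API; revoking the flagged grant and resetting the affected user's sessions is the remediation this triage feeds.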

Magellan Health Ransomware Affects Over 364,000 People

The April 2020 ransomware attack on Magellan Health has now been posted on the HHS’ Office for Civil Rights breach portal. Six Magellan entities were affected, each of which reported the incident separately. Several other organizations have also filed breach reports confirming that their patients and customers were affected.

It is still too early to say exactly how many people were affected by the ransomware attack, but as of July 1, 2020, the total exceeds 364,000, making this the third largest healthcare data breach of 2020 so far. Some entities may not yet have reported the impact of the breach.

The entities that have confirmed being affected by the breach are listed below.

  • Merit Health Insurance Company – 102,748 people impacted
  • Magellan Healthcare, Maryland – 50,410 people impacted
  • Magellan Rx Pharmacy – 33,040 people impacted
  • Magellan Complete Care of Florida – 76,236 people impacted
  • Magellan Complete Care of Virginia – 3,568 people impacted
  • National Imaging Associate – 22,560 people impacted
  • University of Florida, Health Shands – 13,146 people impacted
  • University of Florida Jacksonville – 54,002 people impacted
  • University of Florida – 9,182 people impacted
  • Total people impacted were 364,892

Many recently reported healthcare ransomware attacks used brute force attacks on remote desktop services or exploited VPN vulnerabilities. This attack was different: it began with a spear-phishing email that impersonated a Magellan customer. The email was sent on April 6 and the ransomware was deployed less than a week later.

In the substitute breach notification letter Magellan submitted to the California Attorney General’s Office, it stated that the attacker deployed malware designed to steal login credentials and passwords, gained access to a single Magellan corporate server, and stole employee data. The stolen information related to current employees and included addresses, employee ID numbers, and 1099 or W-2 information such as Taxpayer ID numbers or Social Security numbers. For some employees, the attacker also obtained usernames and passwords.

The breach notice published on the Magellan Health websites confirms that patients of Magellan Health and its affiliates and subsidiaries were affected too. The compromised information included treatment details, health insurance account data, member IDs, other health-related information, telephone numbers, and physical and email addresses. Social Security numbers were also affected in some cases.

The June 12, 2020 website notice did not state whether protected health information (PHI) was stolen in the attack. In all cases, Magellan Health says it has found no evidence so far that any patient or employee data has been misused.

Ransomware Attacks on North Shore Pain Management and Florida Orthopaedic Institute

North Shore Pain Management (NSPM) in Massachusetts has begun notifying 12,472 patients that some of their protected health information (PHI) was stolen by hackers. NSPM detected the breach on April 21, 2020, and the investigation confirmed that the hackers first accessed its systems on April 16, 2020.

NSPM did not describe the nature of the attack in the substitute breach notice posted on its website. However, Emsisoft and databreaches.net confirmed the incident as a ransomware attack using AKO ransomware. When no ransom was paid, the group behind the attack dumped 4GB of stolen data on its Tor site.

The dumped data included a variety of sensitive employee and patient information. The NSPM breach notice stated that the stolen data included patient names, birth dates, health insurance data, account balances, financial data, and diagnosis and treatment information. For some patients, ultrasound and MRI images were also included. Patients whose Social Security number was used as their health insurance/member number also had their SSNs exposed.

Because the stolen data was exposed on the internet, affected patients were advised to monitor their financial accounts and explanation of benefits statements for any sign of misuse. NSPM offered free credit monitoring and identity theft protection services to patients whose Social Security numbers were compromised, and has hired a new IT management vendor to strengthen its cybersecurity.

The AKO ransomware attackers, like many gangs that deploy ransomware manually, steal data before encrypting files to improve their chances of getting paid. The AKO group usually demands two ransom payments from companies with large revenues: one for the decryptor and another to ensure the stolen data is deleted. The ransom demanded for data deletion ranges from $100,000 to $2,000,000.

The group has said that some healthcare providers pay only the data-deletion ransom and not the decryptor ransom. It is not known whether NSPM paid.

Ransomware Attack on Florida Orthopaedic Institute

Florida Orthopaedic Institute, based in Tampa, FL, reported a ransomware attack on April 9, 2020 in which patient data stored on its servers was encrypted. An internal investigation found that personal data and PHI of patients may have been stolen before the files were encrypted. Florida Orthopaedic Institute has received no reports of patient data misuse resulting from the attack.

Florida Orthopaedic Institute engaged a third-party computer forensics firm to assist with the investigation and took steps to recover the encrypted data and secure its servers. Affected patients have been notified and offered free credit monitoring, identity theft restoration services, and fraud consultation.

The data that was encrypted and potentially stolen included names, dates of birth, Social Security numbers, and medical data relating to appointment times, physician locations, diagnosis codes, amounts paid, insurance plan ID numbers, claims addresses, payer ID numbers, and/or FOI claims history.

Florida Orthopaedic Institute has also engaged third-party specialists to improve security and prevent further cyberattacks.

The HHS' Office for Civil Rights has not yet listed the incident on its breach portal, so the number of affected patients is currently unknown.

Survey Reveals Upsurge in Phishing and Email Impersonation Attacks

According to the latest Mimecast State of Email Security report, email impersonation attacks on companies have surged during the COVID-19 pandemic, increasing by 30% in the first 100 days of 2020.

The survey was conducted by Vanson Bourne on behalf of Mimecast between February and March 2020, while firms were already dealing with the pandemic, and covered 1,025 IT decision-makers in the UK, U.S., Germany, Australia, the Netherlands, South Africa, Saudi Arabia, and the United Arab Emirates (UAE). Mimecast also analyzed more than 1 billion emails processed by its email security solutions.

60% of respondents reported an increase in email impersonation attacks such as business email compromise (BEC) in the last 12 months. Respondents detected an average of 9 email or web spoofing incidents last year, and others may have gone undetected.

DMARC (Domain-based Message Authentication, Reporting and Conformance) lets a domain owner publish a policy that tells receiving mail servers how to treat messages claiming to come from the domain that fail SPF or DKIM alignment, which makes it a key control against email impersonation and the brand damage that follows it. Although 97% of respondents were aware of DMARC, only 27% said they had implemented it, and a DMARC record left in monitoring mode (p=none) blocks nothing.
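Publishing a DMARC record is not the same as enforcing one. The following Python script, added here as an illustration and not taken from the Mimecast report or the article, parses a DMARC TXT record and reports whether the policy actually blocks spoofed mail. The four records are constructed (the domains are placeholders), the tags checked are those defined in RFC 7489, and the grading thresholds are this example's own convention.

```python
"""Parse a DMARC TXT record and report how much protection it actually gives.

Added example, not from the Mimecast report or the article. The records below
are constructed; the checks use the DMARC tags defined in RFC 7489
(v, p, sp, pct, rua) and the grading is this example's convention.
"""
from __future__ import annotations

# Constructed records as they would appear in the TXT record at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "hospital-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-a.example; adkim=s; aspf=s; pct=100",
    "hospital-b.example": "v=DMARC1; p=none; rua=mailto:reports@hospital-b.example",
    "hospital-c.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "hospital-d.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict, raising ValueError if the text
    is not a usable DMARC record (tolerates tags in any order)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no policy tag (p=)")
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the published policy, whether it is actually enforced, and the
    weaknesses a spoofer could still exploit."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"policy": None, "enforcing": False, "issues": [str(exc)]}

    issues = []
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # assume the default for the remaining checks, but flag it
        issues.append("pct= is not a number")
    if policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        issues.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")

    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "enforcing": enforcing, "issues": issues}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        state = "ENFORCING" if result["enforcing"] else "NOT ENFORCING"
        print(f"{domain}: p={result['policy']} {state}")
        for issue in result["issues"]:
            print(f"    - {issue}")
```

To check a real domain, fetch the TXT record at `_dmarc.<domain>` with a DNS resolver and pass the string to `assess_dmarc()`. Note that the parser is more lenient than the RFC, which requires `v=DMARC1` to be the first tag; a strict receiver may ignore a record that violates that ordering.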

Ransomware remains a concern. 51% of respondents reported that ransomware had affected their business last year, with an average of 3 days of downtime per attack.

58% of respondents saw an increase in phishing attacks in the last year. 72% reported the same or a higher level of phishing attacks this year, compared with 69% in the 2019 survey.

IT decision-makers do not expect the situation to improve. 85% believe email and web-based spoofing attacks will stay at a similar level or increase over the next 12 months, and there is little confidence that the attacks can be repelled: 60% said an email-related data breach is either inevitable or very likely.

This pessimistic outlook is shaped by the change in working practices caused by the pandemic. The shift from a predominantly office-based workforce to one that is almost entirely home-based has created new problems and made it harder for IT security teams to keep attackers out.

Despite the high risk of attack, cyber resilience preparedness is still lacking, and regular security awareness training does not appear to be a priority. 55% of respondents said no security awareness training was provided to employees on a regular basis, and 17% said it was offered only once a year.

The attacks are costly. 31% of respondents said they had suffered data loss and business disruption because of an email attack, and 29% reported downtime because they were unprepared.

The report also indicates that many businesses lack basic email security controls:

  • 40% have no system for monitoring and protecting against email-based attacks or data leakage in internal email
  • 39% have no monitoring or protection against email-borne malware
  • 42% have no system that automatically removes malicious or unwanted emails from employees' inboxes

Businesses do recognize the value of a cyber resilience strategy: in 2019, 75% of respondents said they had a strategy or were preparing one, and this year the figure is 77%. Judging by how many respondents have suffered data loss, downtime, and degraded performance because of email attacks, however, those strategies have yet to be implemented in many organizations.

Surge in Mobile Phishing Attacks During the COVID-19 Health Crisis

Cybercriminals have changed their tactics, techniques, and procedures during the COVID-19 health crisis and are targeting remote workers with COVID-19 themed lures in their phishing emails. According to a new report from the mobile security company Lookout, the number of phishing attacks targeting users of mobile devices such as smartphones and tablets has increased sharply.

Globally, mobile phishing attacks on corporate users increased by 37% between Q4 2019 and the end of Q1 2020; in North America the increase was 66.3%. Attackers are particularly targeting remote workers in industries such as healthcare and financial services.

Although the sharp rise is attributed to the change in working practices caused by the pandemic, mobile phishing attacks have been rising steadily for several quarters. Phishing attacks on mobile users appear to succeed more often because users are more inclined to click links than they would be on a desktop or laptop, and because phishing URLs are harder to recognize as malicious on a small screen.

Where a laptop or desktop browser will usually display the full link, a mobile device may show only the end of it, so a malicious link can appear legitimate. Employees working from home are also more likely to do tasks on their phones to stay productive, especially those without a large screen or multiple monitors at home.
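As an added illustration of that point (not from the Lookout report or the article), the Python snippet below models a narrow address bar that shows only the tail of a URL, and flags URLs in which a brand's domain appears in the host or path but is not the domain the link is actually registered under. The URLs, the brand domain `hospital.example`, and the two-label rule used to find the registrable domain are assumptions made for the example; a production check should consult the public suffix list instead.

```python
"""Why a phishing link can pass for a genuine one on a small screen.

Added example, not from the Lookout report or the article. The URLs are
constructed; the brand domain hospital.example is an assumption; mobile_view()
is a simplified model of an address bar that only shows the end of a URL.
"""
from __future__ import annotations
from urllib.parse import urlsplit

BRAND_DOMAIN = "hospital.example"  # assumed legitimate patient-portal domain

# Constructed URLs: the first is genuine, the other two put the brand name
# where a truncated display (or a hurried reader) will see it.
SAMPLE_URLS = [
    "https://portal.hospital.example/login",
    "https://portal.hospital.example.secure-login-verify.net/login",
    "https://secure-login-verify.net/portal.hospital.example/login",
]


def mobile_view(url: str, width: int = 28) -> str:
    """Model a narrow address bar that keeps only the last `width` characters."""
    if len(url) <= width:
        return url
    return "..." + url[-(width - 3):]


def registrable_domain(host: str) -> str:
    """Last two labels of the host name.

    Assumption: no public suffix list is consulted, so two-part suffixes such
    as co.uk are not handled; a production check should use one.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_spoof(url: str, brand_domain: str = BRAND_DOMAIN) -> tuple[bool, str]:
    """Flag a URL that displays the brand domain but is not registered under it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    brand = brand_domain.lower()
    if reg == brand:
        return False, f"registrable domain is {reg}"
    if brand in host or brand in parts.path.lower():
        return True, f"brand name visible but registrable domain is {reg}"
    return False, f"unrelated domain {reg}"


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        spoof, why = looks_like_spoof(url)
        print(f"{'SPOOF ' if spoof else 'ok    '} {mobile_view(url):>30}  {why}")
```

Running it shows the third URL's truncated view ending in `hospital.example/login` while the real domain, `secure-login-verify.net`, has scrolled out of sight; the check catches it because the registrable domain is compared rather than the visible text.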

Mobile devices usually do not have the same level of security as laptops and office computers, so phishing messages are less likely to be blocked. There are also more ways to deliver phishing links to a mobile device: on a desktop they typically arrive by email, but on a mobile device they can arrive by email, messaging apps, SMS, social media, and dating apps. Mobile users also tend to work more quickly and not stop to consider whether a request is legitimate, even if they would be careful on a laptop or desktop.

The rise in phishing attacks on mobile users is a security issue that employers must address through security awareness education and training, particularly for remote workers. Phishing awareness training should cover mobile phishing, show how links can be previewed on mobile devices, and explain the other steps that should be taken to verify that a request is genuine.

If a message appears to come from someone you know but makes an unusual request or leads to an unfamiliar web page, contact that person directly to confirm it. When working remotely, verifying any unusual communication is even more important.

Education alone may not be enough. Security software should also be deployed on mobile devices to better protect users from phishing and malware.

AHA and AMA Issue Joint Cybersecurity Guidance for Telecommuting Doctors

The American Hospital Association (AHA) and the American Medical Association (AMA) have published joint cybersecurity guidance for doctors working from home during the COVID-19 outbreak, to help them keep their mobile devices, computers, and home networks secure and provide remote care safely.

Doctors can use their mobile devices to access patient medical records over the internet just as they would in the clinic, and can use teleconferencing solutions for virtual visits, using audio, video, and text messaging to assess and treat patients. Working from home, however, introduces risks to the privacy and security of patient data.

The AMA/AHA guidance is intended to help doctors secure their home computers and networks and protect patient data and their work environment from cyber threats, including malware and ransomware that could affect patient safety and health. It sets out essential steps for making a home office resilient against viruses, malware, and cybercriminals.

The guidance includes a checklist for computer systems detailing steps to strengthen security and reduce exposure to threats such as phishing, ransomware, and malware. It also lists best practices to adopt, including multi-factor authentication, account lockout, additional verbal verification procedures, and regular backups.

The AMA and AHA recommend using a virtual private network (VPN) whenever accessing EHRs and other data repositories. Physicians should contact their EHR vendors for advice on using VPNs and web-based technologies to improve security.

The guidance also addresses mobile device and tablet security and provides a similar checklist for keeping those devices secure. The AMA and AHA advise doctors to use apps on smartphones and tablets to connect to the office for tasks such as ordering medications and tests. Applications such as TigerTouch can also be used on these devices to provide telemedicine services to patients, and these applications integrate fully with EHRs.

Besides securing devices, physicians should strengthen the security of their home networks. A vulnerable home network can be exploited, and any device connected to it could be compromised, giving an attacker access to patient information. The guidance also covers the use of medical devices and how to identify and reduce cyber threats.

To view the guidance on working from home during the COVID-19 pandemic, go to this page.

Kwampirs APT Group Continues to Attack Healthcare Firms via the Supply Chain

The Advanced Persistent Threat (APT) group known as Kwampirs, also known as Orangeworm, continues to attack healthcare providers and infect their systems with the Kwampirs Remote Access Trojan (RAT) and other malware payloads.

The group has been active since at least 2016, but activity has increased recently: the FBI has issued three warnings about the group so far in 2020. Symantec's report in April 2018 was the first to document the group's attacks on healthcare providers through the supply chain.

The group targets several industries, including healthcare, energy, engineering, and the software supply chain. The attacks on the healthcare industry are believed to have come through the vendor software supply chain and hardware products.

According to the FBI, the attacks have been very successful. The group has compromised many hospitals across the United States, Europe, and Asia, including local hospital organizations and large transnational healthcare companies. The campaigns typically infect both local and enterprise devices with malware.

The group first gains access to the victim organization's devices and establishes a broad and persistent presence using the Kwampirs RAT in order to conduct computer network exploitation (CNE) activities. The attacks have two phases. In the first, the Kwampirs RAT is used to obtain broad and prolonged access to hospital networks, which often includes the delivery of several secondary malware payloads. In the second, additional modules are added to the Kwampirs RAT to allow further exploitation of the victim's network; these modules are tailored to the targeted organization. The FBI reports that the threat actors maintain control of victims' networks for long periods, from 3 months to 3 years, and carry out detailed reconnaissance.

The group has targeted primary and secondary domain controllers, software development servers, engineering servers, and file servers used as repositories for R&D data. Once deployed, the Kwampirs RAT performs daily command and control (C2) communications with IP addresses and domains hard-coded into the malware, and exfiltrates data.

The group's primary objective appears to be cyber espionage, but the FBI says analysis of the RAT found several code similarities with the Shamoon (Disttrack) wiper used in the 2012 attack on Saudi Aramco. The FBI has not, however, observed any wiper modules in Kwampirs to date.

The FBI has provided several recommendations and best practices for improving security and reducing the risk of infection, including:

  • Keep software and operating systems up to date and apply patches
  • Validate user input to limit local and remote file inclusion vulnerabilities
  • Use a least-privilege model on the web server to reduce the potential for privilege escalation and lateral movement to other hosts, and to control file creation and execution in specific directories
  • Set up a demilitarized zone (DMZ) between internet-facing systems and the corporate network
  • Ensure all web servers have a secure configuration and that all unnecessary and unused ports are disabled or blocked
  • Use a reverse proxy to restrict accessible URL paths to known legitimate ones
  • Deploy a web application firewall
  • Conduct regular malware monitoring and code reviews, application fuzzing, and server and network analysis
  • Conduct regular system and application vulnerability scans to identify areas of risk

Microsoft’s Assistance in Securing Healthcare Against Human-Controlled Ransomware Attacks

The COVID-19 outbreak is forcing many employees to work from home, and human-operated ransomware gangs are targeting the systems used to support them. Although several ransomware gangs have said they will stop attacking healthcare providers while the COVID-19 public health emergency is in effect, not all gangs have done so.

Several cybercrime gangs are taking advantage of the outbreak. Tactics, techniques, and procedures (TTPs) have changed in response to the pandemic: cybercriminals are now using social engineering that plays on fears about COVID-19 to obtain credentials that let them move into healthcare networks.

A ransomware attack on a hospital is always highly disruptive, but while hospitals are responding to the pandemic, it could seriously hinder the treatment of COVID-19 patients. Microsoft is therefore helping to secure critical services during the COVID-19 crisis and has issued guidance to healthcare providers on defending against human-operated ransomware attacks.

Microsoft is actively monitoring ransomware gangs, and based on information from its extensive threat intelligence network, some human-operated ransomware gangs are exploiting vulnerabilities in gateway devices and virtual private network (VPN) appliances that allow remote employees to connect to corporate networks.

REvil (Sodinokibi), one of the most prominent human-operated ransomware gangs, has been exploiting vulnerabilities in gateways and VPN appliances for some time. After exploiting a vulnerability to steal credentials and escalate privileges, the attackers compromise many devices before deploying ransomware or other malware payloads.

According to Microsoft, the attackers are highly skilled, have substantial systems administration expertise, and know how to exploit common network security misconfigurations. They adapt their strategy to the weaknesses and vulnerable services they find while exploring healthcare networks, and often deploy ransomware only after weeks or months inside the network.

Microsoft's report describes how the REvil gang scans the internet for vulnerable systems and exploits the growing use of VPNs and gateways to support remote employees during the COVID-19 outbreak. Because the exploited vulnerabilities are often regarded as low priority, they remain unpatched for long periods.

Microsoft has identified several hospitals with vulnerable gateways and VPN devices on their networks, with vulnerabilities similar to those the REvil gang has exploited. Microsoft has notified those hospitals and strongly advised them to apply updates immediately to prevent exploitation.

Microsoft notes that running VPN and virtual private server (VPS) infrastructure requires an understanding of the current state of the related security patches. All organizations with VPN and VPS infrastructure should carry out a thorough review, identify available updates, and apply them immediately.

For many months, nation-state actors and cybercriminals have been targeting unpatched VPN systems. Exploits target remote workers, often using the updater services of VPN clients to deliver malware payloads.

Microsoft issued the following recommendations for healthcare organizations:

  • Apply all security updates for VPN and firewall configurations
  • Monitor remote access infrastructure and investigate anomalies immediately
  • Reset passwords as soon as a compromise is identified
  • Enable attack surface reduction rules to block credential theft and ransomware activity
  • Block macros, executable content, process creation, and injection initiated by Office applications
  • Turn on AMSI for Office VBA if you have Office 365
  • Harden internet-facing assets and apply the latest security updates
  • Secure Remote Desktop Gateway and use Multi-Factor Authentication (MFA) or enable network-level authentication (NLA)
  • Apply the principle of least privilege
  • Maintain good credential hygiene
  • Monitor for brute-force attempts and investigate excessive failed authentication attempts
  • Monitor for clearing of Event Logs, especially the PowerShell Operational log and the Security Event log
  • Determine where highly privileged accounts are logging on and exposing credentials
  • Use the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication between endpoints
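Two of the monitoring items in that list, excessive failed authentication attempts and the clearing of event logs, can be expressed as simple detections. The Python below is an added example, not Microsoft's tooling or anything from its report: it runs both detections over a constructed set of Windows Security and System log records (in practice the records would come from Windows Event Forwarding, a SIEM, or `Get-WinEvent`). The event IDs used are the standard ones (4625 failed logon, 4624 successful logon, 1102 audit log cleared, 104 "log file was cleared" in the System log, which names the cleared channel); the thresholds, timestamps, IP addresses, and account names are assumptions.

```python
"""Two detections from Microsoft's list, run over constructed Windows events:
a burst of failed logons from one source (brute force / password spraying)
and the clearing of event logs.

Added example, not Microsoft's own tooling. The event records are constructed;
in practice they would come from Windows Event Forwarding, a SIEM, or
Get-WinEvent. Event IDs: 4625 = failed logon and 4624 = successful logon
(Security log), 1102 = audit log cleared (Security log), 104 = a log file was
cleared (System log, names the cleared channel). Thresholds are assumptions.
"""
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2020, 4, 20, 2, 13, 0)  # constructed start time


def make_event(offset_s, event_id, channel, account, source_ip="-", cleared_channel=None):
    """Build one constructed event record `offset_s` seconds after T0."""
    return {
        "time": T0 + timedelta(seconds=offset_s),
        "event_id": event_id,
        "channel": channel,
        "account": account,
        "source_ip": source_ip,
        "cleared_channel": cleared_channel,
    }


# Constructed scenario: 12 failed logons in 77 seconds from one internet IP,
# cycling through four accounts (spraying), then a success from the same IP,
# then the Security and PowerShell Operational logs are cleared. Two failed
# logons from a workstation are the noise a real user produces.
EVENTS = [make_event(i * 7, 4625, "Security", f"user{i % 4:02d}", "203.0.113.7") for i in range(12)]
EVENTS += [
    make_event(30, 4625, "Security", "rn.smith", "10.0.0.5"),
    make_event(400, 4625, "Security", "rn.smith", "10.0.0.5"),
    make_event(95, 4624, "Security", "user02", "203.0.113.7"),
    make_event(600, 1102, "Security", "user02"),
    make_event(640, 104, "System", "user02",
               cleared_channel="Microsoft-Windows-PowerShell/Operational"),
]


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Sliding window per source IP: alert once `threshold` failed logons (4625)
    fall within `window`. Returns {source_ip: {"first", "count", "accounts"}}."""
    alerts = {}
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625:
            continue
        q = recent[ev["source_ip"]]
        q.append(ev)
        while q and ev["time"] - q[0]["time"] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold and ev["source_ip"] not in alerts:
            alerts[ev["source_ip"]] = {
                "first": q[0]["time"],
                "count": len(q),
                "accounts": sorted({e["account"] for e in q}),
            }
    return alerts


def detect_log_clears(events):
    """Return (cleared_log, account, time) for every log-clearing event."""
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 1102 and ev["channel"] == "Security":
            findings.append(("Security", ev["account"], ev["time"]))
        elif ev["event_id"] == 104 and ev["channel"] == "System":
            findings.append((ev["cleared_channel"], ev["account"], ev["time"]))
    return findings


def success_after_bruteforce(events, alerts):
    """A successful logon (4624) from a source that tripped the brute-force rule
    is the point at which a password guess became a compromise."""
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        src = ev["source_ip"]
        if ev["event_id"] == 4624 and src in alerts and ev["time"] >= alerts[src]["first"]:
            hits.append((src, ev["account"], ev["time"]))
    return hits


if __name__ == "__main__":
    alerts = detect_bruteforce(EVENTS)
    for src, a in alerts.items():
        print(f"brute force from {src}: {a['count']} failures since {a['first']:%H:%M:%S}, accounts {a['accounts']}")
    for src, acct, when in success_after_bruteforce(EVENTS, alerts):
        print(f"SUCCESS from {src} as {acct} at {when:%H:%M:%S}: treat as compromised, reset password")
    for log, acct, when in detect_log_clears(EVENTS):
        print(f"log cleared: {log} by {acct} at {when:%H:%M:%S}")
```

The per-source sliding window is what separates a spray across many accounts from one user mistyping a password: the workstation at 10.0.0.5 never reaches the threshold. The `success_after_bruteforce` step ties the list's "reset passwords upon identification of a compromise" item to a concrete trigger, and a log-clear finding shortly after that success is the pattern the list's Event Log item is warning about.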

Organizations unsure how best to secure their VPN and VPS infrastructure can find further information from the National Institute of Standards and Technology (NIST) and the DHS Cybersecurity and Infrastructure Security Agency (CISA), both of which have published guidance on securing VPN/VPS infrastructure.

Cybersecurity Best Practices for Safeguarding Remote Employees Throughout the COVID-19 Crisis

With attacks increasing, it is vital to follow cybersecurity best practices to keep remote workers protected from phishing attacks and malware infections.

Companies should ensure they are using the latest VPN versions and apply patches promptly. The DHS Cybersecurity and Infrastructure Security Agency (CISA) issued a further alert on March 13 about patching and updating VPNs used by remote employees to address vulnerabilities. Companies were also advised to use multifactor authentication on all VPNs. VPNs should be configured to start automatically when a device is turned on rather than relying on workers to start them manually.

The COVID-19 outbreak is likely to last for several months, during which much software and many operating systems will need updating. Scanning devices and making sure patches are applied is considerably harder with a remote workforce. Because it is difficult to maintain a persistent, routable connection to end users' devices from inside the corporate network, cloud-based security management should be considered rather than relying solely on in-house tooling.

Multifactor authentication should be implemented for all applications used by remote workers. The increase in phishing attacks on remote workers makes compromised credentials very likely, and with multifactor authentication, stolen credentials alone cannot be used to access company resources.

Home workers need effective security solutions on their devices. IT teams should ensure that email security, web security, and anti-virus software are deployed on employee-owned devices that are allowed to connect to the network.

Apply a zero-trust approach to the remote-worker network and enforce the principle of least privilege. Ensure that remote workers have access only to the resources they need for their jobs and restrict privileges as far as possible; if credentials are compromised, this limits the damage that can be done.

There is a greater risk of device theft when employees work from home. To prevent data loss and impermissible disclosures, encrypt all data on portable devices; on Windows 10 this is straightforward to do by enabling BitLocker. Also encrypt all web and FTP data in transit, and ensure firewalls are enabled on remote workers' devices.

IT departments are now seeing large numbers of new devices connecting remotely to their networks, some of which have never connected before. That makes it harder to identify attackers and easier for them to hide their connections from the security team, so monitoring should be stepped up to identify malicious and suspicious activity and catch attacks in progress.

Ensure there are enough licenses for software and SaaS applications to cover the growing number of remote workers, and enough bandwidth to handle the growth in remote traffic: work out how much bandwidth is needed, then double it.

Do not underestimate the value of training. A large proportion of cyberattacks succeed because of user error, so refresher training that reminds all remote workers of the dangers of phishing and spoofing is crucial. With phishing attacks on remote workers soaring, phishing simulations and training are more important than ever.

Some workers may be using laptops to connect to the corporate network for the first time. They need training in the new applications and security software they are using, because unfamiliarity increases the potential for mistakes.

Remote workers should also be briefed on basic IT security procedures for working from home, reminded of the procedure for reporting risks and possible compromises, and told what to do if they think they have fallen for a scam.

Phishing Attacks Reported by LifeSprk, University of Utah Health and Oregon DHS

The Minnesota senior care provider Lifesprk is notifying 9,000 of its clients that some of their protected health information (PHI) may have been compromised in a phishing attack in November 2019.

Lifesprk discovered on January 17, 2020 that an unauthorized person had accessed an employee's email account. The account was secured promptly and a third-party cybersecurity firm was engaged to investigate. The firm confirmed that several employee email accounts had been compromised between November 5 and November 7, 2019.

For most affected individuals, the information in the compromised accounts included names, medical record numbers, health insurance details, and some health information. For some patients, financial data and/or Social Security numbers were also exposed.

The investigation is ongoing. So far, no evidence has been found that any data or PHI was stolen or misused.

Breach notification letters were sent to affected patients starting March 17, 2020; notification was delayed by the unprecedented measures needed to cope with the COVID-19 pandemic. Lifesprk has offered free credit monitoring and identity theft protection services to individuals whose Social Security number was compromised, is improving email security, and will reinforce employee awareness of phishing emails.

Patients’ PHI Potentially Compromised at University of Utah Health

The University of Utah Health has announced that unauthorized individuals accessed the email accounts of some of its employees between January 7 and February 21, 2020 and may have accessed patients' PHI.

On February 3, 2020, the University of Utah Health also discovered malware on an employee's workstation that may have given unauthorized individuals access to patient PHI.

The PHI in the email accounts and on the compromised computer included names, dates of birth, medical record numbers, and some clinical information related to the healthcare services provided by the University of Utah Health.

The University of Utah Health has notified affected patients, reviewed its security procedures and made the necessary updates, and will provide further security training to employees.

The number of patients affected is not yet known.

Spear Phishing Attack at the Oregon Department of Human Services

The Oregon Department of Human Services has discovered that an unauthorized person accessed an employee's email account after the employee responded to a spear phishing email.

IT security processes are in place that identify email account compromises quickly, which limited the opportunity for data theft. The Oregon DHS discovered the breach on March 6, 2020 and secured the account promptly. A third-party firm is assisting with the review to determine what data was exposed and who was affected, and those individuals will be notified in due course.

At this time there is no evidence that the attacker accessed, copied, or misused any PHI; nevertheless, the Oregon DHS will offer identity theft protection services to all affected clients.

Rising Number of Medical Devices are Vulnerable to Exploits Like BlueKeep

The healthcare sector is digitizing its business operations and data management processes, adopting new technology to improve efficiency and cut costs. That technology, however, is often integrated with infrastructure, processes, and software from an earlier era, which introduces many vulnerabilities.

Cybercriminals target the healthcare industry more than any other, with one-third of U.S. data breaches occurring in hospitals. They look for any weakness through which to launch their attacks, and many of those attacks succeed.

According to the newly published CyberMDX 2020 Healthcare Security Vision Report, about 30% of healthcare delivery organizations (HDOs) experienced a data breach last year, which shows how much the industry is struggling to manage vulnerabilities and stop cyberattacks.

One reason is the huge attack surface created by the number of hard-to-secure devices connected to healthcare networks. There are approximately 450 million medical devices connected to healthcare networks worldwide, 30% of them in the U.S., which works out to about 19,300 connected medical devices and clinical assets per U.S. hospital. It is not unusual for large hospitals to have more than 100,000 connected devices, and typically one in ten devices connected to a hospital network is a medical device.

The report found that 80% of device manufacturers and HDOs find medical devices hard to secure because of (1) a lack of understanding of how to secure them, (2) a lack of training in secure coding practices, and (3) pressure to meet product deadlines.

71% of HDOs say they have no comprehensive cybersecurity plan that covers medical devices, and 56% think a cyberattack on medical devices will happen in the next year; among medical device manufacturers the figure is 58%. If such an attack did occur, only 18% of HDOs say they would be able to detect it.

Medical Devices Vulnerable to BlueKeep

CyberMDX's study found that 61% of medical devices are exposed to some level of cyber risk:

  • 15% are vulnerable to BlueKeep
  • 25% are vulnerable to DejaBlue
  • 55% of imaging devices run outdated software that is exposed to exploits such as BlueKeep and DejaBlue

Overall, about 22% of Windows-based medical devices connected to hospital networks are vulnerable to BlueKeep.

An attacker can exploit BlueKeep and DejaBlue over the Remote Desktop Protocol (RDP) and take full control of a vulnerable device. Because BlueKeep is wormable, malware can spread to other vulnerable devices on the network without any user interaction.

BlueKeep affects older Windows versions, including Windows XP, Windows 7, and Windows Server 2003 through 2008 R2. Many medical devices still run those outdated operating systems and have not been updated to protect against exploitation. DejaBlue affects Windows 7 and later versions.

Linux-based operating systems are also exposed. Around 30% of medical devices and 15% of connected hospital assets are vulnerable to a flaw called SACK Panic, and about 45% of medical devices are vulnerable to at least one known vulnerability.

Prompt Patching Needed

CyberMDX's research found that 11% of HDOs do not patch their medical devices at all, and where patches are applied, the process is slow. Four months after BlueKeep was disclosed, a typical hospital had patched only about 40% of its vulnerable devices.

The report also reveals that 25% of HDOs have no complete inventory of their connected devices and 13% have no reliable inventory. 36% have no formal BYOD policy, and CyberMDX says a typical hospital is not tracking about 30% of its connected devices.

Patching medical devices is not easy. It often requires technicians to locate and physically inspect the affected devices.

Worryingly, although medical devices are exposed to attack, most HDOs neglect granular network segmentation. Networks are segmented without regard to security, so segments contain many different connected devices that are exposed to the internet.

If a vulnerability were exploited, many HDOs would struggle to detect the attack. More than a third of HDOs do not continuously monitor their connected devices, and 21% tag, profile, and track their devices manually.

The Solution

Strengthening the security of medical devices requires consistent review of many areas, including configuration practices, network restrictions, segmentation, credential administration, vulnerability tracking, patching and updating, access and function controls, compliance assurance, live context-aware traffic monitoring and analysis, and third-party security practices. Additionally, without knowing which devices are networked, it is impossible to fully grasp their specific attack vectors.

Fortifying security is certainly a challenging task; however, the goal is not to make the organization 100% secure. The goal must be to address the most critical concerns and to substantially reduce the attack surface.

Healthcare Organizations Have Misplaced Confidence in Their Ability to Secure PHI and Manage Data Sharing

Healthcare companies are confident that they are securing regulated information and managing data sharing. However, according to the latest report from Netwrix, that confidence appears to be misplaced in many cases.

When data is no longer required, it should be deleted, yet sensitive information often remains hidden on networks for a long time. Documents containing sensitive data may be saved in the wrong location, where they are not protected from unauthorized access, and misplaced information can remain exposed for weeks or months.

A recent survey by Netwrix has revealed the severity of the issue. Netwrix surveyed 1,045 IT professionals from a variety of industries for its 2020 Data Risk & Security Report and found that 91% were confident that their sensitive information was stored securely. But one-quarter of the respondents said they had discovered sensitive information stored outside the designated storage areas in the past year, showing that confidence to be misplaced. 43% of respondents said they had found sensitive information in the wrong location exposed for days, and 23% said it had been exposed for weeks before being discovered.

Healthcare companies that participated in the survey were less certain about the secure storage of all sensitive information: 52% of healthcare respondents expressed certainty that all regulated information was stored securely. Of that 52%, 24% stated they had found sensitive information in the wrong location in the past year.

65% of surveyed healthcare companies were confident that their employees are not using cloud applications to share sensitive information in order to circumvent controls imposed by the IT department; however, that confidence also appears to be misplaced. 32% of the respondents who were certain that no unauthorized data sharing was taking place could not validate the claim because they do not monitor data sharing by any means, and 17% could only monitor data sharing through a manual process.

Of all the surveyed industries, healthcare performed worst at controlling redundant, obsolete, and trivial (ROT) files. 60% of CIOs from healthcare companies stated they have trouble identifying ROT files that should be removed. ROT is easier to identify with data classification technology: 43% of healthcare providers that classify their data say it is faster to identify ROT, compared with 13% of those that do not classify their records.

According to the study, just 20% of healthcare companies delete ROT data on a regular basis. The low figure is due to the lack of a data retention policy: 69% of healthcare companies have no such policy that would help them systematically remove data once it is no longer needed. That figure was the highest of all the surveyed industries.

HIPAA requires the implementation of access controls to prevent unauthorized people from viewing protected health information (PHI). Access rights need to be reviewed regularly, and when access to regulated information is no longer required, access rights should be updated accordingly. Netwrix found that 55% of healthcare providers do not review PHI access rights regularly and 70% do not review access rights to archived information, in violation of HIPAA.

The HIPAA Right of Access grants patients the right to obtain a copy of their health records, and the California Consumer Privacy Act (CCPA) gives individuals the right to access their information. 55% of healthcare companies said that handling data subject access requests (DSARs) puts stress on their IT staff. The pressure could be eased by using data classification technology: companies that have deployed data classification technology and classify information at collection say they can fulfill DSARs in one-third of the time.

Securing budget for data classification technology can be challenging, because to obtain funding IT teams must have security metrics to present to senior managers to justify the cost. While 47% of companies expect higher budgets this year, only 16% stated they possess the security metrics to justify the increase. Senior managers ask for metrics to explain expenses and to see a return on investment.

Cybersecurity management must look for more efficient ways to handle data security threats and demonstrate a return on investment to the executive team. Better visibility into their data, internal operations, and user activity will allow them to prioritize their projects, mitigate security and compliance risks more effectively, and validate the effectiveness of their investments.

MyEyeDr. Notifies Patients of Ransomware Attack and Improper Records Disposal Incident

In the recent ransomware attack on MyEyeDr. Optometry in Colorado P.C., a network of offices offering vision care, the protected health information (PHI) of 1,475 Colorado residents was potentially compromised.

The attacker accessed part of the MyEyeDr. systems on December 11, 2019, then downloaded and deployed the ransomware. MyEyeDr. immediately took action to block further unauthorized access and to recover all affected patient records. The network did not pay the ransom demand.

Although most of the encrypted data could be restored, certain files were not recovered and remained encrypted. An independent computer forensics company investigated the attack to determine whether the attackers had stolen any information before encrypting files. The forensics company found no evidence of data exfiltration and believes the attackers only encrypted files with the intent of extorting money from MyEyeDr.

The patient information held in the affected systems included names, birth dates, diagnoses, clinical data, and treatment details. The attack only affected patients who received services at Colorado MyEyeDr. locations between December 1 and December 10, 2019.

7,983 Today’s Vision Willowbrook Patients Affected by Improper Disposal Incident

MyEyeDr. also encountered another breach that resulted in the compromise of the PHI of 7,983 patients from Today’s Vision Willowbrook. Capital Vision Services, dba MyEyeDr. acquired Today’s Vision Willowbrook in February 2019.

On May 21, 2019, MyEyeDr. discovered that historic records of Today’s Vision Willowbrook patients had been disposed of improperly. The patient records should have been securely destroyed; instead, they were discarded in a dumpster in Tomball, Texas.

The compromised records included the following patient data: names, addresses, birth dates, Social Security numbers, clinical data, and billing data. The information belonged to patients who visited Today’s Vision Willowbrook from 1997 to 2003.

The media reported on the improper disposal, and local law enforcement officers went to the dumpster and retrieved the patient records. According to MyEyeDr., because of the quick action of the Tomball police in securing the records, it is believed that unauthorized third parties had no opportunity to misuse any of the information in the patient records.

MyEyeDr. stated that no MyEyeDr. employee had possession of the records and that employees of Today’s Vision Willowbrook did not appear to have dumped the patient records.

$157 Million Cost of Ransomware Attacks to the Healthcare Industry Since 2016

A new Comparitech study has revealed the extent of ransomware attacks on healthcare organizations and their real cost to the healthcare industry.

The study showed that healthcare organizations in the United States have experienced at least 172 ransomware attacks in the past three years. The attacks affected 1,446 hospitals, clinics, and other medical facilities and at least 6,649,713 patients.

The number of attacks fell from 53 incidents in 2017 to 31 incidents in 2018, but 2019 returned to 2017 levels with 50 reported attacks on healthcare companies.

Since 2016, 74% of healthcare ransomware attacks have targeted hospitals and health clinics. The remaining 26% were on other healthcare establishments such as nursing homes, dental practices, medical testing laboratories, health insurance companies, plastic surgeons, optometry practices, medical supply firms, government healthcare organizations, and managed service providers.

Ransom demands vary substantially, ranging from around $1,600 to $14 million; known ransom demands in attacks on healthcare organizations since 2016 total $16.48 million. Comparitech stated that healthcare companies have paid about $640,000 to attackers to obtain the keys to unlock encrypted files, though the real figure is probably substantially higher, as many victims choose not to disclose that information.

As a result of attacks, appointments are often canceled and data can be permanently lost. The time, effort, and cost of remediating an attack can be too much for some smaller healthcare organizations: two healthcare clinics closed their practices because of ransomware attacks in 2019.

Ransom payments are only a small fraction of the total cost of an attack. Restoring systems from backups, or even using the decryption keys obtained from the attackers, can take a substantial amount of time; repairing systems and data can take anywhere from several hours to weeks or months. The downtime resulting from ransomware attacks also adds to the total cost.

Comparitech drew on a range of data breach reports, IT news sources, healthcare resources, and HHS’ Office for Civil Rights data, together with findings from studies on the cost of downtime resulting from ransomware attacks. Based on that data, the researchers produced low and high estimates of the downtime cost for all 172 verified attacks since 2016. The low and high estimates were $157,896,000 and $240,800,000, respectively.

Given that hospitals and other healthcare providers are often easy targets for hackers, ransomware will continue to be a growing problem for both organizations and patients. Most ransomware attacks so far have targeted patient data and hospital systems, but without the right safeguards the potential impact is far worse: ransomware attacks could disrupt life-saving equipment as well as critical patient data and systems.