HIPAA Enforcement Discretion Expires on May 11, 2023 and Cobalt Strike News

The Secretary of the Department of Health and Human Services (HHS) announced that the COVID-19 Public Health Emergency, which expires on May 11, 2023, will not be renewed. According to the HHS’ Office for Civil Rights (OCR), the Notifications of Enforcement Discretion issued in response to the COVID-19 Public Health Emergency are therefore also due to expire on May 11, 2023.

OCR issued four Notifications of Enforcement Discretion in 2020 and 2021 in response to the COVID-19 Public Health Emergency to support the healthcare industry during the pandemic. Under the Notices of Enforcement Discretion, OCR does not impose financial penalties when certain provisions of the HIPAA Security, Privacy and Breach Notification Rules are violated. The leniency allowed by OCR applies to the following:

  • community-based COVID-19 testing sites
  • uses and disclosures of protected health information (PHI) by business associates for public health monitoring activities
  • the use of online or web-based scheduling apps for booking COVID-19 vaccination appointments
  • the use of telehealth services that would not normally be HIPAA-compliant

OCR previously stated that healthcare companies would be given enough time to comply with the HIPAA Rules with respect to telehealth. When the notice of enforcement discretion expires on May 11, 2023, there will be a 3-month (90-day) transition period, during which HIPAA-covered entities will not be issued financial penalties for non-compliance with the HIPAA Rules associated with the provision of telehealth services. The transition period runs from May 12, 2023 to August 9, 2023.

The transition period gives healthcare companies time to make the changes to their operations needed to make their telehealth services private, secure, and compliant with HIPAA regulations.

From the time the telehealth Notice of Enforcement Discretion took effect, healthcare companies could use any non-public-facing remote communication platform for video and audio communication to offer telehealth services, even when those platforms are not HIPAA-compliant. For example, a healthcare provider that uses a communication platform without signing a business associate agreement (BAA) with the platform vendor is not issued a financial penalty.

Since the Notice of Enforcement Discretion will be expiring soon, healthcare companies that want to continue using a communication platform after August 9, 2023 should now sign a HIPAA-compliant BAA with the platform vendor. Healthcare providers must either obtain a BAA or move to a HIPAA-compliant communications platform without delay to avoid interruption to their telehealth services and to avert the risk of financial penalties for non-compliance.

Read the OCR announcement here.

Microsoft, Fortra, and Health-ISAC Join Forces to Disrupt Malicious Use of Cobalt Strike

The Health Information Sharing and Analysis Center (Health-ISAC), Microsoft’s Digital Crimes Unit, and the cybersecurity company Fortra are working together to stop malicious actors from illegally using Cobalt Strike, the legitimate red team post-exploitation tool, to deliver ransomware and malware.

Cobalt Strike is a set of adversary simulation tools that can be used to replicate the tactics and techniques of advanced threat actors in a system, emulating quiet, long-term actors with persistent access to systems. The tool was first used in 2012 and quickly became widely adopted by penetration testers. Cobalt Strike has since become more sophisticated and gained functionality, and it is now part of Fortra’s cybersecurity portfolio.

Although the tool supports legitimate red team operations, cracked copies circulate within the cybercriminal community, and more cybercriminals are using it for malicious purposes. Several ransomware groups, including LockBit and Conti, use Cobalt Strike. According to Microsoft reports, Cobalt Strike was used in over 68 ransomware attacks on healthcare companies located in over 19 countries.

Cobalt Strike attacks resulted in:

  • blocked access to electronic health records
  • disruption of critical patient care services
  • delays to diagnosis and treatment
  • million-dollar recovery and repair costs for healthcare companies

Cobalt Strike was likewise used in the damaging attack on the Health Service Executive in Ireland and the recent ransomware attack on the Costa Rica Government.

To prevent illegal use of Cobalt Strike, Fortra applies strict vetting processes to new clients. Still, malicious actors use older, cracked versions of Cobalt Strike to gain backdoor access to systems, install malware, and accelerate the deployment of ransomware. Microsoft states that the malicious actors using the tool have not been identified; however, the malicious infrastructure they use was found in China, Russia, and the U.S. Besides the financially motivated cybercriminals misusing the tool, advanced persistent threat actors from China, Russia, Iran, and Vietnam have used cracked versions of Cobalt Strike.

Together, Microsoft, Health-ISAC and Fortra have stepped up their efforts to stop the use of cracked, legacy copies of Cobalt Strike and the misuse of Microsoft software. Microsoft is fighting this cybercrime by disrupting the command-and-control infrastructure of the malware families involved and removing illegal, older copies of Cobalt Strike so that malicious actors can no longer use them.

The U.S. District Court for the Eastern District of New York issued a court order on March 31, 2023 permitting Microsoft, Health-ISAC and Fortra to disrupt the infrastructure used by criminals to launch attacks in over 19 countries. The associated Internet Service Providers (ISPs) will be notified of the malicious use of the tool. Computer emergency readiness teams (CERTs) will help take the infrastructure offline and disrupt cracked legacy Cobalt Strike copies and compromised Microsoft software. Fortra, Microsoft, and Health-ISAC will additionally work with the National Cyber Investigative Joint Task Force (NCIJTF), the FBI Cyber Division, and Europol’s European Cybercrime Centre (EC3) to stop Cobalt Strike misuse.

Hindering the use of cracked legacy Cobalt Strike versions will substantially reduce the availability of these illegal copies and limit their use in cyberattacks, compelling criminals to reassess and change their tactics. Microsoft and Fortra have also filed copyright claims against the misuse of altered software code for intended harm.