Cybersecurity Dive

From the cybersecurity front, Health IT Security interviewed Senator Mark Warner (D Va) “about the healthcare cybersecurity challenges discussed in his recent policy options paper and how he plans to address them.”

The healthcare sector will likely remain an enticing target for threat actors in the coming years, but a more streamlined approach to tackling cyber risk at the federal level is urgently needed. Warner shed light on this issue by first addressing the current patchwork of cyber leadership within the federal government.

“There are four different cabinet secretaries and sixteen different federal agencies that touch on healthcare,” Warner pointed out.

Even within HHS, agencies such as the Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC), and the Health Sector Cybersecurity Coordination Center (HC3) all have varying levels of oversight and expertise.

The question now, Warner explained, is “how do you put somebody in charge, or at least in charge of coordinating, so that you can take a holistic approach?”

This role would ideally help HHS “speak with one voice regarding cybersecurity in [healthcare],” the policy options paper stated, facilitating communication and collaboration between HHS and other entities such as the Cybersecurity and Infrastructure Security Agency (CISA).

Interesting.

From a cybersecurity vulnerabilities front,

Cybersecurity Dive informs us

The rising threat of flawed software will get even worse, as common vulnerabilities and exposures (CVEs) will average more than 1,900 per month, according to a report released Wednesday by insurance provider Coalition.

The monthly total will include 270 high-severity and 155 critical vulnerabilities, which often give attackers the ability to remotely take control of computer systems.

The San Francisco-based company said 94% of organizations scanned in 2022 had at least one unencrypted service that was exposed to the internet.

and

A total of 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years, according to a report released Wednesday from SecurityScorecard and the Cyentia Institute. 

Third-party vendors are five times more likely to exhibit poor security, the report found. Half of organizations have indirect links to at least 200 fourth-party vendors that have suffered prior breaches. 

The information services sector maintained on average 25 vendor relationships, which is the largest number of any sector and more than double the overall average of third-party vendors, which was 10. Healthcare averaged 15.5 vendors and the financial services industry averaged the lowest number, with 6.5. * * *

A separate report from Black Kite shows attacks on 63 vendor organizations during 2022 impacted almost 300 companies. On average, there were 4.7 impacted companies per vendor in 2022, compared with 2.5 per vendor in 2021. 

The most common vector of these attacks was unauthorized network access, accounting for 40% of the incidents, according to Black Kite. 

While the exact method of access is not usually disclosed or immediately known, unauthorized network access often is due to phishing, stolen credentials or vulnerabilities in access control, according to Bob Maley, CSO at Black Kite.

On a related note, an ISACA expert considers trends in cyberattacks.

Looking deeper into the crystal ball, Security Week discusses

The arrival of cryptanalytically-relevant quantum computers (CRQCs) that will herald the cryptopocalypse will be much sooner – possibly less than a decade. 

At that point our existing PKI-protected data will become accessible as plaintext to anybody; and the ‘harvest now, decrypt later’ process will be complete. This is known as the cryptopocalypse. It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.

Beckers Health IT informed us on February 1, 2023:

More U.S. hospitals and health systems have reported that their websites went down this week after a cyberattack that Russian hacking group Killnet claimed responsibility for.

Becker’s reported Jan. 31 on 17 hospitals and health systems that were affected. These six organizations were also reportedly hit, according to news reports and tech company BetterCyber:

1. Banner Health (Phoenix)

2. Boulder City (Nev.) Hospital

3. CHA Hollywood Presbyterian Medical Center (Los Angeles)

4. ChristianaCare (Newark, Del.)

5. Presbyterian Healthcare Services (Albuquerque, N.M.)

6. University of Iowa Health Care (Iowa City)

On January 30, 2023, the Heath Sector Cybersecurity Coordination Center (HC3) released an analyst note on this threat. The next day, HC3 issued a sector alert about “Multiple Vulnerabilities in OpenEMR Electronic Health Records System.”

Three vulnerabilities were identified in an older version of OpenEMR, a popular electronic health records system, which can allow for a cyberattacker to access sensitive information and even compromise the entire system. The prevalence of ransomware attacks and data breaches impacting the health sector make these vulnerabilities especially important. These vulnerabilities were fixed in newer versions of OpeEMR, and therefore upgrading to the most recent version will fully patch them.

On a related note, Cyberscoop points out, “ChatGPT isn’t a malware-writing savant, and much of the hype around it obscures just how much expertise is required to output quality code.”

From the cyber breach front, last Thursday, the HHS Office for Civil Rights announced a HIPAA Security Rule alleged violation settlement with Banner Health,

a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers.  The settlement is regarding the Health Insurance Portability and Accountability Act (HIPAA) Security Rule which works to help protect health information and data from cybersecurity attacks.  The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.  As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information.

From the ransomware front, all the FEHBlog has this week (do we really need more?) is Bleeping Computer’s The Week in Ransomware.

While the week started slowly, it turned into a big ransomware mess, with attacks striking a big blow at businesses running VMware ESXi servers.

The attacks started Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant dubbed ESXiArgs.

The attacks were fast and widespread, with admins worldwide soon reporting that they were encrypted in this new campaign.

What makes this attack so devastating is that many companies operate much of their server infrastructure on VMware ESXi, allowing the encryption of one device to encrypt multiple servers simultaneously.

The good news is that some admins have been able to recover their servers by rebuilding disks from flat files, but some have reported being unable to do so as those files were also encrypted.

We also saw new research released this week, with Microsoft warning that over a hundred threat actors deploying ransomware and LockBit deciding to create a new decryptor based on Conti.

Finally, REsecurity released a report on the new Nevada ransomware-as-a-service recruiting and gearing up for future attacks.