[metaslider id=2951] … Read More
Archives for December 2016
US hospitals lack new technologies and best practices to defend against threats, new report says.
Some 93 major cyberattacks hit healthcare organizations this year, up from 36 in 2015, new research shows.
TrapX Labs, a division of TrapX Security, found this 63% increase in attacks on the healthcare industry for the period between January 1, 2016 and December 12. Some may have been ongoing prior to Jan. 1, but for consistency, researchers only used official reporting dates to the Department of Health and Human Services, Office of Civil Rights (HHS OCR).
Among the largest attacks were those on Banner Health (3.6M records), Newkirk Products (3.4M records), 21st Century Oncology (2.2M records), and Valley Anesthesiology Consultants (0.88M records).
The hippa compliance training is always recommended for any organization that requires it, regardless of size or annual budget. Everyone, from multibillion-dollar healthcare conglomerates to a country doctor with one administrative worker, must follow HIPAA training rules in order to protect patient data. However, even after all these measures, sophisticated attackers have now invaded that also. They are responsible for 31% of all major HIPAA data breaches reported this year, a 300% increase over the past three years, according to the report. Cybercriminals were responsible for 10% of all major data breaches in 2014 and 21% in 2015.
Despite the rise in attacks, the number of records breached dropped to about 12,057,759. That said, so many millions of health records have been stolen that the value of individual records decreased this year, TrapX reported.
Researchers pinpointed two major trends from 2016: the continued discovery and evolution of medical device hijacking, which TrapX calls MEDJACK and MEDJACK.2, and the increase of ransomware across a variety of targets.
MEDJACK involves the use of backdoors in medical devices like diagnostic or life-support equipment. Hackers use emailed links, malware-equipped memory sticks, and corrupt websites to load tools into these devices, most of which run standard/older operating systems and proprietary software.
“Once inside the network, these attackers move laterally in search of high-profile targets from which they can ultimately exfiltrate intellectual property and patient data,” says Moshe Ben-Simon, co-founder and VP of services at TrapX Labs.
One successful penetration is often enough to give hackers access to the network, where they can find unprotected devices to host attacks, chat with humans, and access information. It’s difficult to mitigate the effects of MEDJACK; many hospitals don’t even know it happens.
“Unfortunately, hospitals do not seem to be able to detect MEDJACK or remediate it,” Simon explains. “The great majority of existing cyber-defense suites do not seem able to detect attackers moving laterally from these compromised devices.”
Ransomware attacks on large and mid-sized healthcare organizations have also become more diverse. The financial depth and criticality of operations make them easy targets. It’s one thing to close a business for one day; it’s entirely different to force a hospital shutdown. For hospitals to prevent such attacks on their financial information, they may need secure and reliable Hospital revenue cycle management software. It is possible to neutralize most cyber-attacks with the help of such advanced technologies
A July 2016 survey conducted by Solutionary discovered healthcare is the industry most frequently targeted by malware, accounting for 88% of all detections in Q2. Hackers target healthcare because organizations will usually pay ransom for valuable patient data.
TrapX researchers predict ransomware will reach “unprecedented levels” next year as quick ROI, and easy access to untraceable money such as Bitcoin, make it easier for hackers to launch more attacks at once.
It’s one prediction among many that spell trouble for the healthcare industry in 2017.
Experts anticipate cyberattacks targeting the industry will continue to set records, as most hospitals are unaware of breaches and will remain vulnerable to advanced attacks via medical devices. Mid-sized healthcare businesses will be targeted more often, they predict.
However, more advanced equipment may not necessarily solve problems. The Internet of Things is expected to generate new attack vectors, as most IoT devices don’t have built-in security and don’t let third parties install protective software. If compromised, they provide a backdoor for hackers that can be used for months without hospitals noticing.
Going forward, healthcare organizations will be forced to implement sorely needed security practices. A study from the Healthcare Information and Management Systems Society (HIMSS) found most fail to adopt basic safeguards like anti-malware tools, firewalls, and encryption.
Even as major breaches make headlines, it’s difficult to get healthcare execs to tighten their focus on security.
“Traditionally healthcare providers are in the business of saving lives, so the IT security staffs have a difficult time competing for budget dollars,” says Lee Kim, HIMSS director of privacy and security. “As recent as five years ago, you would hear people saying that people wouldn’t want to attack a healthcare facility because they didn’t believe anyone would want to do harm to the patients.”
Simply because data center endpoints don’t have the same threat profile as general desktops doesn’t mean they don’t need anti-malware software. Here’s why.
People often ask about the value of anti-malware software on data center endpoints (to learn what a data center is, read the blog posts of Fortinet) such as Web servers, databases, file servers – the list goes on. This is a reasonable question because, with respect to malware, data center endpoints simply don’t have the same threat profile or business use-cases as general desktops, where users click on things all day, every day. Also, when endpoints don’t have all those pesky users, it would seem malware would have a much harder time getting onto data center endpoints. Yet, it happens all the time. How?
Before providing the best practices for a successful data center relocation, a security guidance is required. I would first like to share the most common attack patterns seen in the wild, and recommendations backed up by data. For this, I rummaged through the Verizon Data Breach Investigations Report (DBIR) 2016, which combines knowledge from more than 3,000 confirmed data breaches, and has a lot to say about malware usage.
The figure below, from the DBIR, presents an insightful attack pattern. What’s happening is, through a variety of extremely common techniques, such as phishing and others, a user’s desktop is compromised and infected with malware. While the data on this particular compromised endpoint may not be of high value, the malware is used to harvest static credentials (user names and passwords) just the same.
The next step in the breach is often to leverage the stolen credentials to pivot across the network, logging into point-of-sale systems, databases, Web servers, and file servers – where the real crown jewels are located – and infecting them with malware for command and control, and data exfiltration purposes. Since the threat actor is using valid credentials to access these data center endpoints, and not exploits, intrusion detection alarm bells are less likely to be triggered. So, in this case, if anti-malware software had been installed on these endpoints, that’s one more effective security control a threat actor would have had to bypass in order to obtain what they were after.
Another topic the Verizon DBIR discusses is “secondary motives.” For example, threat actors will compromise Web servers in the data center, often through exploiting SQL Injection or a PHP Remote File Include, and implant malware on the endpoint. The malware will typically have a couple of common purposes separate from data exfiltration.
One purpose is what’s referred to as a watering hole attack. The threat actor selects a certain website to compromise and serves up malware to a particular set of users – their primary targets – who are likely to visit the website. Another purpose is for the malware to launch spam campaigns or DDoS attacks on more primary targets.
Websites often have far more computing resources and bandwidth at their disposal than a typical user PC, which makes them attractive targets. Again, if sufficient anti-malware technology had been installed on Web servers, it would have made it that much harder for the bad guys to establish a foothold, even though they successfully exploited a vulnerability.
Count of Hashes by Lifespans in Seconds
Source Verizon DBIR
These examples show how important anti-malware software would have been in protecting against these unwarranted attacks. When reviewing common attack patterns, anti-malware software absolutely has value in the data center. With the introduction of new, signature-free next-generation approaches that use machine learning and dynamic behavior tracking, organizations can deploy this technology in a minimally invasive manner.
This is crucial to understand. As the Verizon DBIR also said, and the figure above illustrates, “99% of malware hashes are seen for only 58 seconds or less.” If we can disrupt the way adversaries generally conduct their operations, we can make the biggest impact in protecting our systems.
Predictions are never easy, and they are seldom right or very useful: but they are always fun. And as the holiday season is upon us and the New Year approaches so does the time of year reflection and, you guessed it: cybersecurity predictions.
Here’s my attempt at highlighting what I see as some of the bigger trends that are likely to keep security professionals struggling to keep up in the year ahead, and how I see these trends continuing.
Big cybersecurity trend 1: The information wars heat up
If cybersecurity taught us anything in 2016, it’s that data breaches can now be as much about the damage that can be wrought when private information is made public than data theft for financial gain or competitive advantage. The hacking of the Democratic National Committee (DNC) and email systems, for instance, brought the resignation of Debbie Wasserman Schultz as chairwoman of the DNC. Email server security also plagued candidate Hillary Clinton to the very end of her campaign to become the 45th President of the United States of America. And as 2016 was quite the eventful year when it came to cybersecurity, it’s forgivable to have forgotten Sigmundur Davíð Gunnlaugsson, Iceland’s Prime Minister, for having to step down because of the Panama Papers breach.
These types of events, where large amounts of data are made public as part of a whistleblowing campaign or to publicly embarrass some type of opponent in government or business, are going to increase. And they will continue to be extremely disruptive to our institutions and those who currently have power.
Big cybersecurity trend 2: Nation state meddling
We saw accusations of nation state driven data breaches increase this year. It was in the summer of 2015 that the Obama administration decided to retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management. This year, U.S. Senator Marco Rubio (R-Fla.) warned Russia that there should be consequences to election meddling.
This is another trend that will continue, and the risks of a (hopefully) measured cyber-conflict exchange between nation states increases every year.
Enterprises need to understand if they are operating in a critical infrastructure industry (healthcare delivery, finance, power generation and distribution, manufacturing, etc.) or support such industry than they need to prepare for the possibility of getting caught in the crossfire.
Big cybersecurity trend 3: Fraud is dead, long live credit fraud
As the US, has deployed chip cards, and more people have embraced chip-enabled EMV cards and digital wallets such as Apple Pay and Google Wallet, point of sale system fraud rates have fallen, and this category of fraud is expected to continue to fall. However, card not present fraud was only $10 billion in 2014, it will be more than $20 billion by 2018.
According to this story, New Trends in Credit Card Fraud, in 2015, identity thieves moved from cloning counterfeit cards of existing accounts to opening new fraudulent accounts through identity theft. Expect that to continue, as well as more online fraud. Crime never goes away, it just moves to the paths of least resistance.
That means fraudsters will take aim at your website systems, especially any that accept payments. Watch your online systems and look for ways to detect fraud, such as behavior analysis.
Big cybersecurity trend 4: The Internet of Things (IoT)
For a couple of years now, experts have been predicting that the Internet of Things was creating an emergent set of risks – but as with the rise of most new technologies the hype arrives long before reality. Unfortunately for us, the cybersecurity predictions around IoT began to come true in 2016. A big part of this is not only because these devices have been adopted by so many consumers, but they are also being embraced by enterprises. In fact, roughly 31 percent of organizations, per IDC’s Global IoT Decision Maker Survey, have launched an IoT initiative, with 43 percent planning to deploy IoT in the next twelve months. Most enterprises don’t view these initiatives as trials, but strategic.
This situation is going to get considerably worse. One of the biggest challenges with IoT isn’t enterprises securing these devices – it’s that the device makers are shipping inherently insecure devices. They are too often shipping with default passwords that don’t require they be changed, or communication with the devices doesn’t require proper authentication, firmware updates can occur without being properly signed. And the list goes on.
Organizations are going to continue to get hit by attacks directly attributable to IoT weaknesses, whether a continuation of distributed denial of service attacks – or by encroachments onto their networks made possible by IoT weaknesses.
Big cybersecurity trend 5: Regulatory upheaval
Government and industry regulations that affect cybersecurity are about to get volatile. In the European Union, IT will face data security and breach notification operational changes from the General Data Protection Regulation (GDPR). And in early 2018 the GDPR becomes a legal requirement. Many expect that the GDPR will increase the costs of doing business as new data protection measures are put into place to control how, who, and when data is accessed. For those who are new to the concept of GDPR or lack enough knowledge about the same, it might be prudent to click through to these guys to avail better consultancy services and understand every concept of GDPR.
Expect more data privacy and security harmonization changes, government surveillance law changes, as well as the potential for Internet of Things cybersecurity design and implementation regulations (maybe not next year for this one, but it’s likely coming soon.).
The regulatory landscape will be changing swiftly, and enterprises will need to be ready to have their security, privacy, and overall risk posture adapt.
This paper, based in part on Rob McGoverns conversation with Randy Franklin Smith, describes common security threats and how to detect them through your network using Network Monitor Freemium.
In this paper, you can read about how to use Network Monitor to answer questions, such as:
- Where is your network traffic going? Do you know all the outbound IP and URL destinations? Are they safe?
- What is your network traffic? Does it behave properly? Do you have surprising protocols using well-known ports?
- What’s going on with DNS? Are you missing security threats hiding in low-level chatty protocol?
- What’s the frequency of your traffic? Do you have beaconing or C2 traffic hiding in the noise?
- Are you sure you’ve got your security set up correctly? Can you verify that you aren’t seeing protocols or traffic that you think you’ve blocked?
- Are you sure you are covered by DLP? Do you have personally identifiable information (PII) moving around your network in clear text?
The European Union Agency for Network and Information Security reviewed top smart hospital data security threats, mitigation techniques, and good practices.
Malware is the most common type of potential attack scenario for smart hospitals that poses a data security threat, according to a recent study from the European Union Agency for Network and Information Security (ENISA).
Smart hospitals have become more prevalent as Internet of Things (IoT) components support core functions of a hospital, ENISA stated in its study.
Information security is a key issue for these organizations, and malicious actions, human errors, system and third-party failures, and natural phenomena should all be considered as a potential threat.
“The risks that result from these threats and corresponding vulnerabilities are typically mitigated by a combination of organisational and technical security measures taken by smart hospitals which comprise good practices,” the report’s authors wrote. “With respect to organisational measures, compliance with standards, staff training and awareness raising, a sound security organisation, and the use of guidelines and good practices are particularly relevant.”
ENISA investigated the current status of Smart Hospitals and related information security issues, focusing on deployments in the EU for the study.
Respondents included hospital representatives, industry representatives, and policy makers.
Along with malware, those surveyed said that device tampering, social engineering, denial of service attacks, and theft, were also top attack scenarios for smart hospitals.
Traditional hospitals may also be vulnerable to these types of attacks, researchers noted. However, the consequences can be much more severe in connected organizations.
“Protection becomes difficult because, with the high number of networked devices, many potential points of attack are emerging,” the report states. “The consequences become more severe because information systems and devices are more intensely connected within hospitals and across organisational boundaries.”
Respondents also rated threat categories according to their likelihood of occurrence on a scale from 1 (low likelihood) to 5 (high likelihood). Human errors were the most likely to occur, according to the survey, while a natural phenomena was given the lowest likelihood of taking place.
“With respect to human errors, user errors, non-compliance with policies and procedures and loss of hardware, for instance, were perceived as posing considerable risk to smart hospitals,” the researchers explained.
However, malicious actions, which include threats from malware, social engineering, hacking, denial of service and device tampering, were considered particularly critical for smart hospitals by a larger group of respondents than human errors.
Specifically, 77 percent of respondents said that malicious actions were a critical threat, while 70 percent said human errors were the top threat. Just over half of those surveyed – 53 percent – listed system failures as a critical threat.
ENISA recommended that hospitals establish effective enterprise governance for cybersecurity, and also provide specific IT security requirements for IoT components in the hospital. Conducting a risk assessment and vulnerability assessment was also recommended, which can be essentially necessary for US organizations under HIPAA regulations.
Industry representatives should perform the following measures to enhance smart hospital data security:
- Incorporate security into existing quality assurance systems
- Involve third parties (healthcare organisations) in testing activities
- Consider applying medical device regulation to critical infrastructure components
- Support the adaptation of information security standards to healthcare
Several of these recommendations are also already being considered for US-based healthcare organizations.
For example, the National Health Information Sharing and Analysis Center (NH-ISAC), the Medical Device Innovation, Safety and Security Consortium (MDISS), and the U.S. Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH) recently signed a memorandum of understanding to help organizations identify, mitigate, and prevent medical device cybersecurity threats.
The Information Sharing and Analysis Organization Standards Organization (ISAO SO) also released several documents in October 2016 on cybersecurity information sharing guidance, which focused on cybersecurity risks, incidents, and best practices. In terms of healthcare cybersecurity information sharing, one document discussed privacy and security aspects of cybersecurity risk.
“At a minimum, privacy considerations should include the individual members of an organization, the privacy of any individuals whose data may be included in cyber threat indicators to the extent provided by law, and a full range of other constituencies, customers, and individuals,” the document stated. “To adequately protect privacy while accomplishing the goals of an ISAO, it is important for the ISAO to provide guidance to members, participants, and ISAO staff that will be helpful in striking a balance between allowable sharing of cyber threat information and protecting privacy.”