Maria Perez

Maria is an experienced writer who has provided content for Healthcare Industry News since 2021. Working as a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make Maria a trusted source on our site.

Patients are Unaware of the Magnitude of Healthcare Cyberattacks and Data Theft

Armis, the unified asset visibility and security platform provider, recently conducted a survey to examine the state of cybersecurity in the healthcare industry and the security risks that healthcare organizations now face.

The survey was performed by Censuswide on 400 IT specialists at healthcare companies throughout the U.S. and 2,000 U.S. patients, to get their opinions on cybersecurity and data breaches in the healthcare industry.

The survey confirmed that cyber risk is increasing, with 85% of respondents saying cyber risk has grown in the last 12 months. Ransomware gangs have targeted the healthcare sector over the past 12 months, and many of those attacks have been successful. 58% of the surveyed IT experts said their company had experienced a ransomware attack during the past 12 months.

13% of IT security professionals see ransomware attacks as a reason for concern, with many saying they are confident that they can recover data in the event of an attack. Data breaches that result in the loss of patient information were a serious concern, however: 52% of IT experts rated data loss as a major problem, and 23% of healthcare IT pros ranked cyberattacks on hospital operations as the main issue.

Protecting against cyberattacks is becoming more and more difficult as attack surfaces broaden. Armis says there are now 430 million interconnected healthcare devices globally, and that number will continue to rise. When asked about the riskiest systems and devices, building systems including HVAC were the greatest concern, with 54% of IT specialists rating them as a serious cybersecurity risk. Imaging machines were considered among the riskiest by 43% of survey respondents, followed by medication dispensing equipment (40%), check-in kiosks (39%), and vital sign monitoring devices (33%). Despite the concern about the protection of these systems and medical devices, 95% of IT experts stated they thought their connected devices and systems were patched and running the most recent software.

The increase in cyberattacks on the healthcare industry is affecting decisions in healthcare. 75% of IT specialists said recent attacks have had a strong impact on decision making, and 86% of survey participants stated their company had appointed a CISO; nevertheless, only 52% of survey respondents reported their firm was allocating more than adequate funding to pay for IT security.

The survey of patients suggested one third had been the victim of a healthcare attack. Although nearly half of patients (49%) said they would change healthcare provider if it suffered a ransomware attack, many patients are not aware of the magnitude of current cyberattacks and how frequently they are being reported. In 2018, healthcare data breach reports were submitted at a rate of 1 each day. In the last year, there were 7 months in which data breach reports were submitted at a rate of more than 2 every day.

In spite of substantial media reports concerning healthcare data breaches and vulnerabilities in medical devices, 61% of potential patients stated they had not heard about any healthcare cyberattacks in the last two years, which shows that many patients are unaware of the danger of ransomware and other cyberattacks. Nonetheless, patients are aware of the effect those cyberattacks may have, with 73% of prospective patients understanding that a cyberattack could affect the quality of medical care they get.

When potential patients were asked about their privacy concerns, 52% said they were concerned that a cyberattack would shut down hospital operations and possibly affect patient care, and 37% stated they were worried about the privacy of information accessible through online portals.

There appear to be trust issues, as just 23% of prospective patients stated they trusted their healthcare company with their sensitive personal data. In contrast, 30% stated they trusted their best friend with that data.

Chinese APT Group Attacked Healthcare Companies by Exploiting Zoho Password Management Platform Vulnerability

An advanced persistent threat (APT) actor continues to conduct an espionage campaign that has resulted in the compromise of the systems of no less than 9 companies. The campaign targeted companies in a variety of critical industries, such as healthcare, defense, energy, technology, and education.

Security researchers at Palo Alto Networks identified the campaign. Although the identity of the hacking group has not yet been confirmed, the researchers think the Chinese state-sponsored hacking group APT27, also known as Iron Tiger, TG-3390, Emissary Panda, and LuckyMouse, likely conducted the attacks, because the tools and techniques used match past APT27 activity.

The campaign took advantage of a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, a business password management and single sign-on tool created by Zoho. Remote attackers who successfully exploit the vulnerability can execute arbitrary code and take full control of vulnerable systems.

On September 17, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a security advisory warning that exploits for the vulnerability were publicly available and that APT actors were using them to install web shells on compromised servers to obtain persistent access.

Palo Alto Networks identified another campaign that involved extensive scanning for vulnerable servers using rented infrastructure in the United States. Vulnerable systems that were not patched were attacked from September 22, 2021, and the attacks continued until October.

The attackers used a web shell known as Godzilla, and a subset of victims also had a new backdoor named NGLite installed. The web shell or backdoor was then used to execute commands and move laterally in the victims’ environments, exfiltrating sensitive information from victims’ systems. Once the attackers found a domain controller, they installed a new credential-stealing program called KdcSponge, gathered credentials, and took files such as the SYSTEM hive from the registry and the Active Directory database file (ntds.dit).

Palo Alto Networks said its scans show there are presently about 11,000 servers running the Zoho software, but it is uncertain how many have been patched against the CVE-2021-40539 vulnerability. The APT group tried to attack no less than 370 Zoho ManageEngine servers in the United States alone.

Forsythe To Offer Catbird’s vSecurity® Software To Its Customers

Catbird is the pioneer in security and compliance for virtual, cloud and physical networks. The company has now entered into a partnership agreement with Forsythe, a leading IT infrastructure consultant and integrator, according to which Forsythe will offer Catbird’s vSecurity® software to bring PCI, HIPAA and SOX compliance to its customers who are moving to virtual and cloud-based infrastructure.

This software from Catbird harnesses the power of virtualization to deliver the industry’s most comprehensive security and compliance solution for virtual and cloud systems. The software introduces a new model for data center security and enforces controls on virtual machines, their network attributes, virtual networks, and the switch fabric – protecting the whole data plane.

“Security and compliance are critical components for every IT infrastructure. As environments are virtualized, new risks are introduced due to a loss of process control across four change dimensions,” says David Poarch, VP, security of Forsythe. “Catbird has developed a solution specifically for virtualized environments that delivers dynamic, elastic security and integrated compliance for sensitive and mission-critical applications.”

“Recent guidance from PCI, NIST and SANS proves that relying on traditional physical firewalls and physical network inspection is risky and will not pass an audit. Catbird vSecurity® was built from the ground up to do virtual and cloud security better, faster and cheaper,” said Edmundo Costa, Catbird CEO. “Forsythe’s extensive experience in integrating not only virtualized solutions, but also physical infrastructure solutions, across security, servers, networks and storage make them a strong partner in helping our virtualization clients with their security needs.”

“Virtualization security opens the door for mission-critical applications that have traditionally been left out of virtualization roll-outs,” added Costa. “vSecurity will provide Forsythe customers with the ability to meet the new requirements and maximize their virtualization and cloud ROI by being able to include in their deployment plans most applications that were previously excluded, such as, for example, applications that handle PCI data.”

Over 650K Patients of Community Medical Centers Alerted Regarding Hacking Incident

Unauthorized individuals may have accessed the protected health information (PHI) of over 650,000 patients of Community Medical Centers (CMC) located in California.

CMC is a non-profit group of community health centers that provide care for patients in Solano, Yolo, and San Joaquin counties in Northern California. CMC discovered suspicious activity in its computer systems on October 10, 2021, and shut down its systems to prevent further unauthorized access. An investigation was started to determine the nature and magnitude of the breach, with help provided by third-party cybersecurity specialists.

The forensic investigation established that unauthorized people had gained access to sections of its system where PHI was kept, including first and last names, birth dates, postal addresses, Social Security numbers, health data, and demographic data.

Considering the sensitive nature of the compromised information, CMC is providing free identity theft protection, identity theft resolution, and credit monitoring services to affected persons. CMC stated that its systems are now secure, that policies and procedures have been assessed and updated to boost security, and that data management policies were evaluated and updated.

CMC has informed the authorities concerning the breach, together with the relevant state attorneys general and the Department of Health and Human Services.

The breach notification given to the Maine attorney general shows that the PHI of 656,047 people was possibly exposed.

Professional Healthcare Management Reports Ransomware Attack

Professional Healthcare Management (PMH) has begun informing a number of patients about the likely exposure of some of their PHI during a ransomware attack that occurred in September 2021.

PMH noticed the attack on September 14 and immediately took action to secure its databases and workstations. Third-party cybersecurity and incident response professionals helped PMH to quickly protect and restore its networks and operations. The healthcare company carried out an investigation to find out the nature and extent of the breach and confirmed that hackers might have acquired the personal information and PHI of patients.

The breach investigation is still in progress and, at this time, no evidence of patient data misuse or theft has been found; nonetheless, notification letters are now being mailed to affected persons and the breach report was submitted to the HHS’ Office for Civil Rights.

PMH stated these types of patient data were likely breached: Social Security numbers, first and last names, medical insurance details (Medicare number, Medicaid number, and insurance ID number), diagnosis code(s), and medication name(s).

Additional safety measures are being implemented to strengthen IT security, cybersecurity guidelines and processes are being updated, and supplemental cybersecurity training was given to the workforce.

Study Finds Healthcare Staff Have Unnecessary Access to Significant Amounts of PHI

A new study has pointed out extensive security failures at healthcare institutions, including inadequate access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are placing sensitive information in jeopardy.

The study, done by Varonis, a data security and insider threat detection platform provider, analyzed about 3 billion files at 58 healthcare companies, including healthcare providers, pharmaceutical corporations, and biotechnology organizations. The purpose of the study was to determine whether security controls were in place to safeguard sensitive data and to help organizations better recognize their cybersecurity weaknesses in the face of escalating threats.

The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be restricted to workers who must view PHI for work reasons. Whenever access is approved, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI must be accessible. Each user needs to be given a unique username so that PHI access can be tracked. Passwords are needed to verify users, according to the HIPAA Security Rule.

The results of the Varonis research were published in the 2021 Data Risk Report: Healthcare, Pharmaceutical, & Biotech. It revealed that the average healthcare employee has access to 31,000 sensitive records containing PHI, financial, and proprietary information on their first day on the job. Those files were saved on sections of the network that all employees can access.

In general, 20% of each firm’s files are available to every employee, though in many cases access is not necessary to carry out work tasks. 50% of the companies investigated had over 1,000 sensitive files accessible to all staff, and one in four records at small healthcare companies can be seen by every worker. There were no controls on access to 1 in 10 records that contained PHI or intellectual property.

Smaller companies were found to have a very large volume of exposed records, including sensitive data files, intellectual property, and patient reports. On the first day at work, new personnel at small organizations have immediate access to more than 11,000 exposed files, and approximately one-half of them contain sensitive information.

To lower risk, it is important to follow the principle of least privilege. When employees are granted broad access to sensitive information, there is a higher chance of insider data theft. If their credentials are compromised in a phishing attack, external threat actors gain easy access to large volumes of information.

The issue is worsened by weak password practices. 77% of the organizations studied had 501 or more accounts with passwords that never expire, and 79% of institutions had over 1,000 ghost accounts. Hackers can use these accounts to gain quick access to sensitive records and to navigate networks and file structures unseen.
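An added example, not part of the original article or the Varonis report: one way to check a directory export for the two account problems described above, enabled accounts whose passwords never expire and ghost accounts. It assumes an Active Directory CSV export with the standard `sAMAccountName`, `userAccountControl` and `lastLogonTimestamp` attributes, and treats a ghost account as one that is enabled but has not logged on in 90 days; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented for Active Directory.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 or empty means never."""
    ticks = int(value or 0)
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def audit_accounts(csv_text, now, stale_after_days=90):
    """Return enabled accounts with non-expiring passwords and enabled ghost accounts."""
    # Assumption: "ghost" means enabled with no logon for stale_after_days. Keep the
    # threshold well above the roughly 14-day replication lag of lastLogonTimestamp.
    findings = {"never_expires": [], "ghost": []}
    cutoff = now - timedelta(days=stale_after_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts cannot log on; skip them
        if uac & DONT_EXPIRE_PASSWORD:
            findings["never_expires"].append(row["sAMAccountName"])
        last_logon = filetime_to_datetime(row["lastLogonTimestamp"])
        if last_logon is None or last_logon < cutoff:
            findings["ghost"].append(row["sAMAccountName"])
    return findings

# Constructed sample export; account names and the audit date are made up.
NOW = datetime(2021, 11, 15, tzinfo=timezone.utc)
def ft(days_ago):
    return datetime_to_filetime(NOW - timedelta(days=days_ago))

SAMPLE = "\n".join([
    "sAMAccountName,userAccountControl,lastLogonTimestamp",
    f"jdoe,512,{ft(3)}",             # normal account, active
    f"svc_backup,66048,{ft(1)}",     # 512 + DONT_EXPIRE_PASSWORD, active
    f"former_nurse,512,{ft(400)}",   # enabled but unused for 400 days
    f"old_admin,66050,{ft(900)}",    # never expires, but disabled
    "temp_intake,66048,0",           # never expires and never logged on
])
print(audit_accounts(SAMPLE, NOW))
```

Accounts that land in both lists, such as `temp_intake` here, are the first ones to disable or rotate, since nothing forces a credential change and nobody is watching them.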

According to the Verizon Data Breach Investigations Report, there was a 58% rise in data breaches in 2020, and cyber attackers are actively targeting healthcare, pharma, and biotech companies to steal sensitive information, intellectual property, and vaccine research files. The healthcare field has the highest data breach costs, which the IBM Security Cost of a Data Breach Report put at $7.13 million for each breach. Businesses that don’t control access to protected health information can likewise face serious financial penalties of as much as $1.5 million per year, per violation category.

To address increasingly malicious and innovative cyberattacks, hospitals, pharmaceutical businesses, and biotech firms should double down on improving incident response processes and mitigation initiatives. Enforcing least privilege, locking down sensitive records, and controlling lateral movement in their networks are the bare minimum preventative measures that healthcare businesses must take.