[BreachExchange] Thwarting Healthcare Cyberattacks: New Guidance

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 4 19:59:40 EDT 2016


http://www.govinfosecurity.com/thwarting-healthcare-cyberattacks-new-guidance-a-9015

Federal regulators have issued new guidance urging healthcare organizations
and business associates to bolster their cyberattack defenses. The advice
comes after several high-profile attacks, including one targeting MedStar
Health that forced the 10-hospital system to temporarily shutter many of
its systems to minimize the spread of malware.

The Department of Health and Human Services' Office for Civil Rights' alert
warns about the dangers posed by ransomware, nation-state attacks and
emerging attacks targeting smartphones. It urges organizations to implement
a series of key measures to defend against those threats.

"Recent cyberattacks on major healthcare entities have been eye-opening for
some healthcare professionals and have changed many views on security for
the healthcare sector," says a March 30 update from the Department of
Health and Human Services' Office for Civil Rights. The latest update is
part of a cyber awareness initiative that OCR launched in January. The
first update focused on ransomware and tech support scams (see OCR:
Cyber-Awareness Effort: Will it Have an Impact?).

In the latest alert, OCR notes, "In the past, security compliance personnel
and their leadership at healthcare entities may have been more focused on
issues like security breaches that involve workforce members losing
unencrypted laptops or other mobile devices containing patients' protected
health information. While lost or stolen devices still represent a large
portion of health industry breaches, healthcare sector organizations must
consider new cyber threats, as well."

Cyberattacks involving hackers targeting the databases and network systems
of healthcare sector organizations "are becoming more common and
sophisticated, and may be different from the privacy breaches many entities
have seen previously," OCR notes.

Hospital Attacks

The latest OCR guidance was issued as MedStar Health struggled to recover
from a malware attack that shut down its IT systems. As of April 3, MedStar
said in a statement that it had brought its virtual private network back
online, enabling physicians to remotely access MedStar clinical systems.

Although the Washington Post reported last week that the malware attack
involved a request for a ransom, MedStar hasn't confirmed that account, and
it has not responded to repeated inquiries from Information Security Media
Group.

The attack on MedStar followed ransomware attacks that targeted Methodist
Hospital in Kentucky, two California hospitals and Ottawa Hospital in
Canada (see Hospital Ransomware Attacks Surge; So Now What?). Plus,
Hollywood Presbyterian Medical Center in California grabbed headlines in
February when it announced it paid extortionists a $17,000 bitcoin ransom
to unlock its data.

In addition to those attacks, Mercy Iowa City on March 25 reported a
malware attack potentially exposing information on almost 16,000
individuals. That incident was recently added to the OCR "wall of shame,"
the website listing health data breaches affecting 500 or more individuals.

In a statement, Mercy Iowa City says that it learned of the attack on Jan.
29, when law enforcement advised it that a computer virus had potentially
infected some of its systems on Jan. 26, 2016. The organization's
investigation determined that some of its computers were infected by a
virus designed to capture personal data. However, to date, Mercy Iowa City
says it has no evidence that patient information has been used improperly.

The organization is working with law enforcement in its investigation. A
Mercy Iowa City spokeswoman declined to discuss details of the attack or
type of malware involved, but tells ISMG that ransomware was not part of
the incident.

Disruptions to Care

OCR's new guidance notes the various ways that "cyber threats and attacks
can disrupt healthcare entities' information systems and cause delays in
patient care." For example, certain attacks can slow down the process of
providing patients their daily medication or meals; printing patients'
labels, ID badges or discharge papers; and accessing patient medical
records, the alert notes. "Some attacks can affect life-saving medical
devices."

In fact, security experts, as well as government agencies, including the
Department of Homeland Security and Food and Drug Administration, have been
warning healthcare entities for the past several years about the potential
cybersecurity risks to medical devices and other healthcare equipment
connected to the internet (see Security Flaws in Legacy Medical Supply
Systems Spotlighted).

Ransomware Attacks

As for the recent string of ransomware attacks on hospitals, OCR notes that
"hackers and ransomware tools are becoming more sophisticated." To fend off
these attacks, in which attackers lock up databases and files with
encryption, OCR suggests healthcare entities take a number of steps
recommended by the U.S. Computer Emergency Readiness Team, including:

Performing regular backups of all critical information, keeping data on a
separate device and keeping backups stored offline;
Maintaining up-to-date anti-virus software and keeping operating system and
software up to date with the latest patches;
Not clicking on unsolicited web links in emails, and using caution when
opening email attachments.

OCR also notes that the FBI discourages healthcare entities and business
associates from paying the ransom, "as this does not guarantee files will
be released."

Privacy and security expert Kate Borten, founder of consulting firm The
Marblehead Group, says that the FBI's advice about not paying a ransom is
well grounded, but likely unrealistic for some organizations struggling
desperately to unlock their data in the wake of a ransomware attack. "While
I understand the reasons behind the FBI's message, I suspect CEs and BAs
who find themselves in this position are likely to pay the ransom rather
than play chicken with the bad guys."

Privacy attorney David Holtzman, vice president of compliance at the
security consulting firm CynergisTek, notes: "It is most important to note
that the cyberattacks - whether they be ransomware, infiltration of malware
or keyloggers - that permit exfiltration of data have a common denominator
of an email phishing attempt that activates when a link included in the
message is selected by the recipient." He says healthcare entities must
"recognize that the best ways to battle this is through monitoring what is
going on in your information system along with user education on how to
recognize and avoid opening up emails from sources that are not recognized."
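The monitoring Holtzman recommends, and the "locking up files with
encryption" behaviour that the US-CERT backup advice above is meant to
survive, can both be made concrete with a small detector. The following is
an added example, not code from the article, from OCR or from US-CERT. It
reads constructed file-server audit events (the log format, the host and
user names, the .crypted extension and the thresholds are all assumptions
made for the example) and raises an alert when one account renames many
distinct files to a single new extension within a short window, which is
what a ransomware run working through a share looks like. A few legitimate
renames by another user stay under the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of file-server audit events for illustration; not taken
# from any real incident. "jdoe" renames a couple of files in the normal course
# of work; "svc-scan" bursts through a folder appending one new extension to
# every file it touches, which is the ransomware pattern we want to catch.
SAMPLE_LOG = """\
2016-03-28T08:00:01 host=fs01 user=jdoe op=rename path=/share/clinic/draft.docx new=/share/clinic/policy.docx
2016-03-28T08:05:40 host=fs01 user=jdoe op=rename path=/share/clinic/notes.txt new=/share/clinic/notes.bak
2016-03-28T09:12:00 host=fs01 user=svc-scan op=rename path=/share/records/pt1001.pdf new=/share/records/pt1001.pdf.crypted
2016-03-28T09:12:00 host=fs01 user=svc-scan op=rename path=/share/records/pt1002.pdf new=/share/records/pt1002.pdf.crypted
2016-03-28T09:12:01 host=fs01 user=svc-scan op=rename path=/share/records/pt1003.pdf new=/share/records/pt1003.pdf.crypted
2016-03-28T09:12:01 host=fs01 user=svc-scan op=rename path=/share/records/labs.xlsx new=/share/records/labs.xlsx.crypted
2016-03-28T09:12:02 host=fs01 user=svc-scan op=rename path=/share/records/pt1004.pdf new=/share/records/pt1004.pdf.crypted
2016-03-28T09:12:02 host=fs01 user=svc-scan op=write path=/share/records/README_TO_RESTORE.txt
2016-03-28T09:12:03 host=fs01 user=svc-scan op=rename path=/share/records/pt1005.pdf new=/share/records/pt1005.pdf.crypted
"""

# Assumed log line layout: "<iso-timestamp> host=<h> user=<u> op=<op> path=<p> [new=<p2>]"
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

WINDOW = timedelta(seconds=60)   # look-back window per (user, host, extension)
THRESHOLD = 5                    # distinct files renamed to one new extension


def parse_line(line):
    """Parse one audit line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def _ext(path):
    """Lower-cased final extension of a path, or '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_encryption(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (user, host, new extension) whose rename burst
    reaches `threshold` distinct files inside `window`."""
    recent = defaultdict(deque)   # key -> deque of (timestamp, original path)
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["op"] != "rename" or not ev["new"]:
            continue
        new_ext = _ext(ev["new"])
        if new_ext == _ext(ev["path"]):
            continue                      # ordinary rename, extension unchanged
        key = (ev["user"], ev["host"], new_ext)
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                   # drop events outside the window
        distinct = {path for _, path in q}
        if len(distinct) >= threshold:
            alert = alerts.setdefault(key, {
                "user": ev["user"], "host": ev["host"], "new_ext": new_ext,
                "first": q[0][0], "last": ev["ts"], "count": 0,
            })
            alert["count"] = max(alert["count"], len(distinct))
            alert["last"] = ev["ts"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_mass_encryption(SAMPLE_LOG):
        print(f"ALERT {a['user']}@{a['host']}: {a['count']} files renamed to "
              f".{a['new_ext']} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Run as a script it prints the single alert for svc-scan. In production the
same rule would be fed by file-server or endpoint audit logs, and the
threshold and window tuned against a week of normal activity, since bulk
renames by backup and archiving jobs are the usual false positive; the
alert is also the trigger for isolating the host before the offline backups
become the only copy left.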

Nation-State Attacks

OCR also warns that it's not only ransomware attacks that healthcare
entities and business associates need to be worried about. For example,
healthcare entities may be the target of hackers in China, Russia and
several countries in Eastern Europe, OCR notes. "The motivation for this
type of attack varies from collecting protected health information for sale
and collecting data for intelligence-building and potential espionage, to
stealing intellectual property from medical technology companies."

To mitigate the risk of nation-state attacks, OCR advises covered entities
and business associates to refer to advice from the FBI that includes:

Recognizing internal and external security threats to the entity's
sensitive data and implementing a plan for safeguarding it;
Confining access to an entity's sensitive data to a need-to-know basis;
Providing training to employees about its data security plan and how to
avoid email attacks involving phishing;
Avoiding storing private information on any device that connects to the
internet.
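Both the US-CERT ransomware advice above (not clicking unsolicited links in
email) and the FBI advice in this section (training staff to recognise
phishing) come down to spotting a link whose destination does not match
what it claims. Below is an added example, not from the article or from the
agencies cited, that parses a constructed phishing message (the sender
domain medcare-example.org, the 198.51.100.23 documentation-range address
and the message text are all invented for the example) and flags anchors
whose visible text names one host while the href points somewhere else,
anchors that point at a bare IP address, and anchors whose domain differs
from the sender's. The sender comparison uses a two-label approximation of
the registrable domain rather than the public suffix list, and the From
header is attacker-controlled, so treat the output as triage, not a verdict.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing message for illustration only. medcare-example.org is a
# fictional domain and 198.51.100.23 is a documentation (TEST-NET-2) address;
# neither refers to a real organisation or host.
SAMPLE_EMAIL = """\
From: "MedCare IT Helpdesk" <helpdesk@medcare-example.org>
To: jdoe@medcare-example.org
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in at
<a href="http://198.51.100.23/owa/login">https://mail.medcare-example.org/owa</a>
to keep access.</p>
<p>Questions? See <a href="https://medcare-example.org/it">our IT page</a>.</p>
</body></html>
"""

HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _clean(host):
    """Normalise a hostname for comparison (lower-case, strip leading www.)."""
    host = (host or "").lower().strip(".")
    return host[4:] if host.startswith("www.") else host


def _registrable(host):
    # Two-label approximation; assumed good enough for example.org-style
    # names, wrong for co.uk-style suffixes (a real tool uses the public
    # suffix list).
    return ".".join(host.split(".")[-2:])


def analyse_links(raw_message):
    """Return the suspicious links in an RFC 822 message, each with its flags."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_domain = _clean(parseaddr(msg["From"])[1].rsplit("@", 1)[-1])
    collector = _LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    findings = []
    for href, text in collector.links:
        flags = []
        href_host = _clean(urlparse(href).hostname)
        m = HOST_IN_TEXT.search(text.lower())
        text_host = _clean(m.group(1)) if m else None
        if text_host and text_host != href_host:
            flags.append("text_url_mismatch")   # text says one host, href goes elsewhere
        if IPV4.fullmatch(href_host):
            flags.append("ip_host")             # bare IP instead of a hostname
        if href_host and _registrable(href_host) != _registrable(sender_domain):
            flags.append("sender_mismatch")     # heuristic: From is spoofable
        if flags:
            findings.append({"href": href, "text": text, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {f['href']} shown as {f['text']!r}: {', '.join(f['flags'])}")
```

The first anchor trips all three checks and is reported; the second points
at the sender's own domain with plain descriptive text and is not. The same
function can sit in a mail gateway hook or a user-reported-phish triage
script, where the flagged href (not the visible text) is what gets
submitted for sandboxing or blocking.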

Smartphone Attacks

OCR also warns healthcare organizations to be on the lookout for emerging
attacks targeting smartphones. "Patients, staff and third-parties of
covered entities are using smartphones to interact with new healthcare
applications and medical devices. Although smartphones have beneficial
features, entities must ensure these devices have appropriate safeguards
against cyberattacks," the guidance says.

OCR notes that the U.S. CERT advises organizations to mitigate the risks of
a cyberattack on smartphones by implementing such security practices as:

Enabling the password feature on mobile phones, as well as enabling
encryption, remote wipe capabilities and antivirus software;
Checking what permissions mobile applications require. If the permissions
seem beyond what the application should need, do not install the
application;
Setting Bluetooth-enabled devices to non-discoverable;
Avoiding unknown Wi-Fi networks and public Wi-Fi hotspots;
Deleting all information stored in a device prior to discarding it.

While the OCR updates include important information, OCR should consider
other ways to draw more attention to the advice, Holtzman contends.

"OCR is missing an opportunity to provide meaningful assistance and updates
to the healthcare sector with a monthly 'newsletter' on cybersecurity," he
says. "The threats posed by cybercriminals evolve too quickly to justify
this response from the front-line agency responsible for safeguarding
Americans' health information privacy. A more effective approach would be
to pass along the weekly bulletins and alerts provided by the US-CERT."