Read the latest blog posts by CynergisTek’s team of experts related to healthcare security, privacy and compliance. Have a topic that you would like us to cover? Email us to tell us what you are interested in.
The increase of ransomware attacks on healthcare entities and their business associates continues to be a significant concern. While covered entities (CE) have their own issues to deal with when the attack is directly against the organization, there are additional considerations if the attack is on a business associate (BA). This issue was recently raised when there was a reported attack against a BA used by several healthcare entities. The attack was made public, which means the CEs that used the business associate were on notice of the attack.
Petya, or NotPetya as some call it, has shown itself to either be very poorly thought out ransomware, or more likely a full on destructive malware attack thinly veiled as ransomware. In essence, a “traditional” ransomware threats will encrypt specific important file types and show the user a ransom note telling them to pay or lose their data. In the last week of June, we saw something stranger, on the surface it appeared to be a modified version of a known and fairly common ransomware variant called Petya, hence the NotPetya name. However, unlike standard ransomware, where the entire purpose of it is to make money, the ransom payment and recovery mechanisms built into this new Petya variant were very weak. It relied on a single email address (that was promptly shut down) and a single Bitcoin wallet meaning there was virtually no way for the criminals to know who had paid, or which key might be the right one to unlock the data.
Hospital administrators are reporting challenges in hiring and retaining cybersecurity professionals needed to mitigate the new cyber threats. The issue is getting broad attention outside of healthcare, including a National Public Radio’s All Things Considered aired a segment addressing the issue on July 26, 2017. This is due in part to reports that there are over one million open security positions that can’t be filled. The challenges are real, but they can be managed when properly framed.
IT and InfoSec professionals have been playing catch up with users since the beginning of time (as long as you consider the first computer the beginning of time like I do). This is at least partially caused by an all-encompassing misunderstanding that has been rarely noticed at best and certainly never been remediated.
WannaCry, Petya, NotPetya—recent news reports have been filled with coverage of massive ransomware attacks that swept across the globe, wreaking havoc on public utilities, companies, health systems and government offices. Ransomware is a type of malware that prevents or limits access to a system until a ransom is paid. In the face of these attacks and other emerging cybersecurity threats, what can healthcare organizations do to identify vulnerabilities and protect sensitive patient data?
There is no shortage of professionals and experts talking about security, but if you want to understand security, or even just IT in general, you have to understand human beings. The users and those that administer the systems are all people. If one strives to understand and impact security overall, they must fully understand the human condition.
Airway Oxygen reported the largest ransomware attack to date to OCR’s wall of shame on June 16th, 2017. It affected 500,000 individuals, making it the second largest breach so far in 2017. I believe there are several takeaways from this incident that the industry show know about.
In the United States, we got lucky, very lucky, that a malware researcher known only as @MalwareTechBlog on Twitter found the “kill switch” domain in the code of the WannaCry ransomware. Had he not found and purchased this domain, effectively neutering the ransomware, I believe that the incident could have been much worse. It was already quite bad around the world with estimates of over 200,000 systems infected including many healthcare providers in the United Kingdom.
Recently, incidents involving the internet of things (IoT) have had no shortage of media coverage. In fact, I would suggest that the IoT has become one of the top buzzwords in IT right now. Large, more mature organizations have started to realize the growing attack surface that IoT is creating for the enterprise they manage, but whether large or small organizations are feeling the pressure to allow IoT on their networks even though in many cases they are not equipped to deal with it effectively. In healthcare, this is particularly troubling as IoT attacks generally cause some form of disruption which can affect both operations and patient safety.