FDA Issues Cybersecurity Alert on Medtronic Insulin Pumps

The U.S. Food and Drug Administration issued a warning on Tuesday regarding a vulnerability in some insulin pump devices made by Medtronic. The flaw exposes the devices to cyberattacks and could allow an attacker who gains access to a device to interfere with insulin delivery.

The FDA, a U.S. government organization, has issued an advisory regarding the MiniMed 600 Series Insulin Pump System from Medtronic, which includes the MiniMed 630G and MiniMed 670G devices.

The Department of Health and Human Services safeguards the public's health by ensuring the efficacy, security, and safety of pharmaceuticals for use in humans and animals, medical devices, and vaccinations. The agency is in charge of regulating tobacco products as well as the safety and security of our country's food supply, cosmetics, nutritional supplements, and devices that emit electronic radiation.

The FDA pointed out that many parts, including the insulin pump, continuous glucose monitoring (CGM) transmitter, blood glucose meter, and CareLink USB device, connect wirelessly. A technical malfunction could make it possible for someone to break in and trigger the pump to give the patient either too much or too little insulin.

The insulin pumps are offered by Medtronic's diabetes division, which generated $2.41 billion in sales in 2021, or 8% of the business's overall revenue.

In the aftermath of the security incident, Medtronic cautioned users about the dangers and offered suggestions, such as advising them to permanently disable the 'Remote Bolus' function on the pump, refrain from disclosing the serial number of the device to unauthorized individuals, and avoid connecting or linking devices in public.

The business warned that patients should never accept remote connection requests or other remote activities unless the patients or their support persons initiated them, and should always detach the USB device from their laptop when it is not being used to download pump data.

Although medical equipment is frequently connected to the internet, hospital networks, and other devices, the FDA warned that these same characteristics may pose cybersecurity threats.

According to the FDA advisory, "Medical devices, like other computer systems, might be subject to security breaches, possibly affecting the device's safety and effectiveness."

The MiniMed 508 and Paradigm insulin pumps have security flaws that Medtronic is unable to fully fix with software updates or patches. The FDA said that it was working with Medtronic to identify, discuss, and anticipate the negative consequences of this risk.


Rapid7 Finds Four Flaws in SIGMA Spectrum Infusion Pump and WiFi Battery



Rapid7 discovers four vulnerabilities

On April 20, 2022, Rapid7 found vulnerabilities in two TCP/IP-enabled medical devices made by Baxter Healthcare. The four vulnerabilities impacted the company's SIGMA Spectrum Infusion Pump and SIGMA WiFi Battery.

Five months after Rapid7 reported the issues to Baxter, the organizations are now disclosing that they have collaborated to discuss the impact, the resolution, and a coordinated response for these flaws.

InfoSecurity reports: all these vulnerabilities have now reportedly been fixed, but in the new disclosure report, Heiland clarified that even before the patches were released, the issues could not have been exploited over the internet or at a great distance.

About the vulnerability 

Rapid7 has covered the findings in a recent report, in which the firm said the SIGMA bugs were found by Deral Heiland, Rapid7’s main IoT (Internet of Things) expert.

To give readers a general idea, Baxter’s SIGMA infusion pumps are generally used by hospitals to deliver medicine and nutrition directly into a patient's circulatory system.

The first vulnerability (CVE-2022-26390) discovered by Rapid7 caused the pump to send its WiFi credentials to the battery unit when the battery was connected to the primary infusion pump and the infusion pump was powered on.

The second vulnerability (CVE-2022-26392), by contrast, exposes the command 'hostmessage' to a format string vulnerability during a telnet session on Baxter SIGMA WiFi battery firmware version 16.

The third vulnerability (CVE-2022-26393) is also a format string vulnerability, in WiFi battery software version 20 D29.

The fourth and last vulnerability (CVE-2022-26394) means that WiFi battery units (versions 16, 17 and 20 D29) allow remote unauthorised modification of the SIGMA GW IP address, which is used to configure the back-end communication services the devices rely on.

How does the attack take place?

The threat actor has to be at least within WiFi range of the impacted devices, and in a few instances will need direct physical access.

But if the attacker gets network access to the pump unit, a single unauthorised packet can make the unit redirect all back-end system communication to a host the attacker controls, opening the way for a possible man-in-the-middle (MitM) attack.

Rapid7 reports:

"This could impact the accuracy of the pump data being sent for monitoring and recording purposes, and also potentially be used to intercept Drug library data updates to the pumps — which could potentially be dangerous."



HHS Warns, Karakurt Ransomware Group Targeting Healthcare Providers

 

The US Department of Health and Human Services Cybersecurity Coordination Center (HC3) recently issued a warning about rising Karakurt activities against the healthcare centre. The department has now issued a new warning about Evil Corp attacks. 

According to the alert, Evil Corp is supposedly obtaining intellectual property from the United States healthcare sector on behalf of the Russian government. Evil Corp's Dridex trojan is capable of compromising the confidentiality and availability of operational systems and data, including financial and health data.

The threat actor has constantly changed its tactics in order to avoid sanctions imposed by the US government, causing millions of dollars in damage.

Evil Corp has a plethora of tools and techniques at its disposal, which are frequently combined with commodity malware and off-the-grid tactics. Furthermore, HC3 is concerned because nation-state-sponsored threat actors, such as Evil Corp, see data exfiltration as a cost-effective way to steal intellectual property. 

In addition to the aforementioned, Evil Corp makes no distinction between large and small organisations, preferring to target wherever there is an opportunity. Karakurt has at least compromised an assisted living facility, a healthcare provider, a hospital, and a dental clinic, according to HC3. The group even transformed its leak site into a searchable database, making it easier to locate victims.

The healthcare sector has long been a favourite target of cybercriminals, and this has only increased since the pandemic's onslaught. On a regular basis, various threat groups target the sector. As a result, putting in place the necessary security measures is advised.

Data of 1.3M Patients of Novant Health was Leaked on Meta


More than 1.3 million users have received notices from healthcare provider Novant Health that their protected health information (PHI) had unintentionally been leaked to Facebook parent firm Meta.

Advertisers on Facebook can add a JavaScript tracking script known as Meta Pixel to their websites to monitor the effectiveness of their advertising. The unauthorized access to and disclosure of patient records started in May 2020, when Novant launched Facebook ad-based marketing campaigns to promote the COVID-19 vaccine.

The company said that Novant Health was using a misconfigured pixel on both its website and the Novant Health MyChart patient interface, and that the pixel carried code that allowed businesses to track website activity.

The healthcare company placed the Meta Pixel code on its website to track these advertisements and evaluate their effectiveness.

The pixel was added to the portals in May 2020 and disabled in May 2022, after a reporter contacted Novant Health with questions about its use of Meta Pixel and the company learned of the potential data exposure.

Novant Health determined in June 2022 that, depending on a user's activity on the Novant Health website and MyChart interface, PHI may have been shared with Meta.

The potentially impacted information included email addresses, phone numbers, computer IP addresses, contact information patients entered into Advanced Care Planning or Emergency Contacts, appointment information, the doctor they chose, and data such as button/menu selections and/or content typed into free text boxes.

64 healthcare service providers in the United States use the MyChart portal, which enables their users to schedule medical appointments, ask for prescription refills, get in touch with their clinicians, and more.

Unfortunately, this means that due to the tracker's improper setting, even people who haven't actually used Novant's services may nonetheless have been exposed.

"Advertisers shouldn't send private data about individuals through our business tools. This is against our policies, and to avoid it from happening, we instruct advertising on how to set up business tools correctly. Our technology is built to weed out any potentially sensitive information it can find. We'll keep trying to get in touch with Novant," a Meta spokeswoman stated.

Only those who received notices may consider themselves victims of a breach, according to the company, which claims it has identified the affected persons following a thorough investigation that was finished on June 17, 2022. Novant claimed that it's not aware of any "improper or attempted use" of the information by Meta or any other third party. 

Neuro Practice Says 363,000 Users' Personal Info Leaked


About the leak

An Indiana neurology practice is informing around 363,000 people that their personal data was leaked in a recent ransomware attack and that some of it was posted on the dark web.

The practice doesn't know which ransomware group or data leak site was involved; however, the Russian ransomware group Hive, which was the topic of a recent federal advisory for the healthcare industry, is hinted at in the attack. Hive has been aggressively attacking the U.S. healthcare sector.

What do experts have to say?

Brain and spine specialists Goodman Campbell Brain and Spine said, in a data breach report to the attorney general of Maine in July, that a "sophisticated" ransomware attack compromised its computer network and communications systems, including phones and e-mail, and exposed employee and patient data.

"A healthcare entity informing individuals in a breach notification letter or statement that their information has been potentially listed on the dark web is a highly uncommon level of transparency," reports Bank Info Security. 

How did the practice respond?

Once the attack was discovered on May 20, the practice took immediate steps to safeguard its systems and engaged a forensic analysis and incident response firm. Goodman Campbell also notified the FBI. An inquiry into the case revealed that a malicious third party had acquired information from the practice's systems.

The attacker did not access the electronic medical record system, but did access patient information and records in other locations on the internal network, such as appointment schedules, insurance eligibility documentation, and referral forms.

Information compromised in the attack includes names, dates of birth, telephone numbers, addresses, e-mail IDs, medical record numbers, patient account numbers, physician names, dates of service, diagnosis and treatment information, insurance information, and Social Security numbers.

"While we have no indication that the information of any impacted individuals has been used inappropriately as a result of this incident, we do know that some information acquired by the attacker was made available for approximately 10 days on the dark web," says the practice notification. 


Data of 4,000 Patients at VCU Health Exposed

 

Virginia Commonwealth University Health System has reported a recent incident that compromised the privacy of protected health information.

The institution exposed the confidential health information of almost 4,000 individuals over a period of 16 years. According to VCU Health's research, the information was available to donors and recipients as early as January 4, 2006.

There is no proof, according to VCU Health, that any information has been exploited. There were 4,441 donors and beneficiaries in total involved in this incident.

The data leak was discovered on February 7, 2022. On March 29 and May 27, 2022, additional details about the categories of data involved were disclosed. The information that could be seen in the medical records of other transplant patients or donors included names, Social Security numbers, lab results, medical record numbers, and dates of service.

Those who have been notified are reminded to watch for fraudulent activity by regularly monitoring their financial account statements. Individuals who may have had their Social Security data exposed have been provided free credit monitoring.

"Many health care systems are built in a way that sensitive data, such as SSNs, DOBs, or other PII/PHI, is either not shared at all, is at least hidden on the screen by default, and reading them requires additional step-up verification," stated Ashutosh Rana, a senior security consultant with the Synopsys Software Integrity Group.


Dark Web: 31,000 FTSE 100 Logins

 

Security experts have revealed the detection of tens of thousands of business credentials on the dark web, warning that the UK's largest companies could unintentionally be exposed to significant risk. Outpost24 trawled cybercrime sites for compromised credentials using its threat monitoring platform Blueliv, discovering 31,135 usernames and passwords related to FTSE 100 companies.

The Financial Times Stock Exchange (FTSE) 100 Index comprises the top 100 companies on the London Stock Exchange in terms of market capitalization. Across several industry verticals, these businesses reflect some of the most powerful and lucrative businesses on the market. 

The following are among the key findings from the study on stolen and leaked credentials: 

  • Around three-quarters (75%) of these credentials were obtained by traditional data breaches, while a quarter was gained through personally targeted malware infections. 
  • The vast majority of FTSE 100 firms (81%) had at least one credential hacked and published on the dark web, and nearly half of FTSE 100 businesses (42%) have more than 500 hacked credentials. 
  • Since last year, there were 31,135 hacked and leaked credentials for FTSE 100 organizations, with 38 of them being exposed on the dark web. 
  • Up to 20% of credentials are lost due to malware infections and identity thieves.
  • 11% disclosed in the last three months (21 in the last six months, and 68% for more than a year).
  • Over 60% of stolen credentials come from three industries: IT/Telecom (23%), Energy & Utility (22%), and Finance (21%). 
  • With the largest total number (7,303) and average stolen credentials per company (730), the IT/Telecoms industry is the most in danger. They are the most afflicted by malware infection and have the most stolen credentials disclosed in the last three months.
  • Healthcare has the biggest amount of stolen credentials per organization (485) due to data breaches, as they have become increasingly targeted by cybercriminals since the pandemic started. 

"Malicious actors could use such logins to get covert network access as part of "big-game hunting" ransomware assault. Once an unauthorized third party or initial access broker obtains user logins and passwords, they can either sell the credentials on the dark web to an aspiring hacker or use them to compromise an organization's network by bypassing security protocols and progressing laterally to steal critical data and cause disruption," Victor Acin, labs manager at Outpost24 company Blueliv, explained.

Hackers Use Insulin Pump Management Vulnerability To Compromise Device

 

A recent study by Lyrebirds, a cybersecurity consultancy from Denmark, reveals that a protocol design vulnerability in the Insulet Omnipod Insulin Management System, also known as Omnipod Eros, allows an attacker to take command of the device and send programming commands, including instant insulin injection. The flaw lies in the communication protocol: an attacker can cut the signal through jamming, or send messages after the nonce transmission, without the nonce being invalidated by the device.

The nonce alone isn't linked to the device, meaning it can be used for any command the threat actor would like to execute, and both devices return to the anticipated program flow while the attacker continues to send harmful commands. The controller and its pump communicate over 433 MHz radio, with three layers of packaging on top of the radio communication: command and response, message, and packet. The controller sends a command to the pump and the pump replies. The programming commands need a 4-byte nonce as the first parameter.

When a pump is set up, the pump and the controller exchange the LOT and serial identification of the pump, which are used to seed a pseudo-random generator within both the pump and the controller. Once paired, the generators stay in synchronization for the lifetime of the pump. If they get out of sync, a re-sync process is carried out, but the new seed depends on the identification number sent during pump setup. The device needs a message with a serial number to deliver any packet, but no encryption is involved anywhere in the system.

Experts say that the information sent between controller and device isn't encrypted. As a result, the information in the message and packet headers can be exposed. "For example, the report shows a passive observer could parse the needed information from the pump status before a scheduled time. An attacker could also extract the data directly from the headers they’re trying to exploit from the programming command," reports SC Media.

Threat Actors Targeting Vaccine Manufacturing Facility with Tardigrade Malware

 

Biomanufacturing facilities in the US are being actively targeted by an anonymous hacking group leveraging a new custom malware called ‘Tardigrade’. 

In a new threat advisory, the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) claimed this week that the first attack was launched using this new malware in spring 2021, followed by the second assault in October.

New malware strain

According to BIO-ISAC, Tardigrade possesses advanced features and is supposedly the work of an advanced threat detection group or a nation-state intelligence service. The malware is primarily used for espionage though it can also cause other issues including network outages. The recent assaults are also believed to be linked to Covid-19 research as the pandemic has shown just how crucial biomanufacturing research is when creating vaccines and other drugs. 

Tardigrade’s functionality includes a Trojan, a keylogger, and data theft, and it also establishes a backdoor into targeted systems. There is some debate regarding the origins of the code used in Tardigrade, as BIO-ISAC believes the malware is based on Smoke Loader, a Windows-based backdoor operated by a hacking group called Smoky Spider. However, security researchers who spoke with Bleeping Computer believe that it is a form of the Cobalt Strike HTTP. 

“The biomanufacturing industry along with other verticals are so far behind in cybersecurity, making them a prime target for bad actors. Cyberattacks mostly happen to those that provide easy access or least path of resistance,” George Gerchow, chief security officer of machine data analytics company Sumo Logic Inc., told SiliconANGLE. 

“This is a blatant example of how attackers are focusing on human health during a time of high anxiety, and bioscience is an easy target. The industry is going to have to move quickly to put proper cyber security controls in place. It is going to be a huge mountain for them to climb as some of the companies in the industry have antiquated technology, lacked the proper skill sets, and relied too much on legacy security tools,” Gerchow added. 

The BIO-ISAC report recommends the following steps for biomanufacturing sites to enhance their security and response postures: (i) scan your biomanufacturing network segmentation, (ii) collaborate with biologists and automation experts to design a foolproof analysis for your firm, (iii) employ antivirus with behavioral analysis capabilities, (iv) participate in phishing detection training, and (v) stay vigilant.

UMass Memorial Health Suffers Data Breach, 209,000 Users Affected

 

UMass Memorial Health, a health care network based in Massachusetts, reported a phishing incident that might have leaked the personal information of hundreds of thousands of victims. Unauthorised access to restricted employee mail accounts lasted for around seven months, from June 2020 to Jan 2021, before the attack was identified, UMass Memorial said in a statement on its official website. UMass Memorial Health, which consists of a medical center, three other healthcare institutes and a medical group, reported to the Department of Health and Human Services an email incident affecting around 209,000 individuals.

According to UMass Memorial Health, it confirmed the breach on 7 January, when it found that some employees' mail accounts had been accessed by an unauthorised user. The information was posted on the HIPAA Breach Reporting Tool website, which belongs to HHS' Office for Civil Rights. Generally known as the "wall of shame," the website lists health data breaches impacting 500 or more users. On 25 August, the healthcare institute finished identifying the affected users whose information might have been leaked.

For patients affected by the breach, the leaked data includes names, ID numbers, subscribers, and election beneficiary information. For a few individuals, driver's license numbers and Social Security numbers were also part of the breach. For health plan participants, the leaked data includes names, dates of birth, health insurance information, medical record numbers and treatment information, such as dates of service, diagnoses, prescription information, procedure information and provider names. According to UMass, it does not have any evidence that any information was in fact viewed or accessed, only that it was contained within an email account that was compromised.

UMass also says that there is no proof to suggest data misuse; however, the affected individuals will be offered one year of complimentary credit and identity monitoring. "UMass Memorial Health says that to prevent similar incidents in the future, it has reinforced education with its staff regarding how to identify and avoid suspicious emails and the organization is also making additional security enhancements to its email environment, including enabling multifactor authentication," reports Gov Info Security.

Cyber Attacker had Prior Access to the IT Systems of OSF Healthcare Before Outage

 

The Journal Star reported that OSF HealthCare's computer systems were back up on April 25 following a two-day outage that forced the Peoria, Ill.-based health institution to implement downtime processes and policies. The outage occurred around 3:45 a.m. on April 23, as per the report. 

OSF HealthCare, based in Peoria, Ill., started informing patients on October 1 that their personal health information had been exposed for more than six weeks as a result of a cyberattack on its IT systems earlier this year. The affected computer systems held patient information and records for numerous OSF HealthCare hospitals and sites.

OSF HealthCare is a non-profit Catholic healthcare organization based in Illinois and Michigan that administers a medical group, hospital system, and other healthcare facilities. OSF HealthCare is owned and run by the Sisters of the Third Order of St. Francis and is headquartered in Peoria, Illinois. 

"During the outage, downtime procedures and protocols were closely followed, which included rescheduling some appointments and procedures," an OSF HealthCare spokesperson said. "Patient safety is at the forefront of everything we do, and any decision to delay an appointment or procedure was made with safety in mind." 

OSF HealthCare announced on its website on Oct. 1 that the outage was caused by a data security problem. After conducting an investigation, the health system learned that an unauthorized entity obtained access to its networks from March 7 to April 23. The hacker gained access to various files relating to OSF Little Company of Mary and OSF Saint Paul patients. 

The compromised data include personally identifiable information, name, birthdates, Social Security numbers, treatment information, medication information, and health insurance information. As per the warning, financial information from a "smaller subset of patients" was also compromised. 

Patients whose Social Security numbers or driver's license information were disclosed will receive free credit and identity monitoring services from the health system. OSF HealthCare further stated that new precautions and technical security procedures have been adopted to safeguard its network infrastructure. 

OSF HealthCare operates 14 hospitals and a variety of other institutions throughout Illinois and Michigan. All institutions and facilities continued to operate and also admitted new patients during the April outage.

HC3 Issues a Warning About a LockBit Ransomware Variant

 

The Health Sector Cybersecurity Coordination Center issued a threat briefing on LockBit, a ransomware gang that recently published a new variation. The hackers were behind the widely publicized ransomware attack on Accenture this summer, in which the firm was supposedly held hostage for $50 million. Threat actors claimed to have acquired more than six terabytes of data, according to researchers from the cyber intelligence firm Cyble. 

"Through our security controls and protocols, we identified irregular activity in one of our environments," said Accenture in a statement. "We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from backup. There was no impact on Accenture's operations, or on our clients' systems." 

According to Eleanor Barlow, content manager at SecurityHQ, LockBit attacks are recognized for their ability to encrypt Windows domains using Active Directory group settings. When a domain is compromised, the malware generates new group policies and sends them to networked devices. The policies in this case disable antivirus protection and allow malware to be installed.

"Threat actors continue to view unpatched systems as an easy, if not preferred, method of intrusion," wrote officials from the cybersecurity arm of the U.S. Department of Health and Human Services in its brief.

LockBit was founded in September 2019 and began advertising its "ransomware as a service" affiliate scheme in January 2020, according to HC3. In May 2020, it began collaborating with Maze, another ransomware organization, and in September of the same year, it launched its own leak site. LockBit v2.0 was released in June of this year. Now, according to HC3, it employs a double extortion scheme involving the StealBit malware. It has improved encryption and circumvents user account control methods.

It also relaunched its affiliate programme, in which affiliates determine the ransom, choose the payment method, and receive the majority of the money before paying the gang. Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan are not part of the Commonwealth of Independent States. 

According to HC3, hospitals are simple targets, but the LockBit affiliate showed "a great dislike for people who attack healthcare companies while providing contradicting information regarding whether he targets them himself." Although the United States has lucrative targets, data privacy regulations mandating victim organizations to notify all breaches have lowered the incentive for such entities to pay the ransom, according to HC3.

16.17 GB of User Data Stored in Fitness Bands, Exposed

 

The development and sudden boom of IoT equipment in the healthcare sector has resulted in a surge of cyber attacks. The use of wearable equipment such as health trackers and fitness bands has recently grown common. The safety and security features of these fitness trackers are an ongoing worry, since the devices hold a lot of important information about the user.

Recently, a 16.18 GB unencrypted database exposing over 61 million records of users' data stored in their fitness wearables was identified in the latest security analysis at WebsitePlanet. A substantial percentage of the disclosed records were related to IoT fitness and health monitoring devices.

Further research turned up several references to "GetHealth," a New York City-based firm that claims to offer a unified solution for accessing health and wellness data from hundreds of wearables, healthcare devices, and apps. The GetHealth database was not encrypted by default and was easily accessible to anyone. After researchers notified GetHealth, the database is now encrypted.

GetHealth platform can synchronize health-related information from a multitude of sources, such as Fitbit, Misfit Wearables, Microsoft Band, Strava, Google Fit, 23andMe, Daily Mile, FatSecret, Jawbone UP, Life Fitness, MapMyFitness, MapMyWalk, Moves App, PredictBGL, Runkeeper, Sony Lifelog, Strava, VitaDock, Withings, Apple HealthKit, Android Sensor, and S Health.

Much of the leaked information comprised users' first and last names, date of birth, body weight, height, sex, geolocation, etc. “This information was in plain text while there was an ID that appeared to be encrypted. The geolocation was structured as in America/New_York, Europe/Dublin and revealed that users were located all over the world,” WebsitePlanet said. 

When the researchers analyzed a sample of 20,000 records, the majority of the leaked data was from Fitbit (2.766 times) as well as from Apple HealthKit (17,764). This security flaw affects a majority of Apple HealthKit's customers, because HealthKit gathers deeper health information than any other instrument or application, such as blood pressure, body weight, sleep levels, and blood glucose.

Fitness trackers hold vital information for monitoring the user's health. Regrettably, this can also lead to several privacy problems. Users' confidential data is a source of profit for threat actors, and cybercriminals may abuse it in tailored phishing attacks, identity theft, or social engineering attacks.

“This case sets an example of how lack of care with sensitive data can make risks escalate indefinitely, as millions of people were exposed simply by wearing tracking devices during their workout sessions,” WebsitePlanet added.

COVID19 Vaccine Fraudsters Targeted Health Authorities in 40 Countries

 

INTERPOL has issued a global alert regarding organized criminal organizations approaching governments and peddling COVID-19 vaccinations through fraudulent offers. 

After INTERPOL reported about 60 incidents from 40 nations, the international law enforcement organization sent a warning to all 194 member countries. 

The staff of hospitals and health ministries was targeted, with fraudsters promising to offer COVID-19 vaccinations that had been licensed for distribution in their respective countries. To mislead their victims, the hackers pretended to be executives of vaccine manufacturers or government officials in charge of vaccine distribution. 

To finalize the deal, the fraudsters contacted their victims through work and personal email accounts and cold-called them by phone to pitch the fraudulent vaccines. These techniques should raise red flags, as vaccine purchases are negotiated at government level or, in the case of the European Union (EU), by a special Joint Negotiation Team.

Vaccine producers also played a key role in drafting the warning: INTERPOL based it on information supplied by the manufacturers, which also highlighted additional scam strategies such as the use of counterfeit websites and social media profiles.

The INTERPOL Secretary General Jürgen Stock stated, “As we see with cybercrime, usually it is the private sector which has the most information about attacks and trends, which is exactly what has happened with these attempted vaccine scams. Even when a fraud fails, it is important that it is reported to the police so that potential links can be identified and also, as in the case of the alert INTERPOL has issued, to warn law enforcement about these threats.” 

He further said that with the pandemic still spreading and nations striving to vaccinate their citizens promptly and safely, the vaccine rollout process needed to be safeguarded from the beginning of the production process until the vaccines are distributed. 

An Ongoing Issue

Earlier this year, INTERPOL and U.S. Homeland Security Investigations (HSI) published a joint alert advising against the purchase of fraudulent COVID-19 vaccines and treatments.

Throughout the COVID-19 pandemic, cybercriminals have been highly active, attacking everyone from ordinary individuals to medical companies and government agencies engaged in the vaccine development, approval, and distribution process.  

Scammers have deployed a series of COVID-19 vaccine-related frauds in the past year, hacked an Oxford University research lab working on strategies to prevent the COVID-19 pandemic, and even hacked the European Medicines Agency and disclosed stolen vaccine papers. 

Using a trustworthy security solution with a spam filter is one of the simplest ways to avoid being scammed. People who receive an unsolicited email from someone they don't know should be extremely cautious and look out for general red flags.

St. Joseph’s/Candler (SJ/C) Suffered a Data Breach

 

A ransomware attack on one of the leading healthcare organizations in southeast Georgia compromised the protected health information (PHI) of personnel and patients. According to the current press release, on 17 June 2021 the Georgia healthcare system, with 116 sites around the state, noticed suspicious activity in its network.

St. Joseph's/Candler of Savannah, Georgia, is a national Magnet-certified institution for nursing excellence that focuses on state-of-the-art technology and research. This non-profit health system comprises two of the oldest existing hospitals in the United States – St. Joseph's (1875) and Candler Hospitals (1804) – and serves 33 counties in southeast Georgia and the Low Country in South Carolina. It is also the region's leading and only religious healthcare organization.

St. Joseph's/Candler (SJ/C) declared on 10th August that it had experienced a data security incident leading to unauthorized access to patient and employee information.

SJ/C promptly took action to disconnect and protect its systems, informed federal law enforcement, and initiated a cybersecurity investigation. Through the inquiry, SJ/C found that an unauthorized entity had gained access to its IT network between 18 December 2020 and 17 June 2021. In a ransomware attack on SJ/C's IT network, this unauthorized party made files on SJ/C's IT systems inaccessible.

According to the information provided in the release, hackers may have accessed files containing information on both patients and personnel, including protected health information, during the data breach.

“SJ/C cannot rule out the possibility that, as a result of this incident, files containing patient and co-worker information may have been subject to unauthorized access,” it states. “This information may have included individuals' names in combination with their addresses, dates of birth, Social Security numbers, driver's license numbers, patient account numbers, billing account numbers, financial information, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, and medical and clinical treatment information regarding care received from SJ/C.”

Following the data breach, the healthcare system began to send notifications to the affected employees and patients. SJ/C is providing free credit monitoring and identity protection assistance to those affected by the breach. The healthcare provider has also set up a dedicated incident response line for anyone who needs more information about the breach.

In its press statement, SJ/C suggests that patients whose information might have been involved in this incident check the statements they receive from their healthcare providers. Patients should call the provider promptly if they see services that they did not receive.

SJ/C stated that it has implemented improved security in response to the ransomware attack and “will continue to adopt additional safeguards and technical security measures to further protect and monitor its systems.”

Healthcare Vendor Practicefirst Reveals It Suffered Cyberattack In 2020, No Data Lost

 

Practicefirst, a New York-based practice management vendor, said that a cyberattack that happened last year might have exposed personally identifiable information (PII) of patients and staff. In a statement, Practicefirst said that it hasn't found any fraud or misuse of the information yet; the hacker also assured the vendor that the information was not leaked to anyone and that all data was destroyed. Practicefirst is one of the leading organizations in coding, credentialing, medical billing, practice management solutions, and bookkeeping. The vendor found out about the issue in December last year, after which it shut down all its systems, informed the authorities, and changed passwords.

The attacker tried to install ransomware and was able to retrieve files stored in the vendor's systems that contained employees' and patients' PII. The data, which was later destroyed, contained names, addresses, driver's license numbers, social security numbers, tax ID numbers, and email IDs. Besides this, medical information, lab and treatment data, diagnoses, employee usernames and passwords, health insurance information, and financial information were also exposed. Practicefirst said, "We immediately reported the incident to appropriate law enforcement authorities and implemented measures to further improve the security of our systems and practices."

"We worked with a leading privacy and security firm to aid in our investigation and response and will report this Incident to relevant government agencies. We also implemented additional security protocols designed to protect our network, email environment, and systems," it said in a statement. The affected users were informed about the incident and the vendor also started a helpline for providing assistance to the users. "In other data breach news, University Medical Center of Southern Nevada recently announced that it faced a ransomware attack at the hands of the infamous REvil hacker group, responsible for a number of high-profile attacks."

"In addition, Aultman Health Foundation in Ohio announced that a now-terminated employee had been inappropriately accessing patient EHRs for over a decade. The employee continuously committed HIPAA violations and accessed over 7,000 patient records," reports HealthITSecurity. As of now, no further information about the attack has been revealed. However, it is evident that cyberattacks on the healthcare industry have become a major threat.

Scripps Health: The Non-Profit Healthcare Giant Hit by Cyberattack

 

According to several press reports, including the San Diego Union-Tribune, San Diego-based Scripps Health is still trying to put certain pieces back together and coordinate sensitive patient data following a ransomware attack on the healthcare system's computers over the weekend.

In a statement, Scripps acknowledged the intrusion but did not indicate whether it was a ransomware incident. Whether the adversaries affected medical records or any other confidential data is also unclear.

In the report, an email from Jaime Pitner, Co-ordinator of County Emergency Services, said that Scripps had all four major hospitals in Chula Vista, Encinitas, La Jolla, and San Diego. Patients were transferred to other emergency facilities for strokes, traumas, and heart attacks.

In September, staff members at Universal Health Services (UHS), a Fortune 500 owner of a national hospital network, reported extensive failures that led to delayed laboratory results, a fallback to pen and paper, and diverted patients. The suspect was the ransomware group Ryuk, which kept hospital systems encrypted for days.

“No patients died tonight in our [emergency room] but I can surely see how this could happen in large centers due to delay in patient care,” a nurse stated.

A ransomware attack on the Dusseldorf University hospital in Germany led to emergency department diversions to several other hospitals. A report from the Ministry of Justice of the State of North Rhine-Westphalia indicates that a patient died after having to be taken to a more distant hospital in Wuppertal because of an attack on the clinic's servers. However, the original murder charges in the case were subsequently dismissed.

“Showing just how low cybercriminals will go, the attack on a major healthcare facility like Scripps highlights the dark side of ransomware, disturbingly putting lives at risk,” said Edgard Capdevielle, CEO of Nozomi Networks, via email. 

Employees have also had to stop their everyday activities. The electronic health records network has been down, and nurses, physicians, and other staff have been using manual procedures and paper records. This also happened during the UHS attack. The "telemetry at most sites," which is used for electronic tracking and warnings, has been unavailable for the time being, says Scripps, prompting routine manual checks on patients. A source told the paper that medical imaging was affected, as well as other "resources."

However, Scripps has affirmed that while the systems are offline, “patient care continues to be delivered safely and effectively at our facilities, utilizing established back-up processes, including offline documentation methods.” 

Malicious actors are relentless in their efforts to exploit the most insecure networks, including those of health organizations. According to Purandar Das, CEO and co-founder at Sotero, hospitals are indeed the top target for attackers, as their vital position in communities will lead them to pay rapidly.

He added, “Criminals are targeting organizations that have been slow to adopt a more robust and resilient architecture. Organizations have to move towards protecting data, via new encryption technologies, that keep them secure while enabling privileged access. This prevents a ‘data held hostage’ situation. Secondly, organizations have to move towards a resilient deployment architecture that enables them to bring up a failover system without risking long term outages.”

Medical Records of Two US Based Hospitals Leaked on Dark Web

 

Two major US hospitals, Leon Medical Centers in Miami and Nocona General Hospital in Texas, have recently been hit by ransomware attacks that allowed hackers to steal and compromise medical records connected with tens of thousands of patients and employees. These two hospitals have eight facilities in Miami and three facilities in Texas. As a result of the hack, patients of these two US hospital chains had their addresses, birthdays, and colonoscopy results published on the dark web. Hackers released detailed patient information in an obvious effort to extort money from them.

The documents, which were uploaded to a dark web site that attackers use to identify and extort victims, contain patients' personal identity records, such as their names, addresses, treatment history, and medical diagnoses. The posted information also includes letters to health insurers. One folder includes background checks on the hospital personnel. The “2018 colonoscopies” Excel file includes 102 complete names, dates, and treatment information, along with a 'yes' or 'no' field to show whether the patient has a “normal colon.”

Cybersecurity experts are well acquainted with the gang of hackers who released the files. Usually, the actors first encrypt the victim's files and demand payment; only very occasionally do they post such files openly on the dark web without asking for payment. That appears to be what happened with Nocona, so the reason the files were released is still unknown. Adding to the mystery, an attorney representing Nocona General Hospital said that there appeared to be no malware infection or ransom demands.

Leon Medical, on the other hand, has taken immediate action to identify the problems that allowed unauthorized access to its systems and aims to address them. "Leon Medical is still in the process of a thorough review to identify all individuals whose information was impacted by this incident and will be providing written notice as soon as possible to individuals that Leon Medical determines have been impacted by this incident," it said.

After the cyberattack was discovered, Leon Medical Centers, with the assistance of Internet security experts, promptly took control of the compromised networks and conducted an inquiry into the nature and severity of the incident. The healthcare business has alerted both the FBI and the Department of Health and Human Services (HHS) about the misuse of patient information.

The leak shows how hackers have attacked American hospitals, small companies, colleges, and public computers in recent years, frequently infecting them with extortion malware that locks computers and makes them inoperable. The hackers then ask for payment, normally in Bitcoin, to unlock the files. The majority of health institutions are not prepared for cyber threats and have fewer services available to address such concerns, which makes them a primary target of such hackers.

Cerber Ransomware Returns: Targeting Healthcare Industry

 

Cerber, a type of ransomware that was once the most popular choice for cybercriminals, has returned and is being used to target healthcare organizations. In 2020, healthcare firms drove digital innovation, including in COVID-19 test technology. However, it is important to note that these advances also brought unprecedented security flaws, which cybercriminals rapidly sought to exploit.

Cerber is ransomware-as-a-service (RaaS), which means that attackers license the Cerber ransomware over the internet. Cerber has climbed into the category of sophisticated ransomware. In 2017, it was the most powerful ransomware family, accounting at one point for 90 percent of all ransomware attacks on Windows systems. Usually, an attacker adapts and delivers the ransomware while keeping all of the proceeds; however, by setting up Cerber this way, the developer and partner can carry out further attacks with less effort.

Ransoms usually amounted to a few hundred dollars – a tiny sum relative to today's ransomware attacks, which demand hundreds of thousands or millions for a decryption key – yet Cerber's influence led several victims to settle ransom demands, providing Cerber's creators and affiliates with a lucrative business model. At times, cyber attackers also spread the ransomware via phishing e-mails or compromised websites.

Cybersecurity researchers at security company VMware Carbon Black have identified Cerber as the most common ransomware targeting healthcare as of late. In 2020, they found that there were 239.4 million attempted cyberattacks targeting VMware Carbon Black healthcare customers. The average number of attempted attacks in 2020 was 816, a stupefying rise of 9,851 percent from 2019.

The rise in attacks started in February when the pandemic began to spread globally. The number of attempted attacks rose by 51 percent between January and February when hackers turned their focus to vulnerable healthcare institutions, which witnessed a huge improvement in their way of working and handling patients. 

"Although old malware variants such as Cerber tend to resurface, these are often re-factored to include new tricks, though at the core are still leveraging tried and true techniques," stated Greg Foss, senior cybersecurity strategist at VMware Carbon Black. 

He further added, "All it takes is a quick search on the dark web for someone to license out a ransomware payload to infect targets. Today, it's unfortunately just as easy to sign up for a grocery delivery service as it is to subscribe to ransomware."

Unfortunately, hospitals are a frequent target for cybercriminals who spread ransomware because health care relies on networks that are open to patients. This can also lead hospitals to decide quickly to pay a ransom demand, because it appears to be the only way to avoid jeopardizing patients' privacy and to stop hackers from releasing compromised records, which can be a very serious threat in healthcare.

Ryuk Ransomware: What Can We Learn From DCH Cyberattack?

Hackers have profited a lot from the Covid-19 pandemic by targeting health institutions, so let us look back and learn from these attacks. Cybercriminals have been attacking healthcare institutions for a very long time; one notable example is the "DCH ransomware" attack. In this article, E Hacking News analyzes the events of the DCH ransomware incident and how the Alabama healthcare system dealt with the attack.

About the attack
Alabama's DCH health system was hit by a ransomware attack in October 2019. The attack forced DCH to shut down its three units in the state: Fayette Medical Center, Northport Medical Center, and Tuscaloosa's DCH Regional Medical Center. Because of the attack, the computer systems in the three hospitals stopped working, and hospital staff couldn't access important files and patient records. DCH applied emergency measures to deal with the crisis: the hospitals took in critical patients, whereas non-critical cases were transferred to other health institutions and only admitted after 10 days.

About DCH Ransomware 
Hackers attacked DCH systems using a strain of Ryuk ransomware, the malware used by Wizard Spider, a Russian hacking group. Ryuk relies on social engineering and phishing attacks to trick users into opening malicious links. Once a link is opened, the malware deploys itself on the target device. When Ryuk is successfully deployed, it gets into the system code and stops the device from functioning. Encryption follows, and the last step is the ransom demand.

Aftermath of the Ransomware Attack
DCH couldn't continue its healthcare services for 10 days due to the partial disruption caused by the ransomware. Four patients filed a lawsuit against DCH for violating "information privacy law" and affecting their medical treatment during the ransomware attack. The lawsuit stated, "because of the ransomware attack, plaintiffs and class members had their medical care and treatment, as well as their daily lives, disrupted." "As a consequence of the ransomware locking down the medical records of plaintiffs and class members, plaintiffs and the class members had to forego medical care and treatment or had to seek alternative care and treatment."