Ransomware Targets Healthcare Entities

The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.

Because of these documented threats, Eagle Associates strongly recommends that you share the following link with your IT personnel/vendor to ensure that precautions are taken for your network and systems:

https://us-cert.cisa.gov/ncas/alerts/aa20-302a

The alert includes best practices for preventing and responding to ransomware, along with several no-cost resources available to you through CISA. Taking action before a cyberattack occurs will get you back to regular operations more quickly and will also reduce costs and stress.

A critical component to your overall cybersecurity efforts is conducting a Security Risk Analysis to identify threats and vulnerabilities to your electronic protected health information (EPHI). It is equally important to follow through with corrective actions after the SRA to document risk management and mitigation.  NOTE:  Subscribers to the Eagle Associates HIPAA Compliance System have a Security Risk Analysis tool included with their program.

If you have any questions regarding this or any other compliance issue, reach out to our team at (800) 777-2337 or via email at info@eagleassociates.net.

OCR Issues Cybersecurity Alert

On September 22, 2020, the Office for Civil Rights (OCR) shared an update from the Cybersecurity and Infrastructure Security Agency (CISA) addressing a critical vulnerability that could significantly compromise information systems. The vulnerability affects the Netlogon Remote Protocol on Microsoft Windows Server operating systems, i.e., the domain controllers that run Active Directory:

CISA Releases Emergency Directive on Microsoft Windows Netlogon Remote Protocol

Original release date: September 18, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive (ED) 20-04 addressing a critical vulnerability, CVE-2020-1472, affecting Microsoft Windows Netlogon Remote Protocol. An unauthenticated attacker with network access to a domain controller could exploit this vulnerability to compromise all Active Directory identity services. Earlier this month, exploit code for this vulnerability was publicly released. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors. Attackers could exploit this vulnerability to obtain domain administrator access. Given the nature of the exploit and documented adversary behavior, CISA assumes active exploitation of this vulnerability is occurring in the wild.

ED 20-04 applies to Executive Branch departments and agencies; however, CISA strongly recommends that state and local governments, the private sector, and others patch this critical vulnerability as soon as possible. Review CISA's Emergency Directive 20-04 and Microsoft's advisory for CVE-2020-1472 for more information.
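A check that IT staff can run on each domain controller, added here as an example and not part of the CISA or OCR text above: it reads the Netlogon enforcement setting and lists recent Netlogon events that identify clients still using vulnerable secure channels. The registry value (FullSecureChannelProtection) and event IDs 5827 through 5831 are taken from Microsoft's deployment guidance for the CVE-2020-1472 update (KB4557222), not from this page; the script assumes an elevated PowerShell session on a domain controller that already has the August 2020 or later update installed.

```powershell
# Added example (not from the CISA/OCR text): Netlogon secure-RPC state on a domain controller.
# Assumes: elevated session on the DC; August 2020 or later Netlogon update installed.
# Registry value and event IDs per Microsoft's KB4557222 guidance for CVE-2020-1472.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonEnforcementState {
    # FullSecureChannelProtection = 1 forces secure RPC for every Netlogon secure channel
    # (enforcement mode). Absent or 0 leaves the DC in the initial deployment phase, in which
    # non-compliant clients are still allowed to connect and only logged.
    $value = Get-ItemProperty -Path $NetlogonParams -Name 'FullSecureChannelProtection' -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'NotSet' }
    if ($value.FullSecureChannelProtection -eq 1) { return 'Enforced' }
    return 'NotEnforced'
}

function Get-VulnerableNetlogonClients {
    param([int]$Days = 7)
    # Patched DCs write these System-log events (source NETLOGON) when a client uses a
    # vulnerable Netlogon secure channel:
    #   5827 / 5828  connection denied (machine account / trust account)
    #   5829         vulnerable connection allowed (initial deployment phase)
    #   5830 / 5831  allowed by the "Allow vulnerable Netlogon secure channel connections" policy
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Sort-Object TimeCreated -Descending
}

# Usage: run on every domain controller in the forest.
$state = Get-NetlogonEnforcementState
"Netlogon secure RPC enforcement on $env:COMPUTERNAME: $state"
if ($state -ne 'Enforced') {
    Write-Warning 'Set FullSecureChannelProtection = 1 once the devices listed below have been updated or isolated.'
}
Get-VulnerableNetlogonClients -Days 7 | Format-Table -AutoSize
```

The target condition is an Enforced state with no 5827 to 5831 events over a week. Any 5829, 5830 or 5831 events name devices (often unpatched appliances or non-Windows systems) that still connect insecurely and should be fixed or isolated before enforcement is turned on; once Microsoft's February 2021 enforcement-phase update is installed, domain controllers enforce secure RPC regardless of the registry value.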

OCR Issues Alert on HIPAA Postcard Scam

The Office for Civil Rights (OCR) has issued an alert regarding postcards being sent to health care organizations disguised as official OCR communications, claiming to be notices of a mandatory HIPAA compliance risk assessment. The postcards have a Washington, D.C. return address, and the sender uses the title “Secretary of Compliance, HIPAA Compliance Division.” The postcard is addressed to the health care organization’s HIPAA compliance officer and prompts recipients to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment. The link directs individuals to a non-governmental website marketing consulting services.

The OCR urges HIPAA covered entities and business associates to alert their workforce members to this misleading communication. The communication is from a private entity – it is NOT an HHS/OCR communication. Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address on any communication that purports to be from OCR. The addresses for OCR’s HQ and Regional Offices are available on the OCR website at: https://www.hhs.gov/ocr/about-us/contact-us/index.html

All OCR email addresses will end in @hhs.gov. If your organization has questions or concerns, you may send an email to: OCRMail@hhs.gov. 

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.

Eagle Associates, Inc.

Your service with us includes Live Support, which means our Consultants are available to answer unlimited questions at no additional cost. Please contact us by email (info@eagleassociates.net) or phone (800-777-2337).

Cyber Attackers Exploiting COVID-19

Increased teleworking has provided bad actors with the opportunity to exploit potentially vulnerable services, such as virtual private networks (VPNs).  The attacks may take several different forms.  The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) outlines attacks and suggested steps to prevent them.  Note that this is not an exhaustive list of all potential attacks that may occur.

Cybercriminals are using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities and deploying a variety of ransomware and other malware. Threats observed include:

  • Phishing, using the subject of coronavirus or COVID-19 as a lure,
  • Malware distribution, using coronavirus- or COVID-19- themed lures,
  • Registration of new domain names containing wording related to coronavirus or COVID-19, and
  • Attacks against newly deployed remote access and teleworking infrastructure.

The objective in many schemes is to entice a user to carry out a specific action. These actors are taking advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade potential victims to:

  • Click on a link or download an app that may lead to a phishing website, or the downloading of malware, including ransomware.
    • For example, a malicious Android app purports to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into granting administrative access, which is then used to install "CovidLock" ransomware on the device.
  • Open a file (such as an email attachment) that contains malware.
    • For example, email subject lines contain COVID-19-related phrases such as "Coronavirus Update" or "2019-nCov: Coronavirus outbreak in your city (Emergency)".

To create the impression of authenticity, malicious cyber actors may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization (WHO) or an individual with “Dr.” in their title. In several examples, actors send phishing emails that contain links to a fake email login page. Other emails purport to be from an organization’s human resources (HR) department and advise the employee to open the attachment. Malicious file attachments containing malware may be named with coronavirus- or COVID-19-related themes.

Exploitation of New Teleworking Infrastructure

Many organizations have had to rapidly deploy new networks and remote work in response to the COVID-19 pandemic, including VPNs and related IT infrastructure to shift their entire workforce to teleworking. Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. In several examples, actors have been observed scanning for publicly known vulnerabilities in Citrix remote-access products. Similarly, known vulnerabilities affecting VPN products from Pulse Secure, Fortinet, and Palo Alto continue to be exploited; these are vulnerabilities for which vendor patches already exist, so the exposure comes from devices that have not been updated.

Malicious cyber actors are also seeking to exploit the increased use of popular communications platforms, such as Zoom or Microsoft Teams, by sending phishing emails that include malicious files with names such as "zoom-us-zoom_##########.exe" and "microsoft-teams_V#mu#D_##########.exe" (# representing various digits that have been reported online). In addition, attackers have been able to hijack teleconferences and online classrooms that were set up without security controls (e.g., passwords) or with unpatched versions of the communications platform software. For more information on teleconference attacks and security, see "Beware of Teleconferencing Hijacking" below.

The surge in teleworking has also led to an increase in the use of Microsoft's Remote Desktop Protocol (RDP). Attacks on unsecured RDP endpoints (i.e., those exposed directly to the internet) are widely reported online. The increase in RDP use can make IT systems that lack the right security measures (no VPN in front of RDP, no Network Level Authentication, no account lockout or multi-factor authentication) more vulnerable to brute-force and credential-based attacks.
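An audit that IT staff can run on each Windows host enabled for remote work, added here as an example and not taken from the CISA alert: it reports whether Remote Desktop is enabled, whether Network Level Authentication (NLA) is required, which port the listener uses, and whether any enabled inbound firewall rule allows that port from any remote address. The registry locations are the standard Terminal Server settings and the firewall cmdlets are the built-in NetSecurity module; the script assumes an elevated PowerShell session on the host being checked. A host that is behind a NAT gateway may still be reachable through a port forward, so confirm the result against the perimeter firewall as well.

```powershell
# Added example (not from the CISA alert): local audit of Remote Desktop exposure.
# Assumes an elevated session on the host being checked; uses standard Terminal Server
# registry settings and the built-in NetSecurity cmdlets.

function Get-RdpExposure {
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed
    $rdpEnabled  = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means NLA is required before the Windows logon screen is shown,
    # which keeps unauthenticated clients away from the logon process itself
    $nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
    # Default listener port is 3389; a changed port is not a security control by itself
    $port        = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

    # Enabled inbound allow rules that open the RDP port to any remote address.
    # A rule scoped to the corporate VPN range would not appear here.
    $openRules = @(
        Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
            Where-Object { @(($_ | Get-NetFirewallPortFilter).LocalPort) -contains "$port" } |
            Where-Object { @(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -contains 'Any' } |
            Select-Object -ExpandProperty DisplayName
    )

    $risk = 'Medium'
    if (-not $rdpEnabled) { $risk = 'Low' } elseif (-not $nlaRequired -or $openRules.Count -gt 0) { $risk = 'High' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RdpEnabled          = $rdpEnabled
        NlaRequired         = $nlaRequired
        Port                = $port
        UnrestrictedInbound = $openRules
        Risk                = $risk
    }
}

# Usage: run on each host that was enabled for remote work
Get-RdpExposure | Format-List
```

A High result means either that NLA is off, so anyone who can reach the port gets a logon screen to attack, or that the host firewall accepts RDP from any address. The fix in both cases is the same: require NLA, restrict the inbound rule to the VPN address range or remove it, and put RDP behind the VPN rather than on the internet.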

Mitigation

Malicious cyber actors are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is no exception. Malicious actors are using the desire for COVID-19-related information as an opportunity to deliver malware and ransomware, and to steal user credentials. Individuals and organizations should remain vigilant. For information regarding the COVID-19 pandemic, use trusted resources, such as the Centers for Disease Control and Prevention (CDC), WHO, local public health departments, reputable news sites, etc.

Phishing Guidance for Individuals

The following are tips for you and your staff to recognize a phishing scheme:

  • Authority– Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want.
  • Urgency– Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
  • Emotion – Does the message make you panic, fearful, hopeful, or curious? Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.
  • Scarcity – Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.

More details on the types of phishing attacks being deployed, and how to protect against them, may be found in the full CISA/NCSC alert. CISA and the NCSC have compiled resources in that alert to which you can direct your IT vendor/department/specialist for help in protecting your organization from these types of attacks.

Refer here for the full document: https://www.us-cert.gov/ncas/alerts/aa20-099a

Beware of Teleconferencing Hijacking

If you have begun or increased your use of Teleconferencing/Telehealth to provide health care, be aware of cyber-attacks.  The FBI issued a notice on 3/30/2020, which warned that bad actors have been hijacking Zoom and other teleconference platforms, disrupting them with pornographic or hate images and language.

The following steps can help to secure your teleconferences:

  • Do not make meetings public.  In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.  Other platforms also offer security settings such as meeting passwords and waiting rooms.
  • Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • Manage screensharing options. In Zoom, change screensharing to “Host Only.”
  • Ensure users are running the current version of remote access/meeting applications. In January 2020, Zoom updated their software. In that security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
  • Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

If you were a victim of a teleconference hijacking, or any cyber-crime for that matter, report it to the FBI's Internet Crime Complaint Center at ic3.gov. Additionally, if you receive a specific threat during a teleconference, report it to the FBI at tips.fbi.gov or call the FBI Boston Division, which issued the notice, at (857) 386-2000.

OCR Issues Notice of Enforcement Discretion in Regard to Telehealth

The Office for Civil Rights has issued a document titled Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency that communicates a relaxation in compliance requirements during these challenging times. The document states “OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency…This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”

Health care providers are permitted to use any audio or video applications to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with HIPAA requirements during the public health emergency. However, the OCR does encourage providers to notify patients that use of third-party applications may pose privacy risks.  

We recommend that our clients use Form 7.34-Patient Authorization for Disclosure of PHI via Alternative Means* to communicate this risk to patients and to obtain the contact information (cell phone number, email address, etc.) that is needed to initiate the communication.

The OCR document lists several vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA business associate agreement (BAA). These vendors should be used if available to the practice and feasible for the patients involved. However, the OCR notice clearly states that it “will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.”

Your practice may accept the BAA that is provided by video communication vendors or, if none is offered, you may seek to obtain a signature on Form 7.22-Business Associate Agreement*.

Use of encryption is normally required for any transmission of PHI over an open electronic network (i.e., the Internet), and if encryption or other privacy modes are available in a particular application they should be used. However, if these security measures are not available in the particular app chosen for telehealth, the OCR will not take enforcement action against the health care provider, as stated in the notice quoted above.

Please refer to the OCR document in its entirety here:

https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

* The forms mentioned in this article may be found in the Forms section of Eagle Associates’ HIPAA Policy Manual or in the Member Services area of our website. Forms are provided in Microsoft Word™ format in the Member Services area if you wish to modify the form with a specific telehealth application or other relevant information.

Please note that this enforcement discretion applies only to the provision of telehealth during the current nationwide public health emergency. The OCR will otherwise continue to enforce the Privacy and Security Rules during the emergency.

If you have any questions about telehealth or other compliance matters, our Consultants remain available by phone (800) 777-2337 or email at: info@eagleassociates.net.