
HHS ASPR/CIP HPH Cyber Notice: On-Going Impacts to HPH Sector from WannaCry

DISCLAIMER: This product is provided “as is” for informational purposes only. The Department of Health and Human Services (HHS) does not provide warranties of any kind regarding any information contained within. HHS does not endorse any commercial product or service referenced in this product or otherwise.

HHS is aware of two large, multi-state hospital systems that are continuing to face significant challenges to operations because of the WannaCry malware. Note: this is not a new WannaCry attack.

The behaviors that have been reported are typical for environments where the WannaCry scanning virus persists, even though the encryption stage has been blocked by anti-virus or is not executing. The virus can persist even on a machine that has been patched. The virus will not spread to a patched machine, but the attempt to scan can disrupt Windows operating systems when it executes. The particular effect varies according to the version of Windows on the device. For those devices or systems, we are providing additional guidance below.

We are also sharing FDA’s emergency phone line for those with questions or reports of malware affecting devices as part of the recommended reporting process below.

You may send additional questions to cip@hhs.gov

Mitigating risks of WannaCry

WannaCry ransomware is a fast-propagating worm which exploits Windows’ Server Message Block version 1 (SMBv1) protocol to move through a network or infect other systems on the Internet. However, SMBv1 might not be the only vector of infection for WannaCry, so even patched systems could still be infected if the malware is introduced to the system in a different manner.

Furthermore, a newly patched system could have been previously infected, and if so, would still scan for other vulnerable systems and/or encrypt files. Patching a system is like a quarantine in physical medicine: it prevents an infection from spreading but does not cure the patient who has been quarantined. Reimaging removes the infection in the operating system no matter where the virus is residing.

Mitigate the risk of WannaCry infection with the following steps:

  • Patch vulnerable systems with the update from Microsoft which fixes the SMBv1 vulnerability: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Disable SMBv1 on all devices across the network, and disable it at the firewall if possible. If it is not possible to disable SMBv1, consider the business impact of quarantining those devices off the network until another solution can be found.
  • See the Tech Support page from Microsoft for instructions on disabling SMBv1: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server
  • Block port 445 on all firewalls.
  • If possible, reimage potentially affected devices to mitigate the risk that malware is running on the system in the background.
  • Use a reputable anti-virus (AV) product whose definitions are up-to-date to scan all devices in your environment in order to determine if any of them have malware on them that has not yet been identified. Many AV products will automatically clean up infections or potential infections when they are identified.
  • Work with vendors to make sure both the distribution stage and the encryption stage of WannaCry are detected and blocked.
  • Work with vendors or IT support staff to investigate and remediate systems exhibiting network-scanning activity consistent with WannaCry, which could include reimaging per the previous bullet point.
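
As an added example (not part of the HHS notice), the sketch below shows one way to find hosts exhibiting the scanning behavior described above from firewall or flow logs: it flags any source that touches many distinct destinations on TCP/445 within a short window, counting denied attempts as well, since a patched or firewalled network still sees the scan. The log format, addresses and thresholds are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

def parse_flow(line):
    """Parse 'ISO-timestamp src dst dport action' (an assumed, constructed format)."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return datetime.fromisoformat(ts), src, dst, int(dport), action
    except ValueError:
        return None

def find_smb_scanners(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {src: peak count of distinct TCP/445 destinations in any window}
    for sources whose peak reaches min_targets. Allowed and denied flows both
    count: the scan attempt itself is the indicator, not its success."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec and rec[3] == SMB_PORT:
            by_src[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # destination -> flows currently inside the window
        start = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop flows that have aged out of the sliding window.
            while events[start][0] < ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

def build_sample():
    """Constructed sample traffic, not real logs."""
    base = datetime(2017, 6, 5, 9, 0, 0)
    lines = []
    # Previously infected, now patched workstation: still sweeps its subnet on 445.
    for i in range(1, 41):
        t = base + timedelta(milliseconds=500 * i)
        lines.append(f"{t.isoformat()} 10.20.1.57 10.20.1.{i} 445 deny")
    # Normal client: repeated sessions to the same two file servers.
    for i in range(30):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 10.20.1.12 10.20.9.{5 + i % 2} 445 allow")
    # Busy web client: many destinations, but not SMB.
    for i in range(1, 41):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.20.3.8 198.51.100.{i} 443 allow")
    lines.append("malformed line")
    return lines

if __name__ == "__main__":
    for src, peak in sorted(find_smb_scanners(build_sample()).items()):
        print(f"{src}: {peak} distinct TCP/445 targets within 60s, isolate and investigate")
```

Hosts flagged this way are candidates for the investigation and reimaging steps in the list above; tune the window and threshold to the site's normal SMB fan-out before relying on it.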

If you are the victim of a ransomware attack

If your organization is the victim of a ransomware attack, HHS recommends the following steps:

  1. Please contact your FBI Field Office Cyber Task Force (www.fbi.gov/contact-us/field/field-offices) or US Secret Service Electronic Crimes Task Force (www.secretservice.gov/investigation/#field) immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
  2. Please report cyber incidents to the US-CERT (www.us-cert.gov/ncas) and FBI’s Internet Crime Complaint Center (www.ic3.gov).
  3. **NEW** If your facility experiences a suspected cyberattack affecting medical devices, you may contact FDA’s 24/7 emergency line at 1-866-300-4374. Reports of impact on multiple devices should be aggregated on a system/facility level.
  4. For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC_RM@hhs.gov


June 5, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Logicalis US to CIOs: Don’t be Held Hostage by Ransomware

Solution Provider IDs Five Proactive Steps CIOs Can Take Now

NEW YORK, September 12, 2016 – Ransomware, which holds business data hostage until a fee is paid, has taken a sharp upturn this year. In fact, a recent industry study found that nearly half of all U.S. businesses have experienced at least one ransomware attack in the past year alone. While organizations wrestle with the ever-pressing issue of whether to pay or not to pay if they’re victimized, Logicalis US, an international IT solutions and managed services provider (www.us.logicalis.com), suggests CXOs focus first on how to protect, thwart and recover from a potential attack before developing a pay or don’t-pay policy.

“Ransomware has become one of the most sophisticated criminal enterprises the world has ever seen,” says Ron Temske, Vice President, Security Solutions, Logicalis US. “As anyone in the business of cybersecurity knows, we’ve long battled those who simply wanted to create chaos and disruption. We’ve seen nation states attack both military and civilian targets and ‘hacktivists’ who act for various social causes.  But ransomware is different in one key way: It’s all about the money.  Ransomware is a business, complete with sophisticated cybercrime-as-a-service offerings and world-class customer support to ensure its victims’ files are returned expeditiously once the ransom is paid. It’s a service business approaching $1 billion in annual revenue, something that would be heralded as an accomplishment if it weren’t based on such nefarious principles. The business of ransomware has even spawned a network of affiliates that provide redirection of an exploit kit for a cut of the profits.”

Five Ways to Respond to the Threat from Ransomware

To be ready for an attack before it happens, to detect and stop it while it’s happening, or to recover from it after it happens takes planning. To help, Logicalis’ security experts have compiled a list of the top five ways to respond to the threat ransomware poses today.

  1. Create a Modern Defense: Traditional signature-based anti-virus solutions are good to have, but they aren’t up to the job of thwarting a sophisticated ransomware attack.  Neither is your traditional stateful firewall. As a result, it is critically important to plan for the possibility of an attack by developing comprehensive visibility and access to extensive details on how the malware entered the organization’s environment in the first place. IT pros who are serious about heading ransomware off at the pass should focus intently on modern next-generation anti-malware and firewall solutions that can stop an attack before it starts.
  2. Take an Architectural Approach: In some limited situations, point solutions can be effective, but not with ransomware. The most effective way to address the threat posed by ransomware and other pervasive cyberattacks is to take a holistic architectural approach to security that encompasses the entire network including its systems and endpoints as well as the organization’s cloud and mobile strategies. Because so many of today’s threats are automated, solutions that rely on human intervention to detect and respond are neither affordable nor effective, making automation and orchestration key principles in a solid security architecture design.
  3. Prevent the Spread of Malware: If an attacker’s malware does enter the network, it has the ability to spread like a fast-moving cold among passengers on an airplane.  The key at this stage is to compartmentalize data using network micro-segmentation strategies that make it more difficult for malware to spread laterally within the environment.
  4. Plan Your Recovery: The unfortunate truth is, despite the security industry’s best efforts, no organization is entirely immune to attack.  Therefore, it’s critical to examine how the organization will recover if it is breached. First, be sure you’re backing up. Second, test, test and re-test the backup and restore process; a backup is only valuable if the data can actually be restored when it’s needed.  It’s also important to ensure that the restore can be done at the system level since file-based recovery may not be enough. Consider, too, how much redundancy is required; if the organization is hit, do you have an uncorrupted source from which you can immediately recover? And be sure to weigh the costs of various solutions against the cost of potential loss or downtime – not all data is equally valuable, which means not all data needs the same level of protection.
  5. Create a Pay or No-Pay Policy: Finally, the big question: To pay or not to pay? No vertical market is having a tougher time facing this question than healthcare is today; whether it’s critical patient-care data that hackers hold hostage or the threat of hefty regulatory fines imposed when protected patient health information (PHI) is breached, healthcare organizations have become prime targets for ransomware attacks. Before any organization – healthcare or otherwise – pays a ransom, however, Temske suggests examining how much damage will be done if you don’t pay. Do you have an uncompromised data backup from which you can restore? What is the cost to restore vs. pay – both monetarily and in terms of the business’ ability to function in the meantime? Ultimately, the decision comes down to how business-critical the compromised data is to the organization. If you do decide to pay, Temske has one word of advice: “Negotiate. In most cases, you can talk the price down, so it may make sense to consider not paying the first amount offered.”

About Logicalis
Logicalis is an international multi-skilled solution provider providing digital enablement services to help customers harness digital technology and innovative services to deliver powerful business outcomes.

Our customers cross industries and geographical regions; our focus is to engage in the dynamics of our customers’ vertical markets including financial services, TMT (telecommunications, media and technology), education, healthcare, retail, government, manufacturing and professional services, and to apply the skills of our 4,000 employees in modernizing key digital pillars, data center and cloud services, security and network infrastructure, workspace communications and collaboration, data and information strategies, and IT operation modernization.

We are the advocates for our customers for some of the world’s leading technology companies including Cisco, HPE, IBM, NetApp, Microsoft, VMware and ServiceNow.

The Logicalis Group has annualized revenues of over $1.5 billion from operations in Europe, North America, Latin America and Asia Pacific. It is a division of Datatec Limited, listed on the Johannesburg Stock Exchange and the AIM market of the LSE, with revenues of over $6.5 billion.

For more information, visit www.us.logicalis.com.

September 12, 2016 | Written By John Lynn

Survey Shows Insider Threats on the Rise: Organizations Experience an Average of 3.8 Attacks per Year

Survey by Crowd Research Partners Shows Endpoints Are by Far the Most Common Launch Point for an Insider Attack; Highlights Need for Robust Endpoint Security and Policies

VERO BEACH, FL − (June 24, 2015) SpectorSoft™, a leader in the user activity monitoring and behavior analysis market, today released results of the Insider Threat Report, a crowd-based research project that was done in cooperation with the 260,000+ member Information Security Community on LinkedIn and Crowd Research Partners to gain more insight into the state of insider threats and solutions to prevent them. The final report results were based on a comprehensive survey of over 500 cybersecurity professionals from organizations of varying sizes across many industries; the results highlight the increasing need for better security practices and solutions to reduce the risks posed by insider threats.

Among the report’s findings:

The Rise of Insider Attacks: A majority of security professionals (62 percent) saw a rise in insider attacks over the last 12 months, while 22 percent saw no rise, and 16 percent were unsure if they had been attacked or not.

Frequency of Insider Attacks: Forty-five percent of respondents cannot determine whether their organizations experienced insider attacks in the last 12 months. Twenty-two percent said they experienced between one and five attacks, and 24 percent of organizations believe they experienced no attacks at all. Of the respondents who were willing to admit they suffered an insider attack, the average number was 3.8 incidents per organization per year.

Cost of Remediation: The overall average cost of remediating a successful insider attack is around $445,000. With an average risk of 3.8 insider attacks per year, the total remediation cost of insider attacks can quickly run into the millions of dollars.

Monitor Insider Activity on the Endpoint: The survey highlights the need for robust endpoint security and policies; respondents identified endpoints as the most common launch point for insider attacks (56 percent); this was followed by networks (43 percent) and mobile devices (42 percent).

Top Insider Threats: Organizations overwhelmingly maintained that data loss was the top concern regarding insider threats. When asked which types of insider attacks were most concerning, 63 percent of respondents said data leaks, 57 percent said inadvertent data breaches and 53 percent said malicious data breaches.

Vulnerable Data: Sixty-four percent of respondents feel extremely, very or moderately vulnerable to insider threats. Due to its value to attackers, the most vulnerable type of data is customer data (57 percent). This was closely followed by intellectual property (54 percent) and financial data (52 percent).

Internal versus External Attacks: Sixty-two percent of respondents find it more difficult to detect internal threats than external threats, while 38 percent cannot determine which type of threat is most difficult to detect.

Monitoring the Threat: When it comes to threat monitoring, 75 percent of companies monitor the security controls of their applications, 60 percent monitor a majority of all of their key IT assets, while only 21 percent continuously monitor user behavior taking place on their networks.

“The survey and report called out a rise in insider threats, the difficulty in detecting them, and the significant costs in cleaning up after a successful insider attack,” said Mike Tierney, COO, SpectorSoft.  “Companies need the ability to detect for anomalies in user behavior to make sure they are aware of the threats that exist within their organizations, because insiders will deviate from their normal behavior patterns when planning and executing an attack.”

About SpectorSoft

SpectorSoft is the leader in user activity monitoring and an innovator in user behavior analysis software. SpectorSoft has helped more than 36,000 businesses, government organizations, schools and law enforcement agencies improve how they address security and achieve compliance. SpectorSoft award-winning solutions include enterprise-grade insider threat detection software, a powerful user activity monitoring solution deployed by thousands of companies in more than 110 countries, robust Event and Security Log Management, and the world’s leading employee investigation tool. For more information, please visit www.spectorsoft.com.

June 26, 2015 | Written By John Lynn

HIPAA Secure Now! Helps Covered Entities Comply with HIPAA Privacy Rule; New Privacy Tools Augment Company’s HIPAA Security Compliance Services

MORRISTOWN, NJ – APRIL 8, 2015 – Today HIPAA Secure Now! began offering covered entities a suite of HIPAA Privacy Tools to help them meet requirements of the HIPAA Privacy Rule. The suite includes an updated HIPAA privacy policy manual and training module, which complements its HIPAA security services package. A secure portal gives customers access to policies and procedures, and all the forms needed to implement the HIPAA Privacy Rule. An Education Center for training employees provides interactive slides and videos, a compliance quiz and completion certificates.

“While most medical practices have implemented the Privacy Rule to some degree they may lack written policies, all the necessary forms, or they may be falling behind on employee training,” said Art Gross, CEO for HIPAA Secure Now!  “Initially we concentrated on helping clients comply with the HIPAA Security Rule.  We guided them in protecting electronic patient information with a security risk analysis, policies, training and technology recommendations.  Now we’re adding Privacy Tools, which offers similar resources and training but is geared toward the overall use, management and distribution of patients’ health information, as laid out by the Office of Civil Rights.”

The HIPAA Privacy Rule obligates covered entities to comply with standards that address the protection, use and disclosure of an individual’s health information.  The Rule states how a medical practice can use a patient’s health information, whether it shares that information with another covered entity to provide additional care, or submits it to an insurer for reimbursement.

Likewise, the Privacy Rule sets standards designed to safeguard an individual’s privacy rights and gives the patient control over how his health information is used.  For example, a patient can put restrictions on a diagnosis if they don’t want it disclosed to a family member.  And they can file complaints if their health information has been shared without their permission.

With HIPAA Secure Now’s Privacy Tools, covered entities now have an online manual that they can search, and print out forms, including patient request for amendment of their protected health information, patient complaint forms, as well as patient restrictions on their protected health information, to name a few. The manual covers policies and procedures, including different scenarios of the privacy rules, such as when covered entities can share patient information with or without authorization.

An in-depth training program, also provided in an online format, helps employees understand the standards of the HIPAA Privacy Rule and what could put the practice at risk for breaking patients’ confidentiality.  Training information is updated annually and takes less than two hours to complete.

About HIPAA Secure Now!

HIPAA Secure Now! has been helping clients comply with the HIPAA Security Rule since 2009.  The company’s all-in-one solution provides risk assessment, which also satisfies Meaningful Use requirements, as well as privacy and security policies and procedures, and training.  HIPAA Secure Now! moves customers toward HIPAA compliance quickly and easily, and protects them in the event of an audit. Customers can complete the entire process in less than three hours, and regularly comment that it is painless and has made their lives easier.  For more information visit www.HIPAASecureNow.com.

April 8, 2015 | Written By John Lynn