Articles on this Page
- 06/15/17--09:59: _WannaCry hackers ju...
- 06/16/17--07:44: _Former US CISO call...
- 06/20/17--08:07: _Expert tips on brac...
- 06/22/17--10:57: _It's not just Wanna...
- 06/27/17--09:17: _Global ransomware a...
- 08/03/17--11:25: _WannaCry hackers ca...
- 08/29/17--09:13: _WannaCry victim NHS...
- 09/14/17--06:47: _Experts back Senate...
- 09/20/17--13:27: _Hackers hate ransom...
- 10/24/17--07:16: _New WannaCry varian...
- 11/30/17--12:08: _After WannaCry knoc...
- 12/19/17--07:34: _Trump administratio...
- 02/19/18--06:08: _Penn Medicine CISO:...
- 03/06/18--13:12: _NIH, experts warn h...
- 03/22/18--09:38: _Sidelined HHS Deput...
- 04/17/18--09:59: _US, UK accuse Russi...
- 04/20/18--10:19: _Nearly a year since...
- 06/15/17--09:59: WannaCry hackers just getting started, former federal CISO says
- 06/16/17--07:44: Former US CISO calls for Trump to fill that post
- 06/20/17--08:07: Expert tips on bracing for future WannaCry attacks
- 08/03/17--11:25: WannaCry hackers cash out $143,000 in ransom money
- 08/29/17--09:13: WannaCry victim NHS Lanarkshire hit by new ransomware strain
- 09/14/17--06:47: Experts back Senate IoT security legislation
- 09/20/17--13:27: Hackers hate ransomware, but it's quickly becoming the new DDoS
- 10/24/17--07:16: New WannaCry variant takes down North Carolina provider
- 02/19/18--06:08: Penn Medicine CISO: 3 Strategies every security team should have
- 03/06/18--13:12: NIH, experts warn healthcare pros to stay vigilant to thwart hackers
- 04/17/18--09:59: US, UK accuse Russia of actively targeting internet routers, devices
The initial WannaCry attack on May 12 rocked the globe and security experts are now saying it infected at least a million more systems than originally thought.
While conservative estimates place the number of impacted computers at about 300,000 in some 150 countries, security firm Kryptos Logic CEO Salim Neino said in actuality WannaCry struck 1-2 million computers.
Not only that, but Kryptos Logic — the firm responsible for finding the kill switch that stopped the majority of the spread — has thwarted an additional 60 million infection attempts. Seven million of these attempts were made in the U.S. alone, and Neino estimates these attacks could have impacted 10 to 15 million unique systems, at a minimum.
Further, the initial incident in May was just a small start and, indeed, the bulk of the attacks happened in June.
The largest attempt Kryptos Logic thwarted and measured to date was on a well-funded hospital on the east coast.
“WannaCry is a slow pitch soft ball, whereas the next one may be a high and tight fast ball coming in,” Gregory J. Touhill, former federal CISO and adjunct professor of cybersecurity and risk management at Carnegie Mellon University, told a Science, Space and Technology committee on Thursday. “We need to be ready.”
“It’s very likely the health system is unaware of the attempt,” explained Neino. “Most organizations don’t know they’re being exploited… Because WannaCry is self-propagated, the actors don’t even need to be in existence. The virus continues to proliferate in the actors’ absence.”
WannaCry was just one manifestation among many new kinds of disruptive threats, Symantec CTO Hugh Thompson said. “The threat landscape continues to evolve quickly, not just in technology, but in the social engineering methods used. The explosive growth of attacks like WannaCry and Mirai demonstrates the need for layered defense.”
All of the security experts pointed to the need to better plan an organization’s security program. And it’s not necessarily about a need for more sophisticated technology.
“Cybersecurity is a risk management issue. But many people mistakenly recognize it solely as a tech concern,” said Touhill. “Cybersecurity is a multidisciplinary risk management issue, and an essential part of a healthy risk management program.”
Thompson added that the U.S. must be prepared to fight a determined adversary that has already penetrated initial defenses.
“There’s no question that WannaCry was an important event,” he said. “But it won’t be the last. It’s more of an indicator of what’s to come. We lucked out, but next time we won’t be so lucky.”
At a House subcommittee meeting focused on the WannaCry threat and security needs, the first government chief information security officer pointed out the most obvious security need for the country: for President Trump to appoint a new federal CISO.
“I urge the Congress to continue its great efforts to strengthen our enterprise risk posture, and I urge you to authorize and empower the federal CISO -- which is currently not authorized or specified,” Touhill implored the House Science, Space and Technology committee on Thursday.
Touhill, who currently serves as adjunct professor of cybersecurity and risk management at Carnegie Mellon University, was deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security, before Barack Obama called Touhill to the position in September.
Obama created the CISO position as a crucial component of the administration’s $19 billion Cybersecurity National Action Plan unveiled in February 2016. The role is designed to oversee the federal government’s cybersecurity policy and implementation.
Touhill left the position in February after the Trump transition. In an exit letter he wrote that the government should concentrate less on new policy and more on improving organizational architecture and culture to support what already exists.
Trump has left the position vacant, which is concerning given the increase in cyberthreats and cybercriminal sophistication, not least because, without a federal CISO, there is no one in the administration to determine best practices.
Touhill also called for a renaming of the NIST Cybersecurity framework to the National Cybersecurity Framework. While NIST did a great job in crowdsourcing to create the framework, it should reflect that it’s a national need.
Touhill said the Inspector General and auditing committees should assess the entire government IT systems and reinforce the need to conduct appropriate audits using the renamed NIST framework. Cybersecurity groups like NIST should be giving those auditing direction.
“Cybersecurity is a risk management issue, but many people mistakenly recognize it solely as a tech concern,” said Touhill. “We need to harden the workforce, treat information as an asset and make risk management a priority.”
The WannaCry cyberattack has implications for the future of healthcare security, especially as the recent Health Care Industry Cybersecurity Task Force report came out essentially saying that the healthcare industry is in the midst of a staffing crisis.
During a Congressional hearing last week, Greg Touhill, former federal CISO and adjunct professor of cybersecurity and risk management at Carnegie Mellon University, equated the initial WannaCry attacks to a slow-pitch softball and said more attempts are coming, and that the next one might be a fast ball.
With WannaCry, there’s the good, the bad and the ugly. First the good. Ransomware attacks like WannaCry aren't particularly hard to avoid, said Lance Hayden, chief privacy and security officer at clinical trials technology vendor ePatientFinder. Hayden’s career spans more than 25 years in the security field, including positions with the CIA and Cisco.
“Regular backups, effective user training and updated software stop the majority of these attacks dead,” Hayden explained. “The security industry has lots of smart ‘good guys’ who are attacking the problem; case in point, the researcher who triggered the WannaCry kill switch.”
Then there is “the bad” to contend with. WannaCry was different in that it propagated on its own, rather than through phishing e-mails, and that’s disturbing.
“Although good hygiene is enormously effective, most organizations don’t practice good hygiene until it’s too late: after an attack,” he said. “The security industry is up against lots of smart ‘bad guys’ who only have to be successful once to cause lots of problems.”
And of course, with something as big and bad as WannaCry, there is “the ugly.” The recent Health Care Industry Cybersecurity Task Force report, for instance, shows systemic problems in healthcare that represent huge risks to the industry.
“Tools like WannaCry will only get more sophisticated; WannaCry took advantage of tools stolen from the government and released into the wild,” he added. “Healthcare CIOs and CISOs need to prepare, not panic. Healthcare security is a challenge, but no different than any of the other challenges the industry has had to face and overcome during its history. It’s not magic.”
Hayden advised healthcare CIOs and CISOs to put more effort and resources into their security program and understand that the preventative costs one thinks they cannot afford today pale in comparison to the reactive costs one will incur during a breach.
“Embed security into the culture: The human firewall is the single most effective security solution,” he said. “However, like safety or innovation, security is a cultural attribute that is hard to just embed by fiat. If creating an innovative culture was that easy, every company would be as innovative as a Google, Apple or Facebook just by implementing annual innovation training.”
There are “strategic intangibles,” and security is one of these, Hayden said. “The only way to make it happen is for the entire organization to decide that it’s important, and then to take it seriously. That kind of commitment usually starts at the top.”
One of the most notorious and seemingly indestructible ransomware variants is back. And as its hackers rushed the latest campaign, Locky is only zeroing in on outdated Windows systems.
Talos, Cisco’s cyber threat intelligence arm, was one of the security teams who discovered the reemergence of Locky.
The group responsible, Necurs, launched Jaff, which had been performing well for them, this year in place of Locky. However, Kaspersky Labs discovered a flaw in Jaff that allowed the team to create a decryptor, which shut down Jaff operations.
The researchers presume this is why Necurs reintroduced their most successful virus.
The latest round of Locky is still being distributed via email with two zip attachments that contain the virus in .exe format. It’s not unlike those in the past: the emails contain order confirmations, payment receipts and other business needs. The goal is to use social engineering to dupe its victims.
Further, the latest Locky campaign accounted for 7.2 percent of email volume on just one of the security firm’s systems in the first hour of its launch. It appears the hackers have since slowed the campaign, but Necurs still continues to send the virus in smaller quantities.
Talos realized the virus was ineffectual on its systems, as the company is running on the latest operating platforms. But there are many hospitals in the U.S. that run on outdated systems. And as Locky has launched numerous hospital-specific campaigns in the past, it’s important to fix security issues now.
Further, as the hackers are likely aware of the flaws and have slowed their current campaign, the latest Locky campaigns are only going to increase in frequency -- and skill.
“It's always risky clicking on links or opening attachments in strange email messages,” wrote Talos researchers. “Users that fail to heed this advice can easily become ransomware victims, and if the subsequent ransom is paid, the monies will no doubt fund another round of attacks.”
“As always, organizations are encouraged to make regular backups of their data, practice restoring said data, and store your backups offline far out of the reach of potential criminals,” they added.
A massive, data-scrambling ransomware attack is sweeping across Europe and causing mass disruption, the AP reports.
Global pharma giant Merck confirmed via Twitter that its computer network was compromised as part of the massive ransomware campaign. Company officials said the incident is under investigation.
Pennsylvania-based Heritage Valley Health System's network was also hit with the attack, officials told CBS Pittsburgh. The incident has spread throughout the $480 network, including satellite and community locations. The health system is running on downtime procedures to ensure there's no disruption to care.
Ukraine is being hit the hardest, with both company and government officials reporting serious intrusions at the Ukraine power grid, banks and government offices. The darkened computer screens read: “The whole network is down.”
Russia-based Rosneft Oil Company and Denmark-based shipping giant A.P. Moller-Maersk also fell victim to the hacking. Container ship terminals in Rotterdam run by Maersk were affected, which officials said could have led to serious consequences. However, the company was able to switch to a reserve control system.
“We are talking about a cyberattack,” Anders Rosendahl, a Maersk spokesman, told the AP. “It has affected all branches of our business, at home and abroad.”
The number of victims is rapidly increasing, and it’s quickly turning into a crisis -- much like May’s WannaCry attack that shut down networks across 150 countries. Security experts at Bleeping Computer say the virus is already running rampant in the U.K., India, the Netherlands and Spain, among others.
The security researchers said it’s currently not as big as WannaCry, but the volume is considerable.
At the moment, there is little information as to who might be responsible for the attack, but security experts are certain it’s ransomware. The strain is most likely Petya, which encrypts Master File Table (MFT) entries and overwrites the Master Boot Record.
The virus is known to be much more intrusive than other ransomware strains, as it reboots systems and prevents computers from working. It’s spread by email through infected Microsoft Office documents. These documents execute the SMB worm, which spreads to other computers (much like WannaCry).
As for why the strain has suddenly become more virulent, Bleeping Computer said it’s likely the Petya author was inspired by the WannaCry attacks. So far the attackers have already pocketed $2,000 -- the amount WannaCry's operators took in during a single day.
Most of Europe is still attempting to recover from WannaCry. The U.K. National Health Service was one of the hardest organizations hit, with over 20 percent of its trusts shut down by the virus. Security experts recently told Congress that WannaCry is still attempting to hack into unpatched systems and that these types of attacks were inevitable.
We will update the story as more information becomes available.
The cybercriminals behind the global WannaCry ransomware attack have finally cashed in the $143,000 -- or 52.2 bitcoins -- paid by some of its victims, according to an online bot tracking payments made to WannaCry hackers.
The bitcoin payments made by victims were withdrawn Wednesday night -- with the last withdrawal made at 3:25 a.m. Thursday. All of the online wallets associated with WannaCry are now empty. Only 338 victims paid the $300, but the hackers waited until now to withdraw funds.
Cryptocurrencies like Bitcoin are preferred by hackers as it’s incredibly difficult to trace the payments. It’s likely whoever withdrew the funds will launder the money to ensure the payment can’t be traced.
There’s been no official confirmation as to the identity of the hackers. However, many security experts have made connections to the hacking group Lazarus, which has ties to North Korea.
Tom Robinson, co-founder of Elliptic, a London firm that helps law enforcement track down cybercriminals, told CNBC that the bitcoins are likely being converted into a different cryptocurrency: Monero, a privacy-focused cryptocurrency.
Robinson is working with law enforcement to trace the movement of these funds, in hopes of finding the owners likely responsible for perpetrating the attack.
WannaCry struck organizations with file-encrypting ransomware around the globe in May, infecting more than 300,000 computers and crippling systems in the U.S., Brazil, Europe, Russia and China. It devastated the U.K. National Health Service and two large U.S. hospital systems.
The hackers leveraged a Windows SMB vulnerability. Microsoft issued a patch for the specific flaw in a March 2017 update and a secondary patch for outdated systems soon after the attack. The patch prevented system exploits, but not computers already infected with WannaCry.
The virus continued to claim victims after the initial attack, as late as June.
Scotland’s NHS Lanarkshire was hit by ransomware on Friday, delaying some services and operations at a few of the trust’s hospitals.
NHS Lanarkshire is made up of Hairmyres, Monklands, Wishaw General and Community Hospitals, along with several health centers and treatment centers.
Lanarkshire officials quickly acknowledged the attack, citing IT difficulties, and patients were encouraged to think before visiting the emergency departments while systems were down. However, “emergency care will still be provided for those who do require to be seen."
The following day, officials reported it was malware and that its staff “have worked hard to minimize the impact on patients and our contingency plans have ensured we have been able to continue to deliver services while the IT issues were resolved.”
“Unfortunately a small number of procedures and appointments have been cancelled as a result of the incident,” officials said. “I would like to apologize to anyone who has been affected by this disruption, however I can assure you that work is already underway to reappoint patients.”
By the weekend, a majority of services had been restored, but officials said it will still be some time until operations are back to normal. Wait times have been longer than normal during the incident.
The investigation revealed the attack was ransomware, specifically a new strain called Bit Paymer -- a well-coded strain that looks like the work of experienced programmers, a report from BleepingComputer found.
Other samples of Bit Paymer were found by the security-researching site in mid-July, while other security researchers saw similar campaigns in June. The ransomware spreads using brute-force campaigns on unpatched RDP endpoints.
Once in, the attackers move across the victim’s network and install the virus on each computer within the breached system. There’s currently no way to decrypt files encrypted by Bit Paymer, and the ransomware asks for up to $230,000 to decrypt infected files.
This is the second time NHS Lanarkshire has fallen victim to ransomware. It was one of the hardest hit hospitals of the WannaCry attacks in May that crippled services at the majority of the U.K.’s National Health Service.
The security of the Internet of Things is a key concern today. But in healthcare, IoT security literally can be a matter of life or death.
Healthcare could be on the brink of massive security standard changes when it comes to the IoT. For example, a new U.S. Senate bill, the Internet of Things Cybersecurity Improvement Act of 2017, would require IoT devices sold by vendors to the federal government to meet minimum security standards. This includes sales to Defense Department and Veterans Affairs healthcare facilities, which would filter out to the rest of the healthcare industry as a result.
This legislation targets the low-hanging fruit of healthcare device cybersecurity, said Josh Jabs, vice president of public key infrastructure and IoT solutions at Entrust Datacard, a security technology company.
“It requires vendors of Internet-connected healthcare devices to have a higher minimum standard of security,” Jabs said. “For healthcare provider organizations, they can expect their device vendors to supply equipment that can be patched. Healthcare devices have a lifecycle that may include the need to modify the original firmware that controls the device, especially if security issues are found after design and manufacture.”
Additionally, the legislation requires vendors to provide devices configured so that their single-factor authentication credential, the username and password, can be changed, rather than being hard-coded. The Mirai botnet, for example, exploited exactly such default and unchangeable credentials.
The time is ripe for IoT security legislation. Healthcare providers in the U.S. have very little guidance on how to protect IoT/medical devices within their infrastructures today.
Aside from some guidance from the FDA and PII-centric HIPAA requirements, there are no federal requirements in terms of how to protect, detect and respond to security threats affecting IoT/medical devices that could lead to device manipulation, data exfiltration or, worse, direct patient harm, said Chris Sherman, a security and risk analyst at Forrester Research who specializes in the Internet of Things and medical device cybersecurity.
“Providers should prepare for legislation in this area,” Sherman said, “by formalizing their own medical device security policies, while demanding their device suppliers adhere to application security best practices and medical security certifications, as well as building out their own device monitoring capabilities.”
Jabs has suggestions for how provider organizations can better protect IoT/medical devices today.
“The WannaCry ransomware attack showed us that patching desktop systems is important for healthcare providers,” he said. “Providers also should take inventory of connected systems, which will help to identify risk beyond privacy measures specified by HIPAA. Even if the cybersecurity maturity of your healthcare organization is low, it is a good first step.”
And, he added, the Presidential Policy Directive 21 (PPD 21) has identified healthcare providers as critical infrastructure. Work is being done to help healthcare providers get the most out of the National Institute of Standards and Technology cybersecurity framework, he said, so that ultimately providers can understand how to measure and remedy risk.
As prolific and intrusive as ransomware has become, it would seem that the majority of cybercriminals are reveling in this lucrative attack vector. But a new report from security firms Anomali and Flashpoint found that there are many dark web forum administrators facing an ethical dilemma about its sale.
Money is the biggest priority for hackers, and ransomware is designed to be an easy attack vector. In just one click, they can send millions of messages, and with just a handful of paid ransoms, hackers can make thousands of dollars.
But prior to 2016, Russian underground administrators believed ransomware shouldn’t be used, as it wasted botnet installs and exploit kits, while others dubbed it a ‘low-end maneuver’ resulting in ‘intellectual death.’
An ethical dilemma
Ransomware first gained traction in 2016. The attack on Hollywood Presbyterian Medical Center was the first major hack on the healthcare industry that signaled what was to come. Hackers demanded the hospital pay about 40 bitcoin or about $17,000 at the time -- or risk a shutdown of operations.
The hospital paid up. And the attack again struck up the divisive conversation among hackers.
“The targeting and exploitation of Westerners -- in particular United States citizens -- is highly encouraged,” the researchers wrote. “Nevertheless, news of the attack against Hollywood Presbyterian was coldly received by Eastern European cybercriminals, many of whom regarded the incident as reckless and unacceptable.”
Some reputable members expressed frustration and condemned those who attack hospitals, while those who support and or sell the malware left emotion out of the equation: “[the attackers] scored. It means everything was done properly.”
In the months that followed in 2016 -- dubbed ‘The Year of Ransomware’ -- ransomware increased a whopping 6000 percent. Adding to its continued proliferation was the fact 70 percent of victims chose to pay the ransom, making it one of the most profitable attack vectors.
Citing issues like too much noise, low-level crime and its unethical nature, the researchers found that many threat actors are contemplating a ban on ransomware.
“It attracts attention to malware and causes companies to introduce measures to increase their security,” said one hacker. “It increases general awareness of topics related to information security.”
Other concerns were about ransomware causing organizations -- or potential victims -- to block malware tools.
“Allowing ransomware operators on the forum, we are digging our own grave,” the hacker continued. “Of course, banning this work on the forum doesn’t stop this type of business, but as a minimum, we can use community disapproval to make it more difficult to enter into it.”
Nearly 49 percent of the threat actors shared support of the ban. Those hackers not on board stressed that ransomware use is a personal decision. In fact, some threat actors pointed out there is only one rule on the dark web: Don’t target Russia.
Will ransomware fall to the wayside?
Don’t count on it.
“These multi-stage attacks and the high success rate ensure that the propensity of ransomware attacks is not declining in the near future,” ICIT Senior Fellow James Scott said. “Too many victims remain susceptible.”
“Consider that if ransomware were in decline, the ethical debate concerning victim choice would not have remained as consistent on low-level forums before and after massive attacks such as Hollywood Presbyterian,” he added.
In fact, Scott said he thinks that ransomware’s focus has slightly shifted since the mass proliferation in 2016. While it’s not necessarily the fastest profit generator anymore, ransomware is the new distributed-denial-of-service (DDoS) attack.
Consider Petya: The hackers disguised the wiper malware as ransomware. It dictated the media coverage, which allowed the virus to follow through with its true purpose -- to destroy data. In just a few hours the massive attack shut down a large portion of the Ukrainian government, while many large organizations like FedEx, Merck and Nuance are still attempting to get operations back to normal.
To Scott, it’s important to note the research focused on forums where the administrators are more revered. But not all dark web forums are created equal.
“On other forums, ransomware is not as taboo,” said Scott. “Many Deep Web market users buy whatever malware suits their intended attack without consulting the opinions of moderators or other members.”
Further, “most vocal forum users are script kiddies, hacktivists, and cyber-criminals. They participate on forums for attention and launch attacks for profit,” he added. “These are the attackers who might question the ethical dilemmas before launching an attack because they are not as technologically sophisticated or as capable as higher level attackers.”
Scott also noted that the more advanced, sophisticated cybercriminals rely on ransomware as a distraction for larger, multi-stage attack campaigns. Essentially, while responders handle the initial ransomware attack, the hackers are already deploying malware across the networks and exfiltrating data.
“In addition to theft, if all or most backup and redundancy systems were infected with ransomware then the victim cannot know if an attacker altered critical data sets,” said Scott.
“Ransomware is not as profitable as some other malware campaigns, but it is much more distracting. It increases the success rate of other attacks, which may not be launched for profit.”
And for healthcare organizations, it’s these types of attacks that should be most alarming, as spikes in successful ransomware attacks are caused by low-level attackers hoping to find similar success.
The computer network of Pinehurst-based FirstHealth of the Carolinas was shut down by a new form of WannaCry last week.
The health system detected the virus on Tuesday afternoon, and the organization took its system offline while it attempted to remove the malware from its system, according to FirstHealth’s alert. FirstHealth’s staff initiated its downtime procedures at that time.
The site has not yet been updated with its current status, but officials said it will remain offline out of an abundance of caution to make sure all devices and its system are clear of the threat.
The organization developed an antivirus patch specifically for the WannaCry virus, which it's implementing across the entire network. FirstHealth will provide the tool for other healthcare organizations to use.
“As a result of the quick response by the information system security team, the virus did not reach any patient information, operational information or databases,” officials said. “Patient information has not been compromised. At this time, it appears that no damage has occurred to the network or devices.
“We are experiencing some delays and appointment cancellations as a result of the downtime event,” officials continued. “This does not apply to critical and emergent needs. We sincerely apologize for any inconvenience this has caused.”
WannaCry first struck in May, devastating organizations around the globe, including the UK’s National Health Service. The ransomware strain was part of April’s massive NSA leak from the cybercriminal group the Shadow Brokers.
Although a kill switch was found for the virus a day later, it merely slowed down the attack. Overall, 300,000 users from 150 countries fell victim to the virus.
The U.K. National Health Service recently launched a 20 million pound -- or about $27 million -- project for a new security operations center to help its hospitals and health centers fend off cyberattacks.
The new Security Operations Center will improve the health system’s current security capabilities, including ethical hacking, malware analysis and pen testing. The center is also tasked with giving NHS Trusts cybersecurity guidance.
The announcement comes on the heels of the massive global WannaCry attack. Over 50 NHS Trusts were impacted by the attack, including about 600 surgeries and more than 19,000 appointment cancellations. In fact, five hospitals were forced to divert ambulances to other facilities.
The attack was the largest cyberattack ever experienced by the health system -- although individual trusts were hit by other hacks prior to the May 12 attack.
A National Audit Office report in October found that outdated and unsupported operating systems still in use by NHS and a lack of basic security measures left the organization vulnerable to attack.
One of the security center’s tasks will be to ensure all NHS Trusts are following best practices. Further, the center will perform ongoing monitoring. The funding will also invest in NHS Digital, the national IT partner of the health system, which will provide a monitoring service to analyze intelligence over multiple sources. NHS Digital will also share threat intelligence to all health providers.
The security center will give all NHS organizations dealing with a cybersecurity incident specialist support and on-site security assessments. To NHS Digital Security Center Head Dan Taylor, the partnership will provide needed resources during peak periods and help proactively monitor the web for emerging threats.
“It will also allow us to improve our current capabilities in ethical hacking, vulnerability testing and the forensic analysis of malicious software and will improve our ability to anticipate future vulnerabilities while supporting health and care in remediating current known threats,” said Taylor in a statement.
"By creating a national, near-real-time monitoring and alerting service that covers the whole health and care system, the SOC will drive economies of scale, giving health and care organizations additional intelligence and support services that they might not otherwise be able to access," he added.
North Korea was directly responsible for the WannaCry ransomworm that infected over 300,000 devices in more than 150 countries in May, the Trump administration’s Homeland Security Adviser Tom Bossert announced Monday night in a Wall Street Journal blog post.
“The attack was widespread and cost billions, and North Korea is directly responsible,” Bossert wrote. “We do not make this allegation lightly. It is based on evidence.”
“We are not alone with our findings, either,” he continued. “Other governments and private companies agree. The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government.”
Security firms Symantec, BAE Systems and Kaspersky Labs discovered a connection between the virus and the Lazarus Group in May, while Google Security researcher Neel Mehta was first to announce the tie. The hacking group is based in North Korea.
In June, the National Security Agency announced it had also uncovered ties between North Korea and WannaCry. The British government linked the two in October, and the CIA issued a similar statement in the following weeks.
This is the first public statement from the U.S. directly linking North Korea to the cyberattack.
WannaCry hit computers around the world on May 12, including many in the healthcare sector. Several U.S. health systems were impacted, while at least 16 U.K. National Health Service trusts were knocked offline. The attack crippled the organization: Staff were unable to access patient data, and ambulances were diverted to other locations.
This wasn’t the first major hack by the North Korean hacking group. Lazarus was responsible for the massive hack on Sony Pictures in 2014 and the theft of $81 million from Bangladesh Central Bank in 2016.
The U.S. Security Council has imposed severe sanctions on North Korea under the Trump administration, but those focus primarily on its nuclear actions. However, Bossert’s post appears to imply that the Trump administration will be further cracking down on the country’s “malicious behavior.”
“Stopping malicious behavior like this starts with accountability,” Bossert wrote. “It also requires governments and businesses to cooperate to mitigate cyber risk and increase the cost to hackers.”
“Trump has already pulled many levers of pressure to address North Korea’s unacceptable nuclear and missile developments,” he added. “We will continue to use our maximum pressure strategy to curb Pyongyang’s ability to mount attacks, cyber or otherwise.”
The information security industry had no shortage of moments that kept us all on our toes in 2017. Among the top headlines, we saw new variations of ransomware, such as WannaCry using cryptoworms to infect an estimated 300,000-plus computer systems in just four days. One of the largest credit agencies in the U.S. suffered a breach that affected over 100 million consumers, and researchers uncovered a hardware-level vulnerability in processors, affecting nearly every computer released since the mid-90s.
For those who are unaware of the cyber-threats present all around us, many believe 2017 was a year that served as another wake-up call for what the digital world is up against. Others, who are already highly aware of the threats we face, understand that while some of these attacks and discoveries proved to be highly sophisticated, cyber-criminals will continue to do what they do best – go after the path of least resistance.
Information Security leaders need to use this new level of awareness as an opportunity to implement some of the fundamental security controls that are no-brainers to an outsider, but require an extraordinary amount of coordination, support, and understanding from the business.
Patch management. It’s been one of the top recommended security controls for as long as we can remember, but getting patch management right continues to be a thorn in the side of many security programs around the world. This can be due to decentralized IT, fear of breaking applications and systems, or the worst-case scenario – you still have systems in your environment that are no longer supported. Getting this fundamental process in place will save organizations an incredible amount of time and pain, as seen from attacks such as WannaCry and NotPetya in 2017. When you break out basic cyber hygiene, patch management should always be part of the conversation.
Cloud Security. If you don’t think your business is already operating in the cloud in some way or another, you’re probably wrong. That said, if a strategic data center cloud model is in place or in the works, security teams should be inserting themselves into that planning or build-out as early as possible. Moving to the cloud without a security strategy incorporated can be a disaster waiting to happen. Your cloud environment should truly be an extension of your data center, and for many security teams, it’s a fresh opportunity to get it right from the start.
Email Protection. The old adage “if it’s not broken, don’t fix it” rings true for cyber-criminals as well. The fact is, sophisticated breaches may make it to the top of the news headlines, but criminals will continue asking employees for their credentials and information as long as they keep handing them out. Implementing a strong email security program, including DMARC, layered with stronger identity protection, such as two-factor authentication, will put organizations in a much safer place. Don’t forget about security awareness. Achieving a level of awareness that turns your workforce into security advocates (not professionals) should be the goal.
These are just three of the many strategies information security teams should have on their roadmap for 2018. Key initiatives, such as medical device security, increased network segmentation, vulnerability management, and user behavioral analytics are a few others that many programs remain zeroed in on as we move into the future.
Dan Costantino is the Chief Information Security Officer at Penn Medicine.
LAS VEGAS – As hackers increase in sophistication and the threat surface expands, cybersecurity needs to be a priority for all healthcare organizations.
That’s especially true since many of the global cyberattacks in the last year, like WannaCry and NotPetya, weren’t even targeting the healthcare sector, according to Albany Medical CISO Kris Kusche, speaking during a HIMSS18 Allscripts meeting on data security best practices.
“That’s the scary proposition,” said Kusche. “The largest threat is essentially the thing that is coming at us that we don’t know about.”
Plus, technology is changing so quickly that it’s difficult to keep up, he added.
For the National Institutes of Health, said Jon Walter McKeeby, the CIO for its Department of Clinical Research Informatics, “there’s the fear of everything… everybody can be attacked. And it only takes one device, one system.”
But maintaining all vulnerabilities “at one time is a difficult proposition,” McKeeby said. “We have to be more vigilant.”
The trouble is that budget constraints make security tough for many providers, and for healthcare providers in the private sector, patching systems and taking vulnerable equipment, such as MRI machines, offline isn’t always an option.
“It needs to get to the point where we don’t need to fight for the budget,” said Dara Barrera, Michigan State Medical Society’s manager of Practice Management and health IT.
“I want to be routine. I don’t want IT to be specially funded,” said Kusche. “I don’t want to have to say I need this special budget because then I will know [security] is part of the culture, part of the DNA of the organization.” And having a culture of security within an organization is crucial, given that people are one of the greatest weaknesses.
So how do healthcare providers manage all of these threats? NetSmart CISO Tony Maupin said it’s really about working closely with peers, the business unit and vendors, and getting “to know who is dealing with the same kinds of challenges you’re facing.”
“But also… challenge your vendors,” he added, to share best practices, think outside the standard practices and “get involved in those grassroots of security… Let’s just come together and work as a team.”
“To me it’s less about security, and more and more about risk management,” Maupin said. “We’re always going to have resource strains. It’s different for every one of you... but we’re all faced with more work than we can get done with our team.”
So organizations need to have a very clear understanding of risks, and clearly communicate the impact with the executives to make sure everyone grasps the gravity of the situation, Maupin explained. “Like anything else, you prioritize and do the best you can.”
With reports that Health and Human Services Chief Information Security Officer Christopher Wlaschin is stepping down at the end of this month, the department’s role in leading and facilitating security efforts in healthcare and other industries is more uncertain than ever.
The HHS Healthcare Cybersecurity Communications and Integration Center, in fact, has already been at the center of ongoing questions since Sept. 6, 2017, when HHS Deputy CISO Leo Scanlon and HCCIC Director Maggie Amato were abruptly reassigned for what they said was an investigation into allegations of “ethics violations.”
The House Energy and Commerce Committee is currently investigating HHS to determine whether it penalized Scanlon and Amato for whistleblowing. While the investigation is pending, the committee is operating under the assumption these allegations appear credible.
The committee has two major concerns: interference with the constitutional duty to conduct oversight and cybersecurity.
150 days and counting
Scanlon and Amato were first temporarily assigned to unclassified duties in separate locations, and Scanlon was then placed on full-time telework status. After a total of four newly assigned positions over the course of a month, Scanlon was put on administrative leave and Amato resigned.
As of Wednesday, Scanlon has been on paid administrative leave for just over 150 days -- despite the 120-day limit on government leaves. Scanlon told Healthcare IT News that his treatment has “no precedent” and the OIG investigator, his attorney and other tech leaders have not seen anything like this.
To make matters worse, Scanlon said he was recently informed by HHS that neither he nor Amato are now or have ever been under investigation. The news came as quite a shock, given that Scanlon was told his leave and assignment shuffling was based on that fact.
"As a matter of policy, the U.S. Department of Health and Human Services does not comment on matters related to pending litigation," an HHS spokesperson said. "In regards to HCCIC – we are always working with our partners across the government and the private sector to continue to improve our Nation’s cybersecurity."
And since no one from HHS has contacted Scanlon about these details since Sept. 6, he said he has essentially been left in the dark. While others in the industry have told him that HHS procedures are notorious for being difficult, his situation is certainly unique.
An HHS spokesperson told Healthcare IT News they were looking into Scanlon’s situation, but did not share further details. This story will be updated if more information becomes available.
The uncertain fate of HCCIC
HHS’ HCCIC had overwhelming support from Congress and industry leaders when it launched as part of a partnership with the National Health Information Sharing and Analysis Center (NH-ISAC).
It was designed to take a leadership role facilitating threat intelligence and other cybersecurity related information sharing and, in fact, played a pivotal role in fighting the global WannaCry attack in June of 2017.
“The threat has changed, the problem has changed,” Scanlon told the House Energy and Commerce Committee following the attack. “There are matters that need to be brought to light … Organizations are now being attacked on a level they aren’t capable of handling on their own.”
At that same meeting, Scanlon touted the efforts of the HCCIC and the progress it was making to coordinate on cybersecurity threats within the healthcare community.
But with the removal of HCCIC leadership and HHS Chief Information Security Officer Chris Wlaschin reportedly stepping down from his role on March 31, the future of HCCIC and, in turn, HHS taking a leadership role in healthcare cybersecurity, is uncertain, to say the least.
“At the moment, there is no HCCIC. It’s been completely decimated,” said Scanlon. “There’s no active committee for response … The short-term trajectory was to be physically and organically aligned with the NH-ISAC.”
“The agency has abandoned the committee that was made with HCCIC and that’s a big loss for NH-ISAC, which now has no partnership,” he added. “The agency is trying to avoid a real answer to that question.”
Digging in his heels
When asked why he didn’t resign with Amato, he cracked a few jokes, but most notably Scanlon said: “You pick a fight with me -- you finish it.”
He added that he chose to fight because he’s at the apogee of his career.
“I felt it was important to have a dead body, lying on the floor, so no one could walk away from it. Because it was clear they were going to push this under the rug,” Scanlon said. “We just don’t understand what happened. That’s a shock that forces someone to say: What are you doing? What is going on here? To force the issue.”
There are a lot of administrative tools available to address the situation, and they can be put into place and set into motion, he explained.
Scanlon insisted that his situation is not dire, both financially and with his reputation. HHS recently approved his request to consult while on leave, and he also feels supported by his colleagues, friends and others in the industry.
“This is dirty politics,” said Scanlon. “Everyone needs delegation -- that’s the end game.”
Russian hackers are actively targeting devices that control the flow of internet traffic to gain access and spy on Western governments and businesses, according to a rare joint alert from the U.S. and U.K. released Monday.
Delivered by the Department of Homeland Security, the FBI and the U.K. National Cyber Security Centre, the warning outlines Russian state-sponsored cyberattacks penetrating software programs and devices, including firewalls and internet routers, on a global scale.
The goal, according to officials, is to steal company secrets and spy on these countries. The hackers also are attempting to lay the foundation for future cyberattacks, the agencies said.
"The current state of U.S. network devices – coupled with a Russian government campaign to exploit these devices – threatens the safety, security and economic well-being of the United States," agency officials wrote.
Both the U.S. and U.K. found Russia was responsible for the global NotPetya attack in May 2017. Hackers targeted and crippled Ukraine’s infrastructure, but a long list of other businesses were caught up in the destructive attack, including the U.K. National Health Service and several U.S. healthcare providers.
Healthcare organizations need to be aware of the increase of these Russian attacks. While the healthcare sector may not be an initial target, malware can proliferate quickly outside of its intended victim – as seen with NotPetya and also the global WannaCry attack this past June.
The alert comes at a critical time, with the recent departures of two top government cybersecurity officials. The White House announced on Tuesday that its Cybersecurity Coordinator Rob Joyce will leave his post to return to work at the National Security Agency.
The move comes just one week after Joyce’s boss, former White House Homeland Security Adviser Thomas Bossert, was reportedly forced out by new National Security Adviser John Bolton. Joyce had been filling Bossert’s role in an acting capacity since that announcement.
Their departures leave major holes in the Trump administration’s cybersecurity leadership.
The global WannaCry attack that crippled business operations across the globe happened almost a year ago. But since falling victim, the U.K. National Health Service has yet to fully implement the necessary cybersecurity requirements that would prevent a similar fate if an attack struck again.
A new report from the U.K. Commons Public Accounts Committee outlines how unprepared the health system was before the attack in May. Its hospitals and clinics were shut down and 20,000 appointments were canceled. For some of its trusts, systems didn’t return to normal service for a number of weeks.
The crux of the issue was governance and silos, according to the report. Officials didn’t know whether organizations were prepared for a cyberattack and relied too heavily on the local trusts’ assessments of their governance.
But even a year out from the attack, both the government and the NHS have a long way to go to ensure their systems are prepared for the next virus. In fact, none of the 200 trusts passed the cybersecurity assessment by NHS Digital.
The investigation into the health service by members of parliament found some of the trusts failed the assessment “not because they had not done anything on cybersecurity, but rather that the Cyber Essentials Plus standard against which they are assessed is a high bar.”
Cyber Essentials Plus is comparable to the U.S. NIST Cybersecurity Framework.
“However, some trusts had failed the assessment solely because they had not patched their systems – the main reason the NHS had been vulnerable to WannaCry,” the report read. “It’s also concerned that trusts that were not infected by WannaCry could become complacent over cybersecurity and not keep on top of their cybersecurity risks.”
The lack of patching is concerning, as that was how WannaCry was able to inflict so much damage.
The malware was powered by the leaked NSA hacking tool EternalBlue, which targeted a vulnerability in outdated Windows software. While Microsoft released a patch for the flaw in March, it wasn’t applied by many organizations. As a result, WannaCry proliferated across the globe.
NHS England and NHS Digital officials told investigators they were still struggling to apply patches due to the size and scope of the trusts.
“Patching can disrupt the use of medical equipment and present a clinical risk to patients, and applying a patch in one part of an IT system can cause disruption elsewhere in that system,” NHS officials told the MPs.
But the MPs stressed that with proper segmentation and firewalls, those systems could still be protected.
Another issue hindering progress on the cybersecurity front is that the Department of Health “still does not know what financial impact the WannaCry cyberattack had on the NHS.” The MPs gave the NHS until June to update the cost plans for its crucial cybersecurity investment.
And more concerning is that while NHS Digital told investigators understanding cybersecurity needs at a local level was a priority, officials lack some key information “to manage any future national attack on NHS such as on the use of anti-virus software and IP addresses.”
The NHS is also struggling with the global security talent shortage and told the MPs “it has only 18 to 20 ‘deeply technically skilled people.’” Without the right staff in place, it will be difficult to apply the necessary changes.
However, the investigation said WannaCry was “a wake-up call for NHS.” And since the attack, NHS and the government have “improved their understanding of local organizations’ readiness for another cyberattack.”
NHS Digital has assessed the cybersecurity readiness at 200 trusts, compared to just 88 assessed before that attack. And those assessments, despite all failing the readiness test, revealed to NHS Digital the most vulnerable trusts.
“WannaCry was a financially motivated ransomware attack, and as such relatively unsophisticated (it locked devices but did not seek to alter or steal data),” the report read. “However, future attacks could be more sophisticated and malicious in intent, resulting in the theft or compromise of patient data.”
“The department and its arms-length bodies accept that cyberattacks are now a fact of life and that the NHS will never be completely safe from them,” it added.