According to the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC), the most common types of cyberattacks targeting the healthcare sector include cloud compromises and attacks in the supply chain resulting from stolen or compromised credentials. These stolen or compromised credentials can then be used to commit further malicious activity. NJCCIC said that data breaches cost the healthcare sector more than any other sector, with additional costs from regulators for HIPAA violations. Cybersecurity threats can also endanger patient safety and care delivery.
In NJCCIC’s latest weekly bulletin, they said that threat actors continue to target healthcare organizations with phishing attacks, ransomware, and Internet of Things (IoT) device attacks. Social engineering techniques are often used to launch their attacks. For example, the Zeon threat group impersonates healthcare software solution vendors focused on patient data in order to create a sense of trust and lure potential victims with fraudulent invoices to a malicious call center. NJCCIC said this is similar to the BazarCall spearphishing attacks initially used by Ryuk ransomware operators and later relaunched by Conti ransomware operators. The threat actors silently install malware to obtain unauthorized access and steal data.
Furthermore, insecure or outdated systems and devices connected to the network are a top concern for the healthcare sector. Threat actors continue to target healthcare environments consisting of traditional IT infrastructure, industrial control systems, operational technology (OT), IoT devices, and Internet of Medical Things (IoMT) devices. As the number of connected, unmanaged devices surges, healthcare organizations are more vulnerable to attacks and are advised to proactively protect their systems and devices, especially when patient safety is at risk.
NJCCIC said they highly advise healthcare sector organizations to actively secure systems and medical devices, regularly scan to identify and address vulnerabilities, and increase employee awareness and reporting in order to reduce the risk of compromise from cyber threats. They also said organizations should exercise caution with emails, particularly from unknown senders; refrain from enabling macros in email attachments; reduce or eliminate external-facing systems; maintain a comprehensive data backup plan that includes offline backups; and ensure that incident response and continuity of operations plans are in place, particularly for ransomware.
Compliance Perspective
Issue
The healthcare sector is one of the largest victims of ransomware because a breach of confidentiality is so damaging and because online patient records are critical to care delivery. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. The HIPAA Security Rule also requires implementation of security measures that can help prevent the introduction of malware, including ransomware. It is imperative that all nursing facilities become proactive in preventing ransomware attacks to avoid data breaches, which are reportable under HIPAA requirements.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, the Privacy Rule, and data integrity. Ensure that they address how to avoid falling prey to security breach efforts by unauthorized individuals, and how to guard against and detect malicious software. Update as new information becomes available.
- Train appropriate staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposures, unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
- Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed. Also audit to make sure computers and other devices are regularly scanned and updated.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*