Over 212,500 Patients Impacted by 2020 Email Account Breach at Florida Digestive Health Specialists

The gastroenterology healthcare company located in Bradenton, FL, known as Florida Digestive Health Specialists (FDHS) has recently informed around 212,000 patients concerning the potential compromise of their protected health information (PHI) due to a cyberattack last December 2020.

Attorney Jason M. Schwent of Clark Hill mailed breach notification letters to the affected patients on December 27, 2021. The notification letters stated that there was suspicious activity found in the email account of a worker on December 16, 2020. An unauthorized individual used the email account to send email messages.

This was a business email compromise attack. BEC attacks entail an attacker obtaining access inside an email account, typically by means of a phishing email, and then using it to impersonate the employee and persuading other individuals to do fake wire transfers. On December 21, 2020, FDHS found a fraudulent money transfer to an anonymous bank account.

FDHS engaged Clark Hill’s expert services and a third-party cybersecurity firm to check into the cyberattack. According to the investigation, unauthorized persons got access to several employees’ email accounts. The email accounts were known to be “voluminous” and contained the personal information and protected health information (PHI) of 212,509 patients. The goal of this type of attack is to obtain payments through bogus wire transfers and not to get patient data; still, data theft could not be ruled out.

The amount of data contained in the breached email accounts were used as a reason for delaying the sending of notification letters to the impacted patients for 12 months. FDHS explained that it took a long time to audit the email accounts, which only concluded on November 19, 2021.

As a result of the breach, several changes were done to its IT systems to improve safety. The safety procedures consisted of a password reset in all its IT networks, use of multifactor authentication, strengthening password criteria, and re-establishing of its firewall.

Affected individuals were provided zero-cost credit monitoring and identity theft protection services for one year.

Learnings from a Big Healthcare Ransomware Attack

One of the most severe healthcare ransomware attacks happened in Ireland at the beginning of 2021. A serious attack on the Health Service Executive (HSE), the national health system of the Republic of Ireland, allowed Conti ransomware to be deployed and shut down the National Healthcare Network. Consequently, healthcare specialists throughout the country could not access the HSE IT systems, which include patient records, clinical care systems, laboratory systems, payroll, as well as other clinical and non-clinical systems. This disrupted the healthcare services throughout the country.

After the attack, the HSE Board called on PricewaterhouseCoopers (PWC) to perform an independent post-attack analysis to confirm the facts associated with technical and operational readiness and the conditions that permitted the attackers to obtain access to its systems, copy sensitive information, encrypt data files, and extort money from the HSE.

Cybersecurity Problems that are Prevalent in the Healthcare Sector

PWC’s recently released report shows several security problems that permitted the infiltration of the HSE systems. Although the report refers to the HSE cyberattack, its results could be applied to numerous healthcare companies in the United States that have the same unresolved vulnerabilities and insufficient readiness for ransomware attacks. The PWC recommendations may be employed to reinforce security and prevent the same attacks from happening.

Although the HSE ransomware attack impacted a substantial number of IT systems, it began with a phishing email. On March 16, 2021, a staff got an email having a malicious Microsoft Excel spreadsheet attachment. Upon opening the attachment, the malware was installed on the unit. Even though the HSE workstation had an installed antivirus software, it failed to detect the malicious file because the virus definition list was not updated for more than a year.

After one device was infected, the attacker moved laterally inside the network, accessed a number of accounts having high-level privileges, obtained access to many servers, and exfiltrated information. On May 14, 2021, 8 weeks from the first compromise, Conti ransomware was widely deployed to encrypt files. The HSE discovered the encryption and de-activated the National Health Network to control the attack. However, healthcare specialists throughout the country could not access applications and vital information.

In that 8 weeks of systems compromise, suspicious activity was found on over one occasion which must have prompted an investigation into a possible security breach, however, there was no response on those notifications. If proper action was carried out, it would have been possible to prevent the deployment of ransomware and the exfiltration of sensitive information.

Simple Strategies Employed to Devastating Result

As per PWC, the attacker used well-known and straightforward attack techniques to maneuver around the network, determine and exfiltrate sensitive information, and use Conti ransomware in many areas of the IT network easily. The attack may have been a lot worse. The attacker may have exploited medical devices, damaged data at scale, employed auto-propagation systems like those employed in the WannaCry ransomware attacks and may have targeted cloud systems as well.

The HSE clearly stated that it wouldn’t pay the ransom. On May 20, 2021, after 6 days of shutting down the HSE IT system access to control the attack, the ransomware attackers released the decryption keys. Thanks to a strong attack response and the release of the decryption keys, severe effects had been prevented. But despite having the decryption keys, it was only on September 21, 2021 that the HSE had completely decrypted all files in its servers and reestablished about 99% of its software. The HSE approximated the cost of the attack can grow to as much as 500 M Euros.

Ireland’s Biggest Company Had No CISO

PWC stated the attack happened because of a low level of cybersecurity readiness, weak IT systems and controls, and workforce problems. PWC stated there was not enough cybersecurity leadership, since there was no person in the HSE in charge of giving leadership and guidance over its cybersecurity initiatives, which is quite uncommon for a company with the size and sophistication of the HSE. The HSE is Ireland’s biggest company and had more than 130,000 personnel and over 70,000 devices during the attack, although the HSE only had 1,519 employees with cybersecurity functions. PWC stated that the staff members responsible for cybersecurity didn’t have the required skills to execute the tasks required of them and the HSE should have a Chief Information Security Officer (CISO) having overall accountability for cybersecurity.

Insufficiency of Monitoring and Cybersecurity Controls

The HSE had no capability to efficiently check and respond to security notifications throughout its entire system, patching was slow and updates were not employed immediately throughout the IT systems linked to the National Health Network. The HSE was additionally dependent on one anti-malware solution which wasn’t being checked or efficiently maintained through all its IT environment. The HSE at the same time kept on using legacy systems having known security problems and staying greatly dependent on Windows 7.

The same vulnerabilities in people, procedures, and technology could be seen in a lot of health systems around the globe, and the PWC advice is applicable beyond the HSE to strengthen cybersecurity and make it more difficult for attacks like this to be successful.

The PWC report, advice, and learnings from the attack are available here.

New Data Reveals Degree of Ransomware Attacks on the Healthcare Sector

The CyberPeace Institute has introduced new data on cyberattacks in the healthcare sector. Based on the most recent statistics, 295 cyberattacks are known to have been performed on the healthcare industry in the previous 18 months between June 2, 2020, and December 3, 2021. The attacks were occurring at a rate of 3.8 each week and have happened in 35 countries.

Those attacks consist of 263 incidents that were either affirmed as ransomware attacks (165) or are believed of involving ransomware (98), with those attacks happening in 33 nations at 3.4 incidents per week. Over the past 18 months, a minimum of 39 different ransomware groups have carried out ransomware attacks on the healthcare sector. Those attacks have mainly targeted patient care services (179), then pharma (35), medical manufacturing & development (26), and other medical agencies (23).

The CyberPeace Institute analyzed darknet publications, communication with ransomware gangs, and interviews and recognized 12 ransomware gangs that had mentioned they would not carry out attacks on the healthcare industry during the pandemic, yet still carried on to attack healthcare companies, with at least six of the 12 having done attacks on hospitals.

The definition of healthcare employed by the groups varies from what a lot of individuals would believe to be medical care. For instance, although all 12 of the ransomware gangs stated they wouldn’t target hospitals, many utilized vague words to describe healthcare, for instance, medical companies. Although that may show all healthcare was off-limits, numerous gangs regarded the pharmaceutical market to be fair game, considering that pharma firms were profiting from the pandemic.

Three ransomware operations confessed mistakes had been made and healthcare companies were attacked in error. They mentioned publicly that if a mistake is committed, the keys to decrypt files would be provided at no charge. Nonetheless, there were instances where there was some argument with regards to whether an entity was considered in the gangs’ definitions of exempt institutions.

It must be mentioned that whenever an attack happens and files are encrypted, the ruin is already there. Even when the keys to decrypt information are given cost-free, the attacked agencies still experience interruption to business functions and patient services. The way to restore data from backups is not an easy process and attacked companies still need to cover substantial mitigation fees. 19% of attacks were established as causing canceled consultations, 14% had patients redirected, and 80% had suffered the exposure or a leak of sensitive information.

The CyberPeace Institute stated a number of threat actors have specifically targeted the healthcare market. One example given was a member of the Groove ransomware operation who was actively looking for preliminary access brokers who can give access to healthcare sites. The Groove ransomware operation had the biggest percentage of healthcare targets than other fields according to its data leak website.

Data from Mandiant have shown that 20% of ransomware victims are in the healthcare industry, indicating the industry is being greatly targeted. The FIN 12 threat actor is well-known to target the healthcare industry, and ransomware operations for example Pysa, Conti, and Hive have big percentages of healthcare institutions in their listings of victims (4%, 9%, and 12% respectively).

Though there was some targeting of the medical care industry, a lot of ransomware gangs utilize spray and pray techniques and indiscriminately perform attacks that lead to the attack of healthcare providers being attacked together with all other industries. These attacks frequently involve attacks on Remote Desktop Protocol (RDP), indiscriminate phishing campaigns, or brute force attacks to guess weak passwords.

Regardless of whether the targeting of healthcare companies is by mistake, design, or indifference, ransomware operators are operating with impunity and are de facto characterizing which companies represent legitimate targets and what is off-limits. Their simplified distinctions disregard the complexities and interconnectedness of the healthcare field, in which assaulting pharmaceuticals during a pandemic can have an equally harmful human impact as attacking hospitals.

Planned Parenthood Los Angeles Facing Class Action Lawsuit for the October 2021 Ransomware Attack

A class-action lawsuit was filed against Planned Parenthood Los Angeles (PPLA) over a ransomware attack that was uncovered on October 17, 2021. The cyberattack compromised the protected health information (PHI) of more than 409,759 patients. The notification letters given to the affected people on November 30, 2021, PPLA explained the breach of its systems on October 9, 2021. The hackers got access to files that contain PHI until October 17, when they were evicted from the network.

The data files on the impacted systems included names, birth dates, addresses, diagnoses, treatment, and prescribed medicine information, and a number of files were exfiltrated from its system prior to encrypting of files. PPLA stated it did not receive any evidence to suggest patient data has been misused.

A PPLA patient who was affected by the data breach filed a lawsuit at the U.S. District Court of Central California concerning the incident. The lawsuit claims the patient, along with class members, were placed at certain risk of harm due to the theft of their sensitive health information, which included electronic health records that list the procedures done by PPLA like abortions, treatment of sexually transmitted diseases, emergency contraception drugs, cancer screening details, other very sensitive health data.

The lawsuit additionally references the timing of the attack, which was simultaneous with the Supreme Court debates on abortion, and states the exposure of data on abortion processes at such a time makes it more probable that patients will face harm. Besides confronting an impending threat of harm, affected persons are probable to continue suffering economic and actual hurt and have lost handle of their healthcare records. They have likewise sustained out-of-pocket costs as a direct result of the data breach like expenses and time spent protecting their accounts, checking for identity theft and fraud, and taking action to avoid misuse of their personal information. The lead plaintiff states she has experienced actual harm because of the breach, such as stress and anxiety, and has additionally endured damage and a decrease in the value of her personal details.

Although the Health Insurance Portability and Accountability Act (HIPAA) has no private cause of action, the lawsuit claims PPLA has violated HIPAA by not being able to make sure the confidentiality of patient information and inadequate cybersecurity measures are in place to avoid unauthorized PHI access. The legal action furthermore claims that this is the third data breach suffered by PPLA in the past three years.

Aside from the HIPAA violations, the lawsuit states PPLA likewise breached the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA).

The lawsuit wants injunctive relief, compensatory and statutory damages, investment in cybersecurity solutions to make certain more breaches do not occur, and for impacted persons to have identity theft protection and restoration services and to have an identity theft insurance coverage policy.

Ransomware Attack Impacts 81,000 Patients of Howard University College of Dentistry

Howard University College of Dentistry found out on September 3, 2021, that unauthorized people had acquired access to its system and utilized ransomware for file encryption. The university announced soon after the attack that it was pressured to stop online and hybrid classes when its systems were repaired, and that a nationally known computer forensics company was called in to check out the incident to find out the scope of the attack and if sensitive data was accessed or compromised.

The university confirmed on September 24, 2021 that a system keeping the dental information of patients was compromised during the ransomware attack. There was no particular proof of unauthorized access or files exfiltration received, though dental records were encrypted. The encrypted information associated with dental appointments from October 5, 2019, to September 3, 2021, and included data like names, contact details, birth dates, dental record numbers, medical insurance details, dental history data, and Social Security numbers for some patients.

The university has sent notifications to all impacted patients through the mail and told them to keep track of their account statements for any indication of bogus activity and mentioned it has additionally improved its cybersecurity procedures to better secure against potential attacks and data breaches.

Howard University College of Dentistry lately sent the data breach report to the HHS’ Office for Civil Rights stating that up to 80,915 individuals were affected.

PHI of Great Plains Manufacturing Health Plan Members Impacted by Cyberattack

Great Plains Manufacturing located in Kansas has informed 4,110 workers that some of their protected health information (PHI) was possibly exposed due to a cyberattack that was identified on October 11, 2021.

The investigation affirmed that unauthorized persons first obtained access to its network on September 28, 2021, and got access until October 11, 2021, when the organization detected the breach and ejected the hackers from its network. An analysis of the compromised file server revealed on November 1, 2021, that the accessed files contained information including names, Social Security numbers, dates of birth, health insurance numbers, and members’ health plan choices.

The breach merely impacted personnel and their dependents who had coverage by the Great Plains Manufacturing, Inc. Employee’s Beneficiary Association Trust health plan. The company sent breach notifications to affected persons on December 1, 2021, and all impacted people were provided with 12 months of complimentary identity theft monitoring services.

Biomanufacturing Industry Informed of High Risk Attacks by Tardigrade Malware

A highly sophisticated malware able to aggressively spread inside networks is being employed on biomanufacturing industry targeted attacks. Security researchers named the malware Tardigrade and based on initial research, it might be a SmokeLoader variant. SmokeLoader is commonly utilized as a malware loader and backdoor, however, Tardigrade and SmokeLoader are different from each other.

The sophisticated character of the malware combined with the targeted attacks on vaccine companies and their partners clearly indicates an Advanced Persisted Threat (APT) actor created and use the malware. The first detection of the malware was in attacks on the biomanufacturing industry in spring 2021. At that time, an infection was identified in a big American biomanufacturing company. The malware was discovered for a second time in an October 2021 attack on a biomanufacturing company. Most likely, the malware has been employed in cyberattacks on a number of companies in the industry.

Compared with SmokeLoader, which needs sending of instructions to the malware from a command-and-control system, Tardigrade malware could make use of its internal logic to decide about lateral activity and which files to alter. The malware possesses a distributed command-and-control system and utilizes various IPs that don’t match a particular command-and-control node. The malware is likewise metamorphic meaning its code frequently changes, at the same time retains its performance. Therefore, it is not effective to use signature-based detection mechanisms to identify and block Tardigrade malware.

Tardigrade malware is sneaky and may be employed to get persistent access to the system of victims for surveillance. The malware makes a tunnel to exfiltrate data and prepares systems for other malicious activities like ransomware attacks. The malware was initially discovered while investigating what seemed like a ransomware attack.

The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) issued an alert regarding the malware because of the considerable threat the malware brings to the biomanufacturing industry and its associates. The HHS’ Health Sector Cybersecurity Coordination Center (HC3) likewise issued an advisory about the malware recently.

BIO-ISAC states all biomanufacturing websites and their partners must have the assumption that they will be targeted and should do something to strengthen their defenses versus this new threat. The main method of malware distribution is thought to be phishing emails, though the malware can spread using USB drives and can pass on autonomously all over the victims’ systems.

It is vital to make sure cybersecurity guidelines are adopted, like closing open remote desktop protocols, updating outdated operating systems and software programs, aggressively segmenting systems, using multifactor authentication, and making sure antivirus software program is employed on all devices that can do the behavioral evaluation.

BIO-ISAC additionally advises performing a “crown jewels” analysis, which must include evaluating the effect of an attack in case particular critical devices be made inoperable, making sure offline backups are done on biomanufacturing system, examining backups to make sure recovery is achievable, giving phishing awareness training to the employees, questioning about lead times for acquiring critical infrastructure parts like chromatography, microbial containment systems, endotoxin, and speeding up the upgrade of obsolete equipment.

Additional details on the Tardigrade malware threat can be found on the pages of BIO-ISAC and HC3.

PHI of 57,000 TriValley Primary Care Patients Possibly Exposed in Cyberattack

TriValley Primary Care based in Perkasie, PA has begun informing 57,596 patients concerning a cyberattack that resulted in the potential breach of their personal data and protected health information (PHI).

Suspicious activity was observed in its IT network on October 11, 2021. The healthcare company took action right away to protect its systems and block further unauthorized access. Third-party forensic professionals assisted in the conduct of an investigation to find out the nature and extent of the attack.

The investigation into the incident came to the conclusion on November 4 and though no proof of actual or attempted patient data misuse, unauthorized access and possible theft of protected health information cannot be overlooked. As a result, affected patients were told to stay alert for activities involving identity theft and fraud. The impacted persons were given free credit monitoring services.

An analysis of the files stored on the compromised systems affirmed that these types of patient information were probably exposed: Last and first name, sex, residence address, email address, telephone number, birth date, Social Security number, medical insurance policy/group plan number, group plan agency, claim details, medical background, diagnosis, treatment data, dates of service, laboratory test data, prescription details, medical account number, name of provider, and other facts included in the health records.

TriValley Primary Care stated it is aided by cybersecurity specialists to strengthen its cybersecurity guidelines, processes, and standards to lessen the risk of even more data breaches and the staff members will be given extra cybersecurity instruction.

Patients Do Not Know the Scope of Healthcare Cyberattacks and Information Breach

Armis, the unified asset visibility and security platform provider, had a new survey to investigate the status of cybersecurity in the healthcare sector and the security challenges that healthcare companies are now facing.

The study was done by Censuswide involving 400 IT experts at healthcare institutions all over the United States, and 2,000 American patients to acquire their ideas on cybersecurity and information breaches in the healthcare industry.

The survey established the growing cyber threat, with 85% of respondents stating cyber risk has expanded during the past 12 months. Ransomware groups have attacked the healthcare field in the past 12 months, and a lot of those attacks were successful. 58% of the participating IT specialists mentioned their corporation had encountered a ransomware attack in the last year.

13% of IT security professionals consider ransomware attacks as a source of concern, stating the majority are convinced that they could bring back data when an attack occurs. Nevertheless, data breaches that cause the loss of patient data were a big concern, with 52% of IT experts ranking data loss as a number one problem, with attacks on hospital operations considered as a key issue by 23% of healthcare IT professionals.

Guarding against cyberattacks is getting even more challenging because of the growing attack surface. Armis states there are already 430 million linked healthcare devices around the world, and that number will keep on rising. When questioned concerning the riskiest devices and systems, building systems like HVAC were the major issue s 54% of IT experts rated them as the main cybersecurity risk. Imaging machines were ranked as among the riskiest by 43% of survey participants, and then medicine dispensing devices (40%), check-in kiosks (39%), and vital sign tracking machines (33%). Though there is concern regarding the safety of these systems and medical gadgets, 95% of IT experts mentioned they assumed their interconnected systems and devices were patched and using the most up-to-date software program.

The growth in cyberattacks in the healthcare field is affecting healthcare decisions. 75% of IT specialists stated the latest attacks had a powerful effect on decision making and 86% of survey respondents mentioned their company had assigned a CISO; nonetheless, only 52% of survey participants mentioned their firm was putting more than enough finances to take care of IT safety.

The survey of patients showed 33 % had become the victim of a healthcare cyberattack, and though more or less one-half of patients (49%) stated they would change healthcare company if it suffered a ransomware attack, lots of patients are not aware of the scope of the latest cyberattacks and how often they are currently being documented. In 2018, healthcare data breach reports were sent at a rate of 1 each day. In the last 12 months, 7 months showed data breach reports of over 2 every day.

Even with comprehensive media reports regarding healthcare data breaches and vulnerabilities in healthcare devices, 61% of potential patients mentioned they didn’t learn about any healthcare cyberattacks during the past two years, evidently showing a lot of patients are uninformed of the threat of ransomware as well as other cyberattacks. Nonetheless, patients know the consequences those attacks might have, with 73% of prospective patients knowing a cyberattack can affect the quality of health care they are given.

When potential patients were asked concerning their privacy issues, 52% stated they were troubled that a cyberattack would stop hospital operations and will likely impact patient care, and 37% mentioned they were bothered about the confidentiality of information accessible via websites.

There undoubtedly seem to be trust concerns, as merely 23% of prospective patients claimed they relied on their healthcare service provider with their sensitive personal information. In comparison, 30% stated they depended on their best friend with that data.

$10 Million Reward Offered by the State Department for Information on REvil and DarkSide Ransomware Operations Leaders

People who have information associated with the REvil and DarkSide ransomware group leaders, or affiliates who carried out attacks, are being urged to come out. The U.S. State Department is offering a reward of as much as $10 million in exchange for details that points to the identification or whereabout of REvil/DarkSide ransomware groups leaders, with as much as $5 million paid for data that brings about the capture and sentencing of any person who conspired to take part or tried to get involved in a REvil/DarkSide ransomware attacks. The amount of the rewards offered in exchange for information undoubtedly shows how serious the United States is with its efforts to take the ransomware attackers to justice.

The effort to pressure the ransomware gangs seems to be somewhat effective. According to U.S. National Cyber Director Chris Inglis, there was a noticeable reduction in cyberattacks based in Russia. The DoJ states it is looking at a few more apprehensions associated with the REvil and DarkSide ransomware attacks in the upcoming weeks.

Worldwide Law Enforcement Efforts See Several Arrests

The United States isn’t just the nation that is focused on taking ransomware attackers to justice. An international law enforcement operation called GoldDust joined by 17 countries has lately led to the apprehension of 7 hackers thought to be engaged in the REvil and GandCrab ransomware attacks. The Europol, Eurojust, and INTERPOL-synchronized operation resulted in the arrest of two individuals in Romania, three people in South Korea, one person in Kuwait, and one in an unidentified European country, with the most current takedown happening on November 4 in Kuwait and Romania.

The three people in South Korea were formerly detained in February, April, and October because of their part in the GandCrab ransomware attacks, which is thought to be the forerunner of REvil/Sodinokibi. In 2018, the GoldDust operation began to be active and was started because of the GandCrab ransomware attacks.

The past week, Europol made an announcement of the arrest of 12 persons in raids in Switzerland and Ukraine because of their supposed participation in ransomware attacks that involve the LockerGoga and other ransomware attacks. Those people are considered to have had expert functions in different phases of the attacks, starting from infiltration up to taking the cash and laundering the ransom payments amounting to millions.

In September, the Ukrainian National Police, a French National Gendarmerie, INTERPOL and Europol operation led to the arrest of 2 people thought to be affiliates of two prolific ransomware attacks. That ransomware operation likewise resulted in the seizure of $375,000 cash and luxury cars, and the freezing of $1.3 million of cryptocurrency.

Furthermore, a 30-month campaign, called Operation Cyclone, which engaged law enforcement services in several countries led to the capture of 6 people thought to be engaged in the Clop ransomware campaign, with those apprehensions happening in June 2021. The operation had conducted searches at 20 places and seized $185,00 cash and computer devices believed to have been employed in the attacks. The Clop ransomware group had performed a lot of attacks in the U.S., such as those on Stanford Medicine, the University of Colorado, the University of Maryland Baltimore, and the University of California.

Although these apprehensions will result in certain interruptions to the operations of ransomware gangs, they stand for just a portion of the people engaged in ransomware attacks, who may be quickly substituted. The key untouchable members of the ransomware campaigns are thought to be residing in Russia.

PHI Likely Compromised in Hacking Incidents at Three Healthcare Organizations

Hacker Gains Access to Server of New York Psychotherapy and Counseling Center

New York Psychotherapy and Counseling Center (NYPCC), which is a non-profit provider of mental health services, has reported a cyberattack that was detected in September 11, 2021.

The provider immediately took steps to protect its systems and stop more unauthorized access. It engaged a third-party cybersecurity company to carry out a forensic investigation to find out the nature and extent of the incident. NYPCC stated there was no breach of its electronic medical record system; nonetheless, it is believed that the attacker had accessed certain files on its server that included the protected health information (PHI) of patients.

An analysis of the files found on the server showed the potential compromise of these data: names, addresses, birth dates, dates of service, and Medicaid IDs. NYPCC mentioned it is determined to constantly review and update its security practices associated with the PHI of patients.

Impacted persons received notifications by mail and offers of free credit monitoring, identity monitoring, and other similar services to secure their data against any misuse.

NYPCC has reported the incident to the HHS’ Office for Civil Rights, however, there is no information yet on the OCR breach website, consequently, it is presently uncertain how many people were impacted.

Prairie Lakes Healthcare System Hacked

Prairie Lakes Healthcare System based in Watertown, S.D. has uncovered that an unauthorized person has acquired access to some of its IT systems.

The healthcare system discovered the incident on October 6, 2021, when parts of its network had encountered disruption. Quick action was undertaken to isolate the affected systems and stop more unauthorized access. A third-party cybersecurity company investigated the occurrence and helped with remediation efforts.

Prairie Lakes Healthcare explained all the impacted systems were already in operation; nonetheless, the security breach investigation is still in progress. At this point of the investigation, there is no proof of unauthorized access or patient data exfiltration. In case patient information is considered to have been breached, the company will send notification letters to the affected persons.

Unauthorized Network Access of the Urology Center of Colorado

The Urology Center of Colorado (TUCC) has found out that an unauthorized individual gained access to parts of its computer system. The security breach was discovered and blocked on September 8, 2021. An inquiry into the breach confirmed that the attack started the preceding day.

The compromised sections of its network were examined to know whether any patient information might have been accessed. TUCC said the assessment identified the exposure of the following types of protected health information: name, Social Security number, date of birth, address, email address, phone number, medical record number, diagnosis, treating physician, insurance company, treatment fee, and/or guarantor name.

TUCC stated it altered account passwords to stop further unauthorized access and it considered supplemental security steps to avoid further data breaches. As a safety precaution, TUCC is providing complimentary credit monitoring and identity protection services to impacted people.

TUCC already reported the incident to the HHS’ Office for Civil Rights, however, it has not appeared yet on the breach portal of OCR, consequently, it is currently uncertain how many individuals have been impacted.

PHI of 45,262 Desert Pain Institute Patients Possibly Exposed in Cyberattack

Baywood Medical Associates, dba Desert Pain Institute (DPI) located in Mesa, AZ, has found out that unauthorized persons acquired access to sections of its computer network containing patients’ protected health information (PHI).

The security breach was discovered and blocked by DPI on September 13, 2021, and a third-party cybersecurity firm was hired to help investigate and find out the nature and extent of the cyberattack. On October 15, 2021, the forensic investigators affirmed the proof found showing the attackers had gained access to areas of its network that stored patients’ PHI.

An analysis of the data on systems the hackers had accessed revealed that these data might have been accessed or exfiltrated: Complete names, addresses, birth dates, Social Security numbers, driver’s license/state-issued ID card numbers, tax identification numbers, military identification numbers, medical data, medical insurance policy number, and financial account numbers. The types of information possibly exposed differed from one patient to another.

Since the breach was discovered on September 13 up to the date of sending notifications, there is no proof found to suggest any attempted or actual patient data misuse; nevertheless, affected persons were cautioned to watch out for signs of identity theft and fraud and to register for the free credit monitoring services, which are being given.

DPI reported that it has improved security options for its computer systems and servers, which consists of new end-point tracking tools to determine unauthorized activity.

The Department of Health and Human Services’ Office for Civil Rights breach portal has no report of the breach yet. However, the breach report given to the Maine attorney general indicated that 45,262 persons had their protected health information potentially exposed.

Securing Legacy Systems and Devices for HIPAA Compliance

The Department of Health and Human Services’ Office for Civil Rights has informed HIPAA-covered entities to evaluate the security of their legacy IT programs and devices.

A legacy system refers to any system that includes one or more parts that were replaced by more recent technology and hit end-of-life. Whenever software programs and devices hit end-of-life, support also ends, and there will be no more patches issued to resolve identified vulnerabilities. That’s why legacy systems and devices are prone to cyberattacks.

Healthcare companies must be mindful of the date when support won’t be available. They must develop a plan to change obsolete software programs and devices; nonetheless, there are usually legitimate reasons for still using legacy systems and products.

Legacy systems could still function well and be customized to a company’s business design, therefore there may be an unwillingness to switch to current systems that have support. Changing to a current system might necessitate time, money, and human assets that aren’t readily available, or it might mean that replacing a legacy system would disrupt critical services, affect information integrity, or make ePHI inaccessible.

HIPAA-covered entities must make sure that all software programs, systems, and gadgets are always patched and updated, however in healthcare, there are usually competing goals and commitments. When the choice is made to keep on utilizing legacy systems and devices, it is crucial to consider security and implement safeguards to make sure that those systems and gadgets won’t be hacked. That is particularly crucial when it’s possible to use legacy systems and devices to access, hold, create, retain, receive, or transfer electronic protected health information (ePHI).

Continuing to use legacy software and devices does not violate HIPAA Rules, as long as compensating controls are put in place to make sure ePHI is secured. If security considerations are overlooked when using legacy systems, that is a violation of the HIPAA Rules.

There are many legacy systems used in the healthcare field that need protection. Healthcare companies should have complete knowledge of the legacy systems that are used in their company. If the IT team is not aware of the use of legacy systems, there won’t be compensating controls implemented to make sure they are properly secured.

It is important to create a detailed inventory that lists all legacy systems and devices and to do a security risk analysis on every system and device. It is required by the HIPAA Security Rule that covered entities and their business associates should perform a correct and complete evaluation of the likely risks and vulnerabilities to the integrity, confidentiality, and availability of ePHI, which include ePHI found in legacy systems.

Risks should be determined, prioritized, and addressed to minimize them to a low and tolerable level. Mitigations consist of updating to a supported system or version, getting a vendor that offers extended support, moving the system to a secured cloud-based option, or separating the system from the network.

When HIPAA-covered entities decide to keep a legacy system, current security controls must be toughened, or compensating controls must be applied. OCR states consideration must be given to the problems of upkeep, as they may offset the advantages of continually using the legacy system and there must be plans to eventually remove and replace the legacy system.

For the time being, OCR recommends these controls to enhance security:

  • Improve system activity checks and audit recording to identify unauthorized activity, with particular attention given to security settings, authentication events, and ePHI access.
  • Limit legacy system access to a small number of users.
  • Reinforce authentication prerequisites and access controls.
  • Limit the legacy system from executing functions or actions that aren’t really essential
  • Make certain to perform backups of the legacy system, particularly when improved or compensating controls affect previous backup solutions.
  • Create contingency plans that take into account a higher probability of failure.
  • Carry out aggressive firewall regulations.
  • Use secure anti-malware programs.

Put Cybersecurity First This Cybersecurity Awareness Month

The theme of the fourth week of Cybersecurity Awareness Month is “Cybersecurity First.” The focus is on getting businesses to know about the requirement for cybersecurity procedures to deal with vulnerabilities in products, procedures, and people.

Cybersecurity Tips for Organizations

One study states 64% of firms around the world have suffered some sort of cyberattack and the rate at which attacks are happening is growing. It is important for businesses to make sure that cybersecurity steps are integrated when making apps, goods, or new services and for cybersecurity to be thought of at the design phase. Safeguards must be integrated into products from the beginning. Cybersecurity should never be an afterthought.

Businesses must have a complete understanding of their IT environment and what assets should be secured. An inventory ought to be made for all resources and the location of all sensitive information must be known. A plan then has to be created to safeguard those assets, which ought to include overlapping layers of protection utilizing technologies like firewalls, antivirus software, spam filters, web filters, endpoint detection systems, encryption tools, and backup solutions. Patch management is likewise crucial. Software and firmware program updates must be employed quickly, with priority given to patching the major vulnerabilities.

Businesses need to embrace a mentality of a cyber breach being unavoidable, which means they must know how they will react to an attack if it happens. A business continuity plan needs to be created and tried. The plan must include emergency procedures while systems and data are not accessible, the restoration of systems and information, communication with stakeholders, compliance, and reporting breaches to proper authorities. Having an incident response plan ready makes certain the organization can still work in the event of a cyber breach and it will considerably accelerate the recovery time period and help to lower breach costs.

FBI Boosts Awareness of the Ransomware Threat

The Federal Bureau of Investigation (FBI) is raising awareness of the risk from ransomware. A ransomware attack can result in the encryption of files making them inaccessible. The attacker issues a ransom demand in exchange for the keys to decrypt data files, though there are no assurances that files will be recovered after the ransom payment. It is likewise typical for sensitive information to be stolen prior to file encryption, and the attacker threatens to publish or sell the information when the victim doesn’t pay the ransom.

Computer and systems access is acquired by taking advantage of vulnerabilities, performing brute force attacks to determine weak passwords, and in most cases, by means of phishing emails. Hyperlinks are contained in emails, which lead users to sites that asked for the users’ login credentials or install files that contain malware. Quite often, emails have attachments with macros and other scripts for downloading malware so that the attackers get persistent access to equipment and systems.

The FBI suggested steps suggested to steer clear of ransomware attacks such as updating software, using patches immediately, using anti-malware solutions on all devices, backing up files on a regular basis and keeping backups off the internet, and teaching employees about identifying phishing emails as well as other risks.

It is vital for employees to have security awareness training. Cybercriminals often target employees, so employees ought to get security awareness training in the process of onboarding. They should be given the tools needed to keep their organizations secure including regular training.

Healthcare CISOs Need Government Support to Manage Increased Cyber Threats

The College of Healthcare Information Management Executives (CHIME) and Association for Executives in Healthcare Information Security (AEHIS) has conducted a new survey involving Chief Information Security Officer (CISO) members. The results presented the effect of cybersecurity occurrences on the healthcare sector and the requirement for government assistance to take care of the threats.

Cybercriminals have been targeting the healthcare sector, however, attacks surged throughout the pandemic. 67% of survey respondents stated their company had encountered a security event in the last 12 months with nearly half stating they were had suffered a phishing attack. The most often used security exploits in cyberattacks are malware ransomware, phishing and business email compromise (BEC) attacks, hacking, and insider threats.

Cyberattacks can cause patient safety concerns. One new study reveals mortality rates, medical issues and the length of hospital stays
increase after a ransomware attack. The survey established the effect on patient safety, as 15% of survey respondents reports a patient safety problem following a cyberattack, and 10% stated they were compelled to redirect patients to other hospitals after an attack.

More attacks mean greater costs. Over 80% of surveyed CISOs claimed increased costs connected with cyberattacks last year. 20% of survey respondents mentioned a 50% increase in costs in the past year. One of six reported doubled costs. Aside from remediation costs, the cost of cyber insurance policies also increased because of the greater threat of cyberattacks.

Without a doubt, the situation will probably worsen as there are a number of rising threats of big concern, like the surge in IoT and other linked devices, growing remote staffing, supply chain risks, API security problems, and risks connected with 3rd party consumer health applications.

Cybersecurity funding has always been a problem in medical care, however, the higher costs have worsened the situation and a lot of CISOs are having difficulties.

The survey revealed that healthcare companies need additional help addressing the growing threat of attacks. Congress is looking at various ways to enhance protection against cyberattacks for critical infrastructures, such as healthcare. However CHIME and AEHIS state that medical care is usually left out, although the healthcare sector is one of the most attacked and most vulnerable critical infrastructures.

40% of respondents stated that they need assistance like grants or government assistance to boost cybersecurity. One-third stated that the guidance and expertise of cyber professionals of regional extension centers, and 16.7% stated they would profit from closer associations with government authorities like CISA and the FBI.

52% of survey respondents stated they had registered at an Information Sharing and Analysis Organization (ISAO) or Information Sharing & Analysis Center (ISAC), however, additional guidance is required, as 10% of respondents stated they were uncertain when it was appropriate to reveal threat details. When assistance is given, it must be conveyed more appropriately. For example, 45% of respondents stated they were uninformed of 405(d) recommendations that the HHS published.

Based on this survey, it is obvious that healthcare companies will need a number of tools to deal with the risks to the provision of patient care. More resources, training, and ongoing assistance for the healthcare sector are necessary.

Centers to Secure Critical Infrastructure and Public Health Launched by MITRE

MITRE announced two new companies that were assigned to deal with crucial healthcare challenges and enhance cybersecurity to better safeguard critical infrastructure.

MITRE is a nonprofit company that deals with federally financed research and development centers to assist government institutions in defense, healthcare, homeland security, cybersecurity, and other industries. MITRE Labs was founded in 2020 in association with the reorganization of MITRE, with the new unit tasked with driving innovations in applied science and advanced technology to improve the potential of American scientific and economic leadership.

Two new companies were established now within MITRE Labs – The Cyber Infrastructure Protection Innovation Center and the Clinical Insights Innovation Cell.

The Cyber Infrastructure Protection Innovation Center was created to link the gap in technology between the public and private sector and make sure the industrial control systems, operational technology, and cyber-physical systems of critical infrastructure institutions are secured.

Cybercriminal gangs and nation-state actors are performing attacks on critical infrastructure, as shown by the recent cyberattacks on the meat processor JBS, Colonial Pipeline, and a Florida water treatment plant. These cyberattacks can have a debilitating effect on economic security, national security, and the health and safety of all people in America.

Critical infrastructure is generally managed and maintained by private firms. The new Cyber Infrastructure Protection Innovation Center is supposed to work across industry and government to have more knowledge about the cyber threats confronted by the critical infrastructure industry and to know practical measures that can be done by operators of critical infrastructure to enhance security against cyber threats.

The Clinical Insights Innovation Cell was started to gather frontrunners from the private and public sector to help deal with critical healthcare problems and aims to provide clinical and data science leadership, information, and innovative artificial intelligence approaches.

The Clinical Insights Innovation Cell team is composed of data scientists, doctors, informaticists, and specialists in the fields of artificial intelligence, digital health, and clinical research trials, and has the objective of creating a new system of performing clinical trials so that health systems are more dependable and resilient.

MITRE Labs has made a substantial improvement to broaden MITRE’s effect, inspire revolutionary disruption, speed up risk-taking and discovery, and provide technical functionality, mentioned MITRE Labs’ Charles Clancy. These new groups will allow us to move faster, be bolder, and take action as better associates for protecting our nation’s critical infrastructure and using clinical and genomic data to deal with the challenges of infectious disease and the promise of precision medicine.

Ransomware Attack on Johnson Memorial Health’s Network

Johnson Memorial Health has reported a ransomware attack last October 1, 2021 resulting in the encryption of files that sabotaged its IT systems. Emergency procedures were quickly enforced and staff members manually recorded patient data and wrote prescriptions up to the time systems were restored.

Ransomware groups usually obtain systems access some time, perhaps weeks or months, before ransomware deployment. At that time, they go laterally inside networks to obtain access to many systems they possibly can prior to deploying the ransomware; however, not at all times.

The ransomware attack on Johnson Memorial Healthcare happened really fast. As per Dr. David Dunkle, Johnson Memorial Health’s President and CEO, the attackers acquired access to its IT systems at 10:31 p.m. on October 1 and deployed ransomware at 10:33 p.m., which is 2 minutes later. The hospital’s IT team discovered abnormal activity at about 10:40 p.m. and de-activated its network at 10:45 p.m. to limit the resulting problems.

The attackers issued a ransom demand, however, Dunkie did not give any ransom payment. An investigation is currently ongoing to find out the scope of the encryption and the particular systems and data files affected.

Dr. Dunkie stated that Johnson Memorial Health continued to provide medical care to patients. Surgeries and consultations continued as usual but with no computer access, patient registration may be delayed. Ambulances were diverted to other hospitals to lessen the load on the hospital staff. The investigation is just in its beginning stages and the extent of affected patient information is still presently unknown.

This is the third report of a ransomware attack in Indiana by a healthcare provider. Last week, Schneck Medical Center in Seymour reported a ransomware attack. Eskenazi Health based in Indianapolis also reported a ransomware attack last August. There seems to be no relationship between the attacks.

Do Your Part, #BeCyberSmart This National Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, which highlights the importance of cybersecurity for the whole month. Resources will be available to help institutions enhance their security posture by means of adopting best practices in cybersecurity and building up employees’ security awareness.

The United States Department of Homeland Security Cybersecurity and the National Cyber Security Alliance launched Cybersecurity Awareness Month in 2004 to increase understanding of the value of cybersecurity. Every year, there is a different theme, though the general purpose is similar – To enable men and women and the companies they work for to enhance cybersecurity so that it is more difficult for hackers and con artists to be successful.

The October, the focus is bettering education regarding cybersecurity guidelines, increasing awareness of the digital dangers to privacy, inspiring companies, and people to put in place tougher safety measures to secure sensitive information, and showcasing the value of security awareness training.

The general theme of this 2021 is – “Do Your Part, #BeCyberSmart.” It is centered on talking about the significance of every person doing his part in cybersecurity and safeguarding systems and sensitive information from attackers and cybercriminals. All through October, the National Cyber Security Alliance along with its partners are going to have programs to increase awareness of particular areas of cybersecurity. Each week has the following theme:

  • Week 1 of October: Be Cyber Smart.
  • Week 2 of October: Fight the Phish!
  • Week 3 of October: Explore. Experience. Share.
  • Week 4 of October: Cybersecurity First

Cybersecurity Awareness month begins week one with the subject of “Be Cyber Smart.” Recommended cybersecurity practices will be featured to safeguard the great amounts of personal and business information that are kept on Internet-linked systems.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), this timeless theme urges people and institutions to do their part in safeguarding their area of cyberspace, emphasizing personal liability and the value of taking active steps to boost cybersecurity.

Highlighted in week one are the best practices that organizations and consumers must be putting into action such as

  • Setting up strong passwords at all times
  • Employing multi-factor authentication on accounts
  • Updating and patching software promptly
  • Creating backup copies to make sure data are recoverable in case of a ransomware attack or any detrimental cyberattack.

Since Cybersecurity Awareness Month started, the key role of cybersecurity in the country’s security and economy had been elevated. This October, President Biden announced the beginning of Cybersecurity Awareness Month in a White House statement, emphasizing the commitment to carry out the best practices to protect internet-connected devices, systems, and technology from cyber threats whether at home, work, school, or any place that the internet is accessed. . All Americans must conscientiously secure their sensitive information and enhance their cybersecurity awareness by taking on this 2021’s theme: “Do Your Part. Be Cyber Smart.”

U.S. Vision Subsidiary Announces Hacking Incident Impacting 180,000 Persons

USV Optical Inc., a U.S. Vision Inc. subsidiary, has reported that unauthorized people have acquired access to some servers and systems that contained patients’ protected health information (PHI). The data breach was discovered on May 12, 2021, with the following forensic investigation affirming that the attackers got access to its systems for nearly a month between April 20, 2021 and May 17, 2021, during which its systems were made secure.

Third-party computer forensics experts are still investigating the breach to find out the full scope and extent of the attack, however, have come to the conclusion that unauthorized persons possibly accessed and exfiltrated patient information during the attack.

It was confirmed that these types of personnel and patient information were compromised: Names of patients, eyecare insurance data, and eyecare insurance application and/or claims details. A part of the people may likewise have had this information exposed: Address, birth date, and/or other personal identifiers. There is no report received thus far of any instances of attempted or actual improper use of personal data and PHI due to the security incident.

The data breach was already reported to the Department of Health and Human Services’ Office for Civil Rights as impacting 180,000 people. The healthcare provider is sending breach notifications to those persons together with instructions on steps to do by breach victims to secure their identities, in case they consider those steps to be suitable.

USV Optical stated it worked hard to check and respond to the incident and is presently working to determine and inform possibly affected individuals. An analysis is being done of guidelines associated with data protection and these are going to be improved to better secure patient information.

This is the second big data breach that an eye care provider reported in the last couple of days. Simon Eye Management lately announced that it encountered an email security breach wherein the PHI of 144,000 people was compromised.

LifeLong Medical Care & Beaumont Health Patients Impacted by Data Breaches at Business Associates

LifeLong Medical Care, a Californian healthcare company serving patients in Contra Costa, Marin, and Alameda Counties, has informed selected patients who had their protected health information (PHI) affected in a ransomware attack on Netgain Technologies, its third-party vendor.

Netgain Technologies uncovered a data breach on November 24, 2020 involving ransomware. An internal investigation into the breach confirmed on February 25, 2021 that the attackers acquired access to data containing the data of its customers. The attackers first of all compromised its systems on November 15, 2020.

LifeLong Medical Care mentioned it began a thorough investigation into the security breach and found out on August 9, 2021 that the personal information and protected health information of patients were accessed and/or exfiltrated from Netgain’s network. Impacted patients had their entire name compromised in addition to one or more of the following data elements: Social Security number, date of birth, patient cardholder number, and/or treatment and diagnosis details.

Affected people started to be advised concerning the breach on August 24, 2021, 9 months right after the breach took place. LifeLong Medical Care stated it doesn’t know of any instances of identity theft or incorrect use of patient information because of the incident nevertheless has advised patients whose Social Security number was breached to get no-cost credit monitoring services.

LifeLong Medical Care expressed in its August 24, 2021 breach notification letter that it is fully committed to the safety of information, and is cooperating with third-party vendors to strengthen security and oversight.

The HHS’ office for Civil Rights breach site has yet to report the incident, thus it is not clear yet how many individuals were affected at this period.

Beaumont Health Patients’ PHI Compromised Due to the January 2021 Accellion Data Breach

Beaumont Health, the premier healthcare service provider in Michigan, publicized on August 27, 2021 that the PHI of a number of of its patients was compromised in the attack on Accellion in January 2021. Beaumont Health mentioned it was informed by Goodwin Proctor LLP on February 5, 2021 that patient records were exposed in the attack. Goodwin Proctor had employed the Accellion File Transfer Appliance for transmitting sizeable files among clients, one of which was Beaumont Health.

Goodwin Proctor had acquired files that contain the personal data and PHI of patients of Beaumont Health in association with the legal services furnished by the law company. The breach investigation established that information on the Accellion appliance was saved by the threat actor on January 20, 2021 after taking advantage of a vulnerability. The threat actor, who had a connection with the Clop ransomware gang, then tried to extort cash to avoid the release/vending of the stolen files.

Beaumont Health stated “Goodwin advised Beaumont involving the Accellion security incident following finding out that the data stolen by the threat actor may have included Beaumont patient details. Beaumont eventually carried out its own independent examination of the data affected by the Accellion incident and uncovered on June 28, 2021 that the affected details comprised some patient health data of several Beaumont patients.

The PHI of roughly 1,500 patients was impacted in the breach, which contained patient names, procedure names, physician names, dates of service and internal medical record numbers.

Beaumont Health mentioned it has not acquired any reports of misuse of that details, the same is true with Goodwin Proctor. Goodwin Proctor issued notification letters to impacted persons on behalf of Beaumont Health beginning on August 27, 2021. Goodwin Proctor stated it has stopped its use of the Accellion File Transfer Appliance and is today further assessing its data security policies and operations.

This is the most current in a sequence of data breaches to have an effect on Beaumont Health. In late 2019, Beaumont Health found out a 20-month insider data breach that affected 1,182 patients, documented a phishing attack in April 2020 that impacted 112,000 patients, and an additional phishing-related breach was noted in July 2020 as impacting 6,000 people.

FBI & CISA Warning of Greater Risk of Ransomware Attacks over Labor Day Weekend

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have given an alert to all public and private sector institutions regarding the elevated risk of ransomware attacks during times when offices are usually closed, like long holiday weekends.

Although a lot of employees are going to be having a long weekend break because of Labor Day, this is a period when threat actors are generally very active. The small staff numbers at the time of holidays and weekends make it more unlikely that their attacks will be discovered and hindered. The CISA and the FBI revealed in the alert that they have seen a rise in extremely impactful ransomware attacks happening on holiday seasons and weekends, and gave several cases of threat actors performing attacks during holiday breaks in the United States in 2021.

Lately, the Sodinokibi/REvil ransomware actors carried out an attack on the Kaseya remote monitoring and management tool during the Fourth of July 2021 weekend break. The attack impacted lots of companies which include countless managed service providers and their downstream clients.

At the time of the Memorial Day weekend in May 2021, the same attackers performed a ransomware attack on JBS Foods, which affected the firm’s food production amenities in the United States, which stopped all production. JBS Foods paid for the $11 million ransom demand to obtain the keys for decrypting files and avoid the exposure of information stolen during the attack.

Before the Mother’s Day weekend break in May, the DarkSide ransomware gang performed its attack on the Colonial Pipeline that caused the closing of the fuel pipeline serving the Eastern Seaboard for one week. Colonial Pipeline had paid a $4.4 million ransom payment to speed up attack recovery.

The ransomware threat actors associated with the cyberattacks on Colonial Pipeline, JBS Foods, and Kaseya have stopped their operations, however, threat actors seldom stay inactive for very long. It is typical for them to appear with a new ransomware campaign after a time of apparent inactivity. There are additionally numerous other ransomware attackers that are presently very active that may attempt to make the most of the absence of crucial employees over the holiday break.

The ransomware attackers responsible for the Conti, LockBit, PYSA, RansomEXX/Defray777, Zeppelin, and Crysis/Phobos/Dharma ransomware variants were all active throughout the last month and attacks concerning those ransomware variants have usually been reported to the FBI in the last 4 weeks.

Though neither CISA nor the FBI has found any particular threat intelligence to suggest ransomware or another cyberattack will happen through the Labor Day weekend, according to the attack trends to date this 2021, there is a greater risk of a big cyberattack taking place.

As a result, the FBI and CISA are informing security teams to be particularly heedful and to make sure that they are thorough in their network defense routines, take part in preemptive threat hunt on their sites, adhere to recommended cybersecurity and ransomware guidelines, and carry out the proposed mitigations to minimize the risk of ransomware attacks and other cyberattacks.

Those mitigations consist of:

  • Create an offline backup copy of files and testing backups to make certain it’s possible to restore information
  • Not visiting suspicious links in email messages
  • Protect and keep track of RDP connections
  • Upgrade operating systems and software applications and check vulnerabilities
  • Use tough passwords
  • Utilize multi-factor authentication
  • Protect networks by employing segmentation, blocking traffic, and scanning ports
  • Safeguard user accounts
  • Create an incident response program
    Suggested guidelines, mitigations, and information are detailed in the advisory, which is accessible on this page.