Growing Improper Use of Password Managers

Passwords can offer a good level of security; however, users too often select weak passwords that pose no challenge to attackers. Many of the most commonly used passwords can be cracked almost instantly. According to a recent NordPass study that analyzed a 3TB database of passwords, the password “password” was used to secure 4.9 million accounts. Of all the passwords used, the weakest password, 123456, was used on 1.5 million accounts.

Security awareness is increasing; nevertheless, many users still choose weak passwords for convenience, despite the risk of account compromise. It is also common for users to set the same password for several accounts. This poor practice opens the door to credential-stuffing attacks: when the password for one service is compromised, every other account that uses the same username and password combination can be accessed as well.

One of the most affordable and simplest ways to improve password security is to let employees use a password manager. Password managers suggest strong, unique passwords, auto-fill them whenever they are required, and store them securely in an encrypted vault. Although password managers can substantially improve security, a new Security.org survey of 1,047 U.S. adults, reported in the Password Manager Annual Report 2022, revealed a poor practice that puts password manager users at risk of identity theft.

Password managers can help eliminate poor password practices because they make it simple and convenient to use a strong password. Setting strong, distinct passwords for every account is far more effective than choosing easy-to-remember passwords or reusing the same password across several accounts. One potential weakness is the master password that protects the password vault. If an attacker obtains that password, it does not matter how strong the other passwords are, because the attacker can decrypt the vault and retrieve every password in it. The master password should therefore be long, complex, and unique.

The Security.org survey showed that a number of users fail to set a distinct password for their password vault, and the proportion making this mistake is very high. 25% of survey respondents who have a password manager admitted they reuse their master password for a number of other accounts, despite that practice being very risky. Worryingly, although security awareness is improving, master password reuse is increasing: in 2021, 19% of password manager users admitted to reusing their master password on other accounts. The survey also revealed that about 50% of password manager users whose identities were stolen had used their master password on several accounts.

Companies that are considering providing a password manager to their workforce to improve password security should take note and make sure they stress the importance of using a strong, unique password for the password manager, and of also enabling 2-factor authentication for it.

Confidence in Using Password Managers Stays High

Confidence in the protection offered by password managers remains high; however, the data breaches suffered by LastPass have taken a toll. Last year, LastPass was the most popular password manager, but the survey shows it has dropped to fourth place, behind Google Password Manager, iCloud Keychain, and Bitwarden. The LastPass data breach did not expose passwords, yet it was enough to prompt many users to switch to other providers. Despite these two breaches, only 23% of respondents believe password managers are unsafe.

Oddly enough, 28% of non-users stated they do not use these tools because they believe they are unsafe; nonetheless, 50% of those users said they use the same few passwords for all accounts, 46% said their passwords are stored in a file on their computers, and 43% store passwords in their web browsers, all of which are far riskier habits than using a password manager.

Privacy Risks Discovered in Websites Employed to Provide Opioid Addiction Treatment and Recovery Assistance

A new report from the Opioid Policy Institute (OPI) and the Legal Action Center (LAC) states that a number of websites used to provide opioid addiction treatment and recovery support have data sharing and privacy problems. Addiction treatment and recovery support are increasingly provided over the internet and through mobile applications, with the websites handling several functions. They are used to communicate with patients, conduct telehealth visits, register and screen patients, and receive referrals.

All sites that collect patient information should have strong privacy and security settings, but this is particularly vital for websites used to provide opioid addiction treatment and recovery services because of the stigma attached to drug addiction and the potential for discrimination against people with substance use disorders. Concerns about confidentiality are consistently among the most common reasons people give for not seeking substance use disorder treatment.

At the federal level, HIPAA and other privacy regulations set strict requirements for protecting the privacy of patient data, and many providers of substance use disorder treatment services build on a core promise of anonymity; nevertheless, the confidentiality and security of the websites used by these providers had not been properly examined. OPI and LAC partnered on the research and examined the websites of 12 virtual care platforms, which received an average of 57,000 visits in June 2022, over a 16-month period using Blacklight, a tool created by The Markup to evaluate the privacy protections of websites. Blacklight was used to check for various data collection methods, including ad trackers, keylogging, session recording, third-party session cookies, and third-party tracking code such as the code snippets supplied by Meta (Pixel) and Google (Analytics).

Although it was not possible to determine precisely what information the websites collected or how it was used, all of the websites regularly used tools during the 16-month observation period that were capable of collecting and transmitting sensitive data, and all of the sites had problems that jeopardize patient privacy. All 12 sites used ad trackers that could identify the people who visited them. 11 of the 12 websites used third-party cookies that allow visitors to the virtual care websites to be tracked across the web.

Over the 16-month period, about 50% of the sites used Meta Pixel tracking code. The Meta Pixel code snippet is used to monitor visitor activity on websites in order to identify preferences and trends and improve the user experience; however, the snippet can capture sensitive information and transmit it to Meta. In 2022, many health systems were found to have used the code on their websites and patient portals, sending sensitive patient information to Meta without consent. In some cases, the transmitted data was allegedly used to serve people with targeted advertisements related to their health conditions. Meta’s policy requires Meta Pixel users not to send it sensitive data such as healthcare information; nevertheless, numerous healthcare companies were found to have sent patient information to Meta. In this study, 4 OUD mHealth sites were found to have transmitted identifiable data to Meta.

10 of the 12 sites used Google Analytics on their web pages, despite Google’s policy that the code must not be used to collect personally identifiable information (PII) or protected health information (PHI). All 12 websites used ad tech, with at least some information transmitted by all 12 companies to ad tech firms that buy and sell user data for marketing purposes. The researchers observed an increase in tracker use on the websites over the 16 months. Despite the data sharing and privacy risks found on the websites, these OUD websites typically promoted themselves as confidential, secure, and 100% private.
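As an added illustration of the kind of check Blacklight automates (this is example code written for this article, not The Markup's tool), the following Python scanner looks for the Meta Pixel and Google Analytics snippets, and any other third-party script hosts, in a page; the sample HTML, the clinic.example domain and the pixel ID are constructed placeholders.

```python
"""Added example: scan HTML for common third-party tracking snippets.

Illustrative code written for this article; it is not The Markup's Blacklight
tool. It flags the Meta Pixel and Google Analytics loaders by the script hosts
and JavaScript entry points those products use, and lists any other external
host the page loads scripts, images or frames from.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve the tracker loaders and beacons.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",            # fbevents.js loader
    "www.facebook.com": "Meta Pixel",                # /tr?... image beacon
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Analytics",  # gtag.js loader
}
# Inline initialisation calls that each product's snippet makes.
INLINE_PATTERNS = {
    "Meta Pixel": re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"),
    "Google Analytics": re.compile(r"\b(?:gtag|ga)\s*\(\s*['\"](?:config|create)['\"]"),
}


class TrackerScanner(HTMLParser):
    """Collects tracker names and other third-party hosts from one page."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host
        self.trackers = set()
        self.third_party_hosts = set()
        self._in_script = False

    def _is_first_party(self, host):
        return host == self.first_party or host.endswith("." + self.first_party)

    def _check_url(self, url):
        host = urlparse(url).hostname
        if not host or self._is_first_party(host):
            return  # relative or first-party resource: not a tracker
        if host in TRACKER_HOSTS:
            self.trackers.add(TRACKER_HOSTS[host])
        else:
            self.third_party_hosts.add(host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self._check_url(attrs["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        # Loader snippets embed the tracker host in a string, and the
        # snippet itself calls fbq('init', ...) or gtag('config', ...).
        for host, name in TRACKER_HOSTS.items():
            if host in data:
                self.trackers.add(name)
        for name, pattern in INLINE_PATTERNS.items():
            if pattern.search(data):
                self.trackers.add(name)


def scan_html(html, first_party_host):
    """Return the named trackers and other third-party hosts found in html."""
    scanner = TrackerScanner(first_party_host)
    scanner.feed(html)
    scanner.close()
    return {
        "trackers": sorted(scanner.trackers),
        "third_party_hosts": sorted(scanner.third_party_hosts),
    }


# Constructed sample page for a hypothetical clinic site (not a real site).
SAMPLE_HTML = """<html><head>
<script>
!function(f,b,e,v,n,t,s){/* loader elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-EXAMPLE');
</script>
<script src="https://static.clinic.example/app.js"></script>
<script src="https://cdn.adnetwork.example/tag.js"></script>
</head><body>
<noscript><img height="1" width="1"
 src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML, "clinic.example"))
```

Hosts on the first-party domain (including its subdomains) are ignored, so the report lists only what leaves the site.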

Minimal Changes to ISO 27001 Password Management Controls Anticipated in Updated Standard

The latest version of the ISO 27001 standard will be published next month. Although the control domains are going to change considerably, only minimal changes are expected to the ISO 27001 password management controls.

ISO 27001 is an international information security standard jointly published by the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO). The aim of the standard is to help organizations better protect information by setting out the key requirements for building an effective information security management system.

Organizations that meet the ISO 27001 requirements can choose to obtain certification from an accredited certification body. Certification helps improve a company’s reputation for data protection (which can help attract new clients), reduces the number and duration of security audits, and, in the healthcare sector, can limit enforcement action if a data breach occurs.

Additionally, organizations that do not wish to implement a complete information security management system can implement selected controls. Although this means they will not be eligible for ISO 27001 certification, the controls still help keep data secure, raise information security awareness among employees, and reduce the risk of a data breach.

Current ISO 27001 Password Management Controls

At present, the ISO 27001 password management controls are in Section 9 of Annex A, the “Access Controls” domain. This domain has fourteen controls split into four control groups. Because of the complexity of provisioning, controlling, reviewing, and changing users’ access rights, many organizations wanting to adopt the ISO 27001 password management controls use a vault-based password manager such as Bitwarden with a Security and Compliance Program based on the ISO 27001 standard.

The merits of vault-based password managers are that they work across all operating systems and devices, password policies can be applied universally, by group, or per user, and each vault can be secured with 2FA. Administrators can add and remove users, apply and change role-based access controls (RBACs), and share passwords securely with authorized users through the password manager.

Vault-based password managers are also zero-knowledge solutions. This means that, although it is still necessary to enter into a Business Associate Agreement with the vendor whenever ePHI is shared via the password manager, no one other than the authorized user(s) can access and view the information stored in a vault without the master password and the 2FA authenticator.

Expected Modifications to the ISO 27001 Controls in 2022

In July 2022, the latest version of ISO 27001 – the “Final Draft International Standard” or “FDIS” – was sent out to the National Standards Bodies for official approval. The National Standards Bodies are going to vote on the latest version in late September, and if the vote supports the updates, ISO 27001:2022 is going to be released in October 2022.

Although the ten clauses of the standard have only language changes, Annex A has been substantially revised. The fourteen control domains (A.5 to A.18) have been consolidated into just four control domains. 11 new controls were created, 23 controls were renamed, and 24 controls were merged with other controls. The four new control domains are as follows:

  • A.5 Organizational Controls (37 Controls)
  • A.6 People Controls (8 Controls)
  • A.7 Physical Controls (14 Controls)
  • A.8 Technological Controls (34 Controls)

In the context of the ISO 27001 password management controls, most of the current controls in the former Access Controls domain (A.9) are going to be distributed across the 4 new domains. However, a number of current controls are going to be merged into new controls; for example, the content of A.9.2.4, A.9.3.1, and A.9.4.3 will be placed in control A.5.17 “Authentication Information”.

Other new controls relevant to password management (depending on whether a company stores information in the cloud or uses activity monitoring software) include:

  • A.5.23 “Info Security for Use of Cloud Services”
  • A.8.12 “Data Leakage Prevention”
  • A.8.16 “Monitoring Activities”
  • A.8.32 “Change Management” may also be relevant to some companies.

Modify Your Password Management Controls as Needed

When ISO 27001:2022 is released, certified organizations will have 3 years to make the necessary changes to their information security management system in order to keep their certification. Non-certified organizations that have implemented selected controls can continue using the current controls as guidelines or change them as needed.

Vendors of password managers will undoubtedly provide information on how organizations can comply with the revised ISO 27001 password management controls. If your organization has already implemented a password manager, subscribe to the vendor’s newsletter or blog, or follow them on social media, to receive updates.

North Shore University Hospital, PracticeMax and Ascension Michigan Report Data Breaches

North Shore University Hospital (NSUH), based in Manhasset, NY, has reported a case in which a former employee accessed protected health information (PHI) without a legitimate reason. 7,614 patients have been notified that a former employee viewed their PHI without authorization.

It is unclear when NSUH discovered the unauthorized access to PHI. According to NSUH, it was determined on April 11, 2019 that unauthorized access had occurred between October 2009 and February 2019. Initially, the employee was suspended while the breach was investigated; his/her employment was subsequently terminated as a result of the unauthorized access. The breach was reported to the relevant authorities, which requested that notification letters be delayed so as not to impede the investigation. NSUH said it has not received any reports of misuse of patient data, and no charges have been filed against the former employee in connection with the unauthorized access.

PracticeMax

PracticeMax, a business management and IT solutions company, recently notified the Maine Attorney General that a data breach has affected 165,698 people. PracticeMax said it started experiencing technical problems on May 1, 2021 and began investigating a likely security breach.

The forensic investigation confirmed that unauthorized individuals had access to its systems from April 17, 2021, probably until May 5, 2021. The attackers accessed a server and may have copied files containing the PHI of patients and of its clients’ health plan members before deploying ransomware.

PracticeMax said it issued breach notification letters on behalf of affected clients on October 19, 2021, but the review of the server had not yet been completed. The review was concluded on February 2, 2022, and affected clients were given updates on February 14, 2022. The types of data stored on the server varied from person to person and may have included names and Social Security numbers. PracticeMax explained that on March 4, 2022, it started mailing additional notification letters to individuals who had not previously been notified.

According to the most recent website announcement, PracticeMax is still assessing the security of its systems and improving its existing policies and procedures, including implementing additional technical and administrative safeguards.

Ascension Michigan

Ascension Michigan has begun notifying 27,177 people about a prolonged period of unauthorized access to electronic medical records. Ascension Michigan said it immediately terminated the user’s network access upon becoming aware of the unauthorized access. The investigation revealed that the user had accessed patient records in the EHR system from October 15, 2015 until September 8, 2021.

An audit of the unauthorized access was completed on November 30, 2021, and confirmed the exposure of these types of data: complete names, addresses, email addresses, dates of birth, telephone numbers, health insurance ID numbers and providers, health insurance data, dates of service, diagnoses, treatment-related records, and, in a number of cases, Social Security numbers.

Following the breach, Ascension Michigan reviewed its internal controls and modified its processes to better protect patient information. It also provided credit and identity theft protection monitoring services to affected individuals.

Patient Data Exposed in Ransomware Attacks on Family Christian Health Center & Jackson County Hospital

Family Christian Health Center (FCHC), based in Illinois, has reported a ransomware attack in November 2021 that resulted in the breach of the protected health information (PHI) of 31,000 patients. The ransomware attack was discovered on November 30, 2021, and the investigation confirmed that the attackers first gained access to its IT systems on or about November 18, 2021.

The attackers breached FCHC’s legacy dental system, which held the PHI of individuals who had received dental services before August 31, 2020. The system stored patients’ names, dates of birth, driver’s license numbers, insurance card numbers, and copies of patients’ driver’s licenses and insurance cards. FCHC said details of the dental care provided, Social Security numbers, and credit card numbers of affected dental patients were not exposed. The PHI of non-dental patients who received medical services between December 5, 2016 and August 31, 2020 was also exposed. That information included names, addresses, birthdates, insurance identification numbers, and Social Security numbers.

FCHC worked with third-party IT companies to investigate the breach. A forensic specialist was engaged to determine how the attackers gained access to the network and to recommend additional security measures to prevent further attacks. FCHC said it has implemented supplemental technical safeguards.

Patient Information Likely Exposed in Jackson County Hospital Attack

Jackson County Hospital in Florida recently reported that unauthorized individuals gained access to certain systems within its network and may have viewed or obtained the personal and health data of a number of patients. The security breach was detected on or about January 9, 2022, when several systems became unavailable.

Third-party forensic professionals investigated the cyberattack and confirmed the exfiltration of limited patient data from its systems, including names, addresses, dates of birth, phone numbers, Social Security numbers, medical histories, medical conditions/treatment details, patient account numbers, medical record numbers, diagnosis codes, Medicaid/Medicare numbers, financial account data, and usernames/passwords. At this point, Jackson County Hospital has not found any evidence of misuse of patient information; nevertheless, affected patients were advised to remain vigilant and to check their account statements and explanation of benefits statements for signs of fraudulent transactions.

Jackson County Hospital said the investigation into the cyberattack is continuing and steps are being taken to strengthen security. Existing policies and procedures are being reviewed, and additional administrative and technical safeguards will be implemented to further protect the data in its systems.

The breach was reported to the HHS’ Office for Civil Rights, but it is not yet displayed on the breach portal, so it is still unclear how many people were affected.

PHI Breaches Reported by Advent Health Partners and Loyola University Medical Center

Email accounts that held the protected health information (PHI) of patients were compromised at Advent Health Partners and Loyola University Medical Center.

Loyola University Medical Center

Loyola University Medical Center (LUMC) has notified 16,934 patients about the potential compromise of some of their PHI after an unauthorized person gained access to an employee’s email account. On October 31, 2021, upon noticing suspicious activity in the email account, LUMC promptly secured the account and launched an investigation to determine the nature and extent of the attack.

The investigation showed the account had been accessed from October 29, 2021 to October 31, 2021, however, it wasn’t possible to find out whether any email messages or file attachments were viewed or obtained. There was no proof found that suggests actual or attempted improper use of patient data.

An analysis of the email messages within the account showed they included these types of patient data: Complete name, address, phone, birth date, email, and medical data like medical record number, ailments, prescription drugs, test data, healthcare facility, type of service and a number of health plan details.

Although the incident is considered to carry a low risk of identity theft and fraud, affected individuals were offered a free 12-month membership to a credit monitoring and dark web monitoring service.

LUMC said it has invested heavily in cybersecurity and has a robust security program that includes dedicated cybersecurity staff, assessment of security controls, and 24/7/365 monitoring.

Advent Health Partners

Advent Health Partners, based in Nashville, TN, provides hospital groups with claims management services. At the beginning of September 2021, it was discovered that an unauthorized person had gained access to certain employee email accounts. An investigation confirmed the scope and nature of the data breach. On December 8, 2021, a number of files in the compromised email accounts were possibly accessed.

Advent Health Partners receives limited data sets for routine operational purposes related to communications with health insurers, and some of that data was stored in email attachments.

The company sent notifications to all affected individuals and provided a free membership to credit monitoring and identity theft protection services. Advent Health Partners said it has reviewed and updated its security policies and has implemented additional safeguards to improve email security.

The HHS’ Office for Civil Rights breach portal does not yet show the breach, so it is presently unclear how many people were affected.

CISA Provides Companies With Mobile Device Cybersecurity Checklist

The Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance to help companies secure mobile devices and access business resources securely from them.

The Enterprise Mobility Management (EMM) system checklist was designed to help businesses implement policies that reduce vulnerabilities and block threats that could endanger mobile devices and the business networks to which they connect. The tips in the checklist are simple and easy for companies to implement and can considerably strengthen mobile device security, enabling mobile devices to be used safely to access organizational systems.

CISA recommends a security-focused approach to mobile device management. When selecting mobile devices that meet business requirements, an analysis should be carried out to identify potential supply chain problems. The Mobile Device Management (MDM) system should be configured to update automatically, to ensure it is always running the latest version of the software and that patches are applied automatically to fix known vulnerabilities.

A device trust policy should be enforced that restricts access to company resources when a device lacks the latest patch level, is not configured to enterprise standards, is unlocked or rooted, or is not continuously supervised by the EMM.

Strong authentication settings should be used, including strong passwords/PINs, with PINs of at least 6 digits. Where possible, fingerprint or facial recognition should be enabled. Two-factor authentication should be enforced for business networks, requiring a password/passcode plus one additional authentication factor such as an SMS message, alternating password, or biometric input.

CISA recommends strong app protection, which includes downloading applications only from trusted app stores, isolating organizational applications, minimizing the PII stored in apps, disabling sensitive permissions, restricting OS/app synchronization, and vetting company-developed applications.

Network communications should be secured by turning off unnecessary network radios (Bluetooth, NFC, GPS, Wi-Fi) when not in use, disabling user certificates, and using only secure communication software and protocols, such as a VPN, for connecting to the business network.

Mobile devices should be protected at all times. A Mobile Threat Defense (MTD) system should protect against malicious applications that could compromise applications and operating systems, and should detect misconfigurations. Devices should only be charged using the proper chargers and cables, and lost-device functionality should be enabled to ensure devices are wiped after a set number of failed login attempts (10, for instance). It is also necessary to protect critical business systems and prevent them from being accessed from mobile devices because of the risk of malware transmission.
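To show how the trust conditions above translate into a policy an EMM could enforce, here is an added Python example written for this article (not CISA's checklist or any vendor's API); the DeviceReport field names and the year-month patch-level format are assumptions.

```python
"""Added example: a device-trust gate built from the CISA checklist items above.

Illustrative code written for this article; it is not CISA's checklist or any
EMM product's API. The DeviceReport fields are assumed names for attributes an
EMM would normally supply, and os_patch_level is assumed to be an ISO
year-month string such as "2022-09" so that plain string comparison orders it.
"""
from dataclasses import dataclass
from typing import Optional

MIN_PIN_LENGTH = 6          # checklist: PINs of at least 6 digits
MAX_FAILED_ATTEMPTS = 10    # checklist: wipe after e.g. 10 failed logins


@dataclass
class DeviceReport:
    device_id: str
    os_patch_level: str                         # assumed "YYYY-MM" format
    enterprise_configured: bool
    rooted_or_jailbroken: bool
    emm_supervised: bool
    pin_length: int
    biometric_enabled: bool
    wipe_after_failed_attempts: Optional[int]   # None = not configured
    mtd_installed: bool
    unused_radios_disabled: bool


def evaluate_device(report, current_patch_level):
    """Apply the trust policy: 'deny' findings block access, 'warn' do not."""
    deny, warn = [], []

    # Conditions the checklist says should block access to company resources.
    if report.os_patch_level < current_patch_level:
        deny.append(f"patch level {report.os_patch_level} is behind {current_patch_level}")
    if not report.enterprise_configured:
        deny.append("device is not configured to enterprise standards")
    if report.rooted_or_jailbroken:
        deny.append("device is rooted or jailbroken")
    if not report.emm_supervised:
        deny.append("device is not supervised by the EMM")
    if report.pin_length < MIN_PIN_LENGTH:
        deny.append(f"PIN has {report.pin_length} digits, minimum is {MIN_PIN_LENGTH}")
    if report.wipe_after_failed_attempts is None:
        deny.append("lost-device wipe after failed logins is not configured")
    elif report.wipe_after_failed_attempts > MAX_FAILED_ATTEMPTS:
        warn.append(f"wipe threshold {report.wipe_after_failed_attempts} exceeds {MAX_FAILED_ATTEMPTS}")

    # Recommended hardening that is reported but does not block access.
    if not report.biometric_enabled:
        warn.append("biometric unlock not enabled")
    if not report.mtd_installed:
        warn.append("no Mobile Threat Defense agent installed")
    if not report.unused_radios_disabled:
        warn.append("unused radios (Bluetooth/NFC/GPS/Wi-Fi) left enabled")

    return {"device_id": report.device_id, "trusted": not deny,
            "deny": deny, "warn": warn}


# Constructed sample reports (not real devices).
COMPLIANT = DeviceReport("phone-01", "2022-09", True, False, True, 6, True, 10, True, True)
RISKY = DeviceReport("phone-02", "2022-06", True, True, True, 4, False, None, False, True)

if __name__ == "__main__":
    for device in (COMPLIANT, RISKY):
        print(evaluate_device(device, "2022-09"))
```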

CISA’s mobile device cybersecurity checklist can be downloaded from this page.

Vulnerabilities Discovered in Philips IntelliBridge, Efficia and Patient Information Center Patient Monitors

Five vulnerabilities have been identified that affect the following products: the IntelliBridge EC 40 and EC 80 Hub, Philips Patient Information Center iX, and Efficia CM series patient monitors.

IntelliBridge EC 40 and EC 80 Hub

Two vulnerabilities were found that affect versions C.00.04 and earlier of the IntelliBridge EC 40 and EC 80 Hub. An unauthorized individual who successfully exploits the vulnerabilities could execute software, modify system configuration, and update/view files that may contain unidentifiable patient data.

CVE-2021-32993 – The first vulnerability results from the use of hard-coded credentials in the software for its own inbound authentication, outbound communication with external components, or encryption of internal files.

CVE-2021-33017 – The second vulnerability is an authentication bypass. Although the product’s normal access path requires authentication, an alternate path was identified that does not.

Both vulnerabilities were designated a CVSS v3 severity score of 8.1 out of 10.

Philips has not yet released a fix for the vulnerabilities but expects to do so before the end of 2021. In the meantime, Philips advises using the devices only within Philips-authorized specifications, and only using Philips-authorized software, software configuration, security settings, and system services. The devices should be physically or logically isolated from the hospital network.

Patient Information Center iX and Efficia CM Series Patient Monitors

Three vulnerabilities were discovered that affect the Philips Patient Information Center iX and Efficia CM series patient monitors. The vulnerabilities could be exploited to gain access to patient information and to conduct a denial-of-service attack. Although exploitation has low attack complexity, the vulnerabilities can only be exploited from an adjacent network.

The vulnerabilities have an impact on these Philips products:

  1. Patient Information Center iX (PIC iX): Versions B.02, C.02, C.03
  2. Efficia CM Series: Revisions A.01 to C.0x and 4.0

Vulnerable versions of the PIC iX do not properly validate input to determine whether it has the properties required for safe and correct processing. The vulnerability is tracked as CVE-2021-43548 and has been assigned a CVSS severity score of 6.5 out of 10.

A hard-coded cryptographic key is used, meaning encrypted data could be recovered from vulnerable versions of the PIC iX. The vulnerability is tracked as CVE-2021-43552 and has a CVSS score of 6.1.

A broken or risky cryptographic algorithm means sensitive information could be compromised in communications between Efficia CM Series patient monitors and the PIC iX. The vulnerability is tracked as CVE-2021-43550 with a CVSS score of 5.9.

CVE-2021-43548 has been fixed in PIC iX C.03.06 and patches to repair the other two vulnerabilities are going to be available by the end of 2022.

To minimize the potential for exploitation, the devices should only be used in accordance with Philips-authorized specifications, which include physically or logically isolating the products from the hospital’s local area network and using a firewall or router with access control lists that restrict traffic into and out of the patient monitoring network to only the required ports and IP addresses.

Philips-released hardware has BitLocker Drive Encryption enabled by default, and this must not be disabled. Before disposal, NIST SP 800-88 media sanitization guidelines should be followed. Patient data is not automatically placed in archives, so when archives containing patient records are exported, the data should be stored securely with appropriate access controls.

82% Of Healthcare Providers Have Encountered an IoT Cyberattack during the Past 18 Months

A new study by Medigate and CrowdStrike highlights the extent to which threat actors are targeting healthcare Internet of Things (IoT) devices and warns about the troubled state of IoT security in healthcare.

The quantity of IoT devices being utilized in healthcare has gone up substantially in recent years as connected health drives a trend in the delivery of health care. Healthcare organizations are progressively reliant on IoT devices to do a variety of important functions, and although the devices provide massive clinical rewards, cybersecurity must be taken into consideration.

Cyber threat actors have disproportionately targeted healthcare organizations for a number of years because of the high value of healthcare data, the ease with which it can be monetized, and the relatively poor cybersecurity defenses in healthcare compared with other industries. The rapid adoption of IoT devices has greatly expanded the attack surface, giving threat actors many more opportunities to conduct attacks. Additionally, IoT devices frequently have weaker security settings than other devices and can provide an easy entry point into healthcare networks.

The research included a survey of healthcare organizations to find out what threats they have faced in the last 18 months. 82% of surveyed healthcare organizations said they had experienced at least one form of IoT cyberattack during the past 18 months, and 34% of respondents said the attackers used ransomware. The situation will probably get worse as the number of IoT devices in healthcare grows. According to the report, spending on connected medical devices is forecast to grow at a CAGR of 29.5% through 2028.

One of the main problems with securing IoT devices is the lack of an inventory of all connected devices, and this is particularly weak in the healthcare sector. IoT security risks can be managed and reduced to an acceptable level, but if healthcare providers have no visibility into the IoT devices connecting to their networks, key security controls cannot operate at the required levels.

Healthcare institutions should have a clear visualization of the security posture of every device and be mindful of network standing, place, and device usage. There can be 100 or even more devices being used, therefore monitoring those devices and the protection status of each one could be a big problem and will just worsen as the number of devices rises.

The researchers make a number of suggestions regarding enhancing IoT security, such as endpoint detection and response (EDR), network segmentation, and orchestrated visibility, and permitting attacks to be quickly secured. It is additionally essential to make sure insurance policies get enough coverage.

HDOs should have a complete understanding of their overall connected landscapes, or else, threat intelligence can’t be correctly processed or linked to the appropriate devices, and remediations won’t give the sought-after impact. Processes that constantly enhance visibility and its orchestration, EDR, and containment capacity should be set up, or these extra defense layers cannot do their maximum intended levels.

To be able to scale the provision of connected health, the researchers point out security and asset management procedures need to converge. The researchers suggest making a common reference foundation, not just to modernize current infrastructure where feasible but to make certain the performance of long-term investments in layered capacities.

127,000 NorthCare Patients’ PHI Potentially Exposed in Ransomware Attack

NorthCare, a mental health clinic based in Oklahoma City, OK, suffered a ransomware attack in June 2021 that resulted in the compromise of patients’ protected health information (PHI).

NorthCare discovered suspicious system activity on June 1, 2021, when ransomware was used to encrypt files. The investigation into the attack confirmed that the network was breached on May 29, 2021. The threat actors immediately deployed ransomware to block access to files and issued a ransom demand in exchange for the keys to decrypt them.

NorthCare promptly took steps to contain the attack, and although it was not possible to stop the file encryption, the clinic was able to restore its network and data from backups without paying the ransom.

The attackers had accessed parts of the network that stored patients’ protected health information. Although the investigators did not confirm any data exfiltration, NorthCare is assuming the threat actors gained access to patient information. The types of information potentially exposed in the attack were patients’ full names, birth dates, addresses, Social Security numbers, and medical diagnoses.

After the attack, third-party forensics specialists assisted with the investigation and remediation. NorthCare has notified the Federal Bureau of Investigation and is working with technical specialists to strengthen the security of its network and restrict access to it.

Since the attackers may have accessed and acquired protected health information, NorthCare has provided identity monitoring, identity theft restoration, and fraud consultation services to individuals affected by the breach free of charge for 12 months.

The breach notification submitted to the Maine Attorney General revealed that the ransomware attack potentially affected the protected health information of 127,883 patients.

Medical AI Database Containing More Than 800 Million Records Exposed Online

Security researcher Jeremiah Fowler and the Website Planet research team discovered an unsecured database belonging to Deep6.ai, an American medical AI platform provider. The database contained more than 800 million records relating to patients and doctors and could be accessed online by anyone without a password.

Deep6.ai has developed AI-based software that can be run on raw data to identify people with medical conditions that are not recorded in their medical files. The software is particularly useful for finding individuals who meet the criteria for clinical trials and can considerably reduce the time needed to locate suitable trial participants.

The database held 68.53 GB of data and 886,521,320 records, most of which related to people in the United States. Although some of the information was encrypted, physician notes and doctor data were in plain text and could be viewed by anyone.

Fowler and Website Planet found the following information in the dataset: date, document type, physician note, encounter IDs, patient IDs, uuid, noteId, patient type, note type, date of service, and specific note text. Physician notes contained details of patients’ health problems, treatment, and medications, and in a number of cases, details about patients’ family, emotional, and social concerns.

The dataset consisted of three parts: a concept index of 21 million records that disclosed lab test results and medications; a patient index of 422 million records that revealed internal patient logging and tracking procedures, although patient names were not stored in plain text; and a provider index of 89,000 records that revealed doctor names, internal patient ID numbers, record locations and .CSV files, and other potentially sensitive details, including files stating where information is stored.

Besides exposing the information to anyone with an Internet connection, the database was also vulnerable to a ransomware attack. After examining the database, Fowler and Website Planet determined that it belonged to Deep6.ai. Following responsible disclosure practices, Deep6.ai was informed and the database was quickly secured. It is not known how long the database was exposed online or whether anyone else viewed the records during that time.

About 54,000 Patients Impacted by Ransomware Attack at OSF HealthCare

OSF HealthCare, a not-for-profit Catholic health system based in Peoria, IL, has started sending notifications to 53,907 patients about a cyberattack that was detected on April 23, 2021.

OSF HealthCare said that upon discovering the breach, it took steps to prevent further unauthorized access and engaged a third-party forensic specialist to investigate the attack and determine the scope of the breach. The investigator confirmed that the attackers first gained access to its systems on March 7, 2021 and may have had continued access until April 23, 2021.

OSF HealthCare said the attackers accessed a number of files on its systems associated with patients of OSF HealthCare Little Company of Mary Medical Center and OSF HealthCare Saint Paul Medical Center. As of August 24, the investigators had confirmed that the following types of patient data may have been exposed:

Names, contact details, birth dates, driver’s license numbers, Social Security numbers, state/government ID numbers, treatment data, diagnosis data and codes, physician names, hospital units, dates of service, prescription details, medical record numbers, and Medicare/Medicaid or other health insurance details.

A subset of patients also had financial account data, credit/debit card details, or credentials for an online financial account compromised.

Individuals whose Social Security number or driver’s license number was exposed in the attack have been offered complimentary credit monitoring and identity protection services through Experian. OSF HealthCare says it has implemented additional safeguards and technical security measures to prevent further attacks.

OSF HealthCare published a substitute breach notice on its website, which did not state the nature of the cyberattack, but it appears to have been a ransomware attack involving data theft that potentially occurred 7 months earlier.

Databreaches.net reports that it learned in June that stolen data had been published on a dark web leak site and notified OSF HealthCare about the exposure of patient data. A ransomware operation known as Xing Team claimed responsibility for the cyberattack and uploaded data containing patients’ protected health information to its dark web leak site. Databreaches.net said the site listing had been viewed more than 350,000 times, according to the site’s counter.

K and B Surgical Center & Healthpointe Medical Group Alert Patients About Hacking Incidents

K and B Surgical Center, located in Beverly Hills, CA, discovered that an unauthorized individual had gained access to its computer system. The healthcare provider detected the security breach on March 30, 2021, and a third-party forensic investigation confirmed that its network was breached between March 25 and March 30.

As soon as K and B Surgical Center discovered the breach, it took steps to prevent the attacker from accessing its computer system further and began an investigation to determine the scope of the breach. On April 27, 2021, the investigation concluded that the attacker had gained access to parts of the system that contained the protected health information (PHI) of patients.

Data analysis was conducted on the breached servers to determine which types of data were compromised and which patients were affected. K and B Surgical Center stated in its breach notification letters, issued on September 3, 2021, that it had only obtained the complete list of affected patients on July 27.

The types of information the attacker potentially viewed and/or exfiltrated included: names, telephone numbers, addresses, driver’s license numbers, diagnoses, treatment and prescription details, provider names, Medicare/Medicaid numbers, patient IDs, laboratory test data, medical insurance data, and treatment cost details. At the time the breach notification letters were issued, no reports had been received of any actual or attempted misuse of patient information as a result of the security breach.

In total, 14,772 individuals received the notification letters. K and B Surgical Center has provided the affected individuals with 12 months of free credit monitoring and identity theft restoration services as a precaution against identity theft and fraud.

Following the security incident, passwords were changed for all user accounts, VPN connections, and email accounts. K and B Surgical Center also installed new anti-virus and threat monitoring software on all computers. Employees were retrained on security, the Security Rule risk analysis was updated, and regular security audits will be conducted to check for potential vulnerabilities.

Healthpointe Medical Group Informs Patients About Hacking Incident

Healthpointe Medical Group, based in Portland, OR, has notified some patients about a hacking incident and the compromise of their protected health information.

Healthpointe detected suspicious activity on certain servers on or around June 9, 2021 and promptly took steps to secure its IT systems. A leading computer forensics firm investigated the nature and scope of the breach. On July 7, 2021, the investigation revealed that the attacker had gained access to files or folders containing patient records. A review of those files and directories was completed on July 27 and confirmed that they included names, addresses, and Social Security numbers. Healthpointe began sending notification letters to affected individuals in late August.

Healthpointe has performed a company-wide password reset, updated its firewalls, expanded the use of multi-factor authentication, and taken other steps to improve its security practices. Affected individuals have been advised that they can receive a year of identity theft protection services through IDX free of charge and are covered by a $1 million identity theft insurance policy.

Patient Data Exposed Via Walgreens’ COVID-19 Test Registration System

The personal information of people who took a COVID-19 test at a Walgreens pharmacy was exposed online because of vulnerabilities in its COVID-19 test registration system.

It is currently unclear how many people were affected, but the number may well be in the millions given the number of COVID-19 tests Walgreens has performed since April 2020. It is also unclear when the vulnerabilities were introduced, but they date back to at least March 2021, when Interstitial Technology PBC consultant Alejandro Ruiz identified them. He found the security problem when a relative had a COVID-19 test at Walgreens. Ruiz contacted Walgreens to advise the company of the data exposure, but said the firm did not respond.

Ruiz spoke to Recode about the problem, and two security specialists confirmed the vulnerabilities. Recode raised the issue with Walgreens, and the company said it routinely evaluates and integrates additional security enhancements when deemed necessary or appropriate. Nevertheless, as of September 13, 2021, the vulnerabilities had still not been resolved.

Recode says that using the Wayback Machine, an archive of the web, blank test confirmations dating back to July 2020 can be viewed, suggesting the vulnerabilities have existed since that time.

According to the security experts, the vulnerabilities were caused by basic mistakes in Walgreens’ COVID-19 test scheduling and registration system. After a patient fills in an online form, a 32-digit ID number is generated and an appointment request form is created whose link includes that unique 32-digit ID. Anyone who has the link can access the form; no authentication is required to view the page.

The visible part of the page contains only the patient’s name, the type of test, and the appointment time and location, but through the browser’s developer tools other data can be accessed, including date of birth, address, email address, phone number, and gender identity. Since the OrderID and the name of the facility that conducted the test are also included in that data, it is possible to view the test result, at least at one of Walgreens’ lab partners’ test result sites.

An active page could also be viewed by an unauthorized person using the computer of someone who booked a test, via the browser history. An employer, for instance, could see the data if the page was opened on a work computer. The information would also be visible to the third-party ad trackers present on the Walgreens appointment confirmation pages. The researchers note that the confirmation pages include ad trackers from Adobe, Facebook, Akamai, Dotomi, Google, Monetate, and InMoment, all of which could potentially access private details.

The links to all confirmation pages are identical apart from the unique 32-digit code in the query string. The researchers said there are probably millions of active booking confirmation pages, since Walgreens has been conducting COVID-19 tests at about 6,000 sites across the United States for nearly 18 months.

The researchers noted that a hacker could use a bot to generate 32-digit identification numbers, insert them into the links, and identify active pages. Given the number of digits in the link, that would be a lengthy task, although not impossible.
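The enumeration risk described above leaves a signature a defender can watch for: one client requesting many different 32-digit IDs in a short time and mostly receiving 404s, while a real patient opens a single link. The following added example (not code from the original report or from Walgreens’ systems) runs that check over a few constructed access-log lines; the /confirmation path and the `id` parameter name are assumptions.

```python
"""Spot enumeration of appointment-confirmation IDs in web server access logs.

Added example, not code from the original report or from Walgreens' systems.
Assumptions: the confirmation page is served at a path like /confirmation
(hypothetical) with the 32-digit ID in the "id" query parameter, and the web
server writes Common Log Format lines.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
CONFIRM_PATH = "/confirmation"          # hypothetical path
ID_RE = re.compile(r"^\d{32}$")         # the 32-digit ID the article describes


def parse_line(line):
    """Return a record for a confirmation-page lookup, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("url"))
    if url.path != CONFIRM_PATH:
        return None
    ids = parse_qs(url.query).get("id", [])
    if len(ids) != 1 or not ID_RE.match(ids[0]):
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "id": ids[0],
        "status": int(m.group("status")),
    }


def find_enumeration(lines, window_s=600, min_distinct=20, min_miss_rate=0.8):
    """Flag clients that request many distinct IDs in a short window with mostly 404s.

    A real patient opens one confirmation link; a sweep over guessed IDs
    produces a stream of distinct IDs, most of which do not exist (404).
    Returns {ip: {"requests", "distinct_ids", "miss_rate", "ids_found"}}.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most window_s
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            distinct = {r["id"] for r in window}
            if len(distinct) < min_distinct:
                continue
            misses = sum(1 for r in window if r["status"] == 404)
            miss_rate = misses / len(window)
            if miss_rate >= min_miss_rate:
                flagged[ip] = {
                    "requests": len(window),
                    "distinct_ids": len(distinct),
                    "miss_rate": round(miss_rate, 2),
                    # IDs that resolved: the records the sweep actually reached
                    "ids_found": sorted(r["id"] for r in window if r["status"] == 200),
                }
                break
    return flagged


def _log_line(ip, ts, id_, status):
    return '%s - - [%s] "GET %s?id=%s HTTP/1.1" %d 512' % (
        ip, ts.strftime(TS_FMT), CONFIRM_PATH, id_, status)


def sample_log():
    """Constructed log lines: one legitimate lookup and one client sweeping IDs."""
    t0 = datetime(2021, 9, 13, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_log_line("203.0.113.7", t0, "%032d" % 4242, 200)]
    for i in range(25):
        status = 200 if i in (3, 17) else 404
        lines.append(_log_line("198.51.100.9", t0 + timedelta(seconds=2 * i),
                               "%032d" % (10 ** 20 + i), status))
    return lines


if __name__ == "__main__":
    for ip, stats in find_enumeration(sample_log()).items():
        print(ip, stats)
```

The `ids_found` list is the part worth acting on: those are the confirmation records a sweep actually reached, which is what a breach assessment needs.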

Any company that makes such basic errors in an app that manages healthcare data is one that does not take security seriously, Ruiz told Recode. It’s simply one more example of a big company that prioritizes its income over data privacy.

Password Recommendations by NCSC

The UK’s NCSC has updated its password guidance. The new approach meets password strength requirements while remaining user-friendly.

There are several schools of thought on creating passwords, but all rest on the assumption that passwords must be sufficiently complex that they cannot be quickly guessed, not only by humans but also by the algorithms hackers use in brute-force attacks.

Every year, lists of the worst passwords are published, compiled from credentials compromised in data breaches. These lists clearly show that some people are not very good at choosing passwords. For instance, “password,” “12345678,” and “qwertyuiop” regularly appear on them. Because of the risk of users choosing weak passwords, many companies now have minimum password complexity requirements, but that doesn’t always mean strong passwords will be set.

The Problem with Password Complexity Requirements

Typical minimum complexity requirements call for at least one number, one lower-case and one upper-case letter, and usually a special character. Including these elements should result in harder-to-guess passwords, at least in theory. In practice, people get around the requirements with passwords like “Passw0rd!” or “Qwertyuiop1!” that satisfy the complexity rules but are still incredibly weak and highly vulnerable to brute-force attacks.

From a security standpoint, every account should have a unique password that is never reused across accounts. Passwords should ideally consist of random numbers, letters, and characters and be sufficiently long, at least 8 characters. The problem is that although such random, complex passwords are strong and resistant to brute-force attacks, they are also virtually impossible for most people to remember, since the average person has around 100 passwords.

The National Institute of Standards and Technology (NIST) highlighted this problem in its latest password guidance (SP 800-63B) and recommends the use of passphrases instead of passwords, since the length of a passphrase of, for example, 16 characters provides the necessary complexity while remaining user-friendly.

Now the National Cyber Security Centre (NCSC), part of the UK’s Government Communications Headquarters (GCHQ), has recommended a new approach to creating passwords that combines security with usability.

NCSC Password Advice

The NCSC’s proposal contrasts with the conventional advice to use arbitrarily complex passwords. Passwords containing numbers, lower- and upper-case letters, and special characters are usually not actually complex and give a false sense of security, because the character combinations chosen by end users are typically not random. There are tricks that many people use to make passwords easy to remember while satisfying complexity requirements, and those tricks are well known to hackers: for instance, replacing an E with a 3, a 1 with an exclamation mark, an O with a zero, or an S with a 5.

Some letter and number combinations are also more common than others, and those common combinations are built into hackers’ password-guessing tools. Counterintuitively, complying with these complexity requirements leads to more predictable passwords.

The NCSC password advice provides sufficient complexity while keeping passwords easy to remember. The recommendation is to use 3 random words to create a password. Using 3 random words produces passwords that are reasonably long and sufficiently complex, yet easy to recall.

This three-random-words approach to creating passwords is effective in several ways:

  • Length – Passwords are typically longer
  • Novelty – Encourages the use of words that have not been considered before
  • Impact – The technique is simple to explain
  • Usability – It is easy to come up with three words and keep them in mind
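As an added example (not NCSC’s or NIST’s code), the following shows both points made above: a policy checker that undoes the substitutions the article names catches “Passw0rd!” even though it satisfies every complexity rule, and a three-random-words password drawn with a cryptographic RNG is scored by guessing entropy, which depends on the size of the word list. The word lists are constructed and far smaller than a real cracking dictionary or passphrase list; 7,776 is used below as the size of a typical diceware list.

```python
"""Why complexity rules pass predictable passwords, and what three random words buy.

Added example, not NCSC's or NIST's code. The substitution table follows the
tricks the article names (E->3, 1->!, O->0, S->5); the word lists below are
constructed stand-ins, far smaller than a real cracking dictionary or
passphrase list.
"""
import math
import secrets
import string

# Reverse of the substitutions the article lists: symbol -> what it stands for.
UNSUBSTITUTE = str.maketrans({"3": "e", "0": "o", "5": "s", "!": "1"})

# Constructed stand-in for the base words a guessing tool tries first.
COMMON_BASES = {"password", "qwertyuiop", "welcome", "letmein", "admin", "monkey"}

# Constructed, tiny passphrase list; real lists have thousands of entries.
WORDS = ["harbour", "violet", "kettle", "granite", "saddle", "lantern", "meadow", "copper"]


def meets_complexity_rules(pw: str) -> bool:
    """Typical policy: at least one digit, one lower-case, one upper-case, one special."""
    return (any(c.isdigit() for c in pw) and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c in string.punctuation for c in pw))


def base_word(pw: str) -> str:
    """Undo the usual tricks: lower-case, reverse the substitutions, strip digits and symbols at the ends."""
    return pw.lower().translate(UNSUBSTITUTE).strip(string.digits + string.punctuation)


def is_predictable(pw: str) -> bool:
    """True if the password collapses to a common base word once the tricks are undone."""
    return base_word(pw) in COMMON_BASES


def assess(pw: str) -> dict:
    """Show the two verdicts side by side: policy-compliant vs. actually predictable."""
    return {
        "meets_complexity_rules": meets_complexity_rules(pw),
        "predictable": is_predictable(pw),
        "length": len(pw),
    }


def three_random_words(words=WORDS, sep="") -> str:
    """NCSC-style password: three words drawn with a cryptographic RNG, not chosen by a person."""
    return sep.join(secrets.choice(words) for _ in range(3))


def passphrase_entropy_bits(list_size: int, n_words: int = 3) -> float:
    """Guessing entropy when each word is chosen uniformly from list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    for pw in ("Passw0rd!", "Qwertyuiop1!", three_random_words()):
        print(pw, assess(pw))
    # The list size is what matters: 8 words give 9 bits, a 7,776-word list gives about 38.8 bits.
    print(passphrase_entropy_bits(len(WORDS)), passphrase_entropy_bits(7776))
```

The point of the entropy figures is that the three words must come from a large list and be chosen at random; three words a person picks from memory are closer to the dictionary case than to the 7,776-word one.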

NCSC’s technical director Dr. Ian Levy explains that the traditional advice to remember several complex passwords is just silly. By adopting this recommendation, people become less vulnerable to cybercriminals; they should create such passwords for their most important accounts and consider using a password manager.

That last piece of advice is crucial, as the tactic of using 3 random words doesn’t work if unique passwords must be created for 100 online accounts. Using 3 random words is not a panacea that solves the problem of remembering many passwords in one stroke; it needs to be used together with secure storage.

The goal of the latest NCSC password recommendations is not to solve the password problem entirely, but simply to improve password diversity: reducing the number of passwords that can be guessed by cheap and efficient search algorithms, forcing an attacker to run several search algorithms (or use inefficient ones) to recover a useful number of passwords.

The Most Effective Password Strategy

Based on the NCSC password recommendations, the most effective password strategy is to create a password made of 3 random words and to use a password manager. With a password manager, users can generate completely random strings of letters, numbers, and characters that are extremely complex, yet they don’t need to remember them. The passwords are stored in encrypted form in a secure password vault and are auto-filled whenever the user needs them; there is no need to remember or type them. These tools are very secure, and many use a zero-knowledge design, which means even the developer of the password manager cannot access the password vaults.

All a user has to do is create a secure master password for the password vault and set up 2-factor authentication. The technique of using 3 random words works well for the master password that gives access to the user’s vault of truly random, long, complex passwords.

There are low-cost and even free password managers. For instance, Bitwarden offers a secure, open-source password manager that is free, and the individual premium plan costs only $10 a year. Despite the low cost, very few people still use one.

If companies and individuals start using a password manager and follow the latest NCSC password recommendations, there will be a substantial improvement in both password security and usability.

Wisconsin Dermatology Practice Reports Data Breach Impacting 4,400 Individuals

Forefront Management, LLC and Forefront Dermatology, S.C., based in Manitowoc, WI, discovered on June 4, 2021 that unauthorized persons had gained access to its systems and potentially viewed personal and confidential staff and patient data.

The affected systems were promptly taken offline to prevent further unauthorized access to the network, and an investigation was launched to determine the nature and scope of the breach. On June 24, 2021, Forefront confirmed that certain files stored on its systems had been accessed and that the hacker may have obtained the personal data of a small number of Forefront employees, including their names and Social Security numbers. According to the investigation, the network was first breached on May 28, 2021 and the hacker may have had access until June 4, 2021.

During the investigation, Forefront confirmed that the unauthorized person had also accessed files containing the personal data and protected health information (PHI) of a small number of current and former Forefront patients.

Patient data potentially exposed in the breach included names, addresses, birth dates, patient account numbers, medical record numbers, health insurance member ID numbers, dates of service, provider names, and/or medical and clinical treatment data.

Forefront submitted a breach summary to state attorneys general indicating that 4,431 people were affected. Although there is no indication that any data in the files has been misused, Forefront is offering affected individuals a free 12-month membership to TransUnion’s myTrueIdentity Credit Monitoring Service.

Forefront said it is improving its security standards to help prevent similar incidents in the future.

Data Breaches at the UW Health MyChart Portal and Jones Family Dental

University of Wisconsin Hospitals and Clinics Authority has announced a breach of its Epic MyChart portal that affected 4,318 UW Health patients. The hospital detected unusual activity on the portal and launched an investigation on April 20, 2021 to determine the nature and scope of the breach.

The investigation concluded on May 4, 2021 and confirmed that unauthorized persons had access to the portal for approximately 4 months, from December 27, 2020 to April 13, 2021.

UW Health said the unauthorized person accessed the MyChart patient portal homepage, which displays clinical data including hospital admission dates, appointment reminders, care team, subject lines of messages from healthcare providers, and prompts to view new test results. Pages were also viewed that contained some patient appointment and admission dates; demographic data such as names, addresses, telephone numbers, and email addresses; health insurance and claims data; diagnoses; prescription medications; and test results. Breach notification letters were mailed to affected patients starting on June 18, 2021.

UW Health has also taken steps to strengthen security, such as increasing password security, implementing 2-factor authentication for MyChart portal access, disabling accounts that have been inactive for 15 months, and improving its monitoring processes.

Hacking of Jones Family Dental Computers

Jones Family Dental, based in Ashland, OR, has reported a hacking incident that potentially compromised the protected health information (PHI) of 6,493 current and former patients. An investigation was launched after suspicious computer activity was detected, and it showed that an unauthorized person accessed its computers from April 15, 2021 to April 18, 2021.

It could not be determined whether the computers containing patient data were accessed, but the possibility cannot be ruled out. The practice does not believe any patient information was viewed or exfiltrated; nevertheless, it sent notification letters to affected individuals as a precaution.

Patient data on the computer system at the time of the breach included the following data elements: name, birth date, address, driver’s license number, treatment records, medical history, diagnostic data, and/or health/dental insurance details.

Security policies and procedures are under review and will be revised to prevent similar breaches in the future.

Over 3.2 Million People Impacted by 20/20 Hearing Care Network Data Breach

The 20/20 Hearing Care Network has begun notifying millions of current and former members about the potential compromise or deletion of some of their protected health information (PHI).

On January 11, 2021, the provider detected suspicious activity in its AWS cloud storage account and immediately took steps to prevent the hacker from further accessing the account. An investigation was launched to determine the nature and scope of the breach. Third-party forensics specialists who assisted confirmed unauthorized access to the S3 buckets hosted in AWS, the download of data from those buckets, and the deletion of all files in them.

At the end of February, the forensic investigators confirmed that certain data downloaded from and deleted from the AWS storage account contained the PHI of some or all health plan members. Although data theft was confirmed, it was not possible to determine precisely which data was accessed or deleted from the S3 buckets. The types of data potentially obtained included names, birth dates, Social Security numbers, member ID numbers, and health insurance data.

Beginning on or around May 28, 2021, 20/20 Hearing Care Network sent notification letters to all individuals potentially affected by the breach. As a precaution against misuse of member data, some affected individuals have been offered free credit monitoring and identity theft protection services.

In its breach notice, 20/20 said that although data theft was confirmed, it is confident that no member information has been misused. The report submitted to the Maine Attorney General categorizes the breach as ‘insider wrongdoing’.

Following the security breach, 20/20 conducted a thorough review of its policies and procedures and took steps to strengthen security to prevent similar breaches in the future.

The breach report filed with the Maine Attorney General lists 3,253,822 people as affected, making this one of the largest healthcare data breaches reported in 2021.

TitanHQ’s WebTitan OTG (on-the-go) Now Available for Chromebooks

TitanHQ has launched the latest version of its top-rated DNS filtering product, WebTitan Cloud. It is a cloud-based cybersecurity solution that enables users to block web-based threats, control Internet access, and gain full visibility into the online activity of their users.

The latest release, WebTitan Cloud 4.16, includes DNS Proxy 2.06, which can filter users in Azure Active Directory, and adds directory integration for Active Directory, including on-premises AD. TitanHQ has also extended WebTitan Cloud to provide protection for Chromebooks.

The new Chromebook filtering solution, WebTitan OTG (on-the-go) for Chromebooks, allows educational institutions to apply filtering controls to BYOD devices and keep students safe when using school-issued devices.

According to TitanHQ CEO Ronan Kavanagh, the new product was launched after an intensive first quarter. The introduction of WebTitan Cloud 4.16 delivers remarkable new security capabilities for its customers, and after considerable progress in 2020, TitanHQ expects these product innovations and new features to make 2021 another outstanding year for the company.

Protecting Chromebooks with WebTitan OTG (on-the-go)

Chromebook use has been growing considerably, particularly in education. Chromebooks are the most affordable way for students to access the web and online learning resources, but controls must be put in place to comply with state and federal regulations such as the Children’s Internet Protection Act (CIPA).

WebTitan OTG for Chromebooks enables administrators to ensure that students can only access safe, filtered Internet content both in class and at home. The product can be used to enforce Safe Search, block access to age-inappropriate or harmful web content, and shut down Chromebooks to prevent circumvention of the blocking settings. Administrators also get on-demand reports on Internet access, showing locations, content accessed, and attempts to view restricted material, as well as live views of Internet activity.

Main Features of WebTitan OTG for Chromebooks

  • Affordable web filtering for educational institutions.
  • Quick to set up and manage remotely.
  • Complete reporting on all Chromebook end users and locations.
  • User level guidelines.
  • No extra on-premises hardware necessary.
  • No slow & costly VPNs or Proxies needed.
  • Chromebooks may be shut down to prevent circumvention.
  • Speedy, easy to customize & accurate DNS filtering.

Ransomware Attack on Home Healthcare Service Provider Impacts 753,000 People

Personal Touch Holding Corp, a home healthcare services provider based in Lake Success, NY, is notifying 753,107 patients about a potential breach of their protected health information (PHI).

Personal Touch Holding Corp operates approximately 30 Personal Touch Home Care subsidiaries in more than six U.S. states. On January 27, 2021, Personal Touch learned it had suffered a cyberattack involving its private cloud. The attackers encrypted Personal Touch’s business files stored in the cloud, along with those of 29 of its direct and indirect subsidiaries.

The investigation into the incident is still ongoing. At this time, it is unclear how much PHI was affected; however, it is likely that the attackers obtained information stored in the private cloud before deploying the ransomware.

A review of its cloud storage showed that the following patient data may have been compromised in the attack: names, phone numbers, addresses, birth dates, Social Security numbers, financial data such as credit card numbers, check copies, and bank account details, health treatment data, medical record numbers, medical insurance card details, and health plan benefit numbers.

Employee details were also affected, including names, contact details, birth dates, Social Security numbers (including spouse and dependent Social Security numbers), passport numbers, driver’s license numbers, birth certificates, demographic details, background and credit reports, company usernames and passwords, personal email addresses, insurance cards, fingerprints, retirement benefits details, health and welfare plan benefit numbers, health treatment details, check copies, and other financial data required for payroll.

Upon discovering the breach, Personal Touch sought outside counsel and engaged independent forensics professionals to assist with the investigation. The company has also notified the FBI, state attorneys general, and the HHS’ Office for Civil Rights, and has implemented advanced monitoring and detection software.

This is the second ransomware attack on Personal Touch subsidiaries in a little over a year. The first was in January 2020, when Personal Touch reported the compromise of the PHI of patients of 16 subsidiaries as a result of a ransomware attack on its cloud vendor, Crossroads Technologies, which Personal Touch used to host electronic health records. That attack compromised 156,400 medical records.