Health Scare: Data Privacy Concerns in the Age of COVID-19

www.intsights.com


Executive Summary

Healthcare organizations around the world are making strides in implementing cutting-edge technologies that save more lives and cure more ailments than ever before. But despite tremendous innovations in medical knowledge and devices, the healthcare sector continues to fall behind in its cybersecurity protocols. As data privacy regulations issued by global governments grow in both scope and importance, healthcare organizations are responsible for more sensitive data than ever before.

Meanwhile, hackers continually find new ways to access safeguarded medical information and use it for malicious purposes. Ever-expanding attack surfaces, vulnerabilities of legacy systems, and third-party risks have conspired to peg healthcare as the most-targeted industry when it comes to cyberattacks. A third of all data breaches in the US happen in hospitals, and the number of breached personal records in the healthcare industry nearly tripled from 2018 to 2019, jumping from 15 million to 40 million.

The ongoing COVID-19 pandemic has placed further strain on the already insufficient security protocols in place across the healthcare sector. The primarily remote global workforce poses severe security challenges, and protected health information (PHI) is more critical – and more sought-after by threat actors looking to score a profit – than ever.

For more on the COVID-19 threat landscape, download IntSights’ March 2020 report, The Cyber Threat Impact of COVID-19 to Global Business. The report touches on some of the cyber threats targeting the healthcare sector and exposes numerous scams selling fake virus tests and vaccines.

This report is the first in a two-part series of research reports that will explore challenges healthcare organizations face in 2020. This edition tackles the sector’s myriad cyber maladies from a compliance and risk perspective, and the forthcoming report will break down security risk and cyber threats.

Key findings from this report include:

• The healthcare threat surface grows exponentially in tandem with data privacy liability as businesses are forced to operate in remote settings.

• The healthcare sector is the most frequently targeted industry due to the sensitive data it harbors and the relatively lax security protocols in place.

• HIPAA-covered entities are under increased scrutiny and pressure to comply with Breach Notification Rules and OCR investigations.

• Third-party providers like medical device manufacturers and others in the supply chain increase the risk for already vulnerable hospitals.

• Medical records are selling for massive profits on dark web black markets and forums.

The Risk Landscape in the Healthcare Sector

Suffering a cyberattack can be devastating for healthcare organizations, and the penalties incurred for failing to comply with data privacy laws can wreak further havoc.

The resilience of critical healthcare facilities is being tested as these epicenters attempt to counteract threats posed to disrupt their systems while under extreme pressure. Bad actors have been increasing their focus on targeting valuable PHI and critical data, taking advantage of the COVID-19 pandemic.

People are working from home in record numbers, and some may be required to transfer intellectual property (IP), personally identifiable information (PII), and PHI data to be stored on local drives and processed on their private computers. This practice has several possible implications for multiple data security regulations like HIPAA and PCI DSS, as well as jurisdictional privacy laws, most notably the GDPR and the CCPA. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which serves as the governing body of the HIPAA HITRUST healthcare regulation, has relaxed a few measures pertaining to the Security Rule during the pandemic but has not abandoned enforcement of the requirement by any stretch.

Conversely, the digital footprint of the data that healthcare entities use to conduct business continues to grow in conjunction with the many new approaches evolving in the fight to counter the pandemic. In addition, proposed tracing and ID applications pose new complexity and risk to private data and PII.

This adds stress to overwhelmed security resources across all types of healthcare entities, from hospitals to insurance providers and payment providers. There are a few actions healthcare entities can take to counter the situation in order to enhance both existing data security processes and available intelligence. This can add clarity for next steps and near-term results, giving healthcare organizations some much-needed breathing space.

Medical Mal(ware)practice: Cyber Threats to Healthcare Organizations

IntSights researchers have found numerous examples of successful ransomware attacks on the healthcare industry, indicating many organizations have system vulnerabilities and weak security controls.

Studying the associated exploits that led to the successful ransomware attacks will help security teams discover weaknesses across these systems, including missing security controls used to provide coverage in place of unavailable technical controls (i.e., unpatchable security vulnerabilities or end-of-life systems). Along with the security burden comes increased liability for data custodians and processors. Once attackers secure data via ransomware attacks, there are several data privacy violations that could apply, depending on where the offending organization is located.


Figure 1: Recent attack against the Champaign-Urbana Public Health District, an Illinois hospital system hit with NetWalker ransomware

Figure 2: Ransom note hackers sent to the Champaign-Urbana Public Health District


The following examples of exploits were identified using IntSights Vulnerability Risk Analyzer, which leverages real-time threat intelligence to enable users to automate prioritization of vulnerability patching efforts.

Figure 3: Evidence of increased attempts to exploit vulnerabilities found within unsupported systems frequently present in healthcare environments

Figure 4: A sudden spike in exploit activity, aligned with the pandemic outbreak, related to a negative-zero-day vulnerability found in healthcare systems that had not been utilized since 2015

Figure 5: A recent resurgence in activity associated with the credential spoofing vulnerability. This type of activity relates directly to the exploits that lead to data request spoofing targeting critical PHI data within healthcare, which in turn leads to privacy law violations.


The intelligence documented numerous attacks targeting extended healthcare providers, businesses, and clinics, resulting in the sale of access to third-party systems and businesses. This data reemphasizes that attackers who are familiar with the healthcare vertical understand that there are distractions and gaps in the security policies of Business Associates (BAs) that they can take advantage of during the crisis.

These Covered Entities (CEs), also known as Business Associates, have third-party relationships with healthcare entities that must be maintained in order to do business. BAs also have regulatory contracts to uphold with their network, as well as insurance policies and liability agreements that can all be jeopardized when they are breached. It is recommended to closely inspect results on third-party exploits to ensure there is no data relevant to the core healthcare business and to also review any existing third-party business associate contracts to ensure they are still current. As a precaution, custom searches and rule alerts may be set up to indicate the presence of compromised BAs to facilitate timely response to the threat.

Adhering to Data Privacy Regulations Amidst the COVID-19 Pandemic

The presence of intelligence with pointers to leaked PHI data on illicit databases illustrates the magnitude of healthcare records that have already been breached by adversaries. This suggests that active functional data exploits could already be in process. When PHI is stolen, there are multiple regulatory consequences, ranging from HIPAA violations to local jurisdiction regulations (i.e., GDPR in EMEA or CCPA in California). The data leakage findings can be incorporated into data risk assessment to reinforce and remediate the data threat policy.

Figure 6: Access to a network of American clinics offered for sale on a Russian cybercrime forum (exploit.in) by “network.” The threat actor claims that the network includes 70 servers and more than 100,000 employees, and that he sells access to 30 administrator accounts.

Figure 7: Patient records leaked from a hospital in Florida and offered for download on several dark web forums


Extensive third-party contracts across the supply chain are commonplace within healthcare. Most critical healthcare entities are dealing with multiple BA contracts, which are mandatory for delivering essential services, as well as reactively adding many new BAs into the mix during the frenzy to prepare for resource demands. Many third-party contracts span the globe, introducing risk associated with data privacy in multiple jurisdictions and exposure to multiple data privacy laws. The current threat environment presents security implications that could threaten, disrupt, and damage existing and new BA contracts with healthcare providers across the entire vertical. It could also affect security controls surrounding technology, jeopardizing both physical and information security.

Moreover, at a time of heightened security threats, many existing third-party contracts have not been scrutinized to the degree necessary. Healthcare entities need to understand the scope of risk that can be attributed to their extended supply chains to determine if any of the administrative, business, or technical controls protecting them are at risk. A quick security audit of existing third-party and BA contracts will help ensure that basic security controls are in place to counter the increased threat.

Reviewing the HIPAA Security Rule and noting the cybersecurity recommendations will provide initial guidance on how effective those controls are, as well as give a sense of the overall security posture of a provider’s extended business. In addition, many of these third-party businesses, such as information providers, may now rely on home-based resources, providing another factor to take into account when auditing the threat surface. Regulatory and data privacy concerns need to be acknowledged and addressed to ensure the business is not unknowingly accepting increased data liability.

The HHS OCR has relaxed a few measures pertaining to the security rules during the pandemic, but has not abandoned enforcement of the requirement by any stretch. There is still a pressing need to ensure security protection of critical data, such as PHI.

Recommendations for Bolstering Data Privacy Compliance Efforts

Healthcare organizations face significant challenges when it comes to securing their networks and protecting the troves of sensitive records they are tasked with safeguarding. Data privacy regulations around the world increase the severity of the challenge for these organizations. IntSights recommends security and risk teams in the healthcare sector adhere to the following practices to ensure their organizations are adequately protected in this unprecedented era of the remote workforce:

• Assess risk and potential liability. Newly remote workers may be required to transfer IP, PII, and PHI data to local drives on their private computers, which introduces several possible implications for multiple data security regulations (HIPAA, PCI DSS) as well as jurisdictional privacy laws, most notably the GDPR and the CCPA. Measuring the business against any data security standard or framework to get a temperature reading on data security and existing controls can help to ensure that the organization is poised to combat increased threats and address resource requirements.

• Use threat intelligence to identify organizational risk. Threat intelligence solutions can help security teams automate and reduce manual data collection to prove security control efficacy with required industry compliance standards. Explore core CTI use cases that lead to quick security control and compliance wins.

• Align your data privacy policy with global privacy laws. Take the first step in securing sensitive and critical data by ensuring your program will meet the rigor of current cybersecurity and global data privacy laws. Assess your core audit requirements to achieve regulatory and security confluence.

• Protect compensating security controls. Policies can be constructed to target, tag, and monitor core assets that are critical to the security policy (i.e., Windows systems that are no longer supported). This will help identify when legacy systems are at risk. The presence of intelligence showing the use of specific negative-zero-day exploits will help to prioritize weak spots in the business security posture.

• Locate exploited data and credentials. Global rules can be set up to target specific critical data leakage or exploitable data. This will help ensure proactive remediation of threats from data request spoofing attacks and find any references to PHI data that has been compromised.


About IntSights

IntSights is revolutionizing cybersecurity operations with the industry’s only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response. Tailored threat intelligence that seamlessly integrates with security infrastructure for dynamic defense has made IntSights one of the fastest-growing cybersecurity companies in the world. IntSights has offices in Amsterdam, Boston, Dallas, New York, Singapore, Tel Aviv, and Tokyo. To learn more, visit: intsights.com or connect with us on LinkedIn, Twitter, and Facebook.

Visit: Intsights.com Call: +1 (800) 532-4671 Email: [email protected]