News roundup: Hacks, ransomware of medical records, security cameras spike; Withings launches new mobile-direct devices; Bluestream Health adds Leon Medical (FL) to telehealth

March 13, 2021 | by

In recent weeks, hackermania has been romping in healthcare. A compilation of incidents revealed just in the past few weeks have affected hundreds of thousands of patients, employees, and providers:

  • Security cameras produced by Verkada, Inc. were hacked across the US, including at Tesla. Healthcare organizations affected by the hack were Daytona Beach, Fla.-based Halifax Health, where the video showed “what appeared to be eight staffers tackling a man and pinning him to a bed.” Texarkana, Texas-based Wadley Regional Medical Center and Tempe (Ariz.) St. Luke’s Hospital were also hacked. The means in was described by one of the hackers (appropriately female for this month) as through a “super admin” account where the username and password appeared online. Becker’s Health IT 10 March, Bloomberg News
  • 210,000 MultiCare patients, providers, and employees of Tacoma, Wash.-based MultiCare had personal information exposed in a December ransomware attack on their medical practice management company’s IT services vendor. Becker’s Health IT 9 March
  • A clinic in North Carolina had a six-day ransomware attack starting 23 February. Hackers demanded a $1.75 million payment in exchange for giving back the clinic access to its data. The clinic came back online 1 March but did not disclose any payment. Becker’s Health IT 5 March
  • NBC News revealed that hackers stole employee files from Gallup, New Mexico-based Rehoboth McKinley Christian Health Care Services after a ransomware attack on its computer network in February. Those employee files were posted online; information included employee job applications and background check authorizations with Social Security numbers. Earlier attacks by the same hacker group included Leon Medical Centers of Miami-Dade Florida (see following) and Nocona (Texas) General Hospital resulted in the online publishing of tens of thousands of patient records. Becker’s Health IT 4 March
  • Hackers attacked biochemical machines used to prepare samples in Oxford University’s Division of Structural Biology. Forbes received the information from Hold Security chief technology officer Alex Holden, who provided screenshots of the hackers’ access to Oxford University systems, and notified the university.
  • The cutely-named DopplePaymer attacked a county government office in Chatham County, North Carolina, and stole residents’ PHI and PII between November 2020 and this past January. Becker’s 10 Feb 
  • And on the ‘Someone Got Fired For This One’ list is the response to hacking at Boise, Idaho’s Saint Alphonsus Health System. The health system had a data breach in January. Patients were routinely notified. However, the mail merge, not the hack, created an incorrect status for some patients, sending them letters as if they were deceased or a minor. Becker’s Health IT 10 March

It’s cold comfort when the US Department of Justice announces that they are indicting three North Korean hackers who inflicted the WannaCry malware and $1.3 bn in extortion damage on the world back in 2018. All three were members of North Korea’s intelligence agency, the Reconnaissance General Bureau (RGB). The likelihood of their extradition is one word: none.

And in other news….

Withings unveils new professional devices. The Body Pro smart scale and BPM Connect Pro, distributed to doctors, out of the box will transmit health data directly from patient to doctor. Neither require Wi-Fi nor a mobile phone, since they have embedded SIM cellular cards to directly connect to a mobile network. They are both sold through Withings’ professional division. FierceHealthcare

Telehealth provider Bluestream Health has added Leon Medical Centers, a seven-location Miami-Dade FL provider. Bluestream Health provides whitelabeled secure telehealth services that combine with medical workflows to approximately 50,000 providers in 500 facilities. Release.

Hackermania runs wild…all the way to the bank! Ransomware strikes Crozer-Keystone, UCSF med school, others

July 1, 2020 | by

News to make you livid. After surviving (to date) the COVID pandemic, health systems and medical schools are being attacked by ransomware criminals. Both the small Crozer-Keystone Health System and the globally known University of California San Francisco School of Medicine have been attacked by the ever-so cutely named Netwalker (a/k/a MailTo). Yes, this criminal hacker gang isn’t outside banging pots for first responders or donating money, or even sticking to a brief truce (Emsisoft), but figuring ways to spread malware into healthcare organizations for fun and profit. 

And profitable it’s been. UCSF paid Netwalker the princely sum of $1.14 million (£910,000) in 116.4 bitcoins after an attack starting 1 June that was also (to add insult to injury) published on Netwalker’s public blog. In the timeline presented by BBC News, it was negotiated down (professionally) from $3 million; BBC also obtained some key parts of the negotiation via an anonymous tipoff, and it’s fascinating reading. Netwalker leads the victim to a dark web ‘customer service’ site where there’s a countdown to double payment or deletion of your now-encrypted data. They are also able to live chat with the victim.

UCSF was able to limit the malware encryption damage to servers within the School of Medicine (according to the BBC, literally unplugging computers; according to UCSF, isolating servers) but decided to pay the ransom to unlock the encrypted data and return data they obtained, stating in its public release “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good”. They will work with the FBI on the incident and have brought on board outside expert help.

According to FierceHealthcare, Netwalker was also behind the attack on the Champaign-Urbana Public Health District (Illinois) website in March and Michigan State University’s network in May.

Paying ransom is contrary to the advice of the major world security services such as the FBI, Europol, and the UK’s National Cyber Security Centre, on the simple basis that it encourages them. It’s a true damned-if-you-do, damned-if-you-don’t situation, as Brett Callow, a threat analyst at cyber-security company Emsisoft, said to the BBC: “But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?” 

Crozer-Keystone to date has refused to pay ransom. On 19 June, bitcoin publication Cointelegraph published a screenshot of Netwalker’s dark web auction page of the data. Apparently it is all financial and not medical records or PHI. Crozer also isolated the intrusion and took systems offline. Crozer is a small system of four hospitals in suburban Philadelphia (Delaware County) and serves parts of the state of Delaware and western New Jersey.

Neither Crozer nor UCSF have gone public with the source of the breach, but it is known that the main lure during the pandemic has been phishing emails with COVID-19 results or news, loaded with malware downloads.

As this Editor wrote back in May 2018 on the anniversary of WannaCry, it’s not a matter of if, but when, at highly vulnerable organizations like healthcare and academia with high-value information records. Right now, the Hakbit spear-phishing ransomware connected to an Excel spreadsheet macro is targeting mid-level individuals at pharma, healthcare, and other sectors in Austria, Germany, and Switzerland, according to tech research firm Proofpoint. TechGenix

More: Becker’s 22 June on Crozer-Keystone, 29 June on UCSF, 12 largest healthcare breaches to date, 10 healthcare system incidents for June, Kroger hacking incident exposing 11,000 health records. DataBreaches.net news page.

Healthcare cybersecurity breaches multiply like measles as far away as Singapore. Is it a matter of time before hacking kills someone?

July 26, 2018 | by

Even if you are the Prime Minister of Singapore, you can be hacked. Prime Minister Lee Hsien Loong joined 1.5 million of his fellow Singaporeans in what they have termed an unprecedented data breach of SingHealth, considered to be a world model. There are the usual state actor suspects: Russians, Chinese–and North Koreans–starting less than two weeks (27 June) after hosting the meeting between President Donald Trump and Maximum Leader Kim Jong Un. (That is hardly a gracious thank you if it’s them (s/o).  POLITICO Morning eHealth reported on Monday 23 July. 

What’s happened since: Singapore banks have been instructed to tighten data procedures and use additional verification methods. The government believes 1) they are next and 2) that the healthcare breach data could be used to impersonate customer identities. SingHealth records include full name, national identification number, address, gender, race, and date of birth. (ZDNet)

The National (UAE) reported that the hack specifically targeted the PM. Their angle was that Singapore has ambitions to host a ‘smart city’ as does the UAE and testing Singapore means that the UAE may be next. Singapore is covering a different angle–the ‘inside job’ one. They moved to disconnect computers from the internet at public centers which may inconvenience patients and healthcare staff but which weakens data collection for this very busy centralized system. (Reuters) Watch the government press conference here.

Will the next WannaCry or NotPetya kill someone? That is the premise in this article in ZDNet and one we’ve discussed previously. It’s not a targeted attack on a particular life, but could be an infrastructure failure–for instance, an industrial control for electricity that destroys systems including those to dependent homes or hospitals. What this article doesn’t include are all those aging hackable connected devices in operating rooms, hospital rooms, and in-hospital Wi-Fi powering tablets and other connected devices. KRACK can be very wack indeed! [TTA 18 Oct 17]

WannaCry’s anniversary: have we learned our malware and cybersecurity lessons?

May 16, 2018 | by

Hard to believe that WannaCry, and the damage this malware wreaked worldwide, was but a year ago. Two months later, there was Petya/NotPetya. We’ve had hacking and ransomware eruptions regularly, the latest being the slo-mo malware devised by the Orangeworm hackers. What WannaCry and Petya/NotPetya had in common, besides cyberdamage, was they were developed by state actors or hackers with state support (North Korea and–suspected–Russia and/or Ukraine).

The NHS managed to evade Petya, which was fortunate as they were still repairing damage from WannaCry, which initially was reported to affect 20 percent of NHS England trusts. The final count was 34 percent of trusts–at least 80 out of 236 hospital trusts in England, as well as 603 primary care practices and affiliates. 

Has the NHS learned its lesson, or is it still vulnerable? A National Audit Office report concluded in late October that the Department of Health and the NHS were warned at least a year in advance of the risk.  “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.” There was no mechanism in place for ensuring migration of Windows XP systems and old software, requested by April 2015, actually happened. Another basic–firewalls facing the internet–weren’t actively managed. Worse, there was no test or rehearsal for a cyberdisruption. “As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications.” NHS Digital was especially sluggish in response, receiving first reports around noon but not issuing an alert till 5pm. It was fortunate that WannaCry had a kill switch, and it was found as quickly as it was by a British security specialist with the handle Malware Tech. 

Tests run since WannaCry have proven uneven at best. While there has been reported improvement, even head of IT audit and security services at West Midlands Ambulance Service NHS Trust and a penetration tester for NHS trusts, said that they were “still finding some real shockers out there still.” NHS Digital deputy CEO Rob Shaw told a Public Accounts Committee (PAC) in February that 200 NHS trusts tested against cyber security standards had failed. MPs criticized the NHS and the Department of Health for not implementing 22 recommendations laid out by NHS England’s CIO, Will Smart. Digital Health News

Think ‘cyber-resilience’. It’s not a matter of ‘if’, but ‘when’. Healthcare organizations are never going to fix all the legacy systems that run their world. Medical devices and IoT add-ons will continue to run on outdated or never-updated platforms. Passwords are shared, initial passwords not changed in EHRs. Add to firewalls, prevention measures, emphasizing compliance and best practices, security cyber-resilience–more than a recovery plan, planning to keep operations running with warm backups ready to go, contingency plans, a way to make quick decisions on the main functions that keep the business going. Are healthcare organizations–and the NHS–capable of thinking and acting this way? WannaBet? CSO, Healthcare IT News. Hat tip to Joseph Tomaino of Grassi Healthcare Advisors via LinkedIn.

Orangeworm malware running wild in hospitals for three years: multiple reports

May 2, 2018 | by

Orangeworm hacker group finds easy pickings in hospitals and healthcare. Reports have multiplied in recent weeks of the Orangeworm hacker (or hackers) threatening healthcare organizations, frequently hospitals. Major info security groups have issued warnings: Symantec, Cynerio, BlackBerry, and Rubicon Labs. Symantec’s report states that 39 percent of the victims come from healthcare, with the remainder coming from manufacturing (15 percent), IT (15 percent), and logistics (8 percent), most with ties to the healthcare sector, and suspected vectors for a supply-chain attack.

‘Easy pickings’ include invading the old computer systems and controls prevalent worldwide in healthcare organizations: devices designed to control X-ray machines, MRIs, and even systems that help patients fill out consent forms. Orangeworm accesses IT systems using the Kwampirs trojan, taking advantage of the fact that most hospital IT systems are old, and as we know from the Petya and WannaCry attacks a year ago, their old, unprotected, and unpatched systems are uniquely vulnerable.

The semi-shocking fact is that this has been spreading quietly in healthcare organizations for over three years. The attackers used, according to both Symantec and Bleeping Computer,  malware that infected systems by copying itself across network shares, methods that are considered antiquated and “noisy”. Orangeworm also didn’t change its command and control (C&C) communication protocol over the three years, seemingly unconcerned about discovery.

The attacks appear targeted and coordinated. Speculation is that Orangeworm is a hacker or a small group of hackers targeting the rich information in healthcare records to sell on black markets. 17 percent of the attacks have been in the US, with UK, Germany, the Philippines, and Hungary at 5 percent each.

Symantec’s advice is extensive and detailed here, but can be summed up as: quit using Windows XP based systems, patch and update software and systems, use anti-virus, protect file sharing. Also Digital Health, Information Security Buzz News, Security Intelligence.

Petya no pet as it spreads: is it ransomware or a vicious design for data destruction? (updated)

June 28, 2017 | by

Breaking–The ‘more and worse’ experts predicted after WannaCry is here.  In two days, the Petya or PetyaWrap (or NotPetya) ransomware has spread from Ukraine to affect organizations in 64 countries with 2,000+ attacks involving 12,000+ machines. On the hit list are mostly Eastern European and trans-national companies: Maersk shipping, Merck, Nuance cloud services, WPP advertising, Mars and Mondelez foods, Rosneft (Russia’s largest oil producer), Chernobyl, unnamed Norwegian firms, Beiersdorf and Reckitt Benckiser in India, Cadbury and law firm DLA Piper in Australia. One local US healthcare provider affected in a near-total shutdown of their computer systems, and resorting to backups, is Heritage Valley Health System in western Pennsylvania. There are no reports to this hour that the NHS, major US, Asia-Pacific, or European health systems being affected. Update: Trading in FedEx shares were halted 29 June due to the Petya attack on its TNT Express international division. Update 30 June: The Princeton Community Hospital in rural West Virginia is running on paper records as Petya forced a complete replacement of its EHR and computer hardware. Fox Business

Like WannaCry, the ransomware exploited the EternalBlue backdoor; a report from ArsTechnica UK adds an exploit touchingly dubbed EternalRomance. But unlike WannaCry, according to ZDNet, both “Symantec and Bitdefender have confirmed that it’s a Petya ransomware strain dubbed GoldenEye, which doesn’t just encrypt files — it also encrypts hard drives, rendering entire computers useless.” ArsTechnica goes deeper into methodology. Petya uses a hacking tool called MimiKatz to extract passwords and then uses legitimate Microsoft utilities and components to spread it. (Ed. note: if you have time for only one technical article, read ArsTechnica’s as the latest and most detailed.)

The Microsoft patch–and Microsoft has just issued an update for Win10, which this Editor heartily recommends you download and install–while defending against WannaCry, still isn’t preventing the spread. It’s speedier than WannaCry, and that says a great deal. Its aim appears not to be ransom, but data destruction. Updated: this POV is confirmed in today’s ZDNet article confirming that Comae Technologies and Kaspersky Lab strongly believe that Petya is a ‘wiper’ designed to destroy data by forever blocking it on your hard drive.

Another article in ZDNet (Danny Palmer) attempts to isolate why hackers remain one step ahead of us:

Law enforcement agencies and cybersecurity firms across the world are investigating the attack – and researchers have offered a temporary method of ‘vaccinating’ against it** – but how has this happened again, just six weeks on from a previous global ransomware outbreak?

One reason this new form of Petya is proving so effective is due to improved worm capabilities, allowing it to spread across infected networks, meaning that only one unpatched machine on a whole network needs to become infected in order for the whole operation to come crashing down.

Not only that, but cybersecurity researchers at Microsoft say the ransomware has multiple ‘lateral movement’ techniques, using file-shares to transfer the malware across the network, using legitimate functions to execute the payload and it even has trojan-like abilities to steal credentials.

**  The inclusion of this link in the quote does not imply any recommendation by TTA, this Editor, or testing of said fix.

What you can do right now is to ensure every computer, every system, you own or are responsible for is fully updated with Microsoft and security patches. If you’re in an enterprise, consult your security provider. Run backups. Remind employees to not click on links in suspicious messages or odd links even from known senders–and report them immediately. Based on reports, phishing emails and watering hole attacks are the main vectors of spread, like WannaCry. (A suggestion from this Editor–limit web search to reputable sites, and don’t click on those advert links which are buggy anyway!) Be judicious on updates for your software except by Microsoft and your security provider; there is growing but still being debated evidence that the initial Ukrainian spread was through a hacked update on a popular tax accounting software, MeDoc. More on this in ZDNet’s 6 Quick Facts. Another suggestion from Wired: run two anti-virus programs on every computer you have, one free and one paid.

And no matter what you do–don’t pay the ransom! The email provider within hours blocked the email so that the payment cannot go through. Updates to come. More reading from Bleeping ComputerHealthcare IT News, CNBC, HIStalk, US-CERT, Fortune, Guardian,

Dry the tears: WannaCry stymied, North Korea hackers suspect. Is this a poke for a worse attack?

May 16, 2017 | by | 1 Comment

Breaking News This morning’s (Tuesday 16 May) news is about reputable security organizations–Kaspersky Lab and Symantec–connecting the dots that lead for now to a North Korea-linked hacking organization, the Lazarus Group. This group has been identified in previous hack attacks and is based upon WannaCry code appearing in Lazarus programs. US Homeland Security has admitted seeing the same similarities, but all are working to gain more information.

Lazarus has been previously identified as the source of the 2014 Sony attack and the theft of $81 million from the Bangladesh central bank, again linked to fundraising for North Korea for its missiles, army, EMP and nuclear arming while its terrorized people starve. However, this attack was a flop; according to US Homeland Security, about $70,000 was raised in ransom. The Homeland Security spokesman also distanced the NSA from the original information which targeted weaknesses in Microsoft’s systems.

According to reports, WannaCry disproportionately affected Russia, Taiwan, Ukraine and India, according to Czech security firm Avast. No US Federal government systems were affected. China on Monday reported that it attacked traffic police and school systems.

The Telegraph has posted a speculative list of 34 NHS organizations which suffered IT failure during the WannaCry attack. The article includes a map produced by MalwareTech that geographically spots the infection locations; the Boston to Washington corridor is a sea of blue dots. And…Marcus Hutchins has been identified as the young UK tech working for Kryptos Logic who redirected the attacks by buying a domain embedded in the WannaCry code. How it worked, according to PC World, is that if the malware can’t connect to the unregistered domain, it infects the system. By registering the domain and creating a page for the malware to connect to, he stopped the malware spread. (Video in Telegraph article)  Also FoxNews

But is this a prelude to more and worse? Is this testing our preparedness? If so, we’ve been found wanting on an enterprise level with vulnerable systems and administrators not updating their software and OS. George Avetisov, the CEO of HYPR, a biometric authentication company, in The Hill, summarized it neatly today: “We’ve also learned the hard way that, simply through a coordinated phishing attack on unsuspecting users, hackers can disrupt the day-to-day activities of enterprises that provide communications, travel, freight and healthcare administration simply by remotely deploying malware.” He then goes on to praise President Trump’s executive order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which he signed on Thursday–right before all this began. As if in confirmation…ShadowBrokers, the group that hacked the NSA files, today announced the availability of a subscription to a ‘members only data dump’ like a Wine of the Month Club. Watch out, banks and healthcare, it’s open season! NHS, better pay attention to another kind of hygiene–cyberhygiene. Without it, plans for patient apps and data sharing will go sideways–and deserved fodder for Dame Fiona [TTA 10 May]. The Hill  Earlier coverage here

Updated 15 May: 20% of NHS organizations hit by WannaCry, spread halted, hackers hunted

May 15, 2017 | by

Updated 15 May: According to the Independent, 1 of 5 or 20 percent of NHS trusts, or ‘dozens’, have been hit by the WannaCry malware, with six still down 24 hours later. NHS is not referring to numbers, but here is their updated bulletin and if you are an NHS organization, yesterday’s guidance is a mandatory read. If you have been following this, over the weekend a British specialist known by his/her handle MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware as designed into the program, with the help of Proofpoint’s Darien Huss.

It looks as if the Pac-Man march is over. Over the weekend, a British specialist known as MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware, with the help of Proofpoint’s Darien Huss. It was a kill switch designed into the program. The Guardian tagged as MalwareTech a “22-year-old from southwest England who works for Kryptos logic, an LA-based threat intelligence company.”

Political fallout: The Home Secretary Amber Rudd is being scored for an apparent cluelessness and ‘wild complacency’ over cybersecurity. There are no reported statements from Health Secretary Jeremy Hunt. From the Independent: “Patrick French, a consultant physician and chairman of the Holborn and St Pancras Constituency Labour Party in London, tweeted: “Amber Rudd is wildly complacent and there’s silence from Jeremy Hunt. Perhaps an NHS with no money can’t prioritise cyber security!” Pass the Panadol!

Previously: NHS Digital on its website reported (12 May) that 16 NHS organizations have been hacked and attacked by ransomware. Preliminary investigation indicates that it is Wanna Decryptor a/k/a WannaCry. In its statement, ‘NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.’ Healthcare IT News

According to cybersecurity site Krebs on Security, (more…)