Killnet racks up 22 more healthcare cybervictims and data thefts; whitepaper on best defense practices

Ransomware attacks keep rolling through healthcare organizations. The latest tally just for Killnet, the rogue group of pro-Russian hacktivists, is up to 22 hospitals from Los Angeles to Egg Harbor, NJ. Becker’s HealthIT on Tuesday reported on 17 listed by BetterCyber on 31 January with another six yesterday. (BetterCyber’s Twitter feed subtracted Dartmouth Health Cheshire Medical Center from the victim list yesterday, thus 22.) Most affected are regional and community hospitals.

According to SC Media’s report on an HHS Cybersecurity Coordination Center (HC3) Alert, health and personal data were ‘exfiltrated’ onto the Killnet list. Quite oddly, and this Editor is sure it’s just a coincidence, the HC3 analyst note linked is offline; on a search to cross-check the link, the HHS pages show up in index form. Also Becker’s HealthIT 1 Feb 

The attacks were DDoS (distributed denial of service), described by HC3 as “thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems.” This ties up IT and slows down services such as websites or information portals. The danger in DDoS attacks, as noted in previous coverage [TTA 22 Dec 22] is that DDoS can be cover for other cybercrimes or information gathering in preparation for same. 

How can a healthcare organization ‘keep calm’ and lessen the impact of cyberattack, as it’s ‘not if, but when?’ A whitepaper by Cynerio,  focuses on microsegmentation, a network security technique that logically divides the data center into distinct security segments down to the individual workload/workflow level, and then defines security controls. (In marketing, market profiling down to buyer personas is similar.) The paper looks at how organizations should focus on four areas: visibility, risk mitigation, real-time defense, and regulatory compliance, then work through multiple considerations. Happily, the whitepaper (no registration required) is mostly understandable to those outside of IT. It also provides three case studies and checklists. Cynerio is a NYC-based healthcare-focused cybersecurity management company that helps hospitals to manage risk and secure their IoT, IoMT, and unmanaged IT and mobile devices.

‘KillNet’ Russian hacktivist group targeting US, UK health info in Ukraine revenge: HHS HC3 report

Warnings about DDoS (distributed denial of service) ramped up at the end of last year–only three weeks ago. Here’s one reason why.KillNet” is a pro-Russian hacktivist (hackers who advance a cause) group that recently claimed responsibility for DDoS attacks as payback for US and UK military support of Ukraine. A senior member of KillNet with the nom de guerre Killmilk has threatened the US in general “with the sale of the health and personal data of the American people because of the Ukraine policy of the US Congress”. 

The US Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3)’s Analyst Note (link to PDF) gave two examples of KillNet claims:

  • A “US-based healthcare organization that supports members of the US military and claimed to possess a large amount of user data from that organization”
  • Hacking threats against the NHS, specifically ventilators in hospitals and the Ministry of Health. This was in reaction to the May 2022 arrest of a 23-year-old alleged KillNet member accused of being connected to attacks on Romanian government websites. KillNet demanded his release in return for not attacking. Daily Mail  

Other institutions are hardly exempt. In the UK, KillNet DDoS attacks in November reportedly affected Bankers Automated Clearing Service (BACS), the London Stock Exchange, and the official website of the Prince of Wales. Computer Weekly

DDoS attacks are their leading weapon. KillNet uses publicly available DDoS scripts and IP stressers for most of its operations although it has its own. Before aligning with Russian state interests, it was a hacking-for-hire operation available for $1,350 per month, including a single botnet with a capacity of 500GB per second and 15 computers. This Editor noted previously that DDoS attacks may be a convenient cover or smokescreen for other cybercrime activity. While IT goes into crisis mode over the DDoS, other attacks and information gathering on systems preparing for future attacks may be taking place. [TTA 22 Dec 22].

This updates an earlier Cybersecurity & Infrastructure Security Agency (CISA) Cybersecurity Advisory (CSA) jointly issued by the US, UK, Australia, and New Zealand (the Five Eyes group), that broadly assessed multiple threats from Russian state organizations such as the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR), as well as cybercrime groups like KillNet which have aligned themselves for the duration with Russia. KillNet has grown over the past year and now has subgroups organized under Cyber Special Forces of the Russian Federation and LEGION 2.0. SOC Radar

The best defense is a good offense. HC3’s advice on preparation to mitigate a DDoS threat includes enabling web application firewalls to mitigate application-level DDoS attacks and implementing a multi-content delivery network (CDN) solution to minimize the threat of DDoS attacks by distributing and balancing web traffic across a network. The HC3 Analyst Note is heavily footnoted with other sources for additional incidents. SC Media, Cybernews

News roundup: DDoS attacks may be ‘smokescreen’, DEA slams Truepill with ‘show cause’, telehealth claims stabilize at 5.4%, Epic squashes patent troll, Cerner meeting exits KC, MedOrbis, Kahun partner on AI intake

Readers won’t get out of 2022 without one last cybercrime…article. DDoS attacks–distributed denial of service–escalated worldwide with Russia’s invasion of Ukraine in February. (Ukraine and military aid is a hot topic this week with President Zelenskyy’s visit to the US and Congress speech.) Xavier Bellekens, CEO of Lupovis, a cybersecurity company and a cyberpsychologist (!), postulates that DDoS attacks, as nasty as they are, may be a smokescreen for far more nefarious and damaging attacks. While IT goes into crisis mode over the DDoS, other attacks and information gathering on systems preparing for future attacks are taking place. Russian cyber groups focus on large organizations and move down the line into the most vulnerable, using both manual and automated approaches. Worth reading given the vulnerability and IT short staffing in healthcare organizations. Cybernews

The fallout from Cerebral and Schedule 2 telehealth misprescribing expands. The Drug Enforcement Agency (DEA) issued a ‘Show Cause’ to online pharmacy Truepill for inappropriate filling of ADHD Schedule 2 medications, including Adderall. A ‘Show Cause’ order is an administrative action to determine whether a DEA Certificate of Registration should be revoked, which could put Truepill out of business. The red flag for the DEA: 60% of  Truepill’s prescriptions–72,000–filled between September 2020 and September 2022 were for controlled substances, including generic Adderall. Truepill was Cerebral’s primary mail order provider, though they also used CVS and Walmart. The company stopped filling Cerebral’s ADHD prescriptions in May 2022.

In the order, the DEA cites that “Truepill dispensed controlled substances pursuant to prescriptions that were not issued for a legitimate medical purpose in the usual course of professional practice. An investigation into Truepill’s operations revealed that the pharmacy filled prescriptions that were: unlawful by exceeding the 90-day supply limits; and/or written by prescribers who did not possess the proper state licensing.”

The company stated in an emailed statement that they were fully cooperating with the investigation. If it does move to a hearing, Truepill’s chances of a successful defense are statistically low.

Truepill also fills prescriptions for Hims & Hers, GoodRx and Mark Cuban Cost Plus Drug Company. It was valued in its 2021 funding round at $1.6 billion. Companies in telemental health and prescribing of Schedule 2 ADHD medications, such as Cerebral and Done Health, are under enhanced scrutiny over their business practices [TTA 1 June]. Mobihealthnews, DEA press release, HISTalk, Digital Health Business & Technology

Telehealth medical claims stabilize. FAIR Health’s latest reports for August and September report that the percent of medical claims coded as telehealth are back up to 5.4%. June and July dropped slightly to 5.2% and 5.3% respectively. Also steady are that the vast majority of claims are for mental health services. In September, they were 66% of diagnoses far ahead of ‘acute respiratory diseases and infections’ at 3.1%. In procedure codes, psychotherapy accounts for over 43%.

A patent troll Epically bites the dust. Back in the early to mid-2010s [TTA’s index here], patent trolls (technically non-practicing entities which have no active business) presented a significant threat to early and growth-stage health tech companies. One, MMR Global (which apparently no longer exists), was notorious for buying up EHR and PHR-related patents and then filing patent infringement lawsuits against both small and large healthcare organizations with similar patents–and their users–that were generally monetarily settled. But NPEs are still active. One in south Florida, Decapolis Systems, used the same techniques as MMR Global had, suing in this case multiple Epic customers for patent infringement. Epic not only defended its customers but also sued Decapolis in the US District Court, Southern District of Florida. The court found that both Decapolis patents were invalid, ending what Epic termed ‘vexatious patent litigation’. Decapolis had successfully sued 24 other entities, including other EHRs, which settled. Owned by an inventor, this company will have to find another line of honest business. Epic release, Thomson Coburg

Oracle’s message to Kansas City: no more Cerner meetings for you. And maybe more. Cerner’s site for its annual customer/partner conference since 2007 has been in Kansas City, attracting about 14,000 visitors. Not only will it be integrated into Oracle CloudWorld in Las Vegas, 18-21 September, it’s been retitled Oracle Health with no mention of Cerner. The loss to local KC business is substantial–estimated to be in the $18 million range. While it’s logical to integrate it into the massive CloudWorld conference, it’s also another message to KC after Oracle’s sudden real estate downsizing that Cerner’s presence there will shrink…and shrink..as it’s absorbed into Oracle Health, and further confirmation that the Cerner name is gradually being sunsetted. KansasCity.com, HISTalk

A new (to this Editor) specialty care telehealth company, MediOrbis, is partnering with Kahun for an AI-enabled digital intake tool. This is a chatbot capable of conducting an initial medical assessment. Based on the patient’s answers and Kahun’s database of about 30 million evidence-based medical knowledge insights, it provides a summary for the physician before the telehealth visit and highlights areas of concern. Mobihealthnews  MediOrbis also has partnered with remote care/engagement Independa to add its capabilities to Independa’s HealthHub on their LG TVs.

UK sets forth a Code of Practice for secure IoT for connected devices and smart homes

IoT security concerns moving forward. As IoT continues to move into homes, the UK Department for Digital, Culture, Media & Sport (DCMS), with the National Cyber Security Centre (NCSC), has published an updated guide on Gov.UK outlining a Code of Practice for consumer development of Internet of Things (IoT) products. It lays out 13 guidelines for IoT manufacturers, service providers, app developers, and retailers intended to improve the security of consumer IoT products and associated services. The aim is to protect consumer privacy and safety, plus mitigate the threat of Distributed Denial of Service (DDoS) hacking attacks which have vectored in on products from the simple–children’s toys–to the more complex systems in smart homes, home automation including security systems, and health trackers. Following the Code of Practice may also help with data compliance, notably the EU General Data Protection Regulation (GDPR).

The thirteen guidelines range from eliminating default passwords that have to be reset by the consumer (which usually doesn’t happen) to ensuring software integrity and system resilence.

DCMS has pledged to revisit the Code every two years. Comments may be made to securebydesign@culture.gov.uk. What’s missing, of course, are two things: an enforcement mechanism and a comparable code of practice for commercial use.

The cybersecurity black hole–and bad flashback–that is the Internet of Things

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2016/10/blackhole_596.jpg” thumb_width=”150″ /]One week after the Dyn DDoS attack, the post-mortems get more alarming. Our Readers knew they were coming in 2014-2015 (our ‘Is IoT really necessary–and dangerous?)

IoT devices, and a lot of older networked medical devices, have been proven to be easy to hack, as even this non-ITer, non-codegeek realized then. But those in tech have been to this movie before–with Bluetooth circa 2002! Now shouldn’t designers have learned? From ZDNet:

“It’s almost like we’ve learned nothing from Bluetooth” says Justin Dolly, CISO at cybersecurity firm Malwarebytes.

“Seeing what these IoT vendors are doing, it just blows me away because they haven’t learned from history,” says Steve Manzuik, director of security research at Duo Security’s Duo Labs. “They’ve completely ignored everything that’s ever had bad vulnerabilities”.

Many of these devices, according to these experts, have default log in credentials, if they have them at all. IoT devices are also allegedly findable on a snoop site called Shodan. Reason why: the financial and market need to get products out fast and cheaply.

Over at data security company Varonis’ blog, with the great title in part, “Revenge of the Internet of Things”, another succinct and telling quote:

Once upon a time in early 2016, we were talking with pen tester Ken Munro about the security of IoT gadgetry — everything from wireless doorbells to coffee makers and other household appliances. I remember his answer when I asked about basic security in these devices. His reply: “You’re making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all.”

Privacy by Design is not part of the vocabulary of the makers of these IoT gadgets

Varonis also gives a how-to on changing settings in your router so you don’t become a victim, and how to secure your gadgets.

Bottom line: when Hackermania is Running Wild, do you, or anyone, really need to be an early adopter of an internet- connected coffee maker or fridge? And if you need internet-connected home security, telemedicine virtual consults, telehealth/remote patient monitoring or telecare….best heed Varonis and secure it!

Earlier in TTA: Friday’s cyberattack is a shot-over-bow for healthcare 

Friday’s cyberattack is a shot-over-bow for healthcare (updated)

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/03/26ED4A2300000578-3011302-_Computers_are_going_to_take_over_from_humans_no_question_he_add-a-28_1427302222202.jpg” thumb_width=”150″ /]Friday’s multiple distributed denial-of-service (DDoS) attacks on Dyn, the domain name system provider for hundreds of major websites, also hit close to home. Both Athenahealth and Allscripts went down briefly during the attack period. Athenahealth reported that only their patient-facing website was affected, not their EHRs, according to Modern Healthcare. However, a security expert from CynergisTek, CEO Mac McMillan, said that Athenahealth EHRs were affected, albeit only a few–all small hospitals.

A researcher/spokesman from Dyn had hours before the attack presented a talk on DDoS attacks at a meeting of the North American Network Operators Group (NANOG)

The culprit is a bit of malware called Mirai that targets IoT–Internet of Things–devices. It also took down the (Brian)KrebsOnSecurity.com blog which had been working with Dyn on information around DDoS attacks and some of those promoting ‘cures’. According to Krebs, the malware first looks through millions of poorly secured internet-connected devices (those innocent looking DVRs, smart home devices and even security devices that look out on your front door) and servers, then pounces via using botnets to convert a huge number of them to send tsunamis of traffic to the target to crash it. According to the Krebs website, it’s also entwined with extortion–read, ransomware demands. (Click ‘read more’ for additional analysis on the attack)

Here we have another warning for healthcare, if ransomware wasn’t enough. According to MH, “even for those hospitals with so-called “legacy” EHRs that run on the hospital’s own computers, an average of about 30 percent of their information technology infrastructure is hosted (more…)

The sea of security ‘red flags’ that is Healthcare.gov

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2013/10/120306.png” thumb_width=”170″ /]It’s just a fact of life
That no one cares to mention
She wasn’t very good
But she had good intentions

—Lyle Lovett, ‘Good Intentions’

Confirmed by experts to the more-than-mainstream Christian Science Monitor are the layers of insecurity completely feasible on the current Healthcare.gov website–and the 14 state (plus DC) websites feeding into the Federal health insurance exchange and up into the mysterious hub linked to other Federal agencies. Healthcare.gov is supposed to adhere to NIST standards but these are no guarantee–and the state sites are not required to. ‘Red flags’ cited by experts (aside from ‘Wildman’ John McAfee) make for interesting reading:

  • Cross-site request forgery
  • ‘Clickjacking’–an invisible layer over the legitimate website
  • Cookie theft, and not by the Cookie Monster
  • Problematic verification from state to Federal, from legitimate third-party assistance, from brokers and so on
  • Log in fraud–the happy hunting ground of hackers and DDOS attacks

Warnings were apparent as early as 2 October [TTA 8 Oct]. And as our later coverage has explained, undoing all of this is near-impossible even with funding, in the less-than-a-month window till the crash time deadline in mid-November and then early January. Obamacare website security called ‘outrageous’: How safe is it? (+video)

Our 11-14 October compilation is a narrative and summary of major articles on the failure of the Healthcare.gov website and its consequences like none you will see elsewhere.