Kwampirs APT Group Is Still Attacking Healthcare Companies through the Supply Chain

An Advanced Persistent Threat (APT) group identified as Kwampirs, also called OrangeWorm, is still attacking healthcare companies and compromising their systems with the Kwampirs Remote Access Trojan (RAT) as well as other malware payloads.

The threat group has been active since about 2016, although activity has heightened lately, with the FBI having issued three notifications concerning the APT group so far in 2020. Symantec’s report in April 2019 was the earliest to document attacks on healthcare companies through the supply chain.

The APT group targets several industries, including healthcare, engineering, energy, and software vendors. The attacks on the healthcare sector are thought to have taken place through the vendor software supply chain and hardware products.

According to the FBI, the attacks have been highly effective. The APT group has attacked numerous hospitals across Asia, the United States, and Europe, including local hospital groups and leading multinational healthcare firms. The campaigns have involved locally infected devices and enterprise-wide malware attacks.

The APT group begins by gaining access to the devices of victim organizations and establishes a broad and persistent presence using the Kwampirs RAT in order to carry out computer network exploitation (CNE) campaigns. The attacks have two stages. The first uses the Kwampirs RAT to gain broad and persistent access to hospital systems, which usually involves the delivery of various secondary malware payloads. The second adds further modules to the Kwampirs RAT to enable deeper exploitation of the compromised systems. The additional modules are customized for the organization that was attacked. The FBI reports that the attackers were able to maintain persistence on the compromised systems for a long time, from approximately 3 months to 3 years, during which they performed comprehensive reconnaissance.

The APT group has targeted primary and secondary domain controllers, software development servers, engineering servers that hold source code for software development, and file servers used as repositories for R&D data. Once deployed, the Kwampirs RAT performs daily command and control communications with domains and IP addresses hard-coded in the malware and downloads data.

The principal goal of the APT group appears to be cyber espionage; nevertheless, the FBI says that an analysis of the RAT identified several code similarities with the Shamoon (Disttrack) wiper that was used in the Saudi Aramco attack in 2012. Nonetheless, the FBI says that it has not found any wiper modules in Kwampirs so far.

The FBI has issued advice and guidelines to follow to strengthen security and reduce the risk of infection. These best practices include:

  • Update software and operating systems and apply patches
  • Use user input validation to minimize local and remote file inclusion vulnerabilities
  • Apply a least-privilege policy on the web server to reduce the risk of privilege escalation and lateral movement to other hosts, and to control file creation and execution in certain directories
  • Establish a demilitarized zone (DMZ) between internet-facing systems and the business network
  • Ensure all web servers have a secure configuration and all unnecessary and unused ports are disabled or blocked
  • Use a reverse proxy to restrict accessible URL paths to known legitimate ones
  • Deploy a web application firewall
  • Conduct regular virus scans and code reviews, application fuzzing, and server network audits
  • Conduct routine system and application vulnerability scans to identify areas of risk

CMS Proclaims Sweeping Regulatory Adjustments Because of the Increase in COVID-19 Patients

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) announced sweeping regulatory changes and waivers to give medical professionals the greatest flexibility when caring for patients during the COVID-19 outbreak. The latest changes will allow healthcare providers to act as healthcare delivery coordinators in their areas.

The temporary removal of restrictions is intended to create hospitals and health systems without walls. Consequently, hospitals and health systems will be better able to cope with a likely substantial increase in COVID-19 patients in the coming days.

Under normal circumstances, federal regulations require hospitals to deliver healthcare services within their established facilities, but this will not be feasible with a surge in patient numbers. As the number of COVID-19 cases grows, hospitals will reach capacity. If they do not have additional sites to treat patients, they will be overwhelmed.

To ensure that all patients can be treated and nobody is left behind, CMS has relaxed restrictions and issued interim guidelines that permit treatment to be provided in other locations. Many ambulatory surgery centers have opted to cancel elective procedures for the duration of the public health emergency. Hospitals and health systems will be allowed to use those facilities, as well as inpatient rehabilitation hospitals, hotels, and dormitories, and will still be entitled to Medicare reimbursement for services. The new locations may be used to provide healthcare services to non-COVID-19 patients, freeing inpatient beds for COVID-19 patients who need intensive care and ventilators.

CMS stated that ambulatory surgery centers have two options:

  • They can contract with community healthcare systems to deliver services on behalf of the healthcare facility
  • They can enroll and bill CMS as hospitals during the public health emergency declaration, provided that does not conflict with their state’s Emergency Preparedness or Pandemic Plan

Healthcare companies will not be authorized to operate beyond established plans at the community level.

To further maximize capacity, CMS has issued a waiver that allows physician-owned hospitals to add more beds without facing penalties. Hospitals are allowed to set up drive-through screening stations for COVID-19 and use off-campus testing sites, and coverage will be granted for lab technicians who have to travel to a Medicare beneficiary’s home to collect samples for COVID-19 testing. CMS is providing additional reimbursement for ambulances, which are likely to be needed to transport patients between healthcare facilities and doctors’ offices to ensure they receive the necessary treatment. Medicare coverage for respiratory-related devices and equipment has now been extended to cover any medical reason.

Changes were also made to support the rapid expansion of the healthcare workforce. These include making Medicare enrollment easier for providers and allowing teaching hospitals to let medical residents provide services under the supervision of a teaching physician. CMS has also granted a blanket waiver allowing hospitals to provide more benefits to support their medical staff, including multiple daily meals, laundry service for personal clothing, and child care services while doctors and other staff are at the healthcare facility providing patient care.

Changes were also made to reduce the administrative burden on healthcare workers, with CMS putting patients over paperwork by removing reporting requirements so that doctors have more time to care for patients.

CMS has already expanded access to telehealth services, with reimbursement now available for all Medicare beneficiaries in all locations. Coverage now includes around 80 additional services delivered via telehealth, provided those services are delivered by clinicians permitted to provide telehealth services.

These changes and waivers are temporary and remain in effect for the duration of the national public health emergency for COVID-19, after which CMS will review how to transition back to the existing system.

Solving the HIPAA Problem Using Compliancy Group’s Simple HIPAA Compliance Process

Complying with all requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy, Breach Notification, and Omnibus Rules can be a major challenge.

Many healthcare providers have set up a compliance program and believed they were HIPAA-compliant, only to discover through a compliance review or HIPAA audit that they are not complying with a number of HIPAA provisions. Those errors can turn out to be very costly.

Compliance problems can quickly lead to a data breach or prompt the filing of a complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR), the principal enforcer of HIPAA compliance.

OCR investigates submitted complaints and reported data breaches to determine whether a healthcare organization has violated HIPAA Rules. It also performs compliance audits to evaluate the compliance of HIPAA-covered entities and their business associates with all aspects of the HIPAA regulations.

OCR has stepped up its HIPAA compliance enforcement in recent years. In 2018, OCR imposed $28,683,400 in financial penalties on covered entities and business associates in relation to 11 enforcement actions. In 2019, OCR issued financial penalties in 10 compliance investigations.

Resolving HIPAA Compliance Problems

Compliancy Group understands the importance of HIPAA compliance and the challenges faced by HIPAA-covered entities and business associates when trying to implement and maintain an effective compliance program.

To simplify the HIPAA compliance process, Compliancy Group has developed a software solution that guides entities through the compliance process. The software, called The Guard, streamlines everything an organization must do to achieve HIPAA compliance, reduce risk, and avoid penalties.

Compliancy Group hosts webinars from time to time to demonstrate how simple it is to use The Guard to complete the HIPAA compliance process.

With the help of Compliancy Group’s webinars and its compliance coaches, covered entities and business associates can achieve compliance and meet all federal requirements. Find out more about the webinars hosted by Compliancy Group on this page.

Law Firm Files Class Action Lawsuit for Overcharging for Copies of Patients’ Health Records

A law firm has filed a class action lawsuit against Medical Records Online (MRO), a healthcare release-of-information solution provider, for charging law firms and insurance providers excessive fees when furnishing digital copies of patients’ medical records.

Cipriani & Werner of Pittsburgh filed the lawsuit in federal court in Camden, NJ. The lawsuit concerns MRO’s charges for furnishing a copy of a patient’s health records for a personal injury case against the retailer Kohl’s, which the law firm represents.

Cipriani & Werner obtained the medical records of the plaintiff in that case from John F. Kennedy Medical Center in Edison, NJ. MRO billed $528 for 518 pages of the plaintiff’s medical records. The law firm was billed a $10 search fee and $1 per page, even though the records were supplied digitally as a PDF file.

Cipriani & Werner claims MRO violated the New Jersey Declaratory Judgment Act by charging unlawful fees well above the maximum limit. Other claims include:

  • a claim under the New Jersey Consumer Fraud Act for unconscionable commercial practices
  • a claim for breach of New Jersey common law
  • a claim for breach of contract for violating the implied covenant of good faith and fair dealing

The New Jersey Administrative Code permits a $10 search fee to be charged for providing copies of medical records to third parties, a fee of $1 per page, and the actual cost of postage and media for delivering the records (e.g. a compact disc). Cipriani & Werner argues the bill should have included only the $10 search fee, with no per-page charge, since the records were not printed.

The lawsuit claims that regardless of whether MRO was furnishing copies of only a few pages or hundreds of pages, reproducing electronically stored records and sending them to the client took MRO the same amount of time and effort. Cipriani & Werner said the whole process took only 5 minutes.

The Schnader Harrison Segal & Lewis law firm of Cherry Hill, NJ, which represents MRO, states that the service charge was entirely legal and in accordance with state policies.

The lawsuit refers to a 2015 memorandum from the New Jersey State Department that prohibits health record providers from charging per-page fees for electronically transmitted copies of medical records and from applying per-page rates when records are provided to purchasers by means of computer equipment. Nonetheless, in this lawsuit the state department memo is not applicable, because the New Jersey Department of Health has no authority over MRO and the memo did not go through formal rule-making in the State of New Jersey.

The class members are mostly legal professionals and insurance firms who ordered copies of electronic medical records from MRO between September 2015 and February 2020 and were likewise charged for electronic copies of health records in civil cases. The lawsuit names only MRO, not any healthcare organization that uses MRO to handle requests for copies of medical records.

Compliance with the New York SHIELD Act Data Security Provisions Required by March 2020

The New York Governor signed the SHIELD Act, or Stop Hacks and Improve Electronic Data Security Act, into law in July 2019. The New York SHIELD Act broadened the breach notification requirements for businesses that collect the personal data of New York residents. The data security provisions of the New York SHIELD Act took effect on March 21, 2020.

Some businesses are exempt from the requirements of the New York SHIELD Act, including:

  • small businesses with fewer than 50 employees
  • small businesses with less than $3 million in gross revenue for the last 3 fiscal years
  • small businesses whose year-end total assets are under $5 million

For those businesses, the data security program may be scaled according to the size and complexity of the business, the nature of its activities, and the sensitivity of the personal information collected.

For most HIPAA-covered entities, compliance will be straightforward. Entities that comply with the Health Insurance Portability and Accountability Act (HIPAA) are deemed compliant with the New York SHIELD Act.

New York SHIELD Act Requirements for HIPAA Covered Entities

Compliance with HIPAA is not a guarantee that an entity complies with the New York SHIELD Act. Although there is some overlap, the data covered by the New York SHIELD Act differs from the data types covered by HIPAA. HIPAA-covered entities that collect the personal information of New York State residents must ensure compliance with the data security provisions of the SHIELD Act for those data types. See the image below.

One example of where the SHIELD Act applies and HIPAA does not is IT systems that store employee information, such as Social Security numbers or driver’s license numbers, but not protected health information (PHI). Although HIPAA does not cover that information, the SHIELD Act requires the implementation of reasonable administrative, technical, and physical safeguards to protect it. See the Data Security Requirements of the SHIELD Act in the image below.

National Institutes of Health IT Flaws Put EHR Data at Risk

The Department of Health and Human Services’ Office of Inspector General (OIG) performed an audit of the National Institutes of Health (NIH). The audit found that IT management problems in the NIH electronic health record system and IT systems put patients’ protected health information (PHI) at risk.

NIH received $5 million in congressional appropriations in FY 2019 to oversee the NIH grant programs and processes. Congress wanted to ensure that cybersecurity controls were in place to secure sensitive information and to find out whether NIH complies with federal regulations.

CliftonLarsonAllen LLP (CLA) performed the audit on July 16, 2019 on behalf of OIG to assess the effectiveness of certain NIH IT controls and to examine how NIH receives, processes, stores, and transmits electronic health records (EHRs) in its Clinical Research Information System (CRIS), which holds the EHRs of NIH Clinical Center patients.

NIH has around 1,300 physicians, PhD researchers, and dentists, 830 nurses, and approximately 730 allied healthcare professionals. In 2018, the Clinical Center had more than 9,700 new patients, more than 4,500 inpatient admissions, and more than 95,000 outpatient visits.

CLA found that NIH had implemented controls to ensure the integrity, availability, and confidentiality of the health information held in its EHR and data systems; nevertheless, those controls were not working properly. As a result, unauthorized individuals could have accessed the information in the EHR system and information systems. Data was at risk of impermissible disclosure, alteration, and disruption.

The National Institute of Standards and Technology (NIST) recommends that primary and alternate EHR processing sites be geographically separated. Geographical separation reduces the risk of simultaneous disruption and helps ensure that critical operations can be recovered when prolonged outages occur. OIG found that the primary and alternate sites were located in neighboring buildings on the NIH campus. Had a catastrophic event occurred, there was a high probability that both sites would be affected.

The hardware used for the EHR system was approaching end of life or was on extended support. Four servers were running a Windows operating system that Microsoft has not supported since 2015. NIH paid for extended support up to January 2020; nevertheless, OIG found there was no solid transition plan. OIG also found that NIH was not deactivating user accounts promptly when staff members’ contracts ended or they left NIH. Of 26 user accounts that had been inactive for more than 365 days, 19 had not been deactivated. Of 61 terminated user accounts, 9 remained active. Of 25 new CRIS users, 3 had their permissions modified without a completed change form.

NIH told CLA that it had postponed software updates until system enhancements were completed. NIH was updating its hardware during the fieldwork, and improvements to CRIS were expected. Software updates were scheduled to be carried out after completion of the hardware update.

NIH had deployed an automated tool to find inactive accounts and remove them; however, the tool was not fully in use during the fieldwork. There were problems with the tool, for instance in tracking users who switched departments.

OIG recommended using an alternate processing site in a geographically distinct location and taking steps to mitigate the risks associated with the existing alternate site until the new site is established. Policies and procedures should be implemented to ensure that software is upgraded before end of life, and NIH must ensure that its automated tool is performing as designed. NIH agreed with all recommendations and has detailed the actions that have been and will be taken to implement them.
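The three access-control findings above (dormant accounts left enabled, terminated users still active, permission changes without a change form) are the kind of checks an auditor scripts against an account export. The block below is an added example, not OIG's, CLA's or NIH's tooling; the record layout, the 365-day threshold and the sample accounts are constructed assumptions, with only the fieldwork date taken from the article.

```python
"""Account-hygiene checks for the three CRIS access-control findings.

Added example, not OIG's, CLA's or NIH's own tooling. The record layout,
the idle threshold and the sample accounts are constructed assumptions; in
practice the records would come from an IAM export joined with HR data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Account:
    user: str
    active: bool                                  # enabled in the system
    last_login: Optional[date]                    # None = never logged in
    terminated_on: Optional[date] = None          # HR separation date, if any
    # each change: {"on": date, "form_id": str | None}; None = no change form
    permission_changes: List[dict] = field(default_factory=list)


def dormant_still_enabled(accounts, as_of, max_idle_days=365):
    """Finding 1: enabled accounts idle for more than max_idle_days.
    A never-used account is treated as idle since before the cutoff."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [a.user for a in accounts
            if a.active and (a.last_login is None or a.last_login < cutoff)]


def terminated_still_enabled(accounts, as_of):
    """Finding 2: HR says the person has left, but the account is still on."""
    return [a.user for a in accounts
            if a.active and a.terminated_on is not None and a.terminated_on <= as_of]


def undocumented_permission_changes(accounts):
    """Finding 3: permission changes that have no completed change form."""
    return [(a.user, ch["on"]) for a in accounts
            for ch in a.permission_changes if not ch.get("form_id")]


def audit(accounts, as_of):
    """Bundle the three checks the way an auditor would report them."""
    return {
        "dormant_enabled": dormant_still_enabled(accounts, as_of),
        "terminated_enabled": terminated_still_enabled(accounts, as_of),
        "undocumented_changes": undocumented_permission_changes(accounts),
    }


# Constructed sample: fieldwork date taken from the article, users invented.
AS_OF = date(2019, 7, 16)
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2019, 7, 1)),
    Account("bob", True, date(2018, 5, 1)),                    # idle > 365 days
    Account("carol", True, None),                              # never used
    Account("dave", True, date(2019, 6, 1), terminated_on=date(2019, 3, 1)),
    Account("erin", False, date(2018, 12, 1), terminated_on=date(2019, 1, 15)),
    Account("frank", True, date(2019, 7, 10), permission_changes=[
        {"on": date(2019, 6, 20), "form_id": "CRF-0042"},     # documented
        {"on": date(2019, 7, 2), "form_id": None},            # no form
    ]),
]

if __name__ == "__main__":
    for finding, hits in audit(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{finding}: {hits}")
```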

New Report Shows the Brands Most Impersonated by Phishers

A new Vade Secure report reveals the 25 brands most frequently impersonated in phishing attacks. The Q4 2019 Phishers’ Favorites report confirms that PayPal remains the most impersonated brand in phishing attacks, with 11,392 phishing URLs identified in Q4. This is the second consecutive quarter in which PayPal has topped the list. Detections of PayPal phishing URLs increased 23% year-over-year, and new PayPal phishing URLs are detected at a rate of 124 per day.

Detections of phishing URLs imitating Facebook increased. The social media giant jumped to second place, with Microsoft in 3rd and Netflix in 4th. Facebook phishing URL detections went up by 358.8% compared with Q4 of 2018.

Although Microsoft is in third place overall, it is the most impersonated brand in corporate phishing attacks. Microsoft currently has more than 200 million active Office 365 business users, who are targeted by hackers seeking their Office 365 credentials. Office 365 accounts can contain large amounts of sensitive information and can be used to conduct spear-phishing attacks on partners and other staff within the organization.

A very notable change in Q4 was a substantial increase in phishing URLs impersonating WhatsApp, which caused the Microsoft-operated instant messaging service to jump to position 5. The 5,020 phishing URLs detected in Q4 represent a 13,467.6% increase compared to Q3 of 2019.

Because of the WhatsApp phishing URL detections, the share of phishing URLs for social media companies went up from 13.1% in Q3 to 24.1% in Q4. Rounding out the top ten were Bank of America (6th), CIBC (7th), Desjardins (8th), Apple (9th), and Amazon (10th). There was also a big increase in phishing URLs impersonating Instagram, which grew by 187.1% in Q4.

Financial services organizations were the most impersonated in Q4 for the second successive quarter. Although phishers do impersonate large banks, Vade Secure notes that they now favor smaller financial institutions, which may not have strong security controls in place to detect brand impersonation.

Vade Secure states that phishing attacks impersonating note-taking services such as OneNote and Evernote increased markedly, alongside an increase in fake OneDrive and SharePoint notifications that lead to websites hosting phishing kits.

OIG Audit Reveals Extensive Inappropriate Use of Medicare Part D Eligibility Verification Transactions

The Department of Health and Human Services’ Office of Inspector General (OIG) performed an audit which showed that many pharmacies and other healthcare organizations are improperly using Medicare beneficiaries’ information.

OIG carried out the audit at the request of the HHS’ Centers for Medicare and Medicaid Services (CMS) to determine whether Medicare beneficiaries’ information was being improperly accessed and used by mail-order and retail pharmacies and other healthcare organizations, such as doctors’ offices, clinics, hospitals, and long-term care facilities.

CMS was concerned that a mail-order pharmacy and other healthcare organizations were not using Medicare Part D Eligibility Verification Transactions (E1 transactions) correctly. E1 transactions should be used solely to confirm Medicare beneficiaries’ eligibility for specific coverage benefits.

OIG conducted the audit to determine whether E1 transactions were being used only for their intended purpose. Since E1 transactions contain the protected health information (PHI) of Medicare beneficiaries, they could potentially be used for fraud or other malicious or improper purposes.

An E1 transaction has two components: a request and a response. The healthcare organization submits an E1 request containing an NCPDP provider ID number or NPI together with basic patient demographic details. The request is sent to the transaction facilitator, who matches the E1 request details against the information held in the CMS eligibility records. A response is then returned containing the beneficiary’s Part D coverage details.

CMS selected one mail-order pharmacy and 29 other entities for the audit. Of the 30 entities reviewed, 25 used E1 transactions for purposes other than billing for prescriptions or determining the order of drug coverage when beneficiaries had multiple insurance plans. 98% of the E1 transactions of those 25 entities were not related to prescriptions.

OIG found that entities were obtaining coverage details for beneficiaries who had no prescriptions. Entities were using E1 transactions to evaluate sales leads, several providers had allowed marketing firms to submit E1 transactions for sales purposes, entities were obtaining information on private insurance coverage for items not covered under Part D, long-term care facilities had obtained Part D coverage details using batch transactions, and E1 transactions were submitted by 2 non-pharmacy firms.

HIPAA covers E1 transactions and applies the minimum necessary standard. PHI must be protected against unauthorized access whenever it is stored electronically or transmitted between covered entities. The audit findings indicate HIPAA violations, and this may well be a nationwide concern. Based on the audit results and the apparent widespread improper access and use of PHI, OIG is going to expand the audits nationwide.

OIG believes these problems have occurred because CMS has not fully implemented controls to monitor providers that submit large numbers of E1 transactions relative to prescriptions filled; CMS has yet to provide clear guidance that E1 transactions must not be used for marketing purposes; and CMS has not restricted non-pharmacy access.

Following the audit, CMS took additional steps to monitor for misuse of the eligibility verification system and will take appropriate enforcement action where misuse is identified. OIG has recommended that CMS issue clear guidance on E1 transactions and ensure that only pharmacies and other authorized businesses submit E1 transactions.
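The control OIG says was missing, comparing a submitter's E1 request volume with the prescriptions it actually billed and flagging non-pharmacy submitters, can be expressed as a simple join over two record sets. The block below is an added example, not OIG's or CMS's tooling; the record layouts, the 30-day link window, the 50% threshold and the sample submitters are constructed assumptions, and it also links each request to a specific beneficiary claim rather than only comparing aggregate counts.

```python
"""Ratio-based monitoring of Medicare Part D E1 eligibility queries.

Added example, not OIG's or CMS's own tooling. It flags submitters whose
E1 request volume is out of proportion to the prescriptions they billed,
and any submitter that is not a pharmacy. Record layouts, the 30-day link
window, the 50% threshold and the sample data are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class E1Request:
    provider_id: str        # NPI / NCPDP provider ID (placeholder values)
    submitter_type: str     # "pharmacy", "ltc_facility", "marketing", ...
    beneficiary_id: str
    when: date


@dataclass(frozen=True)
class RxClaim:
    provider_id: str
    beneficiary_id: str
    when: date


def link_e1_to_claims(e1s, claims, window_days=30):
    """Split E1 requests into (linked, unlinked).

    A request is linked when the same provider billed a prescription for
    the same beneficiary within window_days after the query; an unlinked
    request served no billing or coverage-ordering purpose."""
    claim_dates = defaultdict(list)
    for c in claims:
        claim_dates[(c.provider_id, c.beneficiary_id)].append(c.when)
    linked, unlinked = [], []
    for r in e1s:
        dates = claim_dates.get((r.provider_id, r.beneficiary_id), [])
        if any(r.when <= d <= r.when + timedelta(days=window_days) for d in dates):
            linked.append(r)
        else:
            unlinked.append(r)
    return linked, unlinked


def provider_report(e1s, claims, max_unlinked_share=0.5, min_volume=5):
    """Per-provider E1 statistics with the two flags OIG asked CMS for."""
    _, unlinked = link_e1_to_claims(e1s, claims)
    stats = {}
    for r in e1s:
        s = stats.setdefault(r.provider_id, {
            "submitter_type": r.submitter_type, "e1_total": 0,
            "e1_unlinked": 0, "flags": []})
        s["e1_total"] += 1
    for r in unlinked:
        stats[r.provider_id]["e1_unlinked"] += 1
    for s in stats.values():
        s["unlinked_share"] = round(s["e1_unlinked"] / s["e1_total"], 3)
        if s["submitter_type"] != "pharmacy":
            s["flags"].append("non_pharmacy_submitter")
        if s["e1_total"] >= min_volume and s["unlinked_share"] > max_unlinked_share:
            s["flags"].append("e1_volume_exceeds_prescriptions")
    return stats


# Constructed sample data: one retail pharmacy, one marketing firm and one
# long-term care facility, mirroring the kinds of submitters in the audit.
_D = date(2019, 10, 1)
SAMPLE_E1 = (
    [E1Request("NPI-P1", "pharmacy", f"B{i}", _D) for i in range(1, 7)]
    + [E1Request("NPI-M1", "marketing", f"L{i}", _D) for i in range(1, 9)]
    + [E1Request("NPI-L1", "ltc_facility", f"R{i}", _D) for i in range(1, 6)]
)
SAMPLE_CLAIMS = (
    [RxClaim("NPI-P1", f"B{i}", _D + timedelta(days=2)) for i in range(1, 6)]
    + [RxClaim("NPI-P1", "B6", _D + timedelta(days=45))]   # outside window
)

if __name__ == "__main__":
    for pid, s in provider_report(SAMPLE_E1, SAMPLE_CLAIMS).items():
        print(pid, s)
```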

Email Security Breaches at Shields Health Solutions and Lafayette Regional Rehabilitation Hospital

Shields Health Solutions Email Account Breach

Shields Health Solutions, located in Stoughton, MA, provides specialty pharmacy services to covered entities and hospitals. Unauthorized access to an employee’s email account potentially allowed the attacker to view or copy the protected health information (PHI) contained in the account.

Shields Health Solutions detected suspicious activity in the employee’s email account on October 24, 2019. A cybersecurity firm investigated the incident and determined that the account was accessed by an unauthorized individual from October 22 to October 24, 2019. The breach affected only one email account.

The email messages and attachments in the account contained patient names, dates of birth, provider names, medical record numbers, clinical information, prescription information, insurance company names, and limited claims information. There is no evidence that the attacker accessed or copied patient data.

Shields Health Solutions upgraded its email security by implementing multi-factor authentication on all employees’ email accounts and mailed notification letters to all affected individuals on December 16, 2019. The breach has not yet been posted on the HHS’ Office for Civil Rights (OCR) breach portal, so the number of affected individuals is not yet known.

Lafayette Regional Rehabilitation Hospital Email Breach

In July 2019, Lafayette Regional Rehabilitation Hospital in Lafayette, IN learned of unauthorized access to an employee’s email account that potentially exposed patients’ PHI.

On learning of the breach on November 25, 2019, the hospital promptly launched an investigation to determine whether unauthorized persons had viewed any patient information. There is no certainty that the attackers viewed or copied patient data, but it is possible. The information in the compromised email account included names, dates of birth, clinical information, and treatment details related to medical services received at the hospital. The Social Security numbers of several patients were also compromised.

On January 24, 2019, the hospital mailed breach notification letters to affected patients and offered those whose Social Security numbers were compromised free credit monitoring services. Lafayette Regional Rehabilitation Hospital also improved email security and reinforced security awareness training for employees.

OCR has received the breach report, which states that approximately 1,360 patients were affected.

5,000+ Individuals Impacted by Phishing Attacks on Phoenix Children’s Hospital, VillageCareMAX and VillageCare Rehabilitative and Nursing Center

Village Senior Services Corporation, also known as VillageCareMAX (VCMAX), and Village Center for Care, also known as VillageCare Rehabilitative and Nursing Center (VRNC), experienced a business email compromise (BEC) attack. In a BEC attack, a threat actor impersonates an executive, either by using the executive’s real email account, compromised in an earlier attack, or by spoofing the executive’s email address.

An unauthorized individual posing as an executive requested sensitive data on VCMAX members and VRNC patients. An employee believed the request was legitimate and responded by providing the requested information. On December 30, 2019, VCMAX and VRNC were notified of a potential BEC attack.

The investigation confirmed that the request was fraudulent and that sensitive information on VCMAX members and VRNC patients had been impermissibly disclosed. The compromised data included the names and Medicaid ID numbers of 2,645 VCMAX members and the first and last names, dates of birth, insurer names, and insurance ID numbers of 674 VRNC patients.

No reports of misuse of personal data have been received; nevertheless, all affected individuals were advised to remain vigilant and monitor their explanation of benefits statements, accounts, and credit reports for signs of fraudulent activity. VCMAX and VRNC are reviewing their policies and procedures, and improvements will be implemented to prevent similar attacks in the future.

Phoenix Children’s Hospital Phishing Attack

Phoenix Children’s Hospital suffered a targeted phishing attack from September 5 to September 20, 2019, which resulted in the compromise of seven hospital employees’ email accounts.

After learning of the breach, the hospital engaged a well-known computer forensics company to determine its scope. On November 15, 2019, it was confirmed that the compromised email accounts contained the protected health information (PHI) of 1,860 current and former patients. It is possible that the attackers accessed or downloaded the information, which included names, personal information, and Social Security numbers, along with some medical information for certain patients.

Phoenix Children’s Hospital began mailing breach notification letters to affected patients on January 14, 2020. The hospital also offered patients whose Social Security numbers were potentially compromised free credit monitoring and identity theft protection services.