Too Many Threats, Too Often

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure (#HCdeJure)

It used to be that almost a day could not go by without the report of a phishing attack. Now seemingly a day cannot go by without a ransomware attack being reported. While phishing may be a route in, it is not the only way to get past an organization’s defenses. Avenues of attack keep evolving; the one constant is that privacy is compromised. Even if not every threat can be stopped, it is instructive to understand the nature of the threats that are on the rise, because that understanding guides which additional defenses will make a successful attack harder.

Ransomware as a Service
So many products are now sold as a subscription-based service, so why not ransomware? What does it mean for ransomware to be available as a service? To a degree it means that attackers can obtain off-the-shelf ransomware and deploy it against many different organizations. It does not matter if most of the attempts fail so long as some get through. The ability to launch a large number of attacks means that only a few need to land to make an impact.

Having ransomware available by subscription also means that attackers do not need to know how to write ransomware themselves. Instead, all an attack takes is some degree of bankrolling by the party interested in initiating it, along with a willingness to share the potential spoils with the operator who supplies the malware. Being able to purchase a piece of malware opens the door to that many more potential attackers.

Assembling the Team
Recent reports that different ransomware groups and other bad actors are seeking to band together are another area of concern. Different bad actors coming together, in a reverse form of the Avengers, could mean enhanced capabilities and complementary attack vectors. If such a group exploits more than one avenue of attack, then an organization’s good defenses in one area can be subverted in another.

These groupings may also bring together the better known ransomware operators with lesser known actors who specialize in other forms of attack. The groupings may also rely more heavily on cloud infrastructure, which to some degree mirrors the direction in which most legitimate services are heading.

Increased Phishing Sophistication
What happens when email filters stop catching phishing attacks? The question may not be so theoretical. Spearphishing variants and other highly targeted messages are finding success in getting past defenses. The success lies in the combination of email spoofing and social engineering. Posing as a trusted person within an organization is designed to take advantage of personal connections and regular routines. The point of the social engineering is to get a response before the recipient pauses to question the request. The messages get past protections because many filters key on known-bad senders, links and attachments rather than on the wording of the request; a message that carries no malicious payload and simply asks a colleague for a favor often passes through, and that is where the attacker’s success lies. The combination amounts to real exposure and risk.
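The paragraph above describes the two ingredients of a targeted phish, a spoofed or impersonated sender and a plausible request with no payload, and notes that filters which only inspect links and attachments miss it. Header analysis is one place such a message can still be caught. The following is an added example, written for this page and not code from the original article or any vendor product: it reads an email’s From, Reply-To and Authentication-Results headers and flags display-name impersonation of a known employee, mail claiming the organization’s own domain without a DMARC pass, lookalike domains within a couple of characters of the real one, and a Reply-To that steers replies elsewhere. The internal domain, the staff directory and the four sample messages are constructed for the example, and the two-edit lookalike threshold is an assumption a deployment would tune.

```python
"""Flag likely spoofed or impersonation emails from their headers (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-health.org"  # assumption: the organization's own mail domain

# Constructed staff directory for the example; names and addresses are fictional.
DIRECTORY = {
    "dana reyes": "dreyes@example-health.org",
    "sam okafor": "sokafor@example-health.org",
}

# Constructed sample messages, not real traffic.
# 1) Display-name impersonation of an executive from a free webmail account;
#    no links, no attachments, just an urgent request.
SPOOF_DISPLAY_NAME = """From: Dana Reyes <dana.reyes.ceo@gmail.com>
Reply-To: dana.reyes.ceo@gmail.com
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=none
Subject: quick favor

Are you at your desk? I need a wire processed before noon. Reply here, I am in meetings.
"""
# 2) Header From claims the internal domain, DMARC did not pass, and replies are
#    steered to an outside mailbox.
SPOOF_INTERNAL = """From: Sam Okafor <sokafor@example-health.org>
Reply-To: sokafor.payroll@outlook.com
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=example-health.org; dkim=none; dmarc=fail
Subject: updated direct deposit

Please update my direct deposit to the account details below.
"""
# 3) Lookalike domain (two letters transposed) that passes its own SPF/DKIM/DMARC.
SPOOF_LOOKALIKE = """From: Sam Okafor <sokafor@example-heatlh.org>
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-heatlh.org; dkim=pass header.d=example-heatlh.org; dmarc=pass
Subject: invoice

Can you approve the attached invoice today?
"""
# 4) Legitimate internal mail.
LEGIT = """From: Dana Reyes <dreyes@example-health.org>
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass header.d=example-health.org; dmarc=pass
Subject: agenda

Agenda for Monday attached.
"""


def auth_result(msg, mechanism):
    """Return the gateway's verdict ('pass', 'fail', 'none', ...) for spf/dkim/dmarc, or 'missing'."""
    header = msg.get("Authentication-Results", "")
    m = re.search(rf"\b{mechanism}=(\w+)", header, re.IGNORECASE)
    return m.group(1).lower() if m else "missing"


def levenshtein(a, b):
    """Plain edit distance; used to spot domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_findings(raw_message):
    """Return the list of reasons the message looks like impersonation (empty if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = domain_of(addr)
    findings = []

    # Display name matches a known employee but the address is not theirs.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display-name-impersonation")

    # Mail claiming our own domain must have passed DMARC at our gateway.
    if domain == INTERNAL_DOMAIN and auth_result(msg, "dmarc") != "pass":
        findings.append("internal-domain-failed-dmarc")

    # A domain within two edits of ours is almost certainly a lookalike (threshold is an assumption).
    if domain and domain != INTERNAL_DOMAIN and levenshtein(domain, INTERNAL_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # Reply-To pointing at a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        findings.append("reply-to-domain-mismatch")

    return findings


if __name__ == "__main__":
    for label, raw in [("display-name", SPOOF_DISPLAY_NAME), ("internal", SPOOF_INTERNAL),
                       ("lookalike", SPOOF_LOOKALIKE), ("legit", LEGIT)]:
        print(f"{label:13} -> {spoof_findings(raw) or 'clean'}")
```

Note that the lookalike sample passes SPF, DKIM and DMARC, because those only prove the mail really came from the domain it names; they say nothing about whether that domain is the one the recipient thinks it is. That is why the directory and lookalike checks sit alongside the authentication verdicts rather than replacing them.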

Data Exfiltration in Ransomware
As ransomware rose to prominence, many post-attack reports indicated only that data had been locked down, with no evidence that the data had been accessed or exfiltrated. Unfortunately, that assumption that the data itself was left untouched no longer holds. Recent reports suggest that up to half of ransomware attacks now exfiltrate data in addition to encrypting it. Outflow of data is never a good outcome, as it increases the potential impact of a breach. The increased occurrence of exfiltration also means more data breaches should be reported, because the ability to argue that no compromise occurred disappears, which undermines one of the arguable outs under the HIPAA definition of a breach. Disclosing a breach is not necessarily a negative, since the individuals affected do want to know, but it does raise the regulatory impact.

Diverted Attention
The constant strain on systems and services caused by COVID-19 presents yet another opportunity for weaknesses in cybersecurity. If organizations are focused on keeping the doors open and providing services for patients, then cybersecurity will not be a top concern. Add the introduction of new remote connections, whether for telehealth or work from home, and the possibilities for compromise become apparent. These new openings also arrive at a time when some threat actors have openly stated that attacks are coming, while others claimed that attacks would cease and then continued to dump data anyway.

Insiders Still Lurking
With all of the outside threats accumulating, it can be easy to forget that risks remain within the proverbial walls of an organization as well. Whether unintentional or intentional, insiders pose a significant risk to security. The exposure can take many forms, from rushing through tasks too quickly to sending data out for the individual’s own purposes. The level of intent varies across these examples, but the common factor is that data are used or disclosed in ways not permitted under HIPAA.

Ways to Address
Even if every breach or compromise cannot be prevented, steps can be taken to minimize the likelihood of an incident and to mitigate the consequences when the unfortunate inevitable does occur. The ways to address these risks have been covered many times, but they run the gamut from more training, education and awareness, to automated systems that enhance monitoring, to greater investment in security tools.

Even this brief listing of examples shows that many different paths to enhancing security exist. However, no silver bullet will ensure the security of data. Instead, comprehensive security requires ongoing, constant effort that recognizes the ever-evolving nature of the threats.

What Comes Next?
The continued impact of ransomware and other cyber attacks will be determined by the amount of attention given to enhancing security and to staying even with, or ahead of, the attackers. There is no claim that those efforts are easy or that they guarantee protection. However, giving in is not an option that anyone should consider.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.