BLOG

HHS OCR PRESS RELEASE: Cyber Alert – Computer Network Infrastructure Vulnerable to Windows 7 End of Life Status, Increasing Potential for Cyber Attacks

OCR is sharing the following update with our listserv from the Federal Bureau of Investigation (FBI), warning individuals that the FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status.  August 2020 PIN Number 20200803-002 The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber actors. This product was coordinated with DHS-CISA. This product is marked TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. Computer Network Infrastructure Vulnerable to Windows 7 End of Life Status, Increasing Potential for Cyber Attacks Summary The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status. Continuing to use Windows 7 within an enterprise may provide cyber criminals access into computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system. Migrating to a new operating system can pose its own unique challenges, such as cost for new hardware and software and updating existing custom software. However, these challenges do not outweigh the loss of intellectual property and threats to an organization.  Threat Overview On 14 January 2020, Microsoft ended support for the Windows 7 operating system, which includes security updates and technical support unless certain customers purchased an Extended Security Update (ESU) plan. The ESU plan is paid per-device and available for Windows 7 Professional and Enterprise versions, with an increasing price the longer a customer continues use. Microsoft will only offer the ESU plan until January 2023. Continued use of Windows 7 creates the risk of cyber criminal exploitation of a computer system. ·       As of May 2019, an open source report indicated 71 percent of Windows devices used in healthcare organizations ran an operating system that became unsupported in January 2020. Increased compromises have been observed in the healthcare industry when an operating system has achieved end of life status. After the Windows XP end of life on 28 April 2014, the healthcare industry saw a large increase of exposed records the following year. ·       Cyber criminals continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits. Microsoft released an emergency patch for its older operating systems, including Windows 7, after an information security researcher discovered the RDP vulnerability called BlueKeep in May 2019. Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the BlueKeep vulnerability. Cyber criminals often use misconfigured or improperly secured RDP access controls to conduct cyber attacks. The xDedic Marketplace, taken down by law enforcement in 2019, flourished by compromising RDP vulnerabilities around the world. ·       In 2017, roughly 98 percent of systems infected with WannaCry employed Windows 7 based operating systems. After Microsoft released a patch in March 2017 for the computer exploit used by the WannaCry ransomware, many Windows 7 systems remained unpatched when the WannaCry attacks began in May 2017. With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target. Recommendations Defending against cyber criminals requires a multilayered approach, including validation of current software employed on the computer network and validation of access controls and network configurations. Consideration should be given to: ·       Upgrading operating systems to the latest supported version. ·       Ensuring anti-virus, spam filters, and firewalls are up to date, properly configured, and secure. ·       Auditing network configurations and isolate computer systems that cannot be updated. ·       Auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts. Reporting Notice The FBI encourages individuals to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at [email protected] When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. ###

Read More »

Alert: Postcard Disguised as Official OCR Communication

Alert: Postcard Disguised as Official OCR Communication August 6, 2020 OCR has been made aware of postcards being sent to health care organizations disguised as official OCR communications, claiming to be notices of a mandatory HIPAA compliance risk assessment.  The postcards have a Washington, D.C. return address, and the sender uses the title “Secretary of Compliance, HIPAA Compliance Division.” The postcard is addressed to the health care organization’s HIPAA compliance officer and prompts recipients to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment.  The link directs individuals to a non-governmental website marketing consulting services. The postcard below is not from HHS/OCR. HIPAA covered entities and business associates should alert their workforce members to this misleading communication.  This communication is from a private entity – it is NOT an HHS/OCR communication.  Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address on any communication that purports to be from OCR.  The addresses for OCR’s HQ and Regional Offices are available on the OCR website at https://www.hhs.gov/ocr/about-us/contact-us/index.html, and all OCR email addresses will end in @hhs.gov.  If organizations have additional questions or concerns, please send an email to: [email protected] Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation. 

Read More »

Ransomware Attacks Delivered Via Phishing Campaigns on the Rise

Please read the latest cybersecurity news about email-based phishing campaigns used to deploy ransomware attacks. Attackers are specifically leveraging the COVID-19 pandemic to lure targeted users into clicking the malicious link. Subject lines include “COVID-19 test results” and “virus analyses.” READ MORE 

Read More »

Reopening dental practices needs a team approach, ADA president says

Reopening dental practices needs a team approach, ADA president says Written by Gabrielle Masson | April 30, 2020   As some dental practices begin plans to reopen, dentists should be communicating and engaging with their dental team members to address any concerns related to returning to work amid the COVID-19 pandemic, according to the American Dental Association. “Good communication is the key to making patients and the dental team comfortable as they return to our offices,” said ADA President Chad Gehani, DDS. “Dental team members who are confident that their office is keeping up with all appropriate prevention measures will convey that confidence to patients.” Dr. Gehani said dental teams should meet via video and discuss key concerns, such as availability of and access to personal protective equipment. Dr. Gehani and his wife, Rekha Gehani, DDS, virtually meet with their team members regularly. “Explain what changes will be made moving forward, and if their job responsibilities will be amended,” the ADA president said. “This crisis underscores how every member of the dental team is important and must be respected for their unique roles,” Dr. Gehani concluded.

Read More »

HHS Alert: Phony Emails

Watch out for fake Office of Civil Rights investigators, hospitals warned HHS alerted hospitals and health systems of someone posing as an Office for Civil

Read More »

HHS Gives Dental Practice Posting PHI on Yelp a Bad Review

Practice
Must Pay a $10,000 HIPAA Settlement

A dental practice in Texas that responded to patients’ Yelp
reviews by disclosing patient names and other health information has gotten a
bad review from federal regulators: A $10,000 HIPAA monetary settlement and a
corrective action plan.

Read More »

Smaller Breaches Being Scrutinized

While some leaders have speculated that OCR has lessened its enforcement of HIPAA, Beazley finds the agency has remained active and smaller breaches are increasingly being scrutinized.

Read More »