
CYBER SECURITY CONSULTING SERVICE AWARDS AND RECOGNITIONS

CyberSecOp's comprehensive managed security services, cyber security consulting, professional services, and data protection technology are recognized as industry-leading threat detection and response solutions by major analyst firms, key media outlets, and others.

CyberSecOp Cybersecurity & Breach News

Healthcare Cyber Breaches and Statistics

Cyber breaches in the healthcare industry can have serious consequences, as they can compromise the confidentiality, integrity, and availability of sensitive patient information. These breaches can lead to financial loss, damage to reputation, and regulatory fines for the affected organizations. They can also have serious consequences for patients, including identity theft, financial loss, and harm to their physical and mental health.

According to a survey conducted by the Healthcare Information and Management Systems Society (HIMSS) in 2018, only 36% of healthcare organizations reported having a fully implemented cybersecurity program. The survey also found that only 37% of healthcare organizations had a formal incident response plan in place, and only 29% had regularly scheduled cybersecurity training for employees.

There have been several high-profile healthcare cyber breaches in recent years, including the 2017 WannaCry ransomware attack that affected the National Health Service in the UK and the 2018 breach of the health insurance company Anthem, which exposed the personal information of nearly 79 million individuals.

According to the US Department of Health and Human Services (HHS), the healthcare industry has consistently had the highest number of reported data breaches of any sector. In 2020, the HHS received reports of 1,363 breaches affecting a total of over 36 million individuals. The most common types of breaches reported were hacking/IT incidents (43.8%), unauthorized access/disclosure incidents (33.7%), and theft incidents (22.5%).

It is important for healthcare organizations to implement robust cybersecurity measures to protect patient information and prevent cyber breaches. This includes regularly updating and patching systems, training employees on cybersecurity best practices, and implementing strong passwords and access controls.

High-Profile Cyber Breaches in Healthcare

There have been several high-profile cyber breaches in the healthcare industry in recent years. Some examples include:

  • In 2021, the health insurance company Premera Blue Cross announced a data breach that affected over 11 million individuals. The breach occurred in 2014, but was not discovered until 2015. The company discovered that hackers had gained access to its systems and had potentially accessed personal and medical information of its customers.

  • In 2020, the healthcare provider UnityPoint Health suffered a data breach that affected over 1.4 million individuals. The breach occurred when an employee fell victim to a phishing attack, which allowed hackers to gain access to the company's systems and potentially view or steal patient information.

  • In 2019, the healthcare provider Quest Diagnostics announced a data breach that affected nearly 12 million individuals. The breach occurred when an unauthorized third party gained access to the company's systems and potentially accessed patient information.

  • In 2018, the health insurance company Anthem suffered a data breach that affected nearly 79 million individuals. The breach occurred when hackers gained access to the company's systems and potentially accessed the personal and medical information of its customers.

It is important for healthcare organizations to implement robust cybersecurity measures to protect against cyber breaches and prevent the unauthorized access or disclosure of sensitive patient information.

Healthcare HIPAA and Cyber Protection

The Health Insurance Portability and Accountability Act (HIPAA) is a US law that sets standards for protecting certain health information. HIPAA requires covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and their business associates to implement safeguards to protect the privacy and security of protected health information (PHI).

HIPAA requires covered entities to implement physical, technical, and administrative safeguards to protect PHI. These safeguards include:

  • Physical safeguards: measures to secure the physical environment where PHI is stored, such as locking doors and securing servers.

  • Technical safeguards: measures to protect against unauthorized access to PHI, such as firewalls, encryption, and access controls.

  • Administrative safeguards: policies and procedures to ensure the proper handling of PHI, such as training employees on HIPAA requirements and conducting risk assessments.

HIPAA also requires covered entities to report certain types of breaches of PHI to the Department of Health and Human Services (HHS) and, in some cases, to affected individuals.

It is important for covered entities and their business associates to comply with HIPAA requirements to protect the privacy and security of PHI and prevent cyber breaches. This includes implementing appropriate safeguards and regularly reviewing and updating their HIPAA compliance programs.


Password Manager LastPass Breach Update

LastPass Breach Update

As the months pass, more and more information is becoming apparent regarding the LastPass breach that surfaced last August. What at first was thought to be some source code and technical data theft has turned into a rather sophisticated advanced persistent threat (APT) that affects nearly every user of LastPass. Here are some more details:

Back in August of 2022, one or more threat actors got hold of some source code and internal technical details about LastPass. The actor or group then used that information to hack a LastPass employee (via social engineering or other means) and obtain their credentials and security keys to access a cloud-based storage service. While this cloud-based storage service was logically and physically separated from LastPass's central infrastructure and network, it turns out it stored internal and customer-based information, which the threat actor was able to obtain and download.

What kind of data are we talking about exactly? According to LastPass, the threat actor was able to download a backup of customer vault data from the encrypted storage container, which is stored in a proprietary format. This included unencrypted data such as website URLs as well as fully encrypted data such as usernames, passwords, and form-filled data.

 So, in other words, they have the kitchen sink. They have everything.

It is important to know that the encrypted data is protected with 256-bit AES encryption and requires the customer's master password to decrypt. LastPass does not have knowledge of any customer master password, as stated in their 'zero knowledge' architecture. However, if your master password is weak and you have not enforced MFA, you must consider your password compromised. You must change your master password and enforce MFA immediately.

If you have a strong password, you may still be the target of social engineering devised to get your master password. LastPass will never ask for your master password.

If anything, this latest security breach of a significant company is more empirical proof that even the biggest and most secure/compliant organizations are not immune to cyber incidents. Vigilance against social engineering, strong passwords and MFA are some of the layers of defense that can protect against this specific incident.

To Do:

  • Change LastPass Master Password to a very strong password or passphrase IMMEDIATELY.

  • Enable MFA IMMEDIATELY

  • Inventory all the applications and passwords you have in your LastPass vault and change those. Start with the most sensitive and work your way down.

  • Enable MFA on any application that stores sensitive information, even if it sits behind LastPass.

  • Change your mindset to be extra cautious of social engineering emails, but especially any emails that detail this LastPass breach.

 

Written By: Carlos Neto     12/27/2022


The Majority of US Defense Contractors Fail to Meet Basic Cybersecurity Standards

According to the study, this could have severe consequences for defense contractors, with nearly half losing up to 60% of their revenue if DoD contracts are lost.

"CMMC is a set of commercially reasonable standards to protect data," said CyberSecOp's CISO. Organizations must address it as a part of doing business or risk losing the contract. Nearly nine in ten (90%) of US defense contractors need to meet basic cybersecurity regulatory requirements.

According to the survey, defense contractors still need to implement basic standards. A sampling:

  • 35% have security information and event management (SIEM)

  • 39% have an endpoint detection response solution (EDR)

  • 18% have a vulnerability management solution

  • 28% have multi-factor authentication (MFA)

Defense contractors are being targeted by state hackers.

Defense contractors are a popular target for nation-state groups due to the sensitive information they possess about the US military. The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory in October 2022 highlighting advanced persistent threat (APT) activity detected on a defense organization's enterprise network.

CyberSecOp's CISO is concerned that four out of five defense contractors reported a cyber-related incident, with nearly three out of five reporting business loss due to a cyber-related event.

CyberSecOp is a CMMC-AB REGISTERED PROVIDER ORGANIZATION (RPO)

The DoD has made an effort to simplify CMMC, but it is undoubtedly still complicated. CMMC is based on several other standards, including DFARS, 800-171, and ISO 27001. Having to work with all of these information security standards makes it very challenging for most DoD contractors to cope with CMMC. Get compliant with CyberSecOp CMMC Assessment, Security Program & Advisory Services.
