Apr 152019

Sergiu Gatlan reports:

Malicious DICOM files can be crafted to contain both CT and MRI scan imaging data and potentially dangerous PE executables, a process which can be used by threat actors to hide malware inside seemingly harmless files.

Cylera’s Markel Picado Ortiz achieved this by taking advantage of a DICOM format design flaw which allows for the “128-byte section at the beginning of the file, called the Preamble,” to be modified to add compatibility with non-DICOM image viewers.

Read more on BleepingComputer.


Apr 152019

Catalin Cimpanu reports:

Microsoft Office products are today’s top target for hackers, according to attack and exploitation data gathered by Kaspersky Lab.

In a presentation at its security conference –the Security Analyst Summit– the company said that around 70 percent of the attacks its products have detected in Q4 2018 are trying to abuse a Microsoft Office vulnerability.

Read more on ZDNet.

Apr 142019

If ransomware is a cybercriminal’s friend, the new ransomware called Virobot, is their best friend – ever. Discovered just last month, Virobot is a one-stop-shop malware that uses ransomware, keylogging, and botnets – a triple threat. Traditionally, ransomware attacks enter through opened phishing emails and clicked attachments. It then it freezes computers and encrypts their data, rendering them useless. From there, a ransom payable in bitcoin is demanded, promising to provide the decryption key that restores data and devices. Depending on the target and how vital access to their data is – think hospitals and law enforcement – a decision to pay the ransom is made. Depending on how well an organization backs up its data, the organization can get back up and running on its own – so some ransoms go unpaid. From what’s been seen so far, Virobot ransomware may have its victims wishing for the “old school” days of simple ransomware attacks.

Read more on Numerica Credit Union.

Apr 142019

On April 7, RS Medical disclosed an incident that had the potential to compromise patient information. A copy of the notification from the Vancouver, Washington entity, obtained by DataBreaches.net, indicates that the attacker may not have been particularly interested in patient information, though:

The primary purpose of the breach, as determined by internal investigation, was to obtain an Outlook account from which to launch 10,000 phishing emails.

This incident, which occurred February 11 – February 12, 2019,  does not appear to be related in any way to the breach Microsoft has confirmed to TechCrunch. It appears to be due to just one more instance of an employee falling for a phishing attack.

The pain-relief device manufacturer says that after obtaining the employee credentials and testing the login o make sure it worked, the attacker launched a phishing attack. Ten thousand emails were reportedly sent out from the compromised account before the attack was detected and the password to the account was changed to lock out the attacker.

“The time the U.P. [unauthorized person] had access to the account totaled less than 2 hours. The likelihood that any PHI was acquired or viewed is low but cannot be disproven,” RS Medical’s Privacy Officer Joseph Basham writes.

But because access could not be disproved, RS Medical notified approximately 250 patients whose health information was potentially accessible in that employee’s mailbox. The PHI included name, home address,  phone number, and date of birth, as well as either diagnosis codes and/or type and quantity of medical equipment/supplies prescribed that RS Medical documented.

The RS Medical incident is just the latest in a slew of incidents where access to PHI may be highly unlikely but because an entity cannot definitively prove no access, entities have had to — or decided to —  to make notifications. It is also just the latest in a slew of incidents where if employees didn’t keep unencrypted PHI in their email accounts, no notifications might be required.

So why, when phishing accounts for approximately 1/3 of all attacks these days and when the costs of incident response may run into the millions of dollars, are people still retaining unencrypted PHI in email accounts?  And how can a covered entity justify to OCR, “Yes, we knew that having employees retain PHI in their email accounts contributed to a significant risk of a reportable breach even with providing training on recognizing phishing emails, but we let them store PHI anyway and didn’t even limit for how long it could remain in their email inboxes.”

RS Medical is regulated by the FDA.  They did nothing unusual, and I do not mean to suggest in any way that they should be singled out for any enforcement action. But maybe it’s time for HHS to send out a guidance about storing PHI in employee email accounts and how OCR views incidents of this kind — whether allowing such unencrypted storage is consistent with the Security Rule or not. Then again, maybe I’m not seeing something that others with actual security expertise would see.



Apr 122019

Marianne Kolbasuk McGee reports:

The University of Texas MD Anderson Cancer Center has filed a lawsuit arguing that a $4.3 million HIPAA penalty levied against it last year by the Department of Health and Human Services following three data breaches involving unencrypted devices was unlawful.

In the complaint filed Tuesday in a Texas federal court, MD Anderson argues that HHS, as a federal agency, does not have the authority to impose the civil monetary penalty against the cancer center because MD Anderson, which is part of the University of Texas, is a “state agency.”

MD Anderson also argues that HHS exceeded its authority by imposing a civil monetary penalty “beyond the statutory caps” under HIPAA, and also exceeded its authority by imposing an “excessive” penalty in violation of the eighth amendment to the Constitution.

Read more on GovInfoSecurity.