HHS and American Hospital Association Alert Providers to Act Now on “Citrix Bleed” Vulnerability

The United States Department of Health & Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) issued a Sector Alert for a software vulnerability dubbed "Citrix Bleed" (tracked as CVE-2023-4966). The HC3 Alert points to a Citrix security advisory regarding a zero-day vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that leaks session tokens from unpatched, internet-facing appliances, letting an attacker hijack an authenticated session without credentials or multi-factor authentication. The HC3 Alert, issued on November 30, 2023, urges healthcare organizations to upgrade their devices to prevent damage to the health sector from cyber attacks, including ransomware.

Per the HC3 Alert, installing the Citrix patch alone is not enough: Citrix warns that sessions hijacked before the upgrade remain valid after it, because the fix stops new token leakage but does not invalidate sessions that already exist. Organizations should follow the Citrix guidance to upgrade devices and then terminate all active and persistent sessions with the commands listed in the Alert, treating any session that existed before the upgrade as potentially compromised.
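The two-step remediation above (confirm the appliance is on a fixed build, then kill every existing session) is easy to get half right. The following is an added example, not code from HC3, Citrix or the original post: it parses the output of the NetScaler `show ns version` command, compares the build against the minimum fixed builds published in Citrix's CVE-2023-4966 advisory (those build numbers, the session-termination commands, and the sample version strings are assumptions taken from that advisory and constructed here; verify them against the current advisory before relying on them), and returns the session-kill commands that must still be run after the upgrade.

```python
import re

# Minimum fixed builds for CVE-2023-4966 ("Citrix Bleed") per Citrix's advisory.
# Assumption: these are the mainline release branches; the separate FIPS/NDcPP
# branches have their own fixed builds and are NOT handled by this table.
FIXED_BUILDS = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
}
# NetScaler 12.1 is end-of-life and receives no fix: any 12.1 build is vulnerable.
EOL_RELEASES = {"12.1"}

# Session-termination commands Citrix published with the fix. They must run on
# every upgraded appliance, because sessions hijacked before the upgrade survive it.
POST_PATCH_COMMANDS = [
    "kill icaconnection -all",
    "kill rdp connection -all",
    "kill pcoipConnection -all",
    "kill aaa session -all",
    "clear lb persistentSessions",
]

# Matches the release and build fields of a 'show ns version' line such as
# "NetScaler NS13.1: Build 49.15.nc, Date: ..." (format assumed from the CLI).
_VERSION_RE = re.compile(
    r"NS(?P<release>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(show_version_output):
    """Return (release, (build_major, build_minor)) from 'show ns version' text."""
    m = _VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("unrecognised NetScaler version string")
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def is_vulnerable(show_version_output):
    """True if the appliance is below the fixed build for its release branch."""
    release, build = parse_version(show_version_output)
    if release in EOL_RELEASES:
        return True
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        # Unknown branch: refuse to guess rather than report a false 'fixed'.
        raise ValueError(f"release {release} not in table; check the advisory")
    return build < fixed  # tuple comparison: (48, 47) < (49, 15)


def remediation_steps(show_version_output):
    """Ordered actions for one appliance: upgrade first if needed, then kill sessions."""
    release, _ = parse_version(show_version_output)
    steps = []
    if is_vulnerable(show_version_output):
        target = "a supported release" if release in EOL_RELEASES else \
            f"{release}-{FIXED_BUILDS[release][0]}.{FIXED_BUILDS[release][1]} or later"
        steps.append(f"upgrade to {target}")
    # The kill commands apply even to an already-patched box, because nothing in
    # the upgrade itself revokes sessions stolen while the box was exposed.
    steps.extend(POST_PATCH_COMMANDS)
    return steps


if __name__ == "__main__":
    # Constructed sample output, not captured from a real appliance.
    sample = "NetScaler NS13.1: Build 48.47.nc, Date: Jun 13 2023, 12:34:56   (64-bit)"
    print("vulnerable:", is_vulnerable(sample))
    for step in remediation_steps(sample):
        print("  -", step)
```

Run it against each appliance's `show ns version` output; an appliance that reports "not vulnerable" still gets the five kill commands, which is the point the HC3 Alert makes.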

On December 1, 2023, the American Hospital Association (AHA) similarly alerted its members about Citrix Bleed, issuing its own alert titled "Urgent: Hospital Action Needed to Protect Against 'Citrix Bleed' Threat." AHA also published the following article the same day: "HHS-HC3 calls for immediate hospital action to protect against 'Citrix Bleed' vulnerability and ransomware threat."

In its weekly Medicare MLN Connects newsletter on December 7, 2023, the Centers for Medicare and Medicaid Services (CMS) asked providers to make sure their IT departments read the information and take the necessary action. Providers also should share the HC3 Alert with their network clearinghouses and vendors.

Relatedly, on December 6, 2023, CNN reported that HHS shared exclusively with CNN a plan focused on getting more money and training to small and rural health care providers that lack dedicated cybersecurity staff. CNN reported that Biden administration officials "have long been concerned that software providers continue to sell insecure products that hackers are too easily able to exploit." Click here to read the full CNN article, titled "US health officials call for surge in funding and support for hospitals in wake of cyberattacks that diverted ambulances," by Sean Lyngaas.

Looking for assistance with your organization's data security policies? We work with clients and their IT teams in the preparation and updating of information security policies and procedures to comply with the HIPAA Security Rule, FTC Safeguards Rule, and more. Such policies are essential in today's cyber threat environment to meet the expectations of regulatory enforcement agencies such as the HHS Office for Civil Rights and the FTC. Information security policies also aid organizations in meeting other legal requirements and expectations, e.g., contractual, cyber insurance underwriting, consumer, and other third-party obligations. If you are looking for assistance in this area, and to learn more about Wyatt's data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526

Apache Log4j Vulnerability in Java Applications May Pose Risk to Confidential Company and Personal Information

By: Kathie McDonald-McClure

On December 11, 2021, the United States Cybersecurity & Infrastructure Security Agency (CISA) issued a Statement regarding what it called a "critical vulnerability affecting products containing the log4j software library" (CVE-2021-44228, widely known as Log4Shell). The Statement emphasizes that end users are reliant on their vendors to inform them about the vulnerability and to develop patches to protect against it. Separately, CISA established a webpage for Apache Log4j Vulnerability Guidance that CISA is continually updating with further guidance and vendor information as they become available. End users should be on the lookout for critical patches from their vendors.

According to the CISA Guidance, the Log4j vulnerability is being widely exploited by a growing set of malicious actors to steal information, launch ransomware attacks, or conduct other malicious activity such as taking over a company server to mine cryptocurrency.  At least 10 major technology vendors have issued statements that one or more of their products have been affected by the Log4j vulnerability: Cisco, IBM, VMware, Amazon Web Services (AWS), Fortinet, Broadcom, ConnectWise, HCL Connections, N-Able, and Okta.[1] On December 15, 2021, the Microsoft 365 Defender Threat Intelligence Team reported that a new family of ransomware, called Khonsari, is being deployed via the Log4j vulnerability on non-Microsoft hosted servers.


KRONOS Payroll Ransomware Attack Implicates Potential Data Breach Notification Obligations

By: Kathie McDonald-McClure

UKG, Inc., a company that provides payroll support services known as KRONOS for many U.S. companies, began notifying its customers on December 12, 2021, that the KRONOS Private Cloud (KPC) had been attacked by ransomware.  (See UKG Kronos Private Cloud Status Updates.) The KPC products include Workforce Central, TeleStaff, Healthcare Extensions and Banking Scheduling Solutions. UKG reports that the KPC solutions may be unavailable for “several weeks.”  Affected companies are diligently working to find alternative solutions to process their payrolls in the interim. UKG has created a KPC Incident Resource Hub to assist customers impacted by the KPC disruption in services.

The American Hospital Association (AHA) reported that the ransomware attack has impacted many hospitals and health systems that rely on KRONOS for timekeeping, scheduling and payroll.  John Riggi, AHA’s Senior Advisor for Cybersecurity and Risk, said, “A lack of the availability of those services could be quite disruptive for health care providers, many of whom are experiencing surges of COVID-19 and flu patients. … This attack once again highlights the need for robust third-party risk management programs that identify mission-critical dependencies and downtime preparedness. … [W]e urge all third-party providers that serve the health care community to examine their cyber readiness, response and resiliency capabilities.” 

In addition to the immediate payroll issues, if the ransomware attack compromises employee personal information, then it may trigger a data breach notification for these employers under state breach notification laws. 


Senators Propose U.S. Cybersecurity Incident Notification Law

This post was originally published on July 21, 2021. See important “Update” below.

UPDATE: On March 15, 2022, President Biden signed H.R. 2471, the Consolidated Appropriations Act of 2022, which includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA, which appears as Division Y in H.R. 2471, carries several elements of the initial Senate bill that was the subject of this article, with some variations. Its reporting obligations do not take effect until CISA completes rulemaking: CISA has 24 months to publish a proposed rule and a further 18 months after that to issue the final rule.

——————————————————

In light of the escalation in ransomware and other cyber threats, a bi-partisan group of U.S. Senators has released a cybersecurity notification bill titled “Cyber Incident Notification Act of 2021.” Under the proposed bill, a “covered entity” would be required to report a “cybersecurity intrusion” or “potential cybersecurity intrusion” to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of confirmation of the intrusion.  Covered entities also would be required to submit updated cybersecurity threat information to CISA within 72 hours after the discovery of new information. The requirement for updates would continue until the incident is mitigated or any follow-up investigation is completed.

Although the term “cybersecurity intrusion” would be defined in future rulemaking with public comment, the bill provides, at a minimum, that the term include ransomware if it falls into one of six broad categories. The categories include ransomware involving a nation-state, an advanced persistent threat cyber actor, or a transnational organized crime group. The categories also include ransomware that results in or has the potential to result in harm to national security interests, the U.S. economy, or to public confidence, civil liberties, or public health and safety. In essence, it would encompass most types of ransomware.

The term "covered entity" also is to be defined by future rulemaking but, per the bill, "shall include, at a minimum, Federal contractors, owners or operators of critical infrastructure, as determined appropriate by the Director based on assessment of risks posed by compromise of critical infrastructure operation, and nongovernmental entities that provide cybersecurity incident response services." CISA's list of critical infrastructure sectors includes Information Technology, Communications, Healthcare and Public Health, Emergency Services, Financial Services, Energy, Food and Agriculture, Commercial Facilities, and Critical Manufacturing, among others. For a full list of CISA's current critical infrastructure sectors and a detailed description of each, click here.

To incentivize compliance, the law would allow the CISA Director to assess a civil penalty up to 0.5 percent of the entity’s gross revenue from the prior year for each day it violates the requirements under the law or under rules promulgated under the law. The Director would be allowed to “take into account mitigating or aggravating factors, including the nature, circumstances, extent, and gravity of the violations and, with respect to the covered entity, the covered entity’s ability to pay, degree of culpability, and history of prior violations.”

Click here to read the full Senate Bill.

New Treasury Department Ransomware Advisories Warn that Ransom Payment May be Sanctionable

by Margaret Young Levi and Kathie McDonald-McClure

Cyber attacks using ransomware have been on the rise during the COVID-19 pandemic.  Ransomware, whether it encrypts computer files or locks an entire hard drive, can block access to an organization’s essential operating data, unless the organization can obtain a decryption key. In many if not most cases, a decryption key is only available by paying a ransom to the cybercriminal.

On October 1, 2020, the U.S. Department of the Treasury Office of Terrorism and Financial Intelligence announced the issuance of two advisories aimed at fighting ransomware scams and attacks.  In making the announcement, Deputy Secretary Justin G. Muzinich said:

Cybercriminals have deployed ransomware attacks against our schools, hospitals, and businesses of all sizes. Treasury will continue to use its powerful tools to counter these malicious cyber actors and their facilitators.

The advisories also warned that those who facilitate ransomware payments may be sanctioned for violating Treasury law and regulations. However, Treasury’s efforts to crack down on ransomware in this way places its victims in the crossfire.  Ransomware victims may feel they have no choice but to pay the ransom if this is the only way to regain access to essential data, which is often the case when the most recent data back-up is also attacked and a decryption key is not available by other means.  Moreover, paying the ransom may be a matter of public safety.  For example, ransomware that locks healthcare providers out of patient electronic medical records, attacks computers that support life-saving medical devices, or that shuts down computers connected to automobiles and other consumer devices, could pose a risk of injury or even death.

Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advisory, entitled “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” (Treasury Advisory). The Treasury Advisory is intended to educate financial institutions and others involved in cyber incident response measures about ransomware trends and indicators of ransomware as well as related money laundering activities.  More specifically, the Treasury Advisory addresses the following areas of concern:
