HC3 TLP White: Monthly Cybersecurity Vulnerability Bulletin - June 11, 2021

Executive Summary

In May 2021, vulnerabilities in common information systems relevant to the healthcare sector were disclosed to the public and warrant attention. These include the Patch Tuesday vulnerabilities – released by several vendors on the second Tuesday of each month – as well as ad-hoc vulnerability announcements, including mitigation steps and/or patches as they are developed. Vulnerabilities this month are from Microsoft, Adobe, Intel, SAP, Cisco and Apple. Any healthcare organization should carefully consider these vulnerabilities for patching, weighing each vulnerability's criticality category against the organization's risk management posture.

News of Interest to the Health Sector

  • MITRE updated its ATT&CK framework, used for analyzing and characterizing cyber threats, to version 9.
  • Emsisoft recently released a report titled The Cost of Ransomware in 2021 – a Country-by-country Analysis. For the year 2020, their data shows the average ransom demand grew by more than 80%. For aggregate ransom costs, the data sample they have access to shows that a minimum of $18.6 billion was paid globally last year; however, the real total is estimated to be around $75B globally. Reports all state that US victims paid a minimum of ~$1B, but estimate the total may be as much as $3.7B. That cost increases significantly when factoring in downtime costs, which may provide a little more insight as to why organizations pay ransom. Including downtime costs, US victims paid a minimum of about $5B and are estimated to have paid as much as $20B.
  • Sophos released their State of Ransomware in Healthcare 2021 report. They surveyed decision makers in healthcare organizations across 30 countries and found that one third (about 34%) of all healthcare organizations were successfully attacked by ransomware over the last year. It was also found that healthcare was a bit less able to prevent ransomware attacks: 54% of all ransomware attacks across industries resulted in encrypted data, and that number was 65% when limited to healthcare organizations. They also found healthcare organizations were a bit more likely to pay ransom – 34% of healthcare organizations attacked by ransomware paid up, while the average across industries was 32%. However, healthcare organizations were less likely to use backups to restore data; only 44% reported doing so, compared to the 57% average across industries. The average cost of a ransom for healthcare organizations according to their data was lower compared to other industries – about $130K for healthcare and about $170K for all survey respondents. Finally, average ransomware recovery costs were much lower for healthcare as compared to other industries: healthcare averaged $1.2 million in recovery costs while the rest of the industry averaged $1.85 million, with education coming in first at $2.73 million on average. Sophos provided two possible reasons for this. First, many healthcare organizations don’t have the IT budgets that other sectors do. Also, in many parts of the world, healthcare is a public service and therefore there are fewer reputational costs. In a competitive market, if people lose faith in one health provider, they can choose to use another. When healthcare is strictly a public service, providers tend to be less concerned with their brand and with losing patients to competitors.
  • The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency released a best practices guide specifically for Darkside ransomware. HC3 recommends this guide for several reasons. First, as ransomware operators, Darkside remains a general threat to healthcare, regardless of their targeting history. Second, this guide presents not just strong advice for Darkside; much of it applies across ransomware families and even represents good general cyber hygiene practice. Third, this guide contains several references which will be helpful for any healthcare organization attempting to remain as secure as possible in cyberspace. View the entire nine-page bulletin below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272