Thought leadership. threat analysis, news and alerts.
Healthcare Sector Breach Reports Rise After Mandatory Reporting Implementation
The Office of the Information and Privacy Commissioner of Alberta recently released an annual report, covering the period of April 1, 2018 to March 31, 2019, showing a 407% increase in healthcare sector data breaches. The spike of healthcare sector data breach reports was similarly seen in Ontario.
The period covered by the annual report includes only seven months of mandatory breach reporting in the healthcare sector in Alberta. Alberta’s Health Information Act took effect on August 31, 2018, mandating the more than 54,900 health information custodians in the province, including Alberta Health, Alberta Health Services, Covenant Health, nursing homes, physicians, registered nurses, pharmacists, optometrists, opticians, chiropractors, podiatrists, midwives, dentists, denturists and dental hygienists to notify an individual affected by a privacy breach as well as notify the Information and Privacy Commissioner of Alberta and the Minister of Health.
The Alberta law also provides penalty provisions in case the health information custodian fails to report a breach or fails to take reasonable steps in maintaining safeguards to protect health information.
The Office of the Information and Privacy Commissioner of Alberta reported that a total of 674 breaches were reported under Alberta’s Health Information Act during the period of April 1, 2018 to March 31, 2019, representing a 407% increase compared to the reported average of 130 healthcare sector data breaches for the last few years.
In the report written by Jill Clayton, Information and Privacy Commissioner of Alberta, many of the healthcare sector data breaches are relatively easy to address, requiring only the health information custodians to notify the affected individuals and to take preventive steps to prevent similar events from re-occurring in the future. A significant number of these cases, Clayton said, are much more serious, involving law violation and affecting hundreds to thousands of Albertans. A significant number of these cases, Clayton said, often becomes offense investigations and can result in significant court-imposed fines for offending parties.
The Information and Privacy Commissioner of Alberta said that active offense investigations have risen from 5-6 at any one time to over 20 as of September 30, 2019, with nearly 70 healthcare sector data breaches flagged as potential offenses. Since Alberta’s Health Information Act took effect on August 31, 2018, the Commissioner said there have been 10 convictions for knowingly accessing health information under the said Alberta law.
The Commissioner also reported that since the Health Information Act took effect, more snooping breaches – unauthorized access to health information by authorized users of health information systems – have been reported. “Cyberattacks were also reported more frequently, which is a concern that will need to be monitored,” the Information and Privacy Commissioner of Alberta said.
Healthcare Sector Data Breach Reports in Ontario
The spike of healthcare sector data breach reports was similarly seen in Ontario. In late 2017 Ontario’s Personal Health Information Protection Act took effect, requiring health information custodians, including hospitals, pharmacies, doctors’ offices, and dental clinics to report health privacy breaches to the Information and Privacy Commissioner of Ontario.
In the period covering the first full year of the mandatory healthcare sector breach reporting, from January 1 to December 31, 2018, the Information and Privacy Commissioner of Ontario reported that self-reported breaches in the healthcare sector rose from 322 in 2017 to 506 in 2018. Out of the 506 breaches reported, 120 were snooping incidents, 15 were ransomware and other cyberattacks, while the remaining 371 were due to lost, stolen or misdirected health information, records not properly secured and other collection, use and disclosure issues.
According to the Information and Privacy Commissioner of Ontario, the rise in snooping incidents wasn’t indicative of the rise of snooping incidents, but rather health information custodians have better methods of detection, such as the use of using data analytics to monitor and audit health information systems for unauthorized access and other types of health privacy breaches. The Information and Privacy Commissioner of Ontario also noted that the rise of self-reported breaches in the healthcare sector rose as health information custodians are now required to report breaches, unlike in previous years where it was only recommended to do so.
Cyber Attacks: A Growing Concern in Health Care
In the 2018 Annual Report for the Information and Privacy Commissioner of Ontario to the Legislative Assembly of Ontario, Commissioner Brian Beamish said that in 2018, Ontario’s health care sector was a prime target of ransomware and other cyber-attacks, with victims ranging from local health integration networks to long-term care facilities.
In June 2018, CarePartners, a home care service provider to Ontario's Local Health Integration Networks (LHINs) and an Ontario-based community health care agency, reported a data breach to the Information and Privacy Commissioner of Ontario. “The cyber-attack breached CarePartners' computer system and as a result patient and employee information held in that system, including personal health and financial information, has been inappropriately accessed by the perpetrators,” CarePartners said in a statement. The health care agency, however, didn’t specify the extent of the data breach in the public statement.
Commissioner Beamish said that cyber-attacks, in particular ransomware attacks, underscored the importance of the following:
In the area of snooping or unauthorized access to health information by authorized users of health information systems, Commissioner Beamish said artificial intelligence can be used to curb unauthorized access. "When deployed properly, technology that identifies anomalous behaviour is a valuable tool for health information custodians, to not only detect and deter unauthorized snooping but to immediately identify and respond to cybersecurity threats,” Commissioner Beamish said.
Healthcare organizations are a prime target for cybercriminals. Let us help you protect patient information and mitigate IT security related risks.
Contact us today to get started.
Recent DDoS Attacks Leverage TCP Amplification
A recent report from Radware showed that attackers over the past month have been leveraging TCP amplification in launching distributed denial-of-service (DDoS) attacks.
What Is TCP Amplification?
TCP amplification is one of the lesser-known ways attackers perform DDoS attacks. In a DDoS attack, multiple computers are operating together to attack a particular target, for instance, a website.
TCP is a set of rules that’s applied whenever computers connected to the internet try to communicate with one another, enabling them to transmit and receive data. With TCP, connection is only established with a three-way-handshake, also known as SYN, SYN-ACK, and ACK. During the three-way-handshake, the IP addresses of both communication parties are veriﬁed via random sequence numbers.
1. SYN (Synchronize)
This first handshake happens when computer X, for instance, sends a message containing a random sequence number to another computer, let’s call this computer Z.
2. SYN-ACK (Synchronize-Acknowledge)
This second handshake happens when computer Z responds via an acknowledgment number and a random sequence number.
3. ACK (Acknowledge)
This third handshake happens when computer X completes the connection setup by sending a ﬁnal acknowledgment to computer Z via a sequence number and acknowledgment number.
Ampliﬁcation DDoS attack, meanwhile, refers to an attack in which an attacker doesn’t directly send trafﬁc to the ultimate target but rather sends spoofed network packets to a large number of devices, also known as reflectors or ampliﬁers. Attackers often use ampliﬁers that send back responses that are significantly larger than the requests, resulting in an increased or ampliﬁed attack volume. TCP was initially thought to be immune from amplification attacks due to its three-way-handshake.
TCP’s vulnerability to amplification attacks was reported back in 2014. In the paper “Exit from Hell? Reducing the Impact of Ampliﬁcation DDoS Attacks”, researchers at Ruhr-University Bochum demonstrated that even with the three-way-handshake TCP is still vulnerable to ampliﬁcation DDoS attacks. According to the researchers, TCP is vulnerable to ampliﬁcation DDoS attacks as SYN/ACK segments are resent until connection is successfully established, connection times out, or connection is manually closed.
Resending of SYN/ACK segments, the researchers said, overloads the capacity of the victim’s network. “In face of ampliﬁcation attacks, this is problematic, as the client’s IP address is not validated until the handshake is complete,” the researchers said.
In this 2014 study, the researchers showed that hundreds of thousands of devices, mostly business and consumer routing devices, were vulnerable to be abused for ampliﬁcation DDoS attacks as these devices repeatedly sent up to 20 SYN/ACK packets in response.
In the follow-up paper "Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks", researchers at Ruhr-University Bochum identified thousands of TCP-based protocols that allow amplification of factor 50 times and higher. In this follow-up paper, the researchers also identified more than 4.8 million devices vulnerable to an average ampliﬁcation factor of 112 times. They also identiﬁed thousands of devices that can be abused for ampliﬁcation up to a factor of almost 80,000 times, reﬂecting more than 5,000 packets within 60 seconds and causing a serious impact on a victim’s network.
From the viewpoint of the attackers, the researchers said, abusing TCP brings multiple beneﬁts as there are millions of potential TCP ampliﬁers out there and ﬁxing them is an “infeasible operation”. According to the researchers, the root cause of the ampliﬁcation DDoS attacks is IP address spooﬁng which "enables attackers to specify arbitrary targets that are ﬂooded with reﬂected trafﬁc”.
TCP Amplification Attacks + Carpet Bombing
Radware reported that last month, European sports gambling website Eurobet experienced TCP amplification attacks that lasted for nearly 30 days. Radware also reported that last month, Turkish financial services company Garanti experienced TCP amplification attacks.
In the case of TCP amplification attacks on Garanti, Radware said, "In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of AS12903 (Garanti Bilisim Teknolojisi ve Ticaret TR.A.S.) were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”
According to Radware, TCP amplification attacks are combined with a technique called “carpet bombing”. Carpet bombing attack is a type of DDoS attack where instead of focusing the attack on a single IP, random IP addresses of the victim’s network are attacked. Radware reported that over the last few months, carpet bombing has been used in a number of attacks against South African internet service providers (ISPs).
Impacts, Preventive and Mitigating Measures
By leveraging carpet bombing technique, attackers increase the attack surface; and by leveraging TCP amplification, attackers increase the hit rate onto the victim’s services. For now, however, carpet bombing has been predominantly used against ISPs.
While the recent TCP amplification attacks targeted large organizations, the victims of these attacks also include small organizations and homeowners who owned devices used for the TCP amplification attacks. As the main targets of TCP amplification attacks were overwhelmed by traffic and suffered outages as a consequence, the devices used in the TCP amplification attacks – those that processed the spoofed requests and legitimate replies from the main target of the DDoS – also experienced spikes in traffic, resulting in outages.
IP blacklisting is one of the options in preventing DDoS attacks. In the case of TCP amplification attacks that rely on IP address spooﬁng, IP blacklisting has some pros and cons.
One of the disadvantages of IP blacklisting in TCP amplification attacks is that legitimate users could be affected by this blacklisting as malicious actors could mimic their IP address.
Speak with our expert team today and prevent and mitigate denial of service attacks with iron-clad guarantees. No equipment to purchase, install or maintain.
Schedule a consultation today and protect your organization.
Data Breach Reports Skyrocket After Implementation of Canada’s Privacy Law
The recent report from the Office of the Privacy Commissioner of Canada showed that data breach reports in Canada skyrocketed after the implementation of the mandatory data breach reporting required under the country’s privacy law.
Mandatory Data Breach Reporting
On November 1, 2018, organizations across Canada became subject to the mandatory data breach reporting under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Prior to the mandatory data breach reporting, data breach reporting was done on a voluntary basis.
Organizations subject to PIPEDA are required to report to the Office of the Privacy Commissioner of Canada any data breaches that pose a real risk of significant harm to an individual or individuals. The law also requires that the affected individual or individuals should be notified and records of all data breaches should be kept within the organization.
The Numbers After One Year of Implementation
Last November 1st, one year after the implementation of the mandatory data breach reporting, the Office of the Privacy Commissioner of Canada reported that breach reporting “skyrocket”, increasing six times the volume that the office had received during the same period one year earlier. According to the Office of the Privacy Commissioner of Canada, from November 1, 2018 to October 31, 2019, a total of 680 breaches were reported to the office, affecting over 28 million Canadians.
The Office of the Privacy Commissioner of Canada said that while some of those reports involved well-known corporate names, a significant volume came from small and medium-sized businesses.
Fifty-eight percent or 397 of the reported breaches, which made up the majority of reported breaches, involved unauthorized access, the Office of the Privacy Commissioner of Canada said. Key factors behind breaches resulting from unauthorized access were social engineering hacks and malicious insiders.
According to the Office of the Privacy Commissioner of Canada, more than one in five or 147 data breaches reported over the past year involved accidental disclosure, which includes sending critical information to the wrong person as a result of incorrect email or postal address or accidental exposure.
The Office said roughly one in four of the reported breaches involved social engineering attacks such as phishing and impersonation. In phishing attacks, attackers send malicious emails containing malicious links or attachments. Once this malicious link or attachment is clicked, it installs malicious software (malware) on the email receiver’s computer.
In impersonation, the tactic used in business email compromise (BEC) scams, fraudsters convince employees at an organization that they are someone. In a BEC scam, a fraudster impersonates via a spoofed email, for instance, a CEO and convinces an employee of an organization to release a certain amount to a bank account controlled by the fraudster.
According to the Office of the Privacy Commissioner of Canada, it observed a growing impersonation scam in the telecommunications industry. In the tactic known as SIM swap, an impersonator convinces a customer service representative of a telecommunication company into believing that he or she is an account holder. Successfully convincing a customer service representative, enables the impersonator to make changes to the account, including the change of a phone number to be assigned to a new SIM card controlled by the impersonator, allowing the impersonator to access other accounts.
In related information, the U.S. Federal Bureau of Investigation (FBI) recently issued an alert to its partner organizations warning them about SIM swap. According to the FBI, between 2018 and 2019, SIM swap is the most common tactic used by malicious actors in bypassing the two-factor authentication (2FA), which resulted in draining the bank accounts of the victims and passwords and PINs changed.
Notable Reported Breaches
The reported breaches at the financial cooperative Desjardins and financial holding company Capital One are two of the notable breaches over the past year as these two breaches affected millions of Canadians. The Desjardins data breach, which was initially announced in June 2019, affected 4.2 million Canadians; while the Capital One data breach, which was initially announced in July 2019, affected 6 million Canadians.
Desjardins attributed the data breach to one suspect, a former employee; while Capital One attributed the data breach to a “specific configuration vulnerability” in its public cloud infrastructure – a vulnerability that was exploited by one suspect, a former employee of the public cloud infrastructure, the Amazon Web Services (AWS).
Amazon, for its part, said in a statement, “AWS was not compromised in any way and functioned as designed.” The company added that the Capital One data breach, which also affected 100 million individuals in the United States, wasn’t a result of a vulnerability in the cloud server itself, but by a misconfiguration of firewall settings on a web application, managed on the cloud server by Capital One.
Preventive and Mitigating Measures Against Data Breaches
The Office of the Privacy Commissioner of Canada offers the following cyber security measures in order to prevent or mitigate the effects of a data breach:
Steve E. Driz, I.S.P., ITCP