Massive Cyber Attack Hits U.S. Government and Private Sector
The Russian government is believed to be behind the recent hack of SolarWinds software used by U.S. government networks, including the Treasury, Commerce, Defense and State Departments, the Department of Homeland Security and the National Institutes of Health.
SolarWinds also sold its software to private companies, including healthcare organizations. There are hundreds of thousands of organizations around the world, including most Fortune 500 companies and multiple U.S. federal agencies, which use the SolarWinds software, but the total number of victims of this attack is not yet known. As of Monday, December 14, SolarWinds said fewer than 18,000 customers had been hit.
Ironically, the SolarWinds product is itself network monitoring software originally intended to enhance security. The attack was uncovered by an IT security consulting firm, FireEye, which itself used the SolarWinds platform.
SolarWinds Security Advisory is here.
Cyber Attack Strategy is Ongoing
The hackers broke into the SolarWinds network in order to use its software channel to push out malicious updates to 18,000 of its Orion platform customers. This scenario, referred to as a supply-chain attack, is difficult to detect because the malicious code arrives in what looks like a legitimate software update.
SolarWinds, based in Austin, Texas, put out a statement saying it was aware that its systems were experiencing a “highly sophisticated, manual supply chain attack” on versions of its Orion platform software released between March and June of 2020. SolarWinds has also said that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.
Microsoft has said that it has not identified any Microsoft product or cloud service vulnerabilities in its investigation thus far.
The FBI is investigating the attack, which may have begun as early as Spring 2020. In addition to the federal government agencies, the victims have included healthcare, consulting, technology, telecom, and oil and gas companies around the world.
FireEye, the security firm that first uncovered the SolarWinds hack, stresses that the attacks are ongoing and that, while many organizations have taken steps to stop or slow the attack, it may still be doing damage or may not yet have been detected.
Healthcare Organizations Warned to be on Alert
The Office for Civil Rights (OCR) has warned that healthcare organizations should review a Department of Homeland Security alert warning of the SolarWinds global supply-chain cyberattacks.
Nation-state actors have been actively targeting the healthcare sector for years, but during the pandemic, activity has ramped up. One of the targets has been vaccine research. In early December, North Korean hackers targeted AstraZeneca with a phishing attack, while nation-state actors gained access to data on Pfizer’s COVID vaccine and from BioNTech after hacking the European Medicines Agency.
Healthcare organizations should review guidance from OCR, and from the Healthcare and Public Health Sector Coordinating Council and the Health Information Sharing and Analysis Center, on tactical crisis response during an emergency like the COVID-19 crisis. Two sources include the Health Industry Cybersecurity Tactical Crisis Response Guide and Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.
HIPAA Risk Analysis – Risk Management Limits the Damage and Saves Money
The blueprint for cyber security defense is a fully compliant HIPAA Risk Analysis done at least once a year, with active, conscious, committed Risk Management all year long. Make sure to complete the Security Rule Checklist in The HIPAA E-Tool® and go beyond the framework provided by the National Institute of Standards and Technology (NIST). The NIST framework is good, but it is not complete for HIPAA compliance.
Once the HIPAA Risk Analysis is complete and a Risk Management program is in place, response and recovery are much easier, quicker and less costly, even if a sophisticated hack gets through.