More Healthcare Sector Malware and Ransomware Threats and New Guidance about FERPA and Student Health Records

Ransomware actors continually attack the U.S. healthcare industry, and cybercriminals are increasingly using malware to steal data and maintain persistent access to healthcare networks. Attackers are also using legitimate penetration testing tools to hide their malicious activity among genuine use of those tools.

These are a few of the findings of BlackBerry's latest Global Threat Intelligence Report, which is based on threats detected by its Cylance Endpoint Security solution during the 90 days from December 2022 to February 2023. In that period, BlackBerry observed around 12 cyberattacks each minute and a large increase in unique attacks using new malware samples: these rose by 50%, from 1 per minute to 1.5 per minute in the latest reporting period.

The United States is still the most attacked country, although the distribution has shifted: Brazil is now the second most attacked country, followed by Canada. The same industries remain the preferred targets, with 60% of all malware attacks aimed at the healthcare, financial services, and food/staples industries. The most frequently used malware types were downloaders, ransomware, droppers, and remote access tools (RATs).

BlackBerry noticed a rise in cyberattacks on the healthcare sector using the BlackCat ransomware, the RedLine initial access tool and information stealer, the Agent Tesla RAT, and the Emotet downloader. In the last 90 days, BlackBerry found and stopped 5,246 unique malware samples used in attacks on its healthcare clients, an average of 59 new, unique malware samples blocked daily. In total, BlackBerry stopped 93,000 attacks on its healthcare clients.

The major malware threat confronting the healthcare sector was Emotet. Although Emotet began as a banking Trojan, today it is used mainly as botnet-driven malware that drops a variety of malicious payloads for other threat groups. Emotet can self-propagate and move laterally, and it is used to deliver ransomware and other malware payloads. The RedLine information stealer was likewise a major threat to the healthcare industry.

Ransomware groups still present a serious threat, with Royal and BlackCat both heavily targeting the healthcare industry. BlackCat is believed to include former affiliates of the BlackMatter and DarkSide ransomware operations. It emerged in November 2021, and there are indications that it is expanding its attacks. Royal is a fairly new ransomware gang that first appeared in September 2022. The group is believed to consist of highly competent and experienced individuals, including members of the now-defunct Conti ransomware operation.

Initial access brokers are targeting the healthcare sector by breaching healthcare networks and then selling that network access to ransomware groups. Access is usually obtained through credential theft. BlackBerry also observed extensive use of the penetration testing tools Brute Ratel and Cobalt Strike by both cybercriminals and nation-state actors.

According to BlackBerry, ransomware affiliates are expected to keep targeting hospitals and medical companies well into the future, particularly in countries that support or provide financing to Ukraine. BlackCat, LockBit 3.0, and Royal are expected to remain threats to the healthcare industry. Healthcare, together with other critical infrastructure industries, will probably be attacked by both financially and politically motivated actors in the coming months. BlackBerry additionally cautions that AI may increasingly be used for attack automation and for deepfake attacks, which have gained substantial traction recently.

DoE Publishes New Guidance about FERPA and Student Health Records

The U.S. Department of Education has released new guidance for schools and postsecondary educational institutions on their responsibilities under the Family Educational Rights and Privacy Act (FERPA) to protect student privacy, with a focus on securing the privacy of student health records. Guidance was also released for parents, legal guardians, and students over 18 years old about their rights under FERPA (Know Your Rights) regarding student medical records.

FERPA was passed to protect the privacy of student records and to give parents rights over their children's education records. FERPA applies to educational agencies such as school districts, educational institutions (such as public elementary and secondary schools), and postsecondary educational institutions (such as universities or colleges) that receive funding under any program administered by the U.S. Department of Education.

The guidance for FERPA-regulated educational institutions informs parents and eligible students of their right to control the sharing of personally identifiable information in student education records, and restates FERPA's prohibition on disclosing education records unless a parent or eligible student gives written consent or the disclosure falls under an exception to FERPA's general consent requirements.

The Department of Education has told FERPA-regulated educational institutions that FERPA's definition of education records includes the medical records of eligible students that are maintained by FERPA-regulated educational institutions or their agents, unless the medical records qualify as treatment records. Health records are regarded as treatment records when they relate to an eligible student (over 18 years old at a postsecondary educational institution) and are "made or taken care of by a doctor, psychologist, psychiatrist, or other acknowledged professional or paraprofessional working in his or her professional or paraprofessional ability or helping in that capacity; made, kept, or utilized only in association with giving treatment to the qualified student; and shared only to the individuals giving such treatment, other than that the qualified student might have those data evaluated by a doctor or other proper professional chosen by the student."

If an eligible student's treatment records are disclosed for any reason other than those described above (providing the eligible student with treatment, or personal review by a doctor or suitable professional chosen by the eligible student), the records are categorized as education records and are consequently protected by FERPA; they are not categorized as protected health information (PHI) covered by the HIPAA Rules.

The guidance emphasizes that eligible students' health-related records that are made, kept, or used for non-treatment purposes are categorized as education records, for instance when they are used in health forms and questionnaires to determine eligibility to take part in school-sponsored athletics. Treatment records are likewise categorized as education records, and are consequently governed by FERPA's limitations on disclosures, when they are used for the treatment of students under 18 years old attending an elementary or secondary school.

The guidance affirms that disclosure of student education records (which include some medical records) is only permitted under FERPA with the prior written consent of an eligible student or the parent/legal guardian of a non-eligible student, or when one of the permissive exceptions to the general consent requirement applies. When an exception applies, FERPA allows, but does not require, the disclosure. When a decision is made to share student data, the disclosure must be limited to the minimum amount of data required to satisfy the intended purpose of the disclosure.

The guidance additionally makes clear when medical records are protected by FERPA or by HIPAA. FERPA applies to student medical records maintained by campus health clinics and other health care services operated by such institutions, since they qualify as education records or treatment records under FERPA and are therefore excluded from coverage by the HIPAA Privacy Rule. When a postsecondary educational institution is a HIPAA-regulated entity that provides healthcare to nonstudents, the nonstudent information is PHI covered by the HIPAA Privacy Rule, while the student medical records are education or treatment records covered by FERPA.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone