The Digital Health Security Project and Accelerated Ransomware Attacks

Digital Health Security Initiative Introduced by the HHS

The U.S. Department of Health and Human Services’ Advanced Research Projects Agency for Health (ARPA-H) has announced the launch of the Digital Health Security (DIGIHEALS) project, which aims to strengthen the electronic infrastructure of the U.S. healthcare sector. ARPA-H is a funding agency established in 2022 to support biomedical and health research, particularly research with the potential to advance areas of medicine and health that cannot be reached through more conventional research and commercial activity.

In the last couple of years, cybercriminals have been attacking the healthcare industry with ransomware to cut off access to critical systems and data. In many attacks, hospitals have been forced to divert ambulances, cancel appointments, and postpone care. Many attacks have caused disruption lasting months, and several have led to the permanent closure of medical facilities.

ARPA-H Director Dr. Renee Wegrzyn stated that the DIGIHEALS project comes at a time when the U.S. healthcare system urgently needs rigorous cybersecurity capabilities to protect patient privacy, safety, and lives. Currently, off-the-shelf software fails to identify emerging cyber threats and to protect healthcare facilities, leaving a technical gap that needs to be closed.

The project aims to reduce the ability of malicious actors to attack digital systems and to prevent large-scale cyberattacks. It will concentrate on advanced security standards, vulnerability detection, and automatic patching to address cybersecurity issues and software-related flaws.

By developing and improving security, functionality, and software assurance technologies, this digital health security effort will help address weaknesses in health systems. The project will also help identify the technical limitations of future technology deployments and drive the creation of new digital security technology to better protect health networks and patient data.

Through a Broad Agency Announcement (BAA), the DIGIHEALS project is seeking proposals for proven technologies developed for national security and will apply them to civilian health networks, clinical care services, and personal health systems, so that in the event of a widespread cyberattack, patients can still obtain the care they need. Proposals must be submitted through the Scaling Health Applications Research for Everyone (SHARE) BAA. ARPA-H expects to make several awards.

Ransomware Groups are Speeding Up Their Attacks and Keeping Dwell Time to Only 5 Days

Ransomware groups have accelerated their attacks and are spending less time inside victims’ systems before initiating file encryption, according to Sophos’ 2023 Active Adversary Report. The report covers the first half of 2023 and is based on data collected and analyzed by the Sophos X-Ops team.

The median dwell time for ransomware groups was 5 days in the first six months of 2023, which is close to the practical minimum for attackers. The researchers do not expect the median dwell time to fall below 5 days because of the time it typically takes attackers to achieve their goals. Attackers typically take 16 hours from initial access to reach Microsoft Active Directory and elevate privileges, which gives them access to internal systems. Most ransomware groups do not rely on encryption alone and also exfiltrate data to pressure victims into paying the ransom. Backups often exist, so data can frequently be recovered without paying; when there is a risk of data exposure, however, ransoms are usually paid. Ransomware gangs typically take about 2 days to exfiltrate data.

The decrease in dwell time is logical. The longer attackers remain in a network, the greater the chance they will be discovered, particularly as detection systems become better at uncovering intrusions and malicious activity. One way ransomware groups have sped up their attacks is by adopting intermittent encryption, which encrypts only parts of each file. Encryption is much faster, so defenders have less time to identify and stop an attack in progress, yet the partial encryption is still enough to block access to the files.

Ransomware groups also time their activity to reduce the chance of discovery. In 81% of the attacks reviewed by the researchers, encryption was launched outside regular business hours, for example on a weekend or during holiday breaks when staffing levels are at their lowest. 43% of detected ransomware attacks took place on a Friday or Saturday. While the dwell time for ransomware groups has fallen, there was a slight rise in the dwell time for non-ransomware incidents, which grew from about 11 days to 13 days in the first six months of 2023.

In many cyberattacks, hackers exploit a vulnerability that allows them to use a remote service for initial access, for example a flaw in a VPN gateway or firewall. For some time, exploitation of vulnerabilities in public-facing applications was the leading root cause of attacks, followed by external remote services; in the first half of 2023, however, 50% of attacks stemmed from breached or exposed credentials, while 23% were due to vulnerability exploitation.

Breached credentials make attacks easy to conduct, particularly when no multi-factor authentication is in place. Phishing-resistant MFA should be a priority for all organizations, yet the researchers found that MFA was not configured in 39% of the incidents investigated. Prompt patching should also be a priority, because it shrinks the window of opportunity for attackers. The researchers recommend following CISA’s timelines of 15 days for patching critical vulnerabilities and 30 days for high-severity vulnerabilities, as set out in Binding Operational Directive 19-02. Meeting this schedule removes the low-hanging fruit and forces attackers into a narrower set of tactics.

Earlier reports have highlighted the extent of Remote Desktop Protocol (RDP) abuse. In the first six months of 2023, RDP was abused in 95% of attacks, up from 88% in 2022. In 77% of attacks involving RDP, it was used for internal access and lateral movement, up from 65% in 2022. Only 1% of attacks used RDP for external access. Given the extent of RDP abuse, security teams should prioritize securing RDP. When attackers are forced to defeat MFA or bring their own tooling for lateral movement, they must spend more time and effort, which gives defenders considerably more time to identify the intrusion and increases the likelihood that malicious activity is detected.
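The two patterns above, encryption launched outside business hours and RDP used for internal lateral movement, can be turned into a simple detection rule. The following is an added example, not code from the article or from Sophos: it assumes Windows Security events already parsed into dicts with the fields shown, that event 4624 with logon type 10 marks a successful RDP (RemoteInteractive) logon, and that the business hours and fan-out threshold are tuned per environment.

```python
from collections import defaultdict
from datetime import datetime

# Assumed local business hours (08:00-18:00) and fan-out threshold; tune per environment.
BUSINESS_START, BUSINESS_END = 8, 18
FAN_OUT_LIMIT = 3  # distinct RDP targets reached from one source before we alert

def is_off_hours(ts: datetime) -> bool:
    """Weekend (Saturday=5, Sunday=6) or outside the assumed business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)

def detect_rdp_activity(events):
    """Return findings for RDP logons: off-hours logons and sources fanning out to many hosts.
    Event 4624 with logon type 10 is a Windows RemoteInteractive (RDP) logon."""
    findings = []
    targets = defaultdict(set)  # source IP -> set of hosts it reached over RDP
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue  # not a successful RDP logon
        ts = datetime.fromisoformat(ev["time"])
        if is_off_hours(ts):
            findings.append(("off_hours_rdp", ev["src_ip"], ev["host"], ev["user"]))
        targets[ev["src_ip"]].add(ev["host"])
    for src, hosts in sorted(targets.items()):
        if len(hosts) >= FAN_OUT_LIMIT:
            findings.append(("rdp_fan_out", src, len(hosts)))
    return findings

# Constructed sample events (not real logs): one normal Monday RDP logon, one network logon
# that is ignored, and a Saturday-night chain from a single workstation into three servers.
SAMPLE_EVENTS = [
    {"time": "2023-06-05T10:15:00", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.5.21", "host": "FILESRV01", "user": "jdoe"},
    {"time": "2023-06-05T10:20:00", "event_id": 4624, "logon_type": 3,
     "src_ip": "10.0.5.21", "host": "FILESRV01", "user": "jdoe"},
    {"time": "2023-06-10T23:02:00", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.7.44", "host": "DC01", "user": "svc_backup"},
    {"time": "2023-06-10T23:05:00", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.7.44", "host": "FILESRV01", "user": "svc_backup"},
    {"time": "2023-06-10T23:09:00", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.7.44", "host": "HR-DB02", "user": "svc_backup"},
]

if __name__ == "__main__":
    for finding in detect_rdp_activity(SAMPLE_EVENTS):
        print(finding)
```

Against the sample data this reports three off-hours RDP logons and one fan-out finding, all from the same internal source, while the Monday logon and the non-RDP logon produce nothing.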

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone