Cybersecurity Thought Leadership Block / en Fri, 25 Apr 2025 17:27:06 -0500 Tue, 10 Dec 24 06:15:00 -0600 Assessing the Health Care Environment for 2025 /aha-center-health-innovation-market-scan/2024-12-10-assessing-health-care-environment-2025 <div class="container"><div class="row"><div class="col-md-8"><img src="/sites/default/files/inline-images/Assessing-the-Health-Care-Environment-for-2025_0.png" data-entity-uuid="26b88094-b584-4174-8bce-4a0b75b739c7" data-entity-type="file" alt="Assessing the Health Care Environment for 2025. The cover of the 2025 Environmental Scan. Download your free copy today!" width="100%" height="100%"><p>Despite the significant upheaval in the retail health care sector over the past year, consumers still have plenty of choices for accessing care.</p><p>And as the recently released <a href="/environmentalscan">AHA 2025 Environmental Scan</a> points out, convenience in accessing care and affordability are primary drivers in consumers’ decision-making processes.</p><p>The AHA Environmental Scan contains data, surveys, trends, thought leadership and educational resources, illustrating some of the top issues facing the field, including workforce, financial stability, care delivery transformation and greater value. 
This scan can help leaders plan for the future of their organizations and consider ways the field can move forward together.</p><h2>Pay Close Attention to Access and Navigation</h2><p>In assessing factors that drive consumers to change providers or select a new provider, an Accenture survey from earlier this year highlighted the following:</p><ul><li><span><strong>89%</strong></span> of respondents said ease of navigation was the top factor that caused them to switch providers.</li><li><span><strong>70%</strong></span> cited access, which includes convenience, digital interaction, telehealth and customer service, as a top factor driving patients to select a new provider.</li><li><span><strong>53%</strong></span> said they selected a new provider based on a trusted physician or referral from a friend and the communication skills of the new provider.</li></ul><p>Among the navigational challenges cited by consumers, factors such as difficulty in doing business with the provider, bad experiences with the front desk or administrative staff, and problems with digital/online service and support solutions all weighed heavily in patients’ decisions to change providers.</p><h2>3 Ways to Improve the Consumer Navigation Experience</h2><p>Within the environmental scan, Lee Schwamm, M.D., senior vice president and chief digital health officer at Yale New Haven Health, offers three tips for creating an ideal digital state for consumers:</p><ul><li>Provide ubiquitous broadband and <span><strong>high-quality, affordable access</strong></span> not just for health care, but digital access in general, which will positively impact the social drivers of health.</li><li>Employ a <span><strong>cyber-secure platform</strong></span> for data interoperability so devices and wearables can travel on a highly secure, standardized platform that is fully integrated with electronic health records.</li><li><span><strong>Deliver a better developed, autonomous 
layer/toolkit powered by artificial intelligence</strong></span> that would do much of the preprocessing and deliver standardization and uniformity. It must be equitable and accessible. Digital redlining is real.</li></ul><p>So, what do patients want from their overall digital health experiences and applications from providers? A report from Gozio Health this year found the following:</p><ul><li><span><strong>78%</strong></span> want to view or review lab tests in the providers’ apps.</li><li><span><strong>73%</strong></span> want to view their medical history online.</li><li><span><strong>73%</strong></span> want to message their providers within the apps.</li><li><span><strong>68%</strong></span> want to request medication refills through the apps.</li><li><span><strong>64%</strong></span> want to schedule appointments themselves through the apps.</li></ul><h2>Affordability Worries Many Consumers</h2><p>The rising cost of health insurance is another factor impacting consumers. Nearly one-third of consumers cited affordability as the most important factor in their health care experiences, noted a report this year from Huron Consulting.</p><p>Meanwhile, worries about being able to afford care and health insurance premiums are impacting a large percentage of the population, according to a Kaiser Family Foundation report from this past spring. 
That report found the following:</p><ul><li><span><strong>47%</strong></span> of adults reported that it is difficult to afford health care costs.</li><li><span><strong>48%</strong></span> of insured adults worried about affording their monthly insurance premiums.</li><li><span><strong>One in four</strong></span> said that in the past year they skipped or postponed getting the health care they need because of cost.</li><li><span><strong>One in five</strong></span> said they did not fill a prescription because of cost, while a similar percentage said they instead opted for over-the-counter alternatives.</li></ul><p><a href="/environmentalscan"><span><strong>Download the AHA 2025 Environmental Scan</strong></span></a> for a more complete look at the issues impacting the health care landscape.</p></div><div class="col-md-4"><p><a href="/center" title="Visit the AHA Center for Health Innovation landing page."><img src="/sites/default/files/inline-images/logo-aha-innovation-center-color-sm.jpg" data-entity-uuid="7ade6b12-de98-4d0b-965f-a7c99d9463c5" alt="AHA Center for Health Innovation logo" width="721" height="130" data-entity-type="file" class="align-center"></a></p><p><a href="/center/form/innovation-subscription"><img src="/sites/default/files/2019-04/Market_Scan_Call_Out_360x300.png" data-entity-uuid data-entity-type alt width="360" height="300"></a></p></div></div></div> Tue, 10 Dec 2024 06:15:00 -0600 Cybersecurity Thought Leadership Block H-ISAC TLP Green: Ransomware Data Leak Sites Report - August 15, 2024 <div class="container row"><div class="row"><div class="col-md-8"><p>The information provided in the report is pulled from threat actor 
data leak sites ‘as is,’ meaning it is shared as it has been posted by the threat group. Threat groups have been known to make mistakes, have typos, misname victims, or use other language aside from the victim name. The report shares the information ‘as is’, and neither the source of the report nor our team goes to the individual sites to verify the information, though it can be cross-referenced with other reporting sources (and we sometimes do so). Neither the originator of the report nor our team is in direct discussion with the threat actors. There are cyber threat intelligence firms that do engage in cybercrime forums and can provide additional perspectives on victims and on the ongoing discussions occurring in those forums.</p></div><div class="col-md-4"><div><p><strong>For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:</strong></p><h3><a href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf">John Riggi</a></h3><h4>National Advisor for Cybersecurity and Risk, AHA</h4><h4><a href="mailto:jriggi@aha.org?subject=Cybersecurity and Risk Advisory Services Query">jriggi@aha.org</a></h4><h4>(O) <a href="tel:1-202-626-2272">+1 202 626 2272</a></h4><div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf" target="_blank">More on John Riggi</a></div><div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/guidesreports/2018-06-15-cybersecurity-and-risk-advisory-services" target="_blank">Learn more about AHA's Cybersecurity and Risk Advisory Services</a></div></div></div></div></div> Fri, 16 Aug 2024 02:09:50 -0500 Cybersecurity Thought Leadership Block H-ISAC TLP Green Ransomware Data Leak Sites Report - February 22, 2024 <div class="container row"><div class="row"><div class="col-md-8"><p>The information provided in the report is pulled from threat actor data leak 
sites ‘as is,’ meaning it is shared as it has been posted by the threat group. Threat groups have been known to make mistakes, have typos, misname victims, or use other language aside from the victim name. The report shares the information ‘as is’, and neither the source of the report nor our team goes to the individual sites to verify the information, though it can be cross-referenced with other reporting sources (and we sometimes do so). Neither the originator of the report nor our team is in direct discussion with the threat actors. There are cyber threat intelligence firms that do engage in cybercrime forums and can provide additional perspectives on victims and on the ongoing discussions occurring in those forums.</p></div><div class="col-md-4"><div><p><strong>For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:</strong></p><h3><a href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf">John Riggi</a></h3><h4>National Advisor for Cybersecurity and Risk, AHA</h4><h4><a href="mailto:jriggi@aha.org?subject=Cybersecurity and Risk Advisory Services Query">jriggi@aha.org</a></h4><h4>(O) <a href="tel:1-202-626-2272">+1 202 626 2272</a></h4><div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf" target="_blank">More on John Riggi</a></div><div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/guidesreports/2018-06-15-cybersecurity-and-risk-advisory-services" target="_blank">Learn more about AHA's Cybersecurity and Risk Advisory Services</a></div></div></div></div></div> Thu, 22 Feb 2024 08:10:30 -0600 Cybersecurity Thought Leadership Block 4 key takeaways from COVID-19 town hall on rural communities’ vaccination challenges /news/blog/2021-04-22-blog-4-key-takeaways-covid-19-town-hall-rural-communities-vaccination <p>A panel of rural health care experts and other 
health care leaders assembled by the AHA and the Black Coalition Against COVID-19 convened April 21 at 7 p.m. ET for a live town hall to discuss the challenges facing rural communities and providers throughout the pandemic, including equitable access to care and vaccines, broadband technology and vaccine confidence. Speakers included AHA Board Chair Rod Hochman, M.D., CEO of Providence in Renton, Wash.; AHA Rural Services Committee member Dr. Francine Witt, DPN, R.N., president and CEO of Effingham Health System in Springfield, Ga.; Rep. Ron Kind (D-Wisc.) and senior leadership from the White House and the Centers for Disease Control and Prevention. </p> <p>Here are a few of their top insights and solutions for helping rural communities achieve the best health outcomes during COVID-19 and beyond: </p> <ol> <li><strong>Health care leaders can work with the community to build confidence in the vaccine. Dr. Hochman shared how invaluable community members are to demonstrating leadership during COVID-19 and confidence in taking the vaccine</strong>. In the Seattle community, Providence worked with the Ethiopian population to help spread the word that COVID-19 vaccines are safe and effective. Hochman emphasized that health care leaders can empower others through patience, persistence and education.<br /> <br /> “Both as a physician and as a leader of a health organization, I’ve always found that if you take the time to explain the science behind what’s going on, why it works – people then understand,” Hochman said. “But we need to be patient and we need to take the time to understand. And then we need members of the community – who are just as important if not more important than the doctors and nurses and leaders like ourselves— to really advocate for taking the vaccine.”<br />  </li> <li><strong>Federal and local support and funding are necessary for rural hospitals to thrive. 
</strong>“Rural hospitals are essential to the strength and health of the population across America,” said Dr. Witt. She underscored the importance of funding and resources to help hospitals thrive.<br /> <br /> “I’m hoping this pandemic has enlightened federal, state and local government that rural hospitals are not just there to stabilize, but we are essential to the health outcomes of the people, not just in rural communities but also in America,” Dr. Witt said.<br /> <br /> In addition, Witt praised the Biden Administration’s American Rescue Plan for creating a special enrollment period through Aug. 15 with more plans available that include financial assistance to consumers, noting that conversations about access to care must discuss coverage as well. <br />  </li> <li><strong>Rural providers need reliable broadband and flexibility to continue serving patients effectively post-COVID-19. </strong>“The pandemic has revealed once again devastating inequities in our health care system; it disproportionately harms black Americans and communities of color,” said Rep. Ron Kind, D-Wisc. He also added that the tremendous pressure COVID-19 has put on rural communities has hurt society with 136 hospital closures over the past decade <a href="https://www.beckershospitalreview.com/finance/why-rural-hospital-closures-hit-a-record-high-in-2020.html#:~:text=%22It%20was%20devastating%22%20when%20they,they%20were%20forced%20to%20close">and 20</a>  since the pandemic started. In addition, Rep. Kind discussed how the explosion of telehealth during the pandemic has illustrated the need to continue reaching rural patients where they are.<br /> <br /> “The COVID pandemic has really highlighted the digital divide throughout America but especially in rural America… I don’t think there’s any going back from what we’ve experienced in the last year,” Rep. Kind said. 
“Health care providers like it, patients like it – and now it’s up to us in Congress to make sure we’re aligning those incentives and maintaining the financial reimbursements including audio reimbursement for telehealth as we move forward beyond the pandemic.” <br />  </li> <li><strong>Upcoming infrastructure legislation presents an opportunity to strengthen hospitals.</strong> As Congress gears up to consider an infrastructure proposal, health care leaders are <a href="/lettercomment/2021-04-21-aha-shares-congressional-leaders-priorities-include-infrastructure">eager</a> to see the necessary federal investment included to ensure hospitals are able to meet patients’ health care needs and continue to be a source of jobs and economic stability in their communities, often as one of the region’s largest employers.<br /> <br /> Hochman underscored AHA’s full support for passage of the in-development infrastructure bill in Congress.<br /> <br /> “We have a lot of infrastructure needs for rural hospitals that have been forgotten about in terms of equipment needs and in terms of structure, and those are things that we’re going to get behind very strongly at the AHA,” Hochman said. </li> </ol> <p>You can watch a replay of the full <a href="https://www.youtube.com/watch?v=ZGxsT_JaY9Q">event here</a>.  </p> Thu, 22 Apr 2021 13:25:27 -0500 Cybersecurity Thought Leadership Block Strategic Threat Intelligence: Preparing for the Next “Solarwinds” Event /other-cybersecurity-reports/2021-04-16-white-paper-strategic-threat-intelligence-preparing-next <div class="container"> <div class="row"> <div class="col-md-8"> <h2>Introduction</h2> <p>As the impact of the SolarWinds incident is still being investigated and discussed, the American Hospital Association (AHA) and Health-ISAC collaborated on this strategic intelligence analysis to identify what other “SolarWinds”-like issues might be lurking in enterprise networks. 
The paper is meant for all audiences, non-technical and technical. We first present strategic-level decision elements that senior leaders, including C-suite executives, can use to understand the risks involved with certain enterprise IT systems in their network environment. We then provide detailed technical analysis and recommendations for IT and information security teams to help address immediate concerns through tactical mitigations and recommendations. For our technical audience, this paper presents a detailed analysis of the characteristics that allowed the SolarWinds incident to affect multiple industries, organizations, and systems.</p> <p>Extracting the characteristics and features of SolarWinds could allow organizations to predict, and hopefully prevent, the next “SolarWinds”-like event in their enterprise environments.</p> <div> <h3>How Health-ISAC and AHA Work Together</h3> <p>The AHA and Health-ISAC have called for more ways to improve cyber security through a global approach to defending against cyber threats. Hospitals and health systems, and the patients they care for every day, are heavily targeted by cyber adversaries, including sophisticated nation-states. Defenders have made great strides to protect their networks, secure patient data, preserve the efficient delivery of health care services and, most importantly, ensure patient safety. However, it cannot be done alone. Hospitals and health systems need more active support from the public and private sectors to defend patients from cyber threats.</p> <p>Health-ISAC and AHA partner in a variety of ways. To highlight just a few examples of information sharing, Health-ISAC shares many threat and vulnerability reports with AHA for the benefit of AHA’s 5,000 member hospitals. AHA and Health-ISAC will continue to work together to ensure tactical threat and vulnerability intelligence is broadly shared with this community. 
Health-ISAC and AHA will also continue to collaborate on strategic threat analyses, much like this report, in the future.</p> </div> <h2>Executive Summary</h2> <p>The SolarWinds incident that began to unfold in mid-December 2020 is yet another reminder of the ongoing risks lurking in enterprise networks. SolarWinds is the company that makes the Orion platform, which is used by tens of thousands of businesses globally to help manage their networks, systems, and information technology infrastructure. As Orion runs with privileged access to the assets it manages, the SolarWinds breach meant those enterprise assets could now easily be compromised by the adversary. It is these supply-chain dependencies and inherent trust models that must be carefully reviewed before, during and after any implementation to ensure unwanted risks are not introduced into the enterprise network.</p> <p>As senior leaders responsible for overall risk management of your firm, you should be asking the right questions of your technical experts about new and existing technologies which provide broad access into your IT infrastructure, including access to data and sensitive information. Information security principles including least-privilege access, network segmentation and ongoing monitoring should be used in concert to minimize risk during implementation and production of enterprise management systems. What controls are in place? Establish and maintain a dynamic inventory process for all IT systems (you can’t secure what you don’t know about) and implement appropriate audit and control processes. Monitoring should also include establishing a baseline of “normal” network traffic and looking for anomalies outside that baseline as indicators of potential issues.</p> <p>As part of the risk management process, you should also understand the types of sensitive data you have in your environment as it relates to customers, patients and your firm’s strategic priorities and intellectual property. 
Should there be a breach of your network, do you have an up-to-date inventory of data to understand the possible compromise exposures, including exposure to legal and regulatory risk? Could you determine what was stolen? Do you have an understanding of the vendors/third-party suppliers you use so that when vulnerabilities arise you can assess risks? What is the future value of that data (i.e., is it part of an R&D project to develop a new product that, if exposed, could provide another firm a competitive advantage, or is it other sensitive data such as patient information)? Are there future reputational, economic or national security implications because of the breach? These are just some of the questions you should be asking your internal subject matter experts.</p> <h2>Technical Analysis</h2> <p>In mid-December 2020, news of a major cyber security breach began to unfold. Several US Government agencies, Microsoft and the cyber security firm FireEye were all among the victims of the SolarWinds attacks. This sophisticated attack campaign likely also compromised multiple unnamed business systems and resources, occupied multiple days of news coverage, and instigated large-scale business responses, still under way months later, to mitigate the event.</p> <p>Before the widespread coverage and analysis, malicious actors gained access to the build versions of the Orion network monitoring software, designed by Texas-based company SolarWinds. Access to the Orion build version may have been obtained through a vulnerable Microsoft Office 365 account. The cause of this initial breach is still unknown, but may have been complex phishing attacks, weak passwords or insecure account hardening practices. The attackers then established a foothold in the software update publishing infrastructure sometime before September 2019. 
Next, the malicious actors surreptitiously modified software updates provided by the SolarWinds corporation, which were then applied directly by legitimate users updating their Orion platform to the latest version.</p> <p>The first known modification, occurring in October 2019, was merely a proof of concept. Once the proof had been established, the attackers spent December 2019 to February 2020 setting up a command-and-control (C2) infrastructure to further weaponize the supply-chain structure of the Orion update function. In March 2020, the attackers began to plant remote access tool malware into Orion updates, effectively trojanizing them. Once weaponized, the update was sent to enterprise security administrators, who automatically applied the relevant security fixes, not knowing the update was malicious.</p> <p>The malware would stay dormant for 12 to 14 days before attempting to communicate with one or more of several C2 servers, masquerading as legitimate Orion outbound traffic to SolarWinds. If the outbound traffic reached one of the C2 servers, the attackers were alerted to a successful malware deployment and gained a backdoor they could choose to use if they wished to exploit the system further. The SolarWinds Orion Platform incident is certainly one of the most significant cyber security compromises of the past few years, especially because of its complex supply-chain exploitation and propagation. But this event is not the only cyber incident to exhibit the distinguishable characteristics that made the attack so consequential and so successful.</p> <h2>SolarWinds – Characteristics Broken Down</h2> <p>To compare the SolarWinds characteristics to similar past events, the underlying attributes must first be identified. 
At its core, the reason the SolarWinds incident could compromise so many organizations around the globe lies in the simplicity and wide-scale adoption of managed services by enterprise organizations. Managed service providers and software, products that can control and manage multiple systems and software from a centralized service, offer simplicity when onboarding new systems and a scalable growth mechanism for managing dynamic business systems. Their rise in popularity over the past 15-plus years, and the subsequent security incidents, reveal three distinguishable characteristics that make these enterprise software systems such appealing targets to malicious actors:</p> <ul> <li>The centralized system easily controls multiple subsystems, networks, or products, requiring little interaction or no activation from the controlled system.</li> <li>The system possesses an undisclosed, unpatched, or unknown opening that attackers can exploit for a degree of administrative control.</li> <li>The exploited opening of the centralized product can affect, in either a limited or total ability, the subsystem it controls.</li> </ul> <p>The first characteristic exists for several reasons, mainly ease of use and centralized onboarding control of systems. The second characteristic, the undisclosed, unpatched, or unknown opening, cannot be fully controlled, but can be mitigated by vulnerability testing, quality assurance, least-privilege operations and privileged user monitoring and access control discipline. The last characteristic lies in the relationship between the controlling software and the controlled devices/products. 
The SolarWinds attackers exploited all of the above characteristics to achieve their attack goals -- and we discuss <strong>four more incidents</strong> in this document where attackers exploited the same factors -- the 2009 HP OpenView vulnerability, WannaCry (2017), Petya/NotPetya (2017) and the 2021 SAP Solution Manager incident.</p> <h2>HP OpenView (2009)</h2> <p>When applying this threat model to the 2009 HP OpenView incident, and comparing it to SolarWinds, all three characteristics match. HP OpenView is a now-legacy system management and network monitoring software system which was used to manage a variety of HP and non-HP affiliated devices, such as virtual machines, servers, databases, and networking devices, thus matching the first characteristic. Two undisclosed vulnerabilities, designated CVE-2009-0920 and CVE-2009-0921, allowed remote attackers to execute malicious code on the vulnerable system via specially crafted HTTP requests, satisfying the second requirement. The last shared characteristic is the combination of the previous two points, where exploitation of CVE-2009-0920 and CVE-2009-0921 against a vulnerable HP OpenView installation could cause significant damage to any connected service or device. At the time, the combination of CVE-2009-0920 and CVE-2009-0921 potentially affected millions of organizations utilizing HP OpenView in business environments, and numerous business entities appropriately responded, much like they did in the current SolarWinds incident.</p> <h2>WannaCry (2017)</h2> <p>Probably one of the most significant vulnerabilities ever to affect the connected ecosystem, EternalBlue, an exploit reportedly discovered by the United States National Security Agency (NSA) for older Windows operating system versions, affected millions of outdated and unpatched systems. 
While coverage and analysis of this vulnerability were widespread, organizations that were unable to take legacy Windows systems offline or otherwise upgrade them were exposed to the weaponization of EternalBlue through the WannaCry ransomware, which has been attributed to the North Korean government.</p> <p>Where WannaCry ransomware struck central administrative systems, such as a domain controller or server, the incident satisfies the first and second characteristics: a centralized system that controls a variety of services was directly impacted by an unpatched vulnerability. The combination of these two components leads directly to the third and final characteristic, with the potential for large-scale destruction and disruption of critical systems not only in the healthcare sector but in any organization worldwide that had failed to upgrade its legacy Windows systems.</p> <h2>Petya and NotPetya (2017)</h2> <p>Building on the EternalBlue vulnerability described in the WannaCry section above, Russian-backed state actors used the legacy Windows flaw to encrypt the boot records of systems, centralized services, and other critical machines across a wide variety of business sectors. While the original Petya malware variant was primarily used to target Ukrainian entities and worldwide legacy systems, another variant, dubbed NotPetya, used different encryption keys and a reboot behavior distinct from its predecessor. The discovery and investigation of NotPetya found that a Ukraine-based tax accounting software firm named Intellect Service, which developed the M.E.Doc tax accounting software, was compromised by Russian nation-state actors. 
M.E.Doc had more than 400,000 customers across Ukraine, representing about 90% of the country’s domestic firms, and prior to the attack was installed on an estimated one million computers in Ukraine.</p> <p>By abusing the automatic update features of M.E.Doc, state actors pushed a corrupted update that included the newly discovered NotPetya variant. The attack affected systems primarily in Ukraine, but also impacted entities across the globe, with damages caused by the attack estimated at over $10 billion (US). This incident remains highly notable because of its similarities to the aforementioned SolarWinds attack, which also used a compromised updater to spread malware across a variety of business systems around the globe. The SolarWinds attackers’ tactics, techniques and procedures might have been inspired by, or directly influenced by, the initial attack and intrusion vector of the Russian NotPetya malware strain.</p> <p>The impacts across the globe – while perhaps unintended by the attackers – left many organizations reeling from the attack. Entities that were not themselves vulnerable to the Petya and NotPetya strains were indirectly affected through vulnerable third-party service providers. For example, a large medical operation outsourcer was compromised by Petya and NotPetya-enabled attacks, and healthcare providers globally that relied on that service provider were operationally affected by the loss of service.</p> <p>With both malware variants, centralized medical management systems were impacted across the globe, as these complex systems provided lifesaving services and could not be taken offline or upgraded to the most current versions of the Windows operating system. 
These centralized, targeted medical systems, whose compromise affected multiple medical devices across hospitals and health centers, were directly impacted by an unpatched and weaponized vulnerability, satisfying the first, second and third characteristics of the SolarWinds shared-characteristics model.</p> <h2>SAP Solution Manager (SolMan) (2021)</h2> <p>The SolarWinds exploitation model can also be applied to the 2021 SAP Solution Manager incident. Solution Manager (SolMan) is a widely used software module created by SAP that provides integrated content, methodologies, and tools to implement, operate, monitor, and support enterprises’ SAP and, to a limited extent, non-SAP solutions.</p> <p>SolMan closely resembles HP OpenView, shares properties with the SolarWinds Orion products, and satisfies the first exploitation characteristic by easily controlling multiple subsystems. A discovered vulnerability, tracked as CVE-2020-6207, was assigned a CVSS base score of 10.0, the highest severity rating available. The issue was addressed by SAP as part of its March 2020 updates, but the public release of a proof-of-concept exploit by security researchers could allow attackers to target unpatched systems. The unpatched opening meets the second distinguishable characteristic. While the flaw was not unknown, undiscovered, or left unpatched by the developers, a lack of coordinated response by unaware security and system administrators left numerous SAP-enabled systems open for attackers to exploit. A successful exploitation of the vulnerability would allow a remote unauthenticated actor to execute highly privileged administrative tasks in the connected SAP Solution Manager Diagnostics toolset used to analyze and monitor SAP systems via SolMan. The attack could shut down any connected SAP system, delete any data stored on connected devices, and read and extract any logs stored on connected systems. 
These capabilities closely resemble those achieved through a SolarWinds Orion compromise and satisfy the third characteristic of the threat model outlined earlier.</p> <h2>Analysis: Summing It Up</h2> <p>As the examples demonstrate, the SolarWinds incident, still in the news three months after its discovery, was not the first failure of interconnected software to affect the devices it controls or can access. Centralized administrative software and unknown vulnerabilities have been, and always will be, a potential central point of compromise for system and security administrators. The rise and continued use of managed service providers and management software gives small and large businesses near-limitless scalability and easy onboarding, but their continued use and development also represent a risk, because these systems create new opportunities for attackers and security researchers to find openings in trusted enterprise software.</p> <p>In conclusion, the SolarWinds incident is not the first of its kind: multiple types of centralized administrative software have been compromised in the past, whether by motivated nation-state actors such as Russia, China, North Korea or Iran, or following public disclosure of critical vulnerabilities. The spread of managed service providers into critical businesses has increased the severity of the situation, and those providers will continue to be compromised through the same attack vectors described in this paper. Administrators should consider their critical data dependencies, business functions and business relationships with these third-party firms, because the history of central failure and data compromise will likely continue and will directly and negatively impact an organization when an incident occurs. 
The best countermeasures for organizational security and protection against the next SolarWinds-level event are proper patch management, vulnerability awareness and the use of reputable threat intelligence. With the analysis and recommendations provided here, healthcare organizations should be able to use actionable threat intelligence and remain alert to potential vulnerabilities, thereby preventing, or at least minimizing, the impact of the next “SolarWinds-type” event.</p> <h2>Technical Recommendations</h2> <p>Simply put, the best ways to mitigate the next SolarWinds-level incident are vulnerability awareness, proper patch application and management, least-privilege access, privileged user monitoring and access control, and access to reputable threat intelligence.</p> <p>Developers of centralized administrative software have disclosed, and always should disclose, actual or potential vulnerabilities and security breaches responsibly. The vendor should respond with an appropriate patch or remediation within a short, defined period. All parties in the incidents described above disclosed their vulnerabilities or breaches publicly, openly explained the technical details and methodologies that allowed successful exploitation, and subsequently released a patch or update that mitigated the issue. Security and systems administrators must stay aware of all potential openings by conducting regular vulnerability scanning, testing and implementing patches across systems, and continually verifying that security controls remain effective against potential attackers.</p> <p>In the case of a SolarWinds-level event, security administrators should also be aware of third-party recommendations and security practices that can augment their traditional security infrastructure and development lifecycle. 
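</p> <p>The recommendation below to identify the IP addresses and ports that critical software should be communicating over, baseline them and alert on any deviation can be reduced to a small amount of code once firewall or NetFlow records are available. The following Go program is an added example written for this page, not code from the white paper or from any vendor’s product. The flow records, host names, addresses and the vendor-documented update endpoint are constructed for the illustration, and 203.0.113.0/24 is a documentation address range rather than a real destination. It learns a baseline from a window of traffic that was reviewed and believed clean, adds one documented channel that did not happen to appear in that window, and then reports each distinct deviation in a later window, distinguishing a brand-new destination from a known destination on an unexpected port.</p>

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

type (
	Flow     struct{ Time, Src, Dst, Port string } // one firewall/NetFlow record
	Channel  struct{ Dst, Port string }            // a (destination, port) pair
	Baseline map[string]map[Channel]bool           // monitored host -> known channels
)

// ParseFlows reads the constructed CSV used here: time,src_host,dst_ip,dst_port
// with no header; lines starting with '#' are comments.
func ParseFlows(raw string) ([]Flow, error) {
	var flows []Flow
	for n, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		flows = append(flows, Flow{f[0], f[1], f[2], f[3]})
	}
	return flows, nil
}

// Learn records every channel each monitored host used during a window that
// was reviewed by hand and believed clean; other hosts' traffic is ignored.
func Learn(flows []Flow, monitored ...string) Baseline {
	b := Baseline{}
	for _, h := range monitored {
		b[h] = map[Channel]bool{}
	}
	for _, f := range flows {
		if chans, ok := b[f.Src]; ok {
			chans[Channel{f.Dst, f.Port}] = true
		}
	}
	return b
}

// Allow adds a channel the vendor documents (for example its update service)
// so that its first use does not raise an alert.
func (b Baseline) Allow(host, dst, port string) {
	if b[host] == nil {
		b[host] = map[Channel]bool{}
	}
	b[host][Channel{dst, port}] = true
}

// Detect returns one alert per distinct deviation: a destination the host has
// never used, or a known destination on a port it has never used.
func Detect(b Baseline, flows []Flow) []string {
	seen := map[string]bool{}
	for _, f := range flows {
		chans, ok := b[f.Src]
		if !ok || chans[Channel{f.Dst, f.Port}] {
			continue // unmonitored host, or channel already in the baseline
		}
		reason := "new destination"
		for c := range chans {
			if c.Dst == f.Dst {
				reason = "known destination, new port"
				break
			}
		}
		seen[fmt.Sprintf("%s -> %s:%s (%s)", f.Src, f.Dst, f.Port, reason)] = true
	}
	var alerts []string
	for a := range seen {
		alerts = append(alerts, a)
	}
	sort.Strings(alerts)
	return alerts
}

// Constructed sample data: a clean learning window, then a later window in which
// the management server contacts an outside address and opens RDP to a device it
// normally only polls over SNMP.
const learnWindow = `
# time,src_host,dst_ip,dst_port
2021-03-01T08:00:00Z,mgmt01,10.0.0.5,161
2021-03-01T08:00:05Z,mgmt01,10.0.0.6,161
2021-03-01T08:00:09Z,mgmt01,10.0.0.53,53`

const detectWindow = `
2021-03-02T08:00:00Z,mgmt01,10.0.0.5,161
2021-03-02T08:00:03Z,mgmt01,10.0.0.53,53
2021-03-02T08:00:07Z,mgmt01,10.0.1.20,443
2021-03-02T08:02:11Z,mgmt01,203.0.113.77,443
2021-03-02T08:02:12Z,mgmt01,203.0.113.77,443
2021-03-02T08:05:40Z,mgmt01,10.0.0.5,3389
2021-03-02T08:06:00Z,ws-042,203.0.113.77,443`

func main() {
	learn, _ := ParseFlows(learnWindow)
	later, _ := ParseFlows(detectWindow)
	b := Learn(learn, "mgmt01")
	b.Allow("mgmt01", "10.0.1.20", "443") // assumed vendor-documented update endpoint
	for _, a := range Detect(b, later) {
		fmt.Println("ALERT:", a)
	}
}
```

<p>Two details matter in practice. The learning window must itself be reviewed, because a baseline learned from already-compromised traffic will whitelist the attacker’s channel; and documented vendor endpoints should be added explicitly rather than waiting to be learned, otherwise the first legitimate update check after deployment raises a false alarm that trains analysts to ignore the alert.</p> <p>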
As SolarWinds impacted multiple sectors and organizations, third-party entities offered services, techniques, tactics and procedures to help detect and prevent future breaches that use this supply-chain attack methodology. Microsoft released CodeQL queries to the public to help developers whose build and release structure resembles that of the SolarWinds Orion platform. Using these queries, software developers can scan their source code for functionality or syntactic elements that match those used by the malicious implants in the SolarWinds attack. Such queries match the specific code patterns of a known implant: they are a check against reuse of those patterns, not a general backdoor detector, and belong alongside, not in place of, a review of build integrity.</p> <p>Security systems and administrators, though, cannot predict an unknown zero-day affecting their centralized administrative software, which leads to another way organizations can mitigate the next SolarWinds-level event: access to meaningful threat intelligence. Reputable and timely threat intelligence lets administrators and information security staff learn of urgent zero-days, potential or ongoing nation-state campaigns, and direct threats to their centralized administrative software that they would otherwise be unaware of. By using reliable threat intelligence, organizations can act in their own environments to remediate vulnerabilities and implement countermeasures and other recommendations that minimize the likelihood of an attack.</p> <h2>Recommendations from Health-ISAC and AHA</h2> <ul> <li>Continue to review and monitor Common Vulnerabilities and Exposures (CVEs) and their criticality to ensure appropriate priorities are applied to patch management of internal systems and satellite products of centralized administrative software. 
<ul> <li>Test patches immediately and implement them where applicable.</li> <li>Continuously review current common vulnerabilities and exposures affecting infrastructure to reduce the organizational attack surface.</li> </ul> </li> <li>Administrators should identify and consider their critical data dependencies and business relationships with third-party firms that operate centralized administrative software in their environment. <ul> <li>Use a least-privilege approach, granting only the data access and privileges needed to operate a service, thereby limiting the openings available to an attacker. <ul> <li>For users with elevated permissions and access to critical resources in the business environment, mandatory two-factor or multi-factor authentication remains a top priority. Account access should be terminated immediately when an employee leaves the organization.</li> </ul> </li> <li>Use internal cybersecurity “hunt” teams to identify enterprise systems that meet the exploitation characteristics described above.</li> </ul> </li> <li>Use the actionable threat intelligence disseminated by Health-ISAC, AHA and other threat intelligence sources. <ul> <li>Threat intelligence reports should be analyzed and, where warranted, acted upon in a timely manner.</li> <li>Communication between disseminators and recipients of threat intelligence should be maintained for familiarization, feedback and response, potential collaboration, and openness.</li> </ul> </li> <li>Identify the appropriate, known communications channels (such as IP addresses and ports) over which critical software and services should be communicating, and use that information to develop a baseline of what can be considered normal activity. 
Continuously monitor for, and design alerts on, any deviation from those known communications channels.</li> </ul> <h3>Strategic Risk Management Considerations:</h3> <ul> <li>Identify mission-critical third-party software, solutions and services used by the organization.</li> <li>Categorize and rank the risk of each based on its scope of network access and the volume and sensitivity of the data it handles.</li> <li>Rank risk based on criticality to operations, revenue capture and, most importantly, impact on patient care and safety.</li> <li>Use a vendor risk management program that brings together cybersecurity, legal, compliance, clinical, finance and operations teams to assess the risk of these mission-critical, enterprise-level third-party applications.</li> <li>Ensure cybersecurity teams are involved in the scoping, purchase and acquisition of new technologies and have conducted appropriate cybersecurity due diligence on the product or service and on the business associate organization.</li> <li>Develop business associate agreements whose cybersecurity requirements scale proportionally with the risk ranking of the business associate organization and the service being provided.</li> <li>Require business associates to notify you within 72 hours of discovering any vulnerability, breach or compromise that has the potential to impact the confidentiality, integrity or availability of your data or of their services.</li> <li>Include cybersecurity insurance requirements in business associate agreements that scale proportionally with the identified risk ranking of the business associate.</li> </ul> <h2 id="resources">Resources</h2> <ul> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2003-0746">NIST NVD: CVE-2003-0746, Distributed Computing Environment (DCE) for HP OpenView</a></li> <li><a href="https://www.networkworld.com/article/2240268/hp-patches-openview-vulnerabilities.html">Network World: HP Patches OpenView Vulnerabilities</a></li> <li><a 
href="https://health-isac.cyware.com/webapp/user/myfeeds/0b84eb57">Health-ISAC: SAP Solution Manager Flaw Weaponized with Proof of Concept Available</a></li> <li><a href="https://www.coresecurity.com/core-labs/advisories/openview-buffer-overflows">Core Security: HP OpenView Buffer Overflows (Advisory CORE-2009-0122)</a></li> <li><a href="https://www.zdnet.com/article/microsoft-petya-ransomware-attacks-were-spread-by-hacked-software-updater/">ZDNet: Microsoft: Petya Ransomware Attacks Were Spread by Hacked Software Updater</a></li> <li><a href="https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx">HHS 405(d): Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients</a></li> <li><a href="https://www.bleepingcomputer.com/news/security/microsoft-shares-codeql-queries-to-scan-code-for-solarwinds-like-implants/">BleepingComputer: Microsoft Shares CodeQL Queries to Scan Code for SolarWinds-Like Implants</a></li> <li><a href="https://github.com/github/codeql/blob/cba9f421ad3ec153c5a6c4167bca5868502c8fab/csharp/ql/src/experimental/Security%20Features/campaign/Solorigate-Readme.md">GitHub: Solorigate CodeQL Queries</a></li> <li><a href="https://www.microsoft.com/security/blog/?p=92881">Microsoft Security Blog: Turning the Page on Solorigate and Opening the Next Chapter for the Security Community</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-352a">CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations</a></li> <li><a 
href="https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network">CISA Issues Emergency Directive to Mitigate the Compromise of SolarWinds Orion Network Management Products</a></li> <li><a href="https://cyber.dhs.gov/ed/21-01/">DHS/CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise</a></li> <li><a href="https://h-isac.org/h-isac-threat-bulletin-solarwinds-breach/">Health-ISAC: SolarWinds Breach Attributed to Latest US Agency Attacks</a></li> <li><a href="/system/files/media/file/2020/12/hisac-tlp-green-cyber-threat-level-yellow-dec-15-2020.pdf">Health-ISAC: Cyber Threat Level Raised to Yellow (Elevated)</a></li> </ul> <div class="row"> <div class="col-md-6"> <h2>Conclusion</h2> <p>As described in this paper, the December 2020 SolarWinds incident was not the first time a trusted enterprise software solution was leveraged in a complex global cyber-attack, and it surely will not be the last.</p> <p>What is truly needed is close cooperation between governments, the healthcare sector and all critical infrastructure globally, through a formal exchange of cyber threat information and combined cyber defenses, to create a truly global approach.</p> <p>We urge organizations to use the strategic and tactical issues discussed in this paper as considerations for all trusted systems used, or planned for use, in your environment.</p> </div> <div class="col-md-6"> <div> <p>As this paper was going through final editing, news broke of a major Microsoft Exchange compromise that has impacted hundreds of thousands of organizations globally. Researchers believe four zero-day vulnerabilities were being actively exploited by Chinese nation-state actors, with other malicious cyber actors, including ransomware groups, suspected as well. Exchange Servers, the crown jewel of espionage targeting, are the key to email across many enterprise networks. 
The ramifications of a breached Microsoft Exchange server can be catastrophic for a business. While the Exchange compromise is extremely serious, it does not meet the three characteristics discussed for the purposes of this paper that make enterprise management systems an attractive target for threat actors.</p> </div> </div> </div> <div> <p>We welcome your feedback and suggestions regarding this paper. Please contact the Health-ISAC Threat Operations Center via email at <a href="mailto:toc@h-isac.org?subject=Feedback on White Paper: Strategic Threat Intelligence: Preparing for the Next “Solarwinds” Event">toc@h-isac.org</a> or John Riggi, AHA senior advisor for cybersecurity and risk, at <a href="mailto:jriggi@aha.org?subject=Feedback on White Paper: Strategic Threat Intelligence: Preparing for the Next “Solarwinds” Event">jriggi@aha.org</a>.</p> </div> </div> <div class="col-md-4"> <p><a href="/system/files/media/file/2021/04/hisac-aha-white-paper-strategic-threat-intelligence-preparing-for-next-solarwinds-event_0.pdf" title="Click here to download a PDF of the white paper."><img alt="White Paper: Strategic Threat Intelligence: Preparing for the Next Solarwinds Event page 1" src="/sites/default/files/2021-04/Page-1-hisac-aha-white-paper-strategic-threat-intelligence-preparing-for-next-solarwinds-event%20%28002%29.jpg"></a></p> <div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/system/files/media/file/2021/04/hisac-aha-white-paper-strategic-threat-intelligence-preparing-for-next-solarwinds-event_0.pdf" target="_blank" title="Click here to download a PDF of the white paper.">Download the White Paper</a></div> <hr> <div><img alt="H-ISAC Health-ISAC logo" data-entity-type="file" data-entity-uuid="50a7640d-e1b9-4175-9632-b059d1867c7f" src="/sites/default/files/inline-images/hisac-aha-white-paper-strategic-threat-intelligence-preparing-for-next-solarwinds-event.jpg" width="632" height="290" class="align-center"> <p>Organizations should be 
active with their respective critical infrastructure Information Sharing and Analysis Center (ISAC). Health-ISAC, for example, shares timely threat intelligence, indicators of compromise (IOCs), technical guidance, situational awareness, mitigation strategies and best practices. The ISAC also coordinates and collaborates on sector response. On Monday morning, December 14, 2020, just hours after the SolarWinds breach was announced, Health-ISAC alerted its members about the incident and provided an analysis including IOCs and detailed recommendations to address the issue. Health-ISAC also provided an executive summary PowerPoint that members could use internally to explain to senior leadership what happened, the implications of the breach and what needed to be done to mitigate the compromise. Health-ISAC updated the advisory and communications in subsequent releases based on member feedback, especially from our Threat Intelligence Committee. The sharing was invaluable to the entire health sector.</p> </div> <div><img alt="AHA logo" data-entity-type="file" data-entity-uuid="6c75b07b-b23a-41bc-92c4-4860b281e636" src="/sites/default/files/inline-images/aha-brand-full.png" width="216" height="83" class="align-center"> <p>The AHA, which represents over 5,000 hospitals and health systems and 43,000 individual members, understands that cyber risk is now a top enterprise risk issue, impacting not only data but also patient care and safety. The AHA, through its senior advisor for cybersecurity and risk, John Riggi, a former FBI cyber executive, continues to serve as a platform to collect, analyze and share cyber threat intelligence from the field, the government and Health-ISAC. During the SolarWinds breach, the AHA worked with all public and private partners to understand the scope of the breach and its impact, and to rapidly disseminate related technical and strategic threat information. 
In the realm of cyber defense, there is no competitive advantage between organizations. We all face the same cyber threats and the same potential consequences to data and to patients. Thus, the AHA strongly believes in the necessity of rapid and robust cyber threat information sharing between organizations, sectors and the government, in a truly “whole of nation” approach to cybersecurity.</p> </div> <hr> <p><a href="/center/cybersecurity-and-risk-advisory-services/preferred-cybersecurity"><img alt="APCP: Association Preferred Cybersecurity Service" src="/sites/default/files/2021-04/APCP_418x211.png" class="align-center"></a></p> <div> <p><strong>For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:</strong></p> <h3><a href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf">John Riggi</a></h3> <h4>Senior Advisor for Cybersecurity and Risk, AHA</h4> <h4><a href="mailto:jriggi@aha.org?subject=Cybersecurity and Risk Advisory Services Query">jriggi@aha.org</a></h4> <h4>(O) <a href="tel:1-202-626-2272">+1 202 626 2272</a></h4> <div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf" target="_blank">More on John Riggi</a></div> <div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/guidesreports/2018-06-15-cybersecurity-and-risk-advisory-services" target="_blank">Learn more about AHA's Cybersecurity and Risk Advisory Services</a></div> </div> </div> </div> </div> Fri, 16 Apr 2021 17:06:21 -0500 Cybersecurity Thought Leadership Block