Category Archives for "Blog"

Blog articles about the latest technology, threats, attack techniques, and vulnerabilities.

Provider faces $1.55 Million penalty for BA Breach

On March 16, 2016 the Department of Health and Human Services Office for Civil Rights issued a statement saying that the provider organization lacked a HIPAA-required business associate agreement with a vendor that had access to protected health information. In addition, the provider had not conducted the HIPAA-required enterprise-wide risk analysis.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says it’s crucial that healthcare organizations develop a vendor management program “that can scrutinize each time that a vendor or contractor is being sought to evaluate if the service provider will be receiving, maintaining or creating protected health information so that the business associate agreement required by the HIPAA standards will be in place.”


Full story from Healthcare Info Security.


At HealthGuard we have several solutions to help with not only Risk Analysis but also to give much needed visibility to Business Associates. Contact us today!


  • March 18, 2016
  • Blog

Why do hackers want your health record?

Health records contain a lot of information that is exciting to a hacker. Your health record holds your name, address, birthdate, Social Security number, email, personal health information, and possibly even your credit card details. It also holds information about your spouse, and nearly all of us supply at least a name and contact information for an emergency contact. There is a lot of good stuff in there when you look at it from the bad guy's perspective!

According to the Ponemon Institute, health records are sold for as much as $363 per record. A small breach of only 1,000 records is a decent sized payoff for these hackers! The security company RedJack found a set of Medicare ID numbers for 10 beneficiaries online being sold for about $4,700!

While banks and credit card companies can simply cancel a card or set up a new account, hospitals and other medical organizations don’t have a simple process for fixing lost patient data. One simply cannot get a new Social Security number or change one's birthday. “Unlike credit card numbers, healthcare information is non-recoverable, and potentially lethal in the wrong hands,” Robert Hansen, the vice president of WhiteHat Security, told the Christian Science Monitor.

Hackers sometimes simply want your medical records for all of that juicy personal data, but there are some who steal records in order to use a person’s health insurance information to file fraudulent medical claims.

According to the Ponemon Institute, Healthcare organizations experience, on average, a cyber attack almost monthly (11.4 attacks on average per year) as well as the loss or exposure of sensitive and confidential patient information. However, 13 percent are unsure how many cyber attacks they have endured. Almost half of respondents (48 percent) say their organization experienced an incident involving the loss or exposure of patient information in the past 12 months. As a consequence, many patients are at risk for medical identity theft.


  • March 11, 2016
  • Blog

Introducing the CYBER MRI

The US has seen an explosion in the digitization of healthcare over the last 10 years. We have seen the Electronic Health Record (EHR) adoption rate grow to over 97%, and network-attached medical devices become commonplace. While all of this new technology has many benefits, it has not come without a price. Since mid-2009 there have been over 152 million electronic patient records breached. Earlier this year a hospital in Hollywood, California had its network, including multiple critical patient care systems, hacked and held for ransom. In the last seven years, the government has handed out over $32.5M in civil monetary penalties to organizations not meeting HIPAA compliance, and billions of dollars of class action suits have been filed by victims whose information has been lost.


In this morass of issues, there are three key challenges confronting Healthcare providers:

1. Monitoring the organization’s regulatory compliance.

2. Monitoring the organization’s cyber security readiness.

3. Accurately identifying, quantifying and communicating risk in terms all stakeholders can understand.


To address these issues, HealthGuard has developed the Cyber MRI: the industry’s first quantitative cyber risk management platform designed from the ground up for healthcare providers.

Benefits:

• Fast time to value – the Cyber MRI is an affordable, easy-to-use system that allows providers to get up and running in hours, not days or weeks.

• Customizable – its modular design makes it customizable for the needs of any customer. You only buy what you need.

• Improved visibility – the Cyber MRI gives unparalleled visibility into the organization’s risk issues, enabling better insights and better decision making.


  • February 17, 2016
  • Blog

Calibrated Probability Assessment

We recently took a client through a subjective probability assessment calibration training session and upon seeing their results (below), they asked the question “what do these numbers mean?”

[Screenshot: the client's calibration training results]

I responded with a brief email that I thought was worth sharing because it helped them gain a better understanding of the “numbers” and their significance (or so they said). Here is what I sent them.


“Kevin, Good question. These numbers essentially mean that the five of you collectively, and for the most part individually, are capable of providing fairly accurate subjective probability assessments (the group showed marked improvement between the first and the last exercises).  

This is important because as we discussed, humans are generally very bad at estimating probabilities, especially when there are multiple variables or factors involved. There are a number of reasons for this shortcoming including tendencies called cognitive biases, which can impact judgement and decision making (sometimes catastrophically).


Being “calibrated” is a valuable skill when performing any type of quantitative analysis, especially risk analysis, as risk by its very definition involves uncertainty and estimating/calculating probabilities. I am sure you have seen folks struggle when trying to describe cyber risk to a business person in qualitative terms (“high/medium/low” or “critical / non-critical”), or in pseudo-quantitative terms (this risk is a “5” and this one is a “10”). It isn’t very effective and can lead to misinformed decision-making.


Many industries are either looking at or moving toward quantitative analysis. Last year the World Economic Forum actually proclaimed that the world needs to do a better job of quantitatively analyzing/measuring cyber risk. Many of these concepts are new to folks, but I have been studying and applying them for about 6 years and have found a lot of good resources including published material, research, and books (both academic and non) that I can point you to if you ever have a case of insomnia. But if you want a couple of short, good reads, take a look at these two articles:


http://understandinguncertainty.org/node/85


https://en.wikipedia.org/wiki/Calibrated_probability_assessment
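To make concrete what a calibration exercise measures, here is an added example (not part of the original post, and not the scoring method or data from the client session described above). Each answer in an exercise carries a stated confidence; the code scores a round with the Brier score and a per-confidence-bucket comparison of stated confidence against the observed hit rate, using two constructed rounds: an overconfident first attempt and a calibrated second one.

```python
"""Scoring a subjective probability calibration exercise.
Added example with constructed data; not the client's session results."""
from collections import defaultdict


def build_round(spec):
    """spec: list of (stated_confidence, answers_given, answers_correct).
    Expands to a flat list of (confidence, was_correct) assessments, which is
    what a scoring sheet from a calibration exercise reduces to."""
    assessments = []
    for p, n, k in spec:
        assessments += [(p, True)] * k + [(p, False)] * (n - k)
    return assessments


def brier_score(assessments):
    """Mean squared error between stated confidence and outcome (1 or 0).
    0.0 is perfect; answering 50% to everything scores 0.25."""
    if not assessments:
        raise ValueError("no assessments to score")
    return sum((p - (1.0 if ok else 0.0)) ** 2 for p, ok in assessments) / len(assessments)


def calibration_table(assessments):
    """Group answers by stated confidence -> {confidence: (count, hit_rate)}.
    For a calibrated assessor the hit rate tracks the stated confidence."""
    buckets = defaultdict(list)
    for p, ok in assessments:
        buckets[round(p, 2)].append(1 if ok else 0)
    return {p: (len(hits), sum(hits) / len(hits)) for p, hits in sorted(buckets.items())}


def expected_calibration_error(assessments):
    """Count-weighted mean gap between stated confidence and observed hit rate."""
    n = len(assessments)
    return sum(count / n * abs(p - rate)
               for p, (count, rate) in calibration_table(assessments).items())


# Constructed round 1: overconfident. Answers given at "90%" and "70%" are
# right only half the time, so stated confidence exceeds the hit rate.
ROUND_1 = build_round([(0.9, 4, 2), (0.7, 4, 2), (0.5, 4, 2)])
# Constructed round 2: after training, confidence is dialed back until each
# bucket's observed hit rate matches what was stated.
ROUND_2 = build_round([(0.8, 5, 4), (0.6, 5, 3), (0.5, 2, 1)])

if __name__ == "__main__":
    for name, rnd in (("round 1", ROUND_1), ("round 2", ROUND_2)):
        print(f"{name}: Brier={brier_score(rnd):.3f} "
              f"calibration error={expected_calibration_error(rnd):.3f}")
        for p, (count, rate) in calibration_table(rnd).items():
            print(f"  stated {p:.0%}: {count} answers, observed {rate:.0%}")
```

The drop in both scores between the rounds is the kind of "marked improvement" the email refers to: the second round's hit rates line up with the stated confidences.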


  • February 15, 2016
  • Blog

OCR has announced a new cyber-awareness initiative

HHS Office for Civil Rights has just launched a new cyber-awareness initiative. While the details are still limited, at first pass it looks like it could be a useful tool for security managers that are looking for ideas and content for their own training and awareness programs.


January 2016 Topics

  • Ransomware
  • “Tech Support” Scam
  • New Tool: Better Business Bureau (BBB) Scam Tracker

Ransomware – Ransomware is malicious software that, when deployed, effectively walls off data so that it is inaccessible to authorized users. Ransomware frequently infects devices and systems through spam and phishing messages, botnets, exploit kits, compromised websites, and malvertising. Ransomware uses social engineering to get potential victims to click on malicious email attachments or open crafted Short Message Service (SMS or text) messages that lure them to compromised or malicious websites. Ransomware targets businesses and institutions of all sizes, home computers, mobile phones, and other devices.

 

According to the FBI, use of ransomware by cybercriminals has increased significantly recently.  Reports by IBTimes claim that cybercriminals from many different countries are increasing ransomware attacks on U.S. targets.  Also, a joint study conducted by several security firms estimates that creators of “CryptoWall 3.0,” a ransomware, have obtained over $325 million from victims since its January 2015 launch. Fox-IT, a cybersecurity company, reported that “CryptoWall,” “CTB-Locker,” and “TorrentLocker” are three top active ransomware programs.

Cybercriminals charge from hundreds to thousands of dollars to unlock the data, and have been collecting ransom payments using digital payments systems such as “MoneyPak,” “CashU,” “Reloadit,” and “Bitcoin.”

 

To combat the threat of ransomware, Covered Entities and Business Associates should consider:

  • Backing up data onto segmented networks or external devices and making sure backups are current.  
  • Ensuring software patches and anti-virus are current and updated.
  • Installing pop-up blockers and ad-blocking software.
  • Implementing browser filters and smart email practices. 

Resources:

The Department of Homeland Security (DHS):   https://www.us-cert.gov/  – (For Ransomware remediation)

The Federal Bureau of Investigation (FBI):  http://www.ic3.gov/default.aspx  – (To report ransomware schemes)

 

Tech Support Scam –   This scam involves a criminal posing as a computer support technician who makes an unsolicited call to trick a potential victim into believing his/her computer is infected with malware.  The victim is then persuaded to visit websites to download malicious software that gives the criminal the capability to remotely access and control the victim’s machine.  Once the criminal has gained the victim’s trust, the criminal charges hundreds of dollars for “phony” assistance with malicious software removal or for the purchase of fraudulent support plans or software.

 

Other forms of scam tactics have been used besides phone call scams.  These include: pop-up ads seeded into websites that claim a victim’s computer is infected with malware; promoting promises to increase the speed and performance of a victim’s PC, which leads a victim to a malicious website; and malicious search ads that attract an unsuspecting victim seeking online support. 

 

Reports of this type of scam have increased recently, especially among older individuals.  According to Microsoft’s Digital Crimes Unit, tech support scams are the single largest consumer scam perpetrated in America today, with approximately 3.3 million victims and criminals collecting $1.5 billion annually.

 

To combat the threat of this type of scam, Covered Entities and Business Associates should consider training staff to: 

  • Hang up the phone if you are suspicious of the caller.
  • Never allow a third-party to have remote access to your computer if the caller’s authenticity cannot be verified directly through the CE or BA. 
  • Do not trust unsolicited phone calls.
  • Do not provide any personal information over the telephone.
  • Do not download any unknown software or purchase online services.
  • Verify the identity of the caller directly with the CE or BA, or with the company the caller claims to represent.
  • Record the caller’s information and report it to the CE or BA and to law enforcement.

Further, for those who suspect they are a victim of a tech support scam, immediately change passwords for all accounts including email passwords and online banking accounts; and conduct a scan for malware.  In some cases, re-imaging the system would be the best option, to be sure that all malware has been removed.

 

A New Resource for Covered Entities and Business Associates: Better Business Bureau (BBB) Scam Tracker

Earlier this year, the Better Business Bureau launched a website that allows consumers to track scams that have been reported in their area.  This is a free platform for information-sharing and awareness of scams in the United States and Canada.  The website features a “heat map” that shows the number of scams reported in each area, based on area codes.  Also, anyone can use the tracker feature “Report Scam” to provide details such as specific information about the scam; information about the scammer(s); information about the individual(s) scammed; and information about the individual reporting the scam.

There are multiple reportable scam types recognized by the BBB: phone scams, phishing emails, illegal business schemes, and fraud.  Visit the BBB Scam Tracker website https://www.bbb.org/scamtracker/us for additional information.


  • February 9, 2016
  • Blog

The Royal Melbourne Hospital Breach

For over two weeks The Royal Melbourne Hospital has been infected with a variant of the information-stealing Qbot malware, which reportedly entered the organization through a zero-day exploit that targeted the organization's obsolete Windows XP systems. While the organization has struggled to fully eradicate the malware, many of its key systems have been brought back online, according to a statement from the organization.

http://www.zdnet.com/article/qbot-virus-still-attacking-royal-melbourne-hospital/


  • February 8, 2016
  • Blog

Healthcare’s Third Party Cyber Risk Management Issue

What do Target, Home Depot and Goodwill have in common? If you guessed that they all suffered large and embarrassing data breaches due to a 3rd party supplier/vendor, then pat yourself on the back for knowing at least a little about data breach trivia.

All joking aside, for many security leaders these breaches have shone a spotlight on the fact that an organization’s cyber security program is only as good as the weakest link in its supply chain.

By law healthcare providers and other covered entities must require their Business Associates (BAs), and the BA’s subcontractors, to implement the HIPAA Security Rule requirements and adequately safeguard all Protected Health Information (PHI) in their custody. Most of the organizations that we talk to are fully aware of these issues and have well written Business Associate contracts in place. Even so, many still struggle to effectively manage their 3rd party risk due to the fact that they lack any meaningful visibility into their BAs’ security and compliance management programs.

Part of the challenge is that beyond a signature on a contract, organizations still don’t have any real assurance that their suppliers are actually doing what they should be doing. Furthermore, most healthcare providers' security and compliance teams are already stretched thin and lack the resources (and possibly the legal authority) required to conduct security reviews and risk assessments of their BAs. A recent Protiviti study on 3rd party risk management concluded that many organizations lack 1) the skills and expertise, and 2) the right tools and processes to effectively manage their 3rd party risk.

The bottom line is that every Healthcare Provider relies on an ever-changing ecosystem of dozens or even hundreds of business partners to provide cost-effective care to their patients. These partners provide a wide range of business, IT, and medical services that require Providers to share vast amounts of protected information and often to provide direct access to their networks and systems. At a business level, these relationships rely on some level of trust between both parties. That said, these relationships can represent a significant amount of risk to a Provider, making it prudent for all organizations to adopt a “Trust but Verify” strategy when it comes to 3rd party risk management. Given the challenges they face, Providers need a cost-effective way to improve their 3rd party risk visibility, and to receive ongoing assurances from their partners that they are keeping their security and compliance programs up to date.


References:
1. Breaches Affecting More than 500 Individuals | HHS.gov
2. Business Associate Contracts | HHS.gov
3. 2015 Vendor Risk Management Benchmark Study


  • January 29, 2016
  • Blog

IRS Tax Tip#6: Tips for Using Credit Bureaus to Help Protect Your Financial Accounts

We’re continuing to publish the very useful information the IRS is putting out this tax season. Tip #6 is great information to tuck away in an important place, because if you ever suspect you may be a victim of identity theft, this article tells you who you need to call.

https://www.irs.gov/uac/Tips-for-Using-Credit-Bureaus-to-Help-Protect-Your-Financial-Accounts


  • January 13, 2016
  • Blog