Category Archives for "Blog"
Blog articles about the latest technology, threats, attack techniques, and vulnerabilities.
According to the Department of Health and Human Services “The audit program is an important part of OCR’s overall health information privacy, security, and breach notification compliance activities. OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations. The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches. OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.”
So, the questions surrounding Phase 2 are:
WHEN? Currently underway
WHO? Every covered entity and business associate is eligible for an audit. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.
HOW DO THEY CONTACT YOU? Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, we expect you to check your junk or spam email folder for emails from OCR (OSOCRAudit@hhs.gov).
HOW DOES THE AUDIT WORK? OCR plans to conduct desk and onsite audits for both covered entities and their business associates. Audited entities will submit documents on-line via a new secure audit portal on OCR’s website. There will be fewer in person visits during these Phase Two audits than in Phase One, but auditees should be prepared for a site visit when OCR deems it appropriate.
See all information from the Department of Health and Human Services here.
Read the Phase 2 Announcement here.
On March 16, 2016 the Department of Health and Human Services Office for Civil Rights made a statement that says the provider organization lacked a HIPAA-required business associate agreement with the vendor, which had access to protected health information. In addition, the provider had not conducted the HIPAA required enterprise wide risk analysis.
Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says it’s crucial that healthcare organizations develop a vendor management program “that can scrutinize each time that a vendor or contractor is being sought to evaluate if the service provider will be receiving, maintaining or creating protected health information so that the business associate agreement required by the HIPAA standards will be in place.”
Click Here for the full story from Healthcare Info Security
At HealthGuard we have several solutions to help with not only Risk Analysis but also to give much needed visibility to Business Associates. Contact us today!
Health Records contain lots of information that is exciting to a hacker. Your health record contains information from your name, address, birthdate, social security number, email, personal health information, possibly even your credit card. They contain information about your spouse and we all supply at least a name and contact info for an emergency contact. There is a lot of good stuff in there when you look at it from a bad guy perspective!
According to the Ponemon Institute, health records are sold for as much as $363 per record. A small breach of only 1,000 records is a decent-sized payoff for these hackers! The security company RedJack found a set of Medicare ID numbers for 10 beneficiaries online being sold for about $4,700!
While banks and credit card companies can simply cancel a card or set up a new account, hospitals and other medical organizations don’t have a simple process for fixing lost patient data. One simply cannot get a new social security number or change their birthday. “Unlike credit card numbers, healthcare information is non recoverable, and potentially lethal in the wrong hands,” Robert Hansen, the vice president of WhiteHat Security, told the Christian Science Monitor.
Hackers sometimes simply want your medical records for all of that juicy personal data, but there are some who steal records to use a person’s health insurance information to submit fraudulent or fake medical claims.
According to the Ponemon Institute, Healthcare organizations experience, on average, a cyber attack almost monthly (11.4 attacks on average per year) as well as the loss or exposure of sensitive and confidential patient information. However, 13 percent are unsure how many cyber attacks they have endured. Almost half of respondents (48 percent) say their organization experienced an incident involving the loss or exposure of patient information in the past 12 months. As a consequence, many patients are at risk for medical identity theft.
The US has seen an explosion in the digitization of healthcare over the last 10 years. We have seen the Electronic Health Record (EHR) adoption rate grow to over 97%, and network-attached medical devices become commonplace. While all of this new technology has many benefits, it has not come without a price. Since mid-2009 there have been over 152 million electronic patient records breached. Earlier this year a hospital in Hollywood, California had its network, including multiple critical patient care systems, hacked and held for ransom. In the last seven years, the government has handed out over $32.5M in civil monetary penalties to organizations not meeting HIPAA compliance, and billions of dollars of class action suits have been filed by victims whose information was lost.
In this morass of issues, there are three key challenges confronting Healthcare providers:
1. Monitoring the organization’s regulatory compliance.
2. Monitoring the organization’s cyber security readiness.
3. Accurately identifying, quantifying and communicating risk in terms all stakeholders can understand.
To address these issues, HealthGuard has developed the Cyber MRI; the industry’s first quantitative cyber risk management platform designed from the ground up for healthcare providers.
• Fast time to value – the Cyber MRI is an affordable, and easy to use system that allows providers to get up and running in hours, not days or weeks.
• Customizable – Its modular design makes it customizable for the needs of any customer. You only buy what you need.
• Improved visibility – the Cyber MRI gives unparalleled visibility into the organization’s risk issues, enabling better insights and better decision making.
Want more information? Click Here
We recently took a client through a subjective probability assessment calibration training session and upon seeing their results (below), they asked the question “what do these numbers mean?”
I responded with a brief email that I thought was worth sharing because it helped them have a better understanding of the “numbers” and their significance (or so they said). Here is what I sent them.
“Kevin, Good question. These numbers essentially mean that the five of you collectively, and for the most part individually, are capable of providing fairly accurate subjective probability assessments (the group showed marked improvement between the first and the last exercises).
This is important because as we discussed, humans are generally very bad at estimating probabilities, especially when there are multiple variables or factors involved. There are a number of reasons for this shortcoming including tendencies called cognitive biases, which can impact judgement and decision making (sometimes catastrophically).
Being “calibrated” is a valuable skill when performing any type of quantitative analysis, especially risk analysis, as risk by its very definition involves uncertainty and estimating/calculating probabilities. I am sure you have seen folks struggle when trying to describe cyber risk to a business person in qualitative terms (“high/medium/low” or “critical / non-critical”), or in pseudo-quantitative terms (this risk is a “5” and this one is a “10”). It isn’t very effective and can lead to misinformed decision-making.
Many industries are either looking at or moving toward quantitative analysis. Last year the World Economic Forum actually proclaimed that the world needs to do a better job of quantitatively analyzing/measuring cyber risk. Many of these concepts are new to folks, but I have been studying and applying them for about 6 years and have found a lot of good resources including published material, research, and books (both academic and non) that I can point you to if you ever have a case of insomnia. But if you want a couple of short, good reads, take a look at these two articles:
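As an added example (not part of the original post or the quoted email), one way to score a calibration exercise like the one described above: each answer is a stated probability that a statement is true plus the actual outcome, the Brier score and per-bucket hit rates show whether the group is calibrated, and comparing the first and last exercises shows improvement. The answer data below is constructed.

```python
"""Score a subjective probability calibration exercise (constructed data)."""
from collections import defaultdict

# Constructed sample answers: (stated probability the statement is true, actual outcome)
EXERCISE_FIRST = [
    (0.9, 1), (0.9, 0), (0.9, 0), (0.9, 1), (0.9, 0),
    (0.7, 1), (0.7, 0), (0.7, 0), (0.7, 0),
    (0.5, 1), (0.5, 0), (0.5, 1),
    (0.3, 1), (0.3, 1), (0.3, 0),
]
EXERCISE_LAST = [
    (0.9, 1), (0.9, 1), (0.9, 1), (0.9, 1), (0.9, 0),
    (0.7, 1), (0.7, 1), (0.7, 0), (0.7, 1),
    (0.5, 1), (0.5, 0), (0.5, 1),
    (0.3, 0), (0.3, 1), (0.3, 0),
]


def brier_score(answers):
    """Mean squared gap between stated probability and outcome; 0 is perfect."""
    return sum((p - outcome) ** 2 for p, outcome in answers) / len(answers)


def calibration_table(answers):
    """Observed hit rate and sample count for each stated probability.

    A calibrated assessor's hit rate is close to the stated probability in
    every bucket, e.g. statements rated 0.9 come true about 90% of the time.
    """
    buckets = defaultdict(list)
    for p, outcome in answers:
        buckets[p].append(outcome)
    return {p: (round(sum(v) / len(v), 2), len(v)) for p, v in sorted(buckets.items())}


def improvement(first, last):
    """Drop in Brier score from first to last exercise; positive means better calibrated."""
    return round(brier_score(first) - brier_score(last), 4)


if __name__ == "__main__":
    for name, data in (("first", EXERCISE_FIRST), ("last", EXERCISE_LAST)):
        print(name, "Brier:", round(brier_score(data), 3), calibration_table(data))
    print("improvement:", improvement(EXERCISE_FIRST, EXERCISE_LAST))
```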
HHS Office for Civil Rights has just launched a new cyber-awareness initiative. While the details are still limited, at first pass it looks like it could be a useful tool for security managers that are looking for ideas and content for their own training and awareness programs.
January 2016 Topics
• “Tech Support” Scam
• New Tool: Better Business Bureau (BBB) Scam Tracker
Ransomware – Ransomware is malicious software that, when deployed, effectively walls off data so that it is inaccessible to authorized users. Ransomware frequently infects devices and systems through spam and phishing messages, botnets, exploit kits, compromised websites, and malvertising. Ransomware uses a social engineering trick to get potential victims to click on malicious email attachments or open crafted Short Message Service (SMS or text) messages, which lure them to compromised or malicious websites. Ransomware targets all sizes of businesses and institutions, home computers, mobile phones, and other devices.
According to the FBI, use of ransomware by cybercriminals has increased significantly recently. Reports by IBTimes claim that cybercriminals from many different countries are increasing ransomware attacks on U.S. targets. Also, a joint study conducted by several security firms estimates that creators of “CryptoWall 3.0,” a ransomware, have obtained over $325 million from victims since its January 2015 launch. Fox-IT, a cybersecurity company, reported that “CryptoWall,” “CTB-Locker,” and “TorrentLocker” are three top active ransomware programs.
Cybercriminals charge from hundreds to thousands of dollars to unlock the data, and have been collecting ransom payments using digital payments systems such as “MoneyPak,” “CashU,” “Reloadit,” and “Bitcoin.”
To combat the threat of ransomware, Covered Entities and Business Associates should consider:
The Department of Homeland Security (DHS): https://www.us-cert.gov/ – (For Ransomware remediation)
The Federal Bureau of Investigations (FBI): http://www.ic3.gov/default.aspx – (To Report ransomware schemes)
Tech Support Scam – This scam involves a criminal posing as a computer support technician that makes an unsolicited call to trick a potential victim into believing his/her computer is infected with malware. A victim is then persuaded to visit websites to download malicious software that gives the criminal the capability to remotely access and control the victim’s machine. Once the criminal has gained the victim’s trust, the criminal charges hundreds of dollars for “phony” assistance with malicious software removal or for the purchase of fraudulent support plans or software.
Other forms of scam tactics have been used besides phone call scams. These include: pop-up ads seeded into websites that claim a victim’s computer is infected with malware; promoting promises to increase the speed and performance of a victim’s PC, which leads a victim to a malicious website; and malicious search ads that attract an unsuspecting victim seeking online support.
Reports of this type of scam have increased recently, especially among older individuals. According to Microsoft’s Digital Crimes Unit, tech support scams are the single largest consumer scam perpetrated in America today, with approximately 3.3 million victims and criminals collecting $1.5 billion annually.
To combat the threat of this type of scam, Covered Entities and Business Associates should consider training staff to:
Further, for those who suspect they are a victim of a tech support scam, immediately change passwords for all accounts including email passwords and online banking accounts; and conduct a scan for malware. In some cases, re-imaging the system would be the best option, to be sure that all malware has been removed.
A New Resource for Covered Entities and Business Associates: Better Business Bureau (BBB) Scam Tracker – Earlier this year, the Better Business Bureau launched a website that allows consumers to track scams that have been reported in their area. This is a free platform for information-sharing and awareness of scams in the United States and Canada. The website features a “heat map” that shows the number of scams reported in each area, based on area codes. Also, anyone can use the tracker feature “Report Scam” to provide details such as specific information about the scam; information about the scammer(s); information about the individual(s) scammed; and information about the individual reporting the scam.
There are multiple reportable scam types recognized by the BBB: phone scams, phishing emails, illegal business schemes, and fraud. Visit the BBB Scam Tracker website https://www.bbb.org/scamtracker/us for additional information.
For over two weeks The Royal Melbourne Hospital has been infected with a variant of the information-stealing Qbot malware, which reportedly entered the organization through a zero-day exploit that targeted the organization’s obsolete Windows XP systems. While the organization has struggled to fully eradicate the malware, many of its key systems have been brought back online according to a statement from the organization.
What do Target, Home Depot and Goodwill have in common? If you guessed that they all suffered large and embarrassing data breaches due to a 3rd party supplier/vendor, then pat yourself on the back for knowing at least a little about data breach trivia.
All joking aside, for many security leaders these breaches have shed a spotlight on the fact that an organization’s cyber security program is only as good as the weakest link in their supply chain.
By law healthcare providers and other covered entities must require their Business Associates (BAs), and the BA’s subcontractors, to implement the HIPAA Security Rule requirements and adequately safeguard all Protected Health Information (PHI) in their custody. Most of the organizations that we talk to are fully aware of these issues and have well written Business Associate contracts in place. Even so, many still struggle to effectively manage their 3rd party risk due to the fact that they lack any meaningful visibility into their BAs’ security and compliance management programs.
Part of the challenge is that beyond a signature on a contract, organizations still don’t have any real assurance that their suppliers are actually doing what they should be doing. Furthermore, most healthcare providers’ security and compliance teams are already stretched thin and lack the resources (and possibly the legal authority) required to conduct security reviews and risk assessments of their BAs. A recent Protiviti study on 3rd party risk management concluded that many organizations lack 1) the skills and expertise, and 2) the right tools and processes to effectively manage their 3rd party risk.
The bottom line is that every Healthcare Provider relies on an ever-changing ecosystem of dozens or even hundreds of business partners to provide cost-effective care to their patients. These partners provide a wide range of business, IT, and medical services that require Providers to share vast amounts of protected information and often provide direct access to their networks and systems. At a business level, these relationships rely on some level of trust between both parties. That said, these relationships can represent a significant amount of risk to a Provider, making it prudent for all organizations to adopt a “Trust but Verify” strategy when it comes to 3rd party risk management. Given the challenges they face, Providers need a cost-effective way to improve their 3rd party risk visibility, and to receive ongoing assurances from their partners that they are keeping their security and compliance programs up to date.
1. Breaches Affecting More than 500 Individuals | HHS.gov
2. Business Associate Contracts | HHS.gov
3. 2015 Vendor Risk Management Benchmark Study
Once again more great tips from the IRS. Read their article and check back below.
Just how do you Encrypt personal files at home? There are many ways, but here is a link to download a free encryption software that works well for your home PC.
We are loving the Security Tips the IRS is putting out this season! Here is the link to tip #7 which discusses safety while online. Learn what to look for to find out if a site is secure and great reminders on who and who not to trust online!