Podcast: Play in new window | Download
Episode 12 What Does Windows 7 EOL Mean to HIPAA, the Heart Ache After a Ransomware Attack and Encryption for HIPAA
This is the ProactiveIT Podcast. This Week: The latest in IT and Cyber Security news plus What Does Windows 7 EOL Mean to HIPAA, the Heart Ache After a Ransomware Attack and Encryption for HIPAA
This is Episode 12!
Hi Everyone and welcome to the Proactive IT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real world examples to learn from so that you can better protect your business and identity.
This podcast is brought to you by Nwaj Tech – a client focused & security minded IT Consultant located in Central Connecticut. You can find us at nwajtech.com.
Patch Tuesday Update:
Microsoft Releases January 2020 Office Updates With Crash Fixes
Python 2.7 has reached EOL
Windows 7 EOL is on Patch Tuesday 1/14
Juniper Networks Releases Security Updates
Cisco Releases Security Updates for Multiple Products
Cyber Security News
Update: Attackers Are Scanning for Vulnerable Citrix Servers, Secure Now
TrickBot Gang Created a Custom Post-Exploitation Framework
Google Ditches Patch-Time Bug Disclosure in Favor of 90-Day Policy
4 Ring Employees Fired For Spying on Customers
City of Las Vegas wakes up to a cyber attack
Topic 1: The Hidden Cost of Ransomware: Wholesale Password Theft
Topic 2: Is Windows 7 HIPAA compliant?
Topic 3: These hacking groups are eyeing power grids, says security company
HIPAA Corner: Encryption
This is the proactiveIT podcast this week the latest in tech and cyber security news. Plus work does windows seven and a life mean to HIPAA, the hardik after a ransomware attack and encryption for HIPAA. This is Episode 12. Hi everyone and welcome to the proactive it podcast. Each week we talk about the latest in tech and cyber news compliance and more. We also bring your real world examples to learn from so you can better protect your business and identity. This podcast is brought to you by and watch tech a client focused and security minded IT consultant located in Central Connecticut. You can find us at no wash tech com that’s NW Aj tech.com. Or let’s start with what we always start with Patch Tuesday updates. The Microsoft Windows Update will be patched Tuesday update will be January 14, which corresponds with Windows seven and Windows Server 2008 are to end of life. So if you’re still using seven or 2008 or two, it is time to move on update to Windows 10 or to server 2016 or 2019. They will offer extended support for Windows seven, but it’s really more beneficial to move on to Windows 10. We’re going to talk more about Windows seven. Later on in this episode, Microsoft did release an update for office Microsoft Office. Firefox did update to 72 point 0.1. Now that’s important because there was an update to 72 there were issues with 72 They updated almost immediately just 72 point 0.1. As I mentioned last week, Python 2.7 has reached end of life. The last update will be I believe it was April, and then they will move on. So update to Python three Juniper Networks released some security updates, as did Cisco. So for multiple products for Cisco, so go check out those updates. Get them applied ASAP. We will talk about the windows. Microsoft Windows Updates more next week. So that’s it for the updates this week. Let’s move along. Alright, first up for the news for the week. There are hackers attackers will use the word attackers scanning for vulnerable Citrix servers you should secure them now. On bleeping computer we did report this vulnerability a couple of weeks ago, security researchers have observed ongoing scans for Citrix application delivery controller, netscaler ADC and Citrix gateway netscaler gateway and there’s a few different versions of those that are impacted. Servers vulnerable to attacks exploding CVE 2019 1971. During the last week, this vulnerability impacts multiple Citrix products and it could potentially expose networks of over 80,000 firms to attack hacking attacks. According to a positive technologies report from December. They found 80,000 at least 80,000 companies in 158 different countries, potentially at risk, top five countries, number one being united states 38% of all vulnerable organizations then you followed by UK, Germany, Netherlands and Australia. There are no public exploits available yet. I use the word yet but there are people scanning for these networks as we speak. So, you can expect there to be an attack there is mitigation measures there is no patch as of yet from Citrix, but there are mitigation measures. You should go to the Citrix site, the Citrix support site and follow the steps to mitigate the risk that exists right now with Citrix. netscaler Citrix application delivery controller. Moving along bleeping computer trick bot gang created a custom post exploitation framework. So essentially, trick bot has decided to stop using or at least in this instance, instance stop using pre made and well known tool kits and they have created their own tool kit, tool kit post exploitation toolkit. So trick bot is a banking Trojan. It is known for stealing credentials in gaining access and what’s what’s even scarier is that trick bot is able to do more than just steal credentials. And usually when trick bot gets gets on a network, it does all a bunch of different things and eventually you know, your your data is stolen and you have ransomware in your computer, on your network. So you you they’re evolving, I guess you could say. So now the trick bot is creating their own frameworks. And they are using this in the wild now. So that is on bleeping computer. You can read more about it, but just know that trick bot is evolving and getting more sophisticated threat posts. This is good news. We have some good news to this week. See, Google ditches patch time bug disclosure and favor of 90 day policy. So what what is going on here a used to be that if Google found a vulnerability, the city found a Microsoft vulnerability and Microsoft patched that vulnerability. Zero Dave vulnerability that is and a patch that vulnerability. A week after Google founded Google would then notify the rest of the world about this zero day. And the problem with that is it didn’t give people that were using those products time to look into the patch. And what you know, tested on a small part of their network to make sure that it didn’t just didn’t break anything else. And really just didn’t give anybody a chance to work with with the update. So now Google has decided that they will wait the full 90 days as they do with zero days that don’t get patched. So if you have a zero day, it gets patched on day 20. They will wait for 90 days to go public with that, that vulnerability. So that’s kind of good news. It’s gives it gives product it gives the owners of those products time to deal with the patching, assuming that the vendor does take care of that patch in a relatively short period of time. On bleeping computer we have what do we have? Oh, the travel x update. So Travelex, you may have heard we’ve talked about it on the show a few times. Already in the last since New Year’s Eve. They were hit with a ransomware attack on New Year’s Eve it is this soda. Soda no kibby ransomware. Soda keavy demanda $3 million. To this point. It is now January 10. So 11 days later, they still have not paid that ransom. They still have not recovered. They are still down. So no website no currency exchange. Travelex is a currency exchange service in UK, they are down so don’t a keyboard says that they did still data five gigs of data, and that they will release it to the public if they if Travelex doesn’t pay up so initially demanded 3 million they are now demanding $6 million or the equivalent of $6 million in Bitcoin. They claim to have dates of birth, social security numbers, credit card numbers and other information. This was sold on a key be told this to bleeping computer so they are now looking for $6 million, rather than $3 million. And as of this moment travel x is still not paid the ransom and I wouldn’t recommend that they do. But it’s now a $6 million ransom and they are now looking at even bigger issues. So if now it does say an article if the data is released to attack will need to be classified as a data breach. notifications and free monitoring services will need to be offered GDPR funds would likely would be likely as Are the risk of clacks class action lawsuit? So you can imagine, you know, now they’re balanced, they’re trying to determine is $6 million? Or is do we deal with the fallout from this? If if, in fact, the people do have the data they claim to have now, I told you guys a few weeks ago, this was going to be the trend moving forward. And here we’re seeing it again. We’ve seen it a few times in the last few weeks. So here, here it is, again, they’re threatening it. It’s it’s not known if they’re going to, if they have the data, and if they’re going to honor that threat, we will see threat post for ring employees fired for spying on customers. So we’ve talked about ring cameras, and the cameras being I don’t the word hack isn’t really appropriate because essentially what has happened is users of the cameras were not using strong password policies that did not activate two factor authentication and people compromise their camera. Russ so from threat post again ring said that four employees were fired because their of their inappropriate access to customers connected video feed smart doorbell company ring, which of course is owned by Amazon said that it has fire for employees over the past four years. For an appropriately accessing custom video footage. This disclosure comes in recent letter to senators in response to a November inquiry into the company’s data policies from Amazon own rinda as it attempts to defend the privacy of its platform, which has been plagued by data privacy incidents over the past year, and let it ring said the former employers were authorized to view video data, but their attempted access to the data exceeded what was necessary for their job function. In each instance one once ring was made aware of the alleged conduct ring properly investigated the incident and After determining that the individual violated company policy terminated individual according to rings January six letter obtained by motherboard in addition Taking swift action to investigate and take appropriate disciplinary action. To each of these cases ring has taken multiple actions to limit such data access to a smaller number of team members. So ringside employees have access to live feeds only when customers granted permission solely for troubleshooting a device issue. The company set up periodically reviews the access privilege that it grants to employers to verify their need for customer data access. It’s not clear how long each employee was able to view the fields, or how many customers were impacted. Threat post has reached out to Amazon for further details. However, ring isn’t alone in facing challenges around weeding out employees who may be accessing sensitive personal data in May to 2019. A report outline how snapped employees were abusing their access to private user data which includes location data, safe snaps and phone numbers and a report in 2018 found that Facebook had fired an employee who allegedly abused his access to data to stalk women. So you know ring his ring is really kind of taking it taking a hit for Team lately. It’s a good product. I don’t know, you know what will come of this? I’m sure that that Amazon will find their way through it navigate their way through it. They don’t, you know, there’s not a lot that Amazon did wrong. Again, the that the hacking will call it hacking for the purpose of this podcast of the cameras was not any fault of the drone, they didn’t tell the users to use the same username and password that they use for everything else. They didn’t tell users to not use two factor authentication. Maybe they could highlight that option a little better. Maybe they can educate their their customers a little better. But overall, I don’t think Amazon can be blamed for that and then you know, people are going to do what people do. And then finally, we talked about it a few days ago city of Las Vegas was hit what a what a cyber attack. Still no confirmation as to what that was but CD net city of Las Vegas said it successfully avoided devastating cyber attack, a security breach that took place on January 7. The city said it detected intrusion intrusion in time to prevent any damage so the attack began on 4:30am Tuesday morning January 7, and IT staff immediately detected the intrusion took steps to protect impacted systems in the city responded by taking several services offline including his public website which is still down at the time of the writing the writing is on January 9, so yesterday. City officials have not disclose any details about the nature of the incident but local press reported that it might have involved an email delivery vector and subsequent statement published on Twitter on Wednesday, the city confirmed resumed full operations with all data systems functioning as normal thanks to our software security systems and fast action by our our IT staff. We were fortunate to avoid what had the potential to be devastating situation and said we do not believe Any data has was lost from our systems and no personal data was taken we are unclear as to who was responsible for the compromise, but we will continue to look for potential indications. The city also added so you can expect that within a couple of days of the city of Las Vegas. Investigating we will be we will become we will be made aware of what the attack was exactly. But the good news is it looks to be minimal damage caused by this attack. So, good job by the fast acting IT team Good job by the city of Las Vegas of making sure there was minimal impact. Alright, that wraps up the news. We’re going to move around on to our focus topics for the week. Alright, our first topic of the week comes from Krebs on security calm. And this is regarding a November 9 2019 ransomware attack to hit virtual care provider Inc. in believe it was Wisconsin, where it turns out that impacted 110 clients of theirs. So virtual care provider anchors in MSP they were hit by the ryoka ransomware strain in this in turn, spread to 110 of their clients and took down most of their clients in the process. Now, the the president of the company Karen Christianson has been very upfront didn’t, you know, didn’t hide didn’t run and did whatever they could do. And so krebbs talk to her, and it’s actually pretty interesting conversation but there’s an MPC an important piece of information in this conversation. So the title of the blog post is the hidden costs of ransomware. wholesale password theft. So organizations in the throes of cleaning up after ransomware outbreak typically will change passwords for all user accounts that have access to any email system servers and desktop workstations within their network. But all too often ransomware victims fail to grasp the crooks behind these attacks, can and frequently do siphon every single password stored on each infected endpoint. So I always tell people, you know, don’t store your passwords in Google Chrome, you’re going to see why in a minute. The result of this oversight may have may offer attackers way back into the affected organization access to financial and healthcare accounts, or worse yet, key tools for attacking the victims, various business partners and clients. In mid November 2019, Wisconsin based virtual care provider Inc VCP for short, was hit by the Rio Grande somewhere strange the CPI manages the IT system for some 100 10 clients that serve approximately 2400 nursing homes in 45 US states, the CPI declined to pay the multimillion dollar ransom. demand and by their extortionist and the attack cut off many of those elder care facilities from their patient records, email and telephone service for days or weeks while the CPI rebuilt its network. Just hours after the story was published the CPI chief executive and owner Karen Christus, and reached out to say she hoped I would write a follow up since piece about how they recovered from the incident. My reply was that I considered doing so if there was something in their experience that I thought others could learn from their handling of the incident. I had no inkling at the time of how much I would learn in the days ahead. So earIy emails on December 3, I contacted Christiansen to schedule a follow up. interview. This is Krebs again. Krebs on security com. A follow up interview for the next day on the morning of December 4 less than two hours before my scheduled call with dcpi and more than two weeks After the start of the ransomware attack, I heard via email from someone claiming to be part of the criminal group that lands the Rio Grande somewhere inside VCP. The email was unsettling because its timing suggested that whoever sent it somehow knew I was going to speak with dcpi. Later that day, this person said they wanted me to reiterate a message. They just sent to the owner of ecpi, stating that their offer of a greatly reduced price for a digital key needed to unlock servers and workstations seized by the malware would expire soon if the company continued to ignore them. Maybe you chat to them. Let’s see if that works. The email suggested the anonymous individual behind that communication declined to provide proof that they were part of the group that held VCP eyes network for ransom, and after an increasingly combative and personally threatening exchange of messages soon stopped responding to request for more information. We were bitten with releasing evidence before us hence we have stopped this evening in our ransom stay anonymous person rope. If you want proof, we have hacked two systems as well. You may confirm this with them. We haven’t seen any media articles on this and as much you should be the first to report it, we are sure they are just keeping it under wraps security news site bleeping computer reported on T systems right with ransomware attack on December 3. In our December 4 interview VCP is acting chief information security officer Mark Schaefer, Mark Schaefer, Cisco at Wisconsin based SBA consultant confirmed that company received a nearly identical message that same morning and that the voting seemed very similar to the original extortion demand the company received. However, Schaefer assured me the VCP I had indeed rebuilds it’s rebuilt it small network, or I’m sorry, it’s rebuilt its email network following intrusion and strictly use the third party service to discuss remediation efforts with other sensitive topics. Like a company battling a country Christian said said several factors stopped the painful radio grants and were attacked from morphing into a company ending event for starters, she said, an employee Spotify suspicious activity on the network in the early morning hours of Saturday, November 16. She said that employed then immediately alerted higher ups within VCP, who ordered a complete and immediate shutdown of the entire network. The bottom line is at 2am. On a Saturday, it was still a human being who saw a bunch of lights and had enough presence of mind to say someone else might want to take a look at this, she said, the other guy called said he didn’t like it either and call the Chief Information Officer at 2:30am, who picked up his cell phone and said shut it off from the internet. Schaefer said another mitigating factor was that VCP I had gone tracted with a third party roughly six months prior to the attack to establish off site data backups that were not directly connected to the company’s infrastructure. The authentication for that was entirely separate. So the lateral movement of the intruders didn’t allow them to touch that Schaefer said Schaefer said to move up to move to third party data backups coincided with a comprehensive internal review that identified multiple areas where VCP could hardened its security but That the attack is hit before the company could complete work in some of those action items. We did a risk assessment which was pretty much spot on. We just needed more time to work on it before we got hit. He said we were doing the right things just not fast enough. If we’d had more time to prepare, it would have gone better. I feel like we were company battling a country it’s not a fair fight. And and and once you’re targeted, it’s pretty tough to defend wholesale password theft. Just after receiving a tip from a reader about the ongoing Rioch infestation of ecpi Krebs on security contacted the walkie based hold security to see if its owner Alex Holden, had any more information about the attack, hold and said his team had previously intercepted online traffic between and among multiple ransomware gangs and the victims and I was curious to know if that had held true in the VCP attack as well. Sure enough, Holden quickly sent over several blogs blogs of data suggesting the attackers had breach VCP is network on multiple occasions over the previous 14 months, so more than a year, they were in there. While does include while it is clear that the initial breach occurred 14 months ago, the escalation of the compromise didn’t start until around November 15 of this year, which is 2019. Holden said at the time when we looked at this in retrospect during these three days, cyber criminals slowly compromised the entire network disabling antivirus running customized scripts and deploying ransomware. They didn’t even succeed at first, but they kept trying hold and said it appears. The intruders laid the groundwork for VCP are using email to a powerful malware tool, typically disseminated via spam. Email tech continues to be among the most costly and destructive malware reads a July 2018 folder under malware from the US Department of Homeland Security it’s warm like features result in rapidly spreading network wide infection which are difficult to combat. According to Holden, after using a motet to Privacy API servers and endpoints for ransomware attack. The intruders deployed in module the motek called checkbox, which is a bank and children often use to download other malware and harvest passwords from infected systems. So you can see how sophisticated This is. Indeed Holden shared records of communication VCP is tormentors suggesting data at least trick bot to steal passwords from infected VCP I endpoints that the company used to log in at more than 300 websites and services including identity and password management platforms. Auto and last past multiple personal and business banking portals, Microsoft Office 365 direct deposit and Medicaid billing portals cloud based health insurance management management portals numerous online payment processing services cloud based payroll management services, prescription management services, commercial phone internet and power services, medical supplies services state and local government competitive bidding portals online content distribution networks shipping and postage accounts Amazon, Facebook, LinkedIn, Microsoft and Twitter accounts. Toward the end of my follow up interview with Shaffer and VCP is Christian soon I shareholders list of sites for which the attackers had apparently stolen internal company credentials. At that point Christian pseudo abruptly ended the interview and got off the Line saying she had personal matters to attend to share for thank me for sharing the list. Noting that it looked like VC pie probably now had a few more notifications to do. Moral the story companies that experiencing ransomware attack or, or for that matter, any type of equally invasive malware infestation should assume that all credentials stored anywhere on the local network, including those saved inside web browsers and password managers are compromised and needs to be changed or the abundance of caution. This process should be done from a pristine preferably non Windows based system that does not reside within a network compromised by the attackers. In addition, full use should be made of the strongest method available for securing these passwords with multi factor authentication. So that again, as I Krebs on security.com go check that out because it’s a, it’s really a big lesson in how to better protect your information was not the case here. And so or maybe it seems like they were taking the appropriate steps. They just hadn’t gotten there yet. But what also seems to have failed is not realizing that more was compromised than they originally thought. All right, next up, I mentioned earlier in the update the Patch Tuesday update that there is that Windows seven end of life is coming up next week Tuesday to be exact. So here’s the dilemma windows seven end of life and HIPAA dilemma. This is a blog post on wash tech. com. So on January 14 2020, Microsoft will end support for Windows seven and Windows Server 2008 are two that means after the next Patch Tuesday, Windows seven and 2008 are two will no longer receive regular security updates. So what does that mean for health care practices who still use Windows seven or server 2008 or two security risk assessments are required part of HIPAA compliance program. As part of this area, you should be identifying any technology that is at risk of being vulnerable to exploits and cyber threats. Now, we hear all the time about hospital equipment, medical equipment that hasn’t been updated and then becomes vulnerable and there was even a HIPAA breach, I believe last week where some radiology equipment was compromised. This applies to Microsoft Windows two so windows seven and server 2008 are to have already been exposed to very large ransomware attacks in the past. Many windows seven computers remain on patched to those threats. As of October 2019, Windows seven still held 27% of the Windows, Microsoft Windows market share it Leave that the share will still be 13% by 2021, which turns out to be about 100 million computers. That’s a lot of potential targets a year after security updates stop, Windows seven and server 2008 or two will no longer be a secure option for your business once regularly. Once regularly security updates once regular security updates stop, vulnerabilities will be discovered these vulnerabilities will allow cyber attackers to gain access to your computers. Once the attackers gain access to a computer on your network, it becomes easier to gain access to everything else. A high level overview of life after windows seven support. We have seen numerous cases of attackers hanging around in business networks I just talked about one for years before we can have it. There were several well publicized incidents just last year had talked about one earlier there’s podcast A few months after windows seven server 2008 support as there will likely be vulnerability Is to vulnerabilities might make it easier for attackers to gain access to those windows seven computers. Once the attackers gain access to even one computer in your organization, they will take their time to figure out if you have anything of value, which is primarily data data is gold data is gold, it’s probably worth more than gold at this point. And they will figure out how to best exploit this, it’s likely that they will utilize tools many of which are free, or very clean, or very cheap sorry to gain admin level access to your network. Now that they have admin access, they will likely steal your data and store it where they can access again, if your network has access to any other valuable and the attackers mind assets that they will also exploit this. Once they are confident that they have the gold which is data, they will most likely watch a ransomware attack. All your data will be encrypted the attackers will demand a ransom and probably threatened to expose the data they stole if you did not pay up. Even if you have a great backup disaster recovery plan in place your stuff exposed businesses now our risk of being destroyed. 60% of businesses closed six months after a data breach. Even if you do survive, you will lose customers your business reputation will take a big hit. Compliance will crush you if you’re on Windows seven. If you’re a health care provider, law firm financial firm or other regulated business, you’re going to be in a even worse shape. From a HIPAA perspective, the OCR could view this as negligence if you perform this the required security risk assessment risk assessment then you should have identified that Windows seven server 2008 or two will be at risk after January 14 2020. If you did not address this, it can look if you did not address it. This can look as though you did not follow the recommendations from your own Sri. More likely you didn’t conduct NSR as required under hip but the fact that you still have windows seven on your network is a good indication that you do not have it or are ignoring the advice of it. Doing so is just a mental detrimental to your practice and even more importantly, your patient This is good indication that you do not have a HIPAA compliance program in place. The good news is the OCR will probably provide technical assistance. The first time they visit. If they do this, you should heed their advice the second time won’t be as pretty. It’s not about HIPAA. It’s not about the HIPAA potential fine. I say this because financial penalties seem to scare some health care practices. The truth of the matter is you’re in business that requires you are you to care for your clients. Part of caring for your clients is protecting them and the IT world a good it vendor will go above and beyond to secure educate and mitigate risk to their technology and data. And healthcare you go to great lengths to protect your clients confidentiality, integrity and availability of their health records. The same is true and legal and financial. If you’re in business to care for someone you should take care of their sensitive data as well. It’s about taking care of people is Windows seven HIPAA compliant. So that’s the big question here. The short answer is after January 14 2020. It will be considered unnecessary and avoidable risk. It will not be HIPAA compliant to use Windows seven, server 2008 or two even if you follow best practices. So even if you have backups in place encryption, setup, security software and all that other stuff you are, you’ll still be out of compliance, you can purchase an extended support plan for Microsoft for the but for the price and potential risk, it makes more sense to just upgrade to Windows 10. So final thought windows seven and server 2008 or two windows seven was one of my favorite Microsoft operating systems. It was stable. It worked well. It was a great improvement over Vista. It’s time has sailed. It has been a risky operating system for years now. It was a big target for the wanna cry ransomware outbreak that caused many businesses to go into a frenzy. Even if you were not hit by want to cry, you probably spent a lot of money mitigating the risk. The longer you keep windows seven server 2008 or two on your business network, the bigger the risk becomes, it’s time to move on. It’s time to take care of your business and clients. So that’s on the way. Tech website, you can go read it. And you know, tell me Is it is it HIPAA compliant or not? Okay, and the last bit of last topic for today, on Zd net these hacking groups, our are eyeing power grids security company cyber security company wars, the hackers are investigating industrial control systems associated with power infrastructure. At least three hacker groups have the capability to interfere with or disrupt power grids across the US in a number of cyber criminal operations. Targeting electricity and other utilities is on the rise. According to a new report on the state of industrial control systems. Cyber security company, Drago said the political and military tensions in the Gulf appear to coincide with a rising interest in hacking groups targeting electricity grids, power companies and other systems related to utilities in the US the threat landscape focusing on electric utilities in North America is expansive and Increasing led by numerous intrusions into ICS systems for reconnaissance and research purposes in ICS. Activity groups demonstrating new interests in the electric sector warned its North American electric cyber threat perspective report. The report notes that the security researchers are tracking seven groups that target electrical facilities in North America and that three of these have demonstrated the capability to infiltrate or disrupt electrical power networks. While dragos doesn’t attach attribute which nation states or cyber cyber criminal groups could be behind these attacks. The company has outlined three operations that show evidence of disruption capabilities xeno time, D Malloy and electrum. As you know, time is the hacker group behind the Triton cyber attack that disrupted oil and gas facilities and cyber Saudi Arabia in 2017. This attack was tailored towards try conics safety controllers and researchers warned that the incident represented an escalation of ICS attacks due to authorities. Mental catastrophic capabilities and consequences. Since then, zero time has expanded activity to include electric facilities in North America alongside utilities across Europe, Australia in the Middle East. The group has repeatedly demonstrated its ability to access, operate and conduct attacks in an industrial environment and drag us believes the group capable of attacks against us based systems. demonoid is described as a highly aggressive and capable activity group with the ability to achieve long term and persistent access to it and operational environments for both intelligence gathering and possible disruption. Victims of the group’s hacking campaigns have already been discovered in Turkey, Europe and North America. It’s suggested that the Malloy has links to the dragon fly hacking group. A third group electrum is also described as capable of developing malware that can modify modify electronic equipment processes, and ICS controlled wallet mostly focused previously attacks on Ukraine. Including causing power outages in winter. It is described as well resourced in drag was warned that the group is capable of physically disruptive events, North American electric utilities should consider electrum to be a serious threat was the paper. While the report states that there have been some minor improvements to the security of the systems, there’s been, there’s still more to be done. But simple security practices like segmenting networks, installing security patches, not using default passwords, inquiring two, factor authentication and systems inside industry environments would go a long way towards protecting against these kinds of cyber attacks. So pretty interesting. The ICS systems are still capable, still a potential threat. We know we’ve seen the frenzy that occurs after a massive power outage in the US. There hasn’t been one in a little while other than weather related. And the last major one I think was maybe early 2000s But I do remember the panic tested in after. So, electric companies electric grid, so I should say need to you need to do a better job preparing for not doing those simple things that I just listed off. Right It’s time for the HIPAA breach report. It was quiet up until till maybe Wednesday. Now we have a bunch of stuff. So we’re going to start with up to 25,000 patients of the Native American Rehoboth rehabilitation association of Northwest affected by a malware attack. It is an era for short. provider of education, physical and mental health services and substance abuse treatment services to Native Americans is alerting certain individuals about a malware infection has potentially allowed unauthorized individuals to gain access to their protected health information. NRA reports that the attack occurred on November 4 2019. The malware initially bypass security system, but was detected later that afternoon. The threat was contained by November 5, and all passwords and email accounts were reset by November six. The malware was determined to be email to a credential stealer can also exfiltrate emails and email attachment. It is therefore possible that the attackers obtain emails and attachments in a compromised accounts, some of which included protected health information. Typically when this me now, ad libbing particularly when email Tet. When it compromises the system sometimes includes trick bot, which also steals credentials, so hopefully they got away with this. No no further damage but according to NAR a press release issued on January 3 2020. The forensic investigation confirm that the pH of 344 individuals was either accessed by attackers or there was a high risk of the information being accessed. Another group of patients was also potentially affected for this group. No evidence of authorized access was found. However, OCR believes that up to 25,187 individuals may have been affected. So big big number of a big gap in difference there so it’ll be interesting to see what comes of that. It types of information that were in the email accounts included home addresses, full names, social security numbers, birth dates, medical record or patient ID numbers. a limited number of individuals also a clinical information exposed include diagnosis services receive treatment, information and treatment dates. It is sad that there are people in the world whose intent is to harm is to cause harm and distress to vulnerable populations such as our clients to Jacqueline Mercer, CEO of NAR a Northwest Words cannot express how truly sorry we are that our clients in an era Northwest have been subjected to this malware attack. A new Endpoint Protection solution has now been implemented. So I just Great, you know, press release statement made by CEO. Unfortunately, you should have been doing the right thing all along. You’re not the first health care system to be compromised. But it does seem like they gotta handle that pretty quickly. So that’s good. Potentially 25,000 Records, mercy health Lorraine hospital laboratory patients affected by millionaire. So short story. We’ve seen this a few times already in the last few weeks a an error in the mailing system that they use RCM enterprise services as a provider of patient billing services to mercy health arraign Hospital, somehow when they sent out the, their mailing, their social security number was viewable in the transparent window of the envelope. So that’s a little scary. It does not end it happened on on around November 7 of 2019. It does not say how many people were impacted by this so we’ll keep you up to date when more information is vailable alum your health phishing attack impacts 49,351 patients. So our mental health in Alexandria, Minnesota is notifying almost 50,000 patients as some of their protected health information was potentially accessed by unauthorized individuals as a result of a phishing attack. A mere health learned about the phishing attack on November 6 2019, and launched an internal investigation which confirmed the account was accessed by an unauthorized individual between October 31 and November 1 of 2019. So, two days, a company of forensic company a computer forensics company was engaged to assist with the investigation and discovered on November 10, that a second email account had been breached on November six, comprehensive review their compromised accounts revealed some emails and email attachments contain protected health information. The types of information potentially compromised in the attack vary from patient to patient and may have included the following names addresses dates of birth medical record numbers, health insurance information, treatment information and or diagnosis of formation. limited number of social security numbers and driver’s license number will also found in the accounts. alum your health was unable to confirm whether the any emails or email attachments containing bhi were accessed or copied by the attackers but unauthorized PHR access and data def could not be ruled out on January 3 20 $20. Mirror health set notifications to all 49,351 patients whose information was present in the email accounts. individuals whose social security numbers or driver’s license number were exposed have been offered complimentary credit monitoring and identity theft protection services for 12 months. no reports of misuse of patient information have been received to date. alum your health again a little too little too late. alum your health has now added more layers to cyber defenses and further security awareness training has been given to employees to help them identify phishing emails and other email based threats. So 50,000 that’s going to be a hefty fine ransomware attacks reported by Florida and Texas Health care providers Let’s see what we got here. It’s becoming increasingly common for threat actors to use ransomware to encrypt files to protect data access to prevent that access, but also to steal data and threaten to publish it or sell their stolen data. If the ransom is not paid. This new tactic is intended to increase the likelihood of victims paying the Ransom Center for facial restoration of Miramar, Florida is one of the latest healthcare providers to experience such an attack. Richard Davis, MD fscs of the center of facial restoration received a ransom demand on november eighth 2019 informing him that his clinic server had been reached, breached and data had been stolen the attacker said the data could be publicly exposed or traded with third parties if the ransom was not paid. Dr. Davis filed a complaint with the FBI cybercrime center and met with FBI agents investigating the attack. After the attack occurred. Dr. Davis was contacted by by around 15 to 20 patients who had also been contacted by the attacker and issued with a ransom demands So, that’s proof they have the data. The patients were told that their photographs and personal data would be published at the ransom demand was not paid. According to Dr. Davis’s substitute breach notice the compromise server contain the data of approximately 3600 patients. While it is possible the attacker stole the files of all patients there. There are reasons to suspect only a very small number of patient photographs and personal data may have been stolen, has taken some time to determine which patients have been affected as much. The information held on patients was strong was stored and scanned patient Intake Forms rather than a database, which each file had to be open and check manually and that was a painstakingly slow and labor intensive process. types of data exposed was limited to photocopies of driver’s license or passwords home addresses email addresses, telephone numbers, insurance policy numbers and credit card numbers most of which only showed the last four digits or patients potentially affected by the attack have now been notified and steps have been taken to improve security including replacing all hard drives and implementing new firewalls and anti malware software, the rest of the burn has not been paid. Children’s choice pediatrics ransomware attacks impacts 12,689 patients. Children’s choice pediatrics in McKinney, Texas is notifying 12,689 patients that some of the protected health information may have been accessed by unauthorized individuals who use ransomware to try to extort money from the practice. The attack occurred on around October 27 to 19 and resulted in the encryption of data on this network to the streets had backed up all data and attempts were made to recover all files encrypted by the ransomware. That process has been completed, but it was not possible to restore all patient data. Some patient records could not be recovered. Effective patients have been advised to be alert to the possibility of data misuse and to monitor their account statements for signs of fraudulent activity. No reports have been received to suggest any patient data was stolen, or has been misused children’s choices now strength and security to prevent similar attacks from occurring in the future. So actually seems like at least they had a backup plan in place even though doesn’t seem like everything was was backed up correctly or, or was I don’t know, maybe it got corrupted in the process. I don’t know what they were using for backup but maybe it got backed up in the process. But it does seem it took them on just a little longer than 60 days to report which, as we know is not does not follow HIPAA, reporting rules, breach report rules, so good for them and that and one aspect not good and the other. That is it for a HIPAA breach. We’re going to move on to our HIPAA, HIPAA breach notifications. We’re going to move on to our HIPAA education and we’re going to talk about a little bit about encryption. So stay tuned for HIPAA corner this week, HIPAA education going to talk about encryption, there’s been still even in 2019. And imagine they’ll still be some to 2020 cases where an unencrypted device turned up missing, lost, stolen, you know, whatever, whatever it may be. And it’s it’s not hard to encrypt advice and protect your your healthcare, Pratt, your healthcare practice. And in doing so, once that device is encrypted, you you then satisfy the needs for HIPAA and you remove the risk of being fined or otherwise investigated by OCR. So it’s, it’s silly to me that that this still happens in 2019 2020. We’re in 2020. Now, it’s it’s just silly that it still happens. Now. That being said, there’s really two things that that you need to worry about when it comes encryption nosing. There’s encrypting data at rest which means that Static is not moving. So on our laptop on a USB drive on a server, on a desktop, any device on a smartphone, those need to be encrypted. And then there’s encryption in when mostly as it relates to communicating. So email and messaging, whether that’s through an app or through secure text messaging. So we’re going to talk about first we’re going to talk about through for messaging. And what needs to happen is, you need to have end to end encryption. So there Well, okay, so let me rephrase, you need to have encryption on your end, you can’t guarantee that the person on the other end has encryption, there’s not really a way to guarantee that. But your email needs to be encrypted. And whatever email you’re using needs to be able to sign off on a BA. So Google G Suite will do that. Office 365 will do that. I’m not aware of any others that do but I’m sure they’re out there. So I’m going to take again, as I usually do from HIPAA journal, HIPAA encrypt HIPAA encryption requirements, the HIPAA encryption requirements have for some been a source of confusion. The reason for this is the technical safeguards relating to encryption of protected health information are defined as addressable requirements. Furthermore, the HIPAA encryption requirements for transmission security state that covered entities should implement a mechanism to encrypt pH I whenever deemed appropriate. This instruction is considerably vague and open to interpretation, hence the confusion. Now there are services and unsung adding in my own now, there are services out there, such as xyx that will allow you to encrypt data as you send the email. So you put in a subject you put in a word in the subject, and that tells you that you need to encrypt that email. The term addressable does not mean the safeguard is something that can be put off until another day it actually means that safeguard should be implemented. To an alternative to safeguard that produces the same results should be implemented or covered entity has to document with a justifiable reason why no course of action has been taken in respect of the safeguard the phrase whenever deemed appropriate could for example, be applied to covered entities that exchange communications via an internal server. protected by a firewall on this scenario, there should be no risk to the integrity of phF from an outside source when confidential patient data is at rest or in transit. So at rest meetings is sitting on that server or sitting on a device. And in transit means this in an email or text messaging to our secure text messaging apps now that you can use and also mobile applications which we discussed last week, one of them being followed by health that you can use as well. Once a communication containing pH goes beyond a covered entity, firewall, encryption becomes an addressable safeguard that must be dealt with. This applies to any form of electronic communication, email, SMS, instant message, etc. Except in a case where a patient has given their Express written permission for the PHR, to be communicated without encryption. And as we discussed last week with an application that would be a third party application, not provided by the covered entity to healthcare practice, how to approach encryption issues. One of the one of the reasons why the HIPAA encryption requirements are vague and open to interpretation is that when the original Security Rule was enacted, it was acknowledged that technology advances, what may be considered appropriate encryption standards one day may be inappropriate another In other words, today we have 128 to 56 bit to 56. Obviously, it’s better. So if you can use to 56. you absolutely should. But encryption standards when security rules created, which was six, seven years ago, maybe don’t apply today. Maybe they’re not they’re not the encryption standards, then we’re not as good as they are now. Just look at how passwords have evolved during the life of HIPAA. Consequently, that Part of human health and human services did not demand that covered entities implement security mechanisms that could be out of date with within a few years, and instead left to HIPAA encryption requirements technology neutral. This allows covered entities to select the most appropriate solution. For the individual circumstances. The encryption requirements apply to every part of the IT system from clients like cell phones to the servers like Amazon cloud or Microsoft Azure. So I do see Amazon more and more promoting their HIPAA capabilities, I guess. So HIPAA email encryption, the HIPAA Security Rule allows covered entities to transmit EP HIV email over an electronic Open Network, provided the information is adequately protected. HIPAA covered entities must decide whether or not to use encryption for email, that that’s the decision must be based on the results of a risk analysis. The risk analysis will identify the risk to the confidentiality, integrity and availability of P pH, and a risk management plan must then be developed to reduce those risks to an appropriate level. One of the ways that risk can be managed is by using encryption for all messages. Although if an equivalent level protection can be offered by another means the covered entity can be used, you can use that measure in place of encryption. That decision along with the details of alternative protection must be documented and made available to OCR in the event of an audit. OCR does not specify HIPAA email encryption requirements. But covered entities can find out more about electronic mail security from the National Institute of Standards and Technology NIST, you’ve probably heard me refer to NIST multiple times in this podcast. NIST recommends use of Advanced Encryption Standard also known as as 128 192, or 256 bit encryption, open pa open PGP and s Am I me, mine. So you heard me say 128 192 or use your me say 128 to 56 or to 56 earlier. Obviously if you can, you’re going to one used to 56. And I would imagine with quantum computing coming, they’re going to want to improve on that as well. Using secure messaging solutions to resolve encryption issues. So this is what my kids pediatrician uses. And this is what I talked about last week. They use an application from all scripts called follow my health. And whenever there’s communication that needs to come to me regarding the kids, it comes through the application and I just get an email saying there’s a new message that’s it, there’s doesn’t see anything else just as there’s a new message. And then I have to log into the secure application read the message in there. So using secure messaging solutions to resolve encryption issues due to the increased use of personal mobile devices and workplace maintaining the integrity of pH I in a healthcare environment, it’s a problem for many covered entities. Route 80% of healthcare professionals use a mobile device to help them manage their workflows, abandoning unencrypted laptops Smartphones and tablets would have serious consequences for the flow of communication in a healthcare organization. A solution to encryption issue is to implement a secure messaging platform. Secure Messaging platforms comply with HIPAA encryption requirements by encrypting pH I both at rest and in transit. Make it unreadable or undecipherable and unusable to communication containing pH is intercepted, or access without authorization. The Secure Messaging solutions not only meet HIPAA email encryption requirements, they also meet the requirements for access control, water controls, integrity controls and Id authentication. So there’s a good use case for those mobile applications as long as the mobile application is either created in house which is highly unlikely what most healthcare providers or it’s provided by your EHR EMR vendor in this case of follow my heart, it would be all scripts, find out more about encryption so you can learn more about encryption. There’s another guide on his journal, the HIPAA compliance guide. We didn’t talk about at rest encryption at rest too much here because it will vary depending on your environment. So in a server, you will use BitLocker for sure. And the keys in any any event the encryption key will need to be a separate location from from that device. So server a little easier to manage you use a key management system. If you have a laptop or smartphone, if you have a smartphone, turn on encryption on your smartphone. And in this way, it’s encrypted unless you unlock it. And then turn on biometrics if you have that capability on a smartphone and most of them do now, turn on biometrics, so thumbprint finger, fingerprint scanner or facial recognition and include a pin just in case This will help protect the information even further. Laptops you can have, depending on what version of Windows you have, or whatever the case may be, you will you can absolutely add encryption to that laptop either through windows if it’s if it’s the right version of Windows and right hardware configuration, you can include BitLocker on the laptop, just make sure the keys in a different location. And if not, there are third party encryption software out there that you can use. Same same type of security though Make sure to keys in a different location, not on a laptop, not on the device. And then thumb drives, portable drives, things like that you’ll want to use in those same 30 part third party systems you can encrypt those however, I would recommend against thumb drives I just don’t see a good use case for thumb drives at this point. It seems crazy to have a thumb drive with PH I And, you know, this, these are smaller, pretty much the same size as a DOM, and you lose it, in some case smaller and you lose it. And it’s not encrypted, you just lost a bunch of information and they’re not hard to lose and lose them all the time. I don’t have sensitive information on thumb drives, but I lose them all the time. They do break, even though in theory, they’re not supposed to they do break. So I would avoid thumb drives all together, even portable hard drives. Just use Cloud and make sure everything is encrypted. You can set up a Dropbox account or OneDrive account. You know, OneDrive is Microsoft. So you can set those up and set them up to be HIPAA compliant. If you’re using the right version of those software’s, in Dropbox case, so that’s the HIPAA encryption education piece that I wanted to go over with you today. And again, we bring this up because there’s still cases there was just a panel of fine settlement last. I think it was two weeks ago I talked about or maybe it was last week about the ambulance company that that left a laptop in the back of the ambulance, and it disappeared. The laptop was not encrypted. Now, that was back in 2013. So it’s been a few years that it happened, but they just received the fine the settlement a couple weeks ago. So it’s still still happening even today. And email. Absolutely. So what email beyond encryption, make sure you set up multi factor authentication for your email. But it’s still happening in email as well. I just worked with a a practice that was not using encrypted email. They weren’t even using a professional email account. They were using a free gmail account. And so we’ve got them squared away. And now it’s encrypted and it’s professional and it’s not costing them that much to actually manage that account monthly. That does it for the hip education. Peace that does it for this episode of the productive it podcast. So until next week, everybody have a great week and remember to stay secure
Transcribed by https://otter.ai
The Department of Health and Human Services defines covered entities as healthcare providers, health plans, and healthcare clearinghouses, which include hospitals, physicians, chiropractors, dentists, optometrists, schools, nonprofit organizations that provide some healthcare services, and even government agencies. However, those affected by HIPAA does not end there.