
ProactiveIT Ep 23 – It's Zoom's World Now

April 3, 2020

This is the ProactiveIT Podcast.  This Week: The latest in IT and Cyber Security news plus It’s Zoom’s World Now, The Impact of COVID-19 on IT and Security & Microsoft Helping Hospitals.

This is Episode 23!  

Intro

Hi everyone and welcome to the Proactive IT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so that you can better protect your business and identity.

This podcast is brought to you by Nwaj Tech – a client-focused & security-minded IT Consultant located in Central Connecticut.  You can find us at nwajtech.com.

Thanks for listening to this podcast. Show us some love on Apple or Google Podcasts. Subscribe and leave us some positive feedback. What are you waiting for?

Also, go join the Get HIPAA Compliance Facebook Group. Search for "Get HIPAA Compliance".

Patch Tuesday Update:

Google Releases Security Updates for Chrome

Note: patch MS SQL and Citrix ADC NetScaler for known vulnerabilities.

Cyber Security News

US Small Business Administration Grants Used as Phishing Bait

COVID-19: Hackers Begin Exploiting Zoom’s Overnight Success to Spread Malware

‘Secure’ Backup Company Leaks 135 Million Records Online

FCC will require phone carriers to authenticate calls by June 2021

Top Email Protections Fail in Latest COVID-19 Phishing Campaign

IRS Warns of Surge in Economic Stimulus Payment Scams

FBI Warns of Attacks on Remote Work, Distance Learning Platforms

Microsoft is Alerting Hospitals Vulnerable to Ransomware Attacks

Marriott Reports Data Breach Affecting Up to 5.2 Million Guests

Topic 1: COVID 19 – The New IT Reality

Topic 2:  Cybersecurity Lawyer Who Flagged The WHO Hack Warns Of ‘Massive’ Remote Work Risks

Topic 3:  A Note from Zoom’s CEO

HIPAA Corner: 

OCR Issues Bulletin on Civil Rights Laws and HIPAA Flexibilities That Apply During the COVID-19 Emergency

Breaches

https://www.hipaajournal.com/category/hipaa-breach-news/


Transcription (Unedited)

This is the Proactive IT Podcast. This week: the latest in IT and cybersecurity news, plus It's Zoom's World Now, the impact of COVID-19 on IT and security, and Microsoft helping hospitals. This is Episode 23.

Hi everyone, and welcome to the Proactive IT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so that you can better protect your business and your identity. This podcast is brought to you by Nwaj Tech, a client-focused and security-minded IT consultant located in Central Connecticut. You can find us at nwajtech.com, that's N-W-A-J tech dot com.

All right, we start off this episode like we start off every episode, with the Patch Tuesday portion of the podcast. Well, let me start off by saying: if you could share, comment, like, review this podcast, whatever you can do on your platform, that is greatly appreciated, because we're really trying to reach more people to talk about compliance issues, IT issues and cybersecurity issues. The more it is liked and reviewed, the more people will see it, the more it'll move up in the rankings on the different podcast platforms, and then we're doing our job and we're happy about it. We love to give, and that's really what this podcast is about: giving. And secondly, if you're in a HIPAA-compliant business, if you go to Facebook and type Get HIPAA Compliance into the search, you can join that Facebook group, and we share tons of HIPAA information in there: questions, articles, breaches, all kinds of stuff, and of course the podcast. So check that out, join the group, and you'll learn lots of stuff, I promise. We normally have a question of the week; I did not get a question this week. You know, everybody's brain is somewhere else right now, understandably.
So I hope everybody's staying healthy and dealing with the quarantine, as it may be in some areas, including my area. Just get through this; we'll get through this together. Hopefully, while you're home, you might consider starting your own podcast or something along those lines, because it does help; it's a way to get out there. We're going to talk a lot about Zoom today, but you can use Zoom to facilitate things.

As far as Patch Tuesday goes, we only have one update so far, and that is Google has released an update to Google Chrome. You should be on version 80.0.3987.162, and that is a security update, so you'll want to take care of that ASAP. Zoom did have a lot of patches, but we'll get to that later. Patch Tuesday for the month of April is April 14, so we still have some time, 11 days, before we hear anything about what we can look forward to from Microsoft. But along Microsoft lines, there has been an increase in attacks on unpatched versions of Microsoft SQL and Citrix ADC NetScaler, and they are going after hospitals. So if you're using Microsoft SQL and it's facing the internet (I mean, you'd want to fix it even if it's not, but if it is public-facing) and you have weak passwords, you better fix that, because brute force is being used to attack these servers, and if they haven't been patched recently, you're going to have problems. Citrix ADC NetScaler, the same thing: it has an update, and if you have not patched to the latest version, you need to now, because they are being actively exploited.

All right, we have a lot of news to share this week. There is a lot of Zoom news. I've decided to remove some of it from this episode because we're going to talk about the Zoom CEO's response to a lot of the issues, and most of the issues that are publicly known at this point are included in that response. So we'll get to that in a little bit.
It is one of our hot topics this week. First up, on BleepingComputer: US Small Business Administration grants used as phishing bait. Attackers are attempting to deliver Remcos remote access tool payloads on systems of small businesses via phishing emails impersonating the US Small Business Administration. They are taking advantage of the financial problems experienced by SMBs during the current COVID-19 pandemic to lure them into opening malicious attachments camouflaged as disaster assistance grants and testing center vouchers. Despite using broken English (which is a key indicator of a phishing email, by the way) within the phishing emails, the malicious actors made sure that the overall layout is as close as possible to the real thing, using the official US SBA logo and footer info, as IBM X-Force threat intelligence researchers found. The victim is presented with an application number and is urged to complete the application before March 25. So that date has come and gone, but I'm sure some people will still try it. In order to do this, victims are requested to sign the attached form and upload it to the SBA website. Also, since the attackers' method of asking for grant information is identical to the process used by the real US SBA, some SMEs might fall for this trick and open the malicious attachment.

This was reported after March 25, by the way, but it is still out there. I'm sharing this because it talks about the payload, but also because there is a huge, huge, huge increase (I'm going to talk about more of them) in scams, phishing attacks, ransomware attacks, everything around COVID-19. COVID-19, the stimulus plan, hospital reports, all of these things are being used to try to trick people into doing things, and it's going to work; undoubtedly it will work. We need, as a whole, to remain vigilant and say: no, I didn't request this information, this wasn't for me.
No, I don't believe this was sent to me unsolicited. Just stop clicking is really all I can tell you: stop clicking. If you need help with phishing, reach out to us and we will set something up. We can do it remotely; we don't have to come to your office or to your home. We can talk about it remotely over, of all things, Zoom, but we could also talk about it over the phone, and we can set you up so that you are protected. Just reach out to us, please, because it's really serious right now.

Also, on The Hacker News: COVID-19: hackers begin exploiting Zoom's overnight success to spread malware. This article talks about an increase in the purchase of domains around Zoom, so, you know, zoom-remote-meetings dot com or something like that. There was a huge increase in early March in the number of domains purchased. The idea is that they will then launch these domains, trick people into going to them and downloading what looks like Zoom but isn't Zoom, or maybe it is Zoom wrapped with something else, and then install malware onto the computers and systems that are going to be used. And from there it could spread even more. So if it's in an enterprise network, or even if it's somebody working remotely connected to the enterprise network, it could spread ransomware to that network. So we will see an increase in ransomware attacks and malware attacks around Zoom in the coming months, I'm sure.

Infosecurity Magazine: "secure" backup company leaks 135 million records online. The company is SOS Online Backup. They have 135 million records in an exposed... I believe it was an S3 bucket, but let me just verify that... totaling 70 gigs of metadata related to user... oh no, I'm sorry, it was their own storage.
So, 70 gigs of metadata related to user accounts on SOS Online Backup. It does include structural, reference, descriptive and administrative metadata covering many aspects of SOS Online Backup's cloud services, the vpnMentor report explains. So vpnMentor has been very busy the last few weeks. The trove also included PII such as names, emails, phone numbers, business details for corporate customers, and account usernames. Not a good look for SOS Online Backup. You of course want your backup company to remain secure and make sure that data is not left out in the open. They will be subject to CCPA because they are a California-based business, so that could be even more problems for them, and they may also have to deal with GDPR because they have clients in Europe. So we'll keep an eye on that and see what comes of it.

Engadget (this is actually good news for people tired of robocalls): FCC will require phone carriers to authenticate calls by June 2021. The agency says the move will help combat the scourge of robocalls. The FCC announced today (which was March 31) that all carriers and phone companies must adopt the STIR/SHAKEN protocol by June 30, 2021. The regulatory requirement is designed to combat robocalls, specifically those that try to hide their phone numbers, by allowing carriers to authenticate caller IDs. The agency says the widespread adoption of STIR/SHAKEN will reduce the effectiveness of illegal spoofing, help law enforcement agencies identify bad actors, and most importantly, allow carriers to identify spammers before they ever call your phone. The FCC estimates fraudulent call schemes cost Americans approximately $10 billion (that's a B) every year. FCC Chairman Ajit Pai started pushing carriers to adopt the protocol in 2018. Congress also mandated the technology when it passed the TRACED Act last year.
While the regulatory requirement to support STIR/SHAKEN is a step in the right direction, it won't magically solve the scourge of robocalls overnight. It's not enough for carriers to merely implement the protocol on their own; they must also test that their implementation works with other networks. In other words, it's not something your wireless provider can just turn on. Moreover, as a consumer, you may also need a device that can display the caller-verified notification when someone calls you. Most modern smartphones support the feature out of the box; other handsets will need to be updated. What I have noticed, one positive about the pandemic if there are any, is that there is a huge decrease in the number of robocalls, and I'm not the only one that sees it; other people have reported the same thing. So it's interesting.

Threatpost reports: top email protections fail in latest COVID-19 phishing campaign. An effective spoofing campaign promises users important information about new coronavirus cases in their local area, scooting past Proofpoint and Microsoft Office 365 ATP. This was determined by Cofense: the Cofense Phishing Defense Center (PDC) discovered new phishing attacks that use socially engineered emails promising access to important information about cases of COVID-19 in the receiver's local area, according to a blog post published Tuesday by Cofense researcher Kian Mahdavi. So it's interesting. I know we reported on the daily podcast that there is a phishing campaign around local hospitals saying, you know, there's a person that tested positive and you may have been in contact with them. Well, this may be the same thing, and it somehow skirts Proofpoint and Microsoft Office 365 ATP. So this is why we have to remain vigilant. You have to know what a phishing email looks like so that you can report it or delete it, whatever method you have in place in your organization.
BleepingComputer reports: IRS warns of surge in economic stimulus payment scams. The Internal Revenue Service today (this was April 2, so yesterday) issued a warning to alert about a surge in coronavirus-related scams over email, phone calls or social media requesting personal information while using economic impact payments as a lure. So what they're doing is they're calling up saying, hey, we need your checking account to deposit the payment. And of course, once you give up that information, and probably some other information they'll ask for (they'll ask you to verify your Social Security number, things like that), you have now become a victim. Scammers can use a wide range of tactics to trick their targets into sharing their personal or financial information, with some of them potentially attempting to: emphasize the words "stimulus check" or "stimulus payment" (the official term is economic impact payment); ask the taxpayer to sign over the economic impact payment check to them; ask by phone, email, text or social media for verification. So notice it's not just phone calls: phone, email, text or social media. Why would the IRS use social media? I mean, think about that. The IRS does not call people, they do not text people, they do not email; they mail it in the post through the post office. So they may ask by phone, email, text or social media for verification of personal and/or banking information, saying that information is needed to receive or speed up the economic impact payment.
And I can promise you the IRS most likely has your checking account information already anyway. They may suggest that they can get a tax refund or economic impact payment faster by working on the taxpayer's behalf; this scheme could be conducted by social media or even in person. And they may mail the taxpayer a bogus check, perhaps in an odd amount, and tell the taxpayer to call a number or verify information online in order to cash it. So we've seen that scam before, using different methodologies, but it's the same scam.

Also on BleepingComputer: FBI warns of attacks on remote work and distance learning platforms. The FBI Internet Crime Complaint Center (IC3) issued a public service announcement today about the risk of attacks exploiting the increased usage of online communication platforms for remote working and distance learning caused by the SARS-CoV-2 pandemic, so another name given to the COVID-19 pandemic. The FBI says that it is expecting an acceleration of exploitation attempts against virtual communication environments used by government agencies, private organizations and individuals as a direct result of the COVID-19 outbreak. Computer systems and virtual environments provide essential communication services for telework and education, in addition to conducting regular business, IC3's PSA said. Some pieces of advice they give: do not use software from untrusted sources. So if you're going to use Zoom, download it from zoom.us, and make sure you update it frequently. Also under attack: video teleconferencing hijacking, conferencing eavesdropping, and remote desktop access is being attacked. So use a reliable remote desktop access tool, and it should be locked down; it should have multi-factor authentication and complex passwords. And also rented IT equipment with pre-installed malicious tools is an issue.
And so here are the tips: do not share links to remote meetings, conference calls or virtual classrooms on open websites or open social media platforms. Do not open attachments or click links within emails from senders you do not recognize. Do not enable remote desktop functions like RDP or Virtual Network Computing (VNC) unless absolutely needed; if you do use RDP, you should do it over VPN. Do not provide exact information on children when creating user profiles: use initials instead of full names, avoid using exact dates of birth, avoid including photos. Do not provide usernames, passwords, birth dates, Social Security numbers, financial data or other personal information in response to an email or phone call. Do not use public or non-secure Wi-Fi access points to access sensitive information, and do not use the same password for multiple accounts. I feel like I've talked about these things before. Hmm.

BleepingComputer: Microsoft is alerting hospitals vulnerable to ransomware attacks. This is actually pretty cool on their behalf. Microsoft has started to send targeted notifications to dozens of hospitals about vulnerable public-facing VPN devices and gateways located on their network. Pulse VPN, which is another device (I should have mentioned it earlier in the episode), is another system that needs to be patched if you have not done so. It has been a known vulnerability for a few months now; if you have not patched it, then you are going to be targeted, and if you're using this for your hospital, then you are probably already being targeted.
So Pulse VPN devices have been known to be targeted by threat actors with this vulnerability. It's thought to be behind the Travelex ransomware attack by REvil, or Sodinokibi. Sodinokibi is not one of the ransomware groups that said they would stop the attacks on hospitals; Maze is one of them, but they have continued, from what I've read. Other attackers such as DoppelPaymer and Ragnarok ransomware were also seen in the past utilizing the Citrix ADC NetScaler vulnerability that we talked about earlier. So again, if you're using Pulse VPN or Citrix ADC NetScaler, you need to make sure that you are on the most recent version, because you are exposing (Microsoft is checking for you, but you're exposing) your hospital or your business, whatever the case may be.

So here are some tips from Microsoft. Harden internet-facing assets: apply the latest security updates, use threat and vulnerability management, perform regular audits, and remove privileged credentials. Thoroughly investigate and remediate alerts. Prioritize and treat commodity malware infections as potential full compromise; in other words, if one computer is impacted, treat it as a full compromise. Include IT pros in security discussions: ensure collaboration between SecOps, security admins and IT admins to configure servers and other endpoints securely. That's always been an issue in a lot of businesses, where those teams, SecOps, security admins and IT admins, don't necessarily work well together. Build credential hygiene: use MFA or NLA, and use strong, randomized, just-in-time local admin passwords. Apply the principle of least privilege. Monitor for adversarial activities: hunt for brute force attempts, monitor for cleanup of event logs, and analyze logon attempts. Harden infrastructure: use Windows Defender Firewall, enable tamper protection, enable cloud-delivered protection, and turn on attack surface reduction rules and AMSI for Office VBA.
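The "monitor for adversarial activities" guidance above (hunt for brute force attempts, monitor for cleanup of event logs, analyze logon attempts) can be turned into a small hunt over Windows Security events. The Python below is an added illustration for these show notes; it is not code from Microsoft, BleepingComputer or the podcast. The event records are constructed samples, the flattened field names (`time`, `id`, `user`, `src`), the thresholds and the `hunt` function are assumptions made for the example, and only the event IDs (4625 failed logon, 4624 successful logon, 1102 audit log cleared) are real Windows values. It also flags the password-spraying pattern (one source, many accounts, a failure or two each) that the NPR interview later in the episode describes.

```python
"""Hunt over Windows Security event records for the signals in Microsoft's
hospital guidance: brute-force logons, password spraying, a success right
after a burst of failures, and clearing of the audit log.
Added illustration; the records below are constructed samples."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows Security event IDs.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
LOG_CLEARED = 1102

# Assumed thresholds for this example; tune to the environment.
FAIL_THRESHOLD = 5              # failures for one (source, account) inside WINDOW
SPRAY_ACCOUNTS = 5              # distinct accounts failing from one source inside WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample records (an assumed flattened form of the event's
# TargetUserName / IpAddress fields, not Microsoft's schema).
SAMPLE_EVENTS = [
    {"time": "2020-04-02T00:50:00", "id": 4625, "user": "mbrown", "src": "10.0.0.5"},   # one typo,
    {"time": "2020-04-02T00:50:10", "id": 4624, "user": "mbrown", "src": "10.0.0.5"},   # then success: benign
] + [
    {"time": f"2020-04-02T01:00:{s:02d}", "id": 4625, "user": "jsmith", "src": "203.0.113.7"}
    for s in (5, 15, 25, 35, 45)                                                       # brute force
] + [
    {"time": "2020-04-02T01:01:00", "id": 4624, "user": "jsmith", "src": "203.0.113.7"},  # then success
] + [
    {"time": f"2020-04-02T01:0{m}:00", "id": 4625, "user": u, "src": "198.51.100.9"}
    for m, u in zip(range(5, 10), ["alice", "bob", "carol", "dave", "erin"])             # spray
] + [
    {"time": "2020-04-02T01:10:00", "id": 1102, "user": "jsmith", "src": "-"},             # log cleared
]


def _recent(times, now):
    """Keep only timestamps inside the sliding WINDOW ending at `now`."""
    return [t for t in times if now - t <= WINDOW]


def hunt(events):
    """Return a list of (finding, source, detail) tuples in time order."""
    findings = []
    failures = defaultdict(list)    # (src, user) -> failure timestamps
    by_source = defaultdict(list)   # src -> [(timestamp, user)] of failures
    for e in sorted(events, key=lambda ev: ev["time"]):
        now = datetime.fromisoformat(e["time"])
        if e["id"] == LOG_CLEARED:
            # 1102 is written when the Security log is cleared; legitimate
            # admins rarely do this, attackers covering their tracks do.
            findings.append(("log_cleared", e["user"], e["time"]))
        elif e["id"] == FAILED_LOGON:
            key = (e["src"], e["user"])
            failures[key] = _recent(failures[key], now) + [now]
            if len(failures[key]) == FAIL_THRESHOLD:        # fire when the threshold is crossed
                findings.append(("brute_force", e["src"], e["user"]))
            by_source[e["src"]] = [(t, u) for t, u in by_source[e["src"]]
                                   if now - t <= WINDOW] + [(now, e["user"])]
            distinct = {u for _, u in by_source[e["src"]]}
            if len(distinct) == SPRAY_ACCOUNTS:              # many accounts, few tries each
                findings.append(("password_spray", e["src"], len(distinct)))
        elif e["id"] == SUCCESS_LOGON:
            # A success right after a burst of failures from the same source
            # is the case to escalate: one of the guesses may have landed.
            if len(_recent(failures[(e["src"], e["user"])], now)) >= FAIL_THRESHOLD:
                findings.append(("success_after_failures", e["src"], e["user"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On a real host the same logic would be fed from the Security log (for example the output of `Get-WinEvent` exported to JSON) rather than the inline list; the single mistyped password from `10.0.0.5` produces no finding, which is the point of using a threshold and a window rather than alerting on every 4625.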
And finally, on BleepingComputer: Marriott reports data breach affecting up to 5.2 million guests. Marriott International today revealed that personal information of roughly 5.2 million hotel guests was impacted in a data breach incident detected at the end of February. "At the end of February, we noticed that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property," the company said in a statement. "We believe this activity started in mid-January. Upon discovery, we immediately ensured the login credentials were disabled, began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests." Although the investigation of this incident is ongoing, Marriott says that currently there is no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs or driver's license numbers. Marriott has set up a self-service online portal for guests who want to determine whether their info was involved in this data breach and, if so, what categories of personal data were involved. In addition, Marriott Bonvoy members who had their information potentially exposed in the incident had their passwords disabled and will be requested to change their password on the next login, as well as prompted to enable multi-factor authentication. According to Marriott, the following guest information might have been involved in the breach, in various combinations for each of the affected customers: contact details like name, mailing address, email address and phone number; loyalty account information (account number and points balance, but not passwords); additional personal details like company, gender and birthday month; partnerships and affiliations (linked airline loyalty programs and numbers); and preferences, like stay and room preferences and language preferences.
So this is the second time in less than two years that they have been hacked or compromised. Marriott's got to get their act together a little bit, I think. That being said, this is enough information to launch spear phishing campaigns, so something to be on the lookout for. If you have stayed at Marriott recently, you should check into whether or not you may have been compromised in that incident.

It is time for this week's hot topics, and unfortunately they all center around COVID-19. That's not really the focus of this podcast, but because it impacts cybersecurity, we have to report it. The first one is on Forbes, written by John Webster: COVID-19, the new IT reality. I and one of my coworkers are now engaged in a research project to determine how COVID-19 and the resulting social distancing measures are impacting enterprise IT. The impact is significant and cause for pause to consider what is changing daily. Here's what we've heard in conversations with enterprise IT operations so far. Security is now the primary concern, to the point that some projects that were active before the pandemic are now being put on hold or even abandoned while security projects are accelerated. One healthcare IT executive we spoke to has seen a near doubling of outside attacks on the internal healthcare delivery systems over the last few weeks. Personally, I find this as evil as it gets. And he's right, it is evil, but it is going to continue and it will probably increase. But to the point, Zoom just announced (and I'm going to talk about it shortly) that they are putting all future and other projects aside to help with security. We'll get to that in a moment. Data protection is now a second priority behind security; in fact, the two go hand in hand. Which is also true; that data is worth more than gold on the dark web, so just keep that in mind. Because at-home workers are more vulnerable to attack and farther away from direct support,
their data is more at risk. Backups are more frequent, which puts increased demand on data protection systems trying to handle the increased load. Network bandwidth is being increasingly challenged to handle the load of workers trying to stay connected in order to remain functional. As one IT operations staff member said, it's the last-mile problem that's slowing us down. Trained IT staff are in even greater demand in areas that are now deemed critical. As noted, these include security and data protection; cloud infrastructure and network management are two more. Disaster recovery and business continuity plans are at least being partially activated to deal with the stay-at-home workers. This is particularly the case for systems that now must be managed and maintained remotely. Post-9/11, IT executives realized that it wasn't just systems that needed to be covered by disaster recovery plans; the absence of hands-on operational staff needed to be considered as well. I will say, from assisting many people in the last few weeks with setting up work from home, this is not 100% accurate. I've seen some scary things from government systems. I'm not going to go into detail on local government; I will say that it is not set up properly. RDP direct from a BYOD (bring your own device), so a personal laptop being used to RDP into a workstation at a local government job. So this is still not being taken seriously, and that is a recipe for disaster. Cloud workload migration and remote systems management projects are accelerating. However, the problem here is that cloud providers may have to respond by rationing capacity because of the spike in demand. And I did hear already, I believe it was Microsoft Azure in the UK, was having issues because of that.
A longtime user of one of the major cloud providers was told yesterday that his requests for new capacity can't be fully met because the cloud provider has seen the same spike in capacity demand from their other large users. We need to recognize the new reality as an IT community and come together over ways to deal with it; there are positive ways to approach these challenges. It seems to me that continued functioning of healthcare systems, for example, should now be a national priority, as they face every one of the challenges I've noted here. Expect to see more on this topic here in the coming weeks. So these are great points, especially in healthcare, and these are going to be challenges. Even when this pandemic is all said and done (it will eventually go away), we're going to see that these things are going to be attacked and need to be taken care of going forward. It is a new world. You know, eventually it will go away and we will return to normal for the most part, but some things will have to change.

NPR, not a source I normally use, but we're using it today. npr.org: cybersecurity lawyer who flagged the WHO hack (that's the World Health Organization) warns of massive remote work risks. A large number of companies are rolling out mandatory work-from-home policies to help limit the risk posed by the coronavirus outbreak. But cybersecurity experts warn that those remote setups invite new hacking risks. The Federal Bureau of Investigation recently issued warnings of an uptick in fraudulent crimes tied to the coronavirus, particularly by scammers posing as official health agencies. This month, a hacking group tried to break into the World Health Organization. The breach was discovered by Alexander Urbelis, a hacker turned information security lawyer who founded the New York-based Blackstone Law Group. Although Urbelis can't be certain about the identity of the hackers,
he says the group replicated a portal used by remote WHO employees that he describes as very, very convincing. Urbelis spoke to NPR's Steve Inskeep about the designs of such attacks and some best cybersecurity practices people should use to defend themselves against hackers. The group that targeted WHO we have been watching for quite a while, and that group has in fact targeted several others, other clients. WHO is not one of Blackstone's clients, by the way. And we have been monitoring the internet for indications that the group has reawakened or reactivated some of its infrastructure, and that's what we've detected with respect to the live attack against the World Health Organization. It's very difficult to say with any near certainty exactly who this is. There are some indications that the group by the name of DarkHotel, which is known for targeting executives checking into hotels and hotel Wi-Fi and things like that, may be responsible for this particular type of attack. What we do know, though, is that the group we've been watching is very sophisticated; their attacks are very sleek, they're very well researched. The attackers perform a significant amount of reconnaissance on the configurations and systems of those they attack, and they painstakingly create portals that look exactly like the victims' portals. And that's what we saw with WHO on the 13th of March. We saw a URL, a web page, being created and put together that exactly mirrored the doorway to the World Health Organization's internal file systems. So it was an external link to the internal file systems, the portal that remote employees would use to access WHO, let's say if they were working from home. That's what this group replicated.
We have seen this group not only replicate the portals of WHO but of major research universities and many other integral governmental organizations like WHO. In fact, the same day that WHO was targeted by this particular group, they also targeted the UN, certain components of the United Nations. They have all the hallmarks of being a state-sponsored or state-affiliated group, and that means they could be considered what's known as an APT; in information security terms that stands for an advanced persistent threat, essentially a force to be reckoned with. People are very used to seeing these portals that are asking for their usernames and passwords, and if you look at the web address or the URL that's associated with this particular type of attack, it's very, very convincing. I was glad to hear on the back end of this, though, from what we know from WHO, that that attack was unsuccessful. So we did report that last week; it wasn't successful. Well, I think it's for the obvious reason anybody would want to target the World Health Organization right now: it would be for intelligence gathering purposes and gaining an advantage. I mean, right now, any advance information about preventative measures, cures, vaccines, even country-by-country infections and statistics is going to be of extraordinary value; it can be valuable to a country's private industry, especially if they're trying to get a leg up with respect to, let's say, palliative care, the distribution of testing kits, and even the creation of a vaccine. I suppose it would also be very helpful to somebody who's working in the stock market. Absolutely, it would most certainly be valuable, because what they are dealing with right now is a different class of information that is moving markets. Data from the World Health Organization certainly moves the market one way or the other,
And we’ve witnessed that over the last few weeks, it’s bounced significantly in in both directions. This means that more personal devices more off premises endpoints, so to speak, being used to handle and process business data, including highly sensitive data like trade secrets, and business plans. Because of this, all of our client companies have had to dedicate a massive amount of IT resources to support all of these remote working arrangements, including the deployment of best cyber hygiene practices, things are known things that are known as MFA, or to FA in particular, using something other than just a password to access company resources is critical these days, because the bad guys know that people reuse passwords or they have variations on a theme of passwords. There have been so many data breaches with all of our passwords for so many years. Now that there’s a always a password that you can associate with individuals. And so with the bad guys, the threat actors will try as a password spraying. Just taking your username with your password and variations on a theme of your password and trying to brute force their way into your office systems. So again, we’ve talked about this extensively, don’t reuse passwords. There are ways to deal with this password one on one. You know, I’ve talked about it, I’ve written about it. And you could just look up on our website. There’s an article on there, and I’ve shared it on social media. So look for that. We need to do better multi factor authentication and two factor authentication should have already been activated. If it’s not, then you need to do it now. And then, we’ve talked a lot about zoom this week, and we’re going to talk about it right now. This is a letter written on zooms blog, a letter from Eric Yon, who is the founder and CEO of zoom. And this is to address the increasing issues being found with zoom and there’s been a handful of issues this week reported, comp vulnerabilities in attack. and so forth. 
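The password-spraying discussion above is the defender's cue for what to look for in authentication logs. As an added example, not code from the podcast or from Nwaj Tech, here is Python detection logic run over a constructed, synthetic auth log in an assumed key=value format (the function names, thresholds and log layout are all assumptions). It separates the two shapes an attacker with a leaked-password list produces: a spray (one source, many accounts, only a guess or two each, which per-account lockout never trips) from a per-account brute force (one username hammered with many guesses, possibly split across several source addresses), and it flags a successful login from a spraying source, which is exactly the point at which MFA is what stops the intruder.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (synthetic; not from any real system).
# The "ts src= user= result=" layout is an assumed format: adjust LINE_RE to
# whatever your VPN, SSO or OWA logs actually emit.
SAMPLE_LOG = """\
2020-04-01T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-04-01T09:00:03Z src=203.0.113.7 user=bob result=FAIL
2020-04-01T09:00:05Z src=203.0.113.7 user=carol result=FAIL
2020-04-01T09:00:08Z src=203.0.113.7 user=dave result=FAIL
2020-04-01T09:00:10Z src=203.0.113.7 user=erin result=FAIL
2020-04-01T09:00:12Z src=203.0.113.7 user=frank result=FAIL
2020-04-01T09:00:15Z src=203.0.113.7 user=grace result=SUCCESS
2020-04-01T09:01:00Z src=198.51.100.5 user=alice result=FAIL
2020-04-01T09:01:02Z src=198.51.100.5 user=alice result=FAIL
2020-04-01T09:01:04Z src=198.51.100.5 user=alice result=FAIL
2020-04-01T09:01:06Z src=198.51.100.5 user=alice result=FAIL
2020-04-01T09:01:08Z src=198.51.100.5 user=alice result=SUCCESS
2020-04-01T09:05:00Z src=192.0.2.44 user=heidi result=FAIL
2020-04-01T09:05:20Z src=192.0.2.44 user=heidi result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_log(text):
    """Parse key=value lines into dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Spray shape: one source, >= min_accounts distinct users failing inside one
    sliding window, no single user failing more than max_per_account times.
    Returns {src: {"accounts": n, "window_start": ts, "success_after": [users]}};
    "success_after" lists accounts that logged in from that source after the
    spray began, i.e. the sign that one of the sprayed passwords worked."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    hits = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        best = None
        j = 0  # left edge of the sliding window over this source's failures
        for i in range(len(fails)):
            while fails[j]["ts"] < fails[i]["ts"] - window:
                j += 1
            per_account = Counter(e["user"] for e in fails[j:i + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                if best is None or len(per_account) > best["accounts"]:
                    best = {"accounts": len(per_account), "window_start": fails[j]["ts"]}
        if best is not None:
            best["success_after"] = sorted(
                {e["user"] for e in evs
                 if e["result"] == "SUCCESS" and e["ts"] >= best["window_start"]})
            hits[src] = best
    return hits


def detect_bruteforce(events, window=timedelta(minutes=10), min_failures=4):
    """Brute-force shape: one username with >= min_failures failures inside one
    sliding window, counted across ALL sources so a guess list split over several
    IPs still trips the threshold. Returns {user: {"failures": n, "sources": [...]}}."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_user[ev["user"]].append(ev)

    hits = {}
    for user, fails in by_user.items():
        best, j = 0, 0
        for i in range(len(fails)):
            while fails[j]["ts"] < fails[i]["ts"] - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_failures:
            hits[user] = {"failures": best, "sources": sorted({e["src"] for e in fails})}
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, info in detect_spray(evs).items():
        print(f"SPRAY  src={src} accounts={info['accounts']} success_after={info['success_after']}")
    for user, info in detect_bruteforce(evs).items():
        print(f"BRUTE  user={user} failures={info['failures']} sources={info['sources']}")
```

On the sample data the first source is reported as a spray across six accounts with a later successful login for one of them, and `alice` is reported as brute-forced with five failures from two addresses; the lone failure from the third address trips neither rule. The thresholds are starting points: tune the window and counts against a week of your own logs so legitimate typo storms after a password-change day do not page anyone.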
So let's read this. "To our Zoom users around the world: whether you are a global corporation that needs to maintain business continuity, a local government agency working to keep your community functioning, a school teacher educating students remotely, or a friend that wants to host a happy hour to spark some joy while social distancing, you are all managing through unique challenges brought upon us by this global health crisis. During this time of isolation, we at Zoom feel incredibly privileged to be in a position to help you stay connected. We also feel an immense responsibility. Usage of Zoom has ballooned overnight, far surpassing what we expected when we first announced our desire to help in late February. This includes over 90,000 schools across 20 countries that have taken us up on our offer to help children continue their education remotely. To put this growth in context: as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid. We have been working around the clock to ensure that all of our users, new and old, large and small, can stay in touch and operational." Now I'll say this: I've heard reports of issues with Zoom as far as usability, like functionality. I have not experienced any, and if there are 200 million people on this thing every day, I think they're doing a great job of maintaining the usage of Zoom so that it still works, even though they've seen this huge increase in usage. "For the past several weeks, supporting this influx of users has been a tremendous undertaking" (undertaking, not Undertaker) "and our sole focus. We strive to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video conferencing platform of choice for enterprises around the world,"

"while also ensuring platform safety, privacy and security. However, we recognize that we have fallen short of the community's and our own privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it. First, some background: our platform was built primarily for enterprise customers, large institutions with full IT support. These range from the world's largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network and data center layers and confidently selected Zoom for complete deployment. However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived." Now, I've been using Zoom for years, at least five or six years, and I'm not an enterprise business. So I get what they're saying, that their target is enterprise businesses, and I've used it in an enterprise environment. But I've also used it on a personal level. I've used it for all kinds of things: remote support, screen sharing, webinars, recording videos, recording podcasts, just a bunch of things. And I'm even seeing today where people start a Zoom session and then use Facebook to stream it live. So it's used for a myriad of reasons, as he said, and, I don't know, maybe their target was enterprise, obviously, because that's where the big bucks will be. But they definitely targeted smaller businesses as well. "However, we did not design the product with..." Okay, here we go, I read that already.

"These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting about how our service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for its users. We take them extremely seriously. We are looking into each and every one of them and addressing them as expeditiously as we can. We are committed to learning from them and doing better in the future. But before I lay out what we intend to improve, I want to share what we have done so far." So, what they've done. "With the flood of new users, part of the challenge is ensuring that we provide the proper training, tools and support to help them understand their own account features and how best to use the platform. We have been offering training sessions and tutorials, as well as free interactive daily webinars, to users. We have proactively sent out many of these resources to help familiarize users with Zoom." They have training and tutorial webinars, live daily demos, upcoming webinars, video trainings, webinar sign-ups for various platform trainings. "We are taking several steps to minimize customer support wait time when they reach out with questions. We are listening to our community of users to help us evolve our approach. We have also worked hard to actively and quickly address specific issues and questions that have been raised." So these are some of the more recent issues now. "On March 20, we published a blog post to help users address incidents of harassment, or so-called Zoombombing, on our platform by clarifying the protective features that can help prevent this, such as waiting rooms, passwords, muting controls and limiting screen sharing."

And in parentheses: "We have also changed the name and content of that blog post, which originally referred to uninvited participants as party crashers. Given the more serious and hateful types of attacks that have since emerged, that terminology clearly doesn't suffice. We absolutely condemn these types of attacks and deeply feel for anyone whose meeting has been interrupted in this way." So the types of attacks he's talking about: there have been incidents of people sharing pornographic images, probably video, I'm not sure, and people showing swastikas on video. So these are the types of things that are very disturbing, especially if it's a school or a business meeting. "On March 27, we took action to remove the Facebook SDK in our iOS client and have reconfigured it to prevent it from collecting unnecessary device information from our users." So there was an issue with the Zoom app on iOS: if you logged in with Facebook, it was collecting additional information. They have since fixed that. "On March 29, we updated our privacy policy to be more clear and transparent around the data we collect and how it is used, explicitly clarifying that we do not sell our users' data, we have never sold user data in the past, and we have no intention of selling users' data going forward." So this was one of the concerns that was sent to me, that they are selling user data or sharing user data with China, that the research and development team is in China. So that has been clarified; they're not doing that. "For education users, we rolled out a guide for administrators on setting up a virtual classroom, set up a guide on how to better secure their virtual classrooms, set up a dedicated K-12 privacy policy, changed the settings for education users enrolled in our K-12"

"program so that virtual waiting rooms are on by default, and changed the settings for education users enrolled in our K-12 program so that teachers, by default, are the only ones who can share content in class." So that is in direct response to some incidents that the FBI reported about people crashing in, and some of those incidents included a swastika, and then somebody yelling and screaming and eventually sharing the teacher's home address. "On April 1, we published a blog to clarify the facts around encryption on our platform, acknowledging and apologizing for the confusion. We permanently removed the attendee attention tracker feature" (updated to clarify that it's permanently removed) "and released fixes for both Mac-related issues raised by Patrick Wardle." So there were some issues around how the Zoom app is installed on Mac, so you need to update it if you have not. "We released a fix for the UNC link issue," which was on Windows; that has been fixed and there is an update, so you need to update if you have not already. "And we permanently removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature" (updated to clarify that it has been permanently removed). "What we're doing: over the next 90 days, we are committed to dedicating the resources needed to better identify, address and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes enacting a feature freeze, effective immediately, and shifting all of our engineering resources to focus on our biggest trust, safety and privacy issues."

"Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases. Preparing a transparency report that details information related to requests for data, records or content. Enhancing our current bug bounty program. Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices. Engaging in a series of simultaneous white box penetration tests to further identify and address issues." Starting next week, the CEO will host a weekly webinar on Wednesdays at 10am Pacific Time to provide privacy and security updates to the community. "Transparency has always been a core part of our culture. I am committed to being open and honest with you about areas where we are strengthening our platform and areas where users can take steps of their own to best use and protect themselves on the platform. We welcome the continued questions and encourage you to provide us with feedback. Our chief concern, now and always, is making users happy and ensuring that the safety, privacy and security of our platform is worthy of the trust you all have put in us. Together, let's build something that can truly make the world a better place." Signed, Eric S. Yuan, founder and CEO of Zoom. So I think it's a great step forward. I understand the concerns that many people have, but it is what it is. You know, it's really just growing pains and unexpected, rapid growth where these problems appeared, that maybe they weren't aware of, maybe they were aware of, I don't know, but they have addressed them very quickly, and they're very, very transparent about addressing it. So I would still put my stock in Zoom going forward. Will there be more issues? Probably. But you could see that they're addressing them, and I think there are still some lingering issues.

But they're addressing them, and you could see that they will be taken care of quickly as they come up. And in reality, a lot of software applications get tested in a small test environment or a development environment, and it's not until they're released to the user base that a lot of problems surface. I've seen this in the enterprise environment, I've seen this in the real world, I've seen this many times, where you test, test, test and everything looks great, and the minute you release it to the user base you find more problems. Sometimes they're security issues, sometimes they're just bugs. So Zoom's on top of it. They're being transparent, they're addressing issues very quickly as they come up. I don't think we have anything to worry about as long as you're doing your part: add the passwords, use the waiting room, don't share it publicly, things like that. Right, it is time for the education portion of the podcast. We are in unprecedented times right now, so things have changed. We've talked a lot about the telehealth change, the relaxation of the rules. But the OCR issued a bulletin on civil rights laws and HIPAA flexibilities that apply during the COVID-19 emergency, and this is on hhs.gov. "Today" (which was March 28) "the Office for Civil Rights at the US Department of Health and Human Services is issuing a bulletin to ensure that entities covered by civil rights authorities keep in mind their obligations under laws and regulations that prohibit discrimination on the basis of race, color, national origin, disability, age, sex, and exercise of conscience and religion in HHS-funded programs, including in the provision of health care services during COVID-19. OCR is particularly focused on ensuring that covered entities do not unlawfully discriminate against people with disabilities when making decisions about their treatment during the COVID-19 health care emergency."
"OCR enforces the Americans with Disabilities Act, Section 504 of the Rehabilitation Act, the Age Discrimination Act and Section 1557 of the Affordable Care Act, which prohibits discrimination in HHS-funded health care programs or activities. These laws, like other civil rights statutes OCR enforces, remain in effect. As such, persons with disabilities should not be denied medical care on the basis of stereotypes, assessments of quality of life, or judgments about a person's relative worth based on the presence or absence of disabilities or age. Decisions by covered entities concerning whether an individual is a candidate for treatment should be based on an individualized assessment of the patient and his or her circumstances, based on the best available objective medical evidence." So it is going to be interesting to see how this plays out, for sure, because we're already seeing cases of people being sent home and then later getting sicker or dying. We did see one incident where someone was sent home because they didn't have insurance, and they died. I believe that was in California. So it is going to be interesting to see how this plays out. "Our civil rights laws protect the equal dignity of every human life from ruthless utilitarianism," said Roger Severino, OCR Director. "HHS is committed to leaving no one behind during an emergency, and helping health care providers meet that goal. Persons with disabilities, with limited English skills, and older persons should not be put at the end of the line for health care during emergencies," Severino added. And I'm sure some of that is in response to what happened in Italy. So we'll keep that in mind. There's a bulletin. So there's one bulletin that talks about it, and it's six pages long, so I'm not going to read it, but you can find it on the hhs.gov site. The link will be in the show notes, so you'll be able to link to it.

But there is the OCR's notice of enforcement discretion, allowing providers to serve patients wherever they are through commonly used apps like FaceTime, Skype and Zoom to provide telehealth remote communication. So we talked about that. And Zoom actually does have a telehealth version that you can purchase. When we return to normal, obviously, you can do that. You can do it now too; I've set up clients on it, but it's not necessary at this point. So you can provide telehealth services over FaceTime, over Facebook Messenger and things like that, as long as it's not shared with the public and as long as you tell the patient of the risks that exist by using these applications that are not secured and don't have a business associate agreement. We've talked about that already, so I'm not going to dwell on that one. Guidance that empowers first responders and others who receive protected health information about individuals who have tested positive or been exposed to COVID-19, to help keep both first responders and the public safe. So we'll go through that; that's pretty quick. "OCR issues guidance to help ensure first responders and others receive protected health information about individuals exposed to COVID-19. Today, the Office for Civil Rights at the US Department of Health and Human Services issued guidance on how covered entities may disclose protected health information about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders and public health authorities in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule."

"The guidance explains the circumstances under which a covered entity may disclose PHI, such as the name or other identifying information about individuals, without their HIPAA authorization, and provides examples, including when needed to provide treatment, when required by law, when first responders may be at risk for an infection, and when disclosure is necessary to prevent or lessen a serious and imminent threat. This guidance clarifies the regulatory permissions that covered entities may use to disclose PHI to first responders and others so that they can take extra precautions or use personal protective equipment. The guidance also includes a reminder that, generally, covered entities must make reasonable efforts to limit the PHI used or disclosed to that which is the minimum necessary to accomplish the purpose of the disclosure. 'Our nation needs our first responders like never before, and we must do all we can to assure their safety while they assure the safety of others,' said Roger Severino, OCR Director. 'This guidance helps ensure first responders will have greater access to real-time infection information to help keep them and the public safe,' added Severino." And then there's a link to the guidance. Again, this is, well, it's not as big a document, but I'll just skim through the highlights. "When disclosure is needed to provide treatment. For example, HIPAA permits a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital emergency department. When such notification is required by law. For example, HIPAA permits a covered entity, such as a hospital, to disclose PHI about an individual who tests positive for COVID-19"

"in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials. To notify a public health authority in order to prevent or control the spread of disease. For example, HIPAA permits a covered entity to disclose PHI to a public health authority, such as the CDC or state, tribal, local and territorial public health departments, that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury or disability, including for public health surveillance, public health investigations and public health interventions. When first responders may be at risk of infection. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread. When disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. A covered entity may disclose PHI to prevent or lessen a serious and imminent threat to a person or the public when such disclosure is made to someone they believe can prevent or lessen the threat, which may include the target of the threat. For example, HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public, if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties." So there could be some gray area there.

"And when responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual." So, hopefully that clears that up for some people; one of those might have a little bit of gray area. Hopefully that makes things a little bit clearer for some of you. And then the final piece that we have from OCR is guidance on how healthcare providers can share information with the CDC, family members of patients and others to help address the COVID-19 emergency, so the previous one pretty much addresses that. So we will move on from there and talk about the HIPAA breaches for the week. Okay, we just have four breaches to report this week, no enforcements at all. Stockdale Radiology in California has announced that patient data has been compromised as a result of a ransomware attack on January 17. An internal investigation confirmed that the attackers gained access to patients' first and last names, addresses, refund logs, and personal health information including doctor's notes. Stockdale Radiology said a limited number of patient files were publicly exposed by the attackers. Stockdale Radiology also discovered on January 29 that further patient information may have been accessed, but it has not been publicly disclosed. So that means they've probably been hit by Maze or Sodinokibi, one of the groups that said they will do this. Systems were immediately shut down to prevent any further unauthorized data access, and a third-party computer forensics firm was engaged to investigate the breach and determine how access was gained and who was affected. The FBI was immediately notified about the attack and arrived at Stockdale Radiology within 30 minutes. The FBI investigation into the breach is ongoing.

I'm not really sure why it is important that they arrived within 30 minutes, but in response to the attack, Stockdale Radiology has conducted a review of internal data management and its security protocols and has taken steps to enhance cybersecurity to prevent further attacks in the future. According to the breach report, 10,700 patients were affected. Abilene, Texas-based Affordacare Urgent Care Clinics has started notifying patients that some of their protected health information may have been compromised as a result of a ransomware attack. The attack was discovered on February 4 and is believed to have started around February 1. An analysis of the breach revealed the attackers gained access to a server and deployed Maze ransomware. So Maze is one of the groups that said, "we will not attack healthcare providers," although this is before that. They said they wouldn't attack healthcare providers during this pandemic, and I don't believe it was called a pandemic until after February 1. So, prior to deploying ransomware, the attackers downloaded patient information; some of that data has been publicly exposed. The types of data on the compromised servers included names, addresses, telephone numbers, ages, dates of birth, visit dates, visit locations, reasons for visits, health insurance provider names, health insurance policy numbers, insurance group numbers, treatment codes and descriptions, and healthcare provider comments. No financial information, electronic health records or Social Security numbers were compromised.

It doesn't say the number of people that were impacted. The Georgia Department of Human Services has announced that staff in Augusta, Georgia improperly disposed of boxes of confidential case files containing the records of individuals who received services from the Division of Family and Children Services before June 12, 2017, and individuals who received services from the Division of Aging Services before 2017. After being alerted to the incident, immediate action was taken to recover the boxes and prevent them from being accessed by unauthorized individuals. The Georgia Department of Human Services does not believe the files were accessed by unauthorized individuals during the time the files were left unprotected. All affected patients are being notified about the breach, and policies and procedures are being reviewed to prevent similar incidents in the future. According to the breach summary on the HHS OCR breach portal, known as the HIPAA Wall of Shame, the records of up to 500 individuals were involved, which is a nice round number, because 500 is when you have to report it. NeoGenomics is alerting 911 patients that some of their PHI has been accidentally disclosed to an unauthorized individual. On January 28, an employee was communicating with a patient about completing and returning a form to NeoGenomics and accidentally attached and sent the wrong Excel spreadsheet. The spreadsheet sent to the patient included data of patients who had laboratory tests performed between June 2018 and October 2019. The spreadsheet contained patients' first and last names, dates of birth and the name of the test performed by NeoGenomics. The results of the tests were not included in the spreadsheet, and no other information was impermissibly disclosed. The error was reported to NeoGenomics by the patient, who confirmed in writing that the spreadsheet has been deleted. Out of an abundance of caution, NeoGenomics has offered affected individuals complimentary credit monitoring services.

NeoGenomics reports that the individual who made the error has been retrained, and the workforce has been instructed to check documents and spreadsheets to ensure they are correct before being sent via email. That is it for the HIPAA breach report, and that is it for the ProactiveIT Podcast. So until next week everyone, stay healthy, stay safe, stay secure.

Transcribed by https://otter.ai

Author: Scott Gombar