
ProactiveIT Ep 28 – The Hidden Costs of Ransomware

May 8, 2020

This is the ProactiveIT Podcast.  This Week: The latest in IT and Cyber Security news plus Critical Vulnerabilities Being Patched, Breaches & Cybersecurity Stats are Gloomy, and the Cost of Ransomware

This is Episode 28

Intro

Hi everyone and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance, and more. We also bring you real-world examples to learn from so that you can better protect your business and identity.

This podcast is brought to you by Nwaj Tech – a client-focused & security-minded IT Consultant located in Central Connecticut.  You can find us at nwajtech.com.

Thanks for listening to this podcast. Show us some love on Apple or Google Podcasts. Subscribe and leave us some positive feedback. What are you waiting for?

Also, go join the Get HIPAA Compliance Facebook Group.  Search for Get HIPAA Compliance

Patch Tuesday Update:

Unpatched Oracle WebLogic Servers Vulnerable to CVE-2020-2883

SaltStack Patches Critical Vulnerabilities in Salt

Firefox 76 released with integrated data breach alerts

Microsoft releases May Office updates with fixes for auth issues

Instacart Patches Security Bug That Would Have Let Attackers Spoof SMS Messages

Google Releases Security Updates for Chrome 

Cisco Releases Security Updates for Multiple Products

Cyber Security News

Trump Declares National Emergency As Foreign Hackers Threaten U.S. Power Grid

GoDaddy notifies users of breached hosting accounts

Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance

Nearly 2,000 malicious COVID-19-themed domains created every day

US financial industry regulator warns of widespread phishing campaign

SAP announces security issues in cloud-based products

Cyberattack on NTPC Further Exposes the Cybersecurity Risks of Energy Sector

An Update on Cognizant

Critical WordPress plugin bug lets hackers take over 1M sites

Hot Topics

Topic 1: Consumers will opt for competitors after a single ransomware-related service disruption

Topic 2: Patients Notified Medical Records Exposed at Tornado Hit Secure Medical Record Facility

Topic 3: Half of Companies Have Suffered a Cybersecurity Issue Amid COVID-19 Crisis

HIPAA Corner:

https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol1-508.pdf

Breaches

https://www.hipaajournal.com/category/hipaa-breach-news/


Transcription (Unedited)

This is the ProactiveIT Podcast. This week: the latest in IT and cybersecurity news, plus critical vulnerabilities being patched, breaches and cybersecurity stats are gloomy, and the cost of ransomware. This is Episode 28. Hi everyone, and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance, and more. We also bring you real-world examples to learn from so that you can better protect your business and your identity. This podcast is brought to you by Nwaj Tech, a client-focused and security-minded IT consultant located in Central Connecticut. You can find us at nwajtech.com, that’s N-W-A-J tech dot com. Well, it’s been another fun week in isolation. I don’t know what to call it really, because it’s not real isolation, we can go out, but you’re trying to avoid it for the most part, and I’m now entering week eight. It is day 56 as I record this, I don’t know. Good. Seems like there may be some light at the end of the tunnel. But we’ll see. First of all, wherever you’re listening to this, if you could like, share, review or comment, you know, whatever will get people to, you know, new people to listen to it, that would be awesome. You know, especially on Apple and Google, but also Stitcher and anywhere else you listen to it. And if you’re in a HIPAA-compliant business, if you can go over to Facebook, type in Get HIPAA Compliance, and join that group. You’ll be rewarded with lots of HIPAA information. And if you want to go to that now, you know, just go do that, and I’ll wait right here. All right. Did you do it? Um, I did not. You know, I’ll be honest with you. I got asked a lot of questions this week, and I did not pick one, I completely forgot about it, to be honest. So we’re not going to do a question of the week. We’re going to jump right into the updates for the week. And so it is the first week of May. We do not have Patch Tuesday updates from Microsoft, but we do have quite a few updates to talk about.
So we’re gonna jump right into that, with the first one being unpatched Oracle WebLogic Servers that are vulnerable to CVE-2020-2883. Oracle has released a blog post warning users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability is being exploited in the wild. Oracle disclosed the vulnerability and provided software patches in the April 2020 Critical Patch Update, but malicious cyber actors are now known to be targeting unpatched servers. So if you’re using Oracle WebLogic Server, get patched, because it’s already been exploited. SaltStack, which you may have heard about because it’s impacted some pretty big systems including the Ghost blogging platform, SaltStack did patch a critical vulnerability in Salt. So you shouldn’t be on anything prior to 2019.2.4 or, I’m sorry, should not be on anything prior to 2019.2.4 or 3000.2. So get that updated ASAP because it is being actively exploited. Firefox 76 was released with integrated data breach alerts. I’m obviously on Firefox 76 already, I have not checked out the data breach alert to see if it works at all. So it’ll be interesting to see how that develops. There were some security vulnerabilities addressed with that release as well. Microsoft released May Office updates with fixes for auth issues. There are no security updates as part of this rollout. But there is an issue with auth issues, basically. Blank authentication prompts were being displayed. And I believe there was something that was crashing as well. I don’t remember what it was at this point, but it’s a bug in a feature update. So apply it at will: Microsoft Office 2016, PowerPoint 2016, Outlook 2016, Project 2016, Word 2016, and Skype for Business 2015. Instacart did patch a security bug that would have let attackers spoof SMS messages. I’m only reporting this sort of as an update, it’s not anything you need to take care of.
But they did patch an issue with their system. Basically, it was sending a text message saying, if you saw that they have an application on their website, you can have them text you the link to the application. And that link could have been compromised and sent as a different link redirecting you to a malicious website. With that being said, if you ever want to download an app for anything, do it from the Google Play Store or from the Apple Store, don’t click on links and don’t download it from anywhere else. And we have a Google released security update for Chrome: you should be on 81.0.4044.138. That’s across the board. And finally Cisco released security updates for a bunch of products. That was just reported yesterday. So if you’re using Cisco products, check out their Cisco security advisories page and see if you need to update any of them. All right, we got lots of news to share this week. First up, earlier this week on Forbes: Trump declares national emergency as foreign hackers threaten US power grid. Combine that with another article that I saw a few days later, that I don’t think I’m sharing today, where an energy company in Canada was hit with a ransomware attack. So President Trump has signed an executive order that declares foreign cybersecurity threats to the US electricity system a national emergency. We’ve known for a little while now that the electric grid is a target. So President Trump signed an executive order May 1 to further secure the US bulk power system from foreign adversaries that, he wrote, are increasingly creating and exploiting opportunities. The executive order declaring a national emergency over the hacking threat bans the acquisition, importation, transfer or installation of bulk power system electricity equipment from companies under foreign adversary control.
The executive order also confirmed that a task force has been established with members including the Secretary of Defense, the Secretary of Homeland Security and the Director of National Intelligence to work to protect against national security threats to energy infrastructure. What it sort of did not do is go as far as naming any specific foreign adversaries or the companies they may control, so they left it a little vague on purpose, I’m sure. However, President Trump did state that the acquisition or use of bulk power system electricity equipment designed, developed, manufactured or supplied subject to the jurisdiction of these unnamed foreign adversaries augments their ability to create and exploit vulnerabilities with potentially catastrophic effects. Acknowledging that an open investment climate needs to be maintained for the growth of the economy, President Trump wrote that this openness has to be balanced with the requirement to protect against a critical national security threat. Then Director of National Intelligence Dan Coats published a worldwide threat assessment in January 2019 that warned of the cyber attack capabilities of both China and Russia when it came to the US electricity grid. That report stated that Russia has the ability to execute a cyber attack in the United States that generates localized temporary disruptive effects on critical infrastructure. The FBI and the Department of Homeland Security released an alert in 2018 warning of Russian government actions targeting, among others, the energy infrastructure sector in the US. US Secretary of Energy Dan Brouillette, who will lead the newly established task force, said it is imperative the bulk power system be secured against exploitation and attacks by foreign threats. This executive order will greatly diminish the ability of foreign adversaries to target our critical electric infrastructure.
The Department of Energy established the Office of Cybersecurity, Energy Security and Emergency Response in February of 2018 to improve energy infrastructure security, including preparedness and response against cyberattacks. So there you have it. BleepingComputer reports GoDaddy notifies users of breached hosting accounts. It occurred on October 19 of 2018 and was discovered on April 23. I did see somewhere a number of accounts, and I don’t believe it’s in this article. Oh, here it is, approximately 28,000 accounts. They identified SSH usernames and passwords that were compromised through an altered SSH file in the hosting environment. This apparently only impacted hosting and nothing else. So if you are hosting on GoDaddy you should have received a notification at this point, an email or a letter saying that your account may have been compromised, and forced password changes. Ciitizen HIPAA Right of Access study shows significant improvement in compliance. So this was good news, I wanted to share it. There has been a significant improvement in compliance with the HIPAA right of access, according to the latest patient records scorecard report from Ciitizen. To compile the report, Ciitizen conducted a study of 820 healthcare providers to assess how well each responded to patient requests for copies of their healthcare data. A wide range of healthcare providers were assessed for the study, from single-physician practices to large integrated healthcare delivery systems. So the HIPAA right of access rule is this: you ask for your medical records to bring them to another doctor, or just because you want them, whatever it may be, they’re supposed to give them to you within a reasonable amount of time, which is 30 days or less. And they’re not supposed to charge more than the cost of actually creating that record, which is usually a few dollars.
They have a rating system for this, they’ve been doing this for a little while, I guess. They have a rating system of one to five stars, one being the worst and five being, you know, your name goes up in lights. The good news is that the latest study saw the percentage of one stars fall to 27% from 51%. Those are the ones that were not compliant. The percentage of providers awarded four stars rose from 40 to 67%. And those with five stars rose from 20 to 28%. So that is good news, and they actually believe that this was because of the enforcement initiative on right of access, by the way, by the OCR. And we did see a couple of penalties last year and we saw a few breach notifications for it as well. So maybe people are taking it a little bit more seriously, let’s hope. On TechRepublic, nearly 2,000 malicious COVID-19-themed domains created every day. More than 86,600 new domains related to the pandemic are considered risky or malicious, according to a new report. And there were 1.2 million newly registered domain names containing words related to the COVID-19 pandemic from March 9 through April 26. And they believe that almost 87,000 of those are malicious in nature. And I’m just looking for the actual numbers here. Man, I’m not seeing what I’m looking for. So anyway, there are roughly, almost 2,000 domains registered every day related to COVID-19 that they believe will be malicious in nature, meaning it could be phishing sites or carry malware. And they believe that most of them will be crypto mining sites, but some of them will be phishing for sure. You know, they’ll say, hey, we have masks, we have PPE, or we have a vaccine or we have a cure or whatever it might be, none of those things will be true. They will steal information and run with it and probably use it in another attack later on. And so that is the goal. And there were some registered around Zoom too.
This article doesn’t cover the Zoom ones. But that did occur when Zoom was having all their problems. And they’re still being used. And this is why you need to have DNS filtering in your environment, because good DNS filtering will take care of any newly registered domains, so they will not cause an issue with your business. ZDNet: US financial industry regulator warns of widespread phishing campaign. This is FINRA issuing a warning, I should say, the US Financial Industry Regulatory Authority, also known as FINRA, probably more commonly known as FEMA. FINRA has issued a rare cybersecurity alert today warning member organizations of a widespread ongoing phishing campaign. FINRA said the malicious emails were aimed at stealing Microsoft Office and SharePoint account passwords from its member organizations. FINRA, which is a private industry group that works as a self-regulatory body for brokerage firms and exchange markets, said the campaign is still ongoing. According to the security alert, phishing emails were sent using a domain of broker-finra.org, so you could see where someone might fall for that, and made to look like they were sent by Bill Wollman or Josh Drobnyk, two FINRA vice presidents. FINRA said the phishing emails included an attached PDF file that contains a link redirecting users to a website prompting members to enter their respective Microsoft Office or SharePoint passwords. So this goes to a point I’ve made before: don’t open attachments that you didn’t expect. Don’t click on links you didn’t expect; if in doubt with links, type them in manually, and if in doubt about an attachment, make a phone call and see if it really came from where it says it came from. BleepingComputer: SAP announces security issues in cloud-based products. German software maker SAP announced on Monday that it has started to fix security issues identified in several of its cloud-based products.
The company discovered the problems following an internal review and has already started working on eliminating the vulnerabilities. Details about the security flaws have not been disclosed in an advisory. This week the company says that fixing them will largely be completed in the second quarter of 2020. The list of affected products includes SAP SuccessFactors, SAP Concur, SAP CallidusCloud Commissions, SAP CallidusCloud CPQ, as well as SAP C/4HANA Sales Cloud, SAP Cloud Platform and SAP Analytics Cloud. Some of these platforms along with their infrastructure were acquired over the years, and the company paid billions of US dollars for them. With this, SAP inherited all the potential gaps and had to align them to the company’s present contractually agreed or statutory IT security, I’m sorry, that should be contractually agreed on statutory IT security standards. It is estimated that around 9% of SAP’s 440,000 customers are impacted by the vulnerabilities. They will be notified of the risk and will receive assistance to remedy the problems. SAP’s investigation is not complete, but the company does not believe that customer data has been compromised as a result of these issues. In an effort to ensure that the affected products meet relevant terms and conditions, and in addition to technical code remediation, SAP has decided to update its security-related terms and conditions. These remain in line with the market peers. The security updates are not expected to have an impact on the company’s financial outlook for 2020. So I guess that’s good news for SAP. So roughly 440 thousand companies are impacted by this. So they will reach out to you and help you resolve it. So that’s a step in the right direction, in my opinion. And here it is, I mentioned it earlier: cyberattack on NTPC further exposes the cybersecurity risks of the energy sector. So Northwest Territories Power Corporation,
a generator and distributor of electricity in Canada, was hit with a ransomware attack. The ransomware attack hit NTPC, shutting down its IT systems and impacting the power generation, transmission and distribution systems of the company. My NTPC, the online payment portal used by NTPC, was not working properly and was leading the customers to a message saying that the files were encrypted by NetWalker. Although not confirmed for this case, the spread of NetWalker ransomware, aka Mailto, is usually associated with COVID-19-themed phishing emails, as observed during its previous attacks. And so here’s actually information about an earlier data breach with NTPC. In January 2016, NTPC informed its customers that it had wrongly sent some personal details of its customers to a third party, resulting in a breach of personal data: a file containing a list of customer names, meter addresses, and account balances was sent out to some customers while responding to some customer inquiries. Other attacks on the energy sector: in April 2020, the Portuguese multinational energy giant Energias de Portugal (EDP) was hit with Ragnar Locker ransomware, where hackers stole 10 terabytes of sensitive company files and asked for 1,580 Bitcoin, which is roughly $10.9 million. In March 2020, the European electricity association was targeted by a cyber intrusion incident, although no further details about the incident were disclosed. In February 2020, the Reading Municipal Light Department (RMLD) was targeted by cyber criminals in an attempt to extort money by encrypting data in the station’s computer system. In January 2020, a hacking campaign by Iranian hackers was observed targeting the European energy sector, in which the attackers tried to steal sensitive information using the PupyRAT malware.
Other attacks by NetWalker: in March 2020, NetWalker ransomware was observed using coronavirus-themed phishing emails to target its victims. In the same month, this ransomware was also used to target the Champaign-Urbana Public Health District, and in February 2020, the Australian Toll Group admitted that they were targeted by NetWalker ransomware. The Toll Group, by the way, the Australian Toll Group, was hit with another attack within the last couple of days. So not a good year for them. Cognizant: we have an update on Cognizant. You may remember Cognizant is an MSP. So a similar type of business as my business, except that they make quite a bit more money than I do. And we’ll get to that in a moment. I believe they’re the world’s largest MSP, but I could be wrong. But Cognizant believes it has contained the Maze ransomware attack that hit the MSP and IT consulting firm in late April 2020, according to the first quarter earnings statement released May 7, so yesterday. In their statement, Cognizant said the company believes it has contained the attack and that the actor is no longer operating in the company’s environment. Since becoming aware of the attack, the company has taken decisive actions to remediate the threat while keeping clients regularly informed. The company believes these measures enabled it to continue its operations in a timely, secure manner. In addition, the company has and will continue to take any necessary steps to protect the integrity of its systems. Cognizant previously disclosed that the attack may impact company revenues. More details about the attack and remediation are expected to surface on Cognizant’s earnings call for Q1 2020. Cognizant says revenue was $4.2 billion, up 2.8% from the year-ago quarter, including a negative 50 basis points impact from the exit of certain content services businesses, and net income was $367 million compared to $441 million a year ago.
Now, that being said, Maze doesn’t just hit you with a ransomware attack. They steal data. They have not said if that has happened here, and Maze has not released any data. So that tells me one of two things: Maze is not done yet, or Cognizant may have paid some money. But I’m sure we’ll learn more as the days progress here. So when there’s another update on Cognizant, I will share it. And the last bit of news before we move on to our hot topics: critical WordPress plugin bug lets hackers take over 1 million sites. That doesn’t mean they have, it means it’s possible. So Elementor Pro and Ultimate Addons for Elementor WordPress plugins have critical vulnerabilities that Elementor Pro has released patches for. So if you are using those on your WordPress website, you should be updating Elementor Pro to version 2.9.4 immediately. These vulnerabilities are being attacked as we speak. Ways you can check to make sure that your site hasn’t already been compromised: check for any unknown subscriber-level users on your site; this may indicate that your site has been compromised as part of this active campaign. If so, remove those accounts. Check for files named wp-xmlrpc.php; these can be considered an indication of compromise, so check your site for evidence of this file. And delete any unknown files or folders found in the wp-content/uploads/elementor/custom-icons/ directory. Files located here after a rogue subscriber-level account has been created are a clear indication of compromise. So again, that is almost 1 million, I think it’s actually a little more than 1 million sites that are using Elementor Pro, and another 110,000 sites using Ultimate Addons for Elementor. So if you’re using those, get them updated immediately. Let’s talk some numbers, because, you know, not gonna lie, I try to scare you guys. I try to scare business owners, because they need to be scared.
I don’t do it because I want you to purchase on fear, I do it because you need to be educated, you need to understand the risks that are out there. So if you’re not willing to consider the risk of, you know, you being breached, your client information being stolen or whatever else, maybe you’d be concerned about this risk. Consumers will opt for competitors after a single ransomware-related service disruption. While most consumers are taking necessary security precautions to protect their online accounts, I don’t believe that, but some of them are, businesses may not be doing enough to protect their information, inadvertently driving sales to competitors, an Arcserve research reveals, and I found this on Help Net Security, by the way. 7% will switch to a competitor if your systems and applications are back online within 24 hours. 41% will walk away if they still can’t access systems and applications within two to three days. The survey of nearly 2,000 consumers across North America, the United Kingdom, France and Germany found that 70% believe businesses are not doing enough to adequately secure their personal information and assume it has been compromised without them knowing it. And as consumers become more educated and cyberattacks become well known, perceived trust becomes more influential in purchasing decisions, with the study also finding that nearly nine out of 10 consumers consider the trustworthiness of a business prior to purchasing a product or service, and 59% of consumers would likely avoid doing business with an organization that had experienced a cyberattack in the past year. These findings suggest businesses must manage uncharted challenges with the rise of cyber criminals, or I’m sorry, within the rise of cyber criminals, now making breaches public regardless of ransom paid. So again, we’re talking about Maze and DoppelPaymer.
I think Raju and a few others, Clop, are now publishing the data that they steal if you don’t pay up. Ransomware-related service disruption consumer tolerance thresholds: cyberattacks have arguably become the largest business threat. However, the quantifiable impact on consumer behavior has not been widely understood. The study found that one in four consumers will abandon a product or service in favor of a competitor after a single ransomware-related service disruption, failed transaction or instance of inaccessible information. It also found that tolerance for these events quickly deteriorates, with over 66% of respondents stating that they would turn to a competitor if an organization couldn’t restore systems and applications within three days following a cyber attack, and over a third of those would be willing to switch after a mere 24 hours of waiting to access their information or make a transaction. Moreover, the potential damage doesn’t stop during or shortly after a cyber attack. More than eight in 10 respondents admit to sharing their negative ransomware-related experiences with family, friends or colleagues, posting about their experiences online or in the media, and lying about the incidents. Note these attacks are usually very well publicized. So you have to think about that perspective as well. Certain industries fared better than others. While the report concludes that consumers are generally intolerant of cyberattacks, there are a few industries where businesses are under even more pressure to keep data secure and operations running. The survey found that nearly half of consumers would walk away from their banking or securities provider immediately upon experiencing a ransomware-related event which prohibited them from transacting or accessing information, and 43% would immediately seek out a competitive communication product or service, and I can’t say I blame them.
While there are many negative ramifications caused by cyber attacks, businesses that take protective, or I’m sorry, proactive steps to mitigate ransomware quickly will benefit in the long run. Over half of the respondents would be willing to pay more for products and services they believe to be more reliable and secure in the banking and securities industry, and over 40% would pay more if they believe products and services were more secure from companies in the healthcare, insurance and retail categories. So all of you businesses, these are almost all of them compliant-type businesses, that say you can’t afford cybersecurity because it’s too much money: well, think about that. Over half of the respondents would be willing to pay more for products and services they believe to be more reliable and secure in the banking and securities industry, and over 40% would pay more if they believe products and services were more secure from companies in the health care, insurance and retail categories. Consumers are clearly already hesitant about working with companies hit by cyberattacks, and they just won’t tolerate disruption as businesses figure out recovery and remediation plans after the fact. The findings represent a stark warning for organizations, given that one in four of their customers will be gone immediately upon disruption, with many more losing patience within 48 hours, and the numbers are there, ransomware attacks in many cases take more than 48 hours to recover from. Businesses must do more to ensure they’re protecting their data from cyber criminals and mitigating the chance they’ll experience extended downtime. We recommend a two-pronged approach where cybersecurity, backup and disaster recovery are deeply intertwined.
So if the thought of your clients’ data being stolen, or the thought of your business coming to its knees, or, you know, I don’t know why business owners wouldn’t already be concerned, and we’re going to go over another article in a moment that shows that some businesses are not concerned, but maybe this is another one: you get hit, you’re going to lose reputation immediately, and I’m going to look up the hit that Target took after their credit card information was stolen a few years ago, just to give you an idea. But before we do that: patients notified medical records exposed at tornado-hit secure medical record facility. So I’m going to go through this first and then I’m going to explain why I’m bringing this up. Several healthcare providers have been affected by an unusual data breach at Waupaca, Wisconsin-based STAT Informatic Solutions LLC. STAT provides secure medical records services to several health care providers, which includes scanning paper files so they can be added to hospital medical record systems. On March 3, a STAT facility in Lebanon, Tennessee was hit by a tornado, which caused extensive damage to the building and some of the records stored in the facility. STAT notified all affected clients the same day, and representatives of those health care providers visited the site to assist with locating and securing medical records in the facility. To limit the potential for unauthorized access, a tall fence was erected around the building while the medical records were located and secured. Security guards were also posted on the site 24/7 to prevent unauthorized individuals from accessing the building. The majority of the medical records were found in the remnants of the building, but the records were determined to be unsalvageable and have now been securely destroyed.
While it is possible that unauthorized individuals may have viewed some paperwork relating to patients, no evidence has been uncovered to suggest that this was the case, and patients are not believed to be at risk of financial harm. Out of an abundance of caution, patients whose records were stored in the building are being notified by mail and will be offered complimentary credit monitoring services. The medical records at the facility contained the following types of information: full names, Social Security numbers, addresses, dates of birth, medical record numbers, account numbers, medical images, diagnoses, nursing and physician documentation, test results, medications and other types of information typically found in medical records. And so here are the health care providers who were impacted by this: Bayfront Health in Port Charlotte, Florida; Bayfront Health in Punta Gorda, Florida; Commonwealth Health Wilkes-Barre General Hospital, Pennsylvania; Commonwealth Health Moses Taylor Hospital in Pennsylvania; and Poplar Bluff Regional Medical Center in Missouri. Now, why did I bring this up? This illustrates a very important point. Your security risk analysis is supposed to go through every risk that is believed to be in existence for your practice, for your covered entity or business associate, whatever it might be. Tennessee is in an area where they do get tornadoes. So a tornado is a very real risk. I’d be willing to bet that this business, STAT, did not do a security risk analysis that included the potential for tornadoes. So in other words, if you live in an area where you’re constantly under hurricane threats, so Florida, South Florida, then you should include that in your security risk analysis. If you live in the northeast where blizzards are a very real threat, you should include that in your security risk analysis.
If you live in a coastal area where water is an issue, you should include flooding. Really, you should include flooding whenever you have a covered entity or business associate, but that needs to be in your security risk analysis. The security risk analysis should take every possible risk, analyze it, and prepare your healthcare practice or business associate for that risk. It's not meant to be a checklist. It's not meant to say, okay, well, we have anti-malware software on our computers, so we're secure. That's not what it's meant to be. And that is part of it; you know, that's part of your security risk analysis, and every healthcare practice should have that. You should make sure that your systems are secure from breach and from malware and from ransomware and all that stuff, you know, and that includes data backups and all that. But I'm sure that Stat could have done more to prevent something like this from happening. It is tragic, and I'm sure that the numbers will show that the chances of that building getting hit by a tornado were pretty small, but it's still a possibility and it's still something that needs to be looked at when you run your security risk analysis at least once a year. So that's the point of me sharing it: it's a rare HIPAA breach, but it's still a HIPAA breach and it still could happen. You know, with Florida you get hurricanes all the time, and they do say that 2020 is going to be an active hurricane season; in a way, this year, it wouldn't shock me the least bit. So that's something to think about if you have a healthcare practice, and that could be anything: it could be a dentist, a chiropractor, a physician, an optometrist; any business that falls under the HIPAA umbrella needs to run a security risk analysis and say, okay, we could get hit with a hurricane. Are we prepared for that? And what do we need to do to prepare for that better?
So that was the whole point of me sharing that, and plus, it's one less HIPAA breach I need to report later on in this podcast. And we're going to go back to... we're not going back to the article, but we're going to go back to that topic. So I found this on Dark Reading. It's a real short read. DarkReading.com: "Half of Companies Have Suffered a Cybersecurity Issue Amid COVID-19 Crisis." Survey shows 49% expect to experience a data breach or cybersecurity incident in the next month. But it gets scarier than that. Social distancing and working from home may be helping to stem the tide of the COVID-19 pandemic, but they aren't doing much good for enterprise cybersecurity. According to the results of a new study, nearly half, which is 46%, of global businesses have encountered at least one cybersecurity scare since shifting to a remote working model, and 49% of the survey respondents anticipate suffering a data breach or security incident in the next month as a result of moving employees to work from home. The study, conducted by Barracuda, found that an increase in perceived risk has not been accompanied by an increase in security spending. So that's where it gets scary. So you saw that, you getting hit with a ransomware attack, which will directly impact your bottom line and your reputation, and then you see this, where it says some 40% of companies surveyed said their response to COVID-19 has included cutting their cybersecurity budget, and 50% said they would consider cutting staff if cybersecurity could be maintained. Cutting. They cut it. They didn't just say, alright, we need to make sure we're still doing the same thing. They cut it. And the problem with that is, you now have this population of employees that are working from home, and they are not cybersecurity aware, and that is opening up a whole new wormhole for your business.
I've worked with a number of employers, businesses, over the last, now, eight weeks to help secure it, and I've got to tell you, some of the things I've seen from municipalities, from small businesses, from healthcare practices, from law firms, it's unreal. And you know that a lot of them are BYOD. So you're working from home now, you need to use your own device to remote back into the office; they'll set up Remote Desktop with no security at all, using a very simple password. They will make sure that you can still access your email, but they're not securing that; they don't turn on multi-factor authentication. They're not educating their people on phishing. They're not doing anything to secure the business and, in many cases, secure client files, and not spending on it is not the answer. That is the opposite of the answer. So I thought it was scary that, you know, 40% said they are cutting spending on cybersecurity during COVID-19. Hopefully that is not a trend going forward, but COVID-19 might be here for a little while, so who knows? All right, we're gonna continue on our HIPAA education with a review of the Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations, that was part of the 405(d) project. And as the... I never remember what HICP stands for, but it's HICP, also known as "hiccup." That is part of the... it's a plan to make sure that healthcare practices are more cyber secure. So we're going to talk about today Cybersecurity Practice #4, Data Protection and Loss Prevention. Let's start with, and again, this is all based off of the NIST Cybersecurity Framework. So that means if you're familiar with the NIST Cybersecurity Framework, none of this should come as a surprise to you. But apparently it does, because I see healthcare practices across the board using IT support or other business associates, or what's supposed to be business associate support, that are not familiar with this and are not using best practices.
So let's jump in here: set the expectation for how your workforce is expected to manage the sensitive data at their fingertips. Most healthcare employees work with sensitive data on a daily basis, very true, so it is easy to forget how important it is to remain vigilant about data protection. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. And so we just talked, or we will talk about, sorry, employees getting fired for viewing data that they shouldn't be viewing; there are a couple of those this week. Establish a data classification policy that categorizes data as, for example, sensitive, internal use, or public use, and identify the types of records relevant to each category. For example, the sensitive data category should include PHI, Social Security numbers (and if you don't know what PHI is, it's protected health information), credit card numbers, and other information that must comply with regulations, may be used to commit fraud, or may damage the organization's reputation. And credit card numbers also fall into PCI, by the way, so you need to look at both of those. So we have classification: Highly Sensitive, data that can be easily used to commit financial fraud or to cause significant damage to the organization's reputation. Examples of such data for patients include Social Security numbers, credit card numbers, mental health information, substance abuse information, and sexually transmitted infection information. Access to these data should be restricted to users who require it and who demonstrate proper identification at login. Such data must be managed in compliance with applicable regulatory requirements. Sensitive: all other PHI, especially data associated with the designated record set, clinical research data, insurance information, employee data, and organizational board materials. Internal: data that should be protected yet are not considered sensitive.
Examples include organization policies and procedures, contracts, business plans, corporate strategy and business development plans, and internal business communications. And Public: all data that can be sanitized and approved for distribution to the public, with no restriction on use. Prohibit the use of unencrypted storage such as thumb drives, mobile phones, or computers; require encryption of these mobile storage mediums. Before... everything should be encrypted, not just mobile, because there have been a few cases in the last few months of servers walking away and desktops walking away, all these things walking away. The document references the NIST Framework as well when it comes to the different practices in this document. And we have: use classifications to establish data usage procedures. Identify authorized users of sensitive data and the circumstances under which such data may be disclosed. So in other words, identify who's allowed to access it and make sure they're the only ones accessing it. Train your workforce to comply with organizational procedures and OCR guidance when transmitting PHI through email. Encrypt all PHI sent via email or text; however, patients can request and receive access to their PHI via unencrypted electronic communication following a brief warning to the patient that unencrypted communication could be accessed by a third party in transit, and the patient confirms that they still want to receive unencrypted communication. So in other words, if you're going to send an email, and that person is asking you to send it to their free Gmail account or free POP email account, or, let's say, Comcast, since we were talking about them earlier, you need to warn them of the risks, because Comcast does not encrypt their email.
When emailing PHI, use a secure messaging application such as Direct Secure Messaging, which is a nationally adopted secure email protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system, and there are quite a few secure texting systems, but I would, to the point here, use the one that your EHR provides if you're going to use anything, not just a texting system. Implement data loss prevention technologies to mitigate the risk of unauthorized access to PHI. Check with your IT provider to determine if this is feasible for your organization, or reference Cybersecurity Practice #4, Data Protection and Loss Prevention. So data loss prevention is having a disaster recovery, business continuity, disaster recovery system set up. And so the way we do it is we set it up where you have a local backup and then you have an off-site backup done through the cloud, and if something goes down, you're able to get back up virtually within minutes. Train staff never to back up data on uncontrolled storage devices or personal cloud services. For example, do not permit employees to configure any workplace mobile device to back up to a personal computer unless the computer has been configured to comply with your organization's encryption and data security standards. I saw this once where the employee installed their personal Dropbox account on the work computer. I don't know how they were allowed to do that, and why that wasn't preventable, but they did, and the place picked up on it in a security scan, and the employee... I don't know what the HR outcome was, but obviously the Dropbox account was removed.
And they did find stuff in the Dropbox account that shouldn't have been there. Not only that, but the employee had information in the Dropbox account that he probably did not want anybody else to see. Remember to protect archived data, such as records for previous patients. It is important to monitor access to the data, which may be used infrequently, so that a cyber attack is detected immediately. Ensure that data are removed or destroyed properly so they cannot be accessed by cyber thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that it cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means the data are destroyed. And if not, by the way, it's easily recoverable. Retain and maintain only data that your organization requires to complete work, comply with record storage requirements, and minimize your organization's risk by regularly removing unnecessary data. And so what are the threats mitigated by this? Ransomware, loss or theft of equipment or data, and accidental or unintentional data loss. So, data protection, and that is a big part of HIPAA. Not just HIPAA, but healthcare in general, healthcare IT: protecting your patients' information, your clients' (those are your clients) information. Right, it's time for the HIPAA breach report. We have quite a bit of breach news, not necessarily breaches but news, to share. "Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches." A LabCorp shareholder is taking legal action against LabCorp and its executives and directors over the loss in share value that was caused by two cyber attacks experienced by the company in the past 12 months.
So you may recall those breaches from last year, where LabCorp was breached, 10,251,784 patients, and companies like Quest were part of that. And so, a lot of you know, obviously it was a big breach. LabCorp was one of the companies worst affected by the data breach at the medical debt collection company American Medical Collection Agency (AMCA), so Quest was also part of that. They used LabCorp services to infiltrate AMCA systems, and at least 24 of AMCA's clients were affected by the breach. A second LabCorp data breach was reported by TechCrunch in January of this year that involved around 10,000 LabCorp documents, which the lawsuit alleges was not publicly disclosed by the company nor mentioned in any SEC filings. The breach was the result of a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not reported to the HHS Office for Civil Rights, even though TechCrunch researchers confirmed that the documents contained patient data. Ramin Eugenio holds shares in LabCorp, which lost value as a result of the data breaches, and filed a lawsuit on April 23 to recover those and other losses. The lawsuit names LabCorp as the defendant along with 12 of the company's executives and directors, including LabCorp CIO Lance Berberian, CFO Glenn Eisenberg, and, I'm sorry, director Adam Schechter. The lawsuit alleges that prior to the AMCA breach and subsequently, LabCorp failed to implement appropriate cybersecurity procedures and did not have sufficient oversight of cybersecurity, which directly resulted in the two data breaches. In an SEC filing, LabCorp explained the AMCA data breach cost the company $11.5 million in 2019 in response and remediation costs, but the lawsuit points out that the figure is just a fraction of the total losses and does not cover the costs of litigation. Several class action lawsuits have been filed by victims of the AMCA data breach that name LabCorp.
So the total losses are not known to its shareholders, and it probably won't be known for years. The lawsuit also states that the second breach has not been acknowledged publicly or in any SEC filings. As such, Eugenio alleges LabCorp failed in its responsibility to its shareholders and breached its duties of loyalty, care, and good faith. The lawsuit alleges LabCorp failed to implement effective internal policies, procedures, and controls to protect patient information; there was insufficient oversight of compliance with federal and state regulations and its internal policies and procedures; LabCorp did not have a sufficient data breach response plan in place; PHI was provided to AMCA without ensuring the company had sufficient cybersecurity controls in place; LabCorp did not ensure that the individuals and entities affected by the breach were notified in a timely manner; and the company did not make adequate public disclosures about the data breaches. The lawsuit seeks reimbursement for damages sustained as a result of the breaches and public acknowledgement of the January 2020 data breach. The lawsuit also calls for a reform of corporate governance and internal procedures and requires a board-level committee to be set up and an executive officer position appointed to ensure adequate oversight of data security. So we've talked about the hidden costs of HIPAA breaches before. Obviously, this was a very large data breach last year, a large HIPAA breach last year, but these are the hidden costs. So, you know, OCR hasn't even... I don't know where they are in the investigation of this breach, and I'm sure there will be some type of settlement when all is said and done, but the lawsuits and everything else that's going to come from this are going to be probably far worse than the actual HIPAA breach settlement.
BJC HealthCare has announced the email accounts of three of its employees had been accessed by an unauthorized individual after the employees responded to phishing emails. Suspicious activity was detected in the email accounts on March 6, and the accounts were immediately secured. A leading computer forensics firm was engaged to conduct an investigation, which revealed the three accounts had only been accessed for a limited period of time on March 6. It was not possible to tell if patient data was viewed or obtained by the attacker. Review of the accounts revealed they did contain the data of patients at 19 BJC and affiliated hospitals. Protected health information in emails and attachments varied from patient to patient and may have included the following data elements: patient names, medical record numbers, patient account numbers, dates of birth, limited treatment and/or clinical information, which included provider names, visit dates, medications, diagnoses, testing information, and health insurance information. Social Security numbers and driver's license numbers of certain patients were also potentially compromised. All patients affected by the breach will be notified by mail when the email account review is completed. So they did notify in exactly 60 days, so good for them. However, three email breaches means no MFA, no training is occurring on a routine basis at BJC. And there is a list of 19 facilities here: Alton Memorial Hospital, Barnes-Jewish Hospital, Barnes-Jewish St. Peters Hospital, Barnes-Jewish West County Hospital, BJC Behavioral Health, BJC Corporate Health Services, BJC Home Care, BJC Medical Group, Boone Medical Group, Boone Hospital Center, Christian Hospital, Memorial Hospital Belleville, Memorial Hospital East, Missouri Baptist Medical Center, Missouri Baptist Physician Services LLC, Missouri Baptist Sullivan Hospital, Parkland Health Center Bonne Terre, Parkland Health Center Farmington, Progress West Hospital, and St. Louis Children's Hospital.
"Patients Notified of Medical Records Exposed After Tornado Hit Secure Medical Record Facility." We already talked about that. But again, just to review: when you run your security risk analysis, you need to consider all potential loss, not just things that are common, like theft, but anything that could occur. And Robert H. Lurie Children's Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months. The privacy violations were identified by the hospital on March 5. The employee's access to hospital systems was immediately terminated while the investigation was conducted. After reviewing access logs, the hospital found that the employee had accessed the medical records of 4,824 patients without authorization between November 2018 and February 2022. The types of information accessed by the employee included names, addresses, dates of birth, diagnosis information, medications, appointments, and medical procedures. No health insurance information, financial information, or Social Security numbers were accessed. No reason was given as to why the medical records were accessed, but the hospital says it does not believe the employee obtained, misused, or disclosed the information to anyone else. The hospital said the employee no longer works at the hospital. This is not the first incident of its type to occur at Lurie Children's Hospital. A similar incident was discovered in November 2018, when the hospital learned that a former employee accessed the medical records of patients without authorization between September 2018 and September 2019. So it sounds like they have an issue with access controls, which we talked about in last week's podcast. So, you know, Mercy Health, and we talked about that breach earlier. Last... when did it occur? In March, so we did talk about it a couple months ago. "Mercy Health Fires Nurse for Multiple Privacy Violations."
This one's interesting. Mercy Health has also recently taken action against an employee for alleged violations of the HIPAA Privacy Rule. A nurse at Hackley Hospital in Muskegon, Michigan was terminated on April 3. The termination came shortly after the nurse raised concerns in media interviews about the level of preparedness of the hospital for the COVID-19 pandemic, and how the alleged lack of preparedness put safety at risk. The nurse contacted the Michigan Nurses Association labor union, which claimed that Mercy Health fired the nurse for speaking out. The labor union also filed a charge with the National Labor Relations Board. Howe's termination came on the evening of April 3, days after he had publicly raised concerns about the lack of appropriate PPE and the need for improved screening measures to keep nurses and healthcare workers safe during the COVID-19 pandemic. So the labor union, in an April 21 press release, 10 days after the nurse was fired, and one day after the press release was issued by the labor union, Mercy Health released a press release of its own stating the nurse was fired for multiple violations of HIPAA rules. Mercy Health said it does not usually share details about employment matters related to its workers but was compelled to speak out due to the misinformation campaign led by the labor union. Mercy Health claims the fired nurse, Justin Howe, was terminated for accessing the medical records of multiple patients over a period of several days. The records were not for patients receiving treatment at the campus where the nurse worked, and there was no legitimate work reason for accessing those records. Mercy Health claims that Howe was not the only nurse terminated for improper medical record access. According to the Mercy Health press release: "We have mechanisms in place to monitor for inappropriate access of privileged information. As part of this review process, Mr. Howe, along with others, was terminated for the same. This investigative effort is still in process." So, kind of an interesting case. We'll wait to see what comes with that.

And then we have three more breaches that were reported early this morning. St. Francis Healthcare Partners in Connecticut is notifying 38,529 patients that some of their protected health information has potentially been obtained by hackers as a result of a sophisticated cybersecurity incident that allowed an unauthorized individual to gain access to its email system. The attack occurred on December 30, but it took until March 20 for the forensic investigation to determine that patients' protected health information was potentially compromised. The types of information stored in the email system that could have been accessed included names, medical histories, medical record numbers, clinical and treatment information, dates of service, diagnoses, health insurance provider names and account numbers, prescription information, and types of procedures performed. No financial information or Social Security numbers were compromised. The investigation uncovered no evidence to suggest patient information was accessed, stolen, or misused. Steps have now been taken to improve data security practices, and all affected patients have been notified by mail. There's a few failures here. One, obviously, this took more than 60 days to notify. Two, "sophistication" in your breach notification: it's not a thing. Phishing attacks are not sophisticated. If you set up multi-factor authentication and you train your employees, then it's not a sophisticated attack; it can't happen. The statement here, that a sophisticated cybersecurity incident allowed an unauthorized individual to gain access to its email system, tells me that somebody was phished.

"Florida Internal Medicine Practice Suffers Ransomware Attack." Daniel Ben Data What's MD ffensive PA is notifying 3,314 patients that their protected health information has been exposed as a result of a ransomware attack. The attack occurred on March 25, 2020, resulting in the encryption of its computer systems, including patient records. Backup files were not affected, so files could be recovered without paying the ransom. In these types of ransomware attacks, files are not typically accessed by the attackers prior to file encryption; however, data access cannot be ruled out, so notification letters have been sent to affected patients. The doctor explained in the breach notification letters that names, addresses, dates of birth, Social Security numbers, health insurance information, and medical information were potentially compromised. Out of an abundance of caution, identity theft protection services have been offered to all affected patients. Steps have also been taken to improve security to prevent further attacks in the future. So here's the thing with this one. They say that in these types of ransomware attacks, files are not typically accessed. That is incorrect, and that is a very poor assessment, a very poor statement, because, as we've seen multiple times now in the last few months, they're stealing the files before they encrypt you. They're spending time to peruse your network, so to speak, and then encrypting your files. Houston Methodist Hospital is notifying 1,987 heart patients that some of their protected health information was stored on portable storage devices that were stolen from the vehicle of a vendor representative in mid-February. The individual was employed by the medical device manufacturer and operated the 3D imaging technology in the hospital's cardiac catheterization lab. The hard drives were left in a vehicle, from where they were stolen.
The hospital reports that the room where the hard drives were stored was locked, and removal of the devices was against hospital protocol and violated established technical safeguards and contractual obligations. The representative believed the room was only locked due to the late hour of the day. The hard drives contained medical images that included a patient's name, gender, date of birth, and code number. The images could only be viewed with specialist software. The clinic reported the theft to law enforcement and hired a private investigator, but the hard drives could not be located. So that means the hard drives were not encrypted. An employee of Ascension Eastwood Clinic in Southfield, Michigan sent an email to patients on April 15 explaining the practice was transitioning to telehealth services due to COVID-19 to help prevent the spread of the disease. An error was made sending the email: patients' email addresses were not added to the BCC field of the email and could therefore be viewed by other patients. As a result of the error, email addresses and, in some cases, patients' names were disclosed to other patients. Apart from allowing a patient to be identified as a patient of the clinic, no other information was exposed. The HHS Office for Civil Rights breach portal shows 999 patients were affected. And that is going to do it for the HIPAA breach roundup, and that is going to do it for this podcast. So until next week, stay healthy, stay safe, and stay secure.

Transcribed by https://otter.ai
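Two things from this episode can be enforced in the same place: the HICP data-classification practice read out above (classify what is in a message; encrypt PHI in email unless a single patient has been warned and still opts in; never send Social Security or card numbers in the clear) and the Ascension Eastwood Clinic mistake at the end (patient addresses in the To field instead of BCC). The Python below is an added example written for this page, not code from the podcast, from Nwaj Tech, or from the 405(d) HICP document. The regular expressions, the four class names, the finding codes, the `OutboundMail` fields and the sample messages are all constructed assumptions standing in for whatever a real mail gateway or DLP product exposes.

```python
"""Outbound e-mail DLP check built on the HICP data-classification practice.

Added example, not from the podcast or the 405(d) HICP document. The
patterns, class names, finding codes, OutboundMail fields and sample
messages below are all constructed assumptions; tune them before use.
"""
import re
from dataclasses import dataclass, field

# --- detection patterns (constructed) ---------------------------------------
# SSN with separators; rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13-16 digits, optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Medical record numbers as written in the constructed samples ("MRN: 00123456").
MRN_RE = re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE)
# Clinical vocabulary that marks "all other PHI" (the sensitive class).
CLINICAL_RE = re.compile(r"\b(diagnos[ie]s|medications?|treatment|test results?)\b",
                         re.IGNORECASE)
# Constructed marking for documents in the internal class.
INTERNAL_RE = re.compile(r"\[INTERNAL\]")

# Finding codes returned by check_outbound().
BULK_RECIPIENTS_VISIBLE = "BULK_RECIPIENTS_VISIBLE"            # To/CC instead of BCC
UNENCRYPTED_HIGHLY_SENSITIVE = "UNENCRYPTED_HIGHLY_SENSITIVE"  # SSN/card in the clear
UNENCRYPTED_PHI_NO_OPT_IN = "UNENCRYPTED_PHI_NO_OPT_IN"        # PHI in the clear, no opt-in


def luhn_ok(digits: str) -> bool:
    """Luhn checksum so random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid 13-16 digit numbers found in text, digits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> str:
    """Map a message body onto the four HICP classes; the most sensitive match wins."""
    if SSN_RE.search(text) or find_card_numbers(text):
        return "highly sensitive"  # usable for financial fraud
    if MRN_RE.search(text) or CLINICAL_RE.search(text):
        return "sensitive"         # all other PHI
    if INTERNAL_RE.search(text):
        return "internal"          # policies, contracts, business plans
    return "public"


@dataclass
class OutboundMail:
    to: list
    body: str
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    encrypted: bool = False       # handed to a secure-messaging/encryption gateway
    patient_opt_in: bool = False  # patient was warned and still asked for unencrypted mail


def check_outbound(mail: OutboundMail) -> list:
    """Return finding codes for a message; an empty list means it may be sent."""
    findings = []
    visible = len(mail.to) + len(mail.cc)
    # Bulk patient notices: every address in To/CC is disclosed to every recipient.
    if visible > 1:
        findings.append(BULK_RECIPIENTS_VISIBLE)
    level = classify(mail.body)
    if level == "highly sensitive" and not mail.encrypted:
        findings.append(UNENCRYPTED_HIGHLY_SENSITIVE)
    elif level == "sensitive" and not mail.encrypted:
        # The opt-in exception covers one patient receiving their own PHI only.
        single_patient = visible == 1 and not mail.bcc
        if not (mail.patient_opt_in and single_patient):
            findings.append(UNENCRYPTED_PHI_NO_OPT_IN)
    return findings


if __name__ == "__main__":
    # Constructed samples: a telehealth notice to two patients in To, and a
    # visit summary with an MRN sent in the clear without the patient's opt-in.
    samples = [
        OutboundMail(to=["pat1@example.com", "pat2@example.com"],
                     body="We are moving to telehealth visits next week."),
        OutboundMail(to=["pat1@example.com"],
                     body="Your MRN: 00123456 visit notes and diagnosis are attached."),
    ]
    for s in samples:
        print(classify(s.body), check_outbound(s))
```

The first sample reproduces the Ascension-style error (two patient addresses visible to each other) and is flagged even though the body is public; moving the second address to `bcc` clears it. The second sample is sensitive PHI with no encryption and no opt-in, so it is blocked; setting `encrypted=True` (the DSM or gateway path) or `patient_opt_in=True` for that single recipient lets it through, while a body containing a Social Security or card number is blocked regardless of opt-in.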

Author Scott Gombar
