Posts Tagged hack

Cyber Security:  Five Common Phish Attack Schemes

Cyber Security:  Five Common Phish Attack Schemes

Hackers only need you, that’s right just you. They are sneaky and know the general population is busy and doesn’t pay close attention to the emails they receive. Hackers know people are comfortable in their daily habits. They exploit this behavior by creating email scenarios designed to encourage a click. They need just one person to click just one time to infect their computer with malware that grants them access to the information they need to launch a more sinister attack.

“Phishing attacks are by far the most common cyber attack today, and these attacks continue to get more and more sophisticated.  Gone are the days of the ‘dear sir’ attack-now we have to worry if an email appearing to be directly from a co-worker is actually from them,” said Steven Hines, president of Threat Advice.

Because hackers are continually changing their tactics, clicking on a nefarious email or link leading to a cyber attack can happen to anyone. Recognizing the threat before it turns into a disaster is just one way we each can be more prepared. The following are five ways hackers are currently trying to access your business and personal information:

  1. Look but don’t click. If the email address or the attachment name seems “phishy,” it probably is. Are there spelling or grammatical mistakes? Companies with professional staff are not going to make these types of mistakes.
  2. Analyze the salutation and signature closely. Most legitimate businesses will use your name rather than a generic greeting like “Dear customer.” The business should provide ways to contact them in the signature. If that’s not provided, it could be a phishing attempt.
  3. Know your brands. Hackers will spoof your favorite brands and make their emails look enough like the actual brand to fool you. Is the logo color wrong? Are there additional words in the brand name? Did you sign up to receive emails from them? Don’t click any links before you examine the email to confirm the sender.
  4. Urgent or Threating – No one likes a bully. A common phishing technique is to use harassing or threating language in the subject line or email content or to create a sense of urgency to handle a fake problem. Most legitimate banks, utilities/municipalities and businesses will not ask you to provide your private information via email nor threaten you in an email.
  5. What grandma said…“If it’s too good to be true, it probably is!” Hackers will continue to send phishing emails promising riches and prosperity if you only send your social security and bank information. Why? Because unfortunately, people still take the bait.

Article contributed by Cobbs Allen. Cobbs Allen is an official Gold Partner with the Medical Association. For more information about cyber liability insurance and how it protects your business, contact Margaret Ann Pyburn.

Posted in: MVP

Leave a Comment (0) →

“WannaCry” Ransomware Holds True to its Name

“WannaCry” Ransomware Holds True to its Name

This week, countries around the world faced an unprecedented cyber security attack. On May 12, 2017, the Critical Infrastructure Protection Lead for the Department of Health and Human Services Laura Wolfe first reported it as a “significant security issue.” Hours later, the Department of Homeland Security’s Computer Emergency Readiness Team warned the public of a malware virus called “WannaCry.” As with typical ransomware, an individual would receive an email purposely designed to look like an email sent by a business or individual the recipient may be familiar with and contain either a link or attachment. Once opened, the virus spreads giving the attackers access to computer systems and the ability to encrypt the information and extort money from the victim.

What’s the relationship between HIPAA and ransomware?

When a health care entity is the victim of a ransomware attack, the protected health information accessed during the attack is considered to be breached. Therefore, unless the affected entity can prove the information was encrypted prior to the attack, it must go through all of the usual steps to comply with the HIPAA Breach Notification Rule. This includes, but is not limited to, reporting the breach to people whose information was compromised no later than 60 days from discovering the breach. If the breach includes the protected health information of greater than 500 people, there must also be contemporaneous notice to HHS and news media outlets.

Why can’t you just follow the money?

Often, individuals connected to ransomware activity will use a currency called “Bitcoin.” Since around 2009, bitcoin has allowed for the exchange of goods and services without regard to the identity of the sender or recipient. Since there is no bank to act as a conduit, there are no transaction fees which have allowed the use of bitcoins to increase in popularity among merchants. However, the anonymous nature of the transactions makes it difficult, if not impossible, to trace. This anonymity makes it a currency of choice among hackers.

Who does this affect?

Many health care entities built their information technology infrastructure around Windows XP when it was introduced in 2001. Windows XP was discontinued in 2014 and is no longer supported by Microsoft. As a result, it has not received necessary updates or security patches. Due to its initial popularity, many entities may still have at least one Windows XP device and have been sluggish to fully convert to a more secure operating system. Fortunately, as of the date of this article, experts have been able to identify the threat and dramatically slow the spread of the most recent virus. However, health care entities must be vigilant about addressing these cyber security concerns. Hackers are aware of these vulnerabilities and will continue to use their resources to exploit those weaknesses.

How can you protect yourself?

Make sure that you are using up-to-date antivirus software, and be sure to implement updates and patches as they are made available. Educate your staff on the importance of not opening suspicious emails, and teach them how to look for subtle irregularities hackers often use when they are attempting to pose as someone familiar to the recipient. Additionally, ensure you and your staff never click on links in emails that appear bizarre. A common example is an email from your banking institution that you were not expecting or a link to collect a fictitious lottery prize.

Victims of this cyber crime are encouraged not to pay the ransom because most often the information is still not made available by the hacker. Instead, if you believe that your system has been exposed to this malicious software, please report this threat to authorities. You can begin the process by contacting your FBI Field Office Cyber Task Force by visiting https://www.fbi.gov/contact-us/field-offices.  You can also report cyber incidents to the US-CERT and FBI’s Internet Crime Complaint Center at https://www.ic3.gov/default.aspx.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: Liability

Leave a Comment (0) →

Don’t Fall Victim to Cyber-Security Disasters

Don’t Fall Victim to Cyber-Security Disasters

Editor’s Note: This article was originally published in the 2015 Fall Issue of Alabama Medicine magazine

Every day, it seems the news is filled with more and more reports of cyber-security attacks. Unfortunately, the health care community is considered a prime target for those individuals who would seek to gain access to confidential information.

Did you know that stolen medical records can be valued at up to 10 or 20 times that of a credit card number?1 Compounding this is the ever-growing reliance within the medical community upon electronic and digital systems to capture patient data and deliver medical care. So how can health care providers protect themselves from being the victim of a cyber-security incident?

Assess and Manage Your Risk

Medical providers should have a comprehensive knowledge of where their critical information resides, and of any and all vulnerabilities related to the storage and transmission of the data. To ensure that those in the medical community recognize the threat(s) to confidential information, the United States Department of Health and Human Services mandated within the HIPAA Security Rule that all covered entities conduct a thorough risk analysis to identify all potential vulnerabilities as well as determine the probability and magnitude of a possible security event.2

While a risk assessment should be a formal exercise in which all facets of information security are reviewed and vetted for adequacy, the provider should also establish and maintain a strategy for risk management. This involves implementing proper safeguards to secure information as well as communicating and educating personnel throughout the organization on the policies and procedures which continually mitigate risk. By creating and cultivating a culture of compliance, one can significantly reduce the chance of exposing a vulnerability that could lead to unauthorized access.

Increase Detection Capabilities

Recent cyberattacks in the health care community have exposed a very dangerous trend: Many times, hackers have accessed and begun harvesting data several weeks or even months prior to being detected.3 It is no longer sufficient for medical providers to consider security safeguards, such as firewalls and anti-virus software applications as “set-it-and-forget-it” mechanisms. Solutions should be implemented to enable the monitoring and detection of breaches that could trigger proper incident response processes quickly and efficiently.

Health care organizations should consider investing in Next-Generation Firewalls. These security devices provide more than just network filtering – they typically offer advanced security features, such as deep packet inspection (where each specific data part that passes through is examined for viruses or other types of malicious software) as well as intrusion prevention systems that monitor network traffic for malicious activity and are configured to actively prevent or block such attempts once detected.In addition to these technologies, other applications, such as Security Information and Event Management Systems, allow for real-time analysis and monitoring of systems. These solutions can be configured to alert the proper personnel in the event of a suspicious activity (e.g., multiple failed system logins) and allows for the organization to establish a proactive stance against unauthorized access to critical systems.

In addition to these technologies, other applications, such as Security Information and Event Management Systems, allow for real-time analysis and monitoring of systems. These solutions can be configured to alert the proper personnel in the event of a suspicious activity (e.g., multiple failed system logins) and allows for the organization to establish a proactive stance against unauthorized access to critical systems.

Protect and Secure Mobile Devices

According to the 2014 SANS Health Care Cyber-Security Survey, 52 percent of respondents allow access to health record information via mobile devices. Another 30 percent indicated that sensitive data was being included in instant messaging applications.4 As mobile device usage continues to grow, it becomes more and more important for healthcare providers to implement a mobile device management policy to address and minimize the threat of these devices causing a security incident.Specific to the mobile device itself, all providers should ensure that both authentication (via password or PIN code) and encryption are enabled on all devices. Furthermore, public Wi-Fi networks should not be used in situations where health information will be transmitted. Secure, encrypted connections, such as SSL VPN should be established when accessing corporate resources remotely. Providers should also implement technologies that can remotely wipe or disable mobile devices that are lost or stolen.

Specific to the mobile device itself, all providers should ensure that both authentication (via password or PIN code) and encryption are enabled on all devices. Furthermore, public Wi-Fi networks should not be used in situations where health information will be transmitted. Secure, encrypted connections, such as SSL VPN should be established when accessing corporate resources remotely. Providers should also implement technologies that can remotely wipe or disable mobile devices that are lost or stolen.As much as one can try to protect and mitigate risk related to the mobile device itself, the user of the device can still pose a significant liability. In addition to addressing the physical device, organizations should also invest in continuing education and training for users, as well as maintain strict policy and procedures related to the use of the device in providing medical care.

As much as one can try to protect and mitigate risk related to the mobile device itself, the user of the device can still pose a significant liability. In addition to addressing the physical device, organizations should also invest in continuing education and training for users, as well as maintain strict policy and procedures related to the use of the device in providing medical care.

Looking Ahead

The SANS report data shows that the health care industry is slowly starting to make strides and improve when it comes to protecting critical data from attack. However, it has become clear that not only are the hackers getting smarter, but their overall activity and attempts to infiltrate and mine confidential information continue to increase significantly.5 A 2014 report in United States Cyber Security Magazine indicated that the health care industry was the target of more cybercrime incidents than any other market, and this trend is likely to continue as hackers start to realize the value of medical information.6

Health care organizations will need to continue to thoroughly examine and assess the ways in which they are protecting themselves from attack. Analysis will need to be conducted internally and externally, as associated organizations such as payers, insurers, and other entities within community health care networks will be responsible to each other for protection of medical information. By effectively assessing and managing risk and building a risk framework that addresses all areas of critical data, medical providers can take significant steps towards minimizing the likelihood of a cybersecurity attack.

Sources

  1. http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924
  2. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
  3. http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/
  4. https://www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652
  5. http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
  6. http://www.uscybersecurity.net/Pages/online_magazine.html

The information in this article is not intended as tax or legal advice. Please consult your tax advisor for specific information regarding your individual situation.

Contbronzemvpributed by Nic Cofield, Jackson Thornton Technologies Consultant. Jackson Thornton is a Certified Public Accounting and Consulting Firm and an official partner with the Medical Association.

Posted in: Management

Leave a Comment (0) →