Breaking Compliance News Blog

New North Korean Cyberattack– A Sophisticated Attack? Or Not?

Posted by ScottGima on 10/25/18 8:56 AM

A recent technical alert issued jointly by the Department of Homeland Security, the Department of the Treasury and the Federal Bureau of Investigation states a “high confidence” that North Korea is responsible for multiple attacks that have stolen millions of dollars from banking ATM systems across the world.

This attack, known as “FASTCash,” was a very sophisticated attack. The government’s technical alert about the attack includes a diagram. This diagram – and the inner workings of the attack are hard for a non-technical person like myself to discern.   

Phishing Attack

But one surprising detail of the attack is very easy to understand: The hackers began their attack with simple spear-phishing emails:

“The initial infection vector used to compromise victim networks is unknown; however, analysts surmise HIDDEN COBRA actors used spear-phishing emails in targeted attacks against bank employees.”

Despite the high level of sophistication of this attack, the entry into the banks’ network was not technically sophisticated. It was a simple phishing attack directed at bank employees.

What is Spear Phishing?

Spear phishing uses a fraudulent email is designed to appear to originate from a known or trusted source. It is a targeted attack toward the email recipient and/or the recipient’s organization with the goal of obtaining the employee’s credentials (ID and password) and/or to download malware. The fraudulent email could mimic an email coming from Twitter, Facebook, LinkedIn or other social media account. It may also be formatted to look like it originates from a senior executive within the organization. When an employee clicks on the email, they either download malware, and/or are taken to a website where they input their credentials (which are then sent to the hackers).

Is your organization vulnerable to spear phishing?

Possibly. According to Verizon’s 2018 Data Breach Investigations Report, 12% of people click on phishing emails. Using this statistic, if you have 200 employees, you should expect 24 successful phishing attacks this year.

Take this Phishing IQ Test from SonicWall. Do you think you or your employees in your organization can successfully identify every phishing email in this test?

 

Read More

Topics: security, HIPAA

Anthem Makes HIPAA History

Posted by Margaret Scavotto, JD, CHC on 10/16/18 3:43 PM

In early 2015, Anthem announced the largest healthcare cyber-attack America has seen. Hackers accessed records of 79 million people. Affected patients brought class action lawsuits against Anthem. In 2017, the lawsuits settled for $115 million.

Yesterday, the OCR announced it has settled the underlying HIPAA violations of this data breach for a whopping $16 million. This settlement far exceeds the next-highest HIPAA settlement we have seen ($5.5 million), and brings 2018's average HIPAA settlement amount up to $4,978,000.

The OCR reported that hackers were able to infiltrate Anthem's system after at least one employee clicked on a spear phishing email. The OCR also found that Anthem: "failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014."

What you can do

Your HIPAA security strategy needs to address the HIPAA Security Rules. If you haven't already done so, conduct a HIPAA security risk analysis (or update yours, if it's time). Review HIPAA Security administrative, technical and security safeguards to make sure you have implemented measures to mitigate risks that could subject your organization to an attack.

And, don't forget to train your staff. The OCR noted that the Anthem breach started when potentially a single employee clicked on a spear phishing email.  You could have the most sophisticated HIPAA security defense available - but if employees can't recognize suspicious emails, you are still vulnerable to cyber-attacks.

New Call-to-action

 

Read More

Topics: security, data breach, HIPAA

The Threat of Nation-State Sponsored Cyber Attacks

Posted by Scott Gima on 7/31/18 7:13 AM

 

The public continues to be bombarded by the media coverage and debate of President Trump’s support or non-support of the U.S. intelligence agencies’ position on Russia. What has taken a backseat is the substance and urgency of a possible cyber-attack. The purpose of this blog is to discuss the threats and its relevance to covered entities and business associates.

On Friday, July 13, 2018, Dan Coats, the director of National Intelligence spoke at the Hudson Institute and discussed the current national security threats against the US. He equated the current risk of a cyber-attack to terrorist attack threats prior to September 11, 2001. The following are a few quotes from his speech:

     In 2001, our vulnerability was heightened…At the time, intelligence and law enforcement communities               were identifying alarming activities that suggested that an attack was potentially coming to the United                 States. It was in the months prior to September 2001 when, according to then CIA Director George Tenet,         the system was blinking red. And here we are nearly two decades later, and I'm here to say the warning             lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack.

     Every day, foreign actors — the worst offenders being Russia, China, Iran and North Korea — are                     penetrating our digital infrastructure and conducting a range of cyber intrusions and attacks against targets       in the United States. The targets range from U.S. businesses to the federal government (including our               military), to state and local governments, to academic and financial institutions and elements of our critical         infrastructure — just to name a few.

     All of these disparate efforts share a common purpose: to exploit America's openness in order to undermine       our long-term competitive advantage.

Threat to Healthcare Providers?

Mr. Coats never mentions healthcare providers. So does this mean there is nothing to worry about? Probably not.

Back in January, the Washington Post reported about NotPetya, a 2017 a Russia-sponsored cyber-attack against Ukraine, designed to disrupt their financial system. The ransomware wiped computer data from banks, energy firms, and senior government officials. While 50% of affected computer systems were located in the Ukraine, the attack spread across the globe and affected systems in Denmark, India and the United States. Half of the victims were unintended targets of the attack.

If government-sponsored cyber-attacks are imminent, the NotPetya attack reminds us that another attack can easily result in collateral damage against unintended victims. Healthcare providers could easily become collateral damage, especially those who have not adequately prepared for a ransomware attack. In the healthcare context, that collateral damage can include costly HIPAA Breaches, and, more alarmingly, patient harm due to lack of utilities and electronic medical records.

Mr. Coats’ “red-flag” warning makes clear that cyber-security measures must be in place. The OCR recommends the following preventative security measures as part of HIPAA compliance:

  • Complete a security management process, which includes a risk analysis and implementing security measures to mitigate or remediate those identified risks
  • Implementing policies and procedures to guard against and detect malicious software
  • User training so staff can assist in detecting and report attacks
  • Implementing access controls to limit access to ePHI to only persons or software programs requiring access.

 

HIPAA on a budget:  Get HIPAA compliant with MPA's  HIPAA Tool Kit

Read More

Topics: data breach, HIPAA, security

    Privacy Policy           Terms of Use