
  1. Weak Security - New technology is being created and released every day. More often than not, however, these new technologies rush to market, and consumers connect them to their wi-fi without fully considering the security ramifications. These unsecured connections pose a very real risk of hackers and cyber criminals gaining access to your network. With more and more employees working from home on their own home wi-fi, businesses are left exposed.
  2. Social Media - Cyber criminals are now leveraging social media more than ever. Using personal information from social media profiles, or targeting specific websites they know social media users visit, are just a few of the ways hackers can be invited in.
  3. Mobile Malware - Virtually every device in use today is mobile. That means these devices travel around, connecting to different networks, wi-fi, and hotspots EVERYWHERE. If mobile devices are not fully secured, the door is left wide open for attacks.
  4. Third-Party Entry - Entering through a third-party endpoint is the easiest way for hackers or cyber criminals to gain entry to your systems.
  5. Poor Configurations - Companies continue to neglect customizing and properly configuring their security settings, which can leave major holes in networks and security perimeters.
  6. Old Security Software - If security software is not updated, patched and monitored on a very regular basis, new malicious code will easily bypass old systems as soon as it comes out.
  7. Social Engineering - Using social media to interact with people and psychologically gain their trust in order to get into their network is perhaps one of the most malicious security threats, but also one of the most effective.
  8. No Encryption - Protecting sensitive business data should be a top priority; however, encryption is a measure few industries choose to enable. In healthcare specifically, encryption is necessary for HIPAA compliance.
  9. Personal Devices - Whether an organization issues company devices or not, company information will end up on personal devices. Mobile Device Management is imperative for businesses.
  10. Inadequate Security Technology - New security technologies send an alert when attacks are being attempted and provide advanced threat protection to try to stop an attack BEFORE it happens. Companies and businesses alike should be investing in these types of software.

As many of you know, an Electronic Health Record (EHR) is a digital record of a patient’s paper charts, updated in real-time.  This is an incredible option to have in the world of medicine, where information can be exchanged between doctors as well as business associates. It also provides an incredible benefit to the patient, giving them the best and most appropriate care when needed.

Overall, it really is a great thing to have so much information at your fingertips.  Unless that information gets into the wrong hands.  Which is exactly what happened to Allscripts Healthcare, an EHR company used by a variety of businesses in the medical field, including hospitals, pharmacies and emergency service (ambulance) centers around the world.

Today Allscripts is working with the Department of Justice to pay $145 million in a preliminary settlement in response to an attack that exposed patient records which were thought to be safe in the cloud.   They were in violation of HIPAA, the HITECH Act’s EHR incentive program, and the Anti-Kickback Statute in relation to Practice Fusion, the company Allscripts acquired in 2018.  This settlement will release both companies from all criminal and civil liability related to the investigation surrounding them.

Unfortunately, they aren’t alone.  With the human component being the big risk factor in any organization, healthcare employs many, many people with patient access.  Each record is a gold mine for hackers, and therefore even one mistake can prove costly to an organization, as we’re seeing with Allscripts.

How do we remedy this?  The first and most important step is to cover your assets. Cyber Insurance is going to increase your likelihood of surviving a breach, but once you have that protection set up, get your employees trained.  And then repeat the training.  Conduct Security Risk Assessments at least annually, not only to comply with HIPAA but to identify security gaps which could leave your organization’s data up for grabs. Then, perform a vulnerability scan and find out if your system is as secure as you hope and believe.

Protection and prevention go hand in hand and in the world of healthcare, you can never have enough.

The post Allscripts to Pay $145 Million for Practice Fusion EHR Investigation appeared first on HIPAA Secure Now!.

HIPAA – Then & Now

The Health Insurance Portability and Accountability Act, better known as HIPAA, has been around since 1996, with the intent to protect patients by properly handling their protected health information (PHI).

With good intentions, HIPAA set forth to provide both security provisions and data privacy. The legislation was passed in the age of paper records, a time that required much different security measures than what we see today.

23 years later, it’s safe to say the ways in which we store, access, or transfer PHI have changed drastically. Of course, incredible changes and advancements in technology require changes to how we protect and safely handle patient data. Have we seen regulatory change with HIPAA regarding the digital age we now live in? Unfortunately, the answer is no.

The Digital Age

Today, the chances of you finding a healthcare provider that still relies on paper records is slim. The convenience of electronic medical records (EMRs) for both providers and patients is undeniable. From providing an easy way to share records with patients and other clinicians to allowing for simpler communication between patients and their providers, EMRs have changed the healthcare industry.

Unfortunately, with the pros come the cons. Digital medical records do pose some major risks, and as mentioned, HIPAA has made minimal progress when it comes to addressing them.

Hackers Exploiting Healthcare

According to the Protenus Breach Barometer, 2018 saw 15 million patient records compromised in 503 breaches, triple the number of compromised records in the previous year. 2019 has already seen some massive healthcare breaches, like the Quest Diagnostics data breach that affected at least 12 million patients.

So, why are hackers setting their sights on healthcare organizations? There are several reasons.

PHI yields high profits on the dark web. Where credit card information can quickly become worthless to cybercriminals, PHI is another story. Not only can healthcare breaches go undetected for sometimes lengthy periods of time, the data that is compromised in one is not something that the affected individual can easily change, like a birth date for example.

Hackers also know that the healthcare industry historically underinvests when it comes to IT security and training. What does this mean for a cybercriminal? Lack of IT resources often means poor security: perhaps no firewall, outdated systems, no anti-virus, and more. In addition, lack of employee training means employees are ill-equipped to handle a cybercriminal’s malicious attempts at gaining access to the sensitive information they are expected to safeguard.

Furthermore, with the vast technology and highly connected systems used in the healthcare industry, one attack on a small system could lead to detrimental consequences for an organization. Cybercriminals know that organizations rely on these systems, and thus suspect that attacking them may give them what they’re hoping for, as in a ransomware attack, for example: pay the ransom and regain access to your systems, or ignore the demand and lose your data.

Acknowledging the Cybersecurity Problem

With HIPAA being flawed and outdated, how do we move forward to protect patients and their data from the cybercrime epidemic?

Although HIPAA needs some major updating, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which is responsible for enforcing HIPAA, hasn’t completely ignored the issue at hand.

In December 2018, HHS issued cybersecurity guidelines for the healthcare sector in an effort to drive voluntary adoption of cybersecurity practices. This guidance sent a message that HHS is well aware of the cybersecurity issues surrounding the healthcare industry.

In addition to the cybersecurity issues plaguing healthcare, protecting consumer data in general has become a hot topic with the passing of the EU’s General Data Protection Regulation (GDPR). While Congress has tossed around the idea of federal privacy legislation that would create a unified privacy law, there are no real signs of that being carried out anytime soon.

How Do We Fix This?

  1. Don’t wait around for a regulation. It’s evident that we cannot wait around for HIPAA to change, or in hopes of Congress passing a federal law to better protect the privacy of patients and consumers.
  2. Take a look around. It is critical for both Covered Entities and Business Associates to take a closer look at the patient data they are protecting. Remember, cybercriminals don’t just seek out financial information, but rather, information that could yield a large profit for them, whether that be a birthdate, a Social Security number, or anything in between. If you store, access, or transmit any kind of PHI, take a hard look at that data. If a hacker were to exploit it, what kind of damage could be done?
  3. Secure your systems. Now that you’ve thought through what kind of data you have access to, secure it. Don’t leave any data vulnerable. Cybercriminals can launch extremely detrimental attacks against individuals and organizations. Do everything you can to keep them from successfully carrying one out against you.
  4. Train employees. Make sure employees understand how valuable the data they have access to is, and the repercussions that could ensue if that data is compromised. Employees should know how to properly protect PHI, how to report a data breach, how to spot a phishing attempt or any other malicious attempt by cybercriminals, and everything in between.
  5. HIPAA is not optional – abide. Despite the flaws of HIPAA, it’s intended to protect patient data, which is valid and necessary, from an ethical point of view as well as a regulatory one. Whether you’re a Covered Entity or a Business Associate, it is your responsibility to comply with HIPAA.

Technology will continue to advance, and hackers will continue to sharpen their skills to exploit these ever-evolving devices and systems. It is up to us to ensure that we continue to evolve our cybersecurity practices, which in turn will help us better protect PHI in the digital age where HIPAA has left holes.

The post Why We Need to Go Beyond HIPAA appeared first on HIPAA Secure Now!.

MeetMe: A dating social media app that connects people based on location. Users are encouraged to meet in person.

WhatsApp: A messaging app that allows texts, video calls, photo sharing and voicemails with users worldwide.

Bumble: Similar to Tinder, but requires women to make the first contact. Law enforcement says kids and teens can create fake accounts and falsify their age.

Live.Me: A live-streaming app that uses geolocation to share videos. The sheriff's office said users can earn "coins" to "pay" minors for photos.

Ask.FM: The sheriff's office said this app lets users ask anonymous questions and is known for cyberbullying.

Grindr: A dating app geared toward the LGBTQ community based on user location.

TikTok: A new app popular with kids lets users create and share short videos. Law enforcement said the app has "very limited privacy controls" and users can be exposed to cyberbullying and explicit content.

Snapchat: One of the most popular social media apps in the world, Snapchat lets users take and share photos and videos. The app also lets people see your location.

Holla: This self-proclaimed "addicting" video chat app lets users meet people in seconds. Law enforcement said users have seen racial slurs and explicit content.

Calculator: Police say this is one of several apps that are used to hide photos, videos, files and browser history.

Skout: A location-based dating app that is supposed to prohibit people under 17 from sharing private photos. However, police say kids can easily create an account with a different age.

Badoo: A dating and social media app where users can chat and share photos and videos based on location. Police say the app is supposed to be for adults only, but they've seen teens create accounts.

Kik: Police say kids can bypass traditional text messaging features using this app. Kik "gives users unlimited access to anyone, anywhere, anytime," the sheriff's office said.

Whisper: An anonymous social network that lets users share secrets with strangers. Police say it also shows users' location so people can meet up.

Hot or Not: The app lets users rate profiles, check out people in their area and chat with strangers. Police say the goal of the app is to hook up.

Approximately 25,000 patients are being notified by Adirondack Health that their protected health information (PHI) may have been obtained by a hacker.

Vermont-based Adirondack Health is part of the Adirondacks Accountable Care Organization (ACO). Adirondacks ACO analyses health data for the entire region and is made up of all the Adirondack region’s hospitals.

The Breach

On March 4, 2019, it was discovered that an unauthorized individual had accessed an employee’s email account for two days. After discovering the unauthorized access, Adirondacks ACO began checking every email and attachment in the affected employee’s account, looking for any PHI that may have been accessed.

Adirondacks ACO discovered that two employees had been discussing information regarding patients who had missed a baby wellness exam and other screenings, as part of their population health analysis. The employees were planning to send the information, contained in a “gap-in-care” spreadsheet, to providers so they could determine how to contact their patients.

That’s when an unauthorized individual from outside the U.S. remotely obtained access to the email account. At this time, no evidence suggests that the email was opened by the unauthorized party, however, the possibility could not be ruled out.

The Exposure

The unauthorized access was not due to a phishing attack, and a spokesperson for Adirondack Health stated he does not believe the employee could have avoided it. The spokesperson also stated that policies are being changed as a result of the incident.

Information contained in the exposed spreadsheet includes patients’ names, dates of birth, Medicare ID numbers, health insurance member numbers, as well as limited treatment and/or clinical information. Some patients also had their Social Security numbers listed.

Adirondacks ACO began notifying patients of the breach in early July. 25,000 letters of notification have been sent to affected patients, with only a few remaining.

For patients who had their Social Security numbers listed on the spreadsheet, free credit monitoring and identity protection will be provided by Adirondacks ACO.

The post 25,000 Patients’ Data Exposed in Email Hack appeared first on HIPAA Secure Now!.

Facebook Status: Away on Vacation

Social media is great for a lot of things.  Sharing photos, reconnecting with old friends, finding like-minded people and groups to share ideas and hobbies.  But when does sharing become oversharing?

Hackers gain access to your personal data via your profile and the information you share there – and you don’t even realize it’s happening.  Photos with your children and pets with identifying names on them, locations of where you’ve been, or where you are currently on vacation.

By posting all of this and not ensuring that your profile is private or protected, you are handing over valuable information that attackers can use to guess passwords or hack your accounts while you are away on vacation and likely paying less attention to day-to-day happenings, like bank account deductions. Not away on vacation? That doesn’t mean you’re off the hook either.

Tagged in a photo from that recent work conference?  Now they know where you work and what you do for a living.  Some people even post detailed resumes online that give away an incredible amount of information.

While your likes and dislikes can create online engagement for you, they can also be a goldmine for marketing agencies and now cybercriminals, who can not only guess your whereabouts and possible login information, but can also create duplicate (fake) online profiles using all of the personal information you’ve shared.  Using professional headshots only adds to their bank of resources and credibility.

How to Avoid Oversharing

Make sure your profile security is set to the strictest parameters available.  Do not allow yourself to be “tagged” without approval.  Do not indicate when you are traveling – wait until you are home to share photos and stories.

Professionally speaking, give headline-level details, not a full outline of your experience and career.

Social media isn’t going away, and the power it holds can be used for wonderful things to enrich your life.  Just be sure that you aren’t giving away too much to the wrong people.

The post Hackers Using Social Profiles appeared first on HIPAA Secure Now!.

Credential Stuffing

Every year it seems there’s a constant slew of major hacks at big companies that end up with millions of username/password pairs being compromised. The real-world consequence of these leaks is what’s known as credential stuffing. Credential stuffing is when hackers use long lists of stolen login credentials in a large-scale automated attempt to log into various websites. Therefore users should make their credentials more secure and avoid ones that are commonly used or reused.
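From the defender’s side, a stuffing run has a recognizable shape in the login logs: one source trying many different usernames in a short window, with mostly failures and the occasional success where a reused password happened to work. The following added example (it is not code from the original post) scans constructed login-log lines for that pattern in Python. The log format, the IP addresses, the usernames and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (format: timestamp source-ip username result).
# The addresses and names are made up for this example.
SAMPLE_LOG = """\
2019-07-01T10:00:01Z 203.0.113.7 alice FAIL
2019-07-01T10:00:02Z 203.0.113.7 bob FAIL
2019-07-01T10:00:02Z 203.0.113.7 carol FAIL
2019-07-01T10:00:03Z 203.0.113.7 dave SUCCESS
2019-07-01T10:00:04Z 203.0.113.7 erin FAIL
2019-07-01T10:00:05Z 203.0.113.7 frank FAIL
2019-07-01T10:00:07Z 198.51.100.4 alice FAIL
2019-07-01T10:00:30Z 198.51.100.4 alice FAIL
2019-07-01T10:01:10Z 198.51.100.4 alice SUCCESS
2019-07-01T10:02:00Z 192.0.2.9 grace SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(FAIL|SUCCESS)$")


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, within some sliding time window, try at least
    `min_users` distinct usernames with a failure ratio of at least
    `min_fail_ratio`. A legitimate user retrying their own password (one
    username, a few attempts) does not match; a leaked list replayed against
    many accounts does. Returns {ip: summary of the last matching window}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {u for _, u, _ in in_window}
            fails = sum(1 for _, _, ok in in_window if not ok)
            ratio = fails / len(in_window)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(in_window),
                    "fail_ratio": round(ratio, 2),
                    # Successful logins inside a stuffing burst are the
                    # accounts whose reused passwords just worked; these are
                    # the ones to lock and re-credential first.
                    "likely_compromised": sorted(u for _, u, ok in in_window if ok),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

In the sample, only 203.0.113.7 is flagged: six usernames in five seconds, five failures and one success (dave), whose account is the one to reset. The retrying user at 198.51.100.4 is left alone because a single username never meets the distinct-user threshold.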

Banking Trojans

In network security terms, a banker trojan horse (or banking trojan) is a malicious program used to obtain confidential information about victims via online banking and payment systems. A banking trojan works by disguising itself as a genuine app or piece of software that users download and install. Once installed, it positions itself so that it can access your banking details. Once it has the login information, it can beam it back to the malware developer, granting them access to your bank account. Easy, right?

Quantum Cryptography

Quantum cryptography is the science of exploiting quantum mechanical properties to execute cryptographic tasks. Essentially, quantum cryptography is based on the use of individual particles/waves of light (photons) and their intrinsic quantum properties to develop an unbreakable cryptosystem, because it is impossible to measure the quantum state of any system without disturbing that system. It is theoretically possible that other particles could be used.

Momo, with its bulging eyes and stringy hair, reportedly appears on sites or apps like WhatsApp, Facebook and YouTube, sometimes in conjunction with kids’ videos meant to depict the popular game "Fortnite" or the kids’ show character Peppa Pig. A trend called the “Momo Challenge” has been stirring up fervor in recent weeks. This terrifying doll asks the viewer to participate in challenges that range from innocuous to deadly, including murder and suicide. This “character” has been appearing around the internet for at least a year, according to international police agencies and news outlets. These videos are targeting children.

Educating Your Children

While the Momo challenge is nothing more than a viral hoax, it still highlights the underlying problem: your kids need to be educated and careful when on the internet, even if you think they are watching something as simple as their favorite kids’ show on YouTube. It’s not just this creepy character that kids need to be aware of on the Internet, but a variety of things, from disturbing content to cyber criminals aiming to extort information.

History

To clear things up, this isn’t the first sighting of “the Momo challenge,” but it has resurfaced, and people are still unaware of its presence on the internet. It is nothing more than a recurring internet hoax, one that reminds us to watch over what our kids are doing on the internet and what they might be exposed to.

What is SIM Swapping?

SIM swapping is a technique that mainly involves the social engineering (or manipulation) of a target’s mobile phone provider. Using personal information obtained about their target, a hacker will attempt to persuade the target’s mobile phone provider to port the phone number over to a SIM card belonging to the hacker. Once the swap occurs, the hacker has essentially hijacked their target’s mobile phone number. One-time passwords, verification codes, and two-factor authentication codes that go through a user’s mobile device via phone call or text message are then sent to the hacker.

College Student Steals Millions

College student Joel Ortiz, 20, of Boston, accepted a plea deal for stealing more than $5 million in cryptocurrency from more than 40 victims. Cyber theft has recently become, and continues to be, a huge threat to the cryptocurrency community. Ortiz pleaded guilty to the crime and was sentenced to 10 years in prison as part of his plea deal.

You’re Just Lucky

You’re just lucky you haven’t been breached. Over the last few years, several SIM hijackers have been arrested, such as 21-year-old Nicholas Truglia, who stole a million dollars in crypto; however, authorities say Ortiz is the first person ever to be convicted of a crime involving SIM swapping. This just goes to show that Ortiz is not the only person using this social engineering technique, but merely one of the many who got caught. These are millions of dollars we are talking about, in the form of digital currency. Be protected and stay engaged in cyber security practices!

Went Phishing Again…

Sophisticated hackers launched a successful phishing campaign that stole more than $800,000 from Cape Cod Community College. According to a Cape Cod Times report, “Next-generation endpoint security solutions, if installed on all systems, would have stopped and prevented the attack.” Working with banking officials, the West Barnstable, Massachusetts college was able to recover around $300,000 of the funds.

Attack Details

  • The phishing email appeared to have been sent from another college.
  • The person who opened the email had no suspicions at first, but when something seemed off, contacted the school’s IT department, which ran a diagnostic test and found a polymorphic virus embedded in the phishing email.
  • The hackers set up a fake URL address for TD Bank and made nine fraudulent transfers totaling $807,130 from the college’s financial account. The hackers also placed calls to fool employees and validate the transactions.
  • The college had recently installed next-generation endpoint protection software — but only on a portion of its systems. Had the security been installed on all systems, the virus infection would have been avoided.

School Districts Under Attack

This is the second time in recent months that hackers have stolen money from the higher education industry in the United States’ New England region. An attack in June 2018 stole an estimated $1.4 million from 21 account holders at the Connecticut Higher Education Trust (CHET). Outages that have crippled colleges have also been hacker-generated, for example the Wisconsin outage that triggered three days of class cancellations.

Forgetful Users

Every year, technology like smartphones and laptops is lost in taxis, coffee shops and elsewhere. Any security plan that doesn’t account for these “user error” conditions is going to have difficulty from the very start. Teach routines like places to search before leaving a location, or create "rituals" around packing up and leaving. These will help remind people to look around them before they go. Also, mobile device management features like login authentication could help minimize damages.

Thieves

Sometimes laptops get stolen by people who want to sell them on Craigslist, but sometimes laptops get stolen by people who are trying to steal your data. These data-hungry attackers are often found in parking lots and coffee spots normally visited by high-value targets. Always be mindful about where your laptop is, as well as about using the public Wi-Fi at your favorite coffee shop.

USB Trojans

Hackers have created a trojan that makes exclusive use of USB devices in order to spread. As with most cyber-security practices, the first line of defense is changing user behavior. The first step in defending against USB trojans is to make sure that anti-malware systems are up to date and aggressive. The second step is to make sure there is a procedure for USB sticks that turn up unexpectedly.

Phishing Emails

Phishing emails are fraudulent emails appearing to come from a legitimate business or enterprise. These messages usually link you to a fake website or may get you to provide private information that is later used to obtain your personal data. Be on the lookout. Educate yourself and your staff.
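Two of the cues in a fraudulent “appearing to come from a legitimate business” message can be checked automatically before a person ever reads it: the display name claims a brand the sender domain does not belong to, or the sender domain is a lookalike of a real one (swapped characters, or an internationalized "xn--" domain). The following added Python example (not code from the original post) performs those checks on a constructed trusted-domain list and constructed From headers; the domains, headers and substitution table are all assumptions made for the example, and the earlier TD Bank story is only the inspiration for the sample names.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed allow-list: domains this organization actually corresponds with.
TRUSTED_DOMAINS = {"tdbank.com", "example-college.edu"}

# Visual substitutions commonly used in lookalike domains (assumed table).
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain):
    """Fold a domain into a form where common lookalike tricks collapse."""
    d = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    d = d.translate(CONFUSABLE_CHARS)
    return d.replace("rn", "m").replace("vv", "w")


def brand_of(domain):
    """The brand word a display name would reuse, e.g. 'tdbank' for tdbank.com."""
    return re.sub(r"[^a-z0-9]", "", domain.split(".")[0])


def assess_sender(from_header, link_domains=()):
    """Return a list of human-readable findings for a From header and the
    domains of any links in the body; an empty list means nothing stood out."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    if not domain:
        return ["missing or malformed sender address"]

    findings = []
    if any(label.startswith("xn--") for label in domain.split(".")):
        findings.append("punycode (internationalized) sender domain")

    if domain not in TRUSTED_DOMAINS:
        # Lookalike: normalizes to the same string as a trusted domain.
        for trusted in sorted(TRUSTED_DOMAINS):
            if normalize_domain(domain) == normalize_domain(trusted):
                findings.append(f"lookalike of {trusted}")
        # Brand impersonation: display name carries a trusted brand word.
        display_key = re.sub(r"[^a-z0-9]", "", display.lower())
        for trusted in sorted(TRUSTED_DOMAINS):
            if brand_of(trusted) and brand_of(trusted) in display_key:
                findings.append(f"display name claims {trusted} but sender is {domain}")

    # Links that lead somewhere other than the sender or a trusted domain.
    for link in link_domains:
        link = link.lower()
        if link != domain and link not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain {link}")
    return findings


# Constructed sample headers for a quick run.
SAMPLE_HEADERS = [
    "Support <help@tdbank.com>",
    "TD Bank <alerts@td-bank-secure.com>",
    '"Bursar" <bursar@exarnple-college.edu>',
    "IT Desk <it@xn--tdbnk-8fa.com>",
]


def run_samples():
    """Map each sample header to its findings."""
    return {h: assess_sender(h) for h in SAMPLE_HEADERS}


if __name__ == "__main__":
    for header, findings in run_samples().items():
        print(header, "->", findings or "ok")
```

A check like this belongs at the mail gateway or in a user-reported-phish triage script; it does not replace training, but it catches the mechanical tricks so people only have to judge the message itself.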

Cryptojacking is the practice of using a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge. Cryptojacking has become a more popular way for cyber-criminals to extract money from targets in the form of cryptocurrency. Widely publicized hacks, like ransomware attacks, are some of the ways the hackers are cryptojacking.

Four Young Hackers Booked In South Korea

Four young hackers have been arrested in a cryptojacking case involving over 6,000 computers, in what is allegedly South Korea’s “first” known case of its kind, Korean English-language news outlet Aju Daily reported Nov. 8. The cryptojacking campaign is said to have lasted two months as of October 2017, but resulted in mined crypto worth only around one million won ($895).

Cryptocurrency In The US

International cybersecurity firm Group-IB has shown that the number of compromised accounts has risen 369 percent since 2017. Data shared with Hard Fork shows that a staggering third of all victims were in the US. Every single one of the top 19 exchanges has been breached; 720 usernames and passwords were stolen in total.

Prevention

Now, more than ever, it’s a good idea to increase your knowledge of cyber-attacks and pay attention to whom you converse with about cryptocurrency in public. Set a complicated password and, until the exchanges sort out their security issues, don’t keep too much on any particular exchange.

Madison County employees were unable to send emails one evening when a ransomware virus infected their computer systems. The virus has had crippling effects on the county’s ability to conduct business, according to Madison County’s clerk, Kim Muir. Ransomware viruses work by cutting off a user’s access to files and other important systems while demanding a ransom to restore it.

Madison County’s Game Plan

The virus was discovered on October 4th, when an employee was checking to make sure the court’s new Odyssey system would run properly for the next day. “We don’t know a lot about how it happened or anything. We’ve got great IT people working to get our systems back up to where they need to be,” Muir says.

Update

Many of the files that were encrypted have since been restored. Muir says they still do not have access to email, but hope to have that restored soon, too. The ransomware virus ended up costing the county just under $200,000. Lisa Cannon (IT Director) said the ransomware breach affected over 600 personal computers and up to 75 servers. Weeks were spent recovering data.

Prevention

Ransomware and other viruses can be easily avoided with 24/7 monitoring of computer networks, strong anti-virus, software patches and updates, and end-user training. Reach out to your IT support team or person, whether internal or external, and make sure all of these things are being taken care of so you can avoid being the next Madison County.

Hacked to Mine Cryptocurrency?

According to a local news report in China’s Da Lian city, 20 arrests have been made on suspicion of hacking over a million computers and using them to mine, or “generate,” cryptocurrency with their victims’ computer processing power. Cryptocurrency is a form of digital “money.”

How did the Hackers do it?

The hackers created and embedded the malware inside internet browser plug-ins they developed for multiple purposes, such as improved browsing speed, which were shown in display ads that reached 5 million computers in the country.

When clicking the display ads and downloading the plug-ins, over a million computers were breached, mining a total of 26 million digibyte, decred and siacoin tokens over the course of two years, according to the police. China reported this hack has earned its creators more than $2 million.

Reasoning?

The hackers apparently opted to mine lesser-known cryptocurrencies, or altcoins, since they don’t require such significant amounts of computing power, allowing the back-end mining process to be quieter and less likely to be spotted by victims.

The report also indicated the hackers developed a network of more than 100 agents to help propagate the illicit mining software, such as through working relationships with internet cafes.

What is the DEFCON Convention?

The DEF CON convention is one of the world's largest hacker conventions, held annually in Las Vegas, Nevada with the first DEF CON taking place in June 1993. Many of the attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, security researchers, students, and hackers with a general interest in software, computer architecture, phone phreaking, hardware modification, and anything else that can be "hacked."

What does this mean for Me and You?

The meaning behind this is simple and obvious: there is a LARGE convention where hackers go to show off their new skills and new hacking technology, and even to show off what kind of damage they can do. As this convention grows, so does the possible threat of someone going back to their hometown and using what they learned on you or your company! Just as these hackers are sharpening their tools, your company should be doing the same via cyber-security!

The Positive Side

On the positive side of this otherwise dark convention, a lot of cybersecurity professionals and software engineers also attend this event to help find loopholes in big-name companies and programs to help strengthen cyber defense. So, hackers go to show off their skills and new technology, and the “good guys” come and try to figure out how to stop it.