The CynergisTek Blog

Read the latest blog posts by CynergisTek’s team of experts related to healthcare security, privacy and compliance. Have a topic that you would like us to cover? Email us to tell us what you are interested in.

Pay Now or Pay Later: The Cost of Privacy and Security

For many things in health care, if you don’t spend the energy and resources to reduce risks now, you will likely pay for it later, and when you do, it will cost more to take care of the problem than it would have cost to prevent it. We all know that if we eat healthy, exercise and get our routine medical and dental examinations, the risk of serious health conditions is reduced. Catching a disease early could mean the difference between surviving or not. There are, of course, exceptions.

By |September 16th, 2016|

When Sam Wasn’t Sam

Let’s look seriously and objectively at the dangers inherent in maintaining current systems of user privileging.

Sam was just another network engineer assigned to the server team at the hospital. Each engineer had two sets of credentials, one with and one without elevated privileges, and they had all been told not to use the privileged one when just accessing the network or routine services such as email. But Sam always liked to do things his own way, and saw no point in wasting his time worrying about which login he used, thinking, “These security guys are always making a mountain out of a molehill.” Then one day, a massive outage took place that affected multiple systems and applications, and someone in finance was on fire because they couldn’t get payroll out; hell, they couldn’t even access the payroll servers.

By |September 14th, 2016|

OCR Plans to Expand Compliance Reviews of Small Healthcare Breaches

The Office for Civil Rights (OCR) of the Department of Health and Human Services has announced a new initiative, expanding review and investigations into the causes of breaches that affect fewer than 500 people. There were 232,000 breaches of PHI affecting fewer than 500 individuals reported to OCR by covered entities and business associates between October 2009 and June 2016.

By |August 24th, 2016|

MouseJack Hack: Wireless Keyboard & Mouse Lets Bad Guys in the House

Serious Vulnerability in Non-Bluetooth Wireless Human Interface Devices (HIDs)

Overview

Over the last week, I have been working to better understand the MouseJack hack and how easily it could be exploited. It turns out that this is a very concerning attack. Without purchasing any hardware (mostly because I have several different Logitech keyboards and mice), I was able to re-flash the firmware on a standard Logitech Unifying receiver.

By |August 23rd, 2016|

What We Know About the Banner Health Breach

On Wednesday, August 3, 2016, Banner Health announced the first potential mega breach of 2016. 3,700,000 patients were notified that their personal health information (PHI) might have been compromised by hackers. Patients’ names, dates of birth, addresses, dates of service and social security numbers were part of the potentially compromised data. Per Banner Health’s press release, they learned that the cyberattacks might have started when hackers gained access to payment card data from cards used at various food and beverage outlets located in some Banner Health facilities. It is believed that this happened from June 23 until July 7, 2016.

By |August 19th, 2016|

Vegas Aftermath: Black Hat & DEF CON Takeaways

Black Hat

Last week marked my third year in Las Vegas for the annual “hacker conferences”: BSides Las Vegas (which I was unable to attend), DEF CON and Black Hat. Black Hat is two days of briefings, tool demos, workshops, and a very large array of security vendors. Finally, the week affectionately known as “hacker summer camp” by attendees is capped off with the largest, longest-running hacker conference in the world – DEF CON.

By |August 12th, 2016|

Protecting Information Assets with Data Loss Prevention

The modern healthcare ecosystem is all about data and what we can do with it, which is why Data Loss Prevention (DLP) tools should be on everyone’s list of priority solutions to implement. I used to say that DLP solutions paid for themselves based on their ability to control exfiltration, and therefore reduce the risk of breaches, but these solutions are becoming far more important than that. DLP tools have the ability to help users take control of information and do what is really important—manage it from cradle to grave.

By |August 8th, 2016|

NIST Drafts New Guidance

SMS Two-Factor Authentication Is No Longer Approved By NIST

This week the National Institute of Standards and Technology (NIST) released new guidance regarding SMS two-factor authentication (2FA) in its latest draft of the Digital Authentication Guideline. According to the draft, NIST says, “[out of band authentication] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.” The draft guidance from NIST doesn’t go into much detail as to why this method has been deprecated, but there are some clues in the draft, as well as numerous other reasons that have been discussed in the media.

By |August 3rd, 2016|

Pre Black Hat and DEF CON Primer

As I am writing this particular blog post, I am just eight days from flying to fabulous Las Vegas, Nevada. Why on earth would I, or anyone not required to, go to the middle of the desert during the hottest possible time of the year (the first week in August)? Because that weekend is the biggest, and oldest, hacker gathering in the world. The gathering I am talking about is the 24th annual DEF CON where more than 10,000 hackers and security geeks will descend upon the Bally’s and Paris Casinos for four days of nothing but hacking and networking (with people, not the IT sense of the word).

By |July 28th, 2016|