Read the latest blog posts by CynergisTek’s team of experts related to healthcare security, privacy and compliance. Have a topic that you would like us to cover? Email us to tell us what you are interested in.
The NotPetya attack in late June 2017 spotlighted a new attack vector that has been successful in attacking specific domains. In the summer NotPetya Ransomware attack, the attackers successfully penetrated a major software vendor and inserted the malicious code directly into a legitimate software update. The software vendor was the major supplier of financial software to many businesses in one country (Ukraine). This could be pure coincidence, or it could be an indicator that rogue actors are starting to exploit weaknesses in the supply chain.
Security of an organization’s printers and multi-function devices, as well as the data on those devices, is handled by the IT department, right? While this might be true, compliance and privacy officials should care about what is happening with these devices. It is not uncommon for these devices to have significant data storage capacities, as much as 320 GB. Imagine how many records such a device could hold, as well as the fact healthcare organization will have hundreds if not thousands such devices. Think about what gets printed in a busy clinical area or by the staff in finance or patient quality. These business units often work with large files that include the information of hundreds if not thousands of individuals. Has anyone at the organization ever evaluated the volume of records that get printed by the staff in one of these areas?
It has been almost two years since I started this incredible journey at CynergisTek and in healthcare. In that time, what I have found to be the most impressive is the amount of ongoing and constant change. Particularly, I have seen how security has changed in healthcare IT over the past few years and how as an industry we are responding to it to improve our ability to protect patient information.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) released preliminary results from Phase 2 of the HIPAA Audit Program. The data was drawn from limited scope desk audits of 166 covered entities (CE) in July 2016. OCR rated their compliance with the HIPAA Privacy, Security and Breach Notification standards as largely “inadequate,” with over 94% of the covered entities failing to demonstrate appropriate risk management plans.
In the classic movie Groundhog Day, the main character played by Bill Murray finds himself trapped reliving the exact same day over and over again. In the film, he eventually decides to make the day better, to right as many wrongs as possible eventually leading him to escape the loop. In a similar fashion, information security in general has been stuck in a Groundhog Day type of loop for at least a couple of decades, and unless we can make some changes we can expect more futility as we fight the uphill battle of information security.
Having a solid security plan is extremely important to build an effective information management program. The security plan should also include a separate disaster recovery plan for the unfortunate event of an incident. I recently sat down with Mac McMillan, Chief Strategy Officer and President of CynergisTek to discuss the differences between having a security plan and having a disaster recovery plan, as well as the current state of security.
There is consensus agreement that threats that exploit vulnerabilities in the health care cyberinfrastructure grow and evolve at a breakneck pace. Organizations that take a holistic view in developing a flexible approach to understand, manage and reduce its cybersecurity risk, will be in a better position to defend their enterprise from attack.
The increase of ransomware attacks on healthcare entities and their business associates continues to be a significant concern. While covered entities (CE) have their own issues to deal with when the attack is directly against the organization, there are additional considerations if the attack is on a business associate (BA). This issue was recently raised when there was a reported attack against a BA used by several healthcare entities. The attack was made public, which means the CEs that used the business associate were on notice of the attack.
Petya, or NotPetya as some call it, has shown itself to either be very poorly thought out ransomware, or more likely a full on destructive malware attack thinly veiled as ransomware. In essence, a “traditional” ransomware threats will encrypt specific important file types and show the user a ransom note telling them to pay or lose their data. In the last week of June, we saw something stranger, on the surface it appeared to be a modified version of a known and fairly common ransomware variant called Petya, hence the NotPetya name. However, unlike standard ransomware, where the entire purpose of it is to make money, the ransom payment and recovery mechanisms built into this new Petya variant were very weak. It relied on a single email address (that was promptly shut down) and a single Bitcoin wallet meaning there was virtually no way for the criminals to know who had paid, or which key might be the right one to unlock the data.