Educating Employees on Cyber Security: Beware the Messy Desk!

It seems so simple, but keeping a clean desk is often overlooked when talking about data security. It’s also the perfect place to start the discussion with employees.

Employees that keep a cluttered desk tend to leave USB drives and smartphones out in the open. They also often forget to physically secure their desktops and laptops so someone can’t simply walk off with them.

A messy desk also makes it more difficult to realize something is missing such as a folder with hard copy print-outs of customer lists. In addition to increasing the likelihood of something being removed, a cluttered desk means that the discovery of any theft will likely be delayed—perhaps by days or even weeks if the employee is out of the office. Such delays make it more difficult to determine who the perpetrator is and where the stolen material might now be located.


11 Common Messy Desk Mistakes to Avoid

The following list presents 11 “messy desk” mistakes employees are prone to commit and which could cause irreparable harm to the business, the employee, fellow employees, customers and business partners. These are all bad habits that employees should be educated to stop:

  1. Leaving computer screens on without password protection: Anyone passing by has easy access to all the information on the device. Be sure to lock down screen settings.
  2. Placing documents that could contain sensitive information on the desk: It’s best to keep them locked up in drawers and file cabinets.
  3. Forgetting to shred documents before they go into the trash or recycling bin: Any document may contain sensitive information; it’s best to shred everything rather than take a risk.
  4. Failing to close file cabinets: This makes it easy for someone to steal sensitive information and more difficult to realize a theft has occurred.
  5. Setting mobile phones and USB drives out in the open: They likely contain sensitive business or personal information and are easy to pick up quickly without being caught in the act.
  6. Neglecting to erase notes on whiteboards: They often display confidential information on products, new ideas and proprietary business processes.
  7. Dropping backpacks out in the open: There’s often at least one device or folder with sensitive information inside.
  8. Writing user names and passwords on slips of paper or post-its: This is especially important given that user names and passwords are typically used to log in to more than one site.
  9. Leaving behind a key to a locked drawer: This makes it easy to come back later—perhaps after hours when no one is around—and access confidential files.
  10. Displaying calendars in the open or on the screen for all to see: Calendars often contain sensitive dates and/or information about customers, prospects and/or new products.
  11. Leaving a wallet, credit cards or a security card out on the desk: This is more likely to impact the employee, but wallets may also hold corporate credit cards and security badges.
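One way to verify item 1 on a Windows workstation, as an added example that is not part of the original post: this PowerShell audit reads the screen-saver settings and the machine inactivity limit and reports whether the screen will lock within a chosen idle period. It assumes Windows 10/11 with the standard registry locations; the 15-minute limit is a constructed example value, not a figure from the post.

```powershell
# Added example: check whether this Windows workstation locks its screen after a
# short idle period. Reads the user's screen-saver values, any Group Policy
# overrides of those values, and the machine-wide inactivity limit.
# Assumes Windows 10/11 and the standard registry locations.

$MaxIdleSeconds = 900   # constructed example policy: lock within 15 minutes

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value not present
    }
}

# Per-user settings; policy values take precedence over the user's own choices.
$userKey   = 'HKCU:\Control Panel\Desktop'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

$active  = Get-RegValue $policyKey 'ScreenSaveActive'
if ($null -eq $active)  { $active  = Get-RegValue $userKey 'ScreenSaveActive' }
$secure  = Get-RegValue $policyKey 'ScreenSaverIsSecure'
if ($null -eq $secure)  { $secure  = Get-RegValue $userKey 'ScreenSaverIsSecure' }
$timeout = Get-RegValue $policyKey 'ScreenSaveTimeOut'
if ($null -eq $timeout) { $timeout = Get-RegValue $userKey 'ScreenSaveTimeOut' }

# Machine-wide limit ("Interactive logon: Machine inactivity limit"), in seconds.
$systemKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$machineLimit = Get-RegValue $systemKey 'InactivityTimeoutSecs'

# Either mechanism is enough: a password-protected screen saver that kicks in
# within the limit, or a machine inactivity limit at or below it.
$saverLocks   = ($active -eq '1') -and ($secure -eq '1') -and $timeout -and ([int]$timeout -le $MaxIdleSeconds)
$machineLocks = $machineLimit -and ([int]$machineLimit -le $MaxIdleSeconds)

$who = "$env:COMPUTERNAME\$env:USERNAME"
if ($saverLocks -or $machineLocks) {
    Write-Output "OK: $who locks within $MaxIdleSeconds seconds of inactivity"
} else {
    Write-Output "WARNING: $who may stay unlocked while unattended"
    Write-Output "  ScreenSaveActive='$active' ScreenSaverIsSecure='$secure' ScreenSaveTimeOut='$timeout'"
    Write-Output "  InactivityTimeoutSecs='$machineLimit' (limit: $MaxIdleSeconds)"
}
```

Run it under the account whose desk you are auditing, since the screen-saver values are per user; the machine inactivity limit applies to everyone who logs on.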

Of course you’re thinking – I trust my employees. Why would I need to be concerned about security of their desk area?

Trust isn’t always the issue. You have to be careful about accidental or inadvertent security vulnerabilities. For example, you sure wouldn’t want a document left on screen or on a desk pertaining to an employee review, compensation info, or termination. You wouldn’t want someone seeing a jump drive on a desk, thinking that’s the one with their project on it, and it has sensitive company information not intended for their eyes.

Sometimes it is about trust. Not all employees are as loyal as they seem. Some may be overly competitive and want to get information they shouldn’t have in order to advance in the company. Some may be planning to leave and take your customer lists with them.

The point is, if everyone keeps their own desk area clean and secure, you won’t have to worry about accidental, inadvertent, or malicious security breaches within your own company.

Next blog: Email threats!

For more information on keeping your small business secure call 678-389-6200 or contact us online.

Why You Need to Educate Your Employees on Cyber Security

When developing cybersecurity programs, many businesses focus on protecting their infrastructure perimeter and device endpoints. After all, that’s where cybercriminals usually first gain access and wreak havoc on a company’s digital assets.

But it’s also important to consider what happens when a threat bypasses perimeter defenses and targets an employee—in the form of a malicious email or text, or even a voicemail that might prompt an employee to respond with confidential company information. There’s also the possibility of an offline attack from inside the office, where an employee or an office visitor might gain access to valuable data by quickly taking something carelessly left on a desk.

According to a recent PricewaterhouseCoopers survey, 86% of business executives expressed concern about cyber threats, including a lack of data security. In addition, 100% of IT professionals recently surveyed at an SMB said they could improve their cybersecurity systems. These numbers make it clear there’s a pressing need for better cybersecurity. The issue is not going away anytime soon. If anything, it’s only getting worse.

Stronger cybersecurity has become a global priority over the last few years as hackers penetrate the IT infrastructure of governments and enterprises with increasing frequency and sophistication. According to a recent government report, How to Protect Your Networks from Ransomware, 4,000 ransomware attacks occurred per day in 2016. Furthermore, global cybercrime damages are estimated to cost $6 trillion annually by 2021, according to a 2017 Cybercrime Report by Cybersecurity Ventures. Coupled with the Internet of Things (IoT) and the explosive growth of mobile devices, the threat landscape and the potential for data leaks are even more significant.

In my next few blogs, we’ll explore the need for employees to practice strict and secure cybersecurity habits— not only to thwart digital attacks, but also to prevent someone from simply walking by their desk (in the office or at home) and picking up a device or document that contains sensitive information. We also present the key steps SMB business owners can take to educate their employees to help secure their company’s data and intellectual property.

We can’t stress enough the importance of security awareness training for internal employees. Educating them on what it takes to protect proprietary documents and data is critical. Any leaks—unintentional or intentional—could hurt the business in the form of information that assists a competitor, violates regulations, or harms the corporate image. Leaks can also hurt employees from the standpoint of personal information that might be exposed. Lastly, customers and business partners could be at risk, compromising the industry reputation of any business that does not properly protect confidential information. It only takes one incident to completely destroy any goodwill you established and built with your customer base.

Next blog: Physical Security Precautions…beware the messy desk!


IT Helps Dementia Patients

Dementia and Alzheimer’s are scary for both patients and caregivers. Right now, there is no cure. Scientists are trying to find ways of prolonging patients’ lives and delaying the onset of the disease. IT technicians are finding ways to make lives better and caring for patients easier. Some remarkable work is doing things for these individuals that have never been seen or done before.


First, A Word About The Disease

According to Alzheimer’s International, nearly 44 million people worldwide have Alzheimer’s or related dementia. More than 5 million Americans are living with it, and between 2017 and 2025 every state is expected to see at least a 14% rise in the prevalence of Alzheimer’s. Those statistics are startling, especially since Alzheimer’s disease is irreversible.

Accounting for around 70 percent of dementia cases, Alzheimer’s disease is the most common cause of dementia, a group of brain disorders that result in the loss of intellectual and social skills. These changes are severe enough to interfere with day-to-day life. It progressively destroys the brain and ruins memory and thinking skills, and eventually the ability to carry out the simplest tasks.

A Few Other Statistics

  • In 2017, Alzheimer’s cost the United States $259 billion.
  • By 2050, costs associated with dementia could be as much as $1.1 trillion.
  • The global cost of Alzheimer’s and dementia is estimated to be $605 billion.
  • Alzheimer’s is the 6th leading cause of death in the United States.
  • Between 2017 and 2025 every state is expected to see at least a 14% rise in the prevalence of Alzheimer’s.
  • By 2050, it’s estimated there will be as many as 16 million Americans living with Alzheimer’s.
  • Every 66 seconds someone in the United States develops Alzheimer’s.
  • 1 in 3 seniors dies with some form of dementia.

Technology at its Finest

Because of these sad stats and high numbers, IT experts have come up with some amazing devices that use modern technology to aid in the care of people suffering from memory problems. Here’s a look at a few of the latest innovations.

Clocks

Clocks designed specifically for those with Alzheimer’s and dementia can help ease the stress associated with day-to-day life. Someone who has dementia may confuse night and day, so an easy-to-read clock can help them better tell the time.

Medication Management

Medication management technology has produced high-tech automated pill dispensers that beep and open to remind caregivers and those with dementia to take their medicine. Vibrating watch alarms have also been designed to remind the wearer when it’s time for a pill. This technology serves the busy caregiver well by helping them not to forget medication time as well.

Video Monitoring

Video monitoring technology supports both care recipient and caregiver by allowing both people more freedom. The patient doesn’t feel watched constantly because loved ones can spend a little time away, and loved ones get the comfort of being able to see their family even when they’re not in the same house.

GPS Location and Tracking Devices

People with Alzheimer’s or dementia may wander. Tracking devices can be worn by the person in some way and have alert systems that let a caregiver know if their loved one has left a certain area. This type of technology can also alert emergency personnel to aid in a quick recovery.

Picture Phones

Picture phones are specifically designed for people who cannot remember phone numbers. These phones have large numbers and are pre-programmable with frequently called phone numbers. Some of the phones come with clear buttons where photos can be placed so that the person can just push the button associated with the photos to call their loved one quickly.

Electrical Use Monitoring

This device monitors a patient’s use of electrical appliances. It plugs into a wall outlet or power strip and will alert caregivers if their commonly used appliances have not been turned on or off.

Wearable Cameras

Wearable cameras and augmented reality glasses could be the next big thing in helping patients. These devices can take hundreds of pictures every day from the user’s point of view logging their lives in this way.

A Village of Care

In Kitchener, Ontario, something wonderful is happening. Facilities have been designed to be less institutional-looking, friendlier and homier. “Schlegel Villages” is one of the first of its kind and is improving the quality of life for the people that live there.

One problem they deal with though is when at-risk seniors become confused and attempt to leave. According to Schlegel’s IT director, Chris Carde, “Some seniors with certain types of mental illness can remember the door-lock code to get out but can’t remember anything else. A confused senior wandering out into a southern Ontario winter can be a serious, even fatal, incident”.

Schlegel Villages is also implementing an e-health system to replace paper charts at its care facilities. Carde states, “Nurses would have to write down a patient’s vital signs, then enter them into a desktop computer some distance away. The new system, which will use iPads and iPad minis to enter health information directly into the database, is being greeted warmly by clinicians”.

Thinking Outside of the Box

A German senior center applied the idea of using fake bus stops to keep Alzheimer’s disease patients from wandering off. Because their long-term memory still works even though their short-term memory does not, they know what the bus stop sign means, and they stop. It has been a huge success in Germany, and now there are plans to bring it to several clinics in North America.

A Final Word

Thanks to these researchers and IT innovators, the future is much brighter for patients with memory diseases and their families and care providers. This is just the beginning when it comes to making life easier. Information Technology has only just begun to scratch the surface of what can be done to help in the fight against dementia and Alzheimer’s.

October 16th Is Steve Jobs Day

Steve Jobs Day Sheds Light On Apple Founder’s Legacy

In today’s modern world, the name “Apple” has become synonymous with technology. It’s no wonder then that Steve Jobs, the company’s late co-founder, has become such an influential figure in American history. His contributions are well documented in motion pictures, books and an authorized biography.

Steve Jobs Day

October 16 is known as Steve Jobs Day, which was declared in 2011 by the Governor of California. The day brings forth the opportunity to reflect on the life of the famed innovator and how his contributions have helped advance the human race. From iPhones to iPads and every single app in between, one could argue that humanity would not be as technologically savvy without the work of Steve Jobs.

In August of this year, Apple achieved what no other company in history has done. It became the first publicly traded U.S. company to reach $1 trillion. Not only is this historic in terms of branding, but it brings to light the incredible ingenuity the company has displayed throughout the years. Along with his partner Steve Wozniak, Jobs’ innovations have helped solidify an incredible legacy likely to stand the test of time.

The Early Years

Jobs grew up in the San Francisco Bay Area in the 1960s. By the age of 10, he had developed a fascination with electronics, likely due in large part to time spent with his father building crafts. This hobby paved the way for Jobs’ establishment of Apple in 1976, along with his co-founder Steve Wozniak.

Jobs sat at the helm of Apple’s operations until 1985, when he broke ties with the company and established NeXT computers. Apple later purchased NeXT and paved the way for Jobs’ return to the company in 1997.

Apple Computers

While Jobs can’t be credited with inventing the first computer, his founding of Apple paved the way for its widespread use. The computers that came before Apple were expensive and typically used only for business purposes. The introduction of the Apple II, the brainchild of Jobs and Steve Wozniak, changed this concept forever. Marketed as the world’s first mass-market personal computer, the Apple II meant users could now access the technology from the privacy of their own homes.

More than two decades later, in 1998, Apple released the iMac, an all-in-one computer. One of Apple’s lesser-known inventions is the iBook, which was introduced in 1999. The laptop came equipped with Wi-Fi technology and a few upgrades to its design. People today may remember it for its tangerine and blueberry color options and clamshell design.

The Apple iPad, introduced in 2010, has made the Internet even more accessible. This tablet computer was built more for entertainment than previous devices, making it a staple in many households, utilized by children and adults alike. The product was deemed so successful that Apple sold more than 15 million of these devices in its first year.

The iPhone

Of all Apple’s products, none is as influential in the tech world as the iPhone. Apple’s introduction of the iPhone marked a paradigm shift for the traditional mobile phone. Apple’s version, like the majority of its most revolutionary products, boasted a sleek, simple design that helped further uncomplicate technology for the masses.

Introduced in 2007, the phone has undergone a radical series of redesigns over the years, each year presenting more opportunities for productivity than the last. Prior to the invention of the iPhone, mobile phones were used primarily for chatting and emailing. Today’s version is utilized for web-surfing, FaceTiming, social media and an endless stream of apps available for download at users’ fingertips. Frequent updates and new designs ensure Apple users are getting the best product possible, which has helped the brand amass its own population of loyal followers.

The iPod

One of Apple’s most significant inventions to date remains the iPod. While mp3 players had been on the market for several years, Apple’s version was seen by many as far superior, and so it began to dominate the market. Able to store thousands of songs, the iPod grew in success with the help of other products, such as Apple iTunes, which was released in 2001. The new technology allowed users to organize their digital library on both their personal computer and through their devices. The iTunes Music Store went live in 2003.

Not all of Jobs’ best inventions were technological. The innovator is also credited with inventing the world’s first glass staircase. The design, which was awarded a patent in 2002, has been used across some of Apple’s flagship stores and has since been adopted, in some sense, by both commercial and residential properties the world over.

Steve Jobs Day is a day designated for honoring the Jobs legacy, but his impact is seen daily, in the hands of millions. While Apple, as a company, has certainly carried on without him, Jobs is one innovator unlikely to ever be forgotten.

Google Shutting Down Google+

Google+ Social Media App Will Soon Move Off Into The Sunset

Google+ has never really been a popular social media network. In fact, most people say they’ve never used it and don’t know how it works. So it’s not too surprising to hear that Google has finally decided to pull the plug.

Google+ Shut Down

Google just announced a ten-month sunsetting period, which begins now and will end in August of 2019.

Besides the site simply not being popular, Google has had serious security issues. Project Strobe discovered a bug in Google+ that may have leaked the personal information of thousands of users. Though Google says the vulnerability was not discovered by hackers and that no profiles were compromised, their senior executives felt that rumors of a breach would likely trigger “immediate regulatory interest.” So they simply didn’t tell anyone.

Other Social Media Data Breaches

For several years, Facebook has been under scrutiny for allowing the data firm Cambridge Analytica to access their user information. This data was in turn used to create targeted social media ads that eventually swayed the presidential election of 2016. Since that incident, Americans have become much more aware of the effects and dangers of data breaches and social media manipulation.

Given the fact that almost no one was using the Google+ app and the high risk for potential data leaks, Google execs said they simply felt that it was best to discontinue Google+. Users will have 10 months to migrate their data before the platform is officially dissolved in August of next year. However, the company has decided to continue supporting the Enterprise version of Google+ so businesses using that app will not be affected.

More About the Google+ Security Breach

Last March, Google discovered a privacy breach, which allowed third-party apps using their programming interface to access the personal data of users. This data includes usernames, addresses, email addresses, birth dates and other bits of personal information.

The Wall Street Journal reported some details about the security breach and said that Google executives had been informed about the breach soon after it occurred. These executives made the decision not to disclose the breach to its users for fear of tarnishing their reputation.

Reporting Security Breaches

In a blog post, Google said that it decides when and if the organization should notify users of data breaches. They take into consideration the type of data that was leaked, whether there’s evidence of misuse and whether there’s anything that users can do about it.

According to security breach laws, any organization that experiences a data breach must inform those affected. And they only have a specific amount of time to do so. This varies by state but there are severe penalties for not correctly reporting a security breach.

Executives at Google say that the gap has been fixed and that users do not need to worry about any further data leaks. However, there is ample evidence that Google did not follow the law once they learned of the data breach. This can result not only in penalties from the federal government but also users can file individual lawsuits if they believe their personal info has been compromised.

How Data Breach Laws Are Changing

With the new European Union GDPR (General Data Protection Regulation), more countries and organizations are implementing stronger security measures. The GDPR affects anyone who does business with an entity that resides within the European Union. This has caused many business owners to revamp the way they collect and store personal information from their users.

Once a company has collected an individual’s personal information, they have a legal responsibility to keep that data as secure as possible. In spite of these advances in data security regulations, hackers seem to be one step ahead. Their tactics change, improve and evolve making it necessary for all organizations to be more cautious.

Senate and House Committees Get Involved

This past year, many social media and technology companies have come under scrutiny due to their data and privacy practices. Executives from Twitter, Facebook and Google have testified before various Senate and House committees. Under fire are their security measures, but also their political biases. The government is considering types of regulations that would prevent these companies from meddling in important things like the elections.

Now that everyone is fully aware of how easy it is to sway voters in one direction or the other, there is a very real fear that future elections may be manipulated by these companies. They not only have the knowledge, but they have the resources to influence the way people vote. And this ability holds within it a great deal of potential power to change our society in ways that can only be speculated about at the moment.

What Should Google+ Users Do?

In the meantime, if you are a Google+ user, it’s best to go ahead and make copies of any content you have on the site, then delete your account. Once it has been deleted, you’ll no longer have to worry about losing it to hackers who have found yet another weakness in the site’s security protocols.

What Employees Need To Know About Phishing Attacks

Phishing is just one of many tools in a hacker’s repertoire and happens to be one of their most effective.  Through phishing, hackers dangle their bait in front of preoccupied employees who would never dream that their PC could provide an open door for a hacker.  That’s why it is so important that employees understand how phishing works, how costly it can be, and what they can do to avoid letting themselves become an unwitting accomplice to a hacker’s attack on their company.


The Nature of Phishing

Phishing involves a malicious entity that sends out emails that look like they are from reputable, well-known companies (maybe even the employee’s own employer) – but these emails are not what they seem.

Sometimes the purpose of a phishing email is to trick the recipient into revealing information such as logins, passwords, or personal information. Other times, phishing emails are used to install malware on the recipient’s computer. Once the hacker behind the phishing attack has succeeded in infiltrating the target system via login information or malware, the damage they cause quickly escalates.

Phishing Can Be Very Costly

So how expensive can phishing be?  Well, consider what happened to a bank in Virginia that fell victim to two phishing attacks in just eight months. Their disaster began when an employee received and opened a phishing email which succeeded in installing malware on company computers.  The malware was able to use the victim’s computer to access the STAR Network, a site used to handle debit card transactions.  Through the STAR Network, the hackers behind the malware were able to steal $569,000 in that one incident alone.

But that wasn’t the end of the matter.  Eight months later, even after hiring a cybersecurity forensics firm and following their advice to better secure their system, the same bank was victimized again through another phishing email.  This time, the hackers again gained access to the STAR Network, but then used the bank’s Navigator system.  Through those systems combined, the hackers were able to credit money to various bank accounts and then withdraw the money using hundreds of different ATMs.  Losses from this incident amounted to almost $2 million.

To make matters even worse, the bank’s cyber insurance provider denied coverage and the bank is now forced to pursue a lawsuit to recover their losses.

The Very Real Dangers Of Phishing Attacks

Phishing wouldn’t be so effective if it wasn’t so easy for busy employees to fall victim to seemingly legitimate emails or innocent-looking attachments.  The malware that was used to initiate the first attack on the bank discussed in this article was embedded in a Microsoft Word document.  Most of us have worked with thousands of Word documents during our careers and have never been victimized by one – but it only takes one time to cost a business millions of dollars.

In this case, once that document was opened, the malware was installed and the group behind it had access to what they needed. The bank in question hired Verizon to investigate both incidents. It was finally determined that the same group of Russian hackers was likely responsible for both attacks.

Common Sense Required

Even the most powerful of cyber security systems is still susceptible to attacks that take the form of phishing or social engineering. As long as people continue to subscribe to the view that firewalls, anti-virus, and anti-malware systems provide all the protection against cyberattacks that a company needs, then successful phishing attacks will continue. Education is one of the forgotten keys to foiling phishing attacks.

Employees need to be taught how to recognize a suspicious email and be given real-world examples of how convincing phishing emails can appear.  They need to be encouraged to view both emails and attachments with a critical eye.  Employees must also understand that, under no circumstances, is there a legitimate reason for someone to ask for their password.

Another aspect of this type of education is making sure that people realize that the targets of phishing are not only C-suite executives or IT technicians, but employees at all levels. Through a connection to the company’s network, any employee’s computer could serve as a launching pad for an industrious hacker’s plan of attack.

Conclusion

Phishing attacks are a reality that must be addressed if a company wants to avoid becoming a victim. These attacks often result in very expensive losses that may not be covered by insurance. While the importance of a rigorous cyber security system cannot be overstated, neither can the importance of employee education. Too many employees have unwittingly become accomplices in costly cyberattacks because they didn’t recognize a phishing email and never thought they could be the target of one. The first line of defense against phishing isn’t a network firewall, but a trained employee who knows how to recognize a suspicious email or a questionable attachment.

Ransomware- The Rise of Cyber Extortion in Healthcare


Today, it’s almost impossible to say the word “malware” without talking about ransomware. It is one of the most common and destructive forms of malware online today. Thieves take over your computer systems and hold your files hostage until you pay the ransom. Even if you decide to pay up, there is no guarantee you’ll get your files back or what condition they’ll be in. Nowhere is this cybercrime easier to see than in the healthcare industry, which continues to endure waves of the attacks.

While only 30 ransomware breaches in healthcare were reported in 2016, the number more than doubled to 64 the following year, according to a study by Protenus and Databreaches.net. The attacks are having a significant impact. Four of the five largest data breaches reported to the Office for Civil Rights (OCR) in 2017 were attributed to ransomware.

The jump in reports may be partially in response to new guidelines published by the OCR in July 2017. The document, released after a rash of attacks, clarified the OCR’s position that ransomware infections that encrypt protected health information (PHI) are presumed a HIPAA violation and must be reported – unless the victim can prove otherwise.

Of course, the jump may also be driven by a genuine increase in ransomware attacks, which was seen across many industries. A 59% increase in ransomware was observed year over year in 2017, according to McAfee Labs’ March 2018 Threat Report.

In study after study, researchers find ransomware to dominate the malware infections found in healthcare. More than 70% of malware-based security incidents involving PHI were attributed to ransomware in a Verizon report. That’s ten times the number attributed to the second most common type, RAM scrapers, which were found in just 7% of the incidents.

Examples of Cyber Extortion

Cyber extortion is a growing trend, according to the OCR’s Jan. 2018 Cybersecurity Newsletter. The department predicts the threat “will continue to be a major source of disruption for many organizations.”

Ransomware is not the only form, however; other types of cyber extortion have cropped up. They include the use of distributed denial of service (DDoS) attacks, in which an attacker renders network systems unreachable to their intended users and then demands payment to end the flood of online traffic. Another type cited in the newsletter is perhaps the simplest of all: an attacker steals sensitive data and threatens to publish or sell it unless payment is made.

Many varieties of cyber extortion are likely to emerge in the coming years as malicious outsiders continue looking for new ways to turn malware and hacking skills into profit.

What Can You Do About It?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

Consequences of a Data Breach

Data breaches reveal the personal information of millions of Americans each year. In healthcare, the trend causes even greater concern due to the nature of the data. The consequences of a data breach are costly to healthcare providers, and more importantly, damaging to the victims.

Here is a sample of developments in this area during the start of 2018:

All 50 States Require Breach Notification

On May 1, the Alabama Data Breach Notification Law of 2018 came into effect, making Alabama the final U.S. state to enact such legislation. The law requires notification of affected individuals within 45 days of a breach’s discovery, 15 days sooner than HIPAA’s 60-day limit. Failure to comply with the notification requirements can result in a penalty of up to $5,000 per day of violation.

CT Residents Can Sue for Medical Data Breach

The Connecticut Supreme Court unanimously ruled in January that residents can sue healthcare providers for damages when negligent disclosure of their medical records results in harm. The state joins Massachusetts, Missouri, and New York in allowing such lawsuits, a remedy that HIPAA itself does not provide.

States Looking to Cut Notification Window

A bill to amend Colorado’s data breach notification laws is advancing through the state legislature (not passed as of May 14, 2018). Among other changes, the bill would require organizations to notify individuals affected by a data breach within 30 days of discovery.

Massachusetts Launches Breach Portal

Perhaps following the lead of OCR’s infamous HIPAA Breach Portal, Massachusetts launched a web portal in February through which organizations submit breach notifications. The portal is expected later to publish information on reported breaches, including the organization breached, when the breach occurred, and the number of people affected.

Email: The Gateway to Cyber Attacks

Many cyber attacks that are attributed to “hacking” or “malware” first enter the organization through an old, reliable channel: email.

Email is a door into the network. With a cleverly crafted message, attackers can convince employees to install malware, hand over access credentials, or take any number of other actions that open an entry point for a larger attack. Staff members thus become unwitting accomplices who help the attack succeed. The mistake takes only a few seconds of inattention and can spark a data breach that harms the organization for years. In some environments, a single mistake by a single employee is enough to give attackers a foothold.

Going Phishing

When we talk about email as a vessel for hacking or malware, we are referring to an attack called “phishing,” in which an attacker poses as a trustworthy individual or institution in an attempt to acquire sensitive information. Email-based cyber attacks are very common and are growing more sophisticated. Broad-scale phishing emails, which are often easier to spot, are giving way to targeted spear-phishing emails, which are closely tailored to the recipient and far more convincing.

More than two-thirds (69%) of health IT professionals surveyed said their organizations experienced a spear phishing attack in the last 12 months, according to the Ponemon report. This happens almost exclusively through email, though in rare cases it occurs over the phone. When asked to consider their organization’s most recent major security incident, 62% of healthcare information security professionals said email was the initial point of compromise, according to the HIMSS report. This was far beyond any other channel mentioned (“other” was second at 13% and “don’t know” was third at 12%).

Most often, malicious emails attempt to trick recipients into opening a malware attachment, clicking to visit a malicious website, or clicking to open a phony web form. However, the channel can also be used to leak or steal sensitive data directly. An attacker may convince an employee to reply to an email with access credentials or other sensitive information. Also, employees can accidentally email patient data to the wrong person (a.k.a. “misdelivery”).
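The tells described above (a look-alike sender domain, a Reply-To that diverts replies elsewhere, and a link whose visible text hides its real destination) can be checked mechanically before anyone acts on a message. The following Python script is an added example and is not part of the original article; the trusted-domain list, the homoglyph substitution table, and the two sample messages are constructed for illustration.

```python
"""Triage checks for a suspected phishing e-mail (added example, not from the original page)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this hypothetical practice treats as legitimate senders (an assumption).
TRUSTED_DOMAINS = {"examplehealth.org", "examplebank.com"}

# Visual substitutions commonly used in look-alike domains (a subset; extend as needed).
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def domain_of(address: str) -> str:
    """Lower-cased domain of an e-mail address, or '' if it cannot be parsed."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(host.lower().split(".")[-2:])


def normalize(domain: str) -> str:
    """Undo common homoglyph swaps so 'examp1ehealth' compares equal to 'examplehealth'."""
    d = domain.lower()
    for bad, good in SUBSTITUTIONS:
        d = d.replace(bad, good)
    return d


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    if not domain or registered_domain(domain) in TRUSTED_DOMAINS:
        return None
    normalized = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        # Either the registrable part is a homoglyph of a trusted name, or the trusted
        # name is buried as a sub-label (examplehealth.org.login-portal.example).
        if normalize(registered_domain(domain)) == trusted or (trusted + ".") in normalized:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message: str) -> list:
    """Return human-readable red flags for one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = domain_of(msg.get("From", ""))
    hit = lookalike_of(from_domain)
    if hit:
        findings.append(f"sender domain {from_domain} imitates {hit}")

    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and registered_domain(reply_domain) != registered_domain(from_domain):
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            # Only compare when the visible text itself looks like a URL or host name.
            if "." in text and " " not in text:
                shown = urlparse(text if "://" in text else "//" + text).hostname or ""
                if shown and registered_domain(shown) != registered_domain(href_host):
                    findings.append(f"link text shows {shown.lower()} but points to {href_host}")
            hit = lookalike_of(href_host)
            if hit:
                findings.append(f"link host {href_host} imitates {hit}")
    return findings


# Constructed sample messages (not real mail).
SUSPECT = """\
From: "Example Health IT Support" <helpdesk@examp1ehealth.org>
Reply-To: helpdesk@mail-recovery.example
To: nurse@examplehealth.org
Subject: Action required: your password expires today
Content-Type: text/html

<p>Sign in at <a href="http://examp1ehealth.org.login-portal.example/">https://portal.examplehealth.org</a>
before 5 pm or your account will be locked.</p>
"""

BENIGN = """\
From: "Example Health IT Support" <helpdesk@examplehealth.org>
To: nurse@examplehealth.org
Subject: Maintenance window
Content-Type: text/html

<p>See <a href="https://portal.examplehealth.org/status">the status page</a>.</p>
"""

if __name__ == "__main__":
    for flag in analyze(SUSPECT):
        print("SUSPECT:", flag)
    print("BENIGN:", analyze(BENIGN))
```

These checks are heuristics to sit beside, not replace, SPF/DKIM/DMARC enforcement at the gateway. The two-label `registered_domain` guess is wrong for suffixes such as `.co.uk`; a production version should consult a public-suffix list.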

Email is the top location for data breaches reported to OCR from Jan. 1 to May 15, 2018, accounting for 25% of the total during the period.

Email is also the top location for data breaches reported to OCR in 2017, accounting for 23% of the total and impacting 11% of all affected individuals.

Is Your Practice Vulnerable to a Cyber Security Breach?

It is a common misconception that small businesses and small medical practices are immune to cyber attacks, the reasoning being that they pale in comparison to large corporations, so there is little appeal in stealing their data. This is not the case. Large corporations tend to have tighter security measures, and cyber thieves know they can more easily obtain confidential data from small practices whose security has many gaps.

Vulnerabilities are a permanent part of the cyber security landscape. As long as healthcare organizations rely on computer hardware and software, security flaws will be found and exploited. The vast majority of vulnerabilities (99%) leveraged in cyber attacks are publicly known beforehand. This fact should ring alarms for every healthcare IT professional: most successful attacks exploit flaws that defenders could already have known about.

Exploits of known vulnerabilities (share of respondents in the Ponemon report):

  • 71% experienced a security incident attributed to an exploit of a software vulnerability more than three months old.
  • 66% experienced an incident attributed to a vulnerability less than three months old. This was the third most common driver of security incidents found.

Zero-day vulnerabilities – those that are not publicly known before they are exploited in an attack – are rare. They make great headlines, but they are expected to play a role in less than 0.1% of cyber attacks through 2020. However, 48% of IT security professionals surveyed said their organization experienced a zero-day attack in the last 12 months, according to the same Ponemon report.

Vulnerabilities vs. Reality

Resource constraints contribute to vulnerability problems. For example, an MRI machine can cost up to $3 million. Such devices are often network-enabled and paired with a control PC. If a vulnerability is discovered in the machine and no patch exists, the organization will likely tolerate the flaw, mitigating or simply ignoring it, for a long time before the system is replaced. The burden falls on the IT staff to “make it work,” perhaps by isolating the system on the network and tightening access controls.

However, even these mitigations can encounter constraints. Medical environments – and hospitals in particular – rely on fast and easy access to data to improve patient outcomes. This can pressure IT departments to “loosen” security controls and ease constraints, potentially elevating the risk of data breach.

These factors and others help to explain why healthcare organizations continue to rely on outdated systems known to have severe security flaws. According to a July 2017 survey of 305 healthcare IT professionals in the UK and US by Infoblox:

  • 22% have systems running Windows 7, which was originally released in 2009. Windows 10 was released in 2015.
  • 20% have systems running Windows XP, which reached end-of-life and stopped receiving routine patches in 2014.

Medical Device Security

Vulnerabilities discovered in medical devices – such as CT scanners, pacemakers, and drug infusion pumps – are a growing concern to healthcare professionals, and even lawmakers.

More than half (55%) of health IT security professionals said medical device security is not part of their overall cyber security strategy, according to the Ponemon study. When asked to select their greatest concern with medical device security, 39% of healthcare IT security professionals cited patient safety.

While some devices can be updated or replaced, this is not always the case. In the Infoblox survey, 15% of healthcare IT professionals said they either cannot update these systems or are unsure if they can.

Misconfiguration

Misconfiguration can open a security flaw in even the most rock-solid systems. This can cause major data leaks, especially when the system is a public-facing database. On Jan. 25, 2018, a security researcher discovered a database owned by a Long Island medical practice had been misconfigured and left publicly available. This revealed the medical information of more than 42,000 patients, including more than 3 million “medical notes” such as a doctor’s observations. Accessing the information required only knowing the server’s IP address.

In March 2018, a nonprofit healthcare conglomerate based in St. Louis notified 33,420 patients affected by a data leak caused by a server misconfiguration. The leak publicly exposed scanned images of patient driver’s licenses, insurance cards, and medical documents.
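Both incidents above share one root cause: a data store reachable from the internet without authentication. A first check on any server is to list which services are bound to a wildcard address rather than to localhost or an internal interface. The following Python script is an added example, not code from the article or from the organizations involved; it parses `ss -ltn` output (the sample rows are constructed) and flags well-known database ports bound to `0.0.0.0` or `::`. The port table is an assumption to adjust for the services actually in use.

```python
"""Flag database listeners bound to all interfaces in `ss -ltn` output (added example)."""
import sys

# Well-known data-store ports (an assumption; edit to match the services you run).
DATABASE_PORTS = {
    27017: "MongoDB",
    9200: "Elasticsearch",
    5432: "PostgreSQL",
    3306: "MySQL/MariaDB",
    6379: "Redis",
    1433: "MS SQL Server",
    5984: "CouchDB",
}

# Addresses that mean "every interface" in ss output (IPv4, legacy '*', and IPv6).
WILDCARD_ADDRESSES = {"0.0.0.0", "*", "::", "[::]"}


def parse_ss_line(line: str):
    """Return (local address, port) for one `ss -ltn` data row, or None for the header/blank lines."""
    fields = line.split()
    # Rows look like: LISTEN 0 128 0.0.0.0:27017 0.0.0.0:*
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    return addr, int(port)


def exposed_databases(ss_output: str) -> list:
    """List (service, address, port) for database ports bound to a wildcard address."""
    exposed = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        addr, port = parsed
        # Drop an interface scope such as '%eth0' on link-local IPv6 addresses.
        addr = addr.split("%")[0]
        if port in DATABASE_PORTS and addr in WILDCARD_ADDRESSES:
            exposed.append((DATABASE_PORTS[port], addr, port))
    return exposed


# Constructed sample in the layout `ss -ltn` prints (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     0.0.0.0:27017        0.0.0.0:*
LISTEN  0       4096    [::]:9200            [::]:*
LISTEN  0       128     [::1]:6379           [::]:*
"""

if __name__ == "__main__":
    # Usage: ss -ltn | python3 exposed_listeners.py   (falls back to the sample on a terminal)
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for service, addr, port in exposed_databases(text):
        print(f"{service} is listening on {addr}:{port} (all interfaces)")
```

A wildcard bind is only an exposure if nothing in front of the host filters the port, and a loopback bind can still leak through a misconfigured reverse proxy, so treat the output as a prompt to verify three things for each hit: that authentication is actually enabled on the service, that it is bound to an internal address, and that the network or host firewall blocks the port from the outside.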

Spectre and Meltdown

On Jan. 3, 2018, security researchers disclosed two security vulnerabilities present in billions of systems worldwide. Known as Spectre and Meltdown, they are among the most widespread data security flaws ever discovered. In short, the flaws stem from the way most modern processors speculatively execute instructions ahead of time. When exploited, they allow an attacker to bypass memory access controls and read data that should be off limits, including kernel memory and the memory of other applications.
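On Linux, the kernel reports whether the running system is mitigated against each of these flaws through one file per flaw under /sys/devices/system/cpu/vulnerabilities (introduced in early 2018 alongside the Meltdown fixes). The following Python snippet is an added example, not from the article; it classifies those status strings and lists the flaws that still need attention. The SAMPLE_STATUS dictionary is constructed to resemble the kernel's format and is not captured from a real machine.

```python
"""Summarise the kernel's speculative-execution mitigation status (added example)."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status: str) -> str:
    """Map one sysfs status string to a coarse verdict.

    The kernel writes 'Not affected', 'Mitigation: <technique>' or 'Vulnerable[: details]';
    anything else (e.g. newer 'Unknown: ...' strings) is reported as unknown.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(statuses: dict) -> dict:
    """statuses maps a flaw name (the sysfs file name) to that file's content."""
    return {name: classify(text) for name, text in sorted(statuses.items())}


def needs_attention(statuses: dict) -> list:
    """Flaw names whose status is vulnerable or unrecognised, in sorted order."""
    return [name for name, verdict in summarize(statuses).items() if verdict in ("vulnerable", "unknown")]


def read_live(directory: Path = SYSFS_DIR) -> dict:
    """Read the real sysfs directory; empty on non-Linux hosts or kernels that predate it."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


# Constructed sample modelled on the kernel's output format (not from a real host).
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Retpoline without IBPB\n",
    "spec_store_bypass": "Not affected\n",
}

if __name__ == "__main__":
    live = read_live() or SAMPLE_STATUS
    for name, verdict in summarize(live).items():
        print(f"{name:20s} {verdict:13s} {live[name].strip()}")
    print("needs attention:", needs_attention(live) or "none")
```

Run it on every host in the fleet, not just the internet-facing ones: the "Mitigation:" line names the technique the kernel applied (PTI, retpoline, and so on), and some techniques also depend on updated CPU microcode, so compare the reported technique against the vendor's guidance rather than treating any "Mitigation:" line as final.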
