Ransomware- The Rise of Cyber Extortion in Healthcare

mPoweredIT_Enforce Managed Security_Hacker

Today, it’s almost impossible to say the word “malware” without talking about ransomware. It is one of the most common and destructive forms of malware online today. Thieves take over your computer systems and hold your files hostage until you pay the ransom. Even if you decide to pay up, there is no guarantee you’ll get your files back or what condition they’ll be in. Nowhere is this cybercrime easier to see than in the healthcare industry, which continues to endure waves of the attacks.

While only 30 ransomware breaches in healthcare were reported in 2016, the number more than doubled to 64 the following year, according to a study by Protenus and Databreaches.net. The attacks are having a significant impact. Four of the five largest data breaches reported to the Office for Civil Rights (OCR) in 2017 were attributed to ransomware.

The jump in reports may be partially in response to new guidelines published by the OCR in July 2017. The document, released after a rash of attacks, clarified the OCR’s position that ransomware infections that encrypt protected health information (PHI) are presumed a HIPAA violation and must be reported – unless the victim can prove otherwise.

Of course, the jump may also be driven by a genuine increase in ransomware attacks, which was seen across many industries. A 59% increase in ransomware was observed year over year in 2017, according to McAfee Labs’ March 2018 Threat Report.

In study after study, researchers find ransomware to dominate the malware infections found in healthcare. More than 70% of malware-based security incidents involving PHI were attributed to ransomware in a Verizon report. That’s ten-times the number attributed to the second most-common type, RAM scrapers, which were found in just 7% of the incidents.

Examples of Cyber Extortion

Cyber extortion is a growing tend according to the OCR’s Jan. 2018 Cybersecurity Newsletter. The department predicts the threat “will continue to be a major source of disruption for many organizations.”

However, other types of cyber extortion have cropped up. They include the use of distributed denial of service (DDoS) attacks. This is when an attacker will render network systems unreachable to intended users, and then demand payment to end the flood of online traffic. Another type cited in the newsletter is perhaps the simplest of all. It occurs when an attacker steals sensitive data and threatens to publish or sell it unless payment is made.

Many varieties of cyber extortion are likely to emerge in the coming years as malicious outsiders continue looking for new ways to turn malware and hacking skills into profit.

What Can You Do About It?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

Healthcare Hacking & Malware – Targeting Patient Medical Records

Healthcare hacking and malware is big business for bad guys. Cyber criminals are launching attacks against healthcare networks every single day. Healthcare hacking and malware is generally done by “malicious outsiders” rather than rogue employees. The motivation is almost always money.

 

Hackers Are Drawn to Data

Why do hackers target the healthcare industry? Many speculate one reason is the value of the data stored by hospitals, care providers, and other medical offices. When asked the types of information they believe hackers are most interested in, more than half of healthcare IT professionals surveyed pointed to the following three types:

  • Patient medical records: 77%
  • Patient billing information: 56%
  • Login credentials: 54%

Patient medical records remain a profitable commodity on the dark web. Criminals can use the records to conduct medical fraud schemes – collecting payments from public services such as Medicaid and Medicare – and can go undiscovered for years.

Patient billing information – including credit card numbers – is also valuable to data thieves and can be used for fraudulent transactions.

However, the lifespan of such schemes is often far shorter than medical-related ones. The payment card industry is far more efficient in detecting and blocking fraudulent transactions than government regulators in the medical field. This may partly explain why more healthcare IT professionals say hackers are targeting medical records.

Login credentials, of course, are often targeted to gain access to additional systems storing valuable data. Other types of data – such as clinical research, email content, and employee information – can also be targeted, though fewer respondents cited them than the three data types mentioned above.

The use of stolen credentials was found in nearly half (49%) of all healthcare security incidents attributed to “hacking” in the Verizon 2018 Protected Health Information Data Breach Report.

What can you do about it?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

When you need IT problems fixed yesterday

IT service issues

One of the biggest complaints I hear from businesses who use Managed Services Providers is the lack of urgency when something goes wrong. It can take hours to get a response after submitting a ticket, and then the fix can take days. Most companies are pretty happy with their MSP – until they submit that first ticket with a time-sensitive issue!

When something goes wrong, you want it fixed yesterday!

We actually do that. We monitor our clients’ systems and fix potential issues before they become a problem. So essentially, what would have been a problem today was fixed yesterday. Can your provider do that?

Now we’re not saying issues never arise – they occasionally do. And while no MSP can promise to solve every issue in a matter of minutes, we understand the urgency to get it fixed and act accordingly. At mPowered IT, we strive to respond to every ticket within 15 minutes. From there we quickly evaluate the “crisis level”, prioritize it, and give you an estimate of when the problem can be resolved.

What’s not fixed yesterday, we jump on today, and address the issue as soon as humanly possible!

 

Top 5 Security Cyber Security Threats to Your Small Business

I hate to say it, but the bad guys are getting really good at taking advantage of businesses, and they’re making a mind-boggling amount of money off it. So, it’s not going to slow down, it’s just going to escalate. I want to let you know what the biggest cyber threats are, according to Webroot’s 2018 Cyber Threat Report, so you can make sure you’re not one of their statistics.

1. Phishing – Employees are taking the bait!

Phishing scams used to be almost laughably obvious – a Nigerian prince wanted to send you money! But now these scams are so cleverly disguised, it takes an eagle eye to spot one. It’s very easy for your employees to innocently click on what appears to be a legitimate link and open your business to thieves. Today’s phishing scams are more likely to be via email from what appears to be a company you already do business with. Employees need to be trained to never provide info or click links unless they’re absolutely sure they’re from a legitimate source. Talk to us about our Security Awareness Training.

2. Static Malware is history. Polymorphism is the new threat. 

Static lists were once the preferred method of keeping known malicious files from being downloaded onto machines. However, polymorphism’s popularity means static lists are useless in defending against malware. Tiny variations in malware binaries, ones that otherwise do not change their core functions, now prevent these lists from reliably filtering out threats. Of the hundreds of millions of executable files Webroot analyzes each year, 94% percent were polymorphic. We provide the latest in endpoint protection through our Enable program.

3. Cryptojacking uses your computers without your knowledge.

The best cons are the ones you never even know about. Cryptojacking involves hijacking the computing power of a machine and reassigning it to the task of cryptomining, the process of adding transactions to a blockchain leger in exchange for a small transaction fee. Over time, these efforts can lead to steady returns on little effort for cryptojacking operations. We have advanced security services that watch for unusual behavior on your systems.

4. Ransomware – Extremely quick and profitable!

This is one of the most frustrating and costly cybercrimes. Thieves take over your computer systems and hold your files ransom until you pay up. The worst part of it is, even if you go ahead and pay the ransom, there’s no guaranteed that you’ll actually get your files back, and if you do, they could be damaged or corrupted. Two major ransomware attacks in 2017 caused over $4 billion in losses in just 24 hours. Those grabbed headlines, but the truth is, ransomware happens on a smaller scale to small business every day. A layered security approach coupled with comprehensive backup systems is the best approach to thwarting Ransomware.

5. Malicious mobile apps

With nearly two billion smartphone users, and the enormous popularity of mobile apps, this is now a sweet spot for cyber criminals. Webroot found that one third of mobile apps are now built with malicious intent. In other words, they appear to be something fun or useful, but their actual purpose is to hack your phone.Be wary of applications you install on your phone and be sure to read what access they need to the data stored there.

What can you do about it?

The first line of defense is to make sure you train your employees and keep all systems updated. Those pesky reminders that you need to update your software should never be ignored. Updates are not just improvements in function or design, they also contain fixes of known vulnerabilities.

The next line of defense is to have a great IT partner who will focus on your security. We make it our priority to keep our clients’ networks secure against all known threats, and be informed of potential future threats. It costs so little to protect your business from cyber threats, especially when you consider how much even one small attack can cost in terms of lost revenue and reputation.

Give us a call and we can help you assess your vulnerability to cybercrime and show you how to avoid it.

Call 678-389-6200.

Employee Training Can Prevent HIPAA Violations

HIPAA Compliance, HIPAA Audit

Human error is one of the primary causes of HIPAA violations. Even your best employees can make mistakes, or inadvertently create a situation that leads to a violation. All employees need HIPAA training, so that they understand what would constitute a violation, and what they should do if they see other employees mishandling information.

Fortunately, the software solution I’m now offering my medical and dental practices also covers HIPAA training. Compliance Guard is an end-to-end solution to help busy practices simplify compliance and provides the staff training necessary to ensure the whole team is on board.

The training, and tracking who has been trained in what areas, will be helpful during a HIPAA audit. The Compliance Guard software handles all the tracking and reporting. Because the software was developed by auditors, you can be assured that it covers everything that would be assessed during an audit. You’re never alone with Compliance Guard – our Compliance Coaches will answer questions and guide you. No practice that uses Compliance Guard has ever failed an audit! 

Contact us for more information. Call 389-678-6200 or email jmamon@mpoweredit.com.

Ready for GDPR? What you need to know about new privacy regulations.

GDPR Compliance

If your company collects data on customers, you need to be GDPR compliant by May 25. Even though this is a European privacy law, it affects businesses here in the US. GDPR (General Data Protection Regulation) has new, more transparent regulations for how all companies collect and analyze data tied to EU residents.

Your company will be required to provide a clear notice when you’re collecting data, and let your customers know why you’re collecting it, how long you’ll retain it, and your deletion policies. You’ll need to ensure your employees understand the new policies, and that all your vendors are also compliant.

Your customers will now have the right to access their personal data, and correct or remove it from your database. They can also object to your processing their personal data.

For complete unbiased information on GDPR visit the European Commission.  For network security, penetration testing and all other compliance issues contact mPowered IT at 678-389-6200.

Why Bear the Outrageous Cost of Downtime?

Cloud Backup

Most SMBs don’t have a realistic idea of what it would cost if their computer network were to go down or be inaccessible for any reason. Businesses that do estimate the cost figure around $5000 per hour – but that’s actually low. The cost is actually around $18,000 per hour. Considering how much of your business is tied to your network, you have to figure not only the hard costs of recovery, lost productivity and sales, but also lost opportunity costs – the potential customers who attempted to access your business and couldn’t.

But SMBs with a solid backup and disaster recovery plan can continue business as usual, even with a system failure or power outage that lasts for days. With our Ensure program, your system is backed up continuously throughout the day, every day, and should your server fail, your business is not disrupted. Your business continues off the backup system during repairs.

No business should bear the cost of downtime, when the loss of revenue is almost completely avoidable. The Ensure program provides all the backup and disaster recovery you need for a low monthly rate. In fact, you could be on the Ensure program for many years, enjoying the peace of mind knowing your data is safe and accessible to you, and your cost would be nowhere near what you’d pay for even a few hours of downtime. It just makes good business sense to have Ensure in place – because eventually something will go wrong.

Call mPowered IT to Ensure your business continuity through any disaster – 678-389-6200

 

Would your medical practice pass a HIPAA audit?

One thing I’ve noticed as an IT professional  – and occasionally as a patient – is that no matter how brilliant doctors are with medicine and medical technology, their practices usually struggle to stay up to date with computer and network technology. It also almost goes without saying that medical practices are nearly 100% focused on patient care, scheduling, and insurance, leaving little energy to devote to HIPAA compliance. But even an innocent oversight of a detail of HIPAA compliance can be costly, in terms of fines and loss of reputation.

What medical practices really need is a way to put HIPAA compliance on rails – so it’s simple to understand and easy to handle. We’re now offering an easy-to-use software solution, Embrace Compliance Guard. It will help you with risk assessment, train your staff, verify your compliance status, produce the reports you need, and a whole lot more. It also provides Compliancy Coaches for live human help when you need it.

This software is the solution I’ve been wanting to provide to my medical clients for a long time, and now it’s available. mPowered IT, as a provider to medical clients, has been trained on this system, and we have ensured that we are HIPAA compliant too. We can provide Embrace Compliance Guard on its own or as an addition to our Managed IT Support Services for medical practices.

Learn all about it here. Or, give us a call at 678-389-6200.

How’s that phone system working out for you?

IT service issues

That phone system you put in years ago is probably in need of an upgrade, but who wants to deal with that hassle and expense? Yet, it’s hard to grow and move forward with what you have.

We are helping small businesses get a better, more advanced phone system, without the huge cost and drama. The small business phone system of the future is VoIP – a cloud-based system.

With our Embrace Voice cloud-based phone system, you never have to worry about set ups, managing, updating or repairs ever again. For one low monthly fee, you suddenly have the most cutting-edge phone system with the most advanced features.

Why stumble though another awkward conference call or irritate another customer with a less-than-friendly on-hold system, when you can quickly switch to a system that really helps your business and its future growth.

Learn more about VoIP and let’s talk about how we you can use it help your business. Call 678-389-6200.

No Personal Email Accounts for Company Business!

The Yahoo! Data Breach of 2013 may seem like old news, but 2017 revealed it was far worse than reported. After Verizon acquired Yahoo! in June 2017, they discovered the 2013 breach affected every Yahoo! customer account – three billion in total!

That mind-boggling number is three times more than Yahoo! reports when they first disclosed the breach in 2017. It’s almost 10 times greater that the whole US population.

How could that happen?

The hackers had free access to billions of email accounts for three years before they were discovered. More that 150,000 of the accounts were owned by current and former US government and military employees. They included the accounts of White House staff members, US Congress, and members of the FBA, NSA, and CIA.

Part of the problem is Business Email Compromise (BEC), a growing trend of organized cyber criminals. They get into your network, spend weeks or months studying your organization’s vendors, billing systems, and your CEO’s style of email communications. They can then send a fake email from your CEO (while he or she is away and unavailable) to someone in your finance office, requesting you send payment to someone your company would normally pay. This is a scam that works and the money is hard to track and recover.

How Your Business Could Avoid a Yahoo-type Breach 

  • Patch Vulnerabilities: This must be done in a timely manner. The more time your system spends vulnerable the easier it is for hackers to get what they want.
  • Don’t trust email from an employee’s private account. Anytime someone in your company sends you an email from a private email account, be suspicious. Reply by phone or use the company email to ask if that email was from them.
  • Use your company email for business. Make sure all company business that must be emailed is done via your company email account. That includes minor things like requesting a meeting or sending a file. Because data breaches are a huge and growing threat, it’s best to always keep your company email communications within the safety and security of your business email account.
  • Get a real security partner to assess your vulnerabilities and catch issues before they blow up into expensive and damaging problems. Call mPowered IT at 678-389-6200 and ask for a FREE VULNERABILITY ASSESSMENT.

 

 

Web Analytics