What Employees Need To Know About Phishing Attacks

Phishing is just one of many tools in a hacker’s repertoire and happens to be one of their most effective.  Through phishing, hackers dangle their bait in front of preoccupied employees who would never dream that their PC could provide an open door for a hacker.  That’s why it is so important that employees understand how phishing works, how costly it can be, and what they can do to avoid letting themselves become an unwitting accomplice to a hacker’s attack on their company.


The Nature of Phishing

Phishing involves a malicious entity that sends out emails that look like they are from reputable, well-known companies (maybe even the employee’s own employer) – but these emails are not what they seem.

Sometimes the purpose of a phishing email is to trick the recipient into revealing information such as logins, passwords, or personal information. Other times, phishing emails are used to install malware on the recipient’s computer. Once the hacker behind the phishing attack has succeeded in infiltrating the target system via login information or malware, the damage they cause quickly escalates.

Phishing Can Be Very Costly

So how expensive can phishing be?  Well, consider what happened to a bank in Virginia that fell victim to two phishing attacks in just eight months. Their disaster began when an employee received and opened a phishing email which succeeded in installing malware on company computers.  The malware was able to use the victim’s computer to access the STAR Network, a site used to handle debit card transactions.  Through the STAR Network, the hackers behind the malware were able to steal $569,000 in that one incident alone.

But that wasn’t the end of the matter.  Eight months later, even after hiring a cybersecurity forensics firm and following their advice to better secure their system, the same bank was victimized again through another phishing email.  This time, the hackers again gained access to the STAR Network, but then used the bank’s Navigator system.  Through those systems combined, the hackers were able to credit money to various bank accounts and then withdraw the money using hundreds of different ATMs.  Losses from this incident amounted to almost $2 million.

To make matters even worse, the bank’s cyber insurance provider denied coverage and the bank is now forced to pursue a lawsuit to recover their losses.

The Very Real Dangers Of Phishing Attacks

Phishing wouldn’t be so effective if it wasn’t so easy for busy employees to fall victim to seemingly legitimate emails or innocent-looking attachments.  The malware that was used to initiate the first attack on the bank discussed in this article was embedded in a Microsoft Word document.  Most of us have worked with thousands of Word documents during our careers and have never been victimized by one – but it only takes one time to cost a business millions of dollars.

In this case, once that document was opened, the malware was installed and the group behind it had access to what they needed. The bank in question hired Verizon to investigate both incidents. It was finally determined that the same group of Russian hackers were likely responsible for both attacks.

Common Sense Required

Even the most powerful of cyber security systems is still susceptible to attacks that take the form of phishing or social engineering. As long as people continue to subscribe to the view that firewalls, anti-virus, and anti-malware systems provide all the protection against cyberattacks that a company needs, then successful phishing attacks will continue. Education is one of the forgotten keys to foiling phishing attacks.

Employees need to be taught how to recognize a suspicious email and be given real-world examples of how convincing phishing emails can appear. They need to be encouraged to view both emails and attachments with a critical eye. Employees must also understand that under no circumstances is there a legitimate reason for someone to ask for their password.

Another aspect of this type of education is making sure that people realize that the targets of phishing are not C-suite executives or IT technicians, but employees from all levels.  Through a connection to the company’s network, any employee’s computer could serve as a launching pad for an industrious hacker’s plan of attack.

Conclusion

Phishing attacks are a reality that must be addressed if a company wants to avoid becoming a victim.  These attacks often result in very expensive losses that may not be covered by insurance.  While the importance of a rigorous cyber security system is never to be overestimated, neither is the importance of employee education.  Too many employees have unwittingly become accomplices in costly cyberattacks because they didn’t recognize a phishing email and never thought they could be the target of one.  The first line of defense against phishing isn’t a network firewall, but a trained employee who knows how to recognize a suspicious email or a questionable attachment.

Ransomware – The Rise of Cyber Extortion in Healthcare

Today, it’s almost impossible to say the word “malware” without talking about ransomware. It is one of the most common and destructive forms of malware online today. Thieves take over your computer systems and hold your files hostage until you pay the ransom. Even if you decide to pay up, there is no guarantee you’ll get your files back or what condition they’ll be in. Nowhere is this cybercrime easier to see than in the healthcare industry, which continues to endure waves of the attacks.

While only 30 ransomware breaches in healthcare were reported in 2016, the number more than doubled to 64 the following year, according to a study by Protenus and Databreaches.net. The attacks are having a significant impact. Four of the five largest data breaches reported to the Office for Civil Rights (OCR) in 2017 were attributed to ransomware.

The jump in reports may be partially in response to new guidelines published by the OCR in July 2017. The document, released after a rash of attacks, clarified the OCR’s position that ransomware infections that encrypt protected health information (PHI) are presumed a HIPAA violation and must be reported – unless the victim can prove otherwise.

Of course, the jump may also be driven by a genuine increase in ransomware attacks, which was seen across many industries. A 59% increase in ransomware was observed year over year in 2017, according to McAfee Labs’ March 2018 Threat Report.

In study after study, researchers find ransomware to dominate the malware infections found in healthcare. More than 70% of malware-based security incidents involving PHI were attributed to ransomware in a Verizon report. That’s ten-times the number attributed to the second most-common type, RAM scrapers, which were found in just 7% of the incidents.

Examples of Cyber Extortion

Cyber extortion is a growing trend according to the OCR’s Jan. 2018 Cybersecurity Newsletter. The department predicts the threat “will continue to be a major source of disruption for many organizations.”

Ransomware is the most familiar form, but other types of cyber extortion have cropped up. They include the use of distributed denial of service (DDoS) attacks, in which an attacker renders network systems unreachable to intended users and then demands payment to end the flood of online traffic. Another type cited in the newsletter is perhaps the simplest of all: an attacker steals sensitive data and threatens to publish or sell it unless payment is made.

Many varieties of cyber extortion are likely to emerge in the coming years as malicious outsiders continue looking for new ways to turn malware and hacking skills into profit.

What Can You Do About It?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

Consequences of a Data Breach

Data breaches reveal the personal information of millions of Americans each year. In healthcare, the trend causes even greater concern due to the nature of the data. The consequences of a data breach are costly to healthcare providers, and more importantly, damaging to the victims.

Here is a sample of developments in this area during the start of 2018:

All 50 States Require Breach Notification

On May 1, the Alabama Data Breach Notification Law of 2018 came into effect, making Alabama the final U.S. state to enact such legislation. The law requires notification of breach victims within 45 days of a breach’s discovery, which is 15 days shorter than HIPAA’s 60-day limit. Failure to comply with the notification guidelines can result in a penalty of up to $5,000 per day of the violation.

CT Residents Can Sue for Medical Data Breach


The Connecticut Supreme Court unanimously ruled in January that residents can file lawsuits against healthcare providers seeking damages for negligent disclosure of their medical records resulting in harm. The state joins Massachusetts, Missouri, and New York in allowing such lawsuits, which are not explicitly allowed by HIPAA.

States Looking to Cut Notification Window


A bill to amend Colorado’s data breach notification laws is advancing through the state legislature (not passed as of May 14, 2018). Among other changes, the bill would require organizations to notify individuals affected by a data breach within 30 days of discovery.

Massachusetts Launches Breach Portal

Perhaps following the lead of the OCR’s infamous HIPAA Breach Portal, Massachusetts launched a web portal in February for organizations to submit breach notifications. The portal is later expected to host information on reported breaches, including the organization breached, when the breach occurred, and the number of people affected.

Email – The Gateway to Cyber Attacks

Many cyber attacks that are attributed to “hacking” or “malware” first enter the organization through an old, reliable channel: email.

Email is a door into the network. With a cleverly crafted message, hackers can convince employees to install malware, share access credentials, or perform any number of actions to open an entry point for a larger attack. In this way, staff members become unwitting supporters of the attacks and help them to succeed. The mistake takes only a few seconds of oversight and can spark a data breach that harms the organization for years. In certain environments, only one employee has to make a single mistake to give attackers a foothold.

Going Phishing

When we talk about email as a vessel for hacking or malware, we are referring to an attack called “phishing.” This is when an attacker poses as a trustworthy individual or institution in an attempt to acquire sensitive information. Email-based cyber attacks are very common and are growing more sophisticated. Broad-scale phishing emails, which are often easier to spot, are giving way to targeted, spear phishing emails – which are more closely tailored to the recipient and far more convincing.

More than two-thirds (69%) of health IT professionals surveyed said their organizations experienced a spear phishing attack in the last 12 months, according to the Ponemon report. This happens almost exclusively through email, though in rare cases it occurs over the phone. When asked to consider their organization’s most recent major security incident, 62% of healthcare information security professionals said email was the initial point of compromise, according to the HIMSS report. This was far beyond any other channel mentioned (“other” was second at 13% and “don’t know” was third at 12%).

Most often, malicious emails attempt to trick recipients into opening a malware attachment, clicking to visit a malicious website, or clicking to open a phony web form. However, the channel can also be used to leak or steal sensitive data directly. An attacker may convince an employee to reply to an email with access credentials or other sensitive information. Also, employees can accidentally email patient data to the wrong person (a.k.a. “misdelivery”).

Email is the top location for data breaches reported to OCR from Jan. 1 to May 15, 2018, accounting for 25% of the total during the period.

Email is also the top location for data breaches reported to OCR in 2017, accounting for 23% of the total and impacting 11% of all affected individuals.

What Can You Do About It?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

Is Your Practice Vulnerable to a Cyber Security Breach?

It is a common misconception that small businesses or small medical practices are immune to cyber attacks. The reasoning is that, since they pale in comparison to larger corporations, the appeal of stealing their sensitive information is low. However, this is not the case. Larger corporations have tighter security measures. Cyber thieves know they can easily access and obtain confidential data from small practices that have many vulnerabilities in their security.

Vulnerabilities are an unavoidable part of the cyber security landscape. As long as healthcare organizations rely on computer hardware and software, security flaws will be found and exploited. The vast majority of vulnerabilities (99%) leveraged in cyber attacks are publicly known beforehand. This fact should ring alarms for every healthcare IT professional.

Exploits of known vulnerabilities:

  • 71% of respondents experienced a security incident attributed to an exploit of a software vulnerability more than three months old.
  • 66% experienced an incident attributed to a vulnerability less than three months old. This was the third-most common driver of security incidents found.

Zero-day vulnerabilities – those that are not publicly known before they are exploited in an attack – are rare. They make great headlines, but they are expected to play a role in less than 0.1% of cyber attacks through 2020. However, 48% of IT security professionals surveyed said their organization experienced a zero-day attack in the last 12 months, according to the same Ponemon report.

Vulnerabilities vs. Reality

Resource constraints contribute to vulnerability problems. For example, an MRI machine can cost up to $3 million. The devices are often network-enabled and paired with a control PC. If a vulnerability is discovered in the machine and no patch exists, then the organization will likely tolerate the flaw and perhaps mitigate or ignore it long before the system is replaced. The burden falls on the IT staff to “make it work” perhaps by isolating the system on the network and tightening access controls.

However, even these mitigations can encounter constraints. Medical environments – and hospitals in particular – rely on fast and easy access to data to improve patient outcomes. This can pressure IT departments to “loosen” security controls and ease constraints, potentially elevating the risk of data breach.

These factors and others help to explain why healthcare organizations continue to rely on outdated systems known to have severe security flaws. According to a July 2017 survey of 305 healthcare IT professionals in the UK and US by Infoblox:

  • 22% have systems running Windows 7, which was originally released in 2009. Windows 10 was released in 2015.
  • 20% have systems running Windows XP, which reached end-of-life and stopped receiving routine patches in 2014.

Medical Device Security

Vulnerabilities discovered in medical devices – such as CT scanners, pacemakers, and drug infusion pumps – are a growing concern to healthcare professionals, and even lawmakers.

More than half (55%) of health IT security professionals said medical device security is not part of their overall cyber security strategy, according to the Ponemon study. When asked to select their greatest concern with medical device security, 39% of healthcare IT security professionals cited patient safety.

While some devices can be updated or replaced, this is not always the case. In the Infoblox survey, 15% of healthcare IT professionals said they either cannot update these systems or are unsure if they can.

Misconfiguration

Misconfiguration can open a security flaw in even the most rock-solid systems. This can cause major data leaks, especially when the system is a public-facing database. On Jan. 25, 2018, a security researcher discovered a database owned by a Long Island medical practice had been misconfigured and left publicly available. This revealed the medical information of more than 42,000 patients, including more than 3 million “medical notes” such as a doctor’s observations. Accessing the information required only knowing the server’s IP address.

In March 2018, a nonprofit healthcare conglomerate based in St. Louis notified 33,420 patients affected by a data leak caused by a server misconfiguration. The leak publicly exposed scanned images of patient driver’s licenses, insurance cards, and medical documents.

Spectre and Meltdown

On Jan. 3, 2018, security researchers revealed two security vulnerabilities present in billions of systems worldwide. Known as Spectre and Meltdown, they are among the most widespread data security flaws ever discovered. In short, the flaws are related to how most modern processors handle data. When exploited, they can allow an attacker to bypass data access controls and steal sensitive data – including data from the kernel or other applications.

What Can You Do About It?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

Insider Abuse and Errors – The Biggest Threat to Healthcare Security

Insiders are among the biggest threats to data security in healthcare. Research suggests the problem has reached epidemic proportions – with staff members snooping, stealing, or otherwise leaking sensitive data on a scale much broader than in other industries.

The trend is consistent:

  • Insiders caused 58% of the healthcare security incidents reviewed for the 2018 Verizon PHI Data Breach Report.
  • Insiders caused 37% of 2017 healthcare data breaches reviewed in the 2018 Protenus Breach Barometer Report.
  • An insider caused the largest healthcare data breach reported to OCR in 2017, allegedly stealing data affecting 697,800 individuals.

The trend has extended into 2018. A Calyptix review of the data breaches reported to the OCR from Jan. 1 to May 15 this year revealed:

  • 45% were caused by “unauthorized access / disclosure”, a type of breach typically associated with insiders. The breaches accounted for 55% of the total records exposed during the period.
  • 9% were caused by “loss” or “improper disposal”, which are also often associated with insiders.

The numbers might be inflated by the stringent breach reporting requirements in HIPAA. However, other industries – such as the public sector – also have stringent reporting requirements. While they often see higher levels of insider incidents, they are nowhere near the levels seen in healthcare, suggesting the severity of the problem may be unique to the industry.

Why Insiders Breach

Why do staff members knowingly violate HIPAA guidelines, causing a data breach? In a review of 306 data breaches in healthcare shown to be caused by insiders, 48% were financially motivated and 31% were motivated by fun or curiosity, according to the Verizon report. Interestingly, another 10% were motivated by convenience.

Insider data breaches come in two general types: intentional and accidental. A staff member either mistakenly leaks data – such as by emailing health records to the wrong patient – or purposefully exposes the data – such as by theft or snooping. One snooping case reported in 2017 went undiscovered for 14 years. An employee at a Massachusetts hospital was found to have inappropriately accessed the medical records of as many as 1,176 patients over the years.

The person’s motivation can have a significant impact on the scale of the breach. For example, an insider who is financially motivated to steal patient health data may try to grab as much as possible. Malicious or nosey insiders are also more likely to attempt to hide their actions. On the other hand, an employee who makes an honest mistake will likely try to minimize the impact. This may partly explain why data breaches involving “insider wrongdoing” were shown to impact 14% more patient records in 2017 than breaches caused by “insider error”, according to the Protenus report.

Gaps in IT Security Knowledge

Many factors – including large volumes of sensitive data, legacy systems, and complex networks – combine to support a high level of insider breaches. Another factor may be a lower awareness of cyber security issues among healthcare staff. When tested on their security knowledge in 2017, end users in healthcare came in second-to-last compared to other industries, answering 23% of the questions incorrectly, according to a study by Wombat Security.

Healthcare IT professionals seem to echo this finding. More than half (52%) of those surveyed agreed with the statement, “Employees’ lack of awareness affects our ability to achieve a strong security posture.”

The problem also extends to specialized IT security staff, with 74% of respondents in healthcare IT indicating that “insufficient staffing” had hampered the organization’s cyber security posture – more than any other challenge cited. Filling the gaps is apparently not easy, with 79% reporting it is at least “somewhat difficult” to recruit IT security personnel. Nearly one-third (32%) reported it is “extremely difficult”.

More Training Needed

Security awareness training is required by HIPAA – but the necessary quality and quantity of training is open to interpretation. In a survey of 239 IT security professionals completed in Jan. 2018 by the Healthcare Information Management and Systems Society (HIMSS), only 8.4% said their organization did not have a security awareness training program – which is a good sign. Unfortunately, more than half of respondents (51.8%) said they conduct training just once per year. About one-in-five (22.9%) train monthly.

What Can You Do About It?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

Healthcare Hacking & Malware – Targeting Patient Medical Records

Healthcare hacking and malware are big business for bad guys. Cyber criminals are launching attacks against healthcare networks every single day. Healthcare hacking and malware are generally the work of “malicious outsiders” rather than rogue employees. The motivation is almost always money.

Hackers Are Drawn to Data

Why do hackers target the healthcare industry? Many speculate one reason is the value of the data stored by hospitals, care providers, and other medical offices. When asked the types of information they believe hackers are most interested in, more than half of healthcare IT professionals surveyed pointed to the following three types:

  • Patient medical records: 77%
  • Patient billing information: 56%
  • Login credentials: 54%

Patient medical records remain a profitable commodity on the dark web. Criminals can use the records to conduct medical fraud schemes – collecting payments from public services such as Medicaid and Medicare – and can go undiscovered for years.

Patient billing information – including credit card numbers – is also valuable to data thieves and can be used for fraudulent transactions.

However, the lifespan of such schemes is often far shorter than medical-related ones. The payment card industry is far more efficient in detecting and blocking fraudulent transactions than government regulators in the medical field. This may partly explain why more healthcare IT professionals say hackers are targeting medical records.

Login credentials, of course, are often targeted to gain access to additional systems storing valuable data. Other types of data – such as clinical research, email content, and employee information – can also be targeted, though fewer respondents cited them than the three data types mentioned above.

The use of stolen credentials was found in nearly half (49%) of all healthcare security incidents attributed to “hacking” in the Verizon 2018 Protected Health Information Data Breach Report.

What can you do about it?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

When you need IT problems fixed yesterday


One of the biggest complaints I hear from businesses that use Managed Services Providers is the lack of urgency when something goes wrong. It can take hours to get a response after submitting a ticket, and then the fix can take days. Most companies are pretty happy with their MSP – until they submit that first ticket with a time-sensitive issue!

When something goes wrong, you want it fixed yesterday!

We actually do that. We monitor our clients’ systems and fix potential issues before they become a problem. So essentially, what would have been a problem today was fixed yesterday. Can your provider do that?

Now we’re not saying issues never arise – they occasionally do. And while no MSP can promise to solve every issue in a matter of minutes, we understand the urgency to get it fixed and act accordingly. At mPowered IT, we strive to respond to every ticket within 15 minutes. From there we quickly evaluate the “crisis level”, prioritize it, and give you an estimate of when the problem can be resolved.

What’s not fixed yesterday, we jump on today, and address the issue as soon as humanly possible!

Top 5 Cyber Security Threats to Your Small Business

I hate to say it, but the bad guys are getting really good at taking advantage of businesses, and they’re making a mind-boggling amount of money off it. So, it’s not going to slow down, it’s just going to escalate. I want to let you know what the biggest cyber threats are, according to Webroot’s 2018 Cyber Threat Report, so you can make sure you’re not one of their statistics.

1. Phishing – Employees are taking the bait!

Phishing scams used to be almost laughably obvious – a Nigerian prince wanted to send you money! But now these scams are so cleverly disguised, it takes an eagle eye to spot one. It’s very easy for your employees to innocently click on what appears to be a legitimate link and open your business to thieves. Today’s phishing scams are more likely to be via email from what appears to be a company you already do business with. Employees need to be trained to never provide info or click links unless they’re absolutely sure they’re from a legitimate source. Talk to us about our Security Awareness Training.

2. Static Malware is history. Polymorphism is the new threat.

Static lists were once the preferred method of keeping known malicious files from being downloaded onto machines. However, polymorphism’s popularity means static lists are useless in defending against malware. Tiny variations in malware binaries, ones that otherwise do not change their core functions, now prevent these lists from reliably filtering out threats. Of the hundreds of millions of executable files Webroot analyzes each year, 94% were polymorphic. We provide the latest in endpoint protection through our Enable program.
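The following is an added example, not code from the original post or from Webroot, showing why an exact-hash blocklist misses polymorphic variants while a signature on the unchanged core still matches. The samples are constructed toy byte strings, and `CORE`, `polymorphic_variant` and `evaluate` are illustrative names chosen here.

```python
"""
Why a static hash list fails against polymorphism (added example).

A polymorphic packer rebuilds the same malicious program with cosmetic
differences (junk bytes, padding, reordered sections), so every copy has a
new file hash. A blocklist of exact hashes only ever catches copies it has
already seen; a signature keyed on the invariant behaviour-bearing bytes
catches every rebuild. All data below is constructed for the demo.
"""
import hashlib

# Constructed toy "malware": a header, an invariant core, and 8 junk bytes
# that a polymorphic engine would rewrite on every build.
CORE = b"CORE:read_docs;encrypt;post_to_c2"   # the part that never changes
JUNK_LEN = 8
ORIGINAL_SAMPLE = b"HDR" + CORE + b"\x00" * JUNK_LEN


def sha256_hex(data: bytes) -> str:
    """Exact file hash, the key used by a static blocklist."""
    return hashlib.sha256(data).hexdigest()


# Static list: hashes of samples that were analysed and blocked in the past.
STATIC_BLOCKLIST = {sha256_hex(ORIGINAL_SAMPLE)}


def polymorphic_variant(sample: bytes, seed: int) -> bytes:
    """Simulate one polymorphic rebuild: identical core, different junk bytes."""
    junk = bytes(((seed * 31) + i) & 0xFF for i in range(JUNK_LEN))
    return sample[: len(sample) - JUNK_LEN] + junk


def static_list_blocks(sample: bytes) -> bool:
    """Exact-hash check: only true for byte-for-byte known samples."""
    return sha256_hex(sample) in STATIC_BLOCKLIST


def core_signature_blocks(sample: bytes) -> bool:
    """Content signature on the invariant core (what a YARA-style rule does)."""
    return CORE in sample


def evaluate(n_variants: int) -> dict:
    """Run both detections over n rebuilt variants and summarise the results."""
    variants = [polymorphic_variant(ORIGINAL_SAMPLE, s) for s in range(1, n_variants + 1)]
    return {
        # every variant hashes differently, so the static list never fires
        "distinct_hashes": len({sha256_hex(v) for v in variants}),
        "static_hits": sum(static_list_blocks(v) for v in variants),
        # the core is untouched, so the signature fires on every variant
        "signature_hits": sum(core_signature_blocks(v) for v in variants),
    }


if __name__ == "__main__":
    print("original blocked by static list:", static_list_blocks(ORIGINAL_SAMPLE))
    print(evaluate(10))
```

The same gap applies to any exact-match indicator list; endpoint protection that looks at behaviour or structural signatures is what closes it.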

3. Cryptojacking uses your computers without your knowledge.

The best cons are the ones you never even know about. Cryptojacking involves hijacking the computing power of a machine and reassigning it to the task of cryptomining, the process of adding transactions to a blockchain ledger in exchange for a small transaction fee. Over time, these efforts can lead to steady returns on little effort for cryptojacking operations. We have advanced security services that watch for unusual behavior on your systems.

4. Ransomware – Extremely quick and profitable!

This is one of the most frustrating and costly cybercrimes. Thieves take over your computer systems and hold your files ransom until you pay up. The worst part of it is, even if you go ahead and pay the ransom, there’s no guarantee that you’ll actually get your files back, and if you do, they could be damaged or corrupted. Two major ransomware attacks in 2017 caused over $4 billion in losses in just 24 hours. Those grabbed headlines, but the truth is, ransomware happens on a smaller scale to small businesses every day. A layered security approach coupled with comprehensive backup systems is the best approach to thwarting ransomware.

5. Malicious mobile apps

With nearly two billion smartphone users, and the enormous popularity of mobile apps, this is now a sweet spot for cyber criminals. Webroot found that one-third of mobile apps are now built with malicious intent. In other words, they appear to be something fun or useful, but their actual purpose is to hack your phone. Be wary of applications you install on your phone and be sure to read what access they need to the data stored there.

What can you do about it?

The first line of defense is to make sure you train your employees and keep all systems updated. Those pesky reminders that you need to update your software should never be ignored. Updates are not just improvements in function or design, they also contain fixes of known vulnerabilities.

The next line of defense is to have a great IT partner who will focus on your security. We make it our priority to keep our clients’ networks secure against all known threats, and be informed of potential future threats. It costs so little to protect your business from cyber threats, especially when you consider how much even one small attack can cost in terms of lost revenue and reputation.

Give us a call and we can help you assess your vulnerability to cybercrime and show you how to avoid it.

Call 678-389-6200.

Employee Training Can Prevent HIPAA Violations


Human error is one of the primary causes of HIPAA violations. Even your best employees can make mistakes, or inadvertently create a situation that leads to a violation. All employees need HIPAA training, so that they understand what would constitute a violation, and what they should do if they see other employees mishandling information.

Fortunately, the software solution I’m now offering my medical and dental practices also covers HIPAA training. Compliance Guard is an end-to-end solution to help busy practices simplify compliance and provides the staff training necessary to ensure the whole team is on board.

The training, and tracking who has been trained in what areas, will be helpful during a HIPAA audit. The Compliance Guard software handles all the tracking and reporting. Because the software was developed by auditors, you can be assured that it covers everything that would be assessed during an audit. You’re never alone with Compliance Guard – our Compliance Coaches will answer questions and guide you. No practice that uses Compliance Guard has ever failed an audit!

Contact us for more information. Call 389-678-6200 or email jmamon@mpoweredit.com.
