Is Your Practice Vulnerable to a Cyber Security Breach?

It is a common misconception that small businesses or small medical practices are immune to cyber attacks. The reasoning goes that, because they pale in comparison to larger corporations, the appeal of stealing their sensitive information is low. However, this is not the case. Larger corporations have tighter security measures. Cyber thieves know they can easily access and obtain confidential data from small practices that have many vulnerabilities in their security.

Vulnerabilities are an unavoidable part of the cyber security landscape. As long as healthcare organizations rely on computer hardware and software, security flaws will be found and exploited. The vast majority of vulnerabilities (99%) leveraged in cyber attacks are publicly known beforehand. This fact should set off alarms for every healthcare IT professional.

Exploits of known vulnerabilities:

  • 71% experienced a security incident attributed to an exploit of a software vulnerability more than three months old.
  • 66% experienced an incident attributed to a vulnerability less than three months old. This was the third-most common driver of security incidents found.

Zero-day vulnerabilities – those that are not publicly known before they are exploited in an attack – are rare. They make great headlines, but they are expected to play a role in less than 0.1% of cyber attacks through 2020. However, 48% of IT security professionals surveyed said their organization experienced a zero-day attack in the last 12 months, according to the same Ponemon report.

Vulnerabilities vs. Reality

Resource constraints contribute to vulnerability problems. For example, an MRI machine can cost up to $3 million. The devices are often network-enabled and paired with a control PC. If a vulnerability is discovered in the machine and no patch exists, the organization will likely tolerate the flaw, and perhaps mitigate or ignore it, long before the system is replaced. The burden falls on the IT staff to “make it work”, perhaps by isolating the system on the network and tightening access controls.

However, even these mitigations can encounter constraints. Medical environments – and hospitals in particular – rely on fast and easy access to data to improve patient outcomes. This can pressure IT departments to “loosen” security controls and ease constraints, potentially elevating the risk of data breach.

These factors and others help to explain why healthcare organizations continue to rely on outdated systems known to have severe security flaws. According to a July 2017 survey of 305 healthcare IT professionals in the UK and US by Infoblox:

  • 22% have systems running Windows 7, which was originally released in 2009. Windows 10 was released in 2015.
  • 20% have systems running Windows XP, which reached end-of-life and stopped receiving routine patches in 2014.

Medical Device Security

Vulnerabilities discovered in medical devices – such as CT scanners, pacemakers, and drug infusion pumps – are a growing concern to healthcare professionals, and even lawmakers.

More than half (55%) of health IT security professionals said medical device security is not part of their overall cyber security strategy, according to the Ponemon study. When asked to select their greatest concern with medical device security, 39% of healthcare IT security professionals cited patient safety.

While some devices can be updated or replaced, this is not always the case. In the Infoblox survey, 15% of healthcare IT professionals said they either cannot update these systems or are unsure if they can.

Misconfiguration

Misconfiguration can open a security flaw in even the most rock-solid systems. This can cause major data leaks, especially when the system is a public-facing database. On Jan. 25, 2018, a security researcher discovered a database owned by a Long Island medical practice had been misconfigured and left publicly available. This revealed the medical information of more than 42,000 patients, including more than 3 million “medical notes” such as a doctor’s observations. Accessing the information required only knowing the server’s IP address.

In March 2018, a nonprofit healthcare conglomerate based in St. Louis notified 33,420 patients affected by a data leak caused by a server misconfiguration. The leak publicly exposed scanned images of patient driver’s licenses, insurance cards, and medical documents.

Spectre and Meltdown

On Jan. 3, 2018, security researchers revealed two security vulnerabilities present in billions of systems worldwide. Known as Spectre and Meltdown, they are among the most widespread data security flaws ever discovered. In short, the flaws are related to how most modern processors handle data. When exploited, they can allow an attacker to bypass data access controls and steal sensitive data – including data from the kernel or other applications.

What Can You Do About It?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

Insider Abuse and Errors – The Biggest Threat to Healthcare Security

Insiders are among the biggest threats to data security in healthcare. Research suggests the problem has reached epidemic proportions – with staff members snooping, stealing, or otherwise leaking sensitive data on a scale much broader than in other industries.

The trend is consistent:

  • Insiders caused 58% of the healthcare security incidents reviewed for the 2018 Verizon PHI Data Breach Report.
  • Insiders caused 37% of 2017 healthcare data breaches reviewed in the 2018 Protenus Breach Barometer Report.
  • An insider caused the largest healthcare data breach reported to OCR in 2017, allegedly stealing data affecting 697,800 individuals.

The trend has extended into 2018. A Calyptix review of the data breaches reported to the OCR from Jan. 1 to May 15 this year revealed:

  • 45% were caused by “unauthorized access / disclosure”, a type of breach typically associated with insiders. The breaches accounted for 55% of the total records exposed during the period.
  • 9% were caused by “loss” or “improper disposal”, which are also often associated with insiders.

The numbers might be inflated by the stringent breach reporting requirements in HIPAA. However, other industries – such as the public sector – also have stringent reporting requirements. While they often see higher levels of insider incidents, they are nowhere near the levels seen in healthcare, suggesting the severity of the problem may be unique to the industry.

Why Insiders Breach

Why do staff members knowingly violate HIPAA guidelines, causing a data breach? In a review of 306 data breaches in healthcare shown to be caused by insiders, 48% were financially motivated and 31% were motivated by fun or curiosity, according to the Verizon report. Interestingly, another 10% were motivated by convenience.

Insider data breaches come in two general types: intentional and accidental. A staff member either mistakenly leaks data – such as by emailing health records to the wrong patient – or purposefully exposes the data – such as by theft or snooping. One snooping case reported in 2017 went undiscovered for 14 years. An employee at a Massachusetts hospital was found to have inappropriately accessed the medical records of as many as 1,176 patients over the years.

The person’s motivation can have a significant impact on the scale of the breach. For example, an insider who is financially motivated to steal patient health data may try to grab as much as possible. Malicious or nosey insiders are also more likely to attempt to hide their actions. On the other hand, an employee who makes an honest mistake will likely try to minimize the impact. This may partly explain why data breaches involving “insider wrongdoing” were shown to impact 14% more patient records in 2017 than breaches caused by “insider error”, according to the Protenus report.
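Snooping of the kind described above is only found if someone actually looks at the access logs. The following is an added example for this post, not code from the original page or from any vendor product: it parses constructed EHR audit-log lines (the line format is an assumption), checks each access against an assumed care-team assignment table, and flags users whose accesses to patients they are not assigned to exceed a per-day threshold.

```python
"""Flag possible record snooping in EHR access audit logs.

Added example for this post, not code from the original page or from any
vendor product. The log line format and the assignment table are assumptions
constructed for the demo. Run continuously, this is the kind of check that
surfaces a long-running snooping pattern.
"""
import re
from collections import defaultdict

# Constructed sample log, one record access per line (format assumed for the demo).
SAMPLE_LOG = """\
2018-03-02T09:15:00 user=nurse01 action=VIEW patient=P1001
2018-03-02T09:20:00 user=nurse01 action=VIEW patient=P1002
2018-03-02T09:40:00 user=clerk07 action=VIEW patient=P1001
2018-03-02T12:05:00 user=clerk07 action=VIEW patient=P2201
2018-03-02T12:06:00 user=clerk07 action=VIEW patient=P2202
2018-03-02T12:07:00 user=clerk07 action=VIEW patient=P2203
2018-03-02T12:09:00 user=clerk07 action=VIEW patient=P2204
garbage line that should be skipped
2018-03-03T08:00:00 user=nurse01 action=VIEW patient=P3001
"""

# Constructed assignments: patients each user has a treatment or billing
# relationship with. Real systems derive this from scheduling/ADT feeds.
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002"},
    "clerk07": {"P1001"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_snooping(events: list, assignments: dict, max_unassigned_per_day: int = 2) -> dict:
    """Return {(user, day): [unassigned patients]} for users over the threshold.

    The threshold absorbs legitimate one-off lookups (a covering clinician,
    a misfiled chart); every flagged pair still needs human review."""
    unassigned = defaultdict(set)
    for ev in events:
        allowed = assignments.get(ev["user"], set())
        if ev["patient"] not in allowed:
            day = ev["ts"][:10]
            unassigned[(ev["user"], day)].add(ev["patient"])
    return {
        key: sorted(patients)
        for key, patients in unassigned.items()
        if len(patients) > max_unassigned_per_day
    }


if __name__ == "__main__":
    for (user, day), patients in find_snooping(parse_log(SAMPLE_LOG), ASSIGNMENTS).items():
        print(f"{day} {user}: {len(patients)} unassigned patients -> {', '.join(patients)}")
```

On the constructed log, clerk07 is flagged for 2018-03-02 (four unassigned patients) while nurse01's single unassigned lookup on 2018-03-03 stays below the threshold.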

Gaps in IT Security Knowledge

Many factors – including large volumes of sensitive data, legacy systems, and complex networks – combine to support a high level of insider breaches. Another factor may be a lower awareness of cyber security issues among healthcare staff. When tested on their security knowledge in 2017, end users in healthcare came in second-to-last compared to other industries, answering 23% of the questions incorrectly, according to a study by Wombat Security.

Healthcare IT professionals seem to echo this finding. More than half (52%) of those surveyed agreed with the statement, “Employees’ lack of awareness affects our ability to achieve a strong security posture.”

The problem also extends to specialized IT security staff, with 74% of respondents in healthcare IT indicating that “insufficient staffing” had hampered the organization’s cyber security posture – more than any other challenge cited. Filling the gaps is apparently not easy, with 79% reporting it is at least “somewhat difficult” to recruit IT security personnel. Nearly one-third (32%) reported it is “extremely difficult”.

More Training Needed

Security awareness training is required by HIPAA – but the necessary quality and quantity of training is open to interpretation. In a survey of 239 IT security professionals completed in Jan. 2018 by the Healthcare Information Management and Systems Society (HIMSS), only 8.4% said their organization did not have a security awareness training program – which is a good sign. Unfortunately, more than half of respondents (51.8%) said they conduct training just once per year. About one in five (22.9%) train monthly.

What Can You Do About It?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

Healthcare Hacking & Malware – Targeting Patient Medical Records

Healthcare hacking and malware is big business for bad guys. Cyber criminals are launching attacks against healthcare networks every single day. Healthcare hacking and malware is generally done by “malicious outsiders” rather than rogue employees. The motivation is almost always money.


Hackers Are Drawn to Data

Why do hackers target the healthcare industry? Many speculate one reason is the value of the data stored by hospitals, care providers, and other medical offices. When asked the types of information they believe hackers are most interested in, more than half of healthcare IT professionals surveyed pointed to the following three types:

  • Patient medical records: 77%
  • Patient billing information: 56%
  • Login credentials: 54%

Patient medical records remain a profitable commodity on the dark web. Criminals can use the records to conduct medical fraud schemes – collecting payments from public services such as Medicaid and Medicare – and can go undiscovered for years.

Patient billing information – including credit card numbers – is also valuable to data thieves and can be used for fraudulent transactions.

However, the lifespan of such schemes is often far shorter than medical-related ones. The payment card industry is far more efficient in detecting and blocking fraudulent transactions than government regulators in the medical field. This may partly explain why more healthcare IT professionals say hackers are targeting medical records.

Login credentials, of course, are often targeted to gain access to additional systems storing valuable data. Other types of data – such as clinical research, email content, and employee information – can also be targeted, though fewer respondents cited them than the three data types mentioned above.

The use of stolen credentials was found in nearly half (49%) of all healthcare security incidents attributed to “hacking” in the Verizon 2018 Protected Health Information Data Breach Report.

What can you do about it?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

When you need IT problems fixed yesterday

IT service issues

One of the biggest complaints I hear from businesses who use Managed Services Providers is the lack of urgency when something goes wrong. It can take hours to get a response after submitting a ticket, and then the fix can take days. Most companies are pretty happy with their MSP – until they submit that first ticket with a time-sensitive issue!

When something goes wrong, you want it fixed yesterday!

We actually do that. We monitor our clients’ systems and fix potential issues before they become a problem. So essentially, what would have been a problem today was fixed yesterday. Can your provider do that?

Now we’re not saying issues never arise – they occasionally do. And while no MSP can promise to solve every issue in a matter of minutes, we understand the urgency to get it fixed and act accordingly. At mPowered IT, we strive to respond to every ticket within 15 minutes. From there we quickly evaluate the “crisis level”, prioritize it, and give you an estimate of when the problem can be resolved.

What’s not fixed yesterday, we jump on today, and address the issue as soon as humanly possible!


Top 5 Cyber Security Threats to Your Small Business

I hate to say it, but the bad guys are getting really good at taking advantage of businesses, and they’re making a mind-boggling amount of money off it. So, it’s not going to slow down, it’s just going to escalate. I want to let you know what the biggest cyber threats are, according to Webroot’s 2018 Cyber Threat Report, so you can make sure you’re not one of their statistics.

1. Phishing – Employees are taking the bait!

Phishing scams used to be almost laughably obvious – a Nigerian prince wanted to send you money! But now these scams are so cleverly disguised, it takes an eagle eye to spot one. It’s very easy for your employees to innocently click on what appears to be a legitimate link and open your business to thieves. Today’s phishing scams are more likely to be via email from what appears to be a company you already do business with. Employees need to be trained to never provide info or click links unless they’re absolutely sure they’re from a legitimate source. Talk to us about our Security Awareness Training.

2. Static Malware is history. Polymorphism is the new threat. 

Static lists were once the preferred method of keeping known malicious files from being downloaded onto machines. However, polymorphism’s popularity means static lists are useless in defending against malware. Tiny variations in malware binaries, ones that otherwise do not change their core functions, now prevent these lists from reliably filtering out threats. Of the hundreds of millions of executable files Webroot analyzes each year, 94% were polymorphic. We provide the latest in endpoint protection through our Enable program.
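To see why a static list fails, here is an added illustration for this post (not code from the original page or from Webroot). It builds a small constructed “binary” in memory, rewrites a few padding bytes the way a polymorphic packer would, and shows that an exact SHA-256 blocklist misses every variant while a hash over only the functional bytes still matches; the header/body/padding layout is an assumption for the demo, not a real executable format.

```python
"""Why an exact-hash blocklist fails against polymorphic variants.

Added illustration for this post; it is not code from the original page or
from Webroot. The header/body/padding layout is an assumption for the demo,
not a real executable format.
"""
import hashlib
import random

HEADER = b"DEMOHDR1"   # constructed fixed header (assumption)
PAD_LEN = 4            # constructed trailing padding a mutator may rewrite


def build_sample(body: bytes, padding: bytes = b"\x00" * PAD_LEN) -> bytes:
    """Assemble a constructed sample: header + functional body + padding."""
    if len(padding) != PAD_LEN:
        raise ValueError("padding must be exactly PAD_LEN bytes")
    return HEADER + body + padding


def mutate(sample: bytes, seed: int) -> bytes:
    """Return a polymorphic variant: identical body, different padding bytes."""
    rng = random.Random(seed)
    old_pad = sample[-PAD_LEN:]
    new_pad = old_pad
    while new_pad == old_pad:  # guarantee the bytes actually change
        new_pad = bytes(rng.randrange(256) for _ in range(PAD_LEN))
    return sample[:-PAD_LEN] + new_pad


def full_hash(sample: bytes) -> str:
    """Exact file hash: the key a static blocklist stores."""
    return hashlib.sha256(sample).hexdigest()


def functional_hash(sample: bytes) -> str:
    """Hash only the bytes that carry behaviour (header and padding stripped).

    Stand-in for feature-based detection; real polymorphic malware also
    rewrites code, so production tools match on behaviour, not one hash."""
    return hashlib.sha256(sample[len(HEADER):-PAD_LEN]).hexdigest()


class Blocklist:
    """Blocklist keyed by a chosen hash function."""

    def __init__(self, known_bad, key):
        self.key = key
        self.hashes = {key(s) for s in known_bad}

    def matches(self, sample: bytes) -> bool:
        return self.key(sample) in self.hashes


def compare_detection(known_bad: bytes, n_variants: int = 10) -> dict:
    """Count how many variants of known_bad each blocklist catches."""
    variants = [mutate(known_bad, seed) for seed in range(1, n_variants + 1)]
    static = Blocklist([known_bad], full_hash)
    functional = Blocklist([known_bad], functional_hash)
    return {
        "static": sum(static.matches(v) for v in variants),
        "functional": sum(functional.matches(v) for v in variants),
    }


if __name__ == "__main__":
    sample = build_sample(b"CONSTRUCTED_PAYLOAD_BODY")
    print(compare_detection(sample))  # {'static': 0, 'functional': 10}
```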

3. Cryptojacking uses your computers without your knowledge.

The best cons are the ones you never even know about. Cryptojacking involves hijacking the computing power of a machine and reassigning it to the task of cryptomining, the process of adding transactions to a blockchain ledger in exchange for a small transaction fee. Over time, these efforts can lead to steady returns on little effort for cryptojacking operations. We have advanced security services that watch for unusual behavior on your systems.

4. Ransomware – Extremely quick and profitable!

This is one of the most frustrating and costly cybercrimes. Thieves take over your computer systems and hold your files ransom until you pay up. The worst part of it is, even if you go ahead and pay the ransom, there’s no guarantee that you’ll actually get your files back, and if you do, they could be damaged or corrupted. Two major ransomware attacks in 2017 caused over $4 billion in losses in just 24 hours. Those grabbed headlines, but the truth is, ransomware happens on a smaller scale to small businesses every day. A layered security approach coupled with comprehensive backup systems is the best approach to thwarting ransomware.

5. Malicious mobile apps

With nearly two billion smartphone users, and the enormous popularity of mobile apps, this is now a sweet spot for cyber criminals. Webroot found that one third of mobile apps are now built with malicious intent. In other words, they appear to be something fun or useful, but their actual purpose is to hack your phone. Be wary of applications you install on your phone and be sure to read what access they need to the data stored there.

What can you do about it?

The first line of defense is to make sure you train your employees and keep all systems updated. Those pesky reminders that you need to update your software should never be ignored. Updates are not just improvements in function or design, they also contain fixes of known vulnerabilities.

The next line of defense is to have a great IT partner who will focus on your security. We make it our priority to keep our clients’ networks secure against all known threats, and be informed of potential future threats. It costs so little to protect your business from cyber threats, especially when you consider how much even one small attack can cost in terms of lost revenue and reputation.

Give us a call and we can help you assess your vulnerability to cybercrime and show you how to avoid it.

Call 678-389-6200.

Employee Training Can Prevent HIPAA Violations

HIPAA Compliance, HIPAA Audit

Human error is one of the primary causes of HIPAA violations. Even your best employees can make mistakes, or inadvertently create a situation that leads to a violation. All employees need HIPAA training, so that they understand what would constitute a violation, and what they should do if they see other employees mishandling information.

Fortunately, the software solution I’m now offering my medical and dental practices also covers HIPAA training. Compliance Guard is an end-to-end solution to help busy practices simplify compliance and provides the staff training necessary to ensure the whole team is on board.

The training, and tracking who has been trained in what areas, will be helpful during a HIPAA audit. The Compliance Guard software handles all the tracking and reporting. Because the software was developed by auditors, you can be assured that it covers everything that would be assessed during an audit. You’re never alone with Compliance Guard – our Compliance Coaches will answer questions and guide you. No practice that uses Compliance Guard has ever failed an audit! 

Contact us for more information. Call 389-678-6200 or email jmamon@mpoweredit.com.

Ready for GDPR? What you need to know about new privacy regulations.

GDPR Compliance

If your company collects data on customers, you need to be GDPR compliant by May 25. Even though this is a European privacy law, it affects businesses here in the US. GDPR (General Data Protection Regulation) has new, more transparent regulations for how all companies collect and analyze data tied to EU residents.

Your company will be required to provide a clear notice when you’re collecting data, and let your customers know why you’re collecting it, how long you’ll retain it, and your deletion policies. You’ll need to ensure your employees understand the new policies, and that all your vendors are also compliant.

Your customers will now have the right to access their personal data, and correct or remove it from your database. They can also object to your processing their personal data.

For complete unbiased information on GDPR visit the European Commission. For network security, penetration testing and all other compliance issues contact mPowered IT at 678-389-6200.

Why Bear the Outrageous Cost of Downtime?

Cloud Backup

Most SMBs don’t have a realistic idea of what it would cost if their computer network were to go down or be inaccessible for any reason. Businesses that do estimate the cost figure around $5000 per hour – but that’s actually low. The cost is actually around $18,000 per hour. Considering how much of your business is tied to your network, you have to figure not only the hard costs of recovery, lost productivity and sales, but also lost opportunity costs – the potential customers who attempted to access your business and couldn’t.

But SMBs with a solid backup and disaster recovery plan can continue business as usual, even with a system failure or power outage that lasts for days. With our Ensure program, your system is backed up continuously throughout the day, every day, and should your server fail, your business is not disrupted. Your business continues off the backup system during repairs.

No business should bear the cost of downtime, when the loss of revenue is almost completely avoidable. The Ensure program provides all the backup and disaster recovery you need for a low monthly rate. In fact, you could be on the Ensure program for many years, enjoying the peace of mind knowing your data is safe and accessible to you, and your cost would be nowhere near what you’d pay for even a few hours of downtime. It just makes good business sense to have Ensure in place – because eventually something will go wrong.

Call mPowered IT to Ensure your business continuity through any disaster – 678-389-6200


Would your medical practice pass a HIPAA audit?

One thing I’ve noticed as an IT professional – and occasionally as a patient – is that no matter how brilliant doctors are with medicine and medical technology, their practices usually struggle to stay up to date with computer and network technology. It also almost goes without saying that medical practices are nearly 100% focused on patient care, scheduling, and insurance, leaving little energy to devote to HIPAA compliance. But even an innocent oversight of a detail of HIPAA compliance can be costly, in terms of fines and loss of reputation.

What medical practices really need is a way to put HIPAA compliance on rails – so it’s simple to understand and easy to handle. We’re now offering an easy-to-use software solution, Embrace Compliance Guard. It will help you with risk assessment, train your staff, verify your compliance status, produce the reports you need, and a whole lot more. It also provides Compliancy Coaches for live human help when you need it.

This software is the solution I’ve been wanting to provide to my medical clients for a long time, and now it’s available. mPowered IT, as a provider to medical clients, has been trained on this system, and we have ensured that we are HIPAA compliant too. We can provide Embrace Compliance Guard on its own or as an addition to our Managed IT Support Services for medical practices.

Learn all about it here. Or, give us a call at 678-389-6200.

How’s that phone system working out for you?

IT service issues

That phone system you put in years ago is probably in need of an upgrade, but who wants to deal with that hassle and expense? Yet, it’s hard to grow and move forward with what you have.

We are helping small businesses get a better, more advanced phone system, without the huge cost and drama. The small business phone system of the future is VoIP – a cloud-based system.

With our Embrace Voice cloud-based phone system, you never have to worry about set ups, managing, updating or repairs ever again. For one low monthly fee, you suddenly have the most cutting-edge phone system with the most advanced features.

Why stumble through another awkward conference call or irritate another customer with a less-than-friendly on-hold system, when you can quickly switch to a system that really helps your business and its future growth?

Learn more about VoIP and let’s talk about how you can use it to help your business. Call 678-389-6200.
