Category Archives: Best Practices

Colorado Healthcare Provider Fined $111,000 For HIPAA Violations

It seems that the US Department of Health and Human Services Office of Civil Rights is increasing enforcement actions against health care providers and their vendors (known as business associates).  While one might have suspected that enforcement actions would be down under this administration, in fact, the opposite is true and fines are up.

In this case, the Pagosa Springs (Colorado) Medical Center paid $111,000 plus for failing to terminate the access of a former employee to a patient calendar program.

The calendar only contained information on 557 patients, so this is not a massive breach.

They also did not obtain a signed Business Associate Agreement from Google, who’s software they were using.

The former employee accessed (but didn’t appear to do anything evil with the data) the data twice, two months apart.

The medical center had to enter into a corrective action program that included a number of items including improved policies, training and other items.

OCR Director Roger Severino said that enforcement will increase under his watch.

Evidence of this is that this is the third enforcement action in the last month.

On December 4th, a Florida based physicians group paid a $500,000 fine for various HIPAA violations.

A week prior to that, OCR settled with a Hartford based practice for $125,000 for impermissible disclosure of protected health information.

Putting this all together, it would seem to lend some credence to OCR’s claim that enforcements are up.

In the first case, only 557 records were involved.  That translates to a fine of $200 per record disclosed.

In addition, to fine someone for not having a BAA with a company like Google indicates that they definitely want people to obey the process, without regard to there being significant risk (on the part of Google).  After all, Google probably has as good a security as the best medical practices.

The HIPAA compliance process is complex and even daunting, but failing to follow it can be expensive.

It also appears that the Office of Civil Rights has a very long memory as one of these fines was for something that happened 7 years ago, in 2011.

Our recommendation is to follow the process and document what you have done.  Though that can be painful, so is writing a check to the government for $100,000 or even $500,000.

Information for this post came from Health IT Security.

 

 

Facebooktwitterredditlinkedinmailby feather

The Swatters have Moved on to the Next Thing

Swatting is the practice of phoning in fake 911 calls about life threatening situations and having SWAT respond to random houses, scaring the crap out of the occupants and often times doing thousands of dollars of damage, which the municipality has to pay for using tax dollars.

Earlier this year a gamer swatted what he thought was another gamer that he was upset with, but he had the wrong address and when SWAT arrived, they shot and killed the homeowner.  The officers did not face any charges and 25 year old Tyler Barriss pleaded guilty and will be sentenced to at least 20 years in jail.

Not satisfied at making small amounts of chaos and killing small numbers of innocent people, authorities today were faced with hundreds of bomb threat emails directed at schools, businesses and government buildings.   While no one was killed by police responding today, a large amount of police resources were wasted and police were likely diverted from responding to other incidents.

Some police departments, like New York, treated the bomb threats as hoaxes, but that could backfire badly if next time any of the bombs are real.

Some buildings were evacuated like city hall in Aurora, Illinois, the News & Observer in Raleigh, North Carolina, a suburban Atlanta courthouse and businesses in Detroit.

In the Denver area, Columbine High School, the site of one of the first mass school shootings (in 1999) and the genesis of a total shift in police response tactics to active shooter incidents, went into lockdown as sheriffs and bomb squad techs looked for bombs.  That bomb threat was phoned in rather than sent by email.

Today’s events will likely give swatters more ideas and put police in more no win situations.

The FBI has mobilized a national investigation.

As a target of a swatting incident, the best advice is to remain calm and do as instructed by the police.  Let them sort it out and deal with the fallout later.  Since the police have no way to know if the threat is real and who the “bad guys” are, they, unfortunately, sometimes make mistakes.

In this case, building owners, in cooperation with police, sheriffs and other law enforcement agencies had to make decisions.  Those decisions, if wrong, have the potential for catastrophic consequences.  

It is interesting that different law enforcement agencies had different responses – from evacuation to shelter in place to ignoring the threat completely. 

Since swatting has been around for several years and continues to be a problem for law enforcement, I suspect that this new version of mass swatting will continue that trend.

Police are not saying if they think today’s events are the work of one person or group of people or many, but I doubt that even if they arrest and prosecute a few people that it will discourage other crazies from trying it.

What is unprecedented in today’s activities is the scale – going from coast to coast and encompassing schools, religious institutions, government buildings and private businesses – over a hundred in all.

It seems likely that if this becomes popular that it is inevitable that people will die in the chaos.

Unfortunately, there is not much that you can do preemptively to avoid these situations.  In the case of the Kansas man who was shot and killed by police, the emergency call was eventually traced to a phone in Los Angeles, but that took days to figure out.  When police get a 911 call, they have to react in seconds.

It is likely that police and sheriff’s dispatchers are looking at options after today, but I do not see many good options.

Information for this post came from the AP and The FBI.

 

 

Facebooktwitterredditlinkedinmailby feather

NSA Says US Companies Losing Ground to Chinese on Cyber Attacks

Rob Joyce, long time NSA cyber executive, former special assistant to the President for cybersecurity, cybersecurity coordinator for the National Security Council and all around cyber guru says that we are in trouble.

He said that Chinese cyber attacks have increased in recent months, targeting critical infrastructure.

He says that he is worried that they are preparing for disruptive operations against that critical infrastructure.

What is he considering critical infrastructure?

  • The US Energy sector (like lights, heat, water, etc.)
  • Finance (banking)
  • Transportation (Planes, trains and automobiles)
  • Healthcare (doctors, hospitals and clinics)

Other than that, things are pretty good.

This is, of course, in addition to Chinese theft of intellectual property and espionage.

These comments are in advance of what is likely new government charges of hacking by the Chinese and additional sanctions.

So as long as you don’t drive a car, take public transit, have lights and heat where you live, use a bank, need to see a doctor or use any technology, you have nothing to worry about.

What do you need to do?

If you own or manage a US business, you need to up your cybersecurity game.

What does that mean?  Patching, employee training and alerting are a good beginning – but just a beginning.

Probably over 99% of attacks are targets of opportunity, meaning that the bad guys have no idea who they are attacking.

This includes consumers.  We hear stories regularly of people losing thousands to hackers.  If you have thousands to spare so that you don’t care if you lose a few thousand to a hack, then don’t worry about it.

If that would be a problem, then you need to up your game too.  Learn when not to click and how to protect yourself, patch your computers and phones and take other precautions.

For the Chinese and others, they will keep hacking until they get in.  Somewhere.  Anywhere.

While this may not sound nice, you need to protect yourself so that the hackers attack your neighbor rather than attacking you.  They will attack the easiest target.  If you can help your neighbor too so that the hackers go to a different  town, that is OK, but number one is to protect your information and your money.

If you need assistance, contact us, but please take this seriously.

Information for this post came from Reuters.

Facebooktwitterredditlinkedinmailby feather

Sextortion Campaign Adds a New Twist

Sextortion is malware that tries to convince you that the attacker has compromised your computer and has videos of you visiting adult web sites.  The attackers promise not to share the videos with your friends if you pay them money.  The videos do not exist, but scared people sometimes pay.

The new variant of the attack tells you to download a sample video to prove their claims.

In fact, the so called video is really malware.  The first piece of malware steals your account passwords, files and more.  The second piece of malware encrypts your data.

Before downloading the sample video you thought you had a problem.  After the download, you really do have a problem.

So, what should you do?

First of all, if you get a threatening email like the above, slow down, take a deep breath and consider things.

For most people – who don’t visit porn sites – keep your curiosity at bay and DELETE the email.  DO NOT OPEN THE ATTACHMENT!

I always recommend covering your webcam on your laptop.  If you have followed this advice, see the above.

For the very small group of people left, it you think that this video actually may exist, consult an expert.  They can safely deconstruct the attachment and figure out if it really what the attacker claims.

Lastly, as I always say, backup early.  And often.  Preferably multiple copies.  If possibly, at least one copy offline.  I keep at least one version of my backups in a bank vault.  Very hard to hack.

Source: Bleeping Computer.

Facebooktwitterredditlinkedinmailby feather

News Bites for the Week Ending December 7, 2018

Australian Parliament Passes Crypto Back Door Law Overnight

Politics always wins.  After the Prime Minister said that the opposition party was supporting terrorism, the opposition completely folded after claiming that Parliament would implement amendments after the first of the year.

Since politicians lie about 99.99% of the time, the party in power is now saying that they only might, possibly, consider some amendments.

It is not clear what software companies will do if asked to insert back doors.  One thing that is likely true is that they won’t tell you that they have inserted back doors into your software.  Source: The Register.

 

Sotheby’s Home is the Latest Victim of Magecart Malware

Magecart is the very active malware that has been found in hundreds of web sites and which steals credit card details from those sites before they are encrypted.

Sotheby’s, the big auction house, says that if you shopped on the site since, well, they are not sure, your credit card details were likely stolen.

They became aware of the breach in October and think that the bad guys had been stealing card data since at least March 2017.

Eventually governments will increase the fines enough (Uber just got fined $148 million – we are talking REALLY large fines) that companies will make the decision that it is cheaper to deal with security than pay the fines.  GDPR will definitely help in that department with worst case fines of up to 4% of a company’s global annual REVENUE (not profit).

Sotheby’s acquired the “Home” division about 8 months ago, so, like the Marriott breach, the malware was there when they acquired the company and their due diligence was inadequate to detect it. Source: The Register.

 

Sky Brazil Exposes Info on 32 Million Customers Due to User Error

I continue to be amazed at the number of companies that can’t seem to do the simple things right.

Today is it Sky Brazil, the telecom and Pay-TV company in Brazil.

They were running the open source (which is OK) search tool Elastic Search, made it exposed to the Internet and didn’t bother to put a password on it.  Is password protecting your data really that hard?  Apparently!

What was taken – customer names, addresses, email, passwords (it doesn’t say, so I guess they were not encrypted), credit card or bank account info, street address and phone number, along with a host of other information.

After the researcher told them about their boo-boo, they put a password on in quickly.  We are not talking brain surgery folks. How hard is it really to make sure that you put a password on your publicly exposed data?

Apparently the data was exposed for a while, so the thought is that the bad guys have already stolen it.  Nice.  Source: Bleeping Computer.

 

Yet Another Elastic Search Exposure – Belonging to UNKNOWN

Maybe this is elastic search week.  Another group of researchers found a data trove of elastic search data, again with no password.  Information on 50 million Americans and over 100 million records.

Information in this case is less sensitive and probably used to target ads.  The info includes name, employer, job title,  email, phone, address, IP etc.  There were also millions of records on businesses.

In this case, the researchers have no idea who the data belongs to, so it is still exposed and now that they advertised the fact that it is there, it probably has been downloaded by a number of folks.

That kind of info is good for social engineers to build up dossiers on tens of millions of people for nefarious purposed to be defined later.  Source: Hackenproof.

 

Microsoft Giving Up on Edge?  Replacing it with Chrome?

If this story turns out to be true – and that is unknown right now – that would be a bit of a kick in the teeth to Microsoft and a huge win for Google.

Rumor is that the Edge browser on Windows 10, which is a disaster, along with Microsoft’s Edge HTML rendering engine are dead.  Rumor is that Microsoft is creating a new browser, code named Anaheim,  based on the open source version of Chrome (called Chromium) which also powers the Opera and Vivaldi browsers.

If this is true, Google will effectively own the browser market or at least the browser engine market.  That could make them even more of a monopoly and a target for the anti-trust police.  Source: The Hacker News.

 

Turnabout is Fair Play

While the Democratic party seems to have escaped major hacks in this election cycle, apparently, the Republicans didn’t fare as well.

Several National Republican Congressional Committee senior aides fell to hackers for months prior to the election.  The NRCC managed, somehow, to keep it quiet until after the election, even though they had known about it for months.

Once way they kept is quiet is by not telling Speaker Paul Ryan,  Majority Leader Kevin McCarthy or other leaders about it.

In fact, those guys found out when the media contacted them about the breach.  I bet they are really happy about being blindsided.

Anyway, the cat is out of the bag now and the NRCC has hired expensive Washington law firm Covington and Burling as well as Mercury Public Affairs to deal with the fall out.  I suspect that donors are thrilled that hundreds of thousands of dollars of their donations are going to controlling the spin on a breach.

Whether the hack had anything to do with the NRCC’s losses in the past election is unknown as is the purpose of hacking the NRCC.  It is certainly possible that the hackers will spill the dirt at a time that is politically advantageous to them.  I don’t think this was a random attack.  Source: Fox News.

 

Another Adobe Flash Zero-Day is Being Exploited in the Wild

Hey!  You will never guess.

Yes another Adobe Flash zero-day (unknown) bug is being exploited in the wild.  The good news is that it appears, for the moment, to be a Russia-Ukraine fight. The sample malware was submitted from a Ukraine IP address and was targeting a Russian health care organization.  Now that it is known, that won’t last long.

The malware was hidden inside an Office document and was triggered when the user opened the document and the page was rendered.

Adobe has released a patch.  Source: The Hacker News.

Facebooktwitterredditlinkedinmailby feather

What Do December Breach Announcements Point Out

First it was Marriott.  The breach of Marriott’s Starwood division systems exposed data on 500 million clients and triggered multiple lawsuits and investigations.

That breach was four years in the making and across two different management teams – first at Starwood and then at Marriott.

Undetected.

This week 1-800-Flowers announced that it too was breached.  The Canadian division’s web site was breached.  In 2014.  They detected the breach in September 2018, four years into it.

Undetected.

How do hackers remain inside the systems of large companies for four years?

Were the hackers targeting Marriott or 1-800-Flowers?  Probably not, but once they got in they probably thought they went to hacker heaven.

If hackers can do that to large companies, what about small companies?

Bottom line is that smart hackers want to stay in your system for as long as possible to maximize the “value”.

If you are stealing only credit cards, you can’t wait too long because credit cards expire.  In the Marriott case, which is now linked to hackers working for the Chinese, they stole a lot of other useful information for identity theft that has a much longer shelf life.

Also, it seems to be taking Marriott a long time to figure out what was taken.  I am not clear that they even really know now.

Big companies already know that they are target of attackers, but so are small companies.

As companies increase the use of cloud based systems, detecting the attacks could be harder. 

Are you asking your cloud providers – all of them – who is responsible for detecting breaches?  I bet for many providers, they will say it is you.  And who responds to them?

Are you ready to respond to an incident.  Including figuring out what you are going to say on social media and how you are going to respond to social media chatter.  Sometimes that chatter can get pretty brutal.

Companies need to prepare for and test how they are going to respond.

Small companies say it won’t happen to them, but, while the Marriott and 1-800-Flowers type of breaches get lots of press, the vast majority, by numbers, of breaches happen to companies with a few employees up to a couple of hundred employees.

Both of these breaches were outed when the companies reported the breaches to authorities, so if you think you are going to keep your breach quiet, that is likely impossible unless it is really small.

Get prepared, stay prepared and be thankful if you don’t have to activate that preparation.

Information for this post came from Threat Post.

Facebooktwitterredditlinkedinmailby feather