
Suppliers Under Attack

The company Blackbaud helps companies in a variety of industries manage their customer relationships. Their services include fundraising and relationship management, customer engagement, financial management and related services.

The customers span many industries including arts and culture, faith based organizations, non-profit foundations, healthcare organizations, higher education, change agents and even commercial corporations.

Companies can also install their own copies of the Blackbaud software in their own computer rooms and data centers instead of in Blackbaud’s data centers. It is this subset of their customers, and only some of them, that was compromised.

Unfortunately for Blackbaud, among the many companies affected are healthcare providers, and since they are HIPAA Covered Entities, they are required to report these breaches to the U.S. Federal Government, which publishes the largest of them.

While this breach (which was actually a ransomware attack where the hackers stole the data before encrypting it) happened in May and this is September, we are still hearing about more companies whose data was compromised, including some who have not yet reported the breach.

Among those companies are:

  • Northern Light Health – 657,000 people’s information compromised
  • Saint Luke’s Foundation – 360,000 people
  • Multicare Health System – 179,000 people
  • University of Florida Health – 136,000 people

and others. The total, just in healthcare, so far (with more to come) is almost 1.6 million people whose data was compromised.

This is just ONE VENDOR who serves healthcare that was attacked this year.

Another vendor is Magellan Health which is a managed healthcare provider. That breach affected about 1.7 million people.

Some organizations were affected by both breaches.

And while the Magellan breach likely only affected the healthcare industry and that is where this story is focused, the Blackbaud breach affects every industry.

In the case of healthcare, as is usually the case, who winds up on the short end of the stick is the healthcare providers.

In concept, they did nothing wrong other than trust a provider, a vendor, that maybe they should not have trusted.

These 3+ million people who were affected represent just two compromises and just this year. Many other organizations were independently hacked this year and their numbers are not included.

Again, in 2020 alone and only in healthcare, 345 breaches affected over 11 million people. Those are just the ones that were posted to the Department of Health and Human Services’ “wall of shame”.

But fines, if and when they do happen, are typically small and come 5 years or more after the event, when most of the people responsible are no longer there.

So what needs to happen?

First of all, given the current Republican administration, it is unlikely that enforcement is going to increase or speed up.

Ultimately, the companies who hire these vendors are the ones who have to do the heavy lifting. It is the companies’ responsibility to make sure that their vendors secure their data.

There is no rocket science involved. What is involved is:

  • Time
  • Money
  • People
  • Motivation

Unfortunately, at least some businesses look at it as a profit and loss decision. If it is perceived to cost more to fix the problems of poor security than to deal with the consequences, some companies make that financial decision.

But as a company that hires these vendors, you can impact this.

Your vendor CYBER risk management program needs to make sure that the vendors that have access to or store your clients’ data are following best security and privacy practices.

You also want to make sure that your contracts with these vendors hold those vendors financially responsible for all of the costs that you bear including lost business and lawsuits, among other costs.

The only way we are going to shift the conversation and have vendors make the needed investments in cybersecurity is if it becomes more costly to be non-secure than secure.

In the case of healthcare, it is easy – it is the law!

If you need help building or enhancing your vendor cyber risk management program, please contact us. Credit: Data Breach Today

Law Firms Face Cyber Security Risks

“This is not time for firms to keep calm and carry on.  The proper response is to freak out.” – Prof. Dan Solove, GWU Law School

While I am not sure that freaking out is, in fact, the only proper response, I think that what Prof. Solove is saying is that ignoring the situation is not going to work very well. We are beginning to see law firms being hacked showing up in the news. Firms such as Weil and Cravath have been outed by the FBI. Bloomberg says that 80 out of the top 100 law firms have been hacked. The Russian hacker Oleras has announced he is trying to hack 48 specific law firms. It seems like the handwriting is on the wall.

Professor Solove calls hacking law firms a “gourmet data feast“.  Once they get in, many law firms have little to no monitoring, so the odds of getting caught are nearly zero.  In addition, many firms have no internal access controls, so while associates are not supposed to access files for clients that they are not working on, there is nothing to stop a hacker, who is using an associate’s credentials, from hacking every client’s data and sending it to their server in Outer Slobovia.

The gourmet data feast comes from the fact that most law firms have hundreds of clients, and the data that they hold may include HIPAA protected information, non-public personal information, financial information, criminal trial information, civil trial information, merger and acquisition information, insider trading protected information and other sensitive files. Hackers’ mouths just water at the thought of it.

Prof. Solove suggests that state laws governing breach of confidentiality, public disclosure of private facts and negligence may be used against attorneys that do not take appropriate steps to protect their clients’ information. Even if the case is not ultimately successful, the reputational damage can be significant.

In the case of HIPAA protected information, the fines can be very steep. HHS can fine a law firm that has a client’s protected health information up to $1.5 million per violation. In addition, the client can be fined because the law firm is now considered a business associate under the HIPAA and HITECH regulations, and if the client does not have a written and signed business associate agreement, they can be held liable for violating HIPAA as well.

In addition to dealing with the breach (paying for forensics investigations, dealing with lawsuits and depositions, reputational damage and regulatory fines), victim clients could file ethics complaints for failing to adequately protect confidential information.

A client’s trade secrets could be disclosed and I am not sure how you can possibly put that genie back in the bottle.

In addition, the client could be liable too, via vicarious liability.

Since the client did not adequately vet the law firm for cyber security risk prior to hiring them, they get to share in the responsibility. Assuming this happens, the client could both get sued by the victims and sue the firm.

To really make things messy, the FTC recently sued a company for violating section 5 of the FTC Act – unfair or deceptive practices – for failing to vet their vendor prior to giving them sensitive information.  This means that the FTC could commence an action against your client for your data breach.  Under typical FTC consent orders, the FTC will be closely watching your client for a mere 20 years and requiring an external audit every year or two.  Who do you think the client is going to turn to in order to recover those costs?

To make matters a little more uncomfortable, the insurance broker Marsh did a study recently and found that only half of the law firms surveyed had cyber risk insurance and 60% said that they had not calculated the effective revenue that could be lost following a breach.  For the firms that do have insurance, whether the insurance would adequately cover the effects of a breach is unknown.

One last thought.  Professor Solove has almost 900,000 followers to his LinkedIn blog in addition to being a law professor at GWU Law School.  In the blogging world, that is a ridiculously large following.  He is also the organizer of the annual Privacy + Security forum in Washington, DC.  I would suggest that he would likely qualify as an expert.

Information for this post came from Prof. Solove’s company, Teach Privacy.

Why Healthcare Providers Need To Have An Effective Cyber Security Program

The Anchorage Community Mental Health Services (ACMHS) just agreed to pay a $150,000 fine after a 2012 breach of approximately 2,500 patients’ protected health information (PHI) due to malware on their healthcare software system, according to Healthcare IT News.

Apparently ACMHS had adopted the sample Security Rule policies in 2005 but didn’t bother to follow them from 2005 to the date of the breach in 2012. As a result, they ran outdated, unpatched software, leading to the breach.

In addition to the $150,000 fine, they agreed to a corrective action plan lasting two years which, if they complete it successfully, gets them off the hook for this HIPAA violation.

While this organization had 5 locations, if they only have 2,743 patients, they are small.

On the other hand, the good, old fashioned paper breaches are still going strong. Parkview Health System in Ft. Wayne, Indiana decided that placing 71 boxes of patient records on the driveway of a retiring physician (who was out of town) was a good plan. They had to cough up $800,000 in fines.

But these fines are not limited to the small guys. New York Presbyterian Hospital/Columbia University Medical System paid a $4.8 million fine after patient records for 6,800 patients wound up on Google back in 2010.

These 3 incidents represent a small part of the $26 million in fines the Feds have levied against healthcare entities so far.

While having a good cyber security program won’t stop you from having a breach, it will improve the odds. For example, if your cyber security program requires you to encrypt data on laptops and tablets and you actually do that, then when one of your employees loses a device containing PHI, you have a safe harbor, meaning that you don’t have to pay a fine.


Small Businesses Face Big Cyber-Risks

Is your business prepared for a cyber breach? Besides the cost, there is the potential for damage to your reputation, loss of customers, distraction while dealing with it and the potential for lawsuits, which can go on for years.

An article at AZCentral.com talks about the subject and the fact that hundreds of small businesses have been hacked recently. The challenge with cyber-breaches is that the bad guy gets a copy of your data but you still have it too, so you might not even be aware that you have been attacked.

Sometimes you are never aware that you have been attacked.  Other times, the media catches it and announces it – like with Home Depot.  Still other times, law enforcement pays you a visit and lets you know.

Don’t think that because you are a small business you are immune. In fact, hackers assume that small businesses likely have fewer defenses and are less likely to discover an attack. Statistics indicate that about a third of all data breaches are against organizations with fewer than 100 employees.

Cyber-insurance may help with the costs and your defense in court if it goes there (there are over 50 lawsuits pending against Target right now), but that won’t help with the distraction and the damage to your reputation.

Cyber-insurance is a non-standard product meaning that the exclusions and limitations vary from policy to policy.  Assuming you don’t have cyber liability insurance, you should consider it.  If you do, you should review it to understand what is covered and what is not covered.  This is a case where surprises are not a good thing.

For many businesses, cyber risk mitigation is an area where bringing in outside expertise is a good idea.

Mitch Tanenbaum

Why we are going to see more card breaches at retailers

An article in Venturebeat the other day suggested 7 reasons why we are going to continue to see credit card breaches at retailers.  First I will share their list, then I will add my own.

Their list includes:

  1. The PCI standard is failing to protect merchants from breaches
  2. Merchants are not implementing P2PE
  3. Retailers introduce new payment hardware (such as tablets) that are neither designed nor tested for security issues in a hazardous retail environment
  4. Merchants add new features to their payment platforms as patches to already buggy systems.
  5. Many of the POS systems are still running Windows XP
  6. Many card breaches lead to Russia.  Russian hackers attack American systems as a patriotic move
  7. EMV is not a silver bullet.

The article goes into more detail on each of these, but these reasons probably are obvious.  I don’t disagree with any of these conclusions.

Possibly the biggest reason that we will see continued breaches is that fixing the problem is hard.  It requires changes to software, way more testing, replacement of old, outdated platforms and changes to business processes.  All of these require time, money and possibly expertise that both brick and mortar and online retailers have not yet prioritized high enough.  So, what retailers do is comply with the PCI rules and state laws and leave it at that.

On top of that, no matter what you do, there is no quick fix. You can do many different things and still get hacked. It has been, and likely always will be, a cat and mouse game.

And, the public is quick to forget (although this has not yet worked for Target – they are still struggling a bit), so retailers add a few more patches and call it good.

From the retailer’s perspective, if someone told you to spend an unending bucket-o-cash on a problem without any assurances that the problem will be fixed, what would you do?

Anyone got a silver bullet?

Mitch Tanenbaum


Why do attackers like your current security strategy?

I just read a white paper on a security vendor’s (Prevoty.com) web site and I think they really understand the problem.  I have not had a chance to review their products, so I make no claims about them, but I do recommend reading the article.

First a quote from the paper:

Traditional security is like a city protected by castle walls with a moat and a drawbridge to keep invaders at bay. But now the walls have fallen down and the invaders have sprouted wings, waving to your guards as they fly over the moat. Good luck protecting your citizens.

Now onto their 5 reasons attackers love your strategy:

1. Relying on signature and past definitions exposes applications to zero-day attacks.

Most security solutions rely on the assumption that what is going to happen in the future is based on what has happened in the past. While this is partly true, it certainly isn’t exclusively true. Examples of this are what are known as zero-day attacks: something new, something different. It could be something as simple as a technique that was used in the past, but in a different context. Basing the future solely on the past is not a good security strategy.

2. Perimeter-based security cannot protect today’s distributed world.

In olden days (like a few years ago) when mobile phones, tablets and laptops were not as integrated into the enterprise as they are today, you might have been able to at least define the perimeter of your enterprise. That would be a step towards protecting it. Today, you cannot even tell me on what devices your corporate data exists, never mind whether you own or control those devices (the misguided principle of BYOD is the primary cause of that, but that is the subject of an entire post by itself).

3. Any attempt at active prevention that occurs outside of the application has no context

This one I might argue with a tiny little bit, but only a tiny bit. The key point is that you MUST mitigate risk in the context that the risk exists in. Risk is always context sensitive.

4. Developers are not, and should not be, security experts

If you are counting on your developers to protect you, you already have a problem.  This is not meant to reflect negatively on them.  That is not their focus.  Their focus is to create great applications that satisfy your business requirements.  Security is a discipline of its own and should be treated that way.

5. Your business is not application remediation

Boy, howdy! As I said above, application, system and network security is a discipline by itself. Hackers are working 24×7 to break into your world. You need someone on your side who thinks the way hackers think, and who doesn’t have to do that as a sideline.

One of the interesting things about digital attacks is that unless the attacker is unskilled or wants you to know she has been there, you often won’t know that an attacker is inside your system. The only reason Edward Snowden is a household name today is that he ‘outed’ himself. Initially General Alexander of the NSA told Congress that Snowden took around 250,000 documents. Later the General said he took 1.7 million documents. I suspect they don’t really know what the number is. And remember, the NSA is an organization that prides itself on its data security efforts. How does your average company compare in terms of security budget, staff and expertise to the NSA? This is a difficult and never ending battle, for both you and the NSA.

According to a recent Experian report, 60% of small businesses that suffer a breach go out of business within 6 months.  A strategy which depends on you not being attacked may not be totally effective.

Mitch Tanenbaum