Hacks Against Healthcare Industry on the Rise

Hackers are continuing to use the coronavirus crisis for personal profit. We recently wrote about the increase in malicious sites and phishing campaigns impersonating the World Health Organization and other healthcare companies. But now hackers appear to be turning their sights to the healthcare sector itself. Here are two notable cases from the past few weeks.

WHO Malware Attempt

Earlier this week, the World Health Organization confirmed hackers attempted to steal credentials from their employees. On March 13th a group of hackers launched a malicious site imitating the WHO’s internal email system. Luckily, the attempted attack was caught early and did not succeed in gaining access to the WHO’s systems. However, this is just one of many attempts being made to hack into the WHO. The chief information security officer for the organization Flavio Aggio told Reuters that hacking attempts and impersonations have doubled since the coronavirus outbreak.

Similar attempted hacks against other healthcare organizations are popping up every day. Costin Raiu, head of global research and analysis at Kaspersky, told Reuters that “any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country.”

Ransomware Attack Against HMR

Unlike the attack on the WHO, a recent ransomware attack was successful in stealing information from a UK-based medical company, Hammersmith Medicines Research (HMR). The company, which performs clinical trials of tests and vaccines, discovered an attack in progress on March 14th. While they were successful of restoring their systems, ransomware group called Maze took responsibility. On March 21st, Maze dumped the medical information of thousands of previous patients and threatened to release more documents unless HMR paid a ransom. HMR has not disclosed how the attack occurred, but have stated that they will not pay the ransom.

Four days after the initial attack, Maze released a statement saying they would not target medical organization during the coronavirus pandemic. Yet, this did not stop them from publicizing the stolen medical information a week later. After the attack gained publicity, Maze changed their tune. The group removed all of the stolen files from their website, but blamed the healthcare industry for their lack of security procedures: “We want to show that the system is unreliable. The cyber security is weak. The people who should care about the security of information are unreliable. We want to show that nobody cares about the users,” Maze said.

Conclusion

 Times of crisis and confusion are a hacker’s delight. The staggering increase of hacks against the healthcare industry only help prove that.  The key to mitigating these threats is to ensure that security configurations are set to industry best practices, continuously scan your networks, lock down or close open ports, secure or (preferably) remove Remote Desktop Protocol, and require Multi-Factor authentication for any remote access.  And certainly, make sure you are testing your incidence response plan.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog

The SHIELD Act: New York’s Newest Cybersecurity Regulation:

Other than California, New York now has some of the strictest cybersecurity regulations in the U.S. In 2017, New York passed a bill that regulates data privacy for the financial services. Now, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) is in effect as of March 21st. Unlike previous legislation, compliance is not limited to specific industries and pertains to any business that processes the personal information of New York residents. And, despite the current pandemic, lawmakers have not delayed the implementation of the new law.

Here is what you need to know to ensure compliance with the SHEILD Act.

Protected Data

Much of the data protected under the SHIELD act is already covered by the state’s breach notification laws. This includes social security numbers, driver license numbers, account numbers, and debit and credit card numbers. However, the new regulation expands the definition of protected data by also including biometric data, and email addresses in combination with passwords or security questions and answers.

The SHIELD Act also expands the definition of a security breach. A breach is considered to occur not just if an unauthorized person takes or uses private information, but also if that data is accessible to anyone not considered authorized to view that information. There are many examples of where this could possibly take place, including providing access of sensitive information to third party vendors who do not need to access that information or having the credentials of an email account compromised even though there was no sensitive data in the email folder.

Security Requirements

The SHIELD Act also lays out a series of cybersecurity protections needed to maintain compliance with the regulation. Broadly, the act requires businesses to put in place “reasonable safeguards” to ensure the privacy of their information. However, the regulation also requires organizations to maintain a written cybersecurity policy. One of the unique requirements of the policy is that organization must have at least one employee dedicated to maintaining cybersecurity procedures. In addition, cybersecurity policies need to address the following:

  • Identification of internal and external security risks
  • Assessment of the ability of technical safeguards to protect against identified risks
  • The training of employees on security practices
  • Reviewing security practices of third party vendors
  • Proper detection and response to unauthorized access
  • Regular testing of security controls
  • Secure disposal of protected information within a reasonable time frame.

Conclusion

There are certain businesses that do not need to meet these exact security requirements. Small businesses with under 50 employees, for example, are exempt if they can demonstrate they have taken reasonable steps to ensure the privacy of their information. In addition, organization already regulated by other privacy laws such as HIPAA, Graham-Leach-Bliley Act, or New York Department of Financial Services regulations are covered if they maintain compliance with these other regulations.

Because the scope of the SHIELD Act is so broad and could affect many businesses outside of New York, it is very important for all organizations to carefully review the new regulation. New York is likely to begin enforcement of the regulations very soon, and non-compliant business may receive fines of $5,000 per violation with no penalty caps.

However, even businesses not affected by the SHIELD Act should think seriously about implementing some of the recommended security measures. More and more states are beginning to implement similar regulations, and the burden of implementation could be costly if it is left to the last minute.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog

Coronavirus and the Right to Privacy

 The coronavirus has unquestionably changed the way we live. It has also forced us into strange and, until just a few weeks ago, unthinkable ethical dilemmas. To visit loved ones is worth genuine ethical reflection. Modern nations, especially in the West, are built on an ethics of individual freedoms and the right to privacy. However, the current global health crisis is forcing us to rethink just how fundamental those ethics should be. While we already feel this with regards to the freedom of movement, we are just beginning to contemplate how the coronavirus can and should effect our right to privacy.

Contact Tracing and Enforced Quarantine

In order to limit the spread of the coronavirus, experts emphasize the importance of tracking every contact infected patients have had with others. Countries such as China, Singapore, South Korea, and Taiwan have all taken aggressive measure trace all potential contact infected people have had. These measures are widely considered to be a large reason why these countries have been successful in lowering the rate of transmission. However, the aggressive measures taken have come at the cost of individual privacies.

Taiwan and Singapore, for example, regularly post detailed information about everyone who test positive, including where they live and work, what train stations they have used, and what bars and restaurants they frequent. South Korea now has an app that allows users to track the exactly movement of those infected.

Countries are also using location data to enforce quarantine for those infected. Israel, for example, is now using data collection techniques previously used for counterterrorism efforts to identify anyone potentially exposed to the virus. The government uses this information to send text messages to those exposed ordering them to quarantine.

European and the U.S. Response

As the coronavirus spreads to Europe and the U.S., lawmakers are exploring the use of similar techniques. Italy now uses location data to monitor whether people are obeying quarantine orders. In the U.S., the White House is reportedly in conversations with tech companies to use anonymized location data to track the spread of the virus. HIPPA regulations are being waived to allow doctors and mental health providers to more freely use telecommunication to speak with patients. Companies in Italy, Austria, and Germany have also announced that they will provide location data to governments.

However, with privacy regulations such as the GDPR, it is unclear how aggressively European countries will be able to use personal information. The European Data Protection Board (EDPB) released a statement urging governments to continue to abide by privacy regulations in place. At the same time, however, the EDPB conceded that countries may suspend such regulations “when processing is necessary for reasons of substantial public interest in the area of public health.”

Consequences

Relaxing the right to privacy has garnered mixed responses by government officials and security experts. Many have pointed out that while the measures taken are extreme, personal information such as location data is highly effective in limiting the spread of the coronavirus. “We are stretched very thin in most states,” said the director of the Center for Global Health at Oregon State University, “so this kind of technology can help every state to prioritize, given their limited resources, which communities, which areas, need more aggressive tracking and testing.”

Others are concerned how this could endanger those whose information is made public. In South Korea, some have used information released by the government to identify infected individuals and attack them online. This has led officials to question how the government uses this information, worrying it will discourage others from getting tested for fear of being publicly exposed.

While nearly all countries have explained suspending the right to privacy is a temporary measure for the benefit of the public health, many worry it will have a permanent effect on how governments and countries view privacy concerns. After 9/11, for example, the U.S. used highly invasive surveillance measures that have since become common place among law enforcement agencies. According to the New York Times, privacy experts worry something similar could happen after the current crisis.

What restrictions we, as a society, can tolerate, and what effect this will have after the current crisis remains an open question. However, it may also involve a false choice.  There are technologies to both assist contract tracing and preserve anonymity.  Privacy by Design does not have to be put on pause as we develop these tools.  In fact, if we want to encourage wide adoption, it might be required.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog

A Breach of Breaches Past

A breach of breaches past has come back to haunt us. Last week, a cybersecurity expert discovered a that a collection of over 5 billion records from previous data dumps were left exposed and publicly accessible. What’s worse, the exposure occurred at the hands of a cybersecurity firm, Keepnet Labs. Because all of the data was previously exposed, no new information was put at risk. However, the size and sensitive nature of the data involved could lead to renewed risk for victims of previous breaches

What was Exposed and How?

The London-based security firm created a database of exposed information from some of the biggest data dumps between 2012 and 2019. This includes records from well-known data dumps such as Adobe, Last.FM, Twitter, LinkedIn, and others. What’s more, the records within the database includes some highly-sensitive such as emails and passwords. The exact reason for compiling this database is not yet clear.

Keepnet Exposed Database

The incident was not the result of any malicious action. Instead, Keepnet Labs placed the records in Elasticsearch, an open source data and analytics search engine, and neglected to use any password protection or firewalls to keep the database private.

The lack of such basic protections may be because Elasticsearch’s security features are disabled by default. In fact, Elasticsearch has suffered a series of similar breaches within the past few years. Only two months ago, 250 million records of Microsoft customers were exposed through similar misconfigurations on Elasticsearch servers. Given amount and size of these exposures, it is unclear why Elasticsearch has not taken more steps to ensure the security of their services.

Consequences

Just because the data involved in this breach has all been previously leaked does not mean this incident isn’t something to be concerned about. According to reports, the records are extremely well structured, and the sheer size of the database makes the information easily accessible for hackers to use in phishing schemes or to resell online. This could lead to those whose records were previously exposed see a renewal of fraud attempts in the upcoming months.

Want to see if the breach of breaches past could come back to haunt you? We recommend going to haveibeenpwned.com. The website allows you to search any email address or passwords you have used to see if your information was exposed in previous breaches, including many of the breaches involved in Keepnet Lab’s database.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog

Hacker Fails

Recently, we’ve written a series of articles looking the at various ways the coronavirus intersects with cybersecurity concerns. And while we don’t want to downplay the importance of maintaining cybersecurity practices throughout the crisis, we could all use a little distraction from time to time. So, we decided to have some fun today. And what is more fun than hearing stories about hackers who completely and totally messed up? So, without further ado, we present three major hacker fails to keep your mind off the news for a few minutes.

Hacker Fail #1: The Spy Who Hacked Me (Then Posted it on YouTube)

This should go without saying, but if you’re going to install malware on hospital computers, you probably shouldn’t upload a video of yourself doing it. As it happens, that is exactly what Jesse William McGraw did. McGraw was a night security guard at Northern Central Medical Plaza in Dallas. One night he decided to film a video of himself pretending to be a spy who was infiltrating the premises (with James Bond music and all). Of course, as a security guard, he had access to the entire building and wasn’t actually doing anything illegal. That is, until he started installing malware on a dozen of the hospital’s computers.

Authorities quickly arrested McGraw and discovered he was actually the leader of a hacking group called the Electronik Tribulation Army. For his part, McGraw was sentenced to 9 years in prison and ordered to pay over $30,000 in restitution.

Hacker Fail #2: VPN FML

This story involves one of the most news-worthy cyber-attacks in the past few years: and hack and leak of emails from the Democratic National Committee. The documents were leaked online over the course of few months by a hacker calling himself Guccifer 2.0. While leaking the documents, Guccifer portrayed himself as a lone hacker conducted the attack for the fun of it.

Of course, we know now that this hack was instead conducted by the Russian government, specifically the GRU, Russia’s intelligence agency. As it turned out, tracing the hack back to the GRU didn’t take much work because Guccifer made a very simple mistake: he forgot to turn on his VPN. VPN’s help users stay anonymous online by connecting to the internet using shared IP addresses. Guccifer routinely used a VPN to cover his tracks online, but at one point simply forgot to turn it on before logging onto a social media site. The mistake allowed authorities to trace the hackers location directly back to GRU headquarters.

And the rest, they say, is quite literally history.

Hacker Fail #3: Hoist with his own petard

We saved the stupidest for last. For a while now, a transcript of a chat between hackers has been passed around the internet. In the chat, two rivals hackers were arguing with one another and threatening to attack the other. One of the hackers claimed to be using a program that allowed him to remotely delete a hard drive by simply entering in the target’s IP address. Calling his bluff, the other hacker shared his IP in the chat. However, instead of giving his actually IP, he gave him a loopback address that pointed right back at the would-be hacker’s own computer. So, when he ran the IP address through the program, he ended up wiping out his own hard drive instead of his rival’s.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog

Communication Key to Keeping Remote Workers Engaged and Cyber Safe

At this point, many companies have instituted work at home policies.  And, assuming that the organizations have taken the right steps to secure their remote workers and increase their bandwidth to handle the increased loads and redundancies, business can get back to the new normal, correct?

Not quite.  The key to managing remotely is communication.  And I’m not talking about emails from the company referencing COVID-19.  I’m talking about ongoing communication that keeps the staff engaged, strengthens the culture and overcomes isolation.

There are many ways to do this.  Here are a few you can do right away.

  1.  Daily virtual standup meetings.  Have your teams jump on a video call same time each day to have a quick chat about what went well and what blockers have come up since the prior days call.  Make it video so people can see each other which improves the socialization aspect of the meeting.
  2. Catch them doing something good.  Each day call out someone for doing something well, especially if it involves helping clients or each other.  Support is now a key differentiator and it should be rewarded.
  3. Conduct white-hat phishing exercises.  Phishing hasn’t gone away.  In fact, COVID-19 has given the bad guys something else to use a lure.  Keep your team digitally aware by running phishing simulations, but let them know you are doing it and reward them for any phish they report.  That way you both sensitive the team to be on the lookout for suspicious emails and keep them positively engaged at the same time.
  4. Step up security training for privileged users.  With the changes to network access and perhaps the installation of additional technologies to support remote access, it is critical you spend the time with your systems, application and network teams on security role-based training to ensure that the assets are appropriately configured.  Misconfiguration poses a large cyber threat in the best of times;  even more so now.  Of course, make sure you are catching them doing something good, as well. (See #2 above.)
  5. Create standing “tea-times”.  Let’s face it, part of working together is socialization.  For teams not used to working remotely (and therefore not used to connecting with each other on a social basis remotely), carve out some time each day which permits them to reach out and talk to each other about whatever they want.  You don’t have to over engineer this, giving permission might be all you need to do.

The resilience of an organization’s ability to respond to any challenge is in no small part due to the strength and resilience of its culture.  Focusing on, communicating with, and recognizing your staff will go a long way to keep people working together.  Even when they’re apart.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog

Privacy in the Age of Coronavirus

One can argue about the steps taken so far with regards to the coronavirus, but perhaps no other report has had an impact on what the United States is now doing to curb the spread of the virus than the report published on March 16 by the UK’s Imperial College COVID-19 Response Team.  In plain, stark language, the report warns of the dangers of doing nothing and emphasizes that if we want to minimize mortality rate “combining all four interventions (social distancing of the entire population, case isolation, household quarantine and school and university closure) is predicted to have the largest impact.”

Key to this is case isolation and household quarantine, both of which are containment measures.  Containment requires, at minimum identification (you have to know who is symptomatic to make sure they are isolated and you have to know who the symptomatic were in contact with to make sure they are quarantined) and communication (you have to know whether you’ve been in contact with someone if you are to self-quarantine).

The technologies exist to help both identification and communication, but at a potential cost to privacy. There’s the impact on privacy to the symptomatic individual, those with whom they have been in contact, and even locations (towns, neighborhoods, stores) through which the person traveled.  These risks are not insubstantial. In the case of individuals, it could result in stigmatization, harassment, and even physical threats (if not harm); in the case of locations, it could result in severe economic losses and stigmatization itself.  The key to leverage technology with containment is to identify potential privacy risks and embed privacy practices into the technology to minimize those risks.

The MIT Media Lab is doing just this.  Yesterday, they released an open-source application called Private Kit: Safe Paths which uses your phone to track your location data and uses that to trace where symptomatic individuals have been and share that information to others so that they can determine whether they may have been in contact with those individuals.  And, the app does it in a privacy-preserving way.  The app works like this: it first logs your phone’s location data, but keeps it on your phone so that you retain possession of it.  If you are diagnosed, you have the choice to consent to sharing your location data with health officials who can make it public.  Ultimately, the app will share symptomatic location data with others without the middleman of a health authority so that one can see if they have been in recent contact with anyone who has been symptomatic.  It’s a powerful tool that has the potential to have a material impact on containment efforts.

Of particular interest, is the whitepaper MIT developed on this application that outlines the various privacy risks pertaining to containment and how Private Kit addresses them.  The report provides an instruction lesson to any organization conduct privacy risk assessments or evaluating privacy controls relative to GDPR or CCPA regulations or to better serve the needs of its constituents.

When confronted with the enormity of something like the coronavirus, its both critical and refreshing to know that we don’t have to throw out our rights to deal with it.  After all, in battling something like this virus, we are not only defending our selves, we are preserving the very freedoms that define who we are.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog

Supply Chains — Your Weakest Link?

With COVID-19, all businesses are getting their bearings in uncharted territory.  Trying to work through the changing restrictions.  Managing remote work forces.  Adapting to changing client needs.

As you go through your business continuity checklist or contingency plans, don’t forget to include your suppliers and related third parties in your considerations.  You might have the resources to weather this, but do they?  And, if a critical vendor to your supply chain is unable to deliver what does that do to your ability to deliver?

Make sure you take the time to evaluate your supply chain.  If you haven’t done so already, at minimum, take these steps:

  1. Prioritize your supply chain vendors: Go through all your vendors and ask yourself what would happen to your business if the vendor could not deliver.  Prioritize each vendor based on the risk they pose to you should their commitments fall through.
  2. Get on the phone with your highest risk vendors. Talk with them about this current situation.  Learn what strategies they have in place to respond to any potential disruptions to their workforce, operations or critical third-parties they have.  Get details and be prepared to probe as if they were part of your business.  Because, after all, they are.
  3. Treat those vendors like a partner. At this point, you need each other.  Be prepared to restructure deals or assist in other ways to help your vendor keep up its commitments.  It will help you keep clients and pay off in spades down the road.
  4. Don’t let quality control fall by the wayside. When stretched, certain things might fall short.  However, at the end of the day, you want to make sure you are delivering a reliable product to your customers.  Make sure you continue to do the right things to ensure your vendors are providing a quality product.
  5. Make contingencies. Some vendors will be there with you and for you (and you for them).  Some will not be able to.  It’s important to review the contractual commitments you have and to explore alternatives.  It may not be easy to switch horses in mid-stream, especially when the stream is raging, but you may not have any choice.

Napoleon once said that an army marches on its stomach, meaning that it is critical to focus on making sure it is well provisioned.  One could say that a company, indeed the entire the economy, marches on its supply chain.  Make sure you understand where it is strong and especially where it is weak.

The time you spend with your supply chain might make all the difference.

 

Coronavirus and Cybersecurity: The Human Factors

In the past, cybersecurity threats tend to increase in times of crisis. Now, bad actors are already using the coronavirus pandemic to their advantage. Employers are beginning to ask employees to work from home, and there are already numerous articles on security concerns about remote access. And while it is certainly important to ensure remote access systems are properly secured, it is equally as important to understand the human factors that create certain security vulnerabilities. Mass confusion and panic often lead to faulty or rash decision making, which is precisely what scammers are banking on now. A study by Check Point, for instance, revealed that coronavirus-related web domains are 50% more likely to be malicious than other domains.

When considering the coronavirus and cybersecurity, it is important for employers to use cyber awareness training to ensure employees continue to think critically and use proper judgment online. Here are four key areas to help employees limit their risk of exposure:

Use Multi-Factor Authentication

Perhaps the most important measure you can put in place is to make sure that all remote users are required to use multi-factor authentication (MFA) when accessing your system.

Device Security

Businesses need to ensure all employees that are working from home are taking appropriate steps to keep sensitive information safe. Anyone using remote access needs to be trained in the use of essential endpoint protections. VPNs, for example, are extremely important to make sure logs can’t be sniffed out by others in the neighborhood.

Employees should also be reminded of basic measures to take with personal devices. Screen and application time-outs should be set up to limit the risk that unwanted eyes around the house can view sensitive information and communications.

To limit the impact of stolen or lost devices, all sensitive information should be fully encrypted.

Online communication

Employees should be updated about current phishing campaigns that are taking advantage of the confusion and panic surrounding the coronavirus. The World Health Organization recently released a statement warning of fake emails posing as the WHO to steal money, information, and credentials. According to The Wall Street Journal, the WHO is receiving daily reports of coronavirus-related phishing schemes.

Working remotely will also require expanded use of online communications such as email, video services, and phones. It is therefore important that all communications relating to business should only take place through company-approved communication services. It is difficult to monitor the security of personal and social media messaging services and should not be used for any business-related communications.

Reporting and Incident Response

Being aware of increased cyber threats is only half the battle. Employees also need to understand how and when to report any suspected incidents. Keep help desks up and running, and encourage employees to be overly cautious in reporting any suspicious emails or activity. Employees need to know that someone can help if they think any information is at risk. 

Incident response teams should also be briefed on and prepared for any threats related to remote access work. Not only should response teams understand the current threats, everyone involved should have a clear understanding of how communication and responses will be carried out remotely. Because previous response simulations were probably conducted in-office, it is helpful to run a test response using only remote communication.

Communicate and Connect

Companies are ecosystems and healthy corporate ecosystems are a function of purpose, recognition, connection and intentional urgency.  All of which feeds into employee actions, whether it involves cybersecurity issues or marketing or administration or service issues.  Companies which do a better job of communicating what is going on in their organization and connecting with their remote staff and acknowledging their respective situations create a caring environment which helps everyone pay attention to little things – like perhaps not clicking on that strange link or hiding the fact they accidentally sent the wrong person confidential information.

Conclusion

Given the severity of the ongoing coronavirus crisis, bad actors are counting on an increase in confusion, panic, and fear to profit and cause further disruption. The coronavirus and cybersecurity concerns need to be considered, Above all else, employers need to do their part to ensure workers stay well-informed and secure. Working at home might mean we can dress a little more casually, it doesn’t mean we should be any less serious about threats online.

Beyond Compliance

Like the often quoted phrase, “A camel is a horse designed by committee”, compliance regulations often do more to over complicate issues than solve them.  At the same time, companies that just focus on meeting compliance standards can miss addressing the risks the compliance measures were designed to mitigate.

After all, Target Department Stores successfully passed a PCI audit two months before their massive breach in 2013.

Naomi Lefkovitz of the National Institute of Standards and Technology perhaps said it best when discussing privacy risk at a conference last month in Brussels.  “If you do something that upsets your customers from a privacy standpoint and then you tell them  ‘Well I’ve done everything correct under the law’ will they be any more satisfied?  Probably not.  That’s privacy risk in a nutshell.”

When focusing on cybersecurity or data privacy, the key is to understand what your risks are.  In many cases those risks will involve other parties and you need to determine the impact that an incident will have on them when you determine how to and where to take preventive action.

“Focus on your customers and your employees and the business will take care of itself,” is another often quoted phrase.  If you do that as you put together your cybersecurity and data privacy practices, compliance and the rest of the business will take care of itself, as well.

 

Introducing PhishMarket,

Click here for a new way to secure your most valuable asset— your employees.

 

Not Ready to Commit?

Subscribe To Our Newsletter

Join our mailing list to receive the latest tips and news about cyber security and data privacy

You have successfully Subscribed! Please make sure to check your email to confirm registration.