Last week we talked about the alarming percentage of data breaches that are occurring in health care organizations.  The latest Poneman report found that “89 percent of surveyed health care providers experienced a data breach in the last 24 months, with 79 percent admitting to suffering a minimum of two breaches.”

TrendMicro reports that the top reasons cited for data loss were “SMB employees’ tendency to open attachments to or click links embedded in spam, to leave their systems unattended, to not frequently change their passwords, and to visit restricted sites. This negligence puts critical business data at risk from data stealing cyber criminals and malicious insiders.”

In this report SMB’s state that they are no longer just at risk of losing data due to external threats such as hacker attacks and other external compromises, but  they are, in fact, in “even graver danger due to employee negligence or maliciousness. Even worse, 64% agree that their organizations need to rearchitect their security infrastructure against hackers or malicious insiders attempting to steal data.”

They say that the effort to mitigate this risk “may require focusing on data-centric security for confidential information, which entails relying on not only traditional outside-in protection but also on protection from the inside-out.”

This report brings forward the risks from employees using mobile devices such as smartphones, tablets, and laptops, and says that the era of BYOD (Bring Your Own Device) is “here to stay.”

Another alarming issue brought up is that SMB’s “routinely fail to back up data.”  This issue is a fairly simple one to correct and doesn’t require in-depth analysis to understand its risk potential, but either through ignorance or a lack of understanding of the importance of an organization’s data, the SMB market still doesn’t understand that they need to budget to back up their data.

The Trend report states that “less than 50% of SMBs routinely back up
data. This, along with risky employee behaviors, the BYOD trend, lack of
adequate security protection, and various other threats to data, is putting them at great risk.”  They also say that “about a third of U.S. companies also had no backup and
disaster recovery strategies in place, citing lack of budget and resources
as primary reasons.”

Any small business needs to ask themselves if their business would survive the complete loss of their accounting systems, their payroll records, their customer data, any intellectual property that they may have on computer, and any other data that they may use daily to operate their businesses.

Reference:

SC Magazine reported that for the 2nd consecutive year, the Ponemon Institute’s “annual study on the state of security and privacy in health care found that cybercrime was the leading cause of data breaches among hospitals and other medical providers.”

Here’s an alarming statistic discovered:  45 percent of the health care organizations surveyed, “admitted to having more than five breaches over the past two years.”

SC Magazine also said that “Ponemon found that 89 percent of surveyed health care providers experienced a data breach in the last 24 months, with 79 percent admitting to suffering a minimum of two breaches.”

The top security threats that were cited in the report was Employee Negligence, at 69%, and Cyber Attacks, cited in 45% of the data breaches.

The report stated that 61% of health care organizations are “paying more attention” to how their third-party partners handle their data.  HIPAA has a Business Associate requirement now that has broad applicability to “partners” who provide legal, actuarial, accounting, consulting, data aggregation, management, administration or financial services when those services have access to the organization’s PHI (Protected Health Information).

The HIPAA Privacy Rule mandates that providers have written contracts with  these partners, known as Business Associate Agreements.  The HIPAA Privacy Rule deems it non-compliance to not have these agreements in place with these partners who are subject to the rule.

The US Department of Health and Human Services defines a “business associate” as a “person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.  A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.”

Since most small-to-medium health care organizations contract some or all of their IT and many other services, these organizations and their IT service providers need to be familiar with the requirements of the Privacy Rule and the use of Business Associate Agreements.

References:

Many organizations held on tight to their old Windows XP computers.  Some are still using it despite the risks and warnings.  Windows Server 2003 falls into this risk category as well.  Microsoft ended support for Windows XP on April 8th, 2014. Microsoft Windows Server 2003 extended support ended on July 14th, 2015.

What that means to most people is that Microsoft no longer provides security updates after that date.

On its face value, that might not seem like an important event, since Windows XP or Server 2003 installed on a computer will still function as it had before.  The issue is that security vulnerabilities are continually being discovered throughout the lifecycle of an OS and beyond.

Microsoft stated that “without critical Windows XP security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information. Anti-virus software will also not be able to fully protect you once Windows XP itself is unsupported.”

The issue for an organization is not just the vulnerability risk, but also a compliance risk.  Microsoft stated that businesses that are “governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements.”  Organizations with HIPAA compliance requirements who are still using Windows XP or Server 2003 may find that in case of a violation or data breach on those systems, that they are no longer just a victim, but that they are now considered willfully negligent.

Once a vulnerability issue becomes known, the manufacturer then addresses the issue with a security “fix” or “patch.”  Once support has ended, any new vulnerabilities discovered will remain vulnerable to attack, with no action by a manufacturer to correct them.  Microsoft’s recommendation was to “terminate” use of Windows XP by upgrading to a newer, supported OS, which most organizations did.

There is also usability of the Operating System or the applications that run on top of it.  People using older web browsers that aren’t capable of newer SSL/TLS standards will find that they aren’t capable of visiting or using many of the ecommerce websites or other websites that require an SSL/TLS encryption.  This is pretty much any website that begins with https: on your web browser as opposed to the unencrypted http.

Google announced in April, 2016 that their new version 50 Chrome browser will not be supported on a wide range of operating systems . Windows XP, Windows Vista, Apple Mac OS X 10.6, OS X 10.7, and OS X 10.8 are no longer supported.

Cyber protocols are subject to change over time and the once secure SSL protocol is no longer considered secure.  Most modern encrypted connections to web sites and other servers are now using TLS version 1.2.

References

Support for Windows XP ended April 8th, 2014. (n.d.). Retrieved May 12, 2016, from https://www.microsoft.com/en-us/WindowsForBusiness/end-of-xp-support

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (4th ed.)(ch. 8). Stamford, CT: Cengage Learning.

It seems that many infosec criminals have gone fishing these days.  Spear Phishing to be precise.  I’ve personally worked with clients who have been targeted by this relatively new threat vector.

What is “spear phishing” or “spearphishing”?  Well, you are all aware of what “phishing” is.  You know the emails pretending to be your bank or pretending to be UPS that have the suspicious looking attachment when you haven’t even shipped anything lately.  The attackers want you to click on that bank link, and enter your credentials, which will end up in the hand of a crime syndicate if you do, or click on that attachment, which will likely deploy some sort of virus onto your computer.  We talked recently about the proliferation of ransomware.  Phishing is one way that ransomware is deployed.  There is always someone in the organization who will click.

Symantec says that the “latest twist on phishing is spear phishing. No, it’s not a sport, it’s a scam and you’re the target. Spear phishing is an email that appears to be from an individual or business that you know. But it isn’t. It’s from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC.”

Sometimes spearphishing appears to have been sent by a company executive within your company.  It might look very legitimate and urgent.  Often it is requesting that you pay certain invoices or transfer funds immediately.  This can be confusing if you are in Accounts Payable and you handle invoice payment requests daily.

Recommendations to not become a spearphishing victim are according to Symantec:

“If a “friend” emails and asks for a password or other information, call or email (in a separate email) that friend to verify that they were really who contacted you. The same goes for banks and businesses. First of all, legitimate businesses won’t email you asking for passwords or account numbers. If you think the email might be real, call the bank or business and ask. Or visit the official website. Most banks have an email address to which you can forward suspicious emails for verification.”

Just be careful on what you click on, no matter who it comes from.

Reference

The latest security failure, reported by Krebs on Security, says that “The American Dental Association (ADA) says it may have inadvertently mailed malware-laced USB thumb drives to thousands of dental offices nationwide.”

The USB thumb drives are used to send dental procedure code updates to dental offices nationwide. These days with Internet everywhere, why would the ADA use the US Mail to send USB drives to update these dental procedure codes? There are so many electronic options available for the dissemination of this information and the ADA is using postal mail to send electronic information.

It’s not just the expense and startlingly outdated method of data delivery, but then not using typical antivirus tools, and spreading malware to thousands of computers containing HIPAA regulated Protected Health Information is certainly alarming.

Image:  DSL Reports Security Forum. DSLR member “Mike” from Pittsburgh

As reported by KrebsOnSecurity, the ADA said it sent the following email to members who have shared their email address with the organization:

“We have received a handful of reports that malware has been detected on some flash drives included with the 2016 CDT manual,” the ADA said. “The ‘flash drive’ is the credit card sized USB storage device that contains an electronic copy of the CDT 2016 manual. It is located in a pocket on the inside back cover of the manual. Your anti-virus software should detect the malware if it is present. However, if you haven’t used your CDT 2016 flash drive, please throw it away.”

“To give you access to an electronic version of the 2016 CDT manual, we are offering you the ability to download the PDF version of the 2016 CDT manual that was included on the flash drive.”

The ADA said the USB “credit card” media was “manufactured in China by a subcontractor of an ADA vendor, and that some 37,000 of the devices have been distributed. The not-for-profit ADA is the nation’s largest dental association, with more than 159,000 members.”

Why wouldn’t the ADA just stop at providing the PDF file version of the manual, in the first place?

Reference