Cybersecurity is in the news a lot lately, and particularly a lot just since the beginning of the year. As usual, we review all the news looking for important things to share with our clients and listeners. There are so many different stories to choose from this week that we decided to cover several of them in one episode. So, here are 6 cybersecurity lessons in the news.

Some of them may be things you saw before, but all of them were worth discussing: what we should be aware of, and what we should learn from all the information coming in for 2018.

HIPAA For MSPs by David Sims: 6 Cybersecurity Lessons In The News

There are so many news stories happening right now that I can’t decide what to make an entire episode out of for this week. So, we are doing another one of those hodgepodge episodes that covers several different news stories.

1 – States are rolling out data privacy and security laws all over the country

NC announced one was introduced this month.  It has some pretty interesting requirements in it.

“The rise in data breaches prompted state Attorney General Josh Stein and state Representative Jason Saine to introduce the Act to Strengthen Identity Theft Protections. If passed, North Carolina will have some of the toughest data breach notification laws in the United States.”

The bill includes consumer protections after a breach, clearly aimed at Equifax, requiring credit reporting agencies to provide 5 years of free credit monitoring. But it also hits all businesses, including healthcare.

Updates what constitutes a security breach. Any incident of unauthorized access to or acquisition of someone’s personal information is a breach. The new definition will now include Ransomware attacks – these are when personal information is accessed but is not necessarily acquired. As a result, the breached organization must notify both the affected consumer(s) and the Attorney General’s office. This will empower the affected person and the Attorney General’s Office to determine the risk of harm – not the breached organization.

Tighter data protection. Imposes a duty for a business that owns or licenses personal information to implement and maintain reasonable security procedures and practices – appropriate to the nature of personal information – to protect the personal information from a security breach. Additionally, the definition of protected information is updated to include medical information and insurance account numbers.

Quicker consumer notification. When a consumer’s personal information has been compromised by a security breach, the entity that was breached must notify the affected consumer and the Attorney General’s office within 15 days. This quick notification will allow consumers to freeze their credit across all major credit reporting agencies and take other preventative measures to prevent identity theft before it occurs.

Clarifies penalties. A business that suffers a breach and failed to maintain reasonable security procedures will have committed a violation of the NC Unfair and Deceptive Trade Practices Act and each person affected by the breach represents a separate and distinct violation of the law.

That last bit opens up a whole list of questions. It means that there are grounds to sue over these data breaches. If it is found that the business did not have “reasonable security procedures and practices” in place, the business is screwed. So, you have to PROVE you are doing security.

If it’s not documented, it didn’t happen!

2 – Hawaii ballistic missile scare includes a cybersecurity embarrassment

While the scare was bad enough for many reasons, the news stories showed us why they may want to evaluate the entire department from the bottom up.

Really: a Post-it note with the password on it, visible in a file photo of the center. A file photo is a staged shot, not a selfie somebody snapped on the sly; they knew the picture was being taken!

3 – Why do you need an inventory of devices, disposal procedures, and encryption?

Computer discovered stolen from Advocate Lutheran General Hospital in Park Ridge – The desktop computer was reported stolen Jan. 8 after a man reportedly contacted the hospital to say he bought a computer that had belonged to Advocate and needed help unlocking it.

Thankfully, the desktop was encrypted in this case, which prevented a serious, reportable breach. So first, let’s point out the importance of encrypting even desktops. That policy decision saved them here.

If proper disposal policies had been followed, the drive would have been removed or destroyed before this story made it around the world. A much less embarrassing situation.

Finally, if you have an inventory, you keep up with where the devices are and make sure neither of the other two problems occurs.

And, just to reiterate the point, what if you end up in a court case with an ex-employee? As part of the court documents filed, you learn only THEN that the employee took a laptop with them loaded with patient information. 28,434 patients were involved in the data breach. You have to explain in your notifications what happened, so you have to tell them that you just found out an employee took a laptop loaded with their information on it.

If you had the inventory and termination checklists handled properly, you would certainly hope to catch this before being surprised in November that an employee who left in May had a laptop loaded with PHI.
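The three controls in this section (encrypt every device, desktops included; sanitize drives before disposal; reconcile the inventory against HR so a departed employee’s laptop turns up in an audit, not in court filings) come down to a reconciliation you can run on a schedule. The script below is an added example, not code from the episode or from any vendor; the asset tags, user names, dates and separation list are constructed, and the field layout of the inventory is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory and HR separation list (hypothetical names,
# asset tags and dates; not data from the episode). Each record holds what a
# device inventory plus a termination/disposal checklist would track.


@dataclass
class Device:
    asset_tag: str
    kind: str                   # "laptop" or "desktop"
    assigned_to: Optional[str]  # user id, or None for unassigned devices
    encrypted: bool             # full-disk encryption confirmed
    status: str                 # "in_use", "returned" or "disposed"
    drive_sanitized: bool       # drive wiped or destroyed before disposal


INVENTORY: List[Device] = [
    Device("LT-0001", "laptop",  "jdoe",   True,  "in_use",   False),
    Device("DT-0002", "desktop", None,     False, "disposed", False),
    Device("DT-0003", "desktop", "asmith", True,  "in_use",   False),
    Device("LT-0004", "laptop",  "bjones", False, "in_use",   False),
    Device("LT-0005", "laptop",  "cwong",  True,  "returned", False),
]

# Separation dates as HR would report them (hypothetical).
SEPARATIONS: Dict[str, date] = {
    "jdoe": date(2017, 5, 12),
    "cwong": date(2017, 9, 1),
}

# Date the audit is run (hypothetical): the "surprised in November" moment.
AUDIT_DATE = date(2017, 11, 15)

Finding = Tuple[str, str, str]  # (asset_tag, finding code, detail)


def reconcile(inventory: List[Device], separations: Dict[str, date],
              today: date) -> List[Finding]:
    """Return every inventory record that violates one of the three controls:
    encryption on any device still holding data, return of devices from
    separated staff, and drive sanitization before disposal."""
    findings: List[Finding] = []
    for d in inventory:
        # Control 1: every device not yet disposed of must be encrypted,
        # desktops included.
        if d.status != "disposed" and not d.encrypted:
            findings.append((d.asset_tag, "unencrypted",
                             f"{d.kind} assigned to {d.assigned_to or 'nobody'}"))
        # Control 2: a device still "in use" by someone HR says has left is
        # the laptop you otherwise first hear about in court documents.
        if d.status == "in_use" and d.assigned_to in separations:
            days = (today - separations[d.assigned_to]).days
            findings.append((d.asset_tag, "unreturned_after_separation",
                             f"{d.assigned_to} left {days} days ago"))
        # Control 3: disposal is not complete until the drive is wiped or
        # destroyed; an unwiped disposed drive is the hospital desktop case.
        if d.status == "disposed" and not d.drive_sanitized:
            findings.append((d.asset_tag, "disposed_without_sanitization",
                             f"{d.kind} left the building with its drive"))
    return findings


if __name__ == "__main__":
    for tag, code, detail in reconcile(INVENTORY, SEPARATIONS, AUDIT_DATE):
        print(f"{tag}: {code} ({detail})")
```

Run against the sample data, the audit flags the laptop still assigned to a user who left 187 days earlier, the unencrypted laptop in use, and the desktop disposed of without its drive being sanitized; the returned laptop from the other separated user and the encrypted desktop produce nothing. Feeding it real exports from the asset system and HR on a weekly basis is what turns the inventory from a spreadsheet into a control.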

4 – Ransomware Attacks spreading like the flu

Several announcements by hospitals lately, plus a lot of news about others being hit. I haven’t seen this many one after another since the end of 2016.

Allscripts ransomware attack in their NC data center.

Many groups have the “I don’t have to worry about it” attitude because they use cloud or data center solutions.  What happens if your provider goes down?

More than once we have heard cases of data centers getting hit with ransomware.  Not going into the details here but I can tell you it happens.

If your cloud services provider goes down, what do you do? We all do a lot these days while expecting 100% uptime and availability of internet and cloud services. Do you have a plan for when you don’t have them? Here is a perfect case of why you should consider it. Nuance suffered severely during the NotPetya outbreak. I never expected them to have problems to that extent, but they aren’t perfect either.

5 – CMS confuses everyone about text messaging

First, there is an article published by HCCA saying CMS is telling hospitals they can’t use ANY text messaging for healthcare.  Not even secure ones.

CMS has sent emails to at least two hospitals saying that “texting is not permitted”—and that includes secure text messaging applications. Citing concerns about privacy, security and the integrity of medical records, the “hospital team” from the Survey & Certification Group said CMS doesn’t allow texting.

“After meeting with vendors regarding these products, it was determined they cannot always ensure the privacy and confidentiality of PHI (protected health information) of the information being transmitted. This resulted in the no texting determination,” CMS said in the Nov. 30 email, obtained by RMC. CMS also based its opinion on the Medicare Conditions of Participation section about the retention of medical records and their confidentiality. Another hospital asked whether CMS intended the texting ban to apply to secure encrypted texting solutions, and CMS responded again that it means no texting, says the hospital manager who received the email.

That stirred everything up for sure. How can we get by with no secure text messaging at all? But they talked with the secure messaging vendors and believe they can’t provide adequate security to allow any text messages? Wow! Enough madness occurred after that article was published on Dec 18th.

Eventually, CMS published another memo, dated December 28, 2017, which provides guidance saying:

  • Texting patient information among members of the healthcare team is permissible if accomplished through a secure platform.
  • Texting of patient orders is prohibited regardless of the platform utilized.
  • Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider.

6 – Why you shouldn’t assume that you are OK

Researchers stumbled on a hacker group stealing Android user credentials since 2012. It starts with a phishing attack via WhatsApp or Facebook.

But the group involved is much more devious. It traced back to Lebanon. According to reports, the group has a lot of tricks up their sleeve.

Dark Caracal has been conducting multi-platform cyber-espionage campaigns and has been linked to 90 indicators of compromise (IOCs), including 11 Android malware IOCs, 26 desktop malware IOCs across Windows, Mac, and Linux, and 60 domain/IP based IOCs.
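The practical follow-up to a report like this is to sweep your own logs for the published domain and IP indicators rather than assuming you are fine. The script below is an added example, not code from the episode or from the researchers; the indicators in it are placeholders on reserved names and documentation address ranges (the page does not list the real Dark Caracal IOCs), and the DNS log format is a constructed one, so adapt the regular expression to your resolver’s output.

```python
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Placeholder indicators (constructed for this example; NOT the real IOCs,
# which this page does not list). Domains use the reserved .invalid TLD and
# the IPs come from documentation ranges. Domains are stored lower-case.
IOC_DOMAINS: Set[str] = {"ioc-example-1.invalid", "ioc-example-2.invalid"}
IOC_IPS = {ipaddress.ip_address("192.0.2.10"),
           ipaddress.ip_address("198.51.100.77")}

# Constructed resolver log lines: "timestamp client qtype name -> answer".
DNS_LOG: List[str] = [
    "2018-01-20T10:01:02Z 10.0.0.5 A www.example.org. -> 93.184.216.34",
    "2018-01-20T10:01:07Z 10.0.0.5 A update.ioc-example-1.invalid. -> 203.0.113.9",
    "2018-01-20T10:02:11Z 10.0.0.9 A cdn.example.net. -> 192.0.2.10",
    "2018-01-20T10:03:00Z 10.0.0.9 A notioc-example-1.invalid. -> 203.0.113.4",
    "this line is not a DNS record",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>A|AAAA) (?P<name>\S+) -> (?P<answer>\S+)$"
)

Hit = Tuple[str, str, str, str]  # (timestamp, client, indicator type, indicator)


def normalize(name: str) -> str:
    """Drop the trailing dot of an FQDN and fold case before comparing."""
    return name.rstrip(".").lower()


def domain_hit(name: str, iocs: Set[str]) -> Optional[str]:
    """Match on whole DNS labels: a subdomain of an indicator matches, but a
    lookalike that merely shares a string suffix (notioc-example-1.invalid
    versus ioc-example-1.invalid) does not."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def sweep(lines: List[str], domains: Set[str], ips) -> Tuple[List[Hit], int]:
    """Return the indicator hits found in the log lines and the count of
    lines that did not parse (worth reporting, since silently skipped lines
    are where a sweep quietly loses coverage)."""
    hits: List[Hit] = []
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        d = domain_hit(m["name"], domains)
        if d:
            hits.append((m["ts"], m["client"], "domain", d))
        try:
            answer = ipaddress.ip_address(m["answer"])
        except ValueError:
            continue  # CNAME or other non-address answer in this column
        if answer in ips:
            hits.append((m["ts"], m["client"], "ip", str(answer)))
    return hits, unparsed


if __name__ == "__main__":
    found, skipped = sweep(DNS_LOG, IOC_DOMAINS, IOC_IPS)
    for ts, client, kind, indicator in found:
        print(f"{ts} {client} matched {kind} indicator {indicator}")
    print(f"{skipped} line(s) could not be parsed")
```

On the sample log the sweep reports the client that resolved a subdomain of an indicator domain and the client whose lookup answered with an indicator IP, while leaving the lookalike name alone and counting the malformed line. The label-wise matching in `domain_hit` is the detail that matters: a plain substring or `endswith` check would either miss subdomains or raise false alarms on names that only look similar.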

I find that reading the news is overwhelming sometimes.  Not because of the news itself but just how much work all of these examples mean for me and my team.  When we see these articles we use them for training classes, additional assessment questions, policy and procedure updates, audits, and more.  For those who must protect information staying on top of the news is a must.  Thankfully, we have access to information like never before which is both a gift and a curse. (A nod to fans of Tony Shalhoub’s Adrian Monk character)