OCR Issues Guidance for Sharing Medical Information During Hurricane Florence

As Hurricane Florence approaches the North Carolina coastline, OCR has released guidance to ensure that medical information is shared appropriately during the hurricane.

The Secretary of HHS has declared a public health emergency in North Carolina, South Carolina, and Virginia. Under these circumstances, the Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule.

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • The requirement to honor a request to opt out of the facility directory.
  • The requirement to distribute a notice of privacy practices.
  • The patient’s right to request privacy restrictions.
  • The patient’s right to request confidential communications.


NYDFS Cybersecurity Regulation Enters New Transitional Phase

Beginning on September 4, 2018, banks, insurance companies, and other financial services institutions regulated by NYDFS are required to comply with several additional requirements of the NYDFS cybersecurity regulation.

After September 4th, companies will be required to:

  • report annually to the board concerning critical aspects of the cybersecurity program;
  • have an audit trail that reconstructs material financial transactions to support normal operations in the event of a breach;
  • implement policies and procedures to ensure the use of secure development practices for in-house developed applications;
  • implement encryption to protect nonpublic information;
  • develop policies and procedures to ensure secure disposal of information not necessary for business operations; and
  • implement a monitoring system that includes risk-based monitoring of all persons who access or use any of the company’s information systems or nonpublic information.


Gone Phishing? We Hope Not!

Training your employees to recognize a phishing campaign just got a whole lot harder. A new phishing attack targeting Microsoft’s popular Office 365 platform has impacted roughly 10 percent of its users globally … and that’s just an estimate. What makes it more problematic is that the attackers are harvesting usernames and passwords under the guise of document sharing via SharePoint.

Corporate Usernames and Passwords Are Valuable

As organizations move to cloud-based solutions, phishers are changing the way they attempt to steal credentials. Once stolen, corporate usernames and passwords allow attackers to:

  • carry out further phishing attacks against top executives;
  • deploy money transfer schemes to convince financial departments to fraudulently wire large sums of money (i.e. CEO impersonation);
  • scan the company’s email server for information that can be sold; and
  • deploy ransomware or other advanced threats through Remote Desktop Protocol.


UK Small Businesses Struggle with Data Storage

According to recent research by Seagate Technology, a world leader in data storage solutions, many small and medium-sized UK companies (SMBs) are having a difficult time transitioning to newer, more secure methods of data storage and management.

Seagate polled a sample of 1,006 UK SMB employees and found that 23% of SMBs still rely on USB drives for their primary company data storage, 35% use a centralized on-site server, and 29% use cloud-based storage solutions.

A Significant Security Risk

Not only is storing company data in differing locations and technologies time-consuming for employees, it also represents a significant security risk. Using a central server or cloud storage allows businesses to store many different types of data in one location, on top of having other benefits such as scheduling regular backups – resulting in a safe, secure and cost-effective way to centralize company data.

Air Canada – The Latest Company Compromised by Data Breach

Air Canada, the largest airline of Canada by fleet size and passengers carried, has reported a massive data breach of its app, putting thousands of passenger passport details, among other personal information, at risk.

Air Canada’s Response

The airline issued a warning to mobile app users that their personal data may have been compromised in a cyberattack. This may place those who entered their details at risk of identity theft. It is believed approximately 20,000 customers may have had their data stolen. All Air Canada app users have been asked to change their passwords.

Profile data, such as names, email addresses, passport numbers, genders and dates of birth, among others, can all be stored in the airline’s app – making this stored data a potential target in the attack.

Over 2 Million Customers Affected by T-Mobile Data Breach

T-Mobile is warning customers of a data breach that occurred in late August 2018. The company reported to Motherboard that hackers stole the personal data of over 2 million people during the incident.

T-Mobile’s Response

T-Mobile released an official statement saying it quickly shut down a cyberattack on its database, but the incident may have exposed the personal data of 2.3 million of its 77 million customers, or slightly less than 3% of customers.

“We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access,” T-Mobile said. “We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you. None of your financial data – including credit card information – or Social Security numbers were involved, and no passwords were compromised.”

SamSam Ransomware: A Continued and Growing Cyber Threat

The SamSam ransomware has affected far more victims than initially thought – raising nearly $6 million and counting in ransom demands. According to Sophos’ research of the SamSam ransomware, it’s estimated that roughly 233 victims have paid a ransom to the attackers so far.

Sophos Report

Sophos has uncovered new details about the SamSam ransomware, focusing on how it works and how it’s evolving. Most ransomware is spread out in large, untargeted spam campaigns sent to thousands of people. These attacks use simple techniques to infect victims, raising money through large numbers of relatively small ransom requests. SamSam, on the other hand, is used in specific, targeted attacks.

SamSam attackers break into a specific victim’s network and then run the malware manually. These attacks are tailored to cause maximum damage, with ransom demands in the tens of thousands of dollars – the largest individual victim so far shelled out $64,000.

Although initially thought to specifically target healthcare, government and education sectors, the Sophos report indicates that the private sector has been equally attacked. However, victims in the private sector have been more reluctant to come forward.

The Cost of a Data Breach and Four Ways to Lower It

The results are in! The Ponemon Institute interviewed more than 2,200 IT, data protection, and compliance professionals from over 450 companies that had a recent data breach, and their 2018 Cost of a Data Breach Study: Global Overview reveals lessons we can all learn from.

Stats Are More Than Just Numbers – They’re Consequences

  • The average total cost of a breach in the U.S. is $7.91 million (more than double the global average of $3.86 million).
  • Data breach costs have increased by 6.4 percent from last year.
  • The number of compromised records rose by 2.2 percent.
  • Heavily regulated industries, such as healthcare, and financial organizations pay substantially more than other industries when data is compromised.
  • A data breach due to malicious or criminal activity costs $157 per record, while breaches caused by system errors and human errors cost $131 and $128 per record, respectively.

Key Factors that Influence Cost and What You Can Do

These days, it’s not a matter of if but when a breach will happen to you. The Study offers helpful tips to reduce the cost in the event of a breach.

  1. Pay less by finding and fixing it fast

The Study found that the quicker a company acts, the less a breach may ultimately cost. When considering a timely response, companies who identified a breach in less than 100 days saved more than $1 million. Likewise, organizations that contained or resolved a breach in less than 30 days saved more than $1 million as well. Consider an intrusion detection system (IDS) to monitor your environment for malicious activity or policy violations, so you can quickly identify any unauthorized access and save money in the long run.

  2. Create an incident response team

The Study also found that having a capable incident response (IR) team reduced the cost of a breach by almost $14 per compromised record. That may not sound like a lot but multiply it by the average number of records compromised during a breach, and the numbers quickly add up. If you don’t have an IR plan and team in place, build one and test it regularly. The Study provides tips for building a business case for IR, so you can quantify why your organization needs one.

  3. Encryption cuts costs even further

Want to bring that per record cost down even more? Encryption reduced costs by $13 per capita. Encrypting stored personally identifiable information saves you legal and notification costs should an incident occur.

  4. Limit your dependence on these factors

Third party involvement, extensive cloud migration, compliance failure, and the extensive use of mobile platforms all increase the cost of a data breach.

The Study is an annual reminder that, while breaches are expensive, certain measures can be taken to reduce the costs that follow. Download a complete copy of the Study here and learn how your organization can put its findings to work.

Reddit Hacked: A Lesson in the Evolving Role of Cybersecurity

Reddit, the immensely popular social news website, has been hacked. Reddit’s CTO Christopher Slowe posted a discussion saying that the company discovered the data breach in June, after an attacker compromised a handful of employee accounts.

The employees’ accounts were protected with SMS-based two-factor authentication, meaning that any would-be attacker not only would have to steal a worker’s password but also intercept the authentication verification sent to the employee’s mobile phone. “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Slowe shared. Reddit is encouraging users to move to a more secure token-based Two Factor Authentication (2FA).

Compromised Data

After breaking into the employee accounts, the intruder gained access to databases and logs, including usernames and their corresponding email addresses – as well as encrypted passwords dating back to the site’s early days from 2005 through 2007.

Guidance on Disposing Sensitive Data-Storing Devices

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released its July 2018 newsletter entitled Guidance on Disposing of Electronic Devices and Media (Guidance), which provides suggestions for properly disposing of technology that may contain sensitive data – such as financial or protected health information (PHI). While directly applicable to the healthcare sector, this guidance is best practice for all organizations.

OCR’s Mission

Part of OCR’s mission is to provide guidance to health care providers, insurers and other stakeholders on cybersecurity issues such as properly disposing of equipment that contains sensitive information. This equipment includes desktops, laptops, tablets, copiers, servers, smartphones, hard drives, USB drives and other types of electronic storage devices.

Improper disposal of devices can lead to a data breach that can be costly to an organization, both financially and reputationally. Some of the financial costs include notifications, investigations, lawsuits, consultants, legal counsel, fees paid to security specialists and loss of clients.