The U.S. Department of Health and Human Services (HHS) recently published voluntary cybersecurity best practices entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (Best Practice Guide). These best practices were compiled over a two-year period by 150 cybersecurity and healthcare experts from both the public and private sector and are a cybersecurity roadmap for healthcare organizations of all types and sizes, from small local clinics to large regional hospital systems.
All entities, especially those in the healthcare field, can learn from this valuable resource.
The Four-Part Best Practice Guide
The Best Practice Guide has four sections: a main document (entitled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients); two technical volumes; and resources and templates. The Best Practice Guide’s goal is to increase awareness, provide sound practices, and consistently mitigate today’s most damaging cybersecurity threats in the healthcare industry.
Alabama remains the sole U.S. state without a breach notification law, but not for long. Yesterday, Alabama’s pending breach notification bill unanimously passed the House of Representatives and is headed to the Governor’s desk awaiting final passage.
Here are some highlights of the two pieces of legislation.
South Dakota: Breach Notification Law
“Information Holder”: includes “any person or business that conducts business in the state” and owns or retains “personal or protected information” of South Dakota residents.
Personal AND Protected Information:
This South Dakota bill distinguishes and covers both personal information and protected information.
“Personal information” includes a person’s first name or first initial and last name combined with one or more of the following data elements (SSN, driver’s license number, account number with access code, etc.) but also includes health information (as defined in HIPAA) and employee identification numbers in combination with access code or biometric data.
“Protected information” includes: (1) “a user name or email address, in combination with a password, security question answer, or other information that permits access to an online account” and (2) financial account number, in combination with a “required security code, access code or password that permits access to a person’s financial account.”
Of note, the definition of “protected information” does not include a person’s name.
“Breach of system security” is limited to “unauthorized acquisition” (as opposed to unauthorized access) of unencrypted computerized data or encrypted data where the decryption key is also acquired by an unauthorized person.
Breach Notification Requirements:
Trigger: Following “discovery by or notification to” an entity of a “breach of system security”, the entity must notify “any resident whose personal OR protected information was or is reasonably believed to have been, acquired by an unauthorized person”.
Timeline: Notification to affected individuals is required within 60 days of discovery of the breach.
Notification is NOT required if the Entity can reasonably determine that the breach will not likely result in harm to the “affected person”.
However, this harm exception is an option after an “appropriate investigation and notice to the attorney general”.
The entity must keep documentation of any no-harm breach in writing for no less than three years.
South Dakota has included a very broad definition of “unauthorized person,” a term that is defined in only a few state data breach notification laws.
The bill also defines “unauthorized person” to include a person with access to “personal information who has acquired or disclosed the personal information outside the guidelines for access of disclosure…” This definition is unique amongst data breach notification laws and addresses those otherwise authorized persons that exceed their scope of authorization.
Other Notification Requirements:
Attorney General: If more than 250 individuals are affected, the entity must notify the South Dakota Attorney General.
Consumer Reporting Agencies: If notification to affected individuals is required, the bill requires notification to “all consumer reporting agencies” as to “the timing, distribution, and content of the notice.” This provision is a bit unusual, as it does not include a numerical threshold of affected persons as a trigger for consumer reporting agency notifications (see the AG trigger above).
The Attorney General is authorized to enforce the breach notification law and may impose a fine of up to $10,000 per day per violation.
A violation of this breach notification law is also considered a deceptive act under the state’s consumer protection laws, allowing the possibility of both criminal liability and a possible private right of action.
While SB 62 does not expressly create a private right of action, the South Dakota Attorney General noted that a violation has the same effect through express incorporation of South Dakota’s Deceptive Trade Practices Act.
This private right of action issue will likely be litigated after the law takes effect this summer.
If an entity is already compliant with HIPAA, GLBA or regulated by another federal law that maintains procedures for breach of a system then that entity is deemed to be in compliance with this state law IF it notified affected South Dakota residents in accordance with the provisions of that applicable federal law or regulation.
If an entity maintains its own notification procedures as part of an information security policy, then the entity is in compliance with notification requirements if they notify each person affected in accordance with their internal policies regarding breach of system security.
This law will take effect on July 1, 2018.
Alabama: Proposed Bill
Alabama’s proposed bill would require a notification period of 45 days from the determination of a breach and follows suit with similar breach law definitions of “Breach of Security”, “Personally Identifiable Information (PII)” and exceptions.
Alabama Attorney General Steve Marshall has been vocally supportive of the bill through this legislative process, thanking the Alabama Senate for “taking us one step closer to giving Alabama consumers the same protections as the citizens of 48 other states who already receive notifications when their sensitive personal information has been hacked”.
Well…now it’s 49 states to follow for data breach notification requirements, and Alabama will complete the patchwork of state breach notification laws in the coming weeks.
For questions about these updates, or to obtain an up-to-date state breach notification chart, you can contact our privacy and security professionals at firstname.lastname@example.org.
Troy Hunt, operator of the infamous ‘Have I Been Pwned’ service, is providing a massive list of compromised passwords to help organizations provide better security for users.
The issue Hunt is addressing is a common hacker tactic called ‘credential stuffing.’ This process involves hackers using lists of compromised account credentials to unlock an account on a separate website or service. For example, using a compromised social media login to attempt to access the user’s email account.
This tactic has become increasingly more successful with the recent mega breaches at MySpace, LinkedIn, etc. Just ask cybersecurity company FireEye…
FireEye Cybersecurity Analyst Hacked
A group of attackers calling themselves 31337 targeted FireEye, a well-known cybersecurity company and owner of Mandiant. The group used credential stuffing tactics to hack into personal online accounts of Adi Peretz, a senior threat intelligence analyst of Mandiant’s consulting services unit.
From there, they found and released three corporate documents from those accounts on Pastebin – a 32 MB file labeled “Mandiant Leak: Op. #LeakTheAnalyst.” FireEye’s investigation also found Peretz’s LinkedIn account defaced along with compromised Hotmail and OneDrive accounts.
Peretz was just one of the tens of millions of other victims who had their login credentials breached over the past few years, including in the LinkedIn breach last year.
The breach of this analyst’s account illustrates the potential dangers of credential stuffing, even for a company solely focused on cybersecurity.
Employees are often found using personal accounts for work-related activities. This activity extends an organization’s cyber risk to the personal security practices of employees outside of the work environment.
To help remedy this problem, Troy Hunt launched a service called Pwned Passwords. The service provides SHA1 hashes for the 320 million passwords collected by Hunt from previous data breaches.
NIST recently released updated guidance regarding passwords and authentication practices. One new recommendation was that user-provided passwords be checked against those from previous data breaches.
Organizations and online service providers can download the list of password hashes to use in their online systems to boost their users’ password security. According to the Pwned Passwords web page, the list can be integrated and used to verify whether a password has previously appeared in a data breach. Systems can then be prompted to warn users, or even block the password outright.
Hunt’s original post noting the service highlights several use cases and actions where the list could be valuable: registration, password change, login, and others.
The Pwned Passwords service could provide organizations with a valuable tool to help boost their authentication practices.
The National Institute of Standards and Technology (NIST) published an updated document highlighting guidelines and best practices related to passwords and authentication methods.
These guidelines revise previous NIST recommendations. Security professionals can leverage the new standards when implementing or revising password policies and protocols for their organizations. The updates lean toward favoring the user, cutting out complexities that don’t actually help security.
Here’s an overview of the major changes:
Remove ‘Change your Password’ Requirements
NIST advises that organizations should not require periodic password changes. This guidance catches up to other industry studies showing that frequent password changes actually hurt overall password security.
This is a hefty change to policy, but it removes a burden from both IT departments and users. The only time a password should be reset according to NIST is if a user requests a change, or there is evidence of password compromise (i.e. if the user has been phished, or if a password database has been stolen and could be subject to attack).
Remove Complexity Requirements
NIST notes that, other than a minimum length requirement, no other complexity requirements should be imposed on users. This includes requirements to have a combination of upper case letters, lower case letters, numbers, and symbols. Studies have shown these arbitrary complexity requirements can often lead to worse password choices by users.
Remove Password “Hints”
Password “hints” are no longer recommended either. What was originally thought to help the user remember their password can help an unauthorized individual guess the password.
NIST guidelines advise against these types of hints, along with reminder prompts (e.g. “What is the name of your first pet?”). Social engineers can often find this information through social media or other means.
Screen against Commonly Used and Compromised Password Lists
When a user chooses a new password, NIST recommends comparing it against a list or inventory of commonly-used or compromised passwords. This includes:
Passwords obtained from previous breaches
Repetitive or sequential characters (“password”, “123456”, “aaaaaa”)
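The two screening steps described above, checking a candidate against a breach corpus such as the Pwned Passwords SHA-1 list and rejecting repetitive or sequential strings, fit naturally into one registration or password-change check. The following is an added example, not code from the original post or from the Pwned Passwords project. It assumes the breach corpus is available offline as upper-case hex SHA-1 digests (the format of the downloadable list) and uses a three-entry constructed sample in place of the real 320-million-line file; the 8-character minimum is NIST SP 800-63B's figure for user-chosen secrets, and the repetition and sequence thresholds are this example's own choices.

```python
import hashlib
import re

# Constructed sample breach corpus: SHA-1 digests of three passwords that are
# known to appear in breach lists, computed here rather than copied from the
# Pwned Passwords download. The real file holds ~320 million such lines.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "letmein")
}

# Assumed minimum length (NIST SP 800-63B: 8 characters for user-chosen secrets).
MIN_LENGTH = 8


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the lookup key format used by the Pwned Passwords list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def in_breach_list(password: str, breached: set = BREACHED_SHA1) -> bool:
    """True if the candidate's SHA-1 appears in the (offline) breach corpus."""
    return sha1_hex(password) in breached


def is_repetitive(password: str) -> bool:
    """'aaaaaa' style: the same character three or more times in a row (example threshold)."""
    return re.search(r"(.)\1{2,}", password) is not None


def is_sequential(password: str) -> bool:
    """'123456' / 'abcdef' style: four or more code points stepping by +1 or -1 (example threshold)."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - 3):
        window = codes[i:i + 4]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def screen_password(password: str) -> list:
    """Return every reason the candidate should be rejected; an empty list means accept.

    The caller (registration, password change, login) can show the reasons to
    the user or simply refuse the password, as the guidance above suggests.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than minimum length")
    if in_breach_list(password):
        reasons.append("found in breach corpus")
    if is_repetitive(password):
        reasons.append("repetitive characters")
    if is_sequential(password):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "123456", "aaaaaa", "abcd1234", "correct horse battery"):
        verdict = screen_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Loading the full list into a Python set is memory-hungry; a production deployment would keep the sorted hash file on disk and binary-search it, or query the Pwned Passwords range API by hash prefix so the full password hash never leaves the server.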
2016 turned out to be a banner year for data incidents and breaches. Cyber criminals turned their attention toward ransomware and DDoS attacks. Mega breaches affected and compromised hundreds of millions of records.
BakerHostetler is one of the leading legal teams in the nation when it comes to data privacy. Last year they handled over 450 incidents, and have recently published their 3rd annual Data Security Incident Response Report. You can download the full report here.
We find theirs to be one of the most comprehensive reports when it comes to analyzing data security incidents: top causes, preparation best practices, and response tactics.
When you see a cyber-attack hit the headlines (think Yahoo, Target, Anthem…) organizations often frame themselves as victims of cutting-edge hackers and cyber-crime rings.
The BakerHostetler report notes this is often not the case. More often than not, a simple error has created the vulnerability responsible for the incident.
Baker lists several consistent trends found in cyber incidents over the years:
Skilled and unskilled attackers alike still find a way into networks, whether those networks have minimal or ‘next gen’ security
Networks are as fallible as the people who build and maintain them. People make mistakes, and they can be socially engineered, as the prevalence of responses to phishing emails shows
Most incidents are not the result of a sophisticated, never-before-seen, unpreventable, zero-day attack
Two new trends are highlighted in the report as ‘common’ – ransomware and DDoS attacks.
Last year, ransomware took the cyber world by storm. (If you’re not familiar with ransomware we have articles of prior examples you can read here, here, and for the latest attack recap, here.) DDoS attacks can put organizations in a similar boat as ransomware victims, forcing operations to shut down and leaving them without a paddle.
The rapid increase in ransomware and DDoS attacks show how maintaining operational functionality is just as critical as preventing data theft when it comes to data security incidents.
Below is a quick and interesting glance at the incident response trends Baker found when compiling their report:
Minimize Risk & Be Prepared
For preparation and response best practices, the basics hold tried and true. Regardless of industry or size, there are core steps to mitigate your cyber risk. The Baker Report highlights these below, calling them the Basics to Minimize Risk:
Increase Awareness of Cybersecurity Issues
Employees should be aware of cyber risks and threats so they can act accordingly to prevent and mitigate an incident. Phishing emails continue to lead the charge among attack vectors. The results are destructive and plentiful: compromised credentials, malware installation, ransomware.
Organizations should proactively train the workforce on phishing and other social engineering threats. It’s also prudent to test your employees with fake phishing emails sent internally by your team. The results provide a gauge for an organization to assess their phishing resiliency. Employees who click on the test phishing email can subsequently be redirected for further training.
Identify and Implement Basic Security Measures
After your workforce has been educated on cyber threats, the next step is tackling the basic security controls. These are the preventative measures an organization can take to protect itself and address the vulnerabilities that make it a target for cyber criminals.
Here are the top security measures Baker highlights in the report:
Use multi-factor authentication for remote access to any part of the company’s network or data, e.g. email platforms like Outlook
Disable remote desktop protocol on internet-facing systems
Maintain a patch management system to ensure critical software patches are installed promptly
Remove admin rights from normal users and limit the number of admin accounts
Install a web proxy to block access to untrusted websites
Conduct periodic vulnerability scans and penetration tests to help harden your network and systems
Create a Forensic Plan
The organization’s forensic plan is a critical component of a successful incident response. A good forensic plan allows organizations to scope the incident and develop a well-informed response strategy.
Key parts of a forensic plan:
Ensure the IT team understands the organization’s data environment
Identify an external forensic firm and negotiate agreements before an incident (hint: check with your insurance carrier for forensic firms on their panel)
Conduct a tabletop exercise with the forensic team to work through response procedures
Build Business Continuity into your Incident Response Plan
With more DDoS and ransomware attacks affecting operational functionality, the focus is now on how to integrate a business continuity component into the incident response plan. As you think through the Incident Response Plan, ask yourself, “How are this incident and the resulting decisions impacting business operations and our day-to-day?” Having data and systems unavailable can shut down an organization’s primary operations (e.g. shutting down systems in a hospital would put patients at risk).
Along with the ever present threat to personal information, business operations are currently at high risk when it comes to cyber-attacks. Key questions the Baker report suggests to consider when developing or reviewing your incident response plan:
Have you conducted a business impact analysis to identify the most critical systems and the impact of downtime?
What are the systems backup procedures?
How often are the full systems backed up?
Where are the backups stored, and for how long?
What are the procedures for restoring systems and testing them to ensure functionality?
Manage your Vendors
Vendors pose a serious cyber vulnerability for organizations. Many vendors have some type of access to the organization’s systems and networks, and the vendor’s cybersecurity practices might not be up to snuff.
Take these into consideration when engaging vendors who access, process, or store sensitive information:
Do they have an incident response plan and will they share it?
Do both parties understand the information (and level of sensitivity) being given?
Is the vendor agreement following ‘minimum necessary’ access principles?
Are the business associate agreements compliant under HIPAA? (If applicable)
How are you monitoring your vendors during the relationship?
Do you have a questionnaire or checklist to gauge the vendor’s information security practices and controls?
Are there notification provisions in the agreement in the event of an incident to address required notice and who bears the financial responsibility?
For more information on accessing our services as part of your cyber insurance policy – workforce cyber training, incident response planning templates, vendor management resources – you can always reach out to email@example.com.
Small businesses can feel the pain of a cyber-attack more than most enterprises. With scarce resources to allocate beyond business operations, small businesses are a prime target for cyber criminals.
There’s a false statistic circulating that 60% of small businesses fail within six months of a cyber-attack. While the number may be exaggerated, small businesses do have a hard time responding appropriately.
It’s not surprising that a cyber-attack, with all the costs and time involved, can derail a small business. Luckily, the FTC has recently provided some recourse for the little guys.
Recognizing these struggles, the FTC launched a website dedicated to help small businesses avoid scams and protect their computers and networks from cyber-attacks.
The FTC markets their new site as, “a one-stop shop where small businesses can find information to protect themselves from scammers and hackers.”
They cite several ways small businesses are specifically targeted by cyber criminals:
Social engineering tactics charging the business for supplies they didn’t order
Soliciting donations for fake charities
Phishing small businesses into giving access and control to computers and networks
The resources on the FTC site include:
Small Business Computer Security Basics Guide
Information on responding to a data breach
Guidance on threats like ransomware and phishing
There’s been a push lately to educate small and medium sized businesses on cyber risks and threats. We’ve seen guidance trickle down from regulators (see article PCI Guide for Small and Medium-Sized Businesses), and this website from FTC provides yet another resource for businesses to leverage.
One benefit to guidance materials like these from the FTC: in the event of an incident an organization can probably gain some points with the regulators by showing their due diligence with the provided regulatory cyber tools and resources.
We also strongly encourage small businesses to take advantage of the cyber risk management resources in their cyber insurance policies. We provide policyholders with easy tools to leverage:
Phishing training courses
Sample security policies and procedures
Cyber security fitness check
Incident Response Plan templates and guidance
Reach out to firstname.lastname@example.org for any help accessing these resources, or to schedule a meeting with our Virtual-CISOs to discuss any of your cyber initiatives.
Is your organization accepting credit card transactions online? Are those transactions secure according to the Payment Card Industry’s (PCI) Data Security Standards? 66% of consumers warn they won’t purchase from an organization after they’ve had a breach of payment card information.
The PCI’s Security Standards Council released a guidance document to help educate merchants on securely accepting payment cards online. The updated guidance, Best Practices for Securing E-commerce, comes at a time when online payments are a top target for cyber criminals.
E-commerce is a growing security concern for merchants. Online sales are growing rapidly, and the EMV chip migration in the U.S. is making in-person card fraud harder. Cyber criminals recognize these trends and have turned their attention to e-commerce to commit payment card fraud.
Best Practices for Securing E-commerce
A large portion of the guidance is dedicated to the topic of SSL and TLS. There’s still confusion regarding these encryption solutions and properly selecting a certificate authority.
The PCI Council announced in December 2015 that all merchants accepting payment cards are required to adopt TLS 1.1 encryption or higher by June 2018. Google added to the urgency by warning users of their Chrome browser when they visit a website without HTTPS.
Key encryption topics discussed in the guidance include:
Guidance on selecting a certificate authority
Descriptions of different certificate types
Questions to ask service providers regarding certificates and encryption
The PCI Council is taking a proactive approach to the encryption issue with SSL and TLS. The implementation deadline is still a year away, but merchants that aren’t compliant can use this guidance to help securely accept online payments.
The Department of Health and Human Services Office for Civil Rights (OCR) has issued awareness guidance to give healthcare organizations tips to prevent Distributed Denial-of-Service (DDoS) attacks.
The guidance gives practical advice on avoiding becoming a victim of a DDoS attack. In these attacks, attackers flood a network or system with large volumes of traffic to prevent legitimate users from accessing the information or services.
The healthcare sector isn’t necessarily the biggest target for DDoS attacks, but the impact could be devastating. A DDoS attack might affect the ability to access critical healthcare assets – i.e. electronic health record databases or software-based medical equipment.
The guidance references a list of best practices from US-CERT to help prevent a DDoS attack:
Continuously monitor and scan for vulnerable and compromised IoT devices on networks, and follow proper remediation actions.
Create and implement password management policies and procedures for devices and their users. Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
Install and maintain anti-virus software and security patches. Update IoT devices with security patches as soon as patches become available.
Install a firewall, and configure it to restrict traffic coming into and leaving your network and IT systems.
Segment networks where appropriate and apply appropriate security controls to control access among network segments.
Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
Practice and promote security awareness. It is important to be aware of and understand the capabilities of IT systems, medical devices, and HVAC systems with network capabilities that are installed on Covered Entities’ and Business Associates’ networks. If a device has an open Wi-Fi connection and transmits data or can be operated remotely, it has the potential to be infected.
Follow good security practices for distributing email addresses. Applying email filters may help entities manage unwanted traffic.
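The two port-monitoring items in the US-CERT list above (port 48101 as a sign of an infected device reporting out, and 2323/TCP or 23/TCP as Telnet control attempts against IoT devices) can be checked against ordinary flow logs. The following is an added example written for this page, not code from OCR, US-CERT or the original post. It assumes a simple space-separated flow-log format (timestamp, source IP, source port, destination IP, destination port, protocol) and that the entity's own address space is 10.0.0.0/8; the log lines are constructed, with external addresses drawn from documentation ranges.

```python
import ipaddress
from collections import Counter
from typing import Iterator

# Destination ports from the US-CERT list above, with the behaviour each indicates.
WATCHED_PORTS = {
    23: "Telnet control attempt",
    2323: "Telnet (alternate port) control attempt",
    48101: "infected device reporting to threat actor",
}

# Assumed address space for the entity's own network (constructed for this example).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow-log sample: timestamp src_ip src_port dst_ip dst_port proto.
# External addresses come from documentation ranges (TEST-NET-2/3), not real hosts.
SAMPLE_FLOWS = """\
2018-03-01T10:00:01Z 10.0.5.21 54012 203.0.113.10 443 TCP
2018-03-01T10:00:02Z 198.51.100.7 41722 10.0.9.14 23 TCP
2018-03-01T10:00:03Z 198.51.100.7 41723 10.0.9.14 2323 TCP
2018-03-01T10:00:04Z 10.0.9.14 60155 203.0.113.99 48101 TCP
2018-03-01T10:00:05Z 10.0.5.21 54013 203.0.113.10 80 TCP
this line is malformed and should be skipped
"""


def parse_flows(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed line; skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, sport, dst, dport, proto = parts
        try:
            yield {
                "ts": ts,
                "src": ipaddress.ip_address(src),
                "src_port": int(sport),
                "dst": ipaddress.ip_address(dst),
                "dst_port": int(dport),
                "proto": proto,
            }
        except ValueError:  # bad address or port field
            continue


def find_suspicious(text: str) -> list:
    """Flag flows whose destination port is on the watch list, noting direction."""
    findings = []
    for flow in parse_flows(text):
        label = WATCHED_PORTS.get(flow["dst_port"])
        if label is None:
            continue
        direction = "inbound" if flow["dst"] in INTERNAL_NET else "outbound"
        findings.append({**flow, "indicator": label, "direction": direction})
    return findings


def devices_to_check(findings: list) -> Counter:
    """Count hits per internal host: targets of inbound Telnet, sources of outbound 48101 traffic.

    The hosts with the most hits are the devices to inspect and remediate first.
    """
    hits = Counter()
    for f in findings:
        host = f["dst"] if f["direction"] == "inbound" else f["src"]
        if host in INTERNAL_NET:
            hits[str(host)] += 1
    return hits


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_FLOWS)
    for f in found:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dst_port']} "
              f"[{f['direction']}] {f['indicator']}")
    print("devices to check:", dict(devices_to_check(found)))
```

In the sample, the same internal host receives Telnet attempts on both ports and then reports out on 48101, which is the pattern the guidance describes; on real traffic, an inbound Telnet attempt alone is noise from internet scanning, while an outbound 48101 connection from a device is the stronger signal.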
It’s the question we all ask our IT people… what is the best way to create a good password? The National Institute of Standards and Technology (NIST) is trying to help answer that question.
NIST is working to develop new guidelines for password policies to be used throughout the United States government. These guidelines will serve as a solid template for all organizations to use when establishing password management policies.
Password Best Practices
NIST published the draft guidance recently, so what’s new and novel here?
Favor the User. One big takeaway from the NIST guidance is the emphasis on user friendly policies. The theme is shifting towards putting the burden on the verifier. When we make password policies hard to follow, and thus passwords hard to remember, users make poor security decisions – i.e. writing their password on a sticky note next to the computer.
Knowledge-Based Authentication. KBA is no longer a best practice. In fact, it can work against security. KBA is when the website or account asks you to choose a security question that only you should know the answer to, e.g. What is your mother’s maiden name, what was your high school mascot, etc. The problem with these questions is that hackers have ample resources, from social media to social engineering techniques, to find the answers and break into your account.
Password Expiration. Expiring passwords are also dropping off the best practice list. This goes along with the favor the user approach. It’s unreasonable to expect your employees to choose long, complex passwords… and then make them change it every three months. The new guidance recommends passwords only be changed or reset if they’re forgotten or compromised.
SMS Authentication. This is a significant change, as many two-factor authentication methods involve sending a code by SMS or text message to go along with the username and password. With attacks against mobile networks – like the SS7 attack we reported here – there are serious problems with the security of SMS messages. NIST recommends no longer using SMS as a part of two-factor authentication.
Password Safety. Another bit of guidance from the NIST publication relates to the way passwords are stored. According to the guidelines, passwords need to be hashed, salted, and stretched. Technical details can be found in the NIST document, but they call for a salt of at least 32 bits, a keyed HMAC hash using SHA-1, SHA-2, or SHA-3, and the stretching algorithm PBKDF2 with at least 10,000 iterations.
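The storage recipe described above (salt, keyed hash, stretching with PBKDF2) is a few lines in the standard library. The following is an added example, not code from NIST or the original post. It uses PBKDF2 with HMAC-SHA-256 (a SHA-2 member, as the guidance allows), a 16-byte salt (128 bits, well above the 32-bit minimum) and the 10,000-iteration floor named above; the record format `pbkdf2_sha256$<iterations>$<salt>$<key>` is this example's own convention, chosen so the parameters are stored beside the hash and can be raised later without breaking existing records.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example. 10,000 is the floor the guidance above
# sets for PBKDF2; current practice uses far higher counts. The salt is 16 bytes
# (128 bits), well above the 32-bit minimum.
HASH_NAME = "sha256"   # HMAC-SHA-256, a SHA-2 member permitted by the guidance
ITERATIONS = 10_000
SALT_BYTES = 16
DK_LEN = 32            # derived-key length in bytes


def derived_key(password: str, salt: bytes, iterations: int, dklen: int = DK_LEN) -> bytes:
    """Raw PBKDF2-HMAC output; exposed so it can be checked against published test vectors."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, dklen)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash, salt and stretch a password; return a self-describing record.

    Record format (this example's convention): pbkdf2_sha256$<iters>$<salt b64>$<dk b64>
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt for every password
    dk = derived_key(password, salt, iterations)
    return "$".join([
        "pbkdf2_" + HASH_NAME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the stored parameters and compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    hash_name = algo[len("pbkdf2_"):]
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                                    int(iterations), len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy requires.

    Check this after a successful login and re-hash with the user's password then,
    since the plaintext is only available at that moment.
    """
    return int(record.split("$")[1]) < minimum_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("valid:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    old = hash_password("correct horse battery staple", iterations=1_000)
    print("old record needs rehash:", needs_rehash(old))
```

Two properties worth noticing: hashing the same password twice yields different records because the salt is random, and verification reads the iteration count from the record rather than from the current constant, which is what makes a later increase of `ITERATIONS` safe for accounts hashed under the old value.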
There are many opinions swirling from security experts about password best practices. But the reality is that when we make it too difficult and put the burden on the user, security suffers. This is proven every year when the most common password list is released and “password” takes the top spot each time. Users favor convenience over security.
When developing or reviewing password policies for your organization, these guidelines can provide a good foundation to work from and help improve the overall security of your workforce. The goal is to make it easy for employees to use good security hygiene.
The Office for Civil Rights (OCR) is focusing on the security risks involved with vulnerabilities in third-party software and applications this month.
OCR released a bulletin highlighting best practices for covered entities and business associates to consider in keeping third-party software and applications patched and updated. Here are the main points:
Test software prior to installation to discover flaws in its security on the front end
Install software patches and updated versions in a timely manner
Review software license agreements to evaluate risks to protected health information
For third-party software and applications you already have deployed, first create a comprehensive inventory of that software, applications, and medical devices. Having a record of what third-party products are in place should make it more practical to monitor any new vulnerabilities and updates from the vendors.