DATA BREACHES CONTINUE TO TARGET THE HEALTHCARE SECTOR

There has been an increasing number of data breaches, ransomware incidents and cyber attacks on healthcare organizations, and the COVID-19 pandemic has brought a further surge of such attacks on the healthcare sector. While some cybercrime gangs have sworn off attacking these facilities because they provide critical services, others view hospitals as easy targets, seeing them as weak and distracted by the pandemic. Tens of thousands of patient records are being stolen and published on the dark web every week.

Here are some of the significant attacks on healthcare providers in the last few months.

Leon Medical Centers and Nocona General Hospital

A breach affecting about 500 individuals saw patients’ records stolen from Leon Medical Centers and posted on the dark web. Leon Medical Centers operates eight locations in Miami, Florida; Nocona General Hospital has three locations in Texas. The stolen data includes scanned diagnostic results and letters to insurers containing personally identifiable information such as name, contact information, social security number, financial information, date of birth, insurance information, etc.

At Leon Medical Centers, the data was stolen in a ransomware attack in November 2020, and the breach was officially announced by the hospital in January 2021. A cybercrime gang known as ‘Conti’ was behind the attack. They are said to have demanded a ransom payment in return for a decryption key and to have promised not to publish the

Nocona has not published a breach disclosure on its website yet. An attorney for the hospital chain has said that the company was not a victim of ransomware. These breaches of healthcare providers are just the tip of the iceberg. Read about healthcare security and compliance concerns due to COVID-19 on our blog.

The University of Vermont Health Network

The hospital was forced to shut down its IT systems after identifying a cyberattack on October 28, 2020. The attack infected 5,000 network computers. The system outage lasted for more than 40 days, and the health system reassigned or furloughed around 300 workers who were unable to do their jobs as a result of the outage. The UVM Health Network brought in the National Guard’s cybersecurity unit to help restore the computers. During the outage, the health system postponed some services. The health system was estimated to be losing $1.5 million per day in revenue and extra expenses, and the entire incident was expected to cost more than $63 million by the time it was resolved.

Other Victims

Ryuk ransomware affected six hospitals in the U.S. for over 24 hours. The attacks began on October 26, 2020, and the federal government reported the hit in an advisory on October 28. A list of 400 targeted hospitals was circulated among Russian hackers. A few hospitals self-reported IT outages due to ransomware during that time, including Sky Lakes Medical Center in Oregon and St. Lawrence Health System in upstate New York.

Sky Lakes Medical Center eventually purchased 2,000 new computers as a result of the attack. In response to the attacks, unaffected health systems across the U.S. took preventative measures, including pre-emptive email shutdowns and tightening network security to protect against future attacks.

In the past, the federal government has issued cybersecurity warnings to healthcare providers about “credible, ongoing and persistent” threats, encouraging security teams and companies to continuously monitor their networks and systems, proactively look for issues, and respond quickly. Cybersecurity programs should include a detailed and robust security awareness program, as nearly all cyberattacks begin with a single user’s action. Software provided by SureShield can protect healthcare organizations and assist in implementing an enterprise-wide risk management plan. Given the alarming healthcare data breach statistics in 2020, it is important that organizations mitigate cybersecurity risk by:

  • assessing the level of liability on endpoints and stratifying risk
  • securing local copies of data using transparent encryption
  • purging unnecessary data to reduce the amount of information stored at endpoints
  • monitoring third-party downloading of PHI on any device

To learn more about how SureShield can help, follow us on Twitter and LinkedIn for further updates or email us at info@sure-shield.com.

HOW TO CHOOSE A CMMC PARTNER

With the latest updates by the Department of Defense (DoD), a Cybersecurity Maturity Model Certification (CMMC) has to be obtained to do any business with the DoD. With the DoD moving away from self-certification models, vendors who service the DoD now face new issues if they choose to continue supplying the Defense Industrial Base (DIB). The CMMC is now a prerequisite for all DoD contractors. Since there are several cybersecurity maturity levels, the level you wish to achieve will help you decide which type of assistance you will need.

Choosing a Cybersecurity Maturity Model Certification partner does not have to be an intimidating task. There are a few important things that your organization should look for during the hiring process:

CERTIFIED THIRD-PARTY ASSESSMENT ORGANIZATION

The assessing organization should be a Certified Third-Party Assessment Organization (C3PAO). Your CMMC partner must hold C3PAO accreditation; without it, they are not equipped to provide Cybersecurity Maturity Model Certification.

STRONG BACKGROUND AND EXPERIENCE

Look for a C3PAO that has a solid background and experience in cybersecurity, rather than an organization that offers cybersecurity only as a secondary or tertiary service. C3PAO status is not confined to one industry; any organization that pays the fees and meets the requirements can obtain it. This does not always mean they are the best fit for you, or that they can deliver the services effectively. For example, if company A is an IT services company and company B is a cybersecurity specialist business, then even though both fall more or less under the IT industry and both are C3PAOs, company B has the capability and expertise to provide the certification efficiently. This is because company B has professional knowledge of implementing cybersecurity extensively, not only for CMMC but for your business as a whole.

PREVIOUS KNOWLEDGE OF NIST 800-171 AND DFARS

Look for providers with knowledge of the NIST 800-171 framework and DFARS. It is best to take on a partner who has previous experience with the structure that the CMMC model is based on. The two main frameworks that the Cybersecurity Maturity Model builds upon are NIST 800-171 and the Defense Federal Acquisition Regulation Supplement (DFARS). So when finding and choosing a partner for certification, be sure to check whether they have previous experience, specifically with the NIST 800-171 framework. This is the framework that the DoD currently requires an organization to adhere to if it wants to take part in the DoD supply chain. Even though it is possible to self-certify, many organizations still employ a specialist to ensure that the process is done thoroughly and effectively. The only difference with the release of CMMC is that certification by a C3PAO has become a legal requirement for any contractor that does business with the DoD.

SureShield offers compliance assessments for applicable controls, provides audit support and helps you maintain a state of continued readiness. Using SureShield, you will be able to perform the activities required to achieve and maintain CMMC compliance. Your organization can work with us by contracting for our ComplyShield solution for CMMC or through one of our MSP partners. After the basic assessment, we provide your team with guidance to achieve compliance based on the completion of “Action Plans”. Check out our website for more information. Read our blog for everything you need to know about CMMC and the opportunities and challenges that come with it. For any questions, reach out to us on Twitter and LinkedIn.

WHAT LEVEL OF CMMC CERTIFICATION DO YOU NEED?

In response to the growing number of cyber threats, which have resulted in billions of dollars’ worth of losses, the Department of Defense (DoD) introduced its newest certification system, the Cybersecurity Maturity Model Certification (CMMC), on January 21, 2020. The CMMC is designed to safeguard important DoD information, namely Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It also attempts to mitigate the cyber threats associated with storing and sharing that data.

The CMMC level that an organization will need to achieve depends upon the sensitivity of the DoD information it will work with and the scale of the cyber threats associated with that information. Therefore, the more important the CUI, the higher the CMMC level required. Prior to CMMC, companies could self-attest their compliance under the Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171. Because no proof of adherence to security practices was required, companies with security gaps could carry on providing their products and services to the DoD. This inevitably led to breaches and disruptions in the defense supply chain.

WHICH COMPANIES NEED TO BE CMMC CERTIFIED?

  • If your company receives, processes, or creates CUI, your organization will need to be Level 3 or above.
  • If your company handles “High Value Asset (HVA) CUI”, your organization will need to be Level 4 or 5.
  • If neither of the previous statements applies to your company, you will likely only be required to meet Level 1 or 2.

Read on to find out more about each level.

LEVEL 1

Level 1 demonstrates “Basic Cyber Hygiene.” The 17 controls of NIST 800-171 Rev1 need to be implemented by DoD contractors who wish to pass the Level 1 audit. The first CMMC level is about meeting the basic requirements to protect FCI. It ensures that all employees use up-to-date antivirus software and strong passwords that protect them from unauthorized third parties. This is the only level where documentation does not need to be audited; the company just needs to perform the practices. All organizations with an active DoD contract should be able to achieve CMMC Level 1 compliance without concern and with minimal effort required to reinforce their cybersecurity defenses.

LEVEL 2

Level 2 demonstrates “Intermediate Cyber Hygiene”. This level requires an organization to establish and document practices and policies to guide the implementation of its CMMC efforts. Documentation of practices and processes is introduced at this level to ensure practices are performed in a repeatable manner. It consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Here, DoD contractors must implement another 48 controls of NIST 800-171 Rev1 plus seven new “Other” controls.

LEVEL 3

Level 3 demonstrates “Good Cyber Hygiene”. At this level, the organization must establish, maintain and resource a plan that demonstrates how the activities for practice implementation are managed. The plan needs to include details on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders. Those who would like to attain Level 3 compliance need to constantly evaluate all activities against their cybersecurity policy. At this level, organizations are expected to support activities and review policies and processes, demonstrating a plan to manage specific tasks. The final 45 controls of NIST 800-171 Rev1 plus 13 new “Other” controls must be applied to achieve Level 3 certification.

LEVEL 4

Level 4 demonstrates “Proactive” cybersecurity. Organizations at this level are able to take corrective action when necessary. They also notify higher-level management of status or issues on a recurring basis. In addition to Levels 1 through 3, 11 more controls of NIST 800-171 Rev2 plus 15 new “Other” controls must be implemented. Both CMMC Level 4 and Level 5 focus on addressing the changing tactics, techniques, and procedures used by Advanced Persistent Threats (APTs). The CMMC domains include Access Control, Awareness and Training, Configuration Management, Maintenance, Physical Protection, Recovery, Situational Awareness, and more. At Level 4, organizations are expected to analyze and document practices for effectiveness and advise upper management on any issues.

LEVEL 5

Level 5 demonstrates “Advanced / Progressive” cybersecurity. Level 5 requires an organization to standardize and optimize process implementation across the organization. Level 5 focuses on the protection of CUI from APTs. To achieve this highest level, DoD contractors must implement the final four controls in NIST 800-171 Rev2 plus 11 new “Other” controls. Organizations at this level are expected to standardize and regulate process implementation across the enterprise. The main difference between Level 4 and Level 5 is that consistency is achieved across the entire organization through a proactive cybersecurity plan and standardized processes. Contractors must put in place 171 security controls, grouped into 17 domains, to achieve compliance with the highest CMMC level.

As your organization moves forward, it helps to have an IT risk and compliance management partner that understands the complexities and nuances of dealing with Department of Defense contracts. SureShield makes it easier to achieve the CMMC level accreditation that companies require to bid for and win contracts with the DoD. Read our blogs about opportunities and new challenges with CMMC and everything you need to know about CMMC for more information on the subject.

Follow us on Twitter and LinkedIn for new updates.