HOW TO IDENTIFY SENSITIVE DATA

Sensitive data is the classified records or private information that is meant to be protected and is made inaccessible to outside parties unless it is granted permission. The data may be available in physical or digital form, but, either way, sensitive data appears as private records. A moral or legal purpose can also additionally warrant the need to have more difficult regulations on those who can get admission to personal or an organisation’s sensitive data.

For example, a data breach in a government organisation could reveal sensitive information, secrets and techniques to overseas powers. The same will be applied to person or organisation data, which could pose grave risks like company spying, coverage risk, cyber threats or a breach withinside the privacy of your clients, or that of your workers. Read about the largest data breaches of 2020 to know more.

The legal definition of sensitive data describes it as information that ought to be protected against unauthorized disclosure. Typically, there are 3 important kinds of sensitive data that hackers tend to exploit, and they are personal information, business information, and classified records. If any of these data fall into the wrong hands, it could deal a deadly blow to the parties concerned, no matter who they are.

THE DIFFERENT TYPES OF SENSITIVE DATA

The sensitivity of data could be categorized into differing types and decided through federal guidelines, as procured through the security control units, industry-specific or an individual along with an Information Security Officer.

Sensitive data may be categorized into 4 types:

1.Public or Low Data Sensitivity: Data with a public class commonly pose a little-to-no hazard if disclosed, on account that public information is freely reachable by anyone. Some examples of public or low data sensitivity are data encompassing a public university directory or a business’s client pricing.

2.Internal or Moderate Data Sensitivity: This is information that isn’t supposed to be made available publicly and whilst there can be a few stages of damage if exposed, that potential damage is minimal. This could appear like a company’s organizational chart or IT provider information.

3.High data sensitivity /Confidential data
If private and confidential records are breached, it may cause enormous damage including exposure to criminal liability, cyber-attacks, etc to an individual or any organization. Examples of this sensitivity level consist of, however, is not confined to, the following: IT safety info, social safety numbers, controlled unclassified info, identifiable human subject research, student loan application data, protected health records, and so on.

4.Restricted Sensitive Data
These are relatively sensitive records that might be blanketed with an NDA (Non-disclosure Agreement) to limit criminal risk. Examples of sensitive records that could be restricted consist of alternate secrets, credit card details, Potentially Identifiable Information (PII), and so on. Additionally private information, trade secrets, employee information and customer information, intellectual property records, industry-specific records, and more. Careless disclosure of such information or records can critically damage an individual or nation as a whole.

PROTECT YOUR DATA AND PREVENT EXPOSURE

Some steps need to be taken to shield sensitive information. There are 3 steps through which sensitive information may be protected and its exposure prevented.

1,Identify all sensitive information:
The first step is to become aware of and organize all of the information primarily based on their sensitivity.

2.Quick reply and Assess risks:
Data robbery and leakage is a habitual hassle and it possibly won’t stop and it is important to investigate or assess the risks you may face. Read to know how to conduct a cyber risk assessment.

3.Monitor and put into effect security features:
This step entails growing feasible security features to guard in opposition to robbery of sensitive information. For example implementing cybersecurity solutions such as HackShield, which is a holistic and affordable solution that is simple to use and easy to implement is a good way to protect your sensitive information.

It mitigates cyber risk by:

  • Instantly discovering sensitive data and applying transparent encryption
  • Monitoring and auditing data movement at the endpoint to ensure compliance
  • Assessing the level of liability on endpoints and stratify risk
  • Tracking and protecting selected data for anyone in the system
  • Shutting down access to protected data for terminated employees or discontinued third parties
  • Monitoring third-party downloading of protected health information (PHI) on any device
  • Writing rules as to who can have access to information
  • Preventing the transfer of data to non-authorized targets

To know more about how to protect and identify your sensitive data, read our blog or follow us on LinkedIn or Twitter for updates.

SOLARWINDS SUPPLY CHAIN ATTACK & THE DARK WEB

The SolarWinds Supply Chain attack in December 2020 impacted major government organizations and companies. This incident highlights the severe impact software supply chain attacks can have on organizations and the proof that many of them are woefully unprepared to prevent and detect such threats. The attack was said to have allowed hackers to access the network of US cybersecurity firm FireEye. Even though FireEye did not name the hackers, the Washington Post reports it is APT29 or Cozy Bear, the hacking arm of Russia’s foreign intelligence service, the SVR. Read more about the SolarWinds Supply Chain breach on our blog.

Information Sold on the Dark Web

SolarWinds Supply Chain develops software, known as Orion, which helps businesses manage their own IT, networks, systems and infrastructure. It is believed that fewer than 18,000 of its major government and corporate clients were compromised. This includes US government agencies. There have been several claims from hackers, regarding stolen data and tools. More importantly, there have been attempts to sell it online. They also claim to have more data over time as they work through all the data they have. It remains to be known whether the sale or alleged data and tools are genuine.

The group speculated to be Cozy Bear or APT29 announced on the regular web and the dark web that they would be putting the data they have stolen up for sale. They are offering to sell the data in four lots – Microsoft for $US600,000, Cisco for US$500,000, SolarWinds for $250,000, and FireEye for $US50,000. Alternatively, one buyer could get the lot for $1 million.

The hackers have allegedly already uploaded the files to the dark web, however, a key or password is required for access. They say that they can prove that the data is genuine and that the sale does not include any intelligence data from the US Treasury or the Department of Commerce, which were also hit in the attack.

Cisco has revealed that there is no evidence that their intellectual property was stolen in the attack, but are aware of the website claiming to have the data for sale. Microsoft also acknowledged that they had detected malicious SolarWinds applications in its environment. One account is said to have been used to view the source code and source code repositories. However, they claim that the activity did not put the security of its services or customer data at risk.

Hundreds of thousands of companies and government organisations across the world use SolarWinds’ Orion software. Hackers infiltrated SolarWinds’ systems and inserted malicious code into updates that were sent out and installed by a number of the company’s customers. The updates were released between March and June 2020, meaning hackers were potentially able to spy on many of these organisations for many months. This is why organizations need to have the means to protect themselves from hackers by instilling dark web surveillance software. Such software alerts organizations when they or their data is at risk.

BreachShield provides comprehensive dark web monitoring and risk response guidance:

  • Network intelligence with multiple risk assessment techniques
  • Compilation of threat actor communications to identify threats in one searchable database
  • Dark web forum human-driven data analysis and advanced threat intelligence
  • Key insights into real-time risks with breach intelligence and third-party exposure
  • Protection for network assets such as infected devices, malicious access, compromised credentials, etc
  • Safeguards corporate credit cards
  • Root cause analysis by integrating data from SureShield’s modules (SecurityShieldHackShield, and ComplyShield)
  • Comprehensive risk response and remediation process

In short, the software provides 4 simple ways to mitigate your organization’s risk:

  • Discover and identify breached data
  • Establish continuous monitoring
  • Receive threat intelligence alerts
  • Guided remediation to avoid further risk exposure

Check out our website for more information on how to keep your organization safe. Follow us on Twitter and LinkedIn for some insightful updates.

HOW TO CONDUCT A CYBER RISK ASSESSMENT

There has been a marked and steady increase in cyber-attacks and cyber-criminals have a multitude of tools at their disposal to gain sensitive information. Business organizations, especially, face a greater risk. Managing risk is a critical task and the process starts with a risk assessment. If you don’t assess your risks, they cannot be properly managed, and your business is left exposed to threats. Cyberattacks do more damage than just financial loss. It could also damage a businesses reputation and involve a loss of performance which can all impact and even dissolve your business permanently. Read how data breaches continue to target the healthcare sector on our blog.

Conducting a risk assessment is a vital method to understand vulnerabilities, threats and consequences as well as their potential impact on your business.

Here are 4 steps on how to conduct a risk assessment:

1. Identify Threats

A threat is any vulnerability that could be exploited to breach security to cause harm or steal data from your organization. Hackers, malware, and other IT security risks are just a few threats. Some others are natural disasters, system failure, human error and adversarial threats (third party vendors, trusted insiders, established hacker collectives, etc). The most common threats that affect every organization are unauthorized access, misuse of information by authorized users, data leakage, loss of data and disruption of service.

2. Assess Risks 

The next step is evaluating the likelihood and consequences of each risk. Security professionals must be able to determine how often certain threats will occur. Conducting a risk assessment will help them and assess whether stronger security measures are required. This allows companies and executives to allocate a budget to hinder future cyber-attacks. It is vital to understand the nature of risks and their ability to affect daily operations. Incorporating appropriate controls and mitigation strategies can help in this feat. HackShield is a great and affordable way to address data liability within a secured environment to mitigate cyber risk by:

  • Instantly discovering sensitive data and applying transparent encryption
  • Assessing the level of liability on endpoints and stratify risk
  • Tracking and protecting selected data for anyone in the system
  • Shutting down access to protected data for terminated employees or discontinued third parties
  • Monitoring third-party downloading of protected health information (PHI) on any device
  • Writing rules as to who can have access to information
  • Preventing the transfer of data to non-authorized targets
  • Monitoring and auditing data movement at the endpoint to ensure compliance

3. Analyze Controls 

Several categories of information are needed to adequately assess your control environment. Some examples are organizational user provisioning controls, administration controls, risk management controls, etc. Read more about risk management processes on our blog. The control categories may be broadly defined as satisfactory, satisfactory with recommendations, needs improvement or inadequate. It is advised to use multiple layers of security as opposed to one for better security prospects. To mitigate cyber threats it is crucial to create a successful “culture of cybersecurity” that will be understood by the entire organization. This will result in fewer cyber-attacks and good cyber-hygiene.

4. Review Potential Risks

After the first three steps of identifying, assessing, and controlling necessary mitigation strategies, organizations must continuously be on the look-out for potential risks. If the controls prove to be ineffective, organizations should go back and re-evaluate their mitigation strategies. The growing number of sophisticated and targeted attacks put security professionals at a higher risk of attacks, which is why risk assessment should be a continuous process. The goal is to achieve fewer data breaches and reduced consequences following cyber attacks. ComplyShield can successfully help you incorporate risk mitigation techniques. It was designed to provide a unified platform for corporate healthcare compliance and risk management activities which automatically integrates with security and risk management and audit operations. It provides:

  • Simple activation of any compliance framework like HIPAA, HITECH, PCI DSS, ISO 27K, FISMA, SOX
  • Collaboration tools for all compliance activities
  • Dashboard and compliance status reports
  • Integration with SecurityShield apps to document compliance status related to IT security
  • Ready-to-use, built-in policies, procedures, and assessment templates
  • Complete audit trail to document all required activities

To know more about SureShield, follow us on LinkedIn and Twitter or email us at info@sure-shield.com for further updates.

DATA BREACHES CONTINUE TO TARGET THE HEALTHCARE SECTOR

There has been an increasing number of data breaches, ransomware and cyber attacks on healthcare organizations. Additionally, the COVID-19 pandemic has seen a bigger surge of such attacks on the healthcare sector. While some cybercrime gangs have sworn off attacking these facilities as they provide critical services; others view hospitals as easy targets since they are seen as weak and distracted by the pandemic. Tens of thousands of patient records are being stolen and being published on the dark web every week.

Here are some of the significant attacks on healthcare providers in the last few months.

Leon Medical Centre and Nocona General Hospital

A breach affecting about 500 individuals saw the patients’ records being stolen from Leon Medical Centers and posted on the dark web. The Center serves eight locations in Miami, Florida and Nocona General Hospital, which has three locations in Texas. The stolen data includes scanned diagnostic results and letters to insurers that include personally identifiable information such as name, contact information, social security number, financial information, date of birth, insurance information, etc.

At Leon Medical Centers, the data was stolen in a ransomware attack in November 2020 and was officially announced by the hospital in January 2021. A cybercrime gang known as ‘Conti’ was behind the attack. They are said to have demanded a ransom payment in return for a decryption key and have promised not to publish the   Nocona has not published a breach disclosure on its website yet. An attorney for the hospital chain has said that the company was not a victim of ransomware. The breach on healthcare providers is just the tip of the iceberg. Read about healthcare security and compliance concerns due to Covid-19 on our blog.

The University of Vermont Health Network

The hospital was forced to shut down its IT system after identifying a cyberattack on October 28, 2020. The attack infected 5,000 network computers. The system outage lasted for more than 40 days and the health system reassigned or furloughed around 300 workers who were unable to do their jobs as a result of the computer outage. The UVM Health Network brought in the National Guard’s cybersecurity unit to help restore the computers. During the outage, the health system postponed some services. The health system was estimated to lose $1.5 million per day in revenue and extra expenses and the entire incident was expected to cost more than $63 million by the time it is resolved.

Other Victims 

Ryuk ransomware affected six hospitals in the U.S. for over 24 hours. The attacks began on October 26, 2020, and the federal government reported the hit in an advisory on October 28. There was a list of 400 targeted hospitals that were circulated among Russian hackers. A few hospitals self-reported IT outages due to ransomware during that time, including Sky Lakes Medical Center in Oregon and St. Lawrence Health System, Upstate New York.

Sky Lakes Medical Center eventually purchased 2,000 new computers as a result of the attack. In response to the attack, unaffected health systems across the U.S. took preventative measures including pre-emptive email shutdowns and tightening security networks to protect against future attacks.

In the past, the federal government has issued a cybersecurity warning to healthcare providers about “credible, ongoing and persistent” threats, encouraging cyber teams and companies to continuously monitor and proactively look for issues within their networks and systems to respond quickly. Cybersecurity programs should include a very detailed and robust security awareness program as nearly all cyberattacks are initially carried out through a single user’s action. Software provided by SureShield can protect healthcare organizations and assist in implementing an enterprise-wide and risk management plan. Given the alarming healthcare data breach statistics in 2020, it is important that organizations mitigate cybersecurity risk by:

  • assessing the level of liability on endpoints and stratifying risk
  • securing local copies of data using transparent encryption
  • purging unnecessary data to reduce the amount of information stored at endpoints
  • monitoring third-party downloading of PHI on any device

To learn more about how SureShield can help, follow us on Twitter and LinkedIn for further updates or email us at info@sure-shield.com.

SOLARWINDS SUPPLY CHAIN BREACH

SolarWinds is a software company that primarily deals in systems management tools used by IT professionals. The most widely deployed SolarWinds product is Orion, which is a Network Management System (NMS). SolarWinds stated that its customers included 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, as well as hundreds of universities and colleges worldwide.

During the SolarWinds attack, hackers planted a backdoor in software updates for SolarWinds Orion platform, which could be activated when customers updated the software. A customer was the first to disclose the backdoor, which was soon called ‘Sunburst.’

The SolarWinds supply chain breach should be considered critical given that it could lead to full organization compromise. It has undoubtedly raised questions about whether your company will be impacted. To help the community understand its exposure, we have assembled a list of seven crucial questions to ask third parties in order to determine their response to this incident. See below for the questions and some possible response options to evaluate risk levels and understand potential third-party disruptions.

  • Has the organization been impacted by the recent SolarWinds “Sunburst” malware cyberattack? The answer to this question should either be a ‘Yes’ or a ‘No’.
  • What is the type of impact to the organization as an outcome of this cyberattack? There can be four different answers to this question. One answer is that there is a significant impact to the network, IT operations or security products. The cyberattack has caused systems or infrastructure to stop working or become unavailable. There has also been a loss of confidentiality or integrity of data. Another response could be that there could also be a high level of impact to the network, IT operations or security products. Service availability has been periodically lost, and there is the potential for some systems to periodically stop. Some loss of confidentiality or integrity of data. Yet another could be a low level of impact to the network, IT operations or security products. No loss of confidentiality or integrity of data; minimal or no disruption of service availability. Lastly, the cyber attack has had little to no impact on the network, IT operations or security products.
  • Does it affect critical services delivered to clients? The answer to this question could either be a ‘Yes’ or a ‘No’.
  • Does the organization have an incident investigation and response plan in place? This too can have four possible answers. First, the organization has documented incident management policy. Second, the incident management policy includes rules for reporting information security events and weaknesses. Third, an incident response plan is established as part of incident investigation and recovery. Finally, incident response planning includes escalation procedures to internal parties, and communication procedures to clients.
  • You should also inquire about a point of contact who can answer any additional queries.
  • Has the organization amended existing controls or implemented new controls to rectify and mitigate the impact the cyber-attack has had on the business? This question can have four answers. One could be that the controls have been identified and implemented to mitigate the impact from the cyber-attack. Another could be that the controls have been recognized and are currently being implemented to mitigate the impact from the cyber-attack. The third could be that the organization has identified which controls need to be updated or implemented, however, this has not been executed yet. Finally, controls are not or are not able to be administered.
  • If controls are unable to be implemented, is the organization able to execute compensating controls or methods to avoid future cyber-attacks? This can have two answers. First, compensating controls or workaround methods have been implemented which has mitigated the impact caused by the cyber-attack. Second, the organization has not identified or is able to implement compensating controls to mitigate the impact caused by the cyber-attack.

SureShield is an IT risk and compliance management partner that ensures ease when it comes to implementing CMMC level accreditation that companies require. It offers compliance assessment for applicable controls, provides audit support and allows maintenance of a state of continuous readiness. Check out our website for more information. Also read our blog on everything you need to know about CMMC and how to choose a CMMC partner to keep you safe.

OPPORTUNITIES AND NEW CHALLENGES WITH CMMC

How will Primes and Subcontractors maintain compliance?

A change is coming for government contractors who provide goods and services to the U.S. Department of Defense. In 2020, contractors will be required to comply with the recently announced Cybersecurity Maturity Model Certification (CMMC) process.

CMMC stands for Cybersecurity Maturity Model Certification. It is the latest security framework mandated by the Department of Defense (DoD) for any contractor that sells into the DoD. It outlines a range of security maturity levels that must be met and will be used by the DoD as a qualification criterion for RFPs and vendor selection.

In 2015 the DoD identified specific cyber requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) (252.204-7008 and 252.204.7012). DFARS required DoD contractors to adopt cybersecurity processes and standards created by the National Institute of Standards and Technology (NIST). All government contractors needed to represent that they had implemented the requirements of the NIST SP 800-171 by the end 2017. The framework, NIST SP 800-171, was part of a broad government initiative to protect the DoD supply chain from cyber threats and other security risks.

The framework required contractors to “self-attest” that they had met the requirements of NIST 800-171. It became apparent that this did not go far enough and CMMC was introduced to take the NIST 800-171 framework, add new levels of controls and levels of security maturity, and now require contractors to be officially certified.  The intent is to bring even higher levels of assurance to protect DoD assets. The framework defines cybersecurity practices at the highest level by domains. Each domain is then segmented by capabilities, and capabilities identify contractor achievements that ensure cybersecurity requirements are met within each domain. DoD contractors will need to demonstrate compliance with required capabilities by showing adherence to practices and processes that have been mapped across the five maturity levels of CMMC.

The CMMC Accreditation Body (AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs). Companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.

While CMMC has been rolled out, organizations are still awaiting the list of C3PAOs.  As such for an organization to work in the current environment they must meet the NIST SP 800-171 requirements and in anticipation of future contracts make sure they are prepared for CMMC certification.

The challenge resides in how to meet both requirements.  While NIST SP 800-171 will be a subset of CMMC, how can an organization go about preparing for both without adding extra layers of cost and work?  Ideally they should work in a fashion that incorporates both frameworks and allows for proper reporting on each.

Working with providers who understand how to leverage these requirements will allow an organization to make sure they are ready now and for future contracts. Utilizing software that harmonizes both frameworks and can provide the requisite reports and information to meet the current NIST 800-171 and future CMMC certification requirements will help in assuring ongoing and future business.

Learn how SureShield can assist in this process.

EVERYTHING YOU NEED TO KNOW ABOUT CMMC

In response to the increasing trend of cyber threats, the Department of Defense (DoD) recently implemented a new cybersecurity standard for contractors who work with the US Military Services in order to be assured that its vendors are adequately securing their confidential data. In one of the biggest-ever changes to Defense contracting, the Cybersecurity Maturity Model Certification or CMMC now requires contractors to go through five-tiers of network security controls that will need to be checked by third-party assessors. Getting a CMMC Assessment will now be an added cost that contractors in the Defense sector have to bear and only those who provide commercial off-the-shelf products or services will be exempt.

The Cybersecurity Maturity Model Certification combines certifications into a unified cybersecurity standard and will assess the maturity of an organization’s cyber risk mitigation practices. Defense Industrial Base (DIB) partners as well as contractors are required to meet the DoD’s new CMMC guidelines to bid on future projects.

How did the change in CMMC requirements come about?

The USA loses a whopping USD 6 Billion a year to adversaries due to exfiltration, data rights and R&D losses. With robust cybersecurity protocols in place, the loss may be  reduced by 10% or more,   money better utilized by reinvesting in partners in the industrial base to give the country a competitive edge. In other words, the changes in requirements are a reflection of the Pentagon’s endeavors to protect defense industrial base networks and controlled unclassified information from cyber attacks.

What do the CMMC rules entail?

CMMC rules will require contractors to be certified by third-party auditors to ensure that companies are adhering to certain standards. Organizations will be required to meet different levels of security, with level one being the lowest (basic cyber hygiene) and level five being the most stringent (proactive and advanced cyber practices). Each level consists of practices and processes that a contractor must follow if he wishes to achieve that level of certification.

The five levels correlate to the following:

  • Level 1 – Safeguard Federal Contract Information (FCI)
  • Level 2 – Serve as a transition step in cybersecurity maturity progression to protect CUI
  • Level 3 – Protect Uncontrolled, Unclassified Information (CUI)
  • Level 4 and 5 – Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)

To adequately prepare,  an organization will need to do the following:

  • Do Readiness Assessment and Gap Analysis
  • Create aRemediation Plan
  • Monitor and Report on findings
  • Prepare a System Security Plan (SSP)

How SureShield Can Help

Sure Shield CMMC

SureShield software can be utilized to streamline all the above processes. The solution can be used to conduct a readiness assessment and gap analysis based on the CMMC framework, identify gaps and provide a remediation plan with associated reporting and output the System Security Plan that will be required for certification. Next, we help you secure and prove to the CMMC Auditor that all key risks are understood and effectively managed by establishing a methodology to conduct risk assessment. Lastly, we build and execute a risk mitigation plan to help you get your CMMC certification by fixing gaps that need to be addressed for you to implement an actionable Risk Treatment Plan.

ANALYZING THE HEALTHCARE SECURITY & COMPLIANCE CONCERNS DRIVEN BY COVID-19

While the global healthcare sector focuses its attention on fighting the Covid-19 Pandemic, cyber criminals have been quick to take advantage with attacks having risen over 300% since the pandemic began. From the U.S. Department of Health and Human Services reporting an attempted DDoS attack, to the World Health Organization revealing that it has had double the cyber attack attempts on its systems, the vulnerabilities of the healthcare IT and cybersecurity systems have continued to be highly stressed.

What makes healthcare-related data so attractive?

The healthcare sector was already under attack much before Covid-19 took the world by storm. Public Health Records offer the most detailed individual data available anywhere – and for scammers looking to commit identity theft, credit card scams and other fraudulent activities, stealing medical records prove to be the most financially attractive means to do so.

Such data is in huge demand and is bought and sold at lucrative prices, unlike simple credit card and social security numbers which are worth as little as a few cents. Unlike organizations in other sectors, for hospitals, getting their compromised systems back up and running as quickly as possible can be a matter of life-and-death and it is because of this that  they are more likely to pay what the attackers demand. Further, the healthcare industry is far behind in terms of digital literacy and cyber security. Many use outdated software and have insufficient regulations, making them easy targets.

Even in the routine functioning of a hospital, many of the devices are interconnected via the Internet of Medical Things (IoMT), opening them up to vulnerabilities and giving fraudsters plenty of opportunities. Each connected device acts as another gateway through which an attacker can access and hack devices and networks. While hacking into internal communication systems is dangerous, imagine how dire the situation can get when devices such as surgical equipment and ventilators are tampered with.

How COVID exposes even more vulnerabilities

With employees working from home and accessing sensitive company information, possibly with unsecure internet connections, organizations don’t have much control over the unsecure networks or devices that employees use. The systems and data can be easily compromised, especially when personal data is accessed or unsecure websites are accessed. To add to this, health systems are understaffed in terms of IT and Cybersecurity Professionals.

Before Covid-19, tele-activities in healthcare were not common. But today, teleworking, teleconferencing, tele-governance and telehealth have become a vital need. There has been very little time to digitize healthcare to that extent and with haphazard systems put together in a short span of time, windows of opportunities have opened up for cyber criminals.

Cyber security in healthcare in the past was overlooked as it didn’t score high in essential services to the healthcare industry. But now, healthcare organizations need to ensure that vendors and services providers have these controls in place, and they need to do it in a very short span of time.

At SureShield, we can help – we provide technology that allows your organization to mitigate the risks related to your cybersecurity before they’ve even begun, while always keeping you in compliance with critical regulations.  For a healthcare organization to ensure resilience and continuity of their essential services, there is a need to focus on securing their digital assets with a multi-pronged approach to managing risks over the short and long term

ADDRESSING CYBER ATTACKS: 10 KEY STRATEGIES TO CYBER SECURE YOUR HEALTHCARE ORGANIZATION

This is Part 2 of a 2-part series on cyber attacks in the healthcare industry and steps to take to protect your healthcare organizations from cyber attacks. Part 1, “Understanding Cyber Attacks: A Growing Threat for the Healthcare Industry,” covered the growth of cyber attacks on the healthcare industry, why the industry is being targeted, and the vulnerabilities of the industry that makes it prone to cyber attacks.


Why are Cyber Attacks such a big Problem for Healthcare?

Cyber attacks are a big problem for healthcare due to the significant negative impacts they can have on a healthcare organization and the industry as a whole. These include:

  • Breach of privacy: when a cyber attack results in a data breach, patients’ protected health information (PHI) is exposed and their privacy is breached. This is major for a healthcare organization as it has many ripple effects including possible lawsuits from patients, HIPAA fines for violations, loss of confidence in the organization which can result in a loss of potential patients, among other things. These factors all negatively impact the bottom-line of the organization.
  • Reduced patient safety: cyber attacks that shut down hospital Electronic Health Records (EHRs) increase the risk to patient safety as without the ability to access these records, patients can be improperly treated. If medical devices such as MRI machines, ventilators, and infusion pumps are attacked, improper diagnoses, treatments, and deaths can result.
  • Disruption of services: a cyber attack can incapacitate a healthcare facility, shutting down its systems making it unable to function. The National Audit Office’s investigation into the WannaCry attack on the NHS, found that 34 trusts were infected and locked out of their devices and 46 were not infected but reported disruptions. This resulted in 6,912 appointments being cancelled, with an estimate of more than 19,000 appointments that would have been cancelled in total, based on the normal rate of follow‑up appointments to first appointments.
  • Financial loss: this is a significant factor in the burden of cyber attacks on healthcare facilities. Fines for HIPAA violations may be one of the main financial losses associated with breaches to PHI which can result from a cyber attack. On May 6, 2019, the US Department of Health and Human Services (HHS) announced that Touchstone Medical Imaging would be paying the Office for Civil Rights (OCR) of the HHS $3,000,000 for violations of HIPAA to settle a data breach that resulted in the PHI of 300,000 patients being exposed. This is a large sum of money for a single breach and could rise exponentially should further breaches occur. Some facilities choose to pay ransom demands rather than allow their systems to be compromised for any extended period. In June 2019, reports are that NEO Urology in Boardman Ohio paid hackers $75,000 in Bitcoins to unlock their computer system which was hacked and all data encrypted. The system was reportedly held hostage for 3 days and the organization told police that they lost between $30,000 and $50,000 per day. Financial loss can also result if there are lawsuits from patients affected by exposure of their PHI and from loss of business resulting from a loss of confidence in the organization.
  • Damage to reputation: data breaches can damage the reputation of a healthcare organization especially if these breaches occur relatively frequently. People will eventually lose trust in an organization if they are not confident that their PHI will be secure. This will lead to a loss of business and financial loss which can ruin an organization.

What are the Key Strategies to Cyber Secure your Healthcare Organization?

As demonstrated above, cyber attacks create huge problems for healthcare organizations, therefore ensuring your organization is cyber secure by implementing cyber attack and data breach prevention strategies, should be a priority for all players in the healthcare industry. While cyber attacks and data breaches may ultimately be unavoidable, being vigilant and implementing mitigation strategies are critical to keeping a healthcare organization cyber secure. Below are some key components to creating a cyber secure healthcare organization:

  1. Financial investment: make cybersecurity a major line item in the budget. This is essential as it requires money to keep on top of all the current and emerging cybersecurity threats.
  2. Human resource investment: hire highly trained and qualified individuals to handle the IT infrastructure. Also, ensure continuous training of IT staff to ensure that they can handle new and emerging cyber threats.
  3. Network and infrastructure: invest in updated computer hardware and software with supported versions of Microsoft Windows. Additionally, consider implementing technical defensive strategies such as network segmentation, firewalls, next-generation firewalls/unified threat management gateways, anti-malware solutions, anti-phishing solutions, encryption technologies, breach detection systems (BDS), vulnerability scanners, and deception technologies.
  4. Threat modelling: risk assessment: develop a tool for assessing the overall security of your organization’s IT infrastructure by systematically identifying, classifying, and quantifying the amount of risk presented by each threat being evaluated. Conduct self-audits, penetration tests, and risk assessments to find out where the vulnerable/leak points are in your IT systems, and where there is potential for data exposure. Implement measures to reduce and/or eliminate risks identified through the threat modelling and risk assessments and ensure that all endpoints are adequately protected.
  5. System updates: update all systems regularly with all the latest patches.
  6. Policies, procedures, regulations, and standards: develop, implement, and ensure adherence to IT policies and procedures. Institute a Bring your own device (BYOD) policy that covers areas such as connecting personal devices to the organization’s network and transferring sensitive information to personal devices. Ensure that your organization in in compliance with all the requisite regulations and standards that govern the healthcare industry.
  7. Training: staff must be adequately trained and knowledgeable of the organization’s IT policies and procedures which must be enforced. Additionally, conduct regular social engineering training to ensure staff are able to recognize potential threats.
  8. Develop a security strategy: the organization should develop a security strategy that brings together all the components that govern and impact IT security. It should include an incident response protocol that stipulates how all employees ought to respond should they either discover a security breach or receive a report of a breach. A pre-established incident response team should also be in place that can be quickly mobilized in case of a breach. This team can be composed of members from different functions such as technical, risk management, compliance, human resources, legal, public relations and executive management.
  9. Implement vendor and third-party risk management programs: these can include only purchasing medical devices from manufacturers who go through rigorous security assessment of the products during design and manufacture; performing risk assessments on all vendors and suppliers; and identifying third-party vendor software and performing security and vulnerability testing to ensure they are safe from hackers.
  10. Technological investments: invest in technology to help monitor your IT systems for potential threats and to help you recover once a breach has occurred. Technologies exist that can identify and encrypt unprotected files, search your systems for sensitive data and quantify the data that may be at risk, and continuously monitor systems for any suspicious activity and protect endpoints from being hacked. It is also possible to utilize technology to monitor data in the Dark Web to ascertain what records have been compromised and steps to take to recover if your system has already been breached.

Cyber attacks on the healthcare industry are growing. They are a nuisance, they disrupt services, they are expensive, they can damage an organization’s reputation, and recovering from an attack can be difficult. However, you can take steps to cyber secure your healthcare organization by implementing the 10 strategies listed above. These will put you ahead of the game and help you prevent and/or minimize the effect of a cyber attack.

To learn more about simple Healthcare compliance and managing data risk security from cyber attacks, download the playbook here.

UNDERSTANDING CYBER ATTACKS: A GROWING THREAT FOR THE HEALTHCARE INDUSTRY

This is Part 1 of a 2-part series addressing cyber attacks in the healthcare industry and key strategies to employ in ensuring that your systems are protected.

As the world becomes more technology driven, there has been a corresponding rise in cyber attacks on technological systems, and cybersecurity has become of paramount importance. The healthcare industry is no exception, experiencing attacks from ransomware, data breaches, distributed denial of service (DDoS) attacks, insider threat, and business email compromise and fraud scams, according to an article by the Center for Internet Security.

The prevalence of these attacks in healthcare is increasing, with a Cylance Annual Threat Report noting that for 2017, ransomware attacks were the major cause of cyber attacks, increasing 3-fold during the year and impacting the healthcare industry the most.According to the Health Information Trust Alliance (HITRUST), the number of ransomware families has been increasing since 2012 with an over 700% increase from 2015 to 2016, and a further 32% increase in 2017 over 2016 (Figure 1).

Data from the Privacy Rights Clearinghouse showed that for hack breaches that were publicly reported in 2018, the healthcare industry was significantly more affected than other Industries (Figure 2).

BSF: Businesses – Financial and Insurance Services
BSO: Businesses – Other
BSR: Businesses – Retail/Merchant – Including Online Retail
EDU: Educational Institutions
GOV: Government and Military
MED: Healthcare, Medical Providers and Medical Insurance Services

In May of 2017, the now infamous WannaCry ransomware was unleashed globally, attacking and locking down data and/or shutting down computers in countries around the world. Hospitals across the National Health Service (NHS) in the United Kingdom were significantly impacted with at least 80 of the 236 trusts across England affected and infecting another 603 primary care and other NHS organizations, according to an investigation carried out by the National Audit Office.

Today, WannaCry is still active and unmanageable as found by a survey conducted by internet of things security company Armis:

  • 103 countries are still impacted
  • Over 145,000 devices worldwide are compromised
  • At least 3,500 successful WannaCry attacks per hour, worldwide
  • 22% of Internet service providers (ISPs) have customers impacted by WannaCry
  • 60% of manufacturing organizations and 40% of healthcare organizations suffered a WannaCry attack in the past six months

Why is the Healthcare Industry being Targeted?

As previously stated, the healthcare industry is being increasingly targeted in cyber attacks and this is primarily because of the information available in the industry. The main motivation behind cyber attacks in healthcare is financial gain as patient medical information is very lucrative on the Dark Web. According to reports, medical records can be much more valuable to criminals than financial data and can be worth ten times more than credit card numbers. A global study conducted between February 2017 and April 2018 by the Ponemon Institute on behalf of IBM Security found the highest data breach resolution costs were for healthcare data breaches, costing an average of $408 per record compared to $206 per record for financial services data breaches.

“Healthcare providers such as hospitals are highly visible targets and attacks against them will be high impact, which in itself is a key motivator for many of these perpetrators. Disruptive attacks can disable, sabotage, or knock offline critical systems inside a hospital. The health and safety of vulnerable patients suffer as a result.”

– HITRUST Report

Stolen patient information can be used to create fake credit cards, obtain medical services, and commit insurance fraud, among other things. It also usually takes some time for a patient to realize their identity has been stolen which gives criminals time to carry out their nefarious activities. This contrasts with stolen financial data which is most times quickly realized.

The unique nature of healthcare also makes it an easy target for quick money as some leaders prefer to pay the ransom demands to get their systems back online after a ransomware attack, as the inability to access systems and patient data can be literally a matter of life and death.

What makes the Healthcare Industry so Vulnerable to Cyber Attacks?

Healthcare organizations are particularly vulnerable to cyber attacks for various reasons. Coventry and Branley (2018) in a review of trends and threats to cybersecurity in healthcare, noted that traditionally no one believed that healthcare systems would be attacked and as such, protective measures were not seen as important. In their study they found that vulnerabilities in the healthcare industry originate from increase in technological connectivity, more continuous monitoring of patients outside of the clinical environment, and the widespread use of mobile consumer devices. Vulnerabilities exist due to other factors such as increased use of technology in healthcare, legacy systems with non-supported versions of Microsoft Windows, systems not updated to plug known vulnerabilities, and inadequate security mitigation policies.

INCREASED USE OF TECHNOLOGY IN HEALTHCARE

Traditionally, healthcare was mainly paper based with health records kept in a file room only accessible by authorized personnel. However, healthcare is following the lead of other industries and is increasing its use of technology. Additionally, the Health Information Technology for Economic and Clinical Health (HITECH) Act which was signed into law in 2009, promotes the adoption and meaningful use of health information technology, particularly electronic health records (EHR) whose adoption has been incentivized. Federal policies like these are driving technological advancement in healthcare. While this is great for improved patient care, it also opens the door for security vulnerabilities and possible hacking by unscrupulous individuals.

INCREASE IN TECHNOLOGICAL CONNECTIVITY

The healthcare landscape is becoming more and more connected technologically as providers seek better ways of caring for patients, especially those with chronic conditions. There is a myriad of medical devices being used to monitor and care for patients, extending lives and improving quality of life. In the past these devices were stand-alone systems but are now becoming interconnected through an organization’s network, making them potential points of vulnerability for cyber attacks.

GROWTH IN USE OF MOBILE CONSUMER DEVICES

The use of mobile technology in healthcare is increasing with smartphones and wearable devices being used by individuals to monitor medical conditions or just general health status. This presents another area of vulnerability as these general-purpose devices now hold important personal health information (PHI) that could be easily exposed in a breach.

90% of healthcare IT decision makers “plan to implement or are currently implementing a mobile device initiative as a way to improve patient care, facilitate efficiencies within care teams or both.”

– HIMSS

LEGACY SYSTEMS WITH OUTDATED, NON-SUPPORTED VERSIONS OF MS WINDOWS

The rapid rise in the use of technology in healthcare has led to many healthcare organizations struggling with old legacy systems as investment in cybersecurity has not kept up with emerging technologies. Additionally, the focus of healthcare is on patient care which at times cause other areas such as technology to be left lagging. In the WannaCry attack, most, if not all, of the systems affected were operating on outdated versions of Windows that are no longer supported by Microsoft. A cybersecurity survey by Infloblox found that 22% of healthcare IT professionals reported having Windows 7 in their organizations and 20% reported that Windows XP was operating on their network, both of which are no longer supported by Microsoft. The survey also found that medical equipment such as MRI scanners were operating on these outdated systems. Equipment operating on vulnerable operating systems can be easily exploited and attacked by malware introduced into the network.

SYSTEMS NOT UPDATED WITH REQUIRED PATCHES TO PLUG KNOWN VULNERABILITIES

Even where the systems being used are supported by Microsoft, updating and plugging known vulnerabilities is often a challenge. In our experience, businesses routinely scan their network and systems for vulnerabilities but fail to apply required fixes or patches in a timely manner. Several patches or updates can be applied automatically, but in many instances on some networks or systems, this has to be done manually. Also, specific remediation steps must be followed at times which require appropriate staff with the proper knowledge to execute.

INADEQUATE SECURITY RISK MITIGATION POLICIES OR PROCEDURES TO FOLLOW IN ORDER TO ADDRESS CURRENT OR EMERGING IT THREATS

Maintaining a secure cyber environment is a huge task especially in the current environment of new and varied threats. This is another area that some healthcare organizations struggle with as shown by the Infloblox survey which found that 15% of UK healthcare IT professionals and 11% of their US counterparts did not believe that their current security policy for newly connected devices was effective. This led the authors to surmise that hospitals and health centres may be rapidly adopting new connected devices without due care and attention being paid to security policies.

The threat to the healthcare industry from cyber attacks is real and growing. Healthcare organizations need to understand these threats, realize what is at risk, know where their vulnerabilities are, and take proactive steps to protect themselves.  There are many innovations on the market to help healthcare organizations continuously monitor and protect their systems from cyber attacks, as well as to help them recover in the event of a breach. Part 2 of this blog series (Addressing Cyber Attacks: 10 Key Strategies to Cyber Secure your Healthcare Organization) will explore key strategies and practical how-to solutions that can better prepare your healthcare organization from cyber attacks, ransomware, and data theft.

Download the Playbook for Corporate Compliance in Healthcare for a step-by-step guide for compliance and data risk security.