2020 predictions

We need to get on the record with our 2020 predictions even if we both agree we have no freaking idea what is going to happen in 2020.  If anyone out there says they honestly believe they have a true beat on it, check them out.  We do have a few 2020 predictions that we feel sure enough about to say out loud to you guys.


In this episode:

2020 Predictions Sortof – Ep 236

The HIPAA Boot Camp

Confirmed 2020 Sessions Dates

March 24, 25, 26

Tucker, GA

For info go to TheHIPAABootCamp.com

Registration Form

 

Share Help Me With HIPAA with one person this week!

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

2020 Predictions Sortof

David’s Personal 2020 Predictions

  1. AI & Deep Fakes will start to become a bigger cyber security problem
  2. 5G will result in the first public disclosure of a data breach caused by a mobile device

Donna’s and David’s Agreed Upon 2020 Predictions

A lot of big settlements are going to make the news and OCR enforcement will tear it up between now and the election.  OCR will not be the only one to watch because the states are going to get rolling on this as well.

There are too many things going on out there that I know about, much less the ones I haven’t even heard about yet.  Access to patients’ records better be on your list to get cleaned up because that train has left the station and will run over you if you aren’t taking care of it now.  BAs better get ready because they will be on the hot seat once more of the enforcement actions include them.  State action is beginning to make noise, but California officials won’t be enforcing CCPA right away.  They plan to take it easy until the fall.

New authentication methods will be tested but no one solution will become the go to solution just yet.

Attackers are already working on ways to bypass 2FA, either by technical means or by social engineering.  We are testing as many of the new methods as we can around here.  I do have to say I love my Gatekeeper device at my desk, and those guys have some new things like integration with a fingerprint reader which I look forward to watching progress.

LastPass tools have been our go-to for years.  New features are rolling out from them; LastPass Identity Solution will be the next thing we need to figure out.  I haven’t worked it all out yet, but it is the next step in simplifying multi-factor authentication where you have no idea what the super complex passwords in place are.  Better remember to tell my team about that before this comes out and they hear about it at the same time as you guys.

NO MORE ADMIN/ADMIN TYPE DEFAULTS ON DEVICES!  Please, vendors, get in line with the requirement to stop setting up the simple logins.  Yes, I loved them when I was doing tech support because I could just look it up and get into most devices.  That is NOT a good idea today.

IoT / OT / IoMT will be the source of a healthcare data breach in 2020.

Alexa still hasn’t stopped recording you even if your skills are on the HIPAA section. The device itself can still be tricked to log conversations within a specific skill.  You load the skill and boom your stuff is being tracked.  Amazon removes the skill but lets the vendor add it back in a few days according to Threatpost’s article.

Shout out to Alex for making sure I didn’t miss that Threatpost story.  He knows how much we just LOVE these smart speaker assistant things in healthcare.

Ransomware gets much, much worse is the most solid one of our 2020 predictions

Consumers are no longer the focus of ransomware gangs; they have shifted to businesses and governments. Targeting will continue to increase because they have been very, very successful in 2019.  Emsisoft’s 2019 ransomware report has some staggering stats in it:

In 2019, the U.S. was hit by an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 966 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion. The impacted organizations included:

        • 113 state and municipal governments and agencies.
        • 764 healthcare providers.
        • 89 universities, colleges and school districts, with operations at up to 1,233 individual schools potentially affected.

The incidents were not simply expensive inconveniences; the disruption they caused put people’s health, safety and lives at risk. (The State of Ransomware in the US)

BTW, they state that they released their report earlier because Pensacola’s data was published on the web.  Emsisoft feels that we have reached a crisis state with data now being exposed and people need to be aware and take immediate action.

On my first pass of the report I thought, they sell anti-malware tools, so take it with a grain of salt. Upon reading more details I realized a lot of their data came from other studies and the traffic stats reported came from more sources than just them.  They even point out when there are numbers others provide that they couldn’t confirm.

“The healthcare sector was the most popular target in 2019, with at least 764 providers being impacted by ransomware.”

Emsisoft also stated healthcare was the most popular segment, shocked I know.  Plus, they say at least 764 providers were impacted.  That is just the cases that we know about, not the ones who have never reported anything.  I am absolutely certain this number is closer to 1000 if not more.

Multiple practices have elected to close their doors after ransomware attacks and that will not be the end of it.  We have heard of at least 2.  OCR’s approach to these cases will be very interesting to watch, but who knows when we will learn the details about those cases, if ever.

But wait, it gets worse.

We can now confirm that attackers are working within the network for months and exfiltrating data BEFORE dropping the ransomware payload.  Now that they have taken it up to this level, very few ransomware victims will be able to make a reasonable determination that there was no network infiltration or exfiltration of data.  At least two gangs have confirmed it with official announcements and actions.  Maze started outing those who did not pay on their own version of the wall of shame, including sharing data they took from the systems.  The Sodinokibi group announced that they plan to start doing the same as Maze by publishing the data of those who do not pay.  Unless you can prove for certain that the ransomware that hits your office is basic, run-of-the-mill simple stuff, you will be reporting breaches all over the place.

Here’s the next thing we must figure out.  The FBI and everyone else, including us, always says do not pay the ransom.  But in healthcare someone will have to decide what happens if you don’t pay and they publish the data online.  Whose fault will that be considered when it comes to HIPAA?  Either way you look at it under current rules, you may be screwed.

But wait, it gets even worse.

Paying the ransom doesn’t mean you get your data back and magically all of your systems are up and running again in a couple of hours.  That has become very clear now, so don’t build a plan around paying them off.

We started last year talking about Ryuk targeting businesses and not having a well working decryption tool.  It was all new back then.  Today there is that problem and so much more to address once you are hit.  In fact, even when you pay you may not be able to effectively recover your business.  This company made news by closing their doors just before Christmas because even after paying the ransom they haven’t recovered.

An Alabama hospital was hit this fall and did have to turn away cases and postpone non-emergent surgery, which has gotten them hit with a class action lawsuit at the FEDERAL level.  This case is about real patient care issues, not worries over identity theft, etc.  They are suing because the community’s access to healthcare was dramatically impacted.  Hopefully, the provider can show they were doing everything they could be expected to do under HIPAA plus more.

MSPs are a specific target to be used to attack all of their clients at the same time.

MSPs MUST get their act together to protect their client base from ransomware attacks or risk losing not only their own business but damaging the reputation of the industry as a whole.  This has continued to be an issue because the IT companies have paid in many cases.  In others, they just abandoned their clients.  Either way, those don’t look like good solutions.  There have been two example cases in the last month of just how bad this situation has become:

Christmas Eve appears to be when Irvine, Calif.-based Synoptek, an MSP that maintains services for 1,100 customers across a broad spectrum of industries including healthcare, was hit with a ransomware attack that spread to all of its customers.  Word on nerd street is they paid a hefty sum to start recovery.

Complete Technology Solutions (CTS), which serves over 100 dentists along with some other businesses, was hit earlier in the month and their website is missing information.  Not as gone as the group we talked about in Oregon who did just disappear, but close.  (Shout out to Gary at Black Talon, interviewed in the article.)

I noticed the following note in the discussion of this CTS article on the Krebs website:

CTS was compromised by a weak Connectwise Control password and no 2FA enabled. To make matters worse, they used the same password for their backup platform (Acronis, which didn’t have 2FA at the time, does now). So the attacker encrypted all their clients’ devices at the same time that they deleted everyone’s backups. Another layer of making matters worse… They hadn’t uninstalled agents on former clients, so people that had fired them also got encrypted (though luckily had a decent backup).  Source: We’ve picked up many of their clients. Throwaway because not trying to make enemies – just want to put out a warning to make sure you and your staff don’t make similar mistakes.

MSPs need to understand that, no matter their size or number of clients, there are criminal gangs out there trying to break into your systems. It isn’t about you, it is about getting to your clients. MSPs have been a cash cow for ransomware payments in 2019.  Until that changes, no one will be safe.
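The three failures in that Krebs comment (no MFA on the remote-control tool, one password shared with the backup platform, and agents left on former clients) can be checked from an MSP's own tooling inventory. This is an added example, not code from the show or any vendor; the tool names, passwords and client list are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ToolAccount:
    tool: str                  # constructed name, e.g. remote-control or backup platform
    password_fingerprint: str  # SHA-256 of the secret; the inventory never holds plaintext
    mfa_enabled: bool


@dataclass
class Agent:
    client: str      # client where the remote-control agent is deployed
    installed: bool


def fingerprint(secret: str) -> str:
    """Hash a secret so reuse can be detected without keeping the password itself."""
    return hashlib.sha256(secret.encode()).hexdigest()


def audit(accounts, agents, active_clients):
    """Return one finding per failure mode described in the CTS comment."""
    findings = []
    first_seen = {}  # fingerprint -> tool that first used that credential
    for acct in accounts:
        if not acct.mfa_enabled:
            findings.append(f"{acct.tool}: MFA not enabled")
        if acct.password_fingerprint in first_seen:
            # Same credential on a second platform: one leak exposes both systems
            findings.append(f"{acct.tool}: password reused from {first_seen[acct.password_fingerprint]}")
        else:
            first_seen[acct.password_fingerprint] = acct.tool
    for agent in agents:
        if agent.installed and agent.client not in active_clients:
            # Offboarded client still reachable from the MSP console
            findings.append(f"{agent.client}: agent still installed at former client")
    return findings


def sample_findings():
    """Constructed inventory mirroring the comment: shared password, no MFA, stale agent."""
    shared = fingerprint("constructed-shared-password")
    accounts = [
        ToolAccount("remote-control", shared, mfa_enabled=False),
        ToolAccount("backup-platform", shared, mfa_enabled=False),
        ToolAccount("ticketing", fingerprint("constructed-unique-password"), mfa_enabled=True),
    ]
    agents = [Agent("dental-client-a", True), Agent("former-client-b", True), Agent("former-client-c", False)]
    return audit(accounts, agents, active_clients={"dental-client-a"})
```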

I have read about some MSP companies that have been hit and plan to share their experience with others to help them prevent the same thing happening to them.  I can only hope that happens and they do the circuit of all the MSP conferences trying to educate.  We will definitely try to get them on this show!  We need to be able to trust our vendors to protect us, not be the source of attack!  What a great segue to the next topic.

Supply Chain / Third parties will be the source of the breach or they will be getting in line

The ransomware attacks on the MSPs above, plus the many other third-party issues we have discussed like the story in our Dark Side of HIPAA Halloween episode, are bad enough, but that isn’t all.

The AMCA data breach comes to mind first because this one is huge and still playing out.  When we hear the details it will be scary to see what caused the massive data breach.  Also, it will make it clear that you need to check not only your downstream but insist that they are checking their downstream.

Larger organizations are going to tighten up their third-party requirements, which will either rule out the small folks who have ignored their responsibility, get people to get on the ball now, OR, even better, reward the ones who have been doing the work for a while now.

Software vendors, or their clients, are going to be hit repeatedly by attacks until SecDevOps frameworks are standardized in their environment.

Companies will finally start to understand that just because you know how to set up a computer and a network does not mean you understand how to secure it OR what HIPAA requires.

This includes the software vendor that gives you a list of things to buy and tells you things like you can use the server as a workstation.  Not every MSP out there really understands security at the level required in today’s threat landscape.  A flat network used to be something many folks put together and managed.  No business network should be built like that any longer.

I explained the difference to a client one time years ago, like a decade ago.  When you were smaller and the threats were not as intense as they are today, we could manage a pretty solid Jr. Varsity or High School Varsity level defense.  Since most issues then were caused by rec players, we were set.  Now you need not only the Varsity but at least a Div 1 college level, if not pro.

There are very few folks who already understand the difference between enterprise and small networks, and when you add the need for enterprise-type security in a small network you get a network where problems are only exacerbated.  They get too complex when they shouldn’t be, and that only makes them less secure.

This really gets back to the MSP topic, but also to the consultants who are “certified in HIPAA.”  Finding the right people to help is not easy, and it will be getting more complicated.

There you have it: our 2020 predictions have been published.  Now we wait to see how it turns out.

Who knows where we will be at the end of 2020.  There is a long list of reasons this year will have a major impact on more than just cybersecurity, HIPAA, and businesses.  Those external influences could drastically impact this list, but there is no way we are going to even try to guess, in our 2020 predictions, what kinds of things may happen outside our normal wheelhouse.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.