The harsh realities of cybersecurity are not always easy to hear, but they are the one thing that we cannot compromise on as they can have a huge impact on our lives. We must remain cyber aware and be vigilant in order to combat cyber threats.
In this episode:
3 Harsh Realities – Ep 345
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
The Privacy and Security Boot Camp
3.5 day In Person Event
Sep 12, 13, 14 and 15
PriSecBootCamp.com
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
HIPAA Say What!?!
[07:47] News about modernizing HIPAA proposed by bipartisan legislation: Don’t get too excited about anything here, folks. Don’t get me wrong, this is great and it needs to be done. The current laws are from the early 2000s and so much has changed since then, but the laws haven’t kept up. This is great news if it becomes a thing and the commission can actually change data privacy laws for healthcare, but it won’t change anything in your life for a long time. It is worth keeping an eye on, though.
[10:03] We also had a question come in this week that was pretty ummm…. well, here it is (paraphrased to protect their identity):
Can you help guide us to finding the source of what may be a rising problem?
Recently, we have had a handful of users reach out and say they got a text message from our new CEO (which he did not send of course).
The source of these texts is real people using Google Voice, as you can see by the example below [not included in this recap]. These have come from multiple different Google Voice DIDs.
At no time did the conversations last long enough for any links to be sent, but it is very concerning.
Can you help guide us to the next steps to help track this down?
The only correlation I can find between all the users is that they all use LinkedIn. Nothing else really makes sense. We have had a couple instances of compromised email over the last year, but all were resolved fairly quickly.
I’m focusing on LinkedIn for 2 reasons:
- About 10 days after our CEO noted his promotion online and changed his title there, we started getting spear phishing attempts.
- Their data breach last June
I am at a bit of a loss where to go next with this.
Donna’s Answer:
The minute the change is made on LinkedIn that there is a new CEO, every employee listed on LinkedIn as an employee will be a target. They take the list from there and run it against available phone numbers from other breaches. If they exist anywhere, they will be used from there.
Another likely reason is that one of the compromised email accounts included a contact list with all the info on staff members. Either the group that stole it is sitting on the company news to use it for attacks, or they sold it to someone else who does that. Then they can run spear-smishing attacks against anyone in the company.
BTW, using Google Voice is the way they can rotate through phone numbers that don’t trace back to anyone. It is just like using gmail in an attack.
Their team should be trained to never respond to any text or voice messages from numbers they do not know. Ever. Also, assume the data wasn’t exfiltrated from those email accounts, which means you need to up your game with security. They will be targeted with fake invoices, fake requests for W-2 details, etc., because all the contact info is there for them to spoof like crazy.
3 Harsh Realities
[21:02] We ran across this great article from Threatpost recently and thought it would be great to share it: 3 Tips for Facing the Harsh Truths of Cybersecurity in 2022, Part I | Threatpost
We’re not even going to go through the tips that are covered in this article. They are great tips and there’s plenty of great information in them. I encourage you to go read the whole article. But the beginning of this article is the topic of our whole episode… just the beginning. Because until we get past this, it doesn’t matter what the tips are. And we’ve got so many problems getting past this.
First, ransomware is prevalent, and there is no way to completely eliminate the threat.
Even if you were able to stop ransomware today, the criminals will pivot and create a different way they do it tomorrow. The only way to be ransomware proof is to have zero data, none. Ransomware is a threat. You can identify the threats to your business and then decide how you are going to manage them. You can mitigate the damage that will occur, but you cannot eliminate the threat of ransomware from the ecosystem.
[26:05] If you or your IT vendor are operating under the assumption that you are keeping them out, you’re already failing. Your IT team may have been able to accomplish that 12 or so years ago, but not in today’s world. You need to understand there is a difference between IT and cybersecurity. Go back and listen to IT and cybersecurity are not the same – Ep 325 if you need a refresher on the differences.
It’s not enough to just show that you have security software installed on your devices and firewalls and such, and that you pay a vendor for IT and security services. You also need to prove that your security safeguards are effective and are doing what they are designed to do. You need to know whether it is detecting things, what the latest update from the vendor is, what things it will protect you from, and how it will respond to things it detects. If you’ve been running any kind of security, let’s say for a year, and it has never indicated anything, then it’s probably not working, because you should be getting security incidents fairly often. “No news is good news” is not good news here.
It’s like with your backups. It’s no good to just prove you have a backup if you can’t recover the data from that backup. Or if you tell me you’ve never had a breach to report to HHS, then you’re not looking. You need to audit these things and make sure they are working as intended.
[36:24] Here’s another harsh truth: You don’t know what you don’t know. And if you aren’t looking and constantly evaluating what’s happening on the network, there’s no way to know until a criminal drops their bomb and holds your systems and data hostage.
We hear people say that they only have to do a risk analysis every couple of years. You should be constantly doing a risk analysis as things change in your environment. You should be evaluating where your data lives, how it is coming and going, what systems and staff and vendors are accessing it. Map that out and reevaluate it instead of just saying nothing’s changed. The chances that nothing has changed on your network in the last year are very low. Changes can open doors to new threats and you need to evaluate your safeguards to properly mitigate those threats.
Donna and David’s Soapbox Rant
[42:37] We hear people say, and see vendors trying to sell you their services, that HIPAA regulations and cybersecurity frameworks change all of the time. How can we possibly keep up? The fact is… NO they don’t. HIPAA, HICP, NIST, etc. do not change all the time. To be fair, there are frameworks like CIS and HITRUST that are updated on a regular basis, but those frameworks make money every time they update. The ones that aren’t for profit do not change all of the time. Compliance regulations like HIPAA are not changing. What changes is people’s understanding of them. When someone realizes something about HIPAA that they weren’t aware of, they think it must be new. No, it’s just that the person is only now learning about it. Again, you don’t know what you don’t know. And just because you didn’t know it doesn’t mean something has changed.
The harsh reality is that just because it seems like something changed, it could simply be that your understanding of it changed. And just because you think you understand it, does not mean it hasn’t changed. And it doesn’t mean that your understanding of it is right.
Cyber risks are not problems that can be solved; they are problems that must be managed. You will not eliminate ransomware threats, you can only mitigate them. In today’s world, you should operate under the assumption that attackers are already in your network. Once they get in, they spend more time getting to know your systems and data than most of their victims ever have. Our only defense is true cybersecurity awareness and constant vigilance in monitoring the protections we have in place.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.