
Attackers Enjoy Sweet Fruit of Patience – Ep 454 

 April 19, 2024

By  Donna Grindle

Aristotle once said, “Patience is bitter, but its fruit is sweet.” That’s totally spot on when you think about cybersecurity threats and how sneaky cybercriminals can be. These attackers plant their harmful seeds and just hang back, waiting for the right time to take advantage of old weaknesses. Their patience and careful planning mean they can strike effectively, sometimes after years of waiting, showing just how tricky it is to handle digital security. It really highlights why we need to be on our toes all the time, with solid and forward-thinking security measures to guard our sensitive info from these crafty threats.



Today’s Episode is brought to you by: Kardon and HIPAA for MSPs with Security First IT



HIPAA Say What!?!

[11:16] Yet another case for the list of Right of Access enforcement actions. This one hit our email as we were recording the one we covered last week.

HHS Office for Civil Rights Imposes a Civil Monetary Penalty on New Jersey Nursing Facility for Failing to Provide Timely Access to Patient Records

Hackensack Meridian Health, West Caldwell Care Center | HHS.gov

Essex Residential Care, LLC, is to pay $100,000 after failing to comply with HIPAA Right of Access. They are a skilled nursing facility (SNF) that provides long-term care and rehabilitation services using the name Hackensack Meridian Health.

“A patient’s timely access to health records is paramount for medical care. The Office for Civil Rights continues to receive complaints from individuals and personal representatives on behalf of individuals who do not receive timely access to their health records. OCR will continue to vigorously enforce this essential right to ensure compliance by health care facilities across the country.”

- OCR Director Melanie Fontes Rainer

In May 2020, OCR received a complaint that a personal representative was not provided access to his mother’s medical records. The records were allegedly withheld even after Hackensack Meridian Health received sufficient documentation demonstrating that the son was serving as his mother’s personal representative.

They said they would just pay the fine, sending a letter that said the SNF was “not contesting the findings of OCR’s proposed determination, and will pay the $100,000.00 CMP”. Granted, all of this was happening during the peak of COVID-19’s original outbreak, which was brutal on these facilities, particularly in the NE. It isn’t clear why they ended up here. I know from experience that had they just asked OCR to confirm what they had done, they would have gotten answers. Instead they said that their “personnel mistakenly believed that an appropriate, timely response to the complainant’s medical record request had been made through the transfer of the patient to another facility.”

They argued at first that they shouldn’t have to pay anything because “HIPAA bars the imposition of a CMP in this case, as a matter of law, because any violation was not due to willful neglect and was timely corrected” which seemed odd. They didn’t correct it timely if the records weren’t provided until November after they were requested in April. In fact, they even agreed that it was June 23, 2020 when they should have sent it after being told to by OCR and they didn’t do it then.

But, then a little more information came out because it turns out there was litigation happening.

“WCCC also acknowledged that WCCC staff failed to provide the Complainant with a copy of the medical record”, and instead, provided a copy of the mother’s medical records to another facility to which the patient was transferred. WCCC indicated that at the time of the original request, both the Complainant and the mother were parties to ongoing litigation with WCCC over non-payment for care. WCCC also indicated that it was struggling with the COVID-19 pandemic. WCCC’s attorney asserts that the Complainant sent his request for a copy of his mother’s medical records by email and then filed his complaint with OCR exactly 30 days later— before WCCC’s response to the initial request was due. WCCC’s attorney indicated that WCCC acknowledges it should have handled the Complainant’s request differently by providing the Complainant with a copy of the requested medical record by May 23, 2020.

It is unclear what was going on here but there are always things we can assume if we can read between the lines. But, clearly there is more to the whole mess than what is included here.

We did get details of how they calculated the CMP and the evaluation they did. They went through the required mitigating factors list and found no reason to increase nor decrease the amount calculated.

The appropriate penalty tier for this violation from June 23, 2020, to December 1, 2020, is Reasonable Cause, as follows:

Calendar Year 2020: 161 days at $1,280 per day (Maximum potential CMP of $206,080)

Total Maximum CMP: $206,080, capped at $100,000

Attackers Enjoy Sweet Fruit of Patience

[21:30] Translations of ancient Greek text tell us that Aristotle said “Patience is bitter, but its fruit is sweet.” We have talked about the way attackers will wait until the time is right to launch things as they lurk inside your network. It goes even further than that though. They will plant seeds to use in attacks for years before they even get into a network. A couple of recent stories shine a light on just how patient they are when doing these things. They plant all kinds of seeds that can be used later, even if they don’t yet know what they will use them for.

Cyber Safety Review Board Report on Microsoft Exchange Hack 2023

Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023 | Homeland Security

Review of the Summer 2023 Microsoft Exchange Online Intrusion

Recommendation 5: Given Microsoft’s inability to determine how and when the adversary was able to steal its signing key, all CSPs should review and revise as appropriate their logging and overall forensics capabilities around their identity systems and other systems that enable environment-level compromise, such as root key material. CSPs should maintain sufficient forensics to detect exfiltration of those data, including logging all access to those systems and any private keys stored within them. These logs should be analyzed continuously for any unauthorized insider or external threat actor activity. Retention should include all time the key was in active use and extend at least two years beyond the expiration of that key. Longer retention periods of at least 10 years may be appropriate for some high-value log types.

There is A LOT of information in that report and we may do another episode on it but our focus today is just how long they will wait. There is a new one of those stories that just came out. At least in this one a MS employee may be the internet hero if all is as it appears to be.

The importance of not ignoring something that looks odd.

[36:03] This one is very scary and thankfully we only need to wonder what if – or it seems like that for now.

This one even made the NY Times over the weekend. The headline read “Did one guy just stop a major cyberattack? A Microsoft engineer noticed something was off on a piece of software he worked on. He soon discovered someone was probably trying to gain access to computers all over the world.” His name is Andres Freund. Let’s give him credit for this. Although, he wouldn’t even give the NYT a picture to use because he just did his job and followed the process for reporting issues.

He was flying back from a visit to his parents in Germany at some point earlier this year. As any good nerd he was on the plane checking out how his automated tests did. The log had some error messages he didn’t recognize as normal. It just looked odd but he figured he was just tired and made a mental note of it. Once he got back to his normal work he noticed one of the programs, SSH, was using more processing power than normal. As he looked into that problem he wondered if those odd things in the logs had anything to do with it. Short story – they did, he reported the problem and helped document everything. He really may have saved the day without knowing it.

They found a backdoor being installed on any system that used this application and pretty much all Linux systems would use it. Turns out the application distribution system had been compromised and a backdoor was built into the repository that everyone in the world uses.

Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution

They started in 2021 in order to plant this thing in 2024.

It’s obvious that hackers are patient enough to bide their time, waiting for the perfect moment to strike. The greater the potential payoff, the more they’re prepared to hang back, sometimes for ages, or even position their people strategically and play the waiting game.

It’s clear that the world of cybersecurity is like a slow-burning fuse, with cybercriminals playing the long game. This chat sheds light on just how calculated these attacks can be, like the one on Microsoft that could’ve been prevented with better vigilance. It’s a wake-up call for everyone, especially big companies, to step up their security game and not just react to threats but actively prevent them. We need to keep evolving our defenses because, as we’ve seen, the attackers are definitely patient and ready to pounce when we least expect it. Let’s not make it easy for them!

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
