
FBI Private Industry Notification – Ep 434

November 24, 2023

By Donna Grindle

It is crucial to apply mitigation strategies to reduce the likelihood and impact of ransomware incidents due to the severe and far-reaching consequences these cyber threats can have on individuals, organizations, and society as a whole. The FBI recently published a notification highlighting emerging ransomware trends involving attacking the same victims multiple times. Listen in to hear what you can do to help reduce the likelihood of becoming a victim.


In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!

We are thankful for our donors.


HIPAA Briefs

[08:18] Sanction policies are specifically required by both the Privacy Rule and the Security Rule:

  • The Privacy Rule requires covered entities to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule] of this part.”
  • The Security Rule requires covered entities and business associates to: apply “appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.”

We’d recommend your sanction policy not just include the phrase “will be sanctioned up to and including termination,” as that wording has already been tested in a court of law. Be more specific about the potential sanctions for violations, and make clear that doctors, C-suite staff, and even the employee who has been “here for 25 years” are subject to the same sanctions. “Workforce” should include everyone!

HIPAA Say What!?!

[16:42]

October 2023 OCR Cybersecurity Newsletter | HHS.gov

“A sanction policy that clearly communicates a regulated entity’s expectations should ensure that workforce members understand their individual compliance obligations and consequences of noncompliance.”

Here is a key point in the newsletter:

Regulated entities may want to consider the following when drafting or revising their sanction policies:

  1. Documenting or implementing sanction policies pursuant to a formal process.
  2. Requiring workforce members to affirmatively acknowledge that a violation of the organization’s HIPAA policies or procedures may result in sanctions.
  3. Documenting the sanction process, including the personnel involved, the procedural steps, the time-period, the reason for the sanction(s), and the final outcome of an investigation. NOTE: These records should be retained for at least six years.
  4. Creating sanctions that are “appropriate to the nature of the violation.”
  5. Creating sanctions that “vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information.”
  6. Creating sanctions that “range from a warning to termination.”
  7. Providing examples of “potential violations of policy and procedures.”

You can have a violation of a policy and procedure that is not a HIPAA violation. You can also have a HIPAA violation that is not a violation of a policy and procedure, because your policy and procedure doesn’t cover something, yet it still violates the Privacy Rule. Lack of disapproval implies approval. So, if you continue to allow something to occur, or you allow certain people to essentially violate a policy, what you’re saying is that the rules don’t apply to everybody. One thing is very, very clear about HIPAA regulations: the rules apply to everybody.

FBI Private Industry Notifications

[21:27]

Two or More Ransomware Variants Impacting the Same Victims and Data Destruction Trends

The Federal Bureau of Investigation (FBI) is releasing this Private Industry Notification to highlight emerging ransomware trends and encourage organizations to implement the recommendations in the “Mitigations” section to reduce the likelihood and impact of ransomware incidents.

Threat

As of July 2023, the FBI noted two trends emerging across the ransomware environment and is releasing this notification for industry awareness. These new trends included multiple ransomware attacks on the same victim in close date proximity and new data destruction tactics in ransomware attacks.

  • The FBI noted a trend of dual ransomware attacks conducted in close proximity to one another. During these attacks, cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. Variants were deployed in various combinations. This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments. Second ransomware attacks against an already compromised system could significantly harm victim entities.
  • In early 2022, multiple ransomware groups increased use of custom data theft, wiper tools, and malware to pressure victims to negotiate. In some cases, new code was added to known data theft tools to prevent detection. In other cases in 2022, malware containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals.

COMPLIANCE IS NOT SECURITY; SECURITY IS NOT COMPLIANCE

Mitigation

[31:28] Here are a few things that the FBI recommends doing to limit the potential use of common techniques and to reduce the risk of compromise by ransomware:

  • Preparing for Cyber Incidents
  • [39:53] Identity and Access Management
  • [47:03] Protective Controls and Architecture
  • [50:43] Vulnerability and Configuration Management


[53:18] Here are a couple of other things to compare the FBI’s notification to:

Common Cybersecurity Misconceptions Held By Small and Medium-Sized Organizations from July 2022 on staysafeonline.org

  1. My data (or the data I have access to) isn’t valuable
  2. Cybersecurity is a technology issue
  3. Cybersecurity requires a large financial investment
  4. Outsourcing work to a vendor will wash your hands of security liability in the case of a cyber incident
  5. Cyber breaches are covered by general liability insurance
  6. Cyberattacks always come from external actors
  7. Young people are better at cybersecurity than others
  8. Compliance with industry standards is enough for a security program
  9. Digital and physical security are separate
  10. New software and devices are automatically secure when I buy them

Almost every item on this misconception list maps to one of the FBI’s recommendations.

Here’s something else interesting. It’s from the FTC. See if you think it follows the same list as the FBI’s.

Start with Security: A Guide for Business

  1. Start with security. (Don’t accumulate data you don’t need and don’t keep it if you don’t need it any more.)
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

Now, note the data on the last page is June 2015. Almost 10 years ago they were recommending the same things. Is it they need to change recommendations or find new ways to get people to listen? Or is it never going to get through to all sectors? This is about protecting our economic and national security interests now, not just someone telling you what to do.

Prioritizing cybersecurity is crucial for all businesses, no matter how big or small or what industry they are in. Organizations must stay informed about the latest trends, threats, and best practices for mitigating attacks in order to minimize the risk of falling victim to these attacks. By implementing these strategies, organizations can not only protect their data and financial assets but also safeguard their reputation and maintain the trust of their customers and stakeholders.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
