
They say ignorance is bliss. Ignorance can also leave you vulnerable to cyber attacks and patient safety issues. As we see news about cyber attacks coming from everywhere, you might ask “Is it really that bad?” Yes, yes it is. And it continues to get worse.
In this episode:
Is it really that bad? – Ep 309
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
The HIPAA Boot Camp
Virtual Edition Aug 17-19, 2021
Great idea! Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
HIPAA Say What!?!
[03:58] The Health Care and Public Sector Coordinating Council (HSCC) sent a letter to the White House and copied the Senate and House leaders because they were concerned about cybersecurity in health care. The letter stresses that combating cybersecurity issues in the healthcare industry is a matter of patient safety, and it asks the government to devote cybersecurity funding to healthcare. Health Sector Cybersecurity Letter to President Biden – 06-10-2021
The letter makes a point of saying:
They also say:
So, basically they are saying that if you make everyone else better and leave us out, things are not going to go well. Because all of these critical infrastructures are connected.
[13:19] The healthcare sector is often overlooked. In an article from Healthcare Info Security, Groups Urge Biden, Congress to Bolster Health Sector Cyber, Greg Garcia, HSCC executive director, says that “…a strong understanding or intense interest in the dire cyber challenges facing the healthcare sector is also apparently lacking in some corners of Congress.” The article includes quotes from the letter to the White House stating that while the HSCC “was pleased to see the recently enacted American Rescue Plan direct $650 million to the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency for cybersecurity risk mitigation programs, none of the funding is directly targeted to help the healthcare sector.”
Another interesting quote in the article comes from the VP of CHIME (College of Healthcare Information Management Executives), which represents healthcare CISOs and CIOs, who tells ISMG:
Recognized security practices is something that we are excited about and are working with our clients on.
Is it really that bad?
[25:24] Here’s another one in Donna’s backyard. This just came out this week, announced by the Department of Justice: the CEO of a network security company is charged with a cyber attack on Gwinnett Medical Center. Same story covered by DataBreaches.net: Chief Operating Officer of Network Security Company Charged with Cyberattack on Medical Center
So, this story does not revolve around ransomware or anyone stealing data from servers. Details are limited on this story so far, but basically the CEO of a Metro Atlanta network security company that serves the healthcare industry conducted a cyber attack, disrupting phone service, disrupting network printer service and obtaining information from a digitizing device. He’s charged with 17 counts of intentional damage to a protected computer and one count of obtaining information from a protected computer.
This is a great example of why your risk analysis should include devices beyond your computers and servers, such as printers, scanners, phone systems, and any other device connected to your network, and why you should document how you are securing each of them.
The main point is that you can’t assume an attack comes from external sources. It can come from people you know: insiders.
[32:22] While I was reading the article about the Gwinnett Medical Center deal on DataBreaches.net, I saw this one: Middletown Man Sentenced To Six Months of Home Confinement For Damaging Former Employer’s Computer Network. Here, Levi Delgado was sentenced to six months of home confinement and ordered to pay over $13,000 in restitution. He pled guilty back in February to one count of causing damage to a protected computer. Delgado was the IT administrator at a medical center, and they had terminated his employment. Following termination, he was no longer authorized to access the computers, and the credentials that had allowed him to access them were disabled. However:
Now, the article does say that no patient information was compromised or accessed, meaning there was no improper disclosure. He was attacking the system as a whole. Although confidentiality wasn’t impacted, availability was, and potentially integrity as well. If he was deleting things, do we know everything that he deleted? Were they able to put it back? This is access abuse, privilege abuse, and it is a huge problem. Even if it’s not your vendor but somebody you let go internally, you need to worry about their access too.
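The Delgado story is, at bottom, an offboarding failure: a terminated administrator whose access should have ended on his last day. The script below is an added illustration of the kind of check a security team can run to catch that gap; it is not code from the show or from any of the cases described, and every account name, date and log line in it is constructed. It assumes two inputs you would normally pull from HR and from your directory or SIEM: a list of terminated users with their termination dates, and authentication log lines in the two (assumed) formats shown. It flags terminated accounts that are still enabled and any successful login by a terminated user on or after the termination date.

```python
"""Offboarding audit (added example, constructed data).

Two checks a defender would want after a termination:
  1. Is the account actually disabled in the directory?
  2. Did the account authenticate successfully after the termination date?
"""
import re
from datetime import datetime

# Constructed HR offboarding list: username -> termination date (ISO 8601).
TERMINATED = {
    "jdoe": "2021-02-01",
    "itadmin2": "2021-02-15",
}

# Constructed directory snapshot: username -> account enabled?
DIRECTORY = {
    "jdoe": False,      # correctly disabled at offboarding
    "itadmin2": True,   # missed during offboarding
    "nurse7": True,     # still employed
}

# Constructed auth log lines in two assumed formats (sshd-style and a
# generic "LOGON SUCCESS user=" line). IP addresses are documentation ranges.
AUTH_LOG = """\
2021-02-03T22:14:05 vpn-gw sshd: Accepted publickey for jdoe from 203.0.113.9
2021-02-20T01:02:33 dc01 auth: LOGON SUCCESS user=itadmin2 src=198.51.100.7
2021-02-20T01:03:10 dc01 auth: LOGON SUCCESS user=nurse7 src=10.0.4.21
2021-02-14T09:00:00 dc01 auth: LOGON SUCCESS user=itadmin2 src=10.0.4.30
2021-02-21T03:45:12 dc01 auth: LOGON FAILURE user=jdoe src=198.51.100.7
"""

# Matches only successful authentications; failures are ignored here.
SUCCESS_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+\S+\s+"
    r"(?:Accepted \S+ for (?P<u1>\S+)|LOGON SUCCESS user=(?P<u2>\S+))"
)


def accounts_not_disabled(terminated, directory):
    """Terminated users whose directory account is still enabled."""
    return sorted(u for u in terminated if directory.get(u, False))


def logins_after_termination(terminated, log_text):
    """(user, timestamp) for each successful login by a terminated user on or
    after the termination date. Logins on the termination day itself are
    flagged deliberately, since access should end that day."""
    findings = []
    for line in log_text.splitlines():
        m = SUCCESS_RE.match(line)
        if not m:
            continue
        user = m.group("u1") or m.group("u2")
        if user not in terminated:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        cutoff = datetime.fromisoformat(terminated[user])
        if ts >= cutoff:
            findings.append((user, m.group("ts")))
    return findings


if __name__ == "__main__":
    for u in accounts_not_disabled(TERMINATED, DIRECTORY):
        print(f"STILL ENABLED: {u}")
    for u, ts in logins_after_termination(TERMINATED, AUTH_LOG):
        print(f"POST-TERMINATION LOGIN: {u} at {ts}")
```

Run it as-is to see the two findings from the constructed data (itadmin2 still enabled; post-termination logins by jdoe and itadmin2). In practice the termination list comes from HR, the directory snapshot from an export of your identity system, and the log text from your SIEM; the point is that the first check proves the offboarding step happened and the second proves it worked.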
We always say that people need to stop imagining these criminals like one guy in his basement in a hoodie. Here are three different articles that address that exact topic. When you put them all together, you start to see the real picture of what we are up against here.
The Ruthless Hackers Behind Ransomware Attacks on U.S. Hospitals: ‘They Do Not Care’
Inner Workings Of DarkSide Cybergang Reveal It’s Run Like Any Other Business
Hacker Known as Max Is a 55-Year-Old Woman, Prosecutors Say
[51:30] And, finally, if you didn’t think it could get any worse… just this morning as we were preparing to record this episode, we saw this article: Ransomware Gang Goes Nuclear, Hitting US Weapons Contractor. The article tells the story of a small company in New Mexico, Sol Oriens, which is a contractor for the Department of Energy National Nuclear Security Administration. This company is a consulting firm focusing on managing advanced technologies and concepts with strong potential for military and space applications. They were hit by the REvil, aka Sodinokibi, ransomware operation. Here’s David’s take on this… You know when you take something and put it in the trash bin that gets rolled out to the road. It’s trash, right? Then, somebody comes by and takes it; it’s not stealing at that point. It was trash and was going to be thrown out anyway. So, if you’re treating your data like it’s trash and somebody comes by and takes it, then, no harm, no foul, you should have protected it.
When we ask whether it is really that bad, the answer is that it’s REALLY bad. Attacks can come from internal staff or vendors you work with every day, not only from external hackers and ransomware gangs. You should have termination processes for internal staff, vendors and especially IT folks. It’s more important than ever to broaden your outlook on where attacks could come from.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.