It’s time for more scary HIPAA stories. We tour the HIPAA haunted house in our 2nd annual Halloween episode!
Cybersecurity has become a big concern over the last 18 months. Breaches in 2015 have given way to ransomware along with more daring breaches in 2016. What is really happening on your computers, networks, and the Internet every second is terrifying in several ways. There are plenty of amazing good things happening at the speed of light but so are the bad ones.
First, we enter the room that has the Checkpoint report on cybersecurity where they reviewed the stats they have from thousands of their devices along with the information published by others sources. They analyzed the stats from 1.5B files for this report.
Here is something really scary behind the first door….
Scary HIPAA Stories Room #1: AN AVERAGE DAY AT AN ENTERPRISE ORGANIZATION
- EVERY 4 SECONDS An unknown malware is downloaded
- EVERY 5 SECONDS A host accesses a malicious website
- EVERY 30 SECONDS A threat emulation event occurs
- EVERY 53 SECONDS A bot communicates with its command and control center that’s OVER 1,630 TIMES PER DAY
- EVERY 81 SECONDS – A known malware is downloaded
- EVERY 4 MINUTES – A high-risk application is used
- EVERY 32 MINUTES Sensitive data is sent outside the organization
The numbers for 2015 (not 2016)
- 400% increase in loss of business data records the past three years
- 89% of organizations downloaded a malicious file
- more than 971 unknown malware downloads per hour, over 9 times the 106 downloads per hour in 2014
Scary HIPAA Stories Room #2: Your Life, Repackaged and Resold
In their report, “Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims”, the Institute for Critical Infrastructure Technology (ICIT) really told some scary stories about PHI on the Darknet.
The Deep Web Exploitation of Health Sector Breach Victims
- Published by researchers at ICIT – Institute for Critical Infrastructure Technology – “The Cybersecurity Think Tank” http://icitech.org/
- As trusted advisors to the legislative & federal agency community, ICIT Fellows provide technology and cybersecurity research and expertise
- Presented this report to the Senate on Sept 22, 2016
Scathing report of failures in healthcare security practices
Refuse to evolve
The health sector is unique among critical infrastructures due to the fact that they are the most at-risk, in possession of vast amounts of valuable data, and perpetually and easily breached. Yet, virtually all health sector organizations refuse to evolve their layered security to combat a hyper evolving threat landscape. By doing so, health sector organizations render maximized vulnerabilities like technological gaping wounds to any adversary with the ambition to exploit them.
Implemented EHR without strong security
In the same decade that banks have cracked down on identity theft, healthcare networks have made it easier by transitioning to interconnected electronic systems without implementing strong security.
I own you
Once a hacker owns an EHR, they effectively own the victim.
No incentive to prevent devastation
*there is little incentive other than goodwill and reputation for organizations to drastically improve their security to prevent breaches. Meanwhile, every patient record compromised from every healthcare organization has the potential to devastate and financially ruin a United States citizen.*
Impacted for the rest of their lives
*The entire brutal impact of the incident that resulted from poor cybersecurity and inadequate cyber-hygiene on behalf of the healthcare organization is forced onto the shoulders of the victim to deal with for the rest of their life. These victims receive limited or no help from the government or healthcare organizations because consumer protections are not well defined in the case of medical identity theft. The stolen EHRs are sold and resold on Deep Web markets for years after the initial breach. *
*the patient may be forced to suffer the impact of the incessant exchange of the immutable details of their person on Deep Web markets for the rest of their life, all due to a healthcare organization’s lack of prioritization of cybersecurity and cyber-hygiene within their business model.*
Attacks are so easy a baby can do it
This lack of cyber-hygiene and this poor endpoint security makes an attack to steal patient data and/or to deliver malware or ransomware, trivial for even an unsophisticated attacker because practically no defense obstructs a cyber adversary from stealing patient data and selling it for exuberant profit on Deep Web markets and forums
Perfect prey for ransomware
Healthcare facilities, and hospitals in particular, are the favorite target of ransomware attacks because the organizations have poor cybersecurity and poor cyber hygiene, have available funds, and because for every second that systems remain non-operational, lives are at stake.
The Dark Overlord makes this report too
Vulnerable medical systems are not difficult to discover and remotely exploit.
Executive management who take a lackadaisical approach to cyber-hygiene make easy prey to digital age adversaries of all shapes, sizes and motivations.
Rather than ensure the confidentiality, availability, and integrity of patient records to the maximum capability of the organization, executives make budget-line decisions that shift the risk of compromise onto the patients, whose data lies in the vulnerable systems.
Regardless of how the patient record is abused, the victim patient bears the majority of the long-term impact of the compromise of a system that they had no decision of how to protect, all so that the compromised organization can save budget or procrastinate updating or replacing their Frankensteined legacy technologies. Due to the longevity of the record, adversaries may continue to exchange and exploit the compromised information for the rest of the victim’s life. For some, such as children, this can drastically hinder their future financial stability and limit the potential lives that they could lead.
Scary HIPAA Stories Closet: FBI Cyber Most Wanted Posters
Did you know the FBI publishes a Cyber Most Wanted list? Check out some of the hackers the FBI is trying to find.
Business Associate Management Webinar
Nov 7, 2016 @ [2:00] ET
A significant number of HIPAA breaches have been caused by BAs and their own downstream BAs. What should Covered Entities (CEs) do to protect themselves, to demonstrate due diligence, and to reduce risk?
September 12, 2016 – “A watchdog agency report highlighting data security violations by a medical contractor offers a reminder to all healthcare organizations about similar risks their BAs can pose – especially if BAs are inadequately monitored.”
Here is your chance to learn practical approaches for managing BAs. You are invited to attend a free webinar regarding BA risk management on Monday, November 7, 2016 at 2:00 PM (ET). Click here to register for this free webinar.
Covered entities (CEs) are responsible to manage their BAs from both a contract standpoint and an information privacy and security standpoint. And, BAs are responsible to do the same for their own subcontractors that are also known as “downstream BAs.”
Our three panelists offer unique insight from their own experience. They are:
- Donna Michael-Ziereis, Esq., VP & General Counsel, AtlantiCare Health System
- Joe Piccolo, VP of Corporate Compliance, Inspira Health Network
- Janice Jaffee, Director IT Operations & CISO, Bayada Home Health Care
This webinar will focus on what CEs and BAs should consider when implementing a functional BA management program, such as:
- First things first – how to get organized
- Criteria that should be considered to rate BA risk
- What to do when you have a large volume of BAs to manage
- When BA management activity should occur
- How to effectively administer BA management
- How to fit BA management into your Information Security Risk
- What are some examples of the latest breaches and settlements
We look forward to seeing you on November 7th at [2:00] PM (ET).