Healthcare Data Security

Microsoft Warns of Ongoing Attacks by SolarWinds Hackers on Service Providers and Downstream Businesses

The advanced persistent threat (APT) actor Nobelium (aka APT29; Cozy Bear) that was behind the 2020 SolarWinds supply chain attack is targeting cloud service providers (CSPs), managed service providers (MSPs), and other IT service providers, according to a recent alert from Microsoft.

Rather than conducting attacks on many companies and organizations, Nobelium is favoring a compromise-one-to-compromise-many approach. This is possible because service providers are often given administrative access to customers’ networks to allow them to provide IT services. Nobelium is attempting to leverage that privileged access to conduct attacks on downstream businesses and has been conducting attacks since at least May 2021.

Nobelium uses several techniques to compromise the networks of service providers, including phishing and spear phishing attacks, token theft, malware, supply chain attacks, API abuse, and password spraying attacks on accounts using commonly used passwords and passwords that have previously been stolen in data breaches.

Once access to service providers’ networks has been gained, Nobelium moves laterally in cloud environments then leverages the trusted access to conduct attacks on downstream businesses using trusted channels such as externally facing VPNs or the unique software solutions used by service providers to access customers’ networks.

Some of the attacks conducted by Nobelium have been highly sophisticated and involved chaining together artifacts and access from multiple service providers in order to reach their end target, as indicated in the diagram below.

Example of a Nobelium attack leveraging multiple service providers. Source: Microsoft Threat Intelligence Center

Microsoft Threat Intelligence Center (MSTIC) has made several recommendations for service providers and downstream businesses to help with mitigation and remediation.

CSPs and MSPs that rely on elevated privileges to provide services to their customers have been advised to verify and monitor compliance with Microsoft Partner Center security requirements, which include enabling multifactor authentication and enforcing conditional access policies, adopting the Secure Application Model Framework, checking activity logs and monitoring user activities, and removing delegated administrative privileges that are no longer in use.

All downstream businesses that rely on service providers that have administrative access have been advised to review, audit, and minimize access privileges and delegated permissions, including hardening and monitoring all tenant administrator accounts and reviewing service provider permissions access from B2B and local accounts. They should also verify MFA is enabled and conditional access policies are being enforced and regularly review audit logs and configurations.
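The review the alert asks downstream tenants to perform can be partly automated from sign-in logs. The following script is an added example (not Microsoft's code and not part of the MSTIC alert) that triages constructed Azure AD sign-in records for partner-tenant sign-ins into our tenant: it flags sign-ins without MFA or without an enforced conditional access policy, sign-ins from partner tenants that were never approved, and approved partners that have not signed in for 30 days, whose delegated privileges are candidates for removal. The tenant ids, the approved-partner list and the record field names (homeTenantId, resourceTenantId and authenticationRequirement follow the Microsoft Graph signIn beta schema) are assumptions.

```python
"""Triage of partner (delegated admin) sign-ins into a customer tenant.

Added example with constructed records. Field names follow the Microsoft
Graph signIn resource (homeTenantId, resourceTenantId and
authenticationRequirement are beta-schema fields; adapt to your export).
"""
from datetime import datetime, timedelta, timezone

OUR_TENANT = "11111111-1111-1111-1111-111111111111"      # assumption: our tenant id
MSP_TENANT = "22222222-2222-2222-2222-222222222222"      # assumption: MSP still under contract
OLD_MSP_TENANT = "33333333-3333-3333-3333-333333333333"  # assumption: MSP whose contract ended
APPROVED_PARTNERS = {MSP_TENANT, OLD_MSP_TENANT}         # tenants holding delegated admin today
STALE_AFTER = timedelta(days=30)                         # unused for this long -> remove access

# Constructed sample sign-ins, not real log data.
SIGNINS = [
    # Approved MSP technician, MFA satisfied, conditional access passed: expected use.
    {"userPrincipalName": "tech1@msp.example", "homeTenantId": MSP_TENANT,
     "resourceTenantId": OUR_TENANT, "createdDateTime": "2021-10-20T08:12:00Z",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    # Approved MSP account, but single factor and no policy applied (token theft risk).
    {"userPrincipalName": "tech2@msp.example", "homeTenantId": MSP_TENANT,
     "resourceTenantId": OUR_TENANT, "createdDateTime": "2021-10-21T02:45:00Z",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    # Account homed in a tenant that was never granted delegated admin.
    {"userPrincipalName": "admin@unknown-partner.example",
     "homeTenantId": "44444444-4444-4444-4444-444444444444",
     "resourceTenantId": OUR_TENANT, "createdDateTime": "2021-10-21T03:02:00Z",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    # Our own user: not a partner sign-in, ignored by this check.
    {"userPrincipalName": "alice@ourclinic.example", "homeTenantId": OUR_TENANT,
     "resourceTenantId": OUR_TENANT, "createdDateTime": "2021-10-21T09:00:00Z",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
]


def parse_time(value):
    """Graph timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_partner_signin(rec):
    """A sign-in into our tenant by an account homed in another tenant."""
    return rec["resourceTenantId"] == OUR_TENANT and rec["homeTenantId"] != OUR_TENANT


def triage(signins, now):
    """Return findings on successful partner sign-ins and partners with no recent use."""
    findings = []
    last_seen = {}
    for rec in signins:
        if not is_partner_signin(rec) or rec["status"]["errorCode"] != 0:
            continue  # failed attempts belong in a separate (spraying) check
        upn, home = rec["userPrincipalName"], rec["homeTenantId"]
        when = parse_time(rec["createdDateTime"])
        last_seen[home] = max(last_seen.get(home, when), when)
        if home not in APPROVED_PARTNERS:
            findings.append((upn, "partner tenant not approved"))
        if rec["authenticationRequirement"] != "multiFactorAuthentication":
            findings.append((upn, "no MFA"))
        if rec["conditionalAccessStatus"] != "success":
            findings.append((upn, "conditional access " + rec["conditionalAccessStatus"]))
    stale = sorted(t for t in APPROVED_PARTNERS
                   if t not in last_seen or now - last_seen[t] > STALE_AFTER)
    return {"findings": findings, "stale_partners": stale}


if __name__ == "__main__":
    result = triage(SIGNINS, parse_time("2021-11-01T00:00:00Z"))
    for upn, reason in result["findings"]:
        print(f"REVIEW {upn}: {reason}")
    for tenant in result["stale_partners"]:
        print(f"REMOVE delegated admin for unused partner tenant {tenant}")
```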

Microsoft has published detailed information on the tactics, techniques, and procedures (TTP) of Nobelium in its alerts to help IT security teams to block, detect, investigate, and mitigate attacks.

The post Microsoft Warns of Ongoing Attacks by SolarWinds Hackers on Service Providers and Downstream Businesses appeared first on HIPAA Journal.

Medical AI Database Containing More Than 800 Million Records Exposed Online

An unsecured database belonging to the American medical AI platform provider Deep6.ai has been identified by security researcher Jeremiah Fowler and Website Planet. The database contained more than 800 million records of patients and physicians and could be accessed over the Internet by anyone without requiring a password.

Deep6.ai has developed AI-based software that can be used on raw data to identify individuals with medical conditions that are not mentioned in their medical records. The software is particularly useful for finding individuals who match the criteria for clinical trials and can significantly shorten the time to find suitable trial participants.

The database contained 68.53 GB of data and included 886,521,320 records, most of which related to individuals in the United States. While some of the information was encrypted, physician notes and physician information were in plain text and could be viewed by anyone.

Fowler and Website Planet identified the following information in the dataset: Date, document type, physician note, encounter IDs, patient IDs, notes, uuid, patient type, noteId, date of service, note type, and detailed note text. Physician notes contained details of patients’ illnesses, treatment, medications, and in some cases, information about patients’ family, social, and emotional issues.

The dataset consisted of three parts: A concept index containing 21 million records that exposed lab test results and medications; a patient index containing 422 million records that exposed internal patient logging and tracking processes, although patient names were not stored in plain text; and a provider index, which included 89,000 records that exposed physician names, internal patient ID numbers, document locations and .CSV files, and other potentially sensitive information, with files showing where data are stored.

In addition to exposing the data to anyone with an Internet connection, the database was also vulnerable to a ransomware attack. After searching the database, Fowler and Website Planet were able to determine the database belonged to Deep6.ai. Following responsible disclosure practices, Deep6.ai was notified and the database was immediately secured. It is unclear for how long the database was exposed online and whether anyone accessed the data during that window of opportunity.


Vulnerabilities Identified in B. Braun Infusomat Space and Perfusor Space Infusion Pumps

B. Braun has released software updates to fix five vulnerabilities in its Infusomat Space and Perfusor Space Infusion Pumps. The vulnerabilities could be exploited remotely in a low complexity attack.

In North America, the flaws affect Battery pack SP with WiFi (All software Versions 028U000061 and earlier) that have been installed in an Infusomat Space Infusion Pump or a Perfusor Space Infusion pump, and SpaceStation with SpaceCom 2 (All software Versions 012U000061 and earlier). The vulnerabilities were identified by Douglas McKee and Philippe Laulheret of McAfee, who reported them to B. Braun.

The most serious vulnerability is a critical flaw in B. Braun SpaceCom2 that has been assigned a CVSS severity score of 9 out of 10. The flaw – tracked as CVE-2021-33885 – is due to insufficient verification of data authenticity and could be exploited by a remote attacker to send malicious data to the device, which would be used in place of the correct data.

An improper input validation flaw – CVE-2021-33886 – would allow a remote unauthenticated attacker to gain user-level command-line access by passing a raw external string straight through to printf statements, although the attacker would need to be on the same network as the device, which limits the potential for exploitation. The flaw has been assigned a CVSS score of 6.8.

A missing authentication for critical function vulnerability – CVE-2021-33882 – could be exploited by a remote attacker to reconfigure the device from an unknown source, due to the lack of authentication on proprietary networking commands. The flaw has also been assigned a CVSS score of 6.8.

Due to unrestricted uploads of dangerous file types, a remote attacker could upload a malicious file to the /tmp directory of the device through the webpage API, which could result in critical files being overwritten affecting device functionality. The flaw is tracked as CVE-2021-33884 and has a CVSS severity score of 6.5.

The last vulnerability is an information exposure issue that could allow an attacker to obtain critical values for a pump’s internal configuration due to the transmission of sensitive information in cleartext. The flaw is tracked as CVE-2021-33883 and has been assigned a CVSS severity score of 5.9.

B. Braun has fixed the flaws in the following software updates:
  • Battery pack SP with Wi-Fi, software 028U00062 (SN 138852 and lower)
  • Battery pack SP with Wi-Fi, software 054U00091 (SN 138853 and higher)
  • SpaceStation with SpaceCom 2 software Versions 012U000083

At present, there have been no reported cases of exploitation of the flaws; however, the updates should be applied as soon as possible.

B.Braun also recommends ensuring infusion pumps are housed in separate environments that are protected by firewalls or VLANs, that authentication measures are put in place to prevent unauthorized access, and that the devices are not directly accessible over the Internet. If remote access is required, secure methods of access should be used, such as a Virtual Private Network (VPN).


UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence

The hacker who gained access to the databases of University of Pittsburgh Medical Center (UPMC) and stole the personally identifiable information (PII) and W-2 information of approximately 65,000 UPMC employees has been handed the maximum sentence for the offenses and will serve 7 years in jail.

Sean Johnson, of Detroit, Michigan – aka TheDearthStar and Dearthy Star – hacked into the databases of UPMC in 2013 and 2014 and stole highly sensitive information which was then sold on dark web hacking forums and was used by identity thieves to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged Johnson conducted further cyberattacks between 2014 and 2017 and stole the PII of an additional 90,000 individuals. Those sets of data were also sold to identity thieves on dark web forums.

In total, fraudulent tax returns totaling $2.2 million were filed and around $1.7 million was disbursed by the IRS. The funds received were converted to Amazon gift cards, which were used to purchase high-value goods that were shipped to Venezuela.

Three of Johnson’s co-conspirators were arrested and charged for their roles in the UPMC cyberattack. In August 2016, Cuban national Yolandy Perex Llanes was extradited to the United States and pleaded guilty in April 2017 to money laundering and aggravated identity theft. He was sentenced in 2017 to 6 months of time served.

In April 2017, Justin A. Tollefson of Spanaway, Washington, a staff sergeant at Joint Base Lewis-McChord in Tacoma, Washington, pleaded guilty to four counts of using the stolen identities of UPMC employees to file fraudulent tax returns. He had purchased the PII on a dark web forum and used the data to file fraudulent tax returns in the names of four UPMC employees. $56,333 was paid by the IRS in income tax refunds, but Tollefson was arrested before he received any funds. The judge was lenient as Tollefson had not profited from the fraud and sentenced him in 2017 to 3 years of probation.

Maritza Maxima Soler Nodarse, a Venezuelan national, pleaded guilty to conspiracy to defraud the United States in July 2017 for her role in the identity theft and tax fraud crimes. She received a 16-month time-served sentence and was deported to Venezuela.

Johnson received the maximum sentence despite pleading guilty to the hacking charges due to the severity of the offenses and the impact they had on the lives of his victims. Chief United States District Judge Mark R. Hornak said Johnson’s behavior was like a “bulldozer” through people’s lives and his indiscriminate hacking activities showed no regard for his victims. “The actions of criminals like Justin Johnson can have long-lasting and devastating effects on the lives of innocent people,” said Yury Kruty, Acting Special Agent in Charge of IRS-Criminal Investigation.

Johnson was sentenced to serve 60 months in jail for the conspiracy to defraud the United States charge and a mandatory 24-month sentence for aggravated identity theft, with the sentences to run consecutively.

“Justin Johnson stole the names, Social Security numbers, addresses, and salary information of tens of thousands of UPMC employees, then sold that personal information on the dark web so that other criminals could further exploit his victims,” said Acting U.S. Attorney Kaufman. “Today’s sentence sends a deterrent message that hacking has serious consequences.”


September 2021 Healthcare Data Breach Report

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months.

Healthcare data breaches August 2020 to September 2021

While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months.

Healthcare records breached over the past 12 months

Largest Healthcare Data Breaches Reported in September 2021

16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records.

The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was reported to the HHS as affecting 500,000 individuals. The cyberattack is believed to have been conducted by a nation-state hacking group.

Two major data breaches were reported by eye care providers: A hacking incident at U.S. Vision Optical resulted in the exposure of the PHI of 180,000 individuals, and a phishing incident at Simon Eye Management gave the attackers access to email accounts containing the PHI of 144,373 individuals. The breaches are not believed to be related, but they are two of a handful of recent incidents affecting eye care providers.

Ransomware continues to be extensively used in attacks on the healthcare industry. 6 of the top 16 attacks in September involved ransomware and potentially saw PHI stolen. Several ransomware gangs have targeted the healthcare sector, with the FIN12 group one of the most active. A recent analysis of FIN12 attacks by Mandiant revealed 20% of the gang’s attacks have been on the healthcare industry, with the attacks accounting for around 20% of all incidents Mandiant responds to.

Hackers have been targeting the healthcare industry, but data breaches can also be caused by insiders with privileged access to PHI. One notable ‘insider’ breach was reported by Premier Management Company and involved data being accessed by a former employee after termination. The incident highlights the importance of ensuring access to PHI (and IT systems) is blocked immediately when an employee is terminated, leaves the company, or when job functions change that no longer require an employee to have access to PHI.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| State of Alaska Department of Health & Social Services | AK | Health Plan | 500,000 | Nation-state hacking incident |
| U.S. Vision Optical | NJ | Healthcare Provider | 180,000 | Unspecified hacking incident |
| Simon Eye Management | DE | Healthcare Provider | 144,373 | Email account breach (phishing) |
| Navistar, Inc. Health Plan and the Navistar, Inc. Retiree Health Benefit and Life Insurance Plan | IL | Health Plan | 49,000 | Ransomware attack |
| Talbert House | OH | Healthcare Provider | 45,000 | Unspecified hacking incident (data exfiltration) |
| Premier Management Company | TX | Healthcare Provider | 37,636 | PHI accessed by an employee after termination |
| Central Texas Medical Specialists, PLLC dba Austin Cancer Centers | TX | Healthcare Provider | 36,503 | Malware |
| Orlick & Kasper, M.D.’s, P.A. | FL | Healthcare Provider | 30,000 | Theft of electronic devices containing PHI |
| McAllen Surgical Specialty Center, Ltd. | TX | Healthcare Provider | 29,227 | Ransomware attack |
| Asarco Health, Dental, Vision, Flexible Spending, Non-Union Employee Benefits, and Retiree Medical Plans | AZ | Health Plan | 28,000 | Ransomware attack |
| Horizon House, Inc. | PA | Healthcare Provider | 27,823 | Ransomware attack |
| Rehabilitation Support Services, Inc. | NY | Healthcare Provider | 23,907 | Unspecified hacking incident (data exfiltration) |
| Samaritan Center of Puget Sound | WA | Healthcare Provider | 20,866 | Theft of electronic devices containing PHI |
| Directions for Living | FL | Healthcare Provider | 19,494 | Ransomware attack |
| Buddhist Tzu Chi Medical Foundation | CA | Healthcare Provider | 18,968 | Ransomware attack |
| Eastern Los Angeles Regional Center | CA | Business Associate | 12,921 | Email account breach (phishing) |

Causes of September 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 53.2% of all breaches reported in the month and 91.6% of all breached records. 1,147,383 healthcare records were exposed or stolen in those incidents, with an average breach size of 33,747 records and a median breach size of 2,453 records.

The number of incidents involving the theft of physical records or electronic equipment containing PHI increased month-over-month. September saw 6 theft incidents reported and 60,236 records compromised. The mean breach size was 10,039 records and the median breach size was 3,918 records. 4 of those breaches involved electronic equipment and could have been prevented had encryption been used.

There were 7 data breaches reported that involved unauthorized access or disclosures of data by insiders. 45,639 records were breached across those incidents, 37,636 of which were obtained in a single incident. The average breach size was 6,520 records and the median breach size was 1,738 records.

Causes of September 2021 healthcare data breaches

Given the high number of hacking and ransomware incidents reported, it is no surprise that the most common location of breached PHI is network servers. Email accounts continue to be targeted in phishing attacks, with 13 incidents in September involving PHI stored in email accounts. The number of devices containing PHI that were stolen highlights the importance of using encryption to protect stored data.

Location of PHI in September 2021 healthcare data breaches

September 2021 Data Breaches by HIPAA-Regulated Entity

Healthcare providers were the worst affected covered entity with 30 reported breaches. 10 breaches were reported by health plans, 6 breaches were reported by business associates, and one breach was reported by a healthcare clearinghouse.

5 of those breaches were reported by a HIPAA-covered entity but occurred at a business associate. The adjusted figures are shown in the pie chart below.

September 2021 healthcare data breaches by HIPAA-regulated entity type

September 2021 Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities based in 25 states. Texas was the worst affected state with 6 reported breaches of 500 or more records, followed by California with 5 breaches and Connecticut with 4.

| State | Breaches |
|---|---|
| Texas | 6 |
| California | 5 |
| Connecticut | 4 |
| Florida & Washington | 3 |
| Arizona, Georgia, Illinois, New York, Ohio, & Pennsylvania | 2 |
| Alaska, Delaware, Indiana, Kentucky, Maryland, Minnesota, Missouri, New Jersey, New Mexico, Oregon, Rhode Island, Tennessee, Virginia, & Wisconsin | 1 |

HIPAA Enforcement Activity in September 2021

The Department of Health and Human Services’ Office for Civil Rights now has a new director, and it is currently unclear what direction she will take in the department’s HIPAA enforcement actions.

Since the fall of 2019 OCR has been targeting HIPAA-regulated entities that fail to comply with the HIPAA Right of Access and September saw the 20th financial penalty imposed under this initiative for the failure to provide individuals with access to their healthcare records.

Children’s Hospital & Medical Center in Omaha, NE, settled its HIPAA Right of Access case with OCR and paid an $80,000 financial penalty. This was the ninth OCR case this year to have resulted in a financial penalty for non-compliance with the HIPAA Rules.

There were no reported enforcement activities by state attorneys general in September.


MITRE Launches Centers to Protect Critical Infrastructure and Public Health

MITRE has launched two new organizations which have been tasked with addressing critical healthcare challenges and improving cybersecurity to better protect critical infrastructure.

MITRE is a nonprofit organization that manages federally funded research and development centers to support government agencies in defense, healthcare, homeland security, cybersecurity, and other fields. MITRE Labs was established in 2020 as part of a restructuring of MITRE, with the new unit tasked with driving breakthroughs in applied science and advanced technology to transform the future of U.S. scientific and economic leadership.

Two new organizations have now been established within MITRE labs – The Cyber Infrastructure Protection Innovation Center and the Clinical Insights Innovation Cell.

The Cyber Infrastructure Protection Innovation Center was set up to bridge the technology gap between the public and private sector and ensure the operational technology, industrial control systems, and cyber-physical systems of critical infrastructure organizations are protected.

Nation-state actors and cybercriminal gangs have been conducting attacks on critical infrastructure, as demonstrated by the recent cyberattacks on Colonial Pipeline, the meat processor JBS, and a water treatment plant in Florida. These cyberattacks can have a debilitating effect on national security, economic security, and the public health and safety of all Americans.

Critical infrastructure is mostly managed and maintained by private sector firms. The new Cyber Infrastructure Protection Innovation Center has been tasked with working across industry and government to better understand the cyber threats faced by the critical infrastructure sector and to identify practical steps that can be taken by operators of critical infrastructure to improve resilience to cyber threats.

The Clinical Insights Innovation Cell has been established to bring together leaders from the public and private sector to help address critical healthcare challenges and aims to deliver clinical and data science leadership, insight, and advanced artificial intelligence approaches.

The Clinical Insights Innovation Cell team includes data scientists, physicians, informaticists, and experts in the fields of digital health, clinical research trials, and artificial intelligence and has the goal of developing a new system of conducting clinical trials to make health systems more responsible and resilient.

“MITRE Labs has made significant progress to expand MITRE’s impact, inspire innovative disruption, accelerate risk-taking and discovery, and deliver technology capabilities,” said Charles Clancy, senior vice president and general manager of MITRE Labs. “These new groups will help us move faster, be bolder, and act as better partners for securing our nation’s critical infrastructure and leveraging clinical and genomic data to tackle the problems of infectious disease and the promise of precision medicine.”


New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty

A New Jersey infertility clinic accused of violating HIPAA and New Jersey laws by failing to implement appropriate cybersecurity measures has settled the investigation with the state and will pay a $495,000 penalty.

Millburn, NJ-based Diamond Institute for Infertility and Menopause, LLC (Diamond) operates two healthcare facilities in New Jersey, one in New York, and provides consultancy services in Bermuda. Providing those services involves the collection, storage, and use of personal and protected health information (PHI).

Between August 2016 and January 2017, at least one unauthorized individual accessed Diamond’s network which contained the PHI of 14,663 patients, 11,071 of which were New Jersey residents.

As a HIPAA covered entity, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey laws and is similarly required to implement reasonable and adequate safeguards to protect medical data from unauthorized access.

Diamond Investigated for Compliance with Federal and State Laws

The State of New Jersey Department of Law and Public Safety Division of Consumer Affairs investigated Diamond over the data breach to determine compliance with federal and state laws. The investigation revealed Diamond had entered into a support contract with the managed service provider (MSP) Infoaxis Technologies in 2007, which included security and information technology services, including maintaining its third-party server and workstations. The service agreement included third-party software for the management and reporting of audit logs, intended to interpret triggers for event alerts.

Around March 2014, Diamond downgraded its support package with the MSP, resulting in a reduction in the services provided, although Diamond maintains there was no reduction in services between the two support agreements other than the amount of time included for on-site support services.

Prior to the breach occurring, Diamond’s HIPAA Privacy and Security Officer used a Remote Desktop Protocol (RDP) service with a VPN to access the Diamond network, but because the VPN was blocked from the Bermuda office, the MSP provided a different method of access that involved opening a port in the firewall to allow RDP access, instead of using the VPN for authentication.

Between August 28, 2016 and January 14, 2017, a workstation in the Millburn office was accessed by an unauthorized individual on several occasions from a foreign IP address. The unauthorized access was detected and blocked on January 14, 2017. During the time the workstation was accessible, data on the device was not encrypted. The intruder therefore potentially accessed patient data including names, dates of birth, Social Security numbers, and medical record numbers.

An investigation into the breach also revealed an intruder accessed Diamond’s third-party server which housed its electronic medical records within a password-protected SQL server using two compromised Diamond user accounts that had weak passwords. The investigation revealed weak security settings were in place for failed login attempts and password expiration.

While the EMR data was not compromised, the intruder was able to access PHI such as test results, ultrasound images, and clinical and post-operative notes. Diamond’s investigation was unable to confirm how access to the network was gained.
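The two weaknesses described above, an RDP port opened in the firewall in place of the VPN and weak handling of failed logins, leave a trace in the Windows Security event log. The following script is an added example, not from the settlement or from Diamond's systems, that scans constructed 4624/4625 logon events for RDP (logon type 10) sessions from outside the assumed VPN pool and office LAN, for bursts of failed logons from one source, and for a success that follows such a burst. The address ranges, threshold, window and sample events are assumptions.

```python
"""Detection of exposed-RDP abuse in Windows Security logon events.

Added example with constructed events; the allowed source ranges,
threshold and window are assumptions to adapt to your own environment.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: RDP should only ever arrive from the VPN client pool or the office LAN.
ALLOWED_SOURCES = [ipaddress.ip_network("10.8.0.0/24"),       # VPN client pool (assumed)
                   ipaddress.ip_network("192.168.10.0/24")]   # office LAN (assumed)
FAIL_THRESHOLD = 5              # failed RDP logons from one source ...
WINDOW = timedelta(minutes=10)  # ... within this window trigger an alert
RDP_LOGON_TYPE = 10             # RemoteInteractive

# Constructed sample events (fields mirror Security log 4624/4625 event data), not real data.
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2017-01-10T08:00:00Z", "TargetUserName": "alice",
     "LogonType": 10, "IpAddress": "10.8.0.12"},      # legitimate VPN user
    {"EventID": 4625, "TimeCreated": "2017-01-10T08:05:00Z", "TargetUserName": "bob",
     "LogonType": 10, "IpAddress": "192.168.10.7"},   # one typo on the LAN
    {"EventID": 4625, "TimeCreated": "2017-01-10T02:10:00Z", "TargetUserName": "administrator",
     "LogonType": 10, "IpAddress": "203.0.113.45"},
    {"EventID": 4625, "TimeCreated": "2017-01-10T02:11:00Z", "TargetUserName": "admin",
     "LogonType": 10, "IpAddress": "203.0.113.45"},
    {"EventID": 4625, "TimeCreated": "2017-01-10T02:12:00Z", "TargetUserName": "jsmith",
     "LogonType": 10, "IpAddress": "203.0.113.45"},
    {"EventID": 4625, "TimeCreated": "2017-01-10T02:13:00Z", "TargetUserName": "jsmith",
     "LogonType": 10, "IpAddress": "203.0.113.45"},
    {"EventID": 4625, "TimeCreated": "2017-01-10T02:14:00Z", "TargetUserName": "jsmith",
     "LogonType": 10, "IpAddress": "203.0.113.45"},
    {"EventID": 4624, "TimeCreated": "2017-01-10T02:15:00Z", "TargetUserName": "jsmith",
     "LogonType": 10, "IpAddress": "203.0.113.45"},   # weak password finally guessed
    {"EventID": 4625, "TimeCreated": "2017-01-10T02:16:00Z", "TargetUserName": "jsmith",
     "LogonType": 3, "IpAddress": "203.0.113.45"},    # network logon, not RDP: ignored here
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_external(ip):
    """True when the source address is outside every allowed range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ALLOWED_SOURCES)


def analyze(events):
    """Return alerts for RDP from outside, failure bursts and a success after a burst."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent RDP failures
    raised = set()                # (kind, ip) pairs already alerted, to avoid duplicates
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        ip, ts = ev["IpAddress"], parse_time(ev["TimeCreated"])
        if is_external(ip) and ("external", ip) not in raised:
            raised.add(("external", ip))
            alerts.append({"kind": "rdp_from_outside_allowed_sources", "ip": ip})
        recent = [t for t in failures[ip] if ts - t <= WINDOW]
        if ev["EventID"] == 4625:
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= FAIL_THRESHOLD and ("burst", ip) not in raised:
                raised.add(("burst", ip))
                alerts.append({"kind": "repeated_rdp_failures", "ip": ip, "count": len(recent)})
        elif ev["EventID"] == 4624 and len(recent) >= FAIL_THRESHOLD:
            alerts.append({"kind": "success_after_failures", "ip": ip,
                           "user": ev["TargetUserName"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```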

Multiple HIPAA Violations Uncovered

The state investigation into the data breach revealed business associate agreements were not in place prior to sharing ePHI with three business associates: Infoaxis, BMedTech, and Igenomix, in violation of the HIPAA Rules. Diamond was also alleged to have violated the New Jersey Consumer Fraud Act (CFA), the HIPAA Security Rule, and the HIPAA Privacy Rule by removing administrative and technological safeguards protecting PHI and ePHI, which allowed unauthorized individuals to gain access to its systems and ePHI for around five and a half months.

The CFA violations included misrepresentation of HIPAA practices in its privacy and security policy, a failure to secure its network leading to a data breach, and unconscionable commercial practices.

The settlement agreement lists failures to comply with twenty-nine provisions of the HIPAA Privacy and Security Rules. Alleged violations include the failure to conduct a comprehensive risk assessment, failure to encrypt ePHI, failure to modify security measures to ensure reasonable protections for ePHI were maintained, failure to implement procedures for creating, changing, and modifying passwords, and a failure to verify the identity of individuals seeking access to ePHI.

Diamond disputes many of the claims made by the state but agreed to settle the case and pay a $495,000 financial penalty, which consists of $412,300 in civil penalties and $82,700 in investigation fees.

“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said Acting Attorney General Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”

In addition to the financial penalty, Diamond is required to implement additional measures to improve data security, including the use of encryption to prevent unauthorized access to ePHI, implementing a comprehensive information security program, appointing a new HIPAA officer, providing additional training to staff on security policies, developing a written incident response plan, and improving logging, monitoring, access controls, password management, and implementing a risk assessment program.

“Inadequate data systems and protocols are every hacker’s dream,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”


Insider Threat Self-Assessment Tool Released by CISA

Public and private sector organizations have a new tool to help them assess their level of vulnerability to insider threats. The new Insider Threat Risk Mitigation Self-Assessment Tool has been created by the Cybersecurity and Infrastructure Security Agency (CISA) to help users further their understanding of insider threats and develop prevention and mitigation programs.

In healthcare, security efforts often focus on the network perimeter and implementing measures to block external threats, but insider threats can be just as damaging, if not more so. Insiders can steal sensitive information for financial gain, can take information to provide to their next employer, or can abuse their privileged access to cause significant harm.

Insider breaches can have major consequences for businesses, which may include reputation damage, loss of revenue, theft of intellectual property, reduced market share, and even physical harm. CISA says insider threats can include current and former employees, contractors, or other individuals with inside knowledge about a business. The threat posed by insiders can be considerable due to the knowledge those individuals have about a business and the fact they are trusted and have privileged access to systems and sensitive data.

Large organizations are likely to have conducted risk assessments and put measures in place to mitigate insider threats. Small- and medium-sized businesses tend to have limited resources and may not have assessed their risk level and are most likely to benefit from using the new tool.

The tool consists of a series of questions that will establish the level of vulnerability to insider threats and will provide feedback to users to help them develop appropriate mitigations to guard against insider threats and reduce risk to a low and acceptable level.

“CISA urges all our partners, especially small and medium businesses who may have limited resources, to use this new tool to develop a plan to guard against insider threats. Taking some small steps today can make a big difference in preventing or mitigating the consequences of an insider threat in the future,” said CISA Executive Assistant Director for Infrastructure Security David Mussington.

The post Insider Threat Self-Assessment Tool Released by CISA appeared first on HIPAA Journal.

Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart

October is Cybersecurity Awareness Month, a full month in which the importance of cybersecurity is highlighted and resources are made available to help organizations improve their security posture through the adoption of cybersecurity best practices and improved security awareness among the workforce.

Cybersecurity Awareness Month was launched by the National Cyber Security Alliance and the United States Department of Homeland Security in 2004 to raise awareness of the importance of cybersecurity. Each year has a different theme, although the overall aim is the same: to empower individuals and the organizations they work for to improve cybersecurity and make it harder for hackers and scammers to succeed.

The month is focused on improving education about cybersecurity best practices, raising awareness of the digital threats to privacy, encouraging organizations and individuals to put stronger safeguards in place to protect sensitive data, and highlighting the importance of security awareness training.

This year’s overall theme is “Do Your Part, #BeCyberSmart”, and it focuses on communicating the importance of everyone playing a role in cybersecurity and protecting systems and sensitive data from hackers and scammers. Throughout the month, the National Cyber Security Alliance and its partners will be running programs to raise awareness of specific aspects of cybersecurity, with each week of the month having a different theme:

  • Week of October 4 (Week 1): Be Cyber Smart
  • Week of October 11 (Week 2): Phight the Phish!
  • Week of October 18 (Week 3): Explore. Experience. Share.
  • Week of October 25 (Week 4): Cybersecurity First

Cybersecurity Awareness Month kicks off with the theme “Be Cyber Smart” in week 1, which highlights cybersecurity best practices for protecting the vast amounts of personal and business data stored on Internet-connected platforms.

“This evergreen theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity,” said the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The best practices highlighted in week 1 are those that businesses and individuals should already be implementing: always creating strong passwords, enabling multi-factor authentication on accounts, keeping software updated and patching promptly, and creating backups to ensure data can be recovered in the event of a ransomware attack or other destructive cyberattack.

“Since its inception, Cybersecurity Awareness Month has elevated the central role that cybersecurity plays in our national security and economy. This Cybersecurity Awareness Month, we recommit to doing our part to secure and protect our internet-connected devices, technology, and networks from cyber threats at work, home, school, and anywhere else we connect online,” said President Biden in a White House statement announcing the start of Cybersecurity Awareness Month. “I encourage all Americans to responsibly protect their sensitive data and improve their cybersecurity awareness by embracing this year’s theme: ‘Do Your Part. Be Cyber Smart.’”

Each week this month, HIPAA Journal will share information and resources based on the theme of the week that can be used to raise awareness of cybersecurity in your organization and improve your resilience to cyberattacks and privacy threats. Resources for week 1:

Be Cyber Smart – Your Role in Cybersecurity

Cybersecurity Basics – How to Secure Your Online Life

CISA – Cybersecurity Awareness Tip Sheets

The post Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart appeared first on HIPAA Journal.