Internet Filtering for Healthcare

Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering

Earlier this year, spam and web filtering solution provider TitanHQ partnered with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs.

The new partnership has allowed Datto to enhance security on the Datto Networking Appliance with enterprise-grade web filtering technology supplied by TitanHQ.

The new web filtering functionality allows users of the appliance to carefully control the web content that can be accessed by employees and guests and provides superior protection against the full range of web-based threats.

TitanHQ and Datto Networking will be holding a webinar that will include an overview of the solution along with a deep dive into the new web filtering functionality.

Webinar Details:

Datto Networking & TitanHQ Deliver Enhanced Web Content Filtering

Date: Thursday, October 18th

Time: 11AM ET | 8AM PT | 4PM GMT/BST

Speakers:

John Tippett, VP, Datto Networking

Andy Katz, Network Solutions Engineer

Rocco Donnino, EVP of Strategic Alliances, TitanHQ


The post Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering appeared first on HIPAA Journal.

TitanHQ Integrates Web Security into Datto’s Networking Suite

TitanHQ, the leading provider of email and web security solutions for SMBs, has formed a strategic alliance with the networking giant Datto and will be providing its innovative cloud-based web filtering solution to Datto MSPs.

Norwalk, CT-based Datto is primarily a data backup, disaster recovery, and business continuity service provider. The company’s mission is to provide SMBs with the highest quality enterprise-level technology to protect their businesses and networks.

Datto achieves this through its managed service provider (MSP) partners, giving them access to software solutions to ensure their clients are well protected. The company was acquired by Vista Equity Partners in 2017 and merged with New York-based Autotask and now has offices in 21 locations in the United States, Canada, China, Denmark, Netherlands, Germany, Singapore, Australia, and the UK. The company employs more than 1,300 staff and is the world’s leading provider of MSP-delivered IT solutions.

TitanHQ Integrates Web Filtering Solution into Datto’s Networking Range

Galway-based TitanHQ is an award-winning company that provides cloud-based security solutions for SMBs, including SpamTitan, a 100% cloud-based spam filtering solution, and WebTitan, its cloud-based DNS web filtering solution.

The increase in ransomware and phishing attacks has made web filters an important addition to MSPs' security stacks, adding a layer of protection that blocks the malicious links and downloads those attacks rely on before they can compromise healthcare clients' networks.

WebTitan provides real-time protection from malicious URLs, IPs, and phishing websites and is capable of blocking malware and ransomware downloads by preventing end users from visiting malicious websites. The strategic alliance between Datto and TitanHQ has seen WebTitan Cloud and WebTitan Cloud for Wi-Fi integrated into Datto’s networking range and made available to MSPs.

“We pride ourselves in equipping our community of Managed Service Provider partners with the right products and tools to allow each and every customer to succeed. With that in mind, I’m delighted to welcome TitanHQ as a security partner and look forward to growing our partnership,” said John Tippett, VP, Datto Networking.

At DattoCon 2018, the largest MSP event in the United States, TitanHQ will be demonstrating its web content filtering, email filtering, and email archiving solutions to MSPs. The company will be at booth #66 in the exhibition hall for the entire conference and TitanHQ CEO Ronan Kavanagh, Sales Director Conor Madden, Marketing Director Dryden Geary, and Alliance Manager Eddie Monaghan will all be in attendance.

The post TitanHQ Integrates Web Security into Datto’s Networking Suite appeared first on HIPAA Journal.

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised.

Recent Email Hacking and Phishing Attacks on Healthcare Organizations

HIPAA-Covered Entity                    Records Exposed
Inogen Inc.                                      29,529
Knoxville Heart Group                            15,995
USACS Management Group Ltd                       15,552
UnityPoint Health                                16,429
Texas Health Physicians Group                     3,808
Scenic Bluffs Health Center                       2,889
ATI Holdings LLC                                  1,776
Worldwide Insurance Services                      1,692
Billings Clinic                                     949
Diagnostic Radiology & Imaging, LLC                 800
The Oregon Clinic                           Undisclosed

So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in January, ATI Holdings, LLC experienced a breach in March that resulted in the exposure of 35,136 records, and the largest email hacking incident of the year affected Onco360/CareMed Specialty Pharmacy and impacted 53,173 patients.

Wombat Security’s 2018 State of the Phish Report revealed three quarters of organizations experienced phishing attacks in 2017 and 53% experienced a targeted attack. The Verizon 2017 Data Breach Investigations Report, released in May, revealed 43% of data breaches involved phishing, and a 2017 survey conducted by HIMSS Analytics on behalf of Mimecast revealed 78% of U.S. healthcare providers have experienced a successful email-related cyberattack.

How Healthcare Organizations Can Improve Phishing Defenses

Phishing targets the weakest link in an organization: Employees. It therefore stands to reason that one of the best defenses against phishing is improving security awareness of employees and training the workforce how to recognize phishing attempts.

Security awareness training is a requirement under HIPAA (45 C.F.R. § 164.308(a)(5)(i)). All members of the workforce, including management, must be trained on security threats and the risk they pose to the organization.

“An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them,” suggested OCR in its July 2017 cybersecurity newsletter.

HIPAA does not specify how frequently security awareness training should be provided, although ongoing programs including a range of training methods should be considered. OCR indicates many healthcare organizations have opted for bi-annual training accompanied by monthly security updates and newsletters, although more frequent training sessions may be appropriate depending on the level of risk faced by an organization.

A combination of classroom-based sessions, CBT training, newsletters, email alerts, posters, team discussions, quizzes, and other training techniques can help an organization develop a security culture and greatly reduce susceptibility to phishing attacks.

The threat landscape is constantly changing. To keep abreast of new threats and scams, healthcare organizations should consider signing up with threat intelligence services. Alerts about new techniques that are being used to distribute malicious software and the latest social engineering ploys and phishing scams can be communicated to employees to raise awareness of new threats.

In addition to training, technological safeguards should be implemented to reduce risk. Advanced antivirus and anti-malware solutions should be deployed to detect the installation of malicious software, while intrusion detection systems can be used to rapidly identify suspicious network activity.

Email security solutions such as spam filters should be used to limit the number of potentially malicious emails that are delivered to end users’ inboxes. Solutions should analyze inbound email attachments using multiple AV engines, and be configured to quarantine emails containing potentially harmful file types.

Embedded URLs should be checked at the point when a user clicks. Attempts to access known malicious websites should be blocked and an analysis of unknown URLs should be performed before access to a webpage is permitted.
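The two controls just described, quarantining risky attachment types at the gateway and checking links at the moment of the click rather than at delivery, can be sketched in a few dozen lines. The following is an added example, not code from HIPAA Journal or from any vendor named on this page; the blocked-extension list, the known-bad and known-good hosts, the click-check service address (CLICK_CHECK_URL) and the sample message are all constructed for illustration.

```python
"""Added example (not HIPAA Journal's or any vendor's code): a minimal inbound
mail policy that quarantines messages carrying risky attachment types and
rewrites links so they are checked at click time, plus the click-time decision
itself. The block list, the hostnames, CLICK_CHECK_URL and the sample message
are constructed for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, quote, urlparse

# Attachment extensions a gateway would quarantine (assumption: a starter list).
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "jar", "bat", "cmd", "ps1", "iso", "lnk"}
# Known-malicious and known-good hosts (constructed; in practice fed by threat intelligence).
KNOWN_BAD_HOSTS = {"login-secure-update.example", "evil.example"}
KNOWN_GOOD_HOSTS = {"www.hhs.gov"}
# Hypothetical click-time checking service that links are rewritten to point at.
CLICK_CHECK_URL = "https://clickcheck.example/scan?u="
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def risky_filename(name):
    """True when any extension after the first dot is blocked, so both
    'report.exe' and the double-extension trick 'invoice.pdf.exe' are caught.
    Trailing dots and spaces are stripped because Windows ignores them."""
    parts = name.lower().rstrip(". ").split(".")
    return any(part in BLOCKED_EXTENSIONS for part in parts[1:])


def rewrite_url(url):
    """Wrap a link so the click is routed through the checker first."""
    return CLICK_CHECK_URL + quote(url, safe="")


def unwrap_url(rewritten):
    """Recover the original link from a rewritten one (what the checker receives)."""
    return parse_qs(urlparse(rewritten).query)["u"][0]


def inbound_verdict(raw_message):
    """Gateway decision: ('quarantine', reason) or ('deliver', body_with_rewritten_links)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if risky_filename(filename):
            return ("quarantine", "blocked attachment type: " + filename)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return ("deliver", URL_RE.sub(lambda m: rewrite_url(m.group(0)), body))


def click_time_verdict(url):
    """Decision made when the user actually clicks: 'block', 'allow' or 'analyze'.
    Suffix matching means a lookalike such as hhs.gov.login-secure-update.example
    is still caught by the block entry for login-secure-update.example."""
    host = (urlparse(url).hostname or "").lower()
    if any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS):
        return "block"
    if host in KNOWN_GOOD_HOSTS:
        return "allow"
    return "analyze"  # unknown: hold the click until the URL has been analyzed


def make_message(body, attachment_name=None):
    """Build a constructed sample message, optionally with a fake executable attached."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@evil.example>"
    msg["To"] = "nurse@clinic.example"
    msg["Subject"] = "Password expires today"
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


SAMPLE_BODY = (
    "Your password expires today. Re-validate at\n"
    "https://login-secure-update.example/owa/ or read the notice at\n"
    "https://www.hhs.gov/hipaa/index.html\n"
)

if __name__ == "__main__":
    print(inbound_verdict(make_message(SAMPLE_BODY, "invoice.pdf.exe")))
    verdict, body = inbound_verdict(make_message(SAMPLE_BODY))
    for link in URL_RE.findall(body):
        print(unwrap_url(link), "->", click_time_verdict(unwrap_url(link)))
```

Two design points matter in practice. The extension check looks at every extension in the name, not just the last one, because a double extension is the standard way to disguise an executable. And the click-time check matches the host by suffix, so registering a lookalike beneath a malicious domain gives the attacker nothing; the unknown case is deliberately a third verdict, since a link that is clean at delivery time can be weaponized hours later.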

Phishing is highly profitable, attacks are often successful, and it remains one of the easiest ways to gain a foothold in a network and gain access to PHI. As such, phishing will remain one of the biggest threats to the confidentiality, integrity, and availability of PHI. It is up to healthcare organizations to make it as difficult as possible for the attacks to succeed.

The post Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed appeared first on HIPAA Journal.

TitanHQ’s WebTitan Now Available Through Kaseya IT Complete Suite

TitanHQ has announced its DNS-based web filtering solution, WebTitan, has now been integrated into Kaseya’s IT Complete platform. The integration allows MSPs serving the healthcare industry to offer their clients an additional layer of protection against web-based threats such as phishing, malware, and ransomware.

Via Kaseya, managed service providers can access cybersecurity solutions from some of the biggest names in the industry, including Cisco, Dell, and Bitdefender. While the platform provides MSPs with a wide range of easy-to-deploy cybersecurity solutions, one notable absence was an MSP-friendly content filtering solution.

“Security is a critical service that all MSPs must deliver. Adding WebTitan to our open ecosystem of partner solutions means our customers now have even greater access to best of breed technologies to meet the needs of their business,” said Frank Tisellano, Jr., Kaseya vice president product management and design. “With growing concerns over malware, ransomware and phishing as key threats to MSP customers, WebTitan adds a highly effective layer of protection.”

A web filtering solution is a powerful tool that allows healthcare organizations to block attempts by employees to visit malicious websites, either through the clicking of hyperlinks in phishing emails, general web browsing, or redirects to malicious sites via malvertising.  A web filter is an important additional tool that helps to ensure the confidentiality, integrity, and availability of protected health information by blocking phishing attacks, malware, and ransomware downloads.
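What a DNS-based filter actually does is make the policy decision inside name resolution: the resolver classifies the queried name, applies the policy of the network the query came from (the employee and guest networks mentioned earlier on this page, for instance), and hands back a sinkhole address instead of the real one when the name is blocked. The block below is an added illustration of that decision logic, written for this page; it is not WebTitan's code, and the domains, categories, policies and addresses in it are constructed.

```python
"""Added example (not WebTitan's code): the decision logic inside a DNS-based
web filter. The resolver classifies the queried name by its most specific
matching suffix, applies the policy of the requesting network (staff vs. guest
Wi-Fi here), and answers blocked names with a sinkhole address that hosts the
block page. Domains, categories, policies and addresses are constructed."""

SINKHOLE = "10.0.0.10"  # block-page host (constructed)

# Category feed keyed by domain; a match covers all subdomains (constructed).
CATEGORIES = {
    "evil.example": "malware",
    "payroll-verify.example": "phishing",
    "socialmedia.example": "social",
    "ehr-vendor.example": "business",
}
# Per-network policy: the categories that are blocked (constructed).
POLICIES = {
    "staff": {"malware", "phishing"},
    "guest": {"malware", "phishing", "social"},
}
# Administrator overrides; the most specific matching name wins (constructed).
OVERRIDES = {
    "docs.socialmedia.example": "allow",  # one sub-site of a blocked category
    "file-share.example": "block",        # uncategorised but blocked by the admin
}
# Stand-in for the upstream answer the resolver would otherwise return (constructed).
UPSTREAM = {"evil.example": "203.0.113.5", "socialmedia.example": "192.0.2.7",
            "ehr-vendor.example": "192.0.2.20"}
UPSTREAM_DEFAULT = "198.51.100.1"


def normalize(name):
    return name.lower().rstrip(".")


def lookup_suffix(name, table):
    """Walk from the full name up through its parents and return the first
    (most specific) table entry as (matched_suffix, value), or (None, None)."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate, table[candidate]
    return None, None


def upstream_answer(name):
    _, addr = lookup_suffix(name, UPSTREAM)
    return addr or UPSTREAM_DEFAULT


def resolve(name, network):
    """Return (action, category, address) for a query from the given network."""
    override_suffix, override = lookup_suffix(name, OVERRIDES)
    category_suffix, category = lookup_suffix(name, CATEGORIES)
    # Both matches are suffixes of the same name, so the longer one is the more specific.
    override_wins = override is not None and (
        category_suffix is None or len(override_suffix) >= len(category_suffix))
    if override_wins:
        action = override
    elif category in POLICIES[network]:
        action = "block"
    else:
        action = "allow"
    address = SINKHOLE if action == "block" else upstream_answer(name)
    return action, category, address


def log_line(client_ip, name, network):
    """One resolver log record: the raw material for reporting and detection."""
    action, category, address = resolve(name, network)
    return f"{client_ip} {network} {normalize(name)} {category or '-'} {action} {address}"


if __name__ == "__main__":
    for query, net in [("evil.example", "staff"), ("cdn.evil.example", "guest"),
                       ("socialmedia.example", "staff"), ("socialmedia.example", "guest"),
                       ("docs.socialmedia.example", "guest"), ("file-share.example", "staff")]:
        print(log_line("10.1.2.3", query, net))
```

Two caveats follow directly from where this decision is made. The resolver only ever sees a name, never a URL path, so a malicious file hosted on an otherwise allowed domain is indistinguishable from that site's home page; and a client that resolves names elsewhere, through a hard-coded public resolver or DNS over HTTPS, bypasses the policy entirely unless egress rules force all DNS traffic through the filtering resolver.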

In the past month alone 10 email-based hacking incidents have been reported to OCR, with each incident resulting in the exposure of more than 500 healthcare records. The high volume of successful phishing attacks on healthcare employees highlights the need for advanced technological controls to prevent healthcare employees from visiting malicious websites and disclosing their account credentials.

Managed service providers can now access the multi-award-winning web filtering solution through Kaseya VSA and the Kaseya IT Complete Suite and deploy network-wide DNS-based web filtering in a matter of minutes, giving their healthcare clients even greater protection against malware, ransomware and phishing attacks.

The post TitanHQ’s WebTitan Now Available Through Kaseya IT Complete Suite appeared first on HIPAA Journal.

How Long Does It Take to Breach a Healthcare Network?

A recent survey of hackers, incident responders, and penetration testers has revealed the majority can gain access to a targeted system within 15 hours, and more than half of hackers (54%) take less than five hours to gain access to a system, identify sensitive data, and exfiltrate the data.

61% of Surveyed Hackers Took Less than 15 Hours to Obtain Healthcare Data

The data comes from the second annual Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of whom were based in the United States.

Respondents were asked about the time it takes to conduct attacks and steal data, the motivations for attacks, the techniques used, and the industries that offered the least resistance.

While the least protected industries were hospitality, retail, and the food and beverage industry, healthcare organizations were viewed as particularly soft targets. Healthcare, along with law firms, manufacturers, and sports and entertainment companies had below average results and were relatively easy to attack. As Nuix points out, many of the industries that were rated as soft targets are required to comply with industry standards for cybersecurity.

The retail and food and beverage industries are required to comply with Payment Card Industry Data Security Standard (PCI DSS) and healthcare organizations must comply with HITECH Act requirements and the HIPAA Security Rule, with the latter requiring safeguards to be implemented to ensure the confidentiality, integrity, and availability of healthcare data. As far as hackers are concerned, the data is certainly available. When asked how long it takes to breach the perimeter of a hospital or healthcare provider and exfiltrate useful data, 18% said less than 5 hours, 23% said 5-10 hours, and 20% said 10 to 15 hours. ‘Large numbers’ of hackers said they were able to identify and exfiltrate sensitive data within an hour of breaching the network perimeter.

Even though organizations are required to comply with certain standards for cybersecurity, that does not mean that appropriate safeguards are implemented, or that they are implemented correctly and are providing the required level of protection.

“Most organizations invest heavily in perimeter defenses such as firewalls and antivirus, and these are mandatory in many compliance regimes, but most of the hackers we surveyed found these countermeasures trivially easy to bypass,” said Chris Pogue, Head of Services, Security and Partner Integration at Nuix and lead author of the report.

How Are Hackers Gaining Access to Networks and Data?

The most popular types of attacks are social engineering (27%) and phishing attacks (22%), preferred by 49% of hackers. 28% preferred network attacks. The popularity of ransomware has soared in recent years, yet it was not a preferred attack method, favored by only 3% of respondents to the survey.

Social engineering is used sometimes or always by 50% of attackers, with phishing emails by far the most popular social engineering method. 62% of hackers who use social engineering use phishing emails, physical social engineering on employees is used by 22%, and 16% obtain the information they need over the telephone.

The most commonly used tools for attacks were open source hacking tools and exploit packs, which combined are used by 80% of surveyed hackers.

Interestingly, while the threat landscape is constantly changing, hackers do not appear to change their tactics that often. Almost a quarter of hackers only change their attack methods once a year and 20% said they update their methods twice a year.

As for the motivation for the attacks, it is not always financial. 86% hack for the challenge, 35% for entertainment/mischief, and only 21% attack organizations for financial gain.

One take-home message from the survey is just how important it is to implement security awareness programs, train staff in cybersecurity best practices, and keep them alert to the threat from social engineering and phishing attacks. With almost half of hackers preferring these tactics, ensuring the workforce can identify phishing and social engineering attacks will greatly improve organizations’ security posture.

The post How Long Does It Take to Breach a Healthcare Network? appeared first on HIPAA Journal.

Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI.

For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents.

In contrast to all other industry sectors, the healthcare industry is unique as the biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches with external actors confirmed as responsible for just 42% of incidents.

The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted for financial gain. 31% involved accessing medical data out of curiosity or for fun, 10% of incidents were attributed to easy access to data, with 3% of incidents occurring due to a grudge and a further 3% for espionage. External attacks are primarily conducted for financial gain – extortion and the theft and sale of data.

Verizon also looked at the actions that lead to PHI incidents and data breaches, with the most common being errors, which were behind 33.5% of all incidents. The error category includes the misdelivery of emails and mailings, errors made disposing of PHI, publishing errors, loss of PHI, misconfigurations, programming mistakes and data entry errors. The main cause was misdelivery of documents, which accounted for 20% of all incidents in the error category.

The second biggest breach category is misuse, accounting for 29.5% of all incidents. 66% of incidents in this category were attributed to privilege abuse – accessing records without authorization. Data mishandling was behind 21.6% of incidents and possession abuse – the misuse of access to physical records – was behind 16.9% of incidents in the misuse category.

The physical category includes theft of records and devices, snooping, tampering, disabled controls, and surveillance. 16.3% of all healthcare PHI incidents were placed in this category, with theft accounting for 95.2% of all incidents. The theft of laptops was the main incident type. Almost half (47%) of laptop theft incidents involved the devices being taken from employees’ vehicles. The use of encryption would prevent the majority of these incidents from exposing PHI.

Hacking may make the headlines, but it accounted for relatively few breaches – just 14.8% of all healthcare PHI incidents were placed in this category. The main cause of breaches in the hacking category was the use of stolen credentials (49.3% of incidents), with credentials often stolen via phishing attacks. Brute force attacks taking advantage of weak passwords were behind 20.9% of incidents. 17.9% of hacking breaches involved the use of backdoors.

Malware was involved in 10.8% of all PHI incidents. While there were a wide range of malware types and variants used in attacks, by far the biggest category was ransomware, which accounted for 70.5% of attacks.

Social attacks accounted for 8% of all incidents. This category involves attacks on employees. Phishing was involved in 69.9% of incidents in this category, followed by pretexting (11.7%), and bribery (7.8%). Pretexting is a more targeted follow-on to phishing in which the attacker constructs a false scenario, for example using a compromised or spoofed email account to request a payment in a business email compromise (BEC) attack.

Verizon offers three suggestions which in the short term will help to reduce the number of PHI related incidents and data breaches.

Full disk encryption should be deployed on all portable electronic devices used to store PHI. This simple measure would prevent PHI from being accessed in the event of loss or theft of an electronic device.

The routine monitoring of medical record access – a requirement of HIPAA – will not prevent breaches, but it will reduce the severity of insider incidents and allow healthcare organizations to take corrective action quickly. When employees are aware that records are routinely monitored it can also act as a deterrent and reduce theft and unauthorized access incidents.
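Monitoring only reduces the severity of insider incidents if someone is actually looking at the access logs for the patterns the report describes: records opened with no treatment relationship, charts of flagged patients, staff reading the records of people who share their surname, and bursts of chart access that no clinical workload explains. The following detection pass over EHR access-log lines is an added example written for this page, not something from the Verizon report or HIPAA Journal; the assignment table, patient directory, thresholds and log lines are all constructed, and the burst threshold is deliberately tiny so the sample data trips it.

```python
"""Added example (not part of the Verizon report or HIPAA Journal's text): a
detection pass over EHR access-log lines that flags the insider patterns the
report describes: record access with no treatment relationship, access to a
flagged (VIP) record, a staff member opening the chart of someone with their
own surname, and a burst of distinct charts in a short window. The assignments,
directory, thresholds and log lines are all constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Which patients each user is currently assigned to treat (constructed).
ASSIGNMENTS = {
    "jsmith": {"P1001", "P1002"},
    "kdoe": {"P2001", "P2002", "P2003", "P2004"},
    "mlee": {"P1001"},
}
STAFF_SURNAMES = {"jsmith": "Smith", "kdoe": "Doe", "mlee": "Lee"}
PATIENTS = {
    "P1001": {"surname": "Garcia", "vip": False},
    "P1002": {"surname": "Nguyen", "vip": False},
    "P2001": {"surname": "Okafor", "vip": False},
    "P2002": {"surname": "Rossi", "vip": False},
    "P2003": {"surname": "Patel", "vip": False},
    "P2004": {"surname": "Kim", "vip": False},
    "P3001": {"surname": "Smith", "vip": False},   # same surname as jsmith
    "P9001": {"surname": "Famous", "vip": True},   # flagged record
}
# Deliberately tiny thresholds so the constructed log triggers them; tune per role in practice.
BURST_WINDOW = timedelta(minutes=10)
BURST_LIMIT = 3

# Constructed access-log extract in CSV form.
ACCESS_LOG = """timestamp,user,role,patient_id,action
2018-09-10T08:15:00,jsmith,nurse,P1001,view
2018-09-10T08:20:00,jsmith,nurse,P3001,view
2018-09-10T08:22:00,jsmith,nurse,P9001,view
2018-09-10T09:00:00,kdoe,physician,P2001,view
2018-09-10T09:05:00,kdoe,physician,P2002,update
2018-09-10T09:07:00,kdoe,physician,P2003,view
2018-09-10T09:09:00,kdoe,physician,P2004,view
2018-09-10T12:00:00,mlee,clerk,P1001,view
"""


def detect_snooping(log_text):
    """Return findings as (user, rule, detail) tuples."""
    findings = []
    events_by_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        user, pid = row["user"], row["patient_id"]
        patient = PATIENTS.get(pid, {})
        if pid not in ASSIGNMENTS.get(user, set()):
            findings.append((user, "no_treatment_relationship", pid))
        if patient.get("vip"):
            findings.append((user, "vip_record", pid))
        surname = patient.get("surname")
        if surname and surname == STAFF_SURNAMES.get(user):
            findings.append((user, "shared_surname", pid))
        events_by_user[user].append((datetime.fromisoformat(row["timestamp"]), pid))
    # Sliding window over each user's accesses: too many distinct charts too quickly.
    for user, events in events_by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            charts = {pid for ts, pid in events[i:] if ts - start <= BURST_WINDOW}
            if len(charts) > BURST_LIMIT:
                findings.append((user, "volume_burst",
                                 f"{len(charts)} charts within {BURST_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for finding in detect_snooping(ACCESS_LOG):
        print(*finding)
```

The treatment-relationship rule does most of the work in a real deployment, but it depends on keeping the assignment data current; the surname and VIP rules catch the two classic curiosity cases cheaply, and the volume rule is the one that needs per-role tuning, since a physician on rounds legitimately opens many charts in a short time.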

The final course of action is to implement solutions to combat ransomware and malware. While defenses can and should involve the use of spam filters and web filters, simple measures can also be taken such as not allowing laptops to access the Internet if they are used to store large quantities of PHI.

The post Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches appeared first on HIPAA Journal.

How Can Healthcare Organizations Protect Against Cyber Extortion

In its January 2018 Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights drew attention to the rise in extortion attempts on healthcare organizations and offered advice on how healthcare organizations can protect against cyber extortion.

Ransomware Attacks Have Risen Significantly

Ransomware attacks on healthcare organizations have increased significantly over the past two years. Healthcare providers are heavily reliant on access to electronic data and any attack that prevents access is likely to have a major impact on patients. The inevitable disruption to services – and the cost of that disruption – makes it more likely that a ransom will be paid.

The relatively high probability of a ransom being paid, coupled with the ease of attacking healthcare organizations, has made the industry an attractive target for cybercriminals.

It may be more cost effective and better for patients if a ransom is paid instead of recovering data from backups. That was certainly the view of Hancock Health, which paid a ransom of 4 Bitcoin to minimize disruption even though its data could have been recovered from backups.

Paying a ransom may seem preferable, but there is no guarantee that data will be recoverable. This year has seen wiper malware used that mimics ransomware; in such cases there are no keys to unlock the encrypted data. There have also been cases of ransoms being paid, only for further demands to be sent, such as the 2016 ransomware attack on Kansas Heart Hospital.

Data Theft and Threats of Data Dumps

There have been numerous cases of data theft by hackers followed by threats to dump the data online if a ransom payment is not made, the modus operandi of the hacking group TheDarkOverlord, which was responsible for many cyber extortion attacks on healthcare providers over the past 2 years.

Typically, this type of attack sees vulnerabilities exploited to gain access to data. Brute force attacks allow weak passwords to be guessed, and the past year saw several healthcare organizations have data stolen as a result of misconfigurations of databases and unsecured Amazon S3 buckets. Several attacks saw data deleted from healthcare organizations’ databases after data had been exfiltrated, adding an extra incentive to pay the ransom demand.

As with ransomware attacks, there is no guarantee that the attacker will return data, make good on a promise not to publish data or delete any copies of stolen PHI.

DoS and DDoS Attacks

Not all cyber extortion attempts involve the theft of data or use of encryption to prevent PHI access. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks direct large volumes of traffic to computers and servers rendering them inaccessible. Demands for payment are often issued to stop the attacks, or threats of attacks are made unless payment is made.

How Can Healthcare Organizations Reduce Cyber Extortion Risk?

There are several ways that healthcare organizations can reduce the risk of cyber extortion attacks, most of which are general cybersecurity best practices that should already have been adopted. Others are requirements of HIPAA Rules.

The most important measure, and one which so many healthcare organizations fail at, is to perform a comprehensive, organization-wide risk analysis covering all systems and devices containing ePHI and systems/devices that can be used to access PHI. A risk management program must also be implemented that addresses all identified vulnerabilities and reduces them to an acceptable level.

Since so many cyber extortion attacks take advantage of unpatched vulnerabilities, healthcare organizations need to ensure all software and operating systems are kept up to date and patches are applied promptly. Robust inventory and vulnerability identification processes are necessary to ensure the accuracy and completeness of risk analyses.

Healthcare organizations should consider signing up with Information Sharing and Analysis Organizations (ISAOs) and other providers of threat intelligence to discover new threats and vulnerabilities in time to block attacks.

Ransomware attacks often occur as a result of healthcare employees responding to malicious emails. Unless a security awareness training program is implemented, employees will be a major weak point in security defenses. Technologies should also be implemented to block malicious emails and prevent them from reaching end users’ inboxes.

While anti-malware, anti-virus, and other signature-based malware defenses are not as effective as they once were, they are still an essential part of security defenses for healthcare organizations. Firewalls and other perimeter and network defenses should also be deployed, while internal defenses should be hardened to slow down attacks and prevent lateral movement within a network. Network segmentation is strongly recommended.

Just as encryption can prevent breaches when portable devices are lost or stolen, encryption can also prevent attackers from gaining access to sensitive data if the network is breached. Regular backups should also be created to ensure data recovery is possible without paying a ransom. A good backup strategy is the 3-2-1 approach. At least three copies of data, on two different media, with one copy stored securely off-site.

Backups are only of use if data recovery is possible. Backups should therefore be tested to make sure data has not been corrupted and can be recovered in the event of a cyberattack.
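A restore test needs something to compare against, and it needs to resist an attacker who has already reached the backup copy, since extortionists routinely go after backups before deploying ransomware. The block below is an added example written for this page, not from the OCR newsletter or HIPAA Journal: at backup time every file is hashed into a manifest, the manifest is signed with an HMAC key that would be kept off the backup media, and the check verifies the signature before re-hashing every file, so both silent corruption and a manifest rewritten to hide it are caught. The directory layout, file contents and key are constructed.

```python
"""Added example (not from the OCR newsletter or HIPAA Journal): a restore
check for a file backup. At backup time every file is hashed into a manifest
and the manifest is signed with an HMAC key kept off the backup media; at test
time the signature is verified first and then every file is re-hashed, so both
silent corruption and an attacker rewriting the manifest to hide it are
detected. Directory layout, file contents and the key are constructed."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"
SIGNATURE = "MANIFEST.sig"
# Key for signing manifests; in practice stored separately from the backups (constructed value).
KEY = bytes.fromhex("8f1c0b2a9e3d4c5b6a7988776655443322110099aabbccddeeff001122334455")


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src, dest, key):
    """Copy the tree and record a signed manifest of per-file SHA-256 digests."""
    src, dest = Path(src), Path(dest)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_file(target)   # hash the copy, not the source
    data = json.dumps(manifest, sort_keys=True).encode()
    (dest / MANIFEST).write_bytes(data)
    (dest / SIGNATURE).write_text(hmac.new(key, data, hashlib.sha256).hexdigest())
    return manifest


def verify_backup(dest, key):
    """Return (ok, problems). A bad signature stops the check: the manifest itself is untrusted."""
    dest = Path(dest)
    data = (dest / MANIFEST).read_bytes()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, (dest / SIGNATURE).read_text()):
        return False, [("bad_signature", MANIFEST)]
    problems = []
    for rel, digest in json.loads(data).items():
        path = dest / rel
        if not path.is_file():
            problems.append(("missing", rel))
        elif sha256_file(path) != digest:
            problems.append(("corrupted", rel))
    return not problems, problems


def demo():
    """Back up a constructed tree, then simulate corruption and manifest tampering."""
    work = Path(tempfile.mkdtemp(prefix="backup-check-"))
    try:
        src, dest = work / "ehr", work / "backup"
        (src / "notes").mkdir(parents=True)
        (src / "patients.db").write_bytes(os.urandom(4096))
        (src / "notes" / "visit.txt").write_text("constructed visit note\n")
        create_backup(src, dest, KEY)
        results = {"clean": verify_backup(dest, KEY)}
        # Flip a byte in the copy: bit rot, or ransomware touching the backup.
        copy = dest / "patients.db"
        damaged = bytearray(copy.read_bytes())
        damaged[0] ^= 0xFF
        copy.write_bytes(damaged)
        results["corrupted"] = verify_backup(dest, KEY)
        # Attacker rewrites the manifest to match the damaged file; the signature gives it away.
        manifest = json.loads((dest / MANIFEST).read_bytes())
        manifest["patients.db"] = sha256_file(copy)
        (dest / MANIFEST).write_bytes(json.dumps(manifest, sort_keys=True).encode())
        results["tampered"] = verify_backup(dest, KEY)
        return results
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(name, "ok" if ok else problems)
```

The check deliberately hashes the copy rather than the source, because the point is to prove what is on the backup medium, and it refuses to trust any file list whose signature fails; run it against the off-site copy of the 3-2-1 set as well, since that copy is the one that has to survive when the others are encrypted.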

The post How Can Healthcare Organizations Protect Against Cyber Extortion appeared first on HIPAA Journal.