Cloud Security Learning Curve Remains High: Latest Amazon S3 Misconfiguration Illustrates Need for Safety Nets
John Hawley, deltarisk.com, January 25, 2018
We can add yet another sensitive data breach to our lessons learned catalog. This one, involving a large volume of sensitive medical records exposed to the world, goes in the fat folder related to misconfigured storage services. A U.S.-based digital records management company stored this information in a large PDF file, which was then stored in an Amazon Web Services (AWS) Cloud S3 storage bucket. Anyone who had the unique URL associated with the S3 bucket could bypass Amazon encryption to access this privileged information.
Laura Lee, healthitdatamanagement.com, January 16, 2018
Some may say healthcare chief security information officers have the cards stacked against them. No other industry has the combined data trove, ongoing IT transformation and complicated delivery system to navigate that healthcare organizations do. The race to innovate and digitize patient care has introduced mobile, cloud and Internet of Things (IoT) technology, exponentially expanding the attack surface, while sprawling (and often outdated) legacy systems further complicate enterprise security efforts.
Mirko Zorz, helpnetsecurity.com, January 24, 2017
A new KnowBe4 study of phishing statistics for top industries shows small insurance companies have the highest percentage of phish-prone employees in the small to mid-size organization category. Not-for-profit organizations take the lead in large organizations. The study, drawn from a data set of more than six million users across nearly 11,000 organizations, benchmarks real-world phishing results.
Chris Nerney, cio.com, January 16, 2018
More than two weeks after Hurricane Maria struck Puerto Rico in mid-September, five of the island’s 69 hospitals remained closed. Of the 64 hospitals operating fully or partially, only 17 were connected to the power grid, the governor’s office said at the time. The vast majority relied on generators to power electronic health records (EHRs) systems and other IT tools, medical equipment, storage refrigerators, and utilities. Just weeks earlier, Hurricane Harvey battered the Texas and Louisiana coasts, forcing at least 16 hospitals in Texas to close in the storm’s immediate aftermath, and necessitating relocation of as many as 1,000 patients to hospitals and other medical facilities across the state.
Elizabeth Snell, healthitsecurity.com, January 31, 2018
Healthcare organizations must be mindful of how they reduce cyber extortion risk because covered entities maintain sensitive data and provide necessary services, OCR stated in its January Cybersecurity Newsletter. Cyber extortion often consists of cyber criminals demanding money from organizations in exchange for the criminals stopping their malicious activity. This activity could include stealing sensitive information or interrupting computer services, OCR explained.
Dan Gunderman, cshub.com, January 2, 2018
Yet again, cyber security has made its presence known. Health systems executives placed it as a top priority for 2018, ahead of artificial intelligence (AI) and other burgeoning technologies. Respondents indicated that they will be seeking proven solutions – ones that can impact the enterprise from the outset. This affords the health systems the ability to monitor active cyber threats. New findings suggest that the cyber security spend trumps more innovative technology, such as wearables.
Help Net Security Staff, helpnetsecurity.com, January 23, 2018
Globally, cybercrime victims share a similar profile: they are everyday consumers who use multiple devices whether at home or on the go, but have a blind spot when it comes to cyber security basics. This group tends to use the same password across multiple accounts or share it with others. Equally concerning, 39 percent of global cybercrime victims, despite their experience, gained trust in their ability to protect their data and personal information from future attacks, and 33 percent believe they had a low risk of becoming a cybercrime victim.
John LeBrecht, deltarisk.com, January 18, 2018
It’s a new year, but ransomware incidents show no signs of going away soon. Organizations continue to be faced with a tough dilemma: pay the ransom, or rely on a contingency plan to regain access to critical files and systems. Hancock Health is the latest organization to pay the ransom. Infected by the SamSam ransomware, the Indiana-based hospital spent $55,000 to get their systems up and running again, despite having backups. They decided that paying the ransom would be the fastest way to unlock their email system and internal operating system rather than restoring their backups, which could take days or weeks.
Elizabeth Snell, healthitsecurity.com, January 23, 2018
NIST’s second draft of its Cybersecurity Framework (the Framework) is overall a positive step toward improving the nation’s cybersecurity, according to comments from HIMSS. However, there is room for some improvement to ensure that healthcare cybersecurity infrastructure is improved. “HIMSS supports NIST’s inclusion of holistic security principles throughout the Framework—including the alignment of cybersecurity risk management with the business context and resources that support critical functions,” read the letter addressed to NIST Director Dr. Walter Copan.