US hospitals lack new technologies and best practices to defend against threats, new report says.
Some 93 major cyberattacks hit healthcare organizations this year, up from 36 in 2015, new research shows.
TrapX Labs, a division of TrapX Security, found this 63% increase in attacks on the healthcare industry for the period between January 1, 2016 and December 12. Some may have been ongoing prior to Jan. 1, but for consistency, researchers only used official reporting dates to the Department of Health and Human Services, Office of Civil Rights (HHS OCR).
Among the largest attacks were those on Banner Health (3.6M records), Newkirk Products (3.4M records), 21st Century Oncology (2.2M records), and Valley Anesthesiology Consultants (0.88M records).
HIPAA compliance training is always recommended for any organization that requires it, regardless of size or annual budget. Everyone, from multibillion-dollar healthcare conglomerates to a country doctor with one administrative worker, must follow HIPAA training rules in order to protect patient data. However, even with all these measures in place, sophisticated attackers have still found their way in. They are responsible for 31% of all major HIPAA data breaches reported this year, a 300% increase over the past three years, according to the report. Cybercriminals were responsible for 10% of all major data breaches in 2014 and 21% in 2015.
Despite the rise in attacks, the number of records breached dropped to about 12,057,759. That said, so many millions of health records have been stolen that the value of individual records decreased this year, TrapX reported.
Researchers pinpointed two major trends from 2016: the continued discovery and evolution of medical device hijacking, which TrapX calls MEDJACK and MEDJACK.2, and the increase of ransomware across a variety of targets.
MEDJACK involves the use of backdoors in medical devices like diagnostic or life-support equipment. Hackers use emailed links, malware-equipped memory sticks, and corrupt websites to load tools into these devices, most of which run standard/older operating systems and proprietary software.
“Once inside the network, these attackers move laterally in search of high-profile targets from which they can ultimately exfiltrate intellectual property and patient data,” says Moshe Ben-Simon, co-founder and VP of services at TrapX Labs.
One successful penetration is often enough to give hackers access to the network, where they can find unprotected devices to host attacks, chat with humans, and access information. It’s difficult to mitigate the effects of MEDJACK; many hospitals don’t even know it happens.
“Unfortunately, hospitals do not seem to be able to detect MEDJACK or remediate it,” Simon explains. “The great majority of existing cyber-defense suites do not seem able to detect attackers moving laterally from these compromised devices.”
Ransomware attacks on large and mid-sized healthcare organizations have also become more diverse. The financial depth and criticality of operations make them easy targets. It’s one thing to close a business for one day; it’s entirely different to force a hospital shutdown. For hospitals to prevent such attacks on their financial information, they may need secure and reliable hospital revenue cycle management software. It is possible to neutralize most cyber-attacks with the help of such advanced technologies.
A July 2016 survey conducted by Solutionary discovered healthcare is the industry most frequently targeted by malware, accounting for 88% of all detections in Q2. Hackers target healthcare because organizations will usually pay ransom for valuable patient data.
TrapX researchers predict ransomware will reach “unprecedented levels” next year as quick ROI, and easy access to untraceable money such as Bitcoin, make it easier for hackers to launch more attacks at once.
It’s one prediction among many that spell trouble for the healthcare industry in 2017.
Experts anticipate cyberattacks targeting the industry will continue to set records, as most hospitals are unaware of breaches and will remain vulnerable to advanced attacks via medical devices. Mid-sized healthcare businesses will be targeted more often, they predict.
However, more advanced equipment may not necessarily solve problems. The Internet of Things is expected to generate new attack vectors, as most IoT devices don’t have built-in security and don’t let third parties install protective software. If compromised, they provide a backdoor for hackers that can be used for months without hospitals noticing.
Going forward, healthcare organizations will be forced to implement sorely needed security practices. A study from the Healthcare Information and Management Systems Society (HIMSS) found most fail to adopt basic safeguards like anti-malware tools, firewalls, and encryption.
Even as major breaches make headlines, it’s difficult to get healthcare execs to tighten their focus on security.
“Traditionally healthcare providers are in the business of saving lives, so the IT security staffs have a difficult time competing for budget dollars,” says Lee Kim, HIMSS director of privacy and security. “As recent as five years ago, you would hear people saying that people wouldn’t want to attack a healthcare facility because they didn’t believe anyone would want to do harm to the patients.”
Everyone, from the small business owner to senior executives in businesses of every shape and size, is confronting a seemingly insurmountable problem: constant and rising cyber security breaches. It seems no matter what we do, there is always someone who was hacked, a new vulnerability exploited, and millions of dollars lost.
In an effort to stem the tide people have tried everything: From throwing money at it by buying the latest and greatest tech gizmos promising security, to outsourcing cyber security management, to handing it over to the IT folks to deal with it. And, every time the result is money lost, productivity decreased, and the attacks continue.
Many business people complain that we’re not just losing a battle here and there. We’re losing the war. Is that true?
The truth is that those that keep losing their cyber battles and risk losing the war are making three critical mistakes:
1. They think cyber security is a technology problem.
2. They follow a cyber security check list once-and-done.
3. They don’t have a cyber security awareness training program in place.
First, cyber security is not a technology problem. Far from it. It is a business-critical problem, and more importantly: It’s a people problem, and we need to address it at that level.
Second, cyber security is a constantly evolving battlefield. The threats evolve, the attacks take new paths, the underlying technologies change. A static check list solves yesterday’s problems, not today’s, and certainly not tomorrow’s.
Finally, if people don’t understand the threat they will not even see the attack coming, much less be able to respond and protect themselves. Cyber security awareness training is the only way to prepare everyone for the new reality we live and work in.
Cyber security is not an IT problem either, according to Prosyn. It is a risk management problem. This is easier to understand if you work in a regulated industry. There, the concept, language, even governance of risk management is part of the daily lexicon. This is why it’s so important that you understand how to respond to risk as well as being aware of what the risks may be before they occur.
Not so with small and mid-market businesses less familiar with the risk management function. It doesn’t help that the very nature of the threat and the way the “payload” of the attack is delivered is via information technologies. It almost makes sense to have IT deal with cyber security. But the victims are not the computers. The victims are the businesses and their people.
More importantly: A company’s Information Technology generates Value. It does so in myriad different ways depending on the business you are in, from the actual delivery of goods to clients (e.g. software businesses, data businesses, media, and technology businesses, etc.) to complementing, enhancing, and realizing the mission and vision of the company (law firms, manufacturing, logistics, healthcare, etc.). Owing to these security breach issues, many businesses tend to opt for the services of reliable service providers like Privacera (https://privacera.com/products/centralized-access-control/) and similar others. By having centralized and secure access to all the data of the business, they are most likely not to be affected by cybercrimes.
Cyber security, like all risk management, is there to protect value. Therefore, you can never have cyber security (the value protector) report to IT (the value creator). That creates a conflict of interest. Just like IT reports directly to the CEO, so must cyber security. They are parallel tracks keeping the business train aligned and moving.
Once you have the reporting structure correctly in place, you need to empower it with executive buy-in and engagement. Cyber security needs your direction on company goals and risk appetite so they can develop the right strategy to protect the company’s assets. Cyber security professionals, working with the board and executives, including IT and business units, will develop the right defense-in-depth strategy that is right for the company.
Cyber security doesn’t happen in isolation. It is not a set check list. It is dynamic, adjusting strategy to risk, asset value, and controls. As market conditions change, as company goals change, and as technology changes, so will the cyber security strategy.
Neither structure nor strategy will help if you ignore the most important element in cyber security: People. In 2016 ISACA published the top three cybersecurity threats facing organizations in that year. They were, in order: 52% Social Engineering; 40% Insider Threats; 39% Advanced Persistent Threats.
Excluding the advanced persistent threats typically targeted against large multinationals, governments, military, infrastructure and the like, the other two have one common element: People.
It is people that become the victims of cyber-attacks, and by extension, the businesses they work in or do business with. Be it through social engineering, extortion, or any of the many vulnerabilities that hackers can exploit, it is people that get compromised first. They are the ones that have to pick up the pieces when all the data is gone or when their identity is stolen.
The good news is that cyber security awareness training is one of the most effective controls against hackers. Training and sensitizing people to the threats, the methods used, vulnerabilities, even their own personal privacy risks, has been proven time and again as the one thing that makes a real difference in early detection, quick response and recovery during a cyber-attack. Having a quarterly lunch-and-learn will go a long way in developing a culture of cyber awareness, saving both your business and your employees from cyber-harm.
Avoiding these three mistakes in cyber security won’t help win every single battle. But it will guarantee you win the war.
To protect sensitive data, businesses must take the time to refocus on best practices
In the past five years, businesses of all sizes have realized just how vulnerable they are to cyber attacks.
The astonishing increase in the number of attacks each year troubles corporate leaders, IT professionals and chief information security officers, who see their security efforts foiled by hackers.
The number of large corporations targeted since 2015 is proof that everyone is vulnerable. Wherever you look, there is an Ashley Madison, Home Depot or JP Morgan Chase breach that makes you realize just how precarious security structures are.
In sports, teams regroup at halftime and get back to work in the second half with a refocused goal of finishing the game strong. The same holds true for security practices. To help businesses beef up security in the second half of 2016, here are some ideas to keep data safe:
1. Be aware of stored data
It is astonishing how many big firms do not know they have huge chunks of data in their systems. Technologies such as the Internet of Things contribute a lot to this, but company data should be handled better overall. Knowing what is stored in their systems would provide companies with information about which data needs to be protected most against threats.
2. Focus on protecting data
The biggest cases of 2015 related to data breaches of global services and corporations. Business owners think that beefing up firewalls and security perimeters is the answer, but they couldn’t be more wrong. Protecting their data should be the priority. Secure encryption is vital to prevent data from being compromised easily should the corporate network be breached.
3. Address the mobile threat
Many corporations allow employees to use their personal devices in the workplace. It’s safe to assume that most employees do not take the necessary security measures for their mobile devices. This puts corporate data on such devices at great risk. IT administrators need to have better—not more—control over such devices.
4. Spread awareness
It’s always good to make employees companywide aware of the threats they face. Talking with employees regularly about new and emerging threats and sharing ideas about improving security is good practice.
5. Take insider threats seriously
You could shell out millions of dollars trying to protect your network from outside threats only to be undone by an employee who clicks on a nefarious link and compromises sensitive data. Hackers regularly send malicious emails to many employees in a firm in hopes that one of them falls for it—and someone frequently does. Encourage employees to be more vigilant since such emails often can easily be spotted.
Reprinted from ThirdCertainty Guest Essay by Oscar Marque
Sophos was recently identified as one of the leaders in the UTM Magic Quadrant, along with Fortinet and Checkpoint. Gartner defines the unified threat management (UTM) market as multifunction network security products used by small or midsize businesses (SMBs).
Amongst its strengths Gartner identified:
- Sophos’ SG UTM series’ ease of use consistently rates high. The interface contains general guidance on what each feature does, which is useful for SMB operators, who are not all security experts.
- Sophos has good endpoint integration, allowing the firewall to push wireless and VPN policies for mobile devices, and can also restrict access to wireless networks for noncompliant mobile devices.
- Sophos SG UTM series support is available in a variety of European languages, and its local presales and support presence receives positive scores from Gartner customers.
To find out more about the complete Sophos line of products, contact us at 866-431-8972 ext 221.
The news is full of stories of large, well-respected organizations (Target, Home Depot, Sony) and government agencies being victims of cyber crimes. Reporters then make statements like: well, if these organizations can be victims, what does that mean for small/midsized organizations?
So the truth is that no one is safe from cyber threats. To the cyber criminals, organizations are just numbers (IP addresses), and they are looking for those that have a weakness that can be exploited.
The challenge is to eliminate the weaknesses to the best of your ability. As I was writing this, I was reminded of the story of the Three Little Pigs and the Big Bad Wolf – funny how security can relate to a fable written in 1886. We all know the story – the first pig builds his house out of straw, which, unfortunately for the pig, was not the best idea. The second pig builds his house out of sticks – again the news is not great for the pig. The third pig takes his time and builds his house out of bricks; the wolf discovers that he cannot blow down the house, and has to revert to other tactics to get into the house (Denial of Service).
He then attempts to trick the pig out of the house by asking to meet him at various places (social engineering), but the pig outsmarts him every time. Ultimately the wolf attempts to come down the chimney, where the pig captures the wolf.
In a very rudimentary way, this is how security works. First, take your time and ensure that you have strong “perimeter defense” (an enterprise-class firewall). Ensure that you have visibility on your “perimeter” so that you can see who is trying to get in. Make sure that if they do get in, there is a way to limit their effectiveness, be it antimalware (to quarantine viruses, malware, ransomware) or network access control (to stop data exfiltration).
Looking at these large, global entities, and putting it into the perspective of the three little pigs – if the pig built an apartment complex, there are numerous ways to get in (windows/balconies), and even with an alarm, you are running from floor to floor to capture the wolf.
For those of us that are not Target, Home Depot, etc., there are ways to protect yourself, as well as to attempt to identify who the cyber criminal is. I invite you to contact us to discuss your concerns, email at firstname.lastname@example.org or call at 866-431-8972.