HOW EMPLOYEES CREATE CYBERSECURITY RISKS

By now, we all know that all employees—not just IT staff—are responsible for preventing cybersecurity attacks. But prevention isn’t the only thing bosses should be worried about when it comes to their employees. Have you considered that you may be having security issues that you aren’t told about?

A recent survey by market research firm B2B International finds that 46 percent of cybersecurity incidents in the last year stem from careless or uninformed employees, reports BizTech Magazine. But what may be even more worrisome is that employees hide IT security incidents in 40 percent of businesses worldwide to avoid punishment.

“Fully 45 of enterprises (over 1,000 employees) experience employees hiding cybersecurity incidents, with 42 percent of small and mediumsized companies (50 to 999 employees), reporting the same,” writes Phil Goldstein.

Not only is it important to make sure that all employees have training to prevent data breaches, but also be sure to encourage employees to come forward when they think there could be a problem.

Privacy & Security Ransomware Attacks Rise, Accidental Breaches Most Common Cause Of Data Loss

Hackers never quit. Their ceaseless assault on healthcare has continued during 2017, racking up hit after hit against provider organizations.

Ransomware attacks continued their rise in the first half of 2017, up 50 percent over the first half of 2016, according to the Beazley Breach Insights report from Beazley, a cyber and data breach response insurance firm that compares data on its base of clients from multiple industries, including healthcare.

Hacking and malware attacks, which include ransomware attacks, continue to be the leading cause of breaches, accounting for 32 percent of the 1,330 incidents that Beazley Breach Response Services helped clients handle in the first half of the year, the firm reported.

[Join Your Peers at HIMSS’ Healthcare Security Forum! Register Today]

In healthcare specifically, unintended disclosure – such as misdirected faxes and emails or the improper release of discharge papers – continued to drive the majority of healthcare losses, leading to 42 percent of industry breaches during the first half of 2017, the report found. This was equal to the proportion of these breaches in the industry in the first half of 2016.

Hacks and malware accounted for only 18 percent of healthcare data breaches in the first half of 2017, compared with 17 percent during the first half of 2016, the report found.

Accidental breaches caused by employees making errors or data breached while under the control of third parties continue to be a significant problem for all industries – they accounted for 30 percent of breaches overall, just a bit behind the level of hacking and malware attacks.

“This continuing high level of accidental data breaches suggests that organizations are still failing to put in place the robust measures needed to safeguard client data and confidentiality,” Beazley said. “Since 2014, the number of accidental breaches reported to Beazley’s team has shown no sign of diminishing. As more stringent regulatory environments become the norm, this failure to act puts organizations at greater risk of regulatory sanctions and financial penalties.”

Unintended breaches show no signs of abating, said Katherine Keefe, global head of Beazley Breach Response Services. “They are a persistent threat and expose organizations to greater risks of regulatory sanctions and financial penalties,” Keefe said.

But they can be much more easily controlled and mitigated than external threats, she added. Organizations should not ignore this significant risk and instead put more robust systems and procedures in place, she said.

WANTED: 3 2 New Clients

We are looking for a couple of new clients. The ideal candidates:

  • have 10 or more PCs
  • who want lightning fast response to their IT problems
  • who want IT support with a “Today, Not Tomorrow” attitude
  • are tired of 2nd rate IT support • who don’t like IT surprises
  • are willing to pay a set monthly fee for IT service
  • who want honesty, reliability and predictability out of their IT Vendor
  • who are most likely (but, not required) in the Professional Services industry such as Medical, Law, Engineering, or Accounting fields

If you are ready to talk about making a switch of IT vendors, give us a call.

Computer Networks of Roanoke, Inc.
Hank Wagner
hank.wagner@computernetworksinc.com
757-333-3299 x200

Are Google Drive And Amazon AWS HIPAA Compliant?

More healthcare organizations are turning to cloud storage for its flexibility, services and functions. But, with Google and Amazon AWS being two of the largest cloud storage providers used in the healthcare sector, it’s important to ask: Are these platforms up to HIPAA standards?

As always when using a third party service, its imperative hospitals and other providers consider the proper way to use these tools to remain HIPAA compliant.

For starters, providers can’t just start using the free versions of these platforms for protected health information, said Matthew Fisher, a partner of law firm Mirick, O'Connell, DeMallie and Lougee. They must purchase the enterprise level of Google.

With this paid version, providers are also responsible for ensuring Google signs a business associate agreement to meet HIPAA standards, Fisher said. “And it’s up to the individual user -- depending on the service -- to make sure the HIPAA guidelines are put into place.”

“When a business purchases the Google Suite of apps, the provider can configure Google Drive to meet all of the organization’s security requirements,” said Erin Whaley, a partner of law firm Troutman Sanders. “AWS is similar: it has a business associate agreement to sign, but you have to implement it in a way that meets your security requirements.”

For Whaley, the area of concern is that many users are so accustomed to using these two platforms in their daily lives that they may not consider the necessary steps to protect the information within their healthcare organization.

“It’s up to the IT folks to make sure the tools are configured in that environment,” said Whaley

Whaley said that Google offers some considerations as well as ways to limit sharing a document or link. These include two-factor authentication, turning off file syncing, restricting file sharing outside of the platform, avoiding placing the patient information in the title and regularly auditing access and account logs.

Amazon AWS offers similar guidelines.

“Providers should think about how the system can be implemented to minimize risk,” said Whaley. And when providers are pursuing these subscription cloud services, Fisher said that healthcare organizations need to think about how the user is connecting to the platform. This includes securing the business associate agreement, whether it can be truly secure and verifying who can access the data.

Another concern is when users download the data from the cloud and place it onto unencrypted devices, said Fisher. “The data needs to be downloaded onto a secure environment, as well.”

“As you’re going through the implementation phases of cloud storage, you can’t just assume it’s configured in an appropriate manner,” he said. “You need to go through the process step-by-step -- starting with admin controls.”

“Then users need to figure out the scope of protection offered, and whether it aligns with your risk assessment analysis,” Fisher said.

How The CIA Disables Security Cameras

In last 20 years, we have seen hundreds of caper/heist movies where spies or bank robbers hijack surveillance cameras of secure premises to either stop recording or set up an endless loop for covert operations without leaving any evidence.

Whenever I see such scenes in a movie, I wonder and ask myself: Does this happen in real-life? Yes, it does, trust me—at least CIA agents are doing this.

WikiLeaks has just unveiled another classified CIA project, dubbed 'Dumbo,' which details how CIA agents hijack and manipulate webcams and microphones in Hollywood style "to gain and exploit physical access to target computers in CIA field operations."

The Dumbo CIA project involves a USB thumb drive equipped with a Windows hacking tool that can identify installed webcams and microphones, either connected locally, wired or wirelessly via Bluetooth or Wi-Fi.

  • Once identified, the Dumbo program allows the CIA agents to:
  • Mute all microphones
  • Disables all network adapters
  • Suspends any processes using a camera recording device
  • Selectively corrupted or delete recordings

However, there are two dependencies for a successful operation:

  • Dumbo program requires SYSTEM level privilege to run.
  • The USB drive must remain plugged into the system throughout the operation to maintain control over connected surveillance devices.

This project is being used by the CIA's Physical Access Group (PAG)—a special branch within the Center for Cyber Intelligence (CCI) which is tasked to gain and exploit physical access to target computers in CIA field operations.

Funny IT one liners

  1. I think my neighbor is stalking me as she's been googling my name on her computer. I saw it through my telescope last night.
  2. Entered what I ate today into my new fitness app and it just sent an ambulance to my house.
  3. I changed my password to "incorrect". So whenever I forget what it is the computer will say "Your password is incorrect".
  4. My internet is so slow, it's just faster to drive to the Google headquarters and ask them stuff in person.
  5. Wifi went down during family dinner tonight. One kid started talking and I didn't know who he was