Archives: Cybersecurity

Last week, we discussed the Federal government’s first steps toward implementing the Cybersecurity Information Sharing Act (CISA).  Among the guidance documents released by the Department of Homeland Security and the Department of Justice were the Privacy and Civil Liberties Interim Guidelines.  This guidance is designed to apply Fair Information Practice Principles (FIPPs) to Federal agency receipt, use and dissemination of cyber threat indicators consistent with CISA’s goal of protecting networks from cybersecurity threats.

FIPPs form the core of many federal and state privacy laws as well as the basis for privacy best practices across numerous industries and government agencies.  This guidance applies them to federal agency collection of cyber threat indicators as described below.  In practice, the government intends that application of some FIPPs to cyber threat indicators shared via the Department of Homeland Security’s Automated Indicator Sharing (AIS) tool, which we referenced here, will be effectuated via capabilities embedded within the AIS mechanism. Continue Reading CISA Guidelines: Privacy and Civil Liberties Interim Guidelines for Federal Agencies

Yesterday, we reviewed the staggering numbers in California Attorney General Kamala Harris’ 2016 Data Breach Report.

In addition to providing a comprehensive analysis of four years of data breaches, the report provides an answer to the vexing question of what her office considers to be “reasonable security.”

Continue Reading California by the Numbers (Part 2): How to Stay out of the 2017 Report

Look for Part 2 tomorrow:  Recommendations on how to stay out of future reports.

California Attorney General Kamala Harris has released a report of the data breaches that have been reported to her office from 2012 until 2015. Although the California data breach notification law took effect in 2003, beginning in 2012, businesses and government agencies have been required to notify the Attorney General of data breaches affecting more than 500 California residents.

The number of personal records that were compromised is staggering; 178 breaches were reported during 2015 and 24 million personal records were compromised.

Continue Reading California by the Numbers (Part 1): 24 Million Compromised in 2015

In a chain of events that should be a wake-up call to any entity using and storing critical health information (and indeed, ANY kind of critical information), Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a ransomware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.

Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wired, questioned that assertion.

The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system.

We have seen many variations of the ransomware attacks on the increase lately.   Cryptolocker and Cryptowall are the two most prevalent threats, but a Forbes article about the HPMC attack revealed that HPMC was victimized by a variant called “Locky,” which, according to the Forbes article, is infecting about 90,000 machines a day.

Details of the HPMC Incident

On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:

  1. Backing up data onto segmented networks or external devices and making sure backups are current.  That protects you from data loss of any kind, whether caused by ransomware, flood, fire, loss, etc.  If your system is adequately backed up, you may not need to pay ransom to get your data unlocked.
  2. Don’t be the low-hanging fruit:  Ensuring software patches and anti-virus are current and updated will certainly help.   Many attacks rely on exploiting security bugs that already have available fixes.
  3. Installing pop-up blockers and ad-blocking software.
  4. Implementing browser filters and smart email practices.

Most of these prevention strategies are HIPAA security and overall general business security measures that ought to be in place for companies across the board. As OCR and the FBI (see below) both indicate, smart email practices and training the workforce on them are key elements to preventing phishing scams.  If you are a HIPAA-covered entity, you should be checking in with Mintz’s Health Law & Policy Matters blog on a regular basis.

FBI on Ransomware

One of the big questions arising out of the HPMC and other ransomware cases is:  do we pay?   If your business is about to grind to a halt, you likely have no choice.    However, the incident should first be reported to the FBI and discussed with forensics and legal experts who have experience with ransomware in particular.    The FBI’s Ransomware information page provides some tips.  Ransomware attacks should be part of your incident response plan and the “what do we do” should be discussed at the highest levels of the company.

When in Doubt, Don’t Be a Click Monkey!

Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:

  • A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.
  • A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.
  • A bank with whom you do not do business asking you to reset your password.
  • A message with an attachment but no text in the body.

All businesses in any sector need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.  

This week, the Federal government took the first steps toward implementation of the Cybersecurity Information Sharing Act (CISA), enacted into law last December.  CISA aims to encourage sharing of cyber threat indicators and defensive measures among private companies and between the private sector and the Federal government by providing liability protection for sharing such information in accordance with the Act.   The DHS Federal Register notice was published this morning here.

As required by the Act, the government has released four pieces of guidance designed to assist companies and Federal agencies with respect to sharing, receiving and handling cyber threat information. Continue Reading Cyber Threat Information Sharing Guidelines Released by DHS

Remember this?

“Wetware” – coder slang for biological life forms (i.e., people) – is the weak link in most companies’ data security protections, according to a new data security report issued by the Association of Corporate Counsel (ACC).  Companies surveyed attributed data breaches to a host of human foibles, including lost laptops or devices (9%), “phishing” emails that induce employees to click on malicious links or open infected documents (12%) or simple “employee error” (24%).  A distressing 15% were classified as inside jobs.

The full report can be obtained from the ACC.

The ACC report highlights the paramount importance of employee training to a company’s data security program.  The strongest and most assiduously updated firewalls and malware detection systems cannot stay ahead of every newly-crafted piece of malicious code.  Training employees in best practices with respect to email and data handling provides an additional bulwark against threats that data security technology simply cannot root out.  It’s no accident that the mantra of most data security professionals is “People, Process, Technology” – in that order.

Watch out for your weakest link!

The 2016 lists are starting to be released by regulatory agencies in the United States, giving a heads-up to covered entities as to what compliance issues will take front and center this year.  Once again, the Office of Compliance Inspection (OCIE) of the US Securities & Exchange Commission (SEC) has put cybersecurity on the top of its examination priorities.  OCIE is responsible for conducting examinations of the entities required to be registered under various SEC regulations, including broker-dealers, transfer agents, investment advisers, and investment companies.

Continue Reading Cybersecurity Tops SEC Office of Compliance Inspections 2016 Examination Priorities

Just at the end of 2015, the Cybersecurity Information Sharing Act (CISA) was enacted into law as part of the omnibus spending measure passed by Congress and signed by President Obama right before Christmas.  The legislation combines elements from the versions of CISA that passed the House in April of 2015 and the Senate in October.

Enactment of CISA was driven by the goal of clearing away some of the legal uncertainty and liability risk concerns inhibiting sharing of cybersecurity threat information. Cyber criminals are technologically proficient and constantly innovating, which means that protecting American enterprise networks, industrial control systems, and electronic information systems requires continued vigilance and innovation. There is broad agreement that the nation’s cyber defense posture could be greatly strengthened through more robust and timely sharing of cyber threat information both between the government and the private sector and between private companies themselves.   Continue Reading Happy New Year – Cybersecurity Information Sharing Act

As the year winds down, we look back with a mixture of nostalgia and queasiness on the major Health Insurance Portability and Accountability Act (HIPAA) events that defined 2015. Incredibly large data breaches became disturbingly routine, calling into question the ability of insurers and providers to protect their increasingly large troves of sensitive health information. We also saw the release of an Office of Inspector General (OIG) report that was highly critical of the Federal government’s ability to effectively enforce HIPAA, followed almost immediately by signs of more aggressive enforcement from the Office for Civil Rights (OCR), perhaps in response. We waited for commencement of the second round of HITECH-mandated audits, but it never came. As regulated entities prepare for a new year of regulatory challenges, we review the highlights — and lowlights — of HIPAA 2015, and prepare for what’s to come in 2016.

Massive Data Breaches

The year began inauspiciously, with one of the largest data breaches to ever hit the U.S. health care industry. We are, of course, referring to the theft of approximately 80 million personal records from health insurer Anthem Inc. The theft spanned over 14 states, and included names, birthdates, email addresses, Social Security numbers, and other personal data. The Anthem breach, however, was not an isolated incident. There were at least four other multi-million record data breaches affecting the health care industry in 2015, including:

  • Premera Blue Cross (11 million individuals affected)
  • Carefirst BlueCross BlueShield (1.1 million individuals affected)
  • UCLA Health (4.5 million individuals affected)
  • Excellus (10 million individuals affected)

One common thread throughout these breaches, beyond their sheer magnitude, is the inability of the entities to quickly identify and report the breach. For example, Excellus hired a security firm to conduct a forensic analysis of its computer system. The analysts concluded that the breach had occurred as early as December of 2013. UCLA Health faced similar delays in identifying its breach. One reason for this may be another common thread: the advanced nature of the attacks. While not independently verified, a number of the affected entities have reported that the acts were “very sophisticated.” While the culprits of these mega-breaches have not been identified by name, many suspect state sponsorship of the attacks by China. Continue Reading HIPAA and Health Care Data Privacy – 2015 in Review

The years-long saga of the Federal Trade Commission’s suit against Wyndham Hotels over data breaches that occurred at least as early as April 2008 is finally coming to an end with a proposed settlement filed today with the court.  The original complaint, which is summarized in this post from 2012, alleged that Wyndham’s claims to use “standard industry practices” and “commercially reasonable efforts” to protect customers’ personal information were deceptive, and its actual practices unfair, in light of the company’s lax security practices.  Wyndham argued that the FTC lacks the authority to police data security practices, but in August 2015 the Third Circuit found against Wyndham, holding that the FTC’s authority to take action against a company’s unfair practices extends to enforcement of data security practices.

The proposed settlement, which is in effect for 20 years, reached between Wyndham and the FTC provides the first notice to companies of what they should expect from the FTC in the event of a data breach due to a failure to maintain reasonable data security standards.  The various settlement provisions are similar to those imposed in cases brought by the FTC over misrepresentations in privacy policies (as opposed to this case, which involved a suit over the laxity of the company’s actual data security practices).

Those provisions include Wyndham agreeing to undertake the following:

  • Establish a comprehensive information security program to protect credit card data, which must include risk assessments, reasonable safeguards, and regular monitoring for the next 20 years;
  • Conduct annual information security audits and independent assessments of its compliance with the Payment Card Industry Data Security Standard (PCI DSS) over the next 20 years;
  • Obtain certification from an independent certified assessor, before implementing any “significant change” to its data security practices, that the change would not cause it to fall out of compliance;
  • Provide all assessments to the FTC;
  • Keep records relied on to prepare each annual assessment for three years; and
  • Submit to compliance monitoring by the FTC.

Notably, and different from the settlements of privacy-related cases, Wyndham will not be required to pay a fine.