Health Care Providers Continue to Be Hit with Ransomware and Phishing

It doesn’t matter in which state you are located, how many patients you treat, what kind of medicine you practice or how many employees you have: if you are a health care provider, you are being targeted, and hackers are successfully victimizing providers like you.

That’s my take on the recent Becker’s Health IT article that lists 66 healthcare providers around the country that have suffered a cyber-attack in the form of malware, ransomware or a phishing attack in the first six months of 2020. Although we know that health care providers are being targeted, the list of incidents is sobering.

The only thing that the 66 companies have in common is that they are healthcare providers and the attacks were successful. The list confirms the stark reality of the risk healthcare providers face from cyber-attacks.

Amazon Offers a “Quickstart Package” for Compliance with DOD’s CMMC

Amazon has announced that it has developed and is offering a “CMMC Quickstart Package” to help contractors comply with the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) required for contractors to enter into contracts with DOD.

According to an Amazon spokesman, Amazon Web Services (AWS) will be releasing a responsibility guide that “lists the CMMC requirements and, based on our shared responsibility model, outlines practices and processes that are either the customer’s responsibility, an AWS responsibility, or a shared responsibility.” In addition, AWS will issue a “CMMC compliance document template” that companies can use to assist them in seeking certification.

AWS’s stated goal “is to help companies reduce the level of effort and cost for CMMC compliance by leveraging their existing investment in other compliance program authorizations.”

Despite some confusion over the timing and details around DOD’s CMMC program, all indications are that DOD is moving forward with the program, and defense contractors are gearing up to be ready for it.

Privacy Tip #243 – Misconfigured Cloud Exposes Millions of Records of Eleven Dating Sites

Dating sites continue to be the source of compromise of sensitive personal information. Another example of this was discovered recently by security researchers at WizCase, who found that information on millions of users of up to 11 different dating service sites was accessible due to misconfigured cloud storage.

The databases that were discovered included users’ names, billing addresses, email addresses, telephone numbers, private messages, and in some cases, partner preferences. One compromised site stored passwords in clear text.

According to the researchers, the exposed data could put users at risk of phishing scams, account hijacking and blackmail.

Dating sites appear to be frequently compromised, so if you use a dating site, consider limiting the personal information you share on the site, and change your password often.

Cyber-Attacks Against Maritime Industry Quadrupled in Last Few Months

A recent report released by the British Ports Association and Astaara, a risk management firm based in the U.K., concludes that since February 2020, the maritime industry has seen a dramatic increase in cyber-attacks. The number of attacks has quadrupled, as companies struggle with COVID-19 and remote work forces.

According to the report, in what is suspected to be a state-sponsored attack, the computer systems of a port facility in Iran were attacked, causing traffic jams and disruption in operations.

In addition to state-sponsored attacks on maritime facilities, cyber-criminals are targeting the maritime industry as maritime companies transition from on-premises to work from home due to the coronavirus. The report points out that remote working is a major risk for security because the attack surface has expanded, making it harder to secure company assets and data.

The report reminds the maritime industry that it is under attack, that it is more vulnerable because employees are working remotely, and that it must practice basic cyber-hygiene. “Processes need to be continually reviewed and updated as necessary, training provided, and new approaches to monitoring assessed and adopted.”

CCPA Enforcement Looms

We have previously alerted our readers about the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. CCPA is one of the strictest consumer privacy laws in the U.S. and is broadly applicable.

Although CCPA went into effect on January 1, 2020, enforcement by the California Attorney General does not start until July 1, 2020—next week. A coalition of 60 businesses has requested that Attorney General Xavier Becerra (AG) delay enforcement another six months to give businesses more time to put compliance programs in place, particularly in the face of the coronavirus, but the AG is committed to commencing enforcement next week.

According to the AG, “CCPA has been in effect since January 1, 2020. We’re committed to enforcing the law starting July 1. We encourage businesses to be particularly mindful of data security in this time of emergency.”

Data security is a key component of CCPA, which provides a private right of action for individuals to pursue against a company in the wake of a security incident, if, with proper notice and an opportunity to cure, individuals can show that the business did not have adequate security protocols and measures in place at the time of the security incident.

It’s not too late to develop and implement a CCPA Compliance Program, but businesses are running out of time if they haven’t started.

Autonomous Ships May Revolutionize Maritime Industry

Experts say that autonomous ships could change the maritime industry as much as containers did when they were introduced over 50 years ago. Back in 2017, the global seaborne industry was valued at about $12 trillion. The business case for autonomous ships includes lower fuel consumption, fewer idle hours, fewer personnel, and lower costs. Of course, experts also say that autonomous ships will not replace humans entirely. Advances in technology will continue to make shipping safer and more efficient, but this technology will not replace the masters and crews that serve on board. Essentially, if self-driving cars are a near-future prospect, then autonomous or remote-controlled ships are certainly on the horizon, since these vessels move at slower speeds with less-demanding requirements for position updates.

Additionally, fully autonomous vessels can decrease risks for crews in situations such as a ship performing extremely dangerous operations like mine sweeping and ordnance removal, scientific vessels studying volcanic islands, or fire boats inserting themselves directly into flames and toxic fumes.

When will we see these autonomous ships crossing the oceans? Well, experts also say that the timeline could be less than five years. Of course, the United Nations’ International Maritime Organization will need to finalize a set of guidelines for such autonomous ships.

Privacy Tip #242 – Protecting Children’s Privacy

The Children’s Online Privacy Protection Act (COPPA) has been on the books for years and is enforced by the Federal Trade Commission (FTC). COPPA basically prohibits companies from collecting personal information from children under the age of 13 without parental consent. The FTC has an impressive record of enforcement actions under COPPA and compliance with COPPA is an important part of a company’s compliance program, as applicable.

Many companies are unaware that there are also state laws applicable to the collection of children’s personal information, so consideration of compliance with those laws is important as well.

This week, Washington’s Attorney General Bob Ferguson (AG) announced that his office has settled an enforcement action against tech companies Super Basic LLC and its parent Maple Media LLC, which developed the “We Heart It” app, for $100,000 to end allegations that the companies unlawfully collected children’s data without parental consent.

In addition to the monetary penalty, the companies have agreed to pay $400,000 if they fail to comply with COPPA and the consent decree entered into between the parties.

The decree requires that the companies use an “age gate” to prevent children under 13 from opening accounts; obtain parental consent before collecting data from children under 13; give notice directly to adults of children’s online data practices; audit user accounts to track whether accounts are being opened by children; and delete any accounts that belong to children under the age of 13.

The consent decree is similar to those handed out by the FTC, and also serves as a reminder that both the FTC and State AGs are focused on protecting children’s personal information from unlawful collection and are stepping up enforcement in this area.

It also reminds parents to continue to monitor their children’s online behavior. These state and federal children’s privacy laws are for the protection of children, which is, and should be, a public-private partnership between agencies and parents.

Crozer-Keystone Health System Data for Sale Online by Attackers

It is being reported by Cointelegraph that the ransomware group Netwalker is offering for sale data it exfiltrated from Pennsylvania-based Crozer-Keystone Health System after the system declined to pay the requested ransom.

According to the report, Netwalker offered to sell the data through its darknet website for six days; if no one buys it in that time, it will auction the data off to the highest bidder.

According to Crozer-Keystone, it is investigating a malware attack. Cointelegraph reports that it was able to access Netwalker’s publication of the data which included “dozens of folders with an undisclosed amount of data, mostly concerning finances, but nothing related to medical records of patients.” It is being reported that Netwalker is claiming that Crozer-Keystone did not pay the requested ransom.

Unfortunately, the threat of publication of exfiltrated data by ransomware groups is becoming more common and appears to be the new business model of these attackers.

AGs Express Concerns About Contact Tracing Apps and Protection of Consumer Personal Information

As many states continue to reopen businesses and permit more gatherings, public health officials are looking to contact tracing as a key strategy for preventing further spread of COVID-19.  In contact tracing, public health staff work with patients who have suspected or confirmed COVID-19 infection to help them recall everyone with whom they had close contact during the time frame while they may have been infectious.  Staff members then warn those individuals of their potential exposure and provide information so they can understand their risk and take steps to limit the potential for further spread.  To protect patient privacy, contacts are only informed that they may have been exposed; the identity of the patient is not disclosed.

According to the CDC, digital contact-tracing tools can add value to traditional contact tracing by improving the efficiency and accuracy of data management and automating tasks, reducing the burden on public health staff by allowing electronic self-reporting by patients and contacts, and using location data, such as Bluetooth or GPS, to identify community contacts otherwise unknown to the case to review possible exposure.  Users of such reporting systems elect to share data and are alerted if they have been close to a COVID-19 patient.

With electronic data sharing and collection come concerns about consumers’ privacy.  A bipartisan coalition of 39 state Attorneys General recently signed off on a letter to Google and Apple, expressing “strong concerns” regarding the proliferation of contact-tracing apps that may not sufficiently protect consumers’ privacy.  The Attorneys General welcomed the efforts of Google and Apple to jointly develop application programming interfaces (APIs) for use in building decentralized exposure notification and contact-tracing apps; those APIs will only be made available to public health authorities, and only on the condition that the apps include features to protect consumer privacy.  The Attorneys General instead expressed particular concern about purportedly “free” COVID-19 tracing apps, already available on Google Play and the App Store, that utilize GPS tracking and which are not affiliated with any public health agency or legitimate research institution.

Alabama City Hit with Ransomware

On June 5, 2020, Florence, Alabama’s information technology systems were hit with ransomware by the DoppelPaymer group demanding a ransom payment of $378,000 in bitcoin. Mayor Steve Holt confirmed that the attack shut down the city’s email system, and that the city used an outside firm to negotiate the payment of a lower ransom of close to $300,000 to avoid the publishing of the information of citizens on the internet by the attackers.

The city was hit with the ransomware at the same time as its information technology professionals were trying to get the City Council to approve funds to hire an outside firm to review the information technology systems. The irony is that those professionals were attempting to address risk, but municipal bureaucracy got in the way of quickly and efficiently addressing a perceived cybersecurity risk. The unfortunate outcome is that the city is paying criminals almost $300,000 instead of using that budget, and taxpayer dollars, to shore up the city’s cybersecurity needs. It’s a double whammy.

Municipalities continue to get hit hard with ransomware attacks. City professionals and elected officials may wish to consider and address this real and very expensive risk, determine how to respond to it with appropriate budgetary funding for prevention, and use the funds to minimize the risk instead of putting the funds in criminals’ hands and then having to spend double the amount to address the risk after the fact.