Cyber Readiness Stalls Despite Increased Intensity of Attacks

According to Hiscox’s Third Cyber Readiness Report, which surveyed 5,400 firms in the U.S. and the E.U., cyber threats have “become the unavoidable cost of doing business today.” The Report notes that for the first time, “a significant majority of firms surveyed said they experienced one or more cyber-attacks in the last 12 months. Both the cost and frequency of attacks have increased markedly compared with a year ago, and where hackers formerly focused mainly on larger companies, small-and-medium sized firms are now equally vulnerable.” The number of firms that reported cyber incidents rose from 45 percent in 2018 to 61 percent in 2019.

Hiscox, a well-known cyber insurer, shares its experiences in the Report by stating that business email account compromise “is currently the main cause of cyber claims, followed by ransomware.” This is very consistent with our experience over the past year.

Other key findings of the Report include the following:

  • More firms fail the cyber readiness test—including cyber strategy and execution.
  • Cyber losses soared last year and costs increased 61 percent with medium and large firms bearing a disproportionate percentage of the cost, which is attributed to the largest incidents.
  • 65 percent of firms experienced cyber-related issues in their supply chain in the past year, which mean they are becoming commonplace.
  • The frequency and intensity of cyber-attacks are increasing.
  • More small and medium sized firms were attacked in the past year.
  • No industry is immune from cyber-attacks.
  • Relying on the cloud includes risk.
  • The financial impact of cyber-crime increased as much as 61 percent in the past year.
  • Cyber readiness has stalled.

The positive news in the report is that businesses understand that cyber threats are real and they are taking action to combat them. Some ways in which firms are responding to the threat include the following:

  • More firms appoint someone to lead cyber efforts.
  • More firms are responding to incidents with concrete actions.
  • Firms recognize that the threats and increased regulation is not going away and are addressing it with realism instead of complacency.
  • Firms are responding to regulatory compliance.

Finally, the Report reiterates that prevention is still key in addressing cyber risks. The Hiscox Report can be accessed at www.hiscox.com.

HHS Information Security Program Deemed ‘Not Effective’

There was unfortunately some bleak news out of the Department of Health & Human Services, (HHS) Office of the Inspector General (OIG) recently. The OIG recently released the results of a performance audit of the HHS’ compliance with the Federal Information Security Modernization Act of 2014 (FISMA). The OIG Report states that FISMA requires that there be an annual independent evaluation of the information security program and practices of the agency to determine the effectiveness of such program and practices.

Although the report concluded that there were some improvements over previous years, the audit concluded that HHS’ information security program was ‘Not Effective.’

In the crucial area of data protection and privacy, the report outlined the following findings:

  • The Department did not document their review and updates for the guidance associated with the privacy based risk assessments to reflect the current environment.
  • One Operating Division’s guidance and requirements to address data protection and privacy controls was not updated within two years as required by HHS.
  • Security requirements outlined in privacy impact assessments were outdated or incomplete.

The findings also included comments in the Data Protection and Privacy section of the Report that indicated that there were weaknesses in the security controls for protecting personally identifiable information (PII) and other agency sensitive data throughout the data lifecycle. A final recommendation regarding data protection and security, which HHS concurred with, was that HHS must update relevant Department policies, procedures, and guidance and also work with the Operating Divisions to measure the effectiveness of privacy specific controls and trainings.

Given the enormous amount of personal information and health information that the federal government has in its possession, the risk and unfortunate likelihood of a data breach, and the value of that personal and health data, the federal government, and HHS in particular, must make necessary improvements to its data privacy and security measures.

Cybersecurity Reporting to the Board

Robinson+Cole has the distinct pleasure to host the CISO Executive Network in Hartford and Boston. It is an opportunity to hang out with Chief Information Security Officers (CISOs), develop relationships with them, discuss commonality in the issues they experience, and collaborate on different strategies to address their concerns.

This week the meetings centered around effective ways to report cybersecurity progress to your leadership Board. As one who frequently presents to Boards, educates Boards and is on several Boards myself, and despite the fact that this was not the first time I have attended a session discussing the gap between information security and the Board, it was a great conversation. The following are 10 takeaways that I thought I would share:

  1. Assess honestly whether you are the right person to report to the Board. If you are not a good speaker or have a difficult time focusing or connecting with a group, recruit someone more effective to report to the Board. Keep to your strengths.
  2. During your first time reporting to the Board, tell them your qualifications to garner respect and their attention.
  3. Pick one to two topics, don’t get too detailed, and stay focused.
  4. Provide a general assessment of cyber progress, then discuss your chosen topic(s).
  5. Stay positive and refrain from always reporting on doom and gloom.
  6. Don’t get too far in the weeds and don’t get too techy—if you see Board members’ eyes wandering or glazing over, you are losing them.
  7. If you are reporting on an incident or a strategy to respond to a weakness or vulnerability, provide a synopsis of what happened or what needs improvement, what you are doing to respond to it or improve it, and that you will keep them advised of progress.
  8. Don’t throw your boss under the bus.
  9. Consider using easy to read dashboards or other ways to provide a synopsis.
  10. Consider turning open and unfilled staff positions to provide support for other needs, such as an analysis of vendors and tools that could save the company money.

Boards know that cyber risk is a top priority, read about it in the news, and are afraid the organization will be the next one to suffer a breach. Understand that they usually don’t have a technical background, so keep the technical discussions simple. Focus on cyber risks and your strategy for managing it. Above all, get in the Board room, develop relationships with your Board members and involve them in solutions.

Privacy Tip #187 – Charitable Giving Scams

We all watched in horror last week as the beautiful spire of Notre Dame Cathedral was engulfed in flames. I visited Notre Dame for the first time, right before I started my first year of law school, and it was awe inspiring. The fire and tragedy of the loss hit us all, and many of us want to be part of the restoration effort to rebuild this magnificent treasure.

Unfortunately, despite our best intentions, others with bad intentions know that we want to help in a time of need, and they are pouncing on our good intentions and the tragedy to steal from us.

There are several ways that scammers can use needy causes to steal from generous people willing to donate to a cause.

The first is through telephone solicitation. Thieves call posing as volunteers for a recent cause, like rebuilding Notre Dame and ask for donations over the telephone. This is not a recommended way to make a donation. You really don’t know who is on the other end of the line, and giving them a credit card number over the telephone is risky.

The second way is through crowdfunding. Scammers can set up fraudulent crowdfunding sites that say money will be donated to the cause, when in fact, the money is going in their pockets. Before choosing an organization to donate to, research the organization to confirm it is legitimate and reputable, go to the official website and don’t click on any email links, or donate the old fashioned way and send a check to the charity’s physical headquarters.

If responding to the fire of Notre Dame, or another cause that you care about, be aware that there are scammers in the world that want to take advantage of our good intentions. Avoid charitable giving scams so your favorite charity actually receives your donation.

OCR Issues Five New HIPAA FAQs on Health Information Apps

On April 18, 2019, the Department of Health & Human Services Office for Civil Rights (OCR) issued five new FAQs addressing the applicability of HIPAA to the use of software applications (apps) by individuals to receive health information from their providers.

The new FAQs are available here under the Header “Access Right, Apps and APIs.”

In the FAQs, OCR:

  • Emphasizes that an individual’s right to access her/his protected health information (“PHI” or “ePHI”) under HIPAA generally obligates a covered entity to send PHI to a designated app, even if the covered entity is concerned about the app’s security or how the app will subsequently use or disclose the PHI;
  • Explains that a covered entity would not be liable under HIPAA for an app’s subsequent use or disclosure of PHI sent to the app at the direction of an individual, unless the app was “developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity”; and
  • Notes that a covered entity that transmits ePHI to an app via an unsecure manner or channel – at an individual’s direction – would not be responsible for unauthorized access during such transmission, but such an entity may want to counsel the individual regarding the security risks involved in such a transmission.

The FAQs also address potential liability of a covered entity’s EHR system developer under HIPAA following transmission of ePHI to an app on behalf of the covered entity. OCR similarly counsels that liability could attach under HIPAA where the EHR system developer owns the app or has a business associate relationship with the app developer, and makes the app available to, through or on behalf of the covered entity. OCR also notes that “an app’s facilitation of access” to an individual’s ePHI does not in itself create a business associate relationship between the app and a covered entity or EHR system developer.

Ultimately, the new FAQs provide important guidance for covered entities, EHR developers and app developers on the intersection of new forms of technology – such as wearables and health tracking apps – with HIPAA and health care providers. The FAQs also provide a reminder regarding the limits on the applicability of HIPAA, and reiterate the importance of HIPAA’s right to access for individuals.

VPN Packages Store Cookies Insecurely

The Department of Homeland Security (DHS) issued a warning on April 15, 2019, entitled “VPN Applications Insecurely Store Session Cookies” (Vulnerability Note VU#192371) stating that “[M]ultiple Virtual Private Network (VPN) applications store the authentication and/or session cookies insecurely in memory and/or log files.”

The affected products identified by DHS are:

  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
  • Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
  • Cisco AnyConnect 4.7.x and prior

According to US-CERT, “[I]f an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.”

A patch is available for the Palo Alto products, but as of April 15, 2019, US-CERT was unaware of a patch for the Cisco product.

If your organization is using any of these products, or if you believe that your organization is vulnerable, US-CERT suggests that you contact CERT/CC at cert@cert.org with the affected products, version numbers, patch information, and self-assigned CVE.

WIPRO Hacked

I have been alerting clients that I know use Wipro, but may have missed some of you. It is being reported that IT outsourcing company Wipro Ltd. has been hacked through several phishing campaigns from what is believed to be a state-sponsored attacker.

According to recent reports, including KrebsonSecurity, sources have stated that “Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.” Apparently, at least 11 of Wipro’s customers have traced malicious and suspicious activity to systems that were communicating with Wipro’s network. It is disputed whether the attack lasted weeks or months.

According to Wipro, it was hit with a zero-day attack. Wipro has sent its affected clients a set of indicators of compromise, which includes clues about tactics, tools and procedures that attackers use that may assist them in determining whether they were compromised during the hop from Wipro’s system to a client’s system. A helpful Wipro client shared the indicators with Wipro and Wipro then sent it to its other clients.

It is also being reported that the successful attack against Wipro was caused by a successful phishing email to one of Wipro’s employees, which was followed by several more successful phishing campaigns against other employees.

There is some concern that Wipro’s systems may still be compromised, so Wipro clients should be aware of this possibility, how it can be used to compromise their system, and prepare for it.

KrebsonSecurity has published the indicators of compromise provided by Wipro clients, which can be accessed here.

Texas Health System MD Anderson Seeks 5th Circuit Review of HHS Determination that HIPAA Required Encryption of its ePHI

On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health & Human Services’s (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) assessed against MDA by HHS for alleged violations of HIPAA’s Security and Privacy Rules.

The DAB’s decision, issued on February 8, 2019, affirmed a 2018 decision by an Administrative Law Judge that sustained CMPs issued against MDA arising from three HIPAA breaches in 2011 and 2012 (see our previous analysis of the ALJ’s decision here).

The CMPs were imposed in 2017 after an investigation which found that MDA allegedly violated HIPAA’s Security Rule and Privacy Rule in connection with the improper disclosure of ePHI of at least 34,883 individuals.  In three separate incidents, portable electronic devices (two thumb drives and one laptop computer) of MDA workforce members containing ePHI were stolen or lost.  In each case, the data on the portable electronic device were not encrypted. HHS’s Office for Civil Rights (OCR) thus alleged that MDA had violated the Privacy Rule prohibition on unauthorized disclosure of ePHI, as well as the Security Rule’s requirements concerning implementation of technical safeguards (and specifically, the encryption of ePHI where reasonable and appropriate).

After the ALJ upheld OCR’s imposition of the CMPs against MDA in 2018, MDA appealed to the DAB’s appellate division. The DAB affirmed the ALJ’s decision and the penalties in February, finding in pertinent part that “MDA was required to implement encryption” and that the encryption requirement as applied to MDA was “plainly mandatory” under HIPAA. MDA had argued that because the encryption standard within the Security Rule is an “addressable” implementation specification, it was optional. In response, the DAB determined that addressable was not equivalent to optional, but instead required an analysis of whether implementation of such a specification was reasonable and appropriate, and unless it was not reasonable or appropriate under the circumstances, implementation was required. The DAB further determined that “undisputable evidence shows that MDA determined that encryption of its portable electronic devices was reasonable and appropriate” and noted that various risk analyses carried out by MDA identified the lack of encryption of ePHI as a high security risk. The DAB thus concluded that “the [HIPAA] regulations did not permit MDA to forgo encryption because it did not document that encryption was not reasonable and appropriate… [and] the record… shows no genuine dispute that MDA, in fact, determined, in its own words, not only that encryption was “reasonable and appropriate” but that encryption “must be a required security control.”

The DAB also affirmed the ALJ’s decision that the CMPs imposed against MDA were reasonable. MDA had argued that the CMPs were excessive in part because they were based on a determination that the Privacy Rule had been violated 34,883 times (based on the number of individuals’ ePHI allegedly disclosed), even though MDA only lost devices on three occasions (and thus should have only been alleged to have committed three violations). The DAB also upheld OCR’s imposition of per-day CMPs for MDA’s alleged Security Rule violations, relying in part on Security Rule preamble commentary (from HHS) that CMPs for ongoing Security Rule violations could be based on the number of days of noncompliance.

This dispute concerning HIPAA compliance, and MDA’s continued challenge to the substantial CMPs imposed by OCR in 2017, serves as an important reminder to health care providers and other entities subject to HIPAA that “addressable” implementation specifications under the Security Rule – considered at times to be less important than “required” specifications – are likely to be seen by OCR as mandatory unless an entity can demonstrate otherwise. Health care providers would therefore be well-served to review the Security Rule’s safeguards and addressable implementation specifications, and to document the basis for any such specifications that the entity can demonstrate are not reasonable or appropriate for implementation. Furthermore, it remains to be seen whether the Fifth Circuit will intervene in this dispute, and if so whether a federal circuit court may have a different interpretation than HHS of the application of HHS-drafted regulations under HIPAA.

Incident Response Plan Saves Money

The Ponemon Institute recently completed research, sponsored by IBM Resilient, entitled “The 2019 Cyber Resilient Organization,” which surveyed more than 3,600 security and IT professionals around the world to determine organizations’ ability to maintain their core purpose and integrity in the face of cyber-attacks.

According to IBM, the research found that “a vast majority of organizations surveyed are still unprepared to properly respond to cybersecurity incidents, with 77 percent of respondents indicating they do not have a cybersecurity incident response plan applied consistently across the enterprise.”

Following the results of IBM/Ponemon’s 2018 study on the cost of a data breach, which showed that companies that respond quickly and efficiently to contain a cyber-attack within 30 days save over $1 million on average, this study shows that organizations are still falling short when it comes to planning for an incident and testing the incident response plan.

Almost half of the respondents admitted that, since they do not have an incident response plan in place, they are not in full compliance with GDPR.

Significantly, 62 percent of those surveyed state that aligning the privacy and cybersecurity teams of the organization “is essential to achieving resilience” and that data privacy has become a top priority in organizations.

Finally, the survey found that more than half of those surveyed (54 percent) do not test their incident response plans regularly, “which can leave them less prepared to effectively manage the complex processes and coordination” following an attack.

Message: developing, implementing and testing an incident response plan saves money. According to this research, it is a sound investment.

Privacy Tip #186 – Some Hotmail Users’ Emails Compromised

On April 14, 2019, Microsoft alerted some account owners that Microsoft Outlook and Hotmail email addresses had been compromised over a three-month period.

According to Microsoft, “We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account.” It also said “[U]pon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access.”

The unauthorized access occurred between January 1, 2019, and March 28, 2019.

Microsoft recommends that users change their passwords and “be careful when receiving any emails from any misleading domain name, any email that requests personal information or payment, or any unsolicited request from an untrusted source.” This is a sound practice at all times, not just when you have been alerted by your email provider that an account has been compromised.

LexBlog