If you have a daughter in K-12 who is in the Girl Scouts, check out the fact that they can now earn cybersecurity badges if they demonstrate a mastery of Internet security. Brilliant! What a great way to get girls interested in cybersecurity and provide them with a hot career path at the same time. … Continue Reading
The Office for Civil Rights (OCR) recently released guidance entitled “My Entity Just Experienced a Cyber-attack! What Do We Do Now?” The Checklist is a practical tool for health care entities and outlines several steps to take following a cyber-attack. According to the Checklist, in the event of a cyber-attack or similar emergency an entity: … Continue Reading
A new survey released by Altman Vilandrie & Company, which surveyed 400 IT personnel who have purchased Internet of Things (IoT) security products, shows that 46 percent of companies that buy IoT security admitted they have experienced an IoT related security intrusion or breach within the last two years, representing hundreds of millions of dollars. … Continue Reading
The American Institute of CPAs (AICPA), has released a risk management reporting framework that is intended to “establish a common, underlying language for Cybersecurity risk management reporting—almost akin to US GAAP or IFRS for financial reporting.” According to AICPA, the framework may be used by both management and CPAs to “enhance cybersecurity risk management reporting … Continue Reading
San Francisco based OneLogin, which provides single sign on and identity management services for companies and app vendors, recently notified its users that it has discovered an unauthorized access to its data. The idea behind OneLogin is for a user to have one username and password that it can use through OneLogin’s platform for all … Continue Reading
Following the massive WannaCry event, the mantra among security folks is push patches to vulnerabilities as soon as they are released. US-CERT issued a warning late last week that there is a newly discovered flaw, CVE-2017-7494, that exists in Samba, which can be exploited via mass attacks. Samba provides Windows-based file and print services for … Continue Reading
A new study by WhiteScope concludes that pacemakers from four manufacturers contain security weaknesses that expose them to remote tampering. Pacemakers run on radio frequency and health care providers can adjust them to assist patients with heart abnormalities without having to undergo surgery. However, according to the study, the programmers who are adjusting the pacemakers … Continue Reading
No industry is immune from ransomware attacks—including senior living communities. Senior living communities have exploded now that baby boomers are selling homes, down-sizing and getting ready for that stage of life. Many of us in the sandwich generation are choosing communities for our parents. When residents move into a senior resident community, the community collects … Continue Reading
The fall-out from WannaCry continues, particularly in the healthcare sector. There are new reports that WannaCry affected at least two hospital systems in the U.S. and encrypted medical devices (power injector systems) in the hospitals. There are additional anecdotal reports that other medical devices were affected by WannaCry. According to medical device company spokesmen, if … Continue Reading
In response to the WannaCry ransomware attack that infiltrated the computer systems of health care systems and other entities worldwide on or around May 12, 2017 (previously discussed here), HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) issued a series of updates to provide consumers and potentially affected organizations with information on … Continue Reading
We have read multiple reports on WannaCry and if you are reading this and don’t know what WannaCry is, Google it for the background story. The clear message is this is not the last major attack we will see, and future attacks will only get more sophisticated. It is being estimated that the cost associated … Continue Reading
On May 11, 2017, The American Bar Association (ABA) updated its 1999 opinion regarding lawyers’ use of email for communication. Although many state bar associations have issued opinions on electronic communications and the use of cloud computing services, the ABA has now provided clear guidance for lawyers on their ethical responsibilities of competence, confidentiality and … Continue Reading
The National Institute of Standards and Technology (NIST) announced this week that it has issued draft cybersecurity guidance for hospitals to consider when using infusion pumps, particularly since infusion pumps are no longer standalone devices and many are now wireless. This increases the risk of cybersecurity threats that could potentially compromise personal information if the … Continue Reading
The Federal Trade Commission (FTC) announced on May 9, 2017, that it has launched a new website that “helps small businesses avoid scams and cyber-attacks.” The website, www.ftc.gov/SmallBusiness.com, is filled with articles, videos and other information to help small businesses avoid scams and recover from a cyber-attack, as well as security tips to protect networks … Continue Reading
By now, it’s pretty common knowledge that Alexa has been on a dollhouse shopping spree, and is also helping to solve a murder. Clearly, Alexa cannot be trusted and that’s why she has only limited trigger words, including options such as “Alexa,” “Amazon,” “computer,” and “Echo.” When you speak those words, or other “wake words” … Continue Reading
We have previously reported on the vicious ransomware Locky and how it victimized companies throughout 2016 [View previous posts here, here, and here]. Although Locky quieted down in late 2016, according to researchers at Cisco Talos, Locky is perking up again in 2017 in a major way. Only this time, instead of using phishing email … Continue Reading
Governor Susana Martinez recently signed into law the New Mexico “Data Breach Notification Act” (the Act), making New Mexico the 48th state (plus Puerto Rico and the District of Columbia) to adopt legislation mandating the provision of notice in the event of a data breach. The Act – which takes effect June 16, 2017 – … Continue Reading
Bangor Health Center, a psychiatric practice located in Bangor, Maine, has notified 4,229 patients that a hacker from Moldova has accessed their psychiatric records, including names, addresses, Social Security numbers, telephone numbers, diagnoses and doctors’ notes. The health center provides outpatient therapy to both children and adults for behavioral health conditions including substance use disorders, … Continue Reading
The Food and Drug Administration (FDA) recently issued a warning letter to St. Jude Medical, alleging that it failed to properly investigate issues with the batteries in its defibrillator implants and for failing to fix the cybersecurity of its in-home monitoring system, known as Merlin@home. The monitoring system is wireless and is connected to St. … Continue Reading
The Association of Corporate Counsel (ACC) has issued its first-ever data security guidelines, which outline basic data security measures that in-house counsel can use to evaluate their outside counsel. Most companies these days are auditing their law firms’ data security measures, but since data breaches occurred at some of the largest U.S. based law firms … Continue Reading
In an effort to combat an increasing number of fraudulent transfers carried out using its network, SWIFT, the international bank transfer network, announced this month that it is adding new tools and controls designed to prevent fraudulent transfers in real time. SWIFT reported that the new tools integrate into the SWIFT system directly without the … Continue Reading
Following in the footsteps of the State of New York, the Colorado Department of Regulatory Agencies has proposed amendments to the Colorado Securities Act to require investment advisers and broker-dealers to implement new cybersecurity requirements to ensure security of the information in their possession. As we have predicted before, this is probably just the beginning … Continue Reading
New U.S. Computer Emergency Readiness Team (U.S.-Cert) guidelines around incident reporting went into effect this week (April 1, 2017). The guidelines require all federal departments and agencies, state, local, tribal and territorial government entities, information sharing and analysis organizations and private-sector organizations to report any security incident impacting the confidentiality, integrity or availability of a federal … Continue Reading
Last week, IBM published its X-Force Threat Intelligence Index (Index), which summarizes the state of leaked records and vulnerabilities to data in 2016. It is depressing, but informative. The Index notes that the number of compromised records “grew a historic 566 percent in 2016 from 600 million to more than 4 billion.” Billion with a … Continue Reading
